open-vault/website/source/docs/audit/file.html.md

88 lines
3.1 KiB
Markdown
Raw Normal View History

2015-04-20 05:59:39 +00:00
---
layout: "docs"
2017-09-08 02:38:47 +00:00
page_title: "File - Audit Devices"
2015-04-20 05:59:39 +00:00
sidebar_current: "docs-audit-file"
description: |-
2017-09-08 02:38:47 +00:00
The "file" audit device writes audit logs to a file.
2015-04-20 05:59:39 +00:00
---
2017-09-08 02:38:47 +00:00
# File Audit Device
2015-04-20 05:59:39 +00:00
2017-09-08 02:38:47 +00:00
The `file` audit device writes audit logs to a file. This is a very simple audit
device: it appends logs to a file.
2017-09-08 02:38:47 +00:00
The device does not currently assist with any log rotation. There are very
stable and feature-filled log rotation tools already, so we recommend using
existing tools.
2017-09-08 02:38:47 +00:00
Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
and re-open their underlying file, which can assist with log rotation needs.
2015-04-20 05:59:39 +00:00
2017-09-08 02:38:47 +00:00
## Examples
2015-04-20 05:59:39 +00:00
2017-09-08 02:38:47 +00:00
Enable at the default path:
2015-04-20 05:59:39 +00:00
2017-09-08 02:38:47 +00:00
```text
$ vault audit enable file file_path=/var/log/vault_audit.log
```
2015-04-20 05:59:39 +00:00
2017-09-08 02:38:47 +00:00
Enable at a different path. It is possible to enable multiple copies of an audit
device:
2015-04-20 05:59:39 +00:00
2017-09-08 02:38:47 +00:00
```text
$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
```
2017-09-08 02:38:47 +00:00
## Configuration
2015-04-20 05:59:39 +00:00
Note the difference between `audit enable` command options and the `file` backend
configuration options. Use `vault audit enable -help` to see the command options.
Following are the configuration options available for the backend.
2015-04-20 05:59:39 +00:00
<dl class="api">
<dt>Backend configuration options</dt>
<dd>
<ul>
<li>
<span class="param">file_path</span>
<span class="param-flags">required</span>
The path to where the audit log will be written. If this
path exists, the audit backend will append to it. Specify `"stdout"` to write audit log to standard output; specify `"discard"` to discard output (useful in testing scenarios).
</li>
<li>
<span class="param">log_raw</span>
<span class="param-flags">optional</span>
A string containing a boolean value ('true'/'false'), if set, logs
the security sensitive information without hashing, in the raw
format. Defaults to `false`.
</li>
<li>
2016-03-14 18:52:29 +00:00
<span class="param">hmac_accessor</span>
<span class="param-flags">optional</span>
A string containing a boolean value ('true'/'false'), if set,
enables the hashing of token accessor. Defaults
2016-09-21 14:29:42 +00:00
to `true`. This option is useful only when `log_raw` is `false`.
2016-10-07 19:48:29 +00:00
</li>
<li>
2016-10-08 23:52:49 +00:00
<span class="param">mode</span>
2016-10-07 19:48:29 +00:00
<span class="param-flags">optional</span>
2016-10-10 02:23:30 +00:00
A string containing an octal number representing the bit pattern
for the file mode, similar to `chmod`. This option defaults to
`0600`. Specifying mode of `0000` will disable Vault's setting any mode on the file.
2016-09-21 14:29:42 +00:00
</li>
<li>
<span class="param">format</span>
<span class="param-flags">optional</span>
Allows selecting the output format. Valid values are `json` (the
default) and `jsonx`, which formats the normal log entries as XML.
</li>
<li>
<span class="param">prefix</span>
<span class="param-flags">optional</span>
Allows a customizable string prefix to write before the actual log
line. Defaults to an empty string.
</li>
</ul>
</dd>
</dl>