open-vault/website/content/docs/audit/file.mdx

---
layout: docs
page_title: File - Audit Devices
description: The "file" audit device writes audit logs to a file.
---

# File Audit Device

The `file` audit device writes audit logs to a file. This is a very simple audit
device: it appends logs to a file.

The device does not currently assist with any log rotation. There are very
stable and feature-filled log rotation tools already, so we recommend using
existing tools.

Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
and re-open their underlying file, which can assist with log rotation needs.

## Examples

Enable at the default path:

```shell-session
$ vault audit enable file file_path=/var/log/vault_audit.log
```

Enable at a different path. It is possible to enable multiple copies of an audit
device:

```shell-session
$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
```

Enable logs on stdout. This is useful when running in a container:

```shell-session
$ vault audit enable file file_path=stdout
```

## Configuration

Note the difference between `audit enable` command options and the `file` backend
configuration options. Use `vault audit enable -help` to see the command options.

The `file` audit device supports the common configuration options documented on
the [main Audit Devices page](/vault/docs/audit#common-configuration-options), and
these device-specific options:

- `file_path` `(string: <required>)` - The path to where the audit log will be
  written. If a file already exists at the given path, the audit backend will
  append to it. There are some special keywords:

  - `stdout` writes the audit log to standard output

  - `discard` writes output (useful in testing scenarios)

- `mode` `(string: "0600")` - A string containing an octal number representing
  the bit pattern for the file mode, similar to `chmod`. Set to `"0000"` to
  prevent Vault from modifying the file mode.


## Log File Rotation

To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the `vault` process a signal hang up / `SIGHUP` after each rotation of the log file.
website: audit backends 2015-04-20 05:59:39 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: File - Audit Devices`
			`description: The "file" audit device writes audit logs to a file.`
website: audit backends 2015-04-20 05:59:39 +00:00			`---`

Audit backend -> device 2017-09-08 02:38:47 +00:00			`# File Audit Device`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			The `file` audit device writes audit logs to a file. This is a very simple audit
			`device: it appends logs to a file.`
Update changelog and website for GH-1958 2016-09-30 19:08:38 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`The device does not currently assist with any log rotation. There are very`
Update changelog and website for GH-1958 2016-09-30 19:08:38 +00:00			`stable and feature-filled log rotation tools already, so we recommend using`
			`existing tools.`

Audit backend -> device 2017-09-08 02:38:47 +00:00			Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
			`and re-open their underlying file, which can assist with log rotation needs.`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`## Examples`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`Enable at the default path:`
website: audit backends 2015-04-20 05:59:39 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Audit backend -> device 2017-09-08 02:38:47 +00:00			`$ vault audit enable file file_path=/var/log/vault_audit.log`
			```
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`Enable at a different path. It is possible to enable multiple copies of an audit`
			`device:`
website: audit backends 2015-04-20 05:59:39 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Audit backend -> device 2017-09-08 02:38:47 +00:00			`$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log`
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			```

Fix audit docs (#6000) These appear to have been converted to (bad) HTML. This returns them to their original markdown format. 2019-01-04 19:45:50 +00:00			`Enable logs on stdout. This is useful when running in a container:`

🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Fix audit docs (#6000) These appear to have been converted to (bad) HTML. This returns them to their original markdown format. 2019-01-04 19:45:50 +00:00			`$ vault audit enable file file_path=stdout`
			```

Audit backend -> device 2017-09-08 02:38:47 +00:00			`## Configuration`
website: audit backends 2015-04-20 05:59:39 +00:00
Cleanup of deprecated commands in tests, docs (#3788) 2018-01-15 20:19:28 +00:00			Note the difference between `audit enable` command options and the `file` backend
			configuration options. Use `vault audit enable -help` to see the command options.
website: audit backends 2015-04-20 05:59:39 +00:00
Add option 'elide_list_responses' to audit backends (#18128) This PR relates to a feature request logged through HashiCorp commercial support. Vault lacks pagination in its APIs. As a result, certain list operations can return very large responses. The user's chosen audit sinks may experience difficulty consuming audit records that swell to tens of megabytes of JSON. In our case, one of the systems consuming audit log data could not cope, and failed. The responses of list operations are typically not very interesting, as they are mostly lists of keys, or, even when they include a "key_info" field, are not returning confidential information. They become even less interesting once HMAC-ed by the audit system. Some example Vault "list" operations that are prone to becoming very large in an active Vault installation are: auth/token/accessors/ identity/entity/id/ identity/entity-alias/id/ pki/certs/ In response, I've coded a new option that can be applied to audit backends, `elide_list_responses`. When enabled, response data is elided from audit logs, only when the operation type is "list". For added safety, the elision only applies to the "keys" and "key_info" fields within the response data - these are conventionally the only fields present in a list response - see logical.ListResponse, and logical.ListResponseWithInfo. However, other fields are technically possible if a plugin author writes unusual code, and these will be preserved in the audit log even with this option enabled. The elision replaces the values of the "keys" and "key_info" fields with an integer count of the number of entries. This allows even the elided audit logs to still be useful for answering questions like "Was any data returned?" or "How many records were listed?". 2023-01-11 21:15:52 +00:00			The `file` audit device supports the common configuration options documented on
docs: Migrate link formats (#18696) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-26 00:12:15 +00:00			`the [main Audit Devices page](/vault/docs/audit#common-configuration-options), and`
Add option 'elide_list_responses' to audit backends (#18128) This PR relates to a feature request logged through HashiCorp commercial support. Vault lacks pagination in its APIs. As a result, certain list operations can return very large responses. The user's chosen audit sinks may experience difficulty consuming audit records that swell to tens of megabytes of JSON. In our case, one of the systems consuming audit log data could not cope, and failed. The responses of list operations are typically not very interesting, as they are mostly lists of keys, or, even when they include a "key_info" field, are not returning confidential information. They become even less interesting once HMAC-ed by the audit system. Some example Vault "list" operations that are prone to becoming very large in an active Vault installation are: auth/token/accessors/ identity/entity/id/ identity/entity-alias/id/ pki/certs/ In response, I've coded a new option that can be applied to audit backends, `elide_list_responses`. When enabled, response data is elided from audit logs, only when the operation type is "list". For added safety, the elision only applies to the "keys" and "key_info" fields within the response data - these are conventionally the only fields present in a list response - see logical.ListResponse, and logical.ListResponseWithInfo. However, other fields are technically possible if a plugin author writes unusual code, and these will be preserved in the audit log even with this option enabled. The elision replaces the values of the "keys" and "key_info" fields with an integer count of the number of entries. This allows even the elided audit logs to still be useful for answering questions like "Was any data returned?" or "How many records were listed?". 2023-01-11 21:15:52 +00:00			`these device-specific options:`
Fix audit docs (#6000) These appear to have been converted to (bad) HTML. This returns them to their original markdown format. 2019-01-04 19:45:50 +00:00
			- `file_path` `(string: <required>)` - The path to where the audit log will be
			`written. If a file already exists at the given path, the audit backend will`
			`append to it. There are some special keywords:`

			- `stdout` writes the audit log to standard output

			- `discard` writes output (useful in testing scenarios)

			- `mode` `(string: "0600")` - A string containing an octal number representing
			the bit pattern for the file mode, similar to `chmod`. Set to `"0000"` to
			`prevent Vault from modifying the file mode.`


Docs: File Audit Device (#7633) * Docs: File Audit Device - Add section + note about proper File Audit Device log rotation * Additional clarification about relevant platforms 2019-10-15 14:20:51 +00:00
			`## Log File Rotation`

			To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the `vault` process a signal hang up / `SIGHUP` after each rotation of the log file.