2015-04-24 18:44:16 +00:00
|
|
|
---
|
|
|
|
layout: "docs"
|
|
|
|
page_title: "Audit Backend: Syslog"
|
|
|
|
sidebar_current: "docs-audit-syslog"
|
|
|
|
description: |-
|
|
|
|
The "syslog" audit backend writes audit logs to syslog.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Audit Backend: Syslog
|
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
The `syslog` audit backend writes audit logs to syslog.
|
2015-04-24 18:44:16 +00:00
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
It currently does not support a configurable syslog destination, and always
|
|
|
|
sends to the local agent. This backend is only supported on Unix systems,
|
2015-04-24 18:44:16 +00:00
|
|
|
and should not be enabled if any standby Vault instances do not support it.
|
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
## Format
|
2015-04-24 18:44:16 +00:00
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
Each line in the audit log is a JSON object. The `type` field specifies what type of
|
|
|
|
object it is. Currently, only two types exist: `request` and `response`. The line contains
|
2016-03-12 02:27:43 +00:00
|
|
|
all of the information for any given request and response. By default, all the sensitive
|
|
|
|
information is first hashed before logging in the audit logs.
|
2015-04-24 18:44:16 +00:00
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
## Enabling
|
2015-04-24 18:44:16 +00:00
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
#### Via the CLI
|
|
|
|
|
|
|
|
Audit `syslog` backend can be enabled by the following command.
|
|
|
|
|
|
|
|
```
|
|
|
|
$ vault audit-enable syslog
|
|
|
|
```
|
2015-04-24 18:44:16 +00:00
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
Backend configuration options can also be provided from command-line.
|
2015-04-24 18:44:16 +00:00
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
```
|
|
|
|
$ vault audit-enable syslog tag="vault" facility="AUTH"
|
|
|
|
```
|
2015-04-24 18:44:16 +00:00
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
Following are the configuration options available for the backend.
|
2015-04-27 21:28:02 +00:00
|
|
|
|
2016-03-12 02:14:39 +00:00
|
|
|
<dl class="api">
|
|
|
|
<dt>Backend configuration options</dt>
|
|
|
|
<dd>
|
|
|
|
<ul>
|
|
|
|
<li>
|
|
|
|
<span class="param">facility</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
The syslog facility to use. Defaults to `AUTH`.
|
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">tag</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
The syslog tag to use. Defaults to `vault`.
|
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">log_raw</span>
|
|
|
|
<span class="param-flags">optional</span>
|
2016-10-26 20:18:31 +00:00
|
|
|
A string containing a boolean value ('true'/'false'), if set, logs the security sensitive information without
|
2016-03-12 02:14:39 +00:00
|
|
|
hashing, in the raw format. Defaults to `false`.
|
|
|
|
</li>
|
|
|
|
<li>
|
2016-03-14 18:52:29 +00:00
|
|
|
<span class="param">hmac_accessor</span>
|
2016-03-12 02:14:39 +00:00
|
|
|
<span class="param-flags">optional</span>
|
2016-10-26 20:18:31 +00:00
|
|
|
A string containing a boolean value ('true'/'false'), if set, enables the hashing of token accessor. Defaults
|
2016-09-21 14:29:42 +00:00
|
|
|
to `true`. This option is useful only when `log_raw` is `false`.
|
|
|
|
</li>
|
|
|
|
<li>
|
|
|
|
<span class="param">format</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
Allows selecting the output format. Valid values are `json` (the
|
|
|
|
default) and `jsonx`, which formats the normal log entries as XML.
|
2016-03-12 02:14:39 +00:00
|
|
|
</li>
|
2017-02-11 00:56:28 +00:00
|
|
|
<li>
|
|
|
|
<span class="param">prefix</span>
|
|
|
|
<span class="param-flags">optional</span>
|
|
|
|
Allows a customizable string prefix to write before the actual log
|
|
|
|
line. Defaults to an empty string.
|
|
|
|
</li>
|
2016-03-12 02:14:39 +00:00
|
|
|
</ul>
|
|
|
|
</dd>
|
|
|
|
</dl>
|