open-vault/website/content/docs/audit/file.mdx

---
layout: docs
page_title: File - Audit Devices
sidebar_title: File
description: The "file" audit device writes audit logs to a file.
---

# File Audit Device

The `file` audit device writes audit logs to a file. This is a very simple audit
device: it appends logs to a file.

The device does not currently assist with any log rotation. There are very
stable and feature-filled log rotation tools already, so we recommend using
existing tools.

Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
and re-open their underlying file, which can assist with log rotation needs.

## Examples

Enable at the default path:

```shell-session
$ vault audit enable file file_path=/var/log/vault_audit.log
```

Enable at a different path. It is possible to enable multiple copies of an audit
device:

```shell-session
$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
```

Enable logs on stdout. This is useful when running in a container:

```shell-session
$ vault audit enable file file_path=stdout
```

## Configuration

Note the difference between `audit enable` command options and the `file` backend
configuration options. Use `vault audit enable -help` to see the command options.
Following are the configuration options available for the backend.

## Configuration

- `file_path` `(string: <required>)` - The path to where the audit log will be
  written. If a file already exists at the given path, the audit backend will
  append to it. There are some special keywords:

  - `stdout` writes the audit log to standard output

  - `discard` writes output (useful in testing scenarios)

- `log_raw` `(bool: false)` - If enabled, logs the security sensitive
  information without hashing, in the raw format.

- `hmac_accessor` `(bool: true)` - If enabled, enables the hashing of token
  accessor.

- `mode` `(string: "0600")` - A string containing an octal number representing
  the bit pattern for the file mode, similar to `chmod`. Set to `"0000"` to
  prevent Vault from modifying the file mode.

- `format` `(string: "json")` - Allows selecting the output format. Valid values
  are `"json"` and `"jsonx"`, which formats the normal log entries as XML.

- `prefix` `(string: "")` - A customizable string prefix to write before the
  actual log line.

## Log File Rotation

To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the `vault` process a signal hang up / `SIGHUP` after each rotation of the log file.
website: audit backends 2015-04-20 05:59:39 +00:00			`---`
New Website! (#8154) * new documentation website * ci job adjustment * update to latest version on downloads page * remove transition-period scripts * add netlify toml file * fix docs patch * fix ci config? * revert go.mod changes * a couple last markdown formatting fixes 2020-01-18 00:18:09 +00:00			`layout: docs`
			`page_title: File - Audit Devices`
			`sidebar_title: File`
			`description: The "file" audit device writes audit logs to a file.`
website: audit backends 2015-04-20 05:59:39 +00:00			`---`

Audit backend -> device 2017-09-08 02:38:47 +00:00			`# File Audit Device`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			The `file` audit device writes audit logs to a file. This is a very simple audit
			`device: it appends logs to a file.`
Update changelog and website for GH-1958 2016-09-30 19:08:38 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`The device does not currently assist with any log rotation. There are very`
Update changelog and website for GH-1958 2016-09-30 19:08:38 +00:00			`stable and feature-filled log rotation tools already, so we recommend using`
			`existing tools.`

Audit backend -> device 2017-09-08 02:38:47 +00:00			Sending a `SIGHUP` to the Vault process will cause `file` audit devices to close
			`and re-open their underlying file, which can assist with log rotation needs.`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`## Examples`
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`Enable at the default path:`
website: audit backends 2015-04-20 05:59:39 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Audit backend -> device 2017-09-08 02:38:47 +00:00			`$ vault audit enable file file_path=/var/log/vault_audit.log`
			```
website: audit backends 2015-04-20 05:59:39 +00:00
Audit backend -> device 2017-09-08 02:38:47 +00:00			`Enable at a different path. It is possible to enable multiple copies of an audit`
			`device:`
website: audit backends 2015-04-20 05:59:39 +00:00
🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Audit backend -> device 2017-09-08 02:38:47 +00:00			`$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log`
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			```

Fix audit docs (#6000) These appear to have been converted to (bad) HTML. This returns them to their original markdown format. 2019-01-04 19:45:50 +00:00			`Enable logs on stdout. This is useful when running in a container:`

🌷 Docs Website Maintenance (#8985) * website maintenance round * improve docs, revert bug workaround as it was fixed * boost memory * remove unnecessary code 2020-05-21 17:18:17 +00:00			```shell-session
Fix audit docs (#6000) These appear to have been converted to (bad) HTML. This returns them to their original markdown format. 2019-01-04 19:45:50 +00:00			`$ vault audit enable file file_path=stdout`
			```

Audit backend -> device 2017-09-08 02:38:47 +00:00			`## Configuration`
website: audit backends 2015-04-20 05:59:39 +00:00
Cleanup of deprecated commands in tests, docs (#3788) 2018-01-15 20:19:28 +00:00			Note the difference between `audit enable` command options and the `file` backend
			configuration options. Use `vault audit enable -help` to see the command options.
Doc update for syslog and file backends 2016-03-12 02:14:39 +00:00			`Following are the configuration options available for the backend.`
website: audit backends 2015-04-20 05:59:39 +00:00
Fix audit docs (#6000) These appear to have been converted to (bad) HTML. This returns them to their original markdown format. 2019-01-04 19:45:50 +00:00			`## Configuration`

			- `file_path` `(string: <required>)` - The path to where the audit log will be
			`written. If a file already exists at the given path, the audit backend will`
			`append to it. There are some special keywords:`

			- `stdout` writes the audit log to standard output

			- `discard` writes output (useful in testing scenarios)

			- `log_raw` `(bool: false)` - If enabled, logs the security sensitive
			`information without hashing, in the raw format.`

			- `hmac_accessor` `(bool: true)` - If enabled, enables the hashing of token
			`accessor.`

			- `mode` `(string: "0600")` - A string containing an octal number representing
			the bit pattern for the file mode, similar to `chmod`. Set to `"0000"` to
			`prevent Vault from modifying the file mode.`

			- `format` `(string: "json")` - Allows selecting the output format. Valid values
			are `"json"` and `"jsonx"`, which formats the normal log entries as XML.

			- `prefix` `(string: "")` - A customizable string prefix to write before the
			`actual log line.`
Docs: File Audit Device (#7633) * Docs: File Audit Device - Add section + note about proper File Audit Device log rotation * Additional clarification about relevant platforms 2019-10-15 14:20:51 +00:00
			`## Log File Rotation`

			To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the `vault` process a signal hang up / `SIGHUP` after each rotation of the log file.