open-vault/website/source/api/system/audit.html.md

---
layout: "api"
page_title: "/sys/audit - HTTP API"
sidebar_title: "<tt>/sys/audit</tt>"
sidebar_current: "api-http-system-audit/"
description: |-
  The `/sys/audit` endpoint is used to enable and disable audit devices.
---

# `/sys/audit`

The `/sys/audit` endpoint is used to list, enable, and disable audit devices.
Audit devices must be enabled before use, and more than one device may be
enabled at a time.

## List Enabled Audit Devices

This endpoint lists only the enabled audit devices (it does not list all
available audit devices).

- **`sudo` required** – This endpoint requires `sudo` capability in addition to
  any path-specific capabilities.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `GET`    | `/sys/audit`                 | `200 application/json` |

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/audit
```

### Sample Response

```javascript
{
  "file": {
    "type": "file",
    "description": "Store logs in a file",
    "options": {
      "file_path": "/var/log/vault.log"
    }
  }
}
```

## Enable Audit Device

This endpoint enables a new audit device at the supplied path. The path can be a
single word name or a more complex, nested path.

- **`sudo` required** – This endpoint requires `sudo` capability in addition to
  any path-specific capabilities.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `PUT`    | `/sys/audit/:path`           | `204 (empty body)`     |

### Parameters

- `path` `(string: <required>)` – Specifies the path in which to enable the audit
  device. This is part of the request URL.

- `description` `(string: "")` – Specifies a human-friendly description of the
  audit device.

- `options` `(map<string|string>: nil)` – Specifies configuration options to
  pass to the audit device itself. This is dependent on the audit device type.

- `type` `(string: <required>)` – Specifies the type of the audit device.

Additionally, the following options are allowed in Vault open-source, but
relevant functionality is only supported in Vault Enterprise:

- `local` `(bool: false)` – Specifies if the audit device is a local only. Local
  audit devices are not replicated nor (if a secondary) removed by replication.

### Sample Payload

```json
{
  "type": "file",
  "options": {
    "file_path": "/var/log/vault/log"
  }
}
```

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request PUT \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/audit/example-audit
```

## Disable Audit Device

This endpoint disables the audit device at the given path.

- **`sudo` required** – This endpoint requires `sudo` capability in addition to
  any path-specific capabilities.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `DELETE` | `/sys/audit/:path`           | `204 (empty body)`     |

### Parameters

- `path` `(string: <required>)` – Specifies the path of the audit device to
  delete. This is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/audit/example-audit
```
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								---
-												/docs/http -> /api

											
										
										
											2017-03-17 18:06:03 +00:00
+								layout: "api"
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								page_title: "/sys/audit - HTTP API"
-												New Docs Website (#5535)

* conversion stage 1

* correct image paths

* add sidebar title to frontmatter

* docs/concepts and docs/internals

* configuration docs and multi-level nav corrections

* commands docs, index file corrections, small item nav correction

* secrets converted

* auth

* add enterprise and agent docs

* add extra dividers

* secret section, wip

* correct sidebar nav title in front matter for apu section, start working on api items

* auth and backend, a couple directory structure fixes

* remove old docs

* intro side nav converted

* reset sidebar styles, add hashi-global-styles

* basic styling for nav sidebar

* folder collapse functionality

* patch up border length on last list item

* wip restructure for content component

* taking middleman hacking to the extreme, but its working

* small css fix

* add new mega nav

* fix a small mistake from the rebase

* fix a content resolution issue with middleman

* title a couple missing docs pages

* update deps, remove temporary markup

* community page

* footer to layout, community page css adjustments

* wip downloads page

* deps updated, downloads page ready

* fix community page

* homepage progress

* add components, adjust spacing

* docs and api landing pages

* a bunch of fixes, add docs and api landing pages

* update deps, add deploy scripts

* add readme note

* update deploy command

* overview page, index title

* Update doc fields

Note this still requires the link fields to be populated -- this is solely related to copy on the description fields

* Update api_basic_categories.yml

Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.

* Add bottom hero, adjust CSS, responsive friendly

* Add mega nav title

* homepage adjustments, asset boosts

* small fixes

* docs page styling fixes

* meganav title

* some category link corrections

* Update API categories page

updated to reflect the second level headings for api categories

* Update docs_detailed_categories.yml

Updated to represent the existing docs structure

* Update docs_detailed_categories.yml

* docs page data fix, extra operator page remove

* api data fix

* fix makefile

* update deps, add product subnav to docs and api landing pages

* Rearrange non-hands-on guides to _docs_

Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.

* WIP Redirects for guides to docs

* content and component updates

* font weight hotfix, redirects

* fix guides and intro sidenavs

* fix some redirects

* small style tweaks

* Redirects to learn and internally to docs

* Remove redirect to `/vault`

* Remove `.html` from destination on redirects

* fix incorrect index redirect

* final touchups

* address feedback from michell for makefile and product downloads

											
										
										
											2018-10-19 15:40:11 +00:00
+								sidebar_title: "<tt>/sys/audit</tt>"
 								sidebar_current: "api-http-system-audit/"
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								description: |-
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								  The `/sys/audit` endpoint is used to enable and disable audit devices.
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								---
 								# `/sys/audit`
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								The `/sys/audit` endpoint is used to list, enable, and disable audit devices.
 								Audit devices must be enabled before use, and more than one device may be
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								enabled at a time.
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								## List Enabled Audit Devices
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								This endpoint lists only the enabled audit devices (it does not list all
 								available audit devices).
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
 								- **`sudo` required** – This endpoint requires `sudo` capability in addition to
 								  any path-specific capabilities.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `GET`    | `/sys/audit`                 | `200 application/json` |
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/sys/audit
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								```
 								### Sample Response
 								```javascript
 								{
 								  "file": {
 								    "type": "file",
 								    "description": "Store logs in a file",
 								    "options": {
-												fixes file path option in samples (#5377)

fixes file path option in samples

											
										
										
											2018-09-20 22:55:20 +00:00
+								      "file_path": "/var/log/vault.log"
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								    }
 								  }
 								}
 								```
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								## Enable Audit Device
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								This endpoint enables a new audit device at the supplied path. The path can be a
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								single word name or a more complex, nested path.
 								- **`sudo` required** – This endpoint requires `sudo` capability in addition to
 								  any path-specific capabilities.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `PUT`    | `/sys/audit/:path`           | `204 (empty body)`     |
 								### Parameters
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								- `path` `(string: <required>)` – Specifies the path in which to enable the audit
 								  device. This is part of the request URL.
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
 								- `description` `(string: "")` – Specifies a human-friendly description of the
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								  audit device.
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
 								- `options` `(map<string|string>: nil)` – Specifies configuration options to
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								  pass to the audit device itself. This is dependent on the audit device type.
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								- `type` `(string: <required>)` – Specifies the type of the audit device.
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
-												Add local flag to docs for API endpoints. (#2625)


											
										
										
											2017-04-28 18:33:27 +00:00
+								Additionally, the following options are allowed in Vault open-source, but
 								relevant functionality is only supported in Vault Enterprise:
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								- `local` `(bool: false)` – Specifies if the audit device is a local only. Local
 								  audit devices are not replicated nor (if a secondary) removed by replication.
-												Add local flag to docs for API endpoints. (#2625)


											
										
										
											2017-04-28 18:33:27 +00:00
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								### Sample Payload
 								```json
 								{
 								  "type": "file",
 								  "options": {
-												fixes file path option in samples (#5377)

fixes file path option in samples

											
										
										
											2018-09-20 22:55:20 +00:00
+								    "file_path": "/var/log/vault/log"
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								  }
 								}
 								```
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
 								    --request PUT \
 								    --data @payload.json \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/sys/audit/example-audit
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								```
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								## Disable Audit Device
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								This endpoint disables the audit device at the given path.
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
 								- **`sudo` required** – This endpoint requires `sudo` capability in addition to
 								  any path-specific capabilities.
 								| Method   | Path                         | Produces               |
 								| :------- | :--------------------------- | :--------------------- |
 								| `DELETE` | `/sys/audit/:path`           | `204 (empty body)`     |
 								### Parameters
-												More naming cleanup

											
										
										
											2017-09-21 21:14:40 +00:00
+								- `path` `(string: <required>)` – Specifies the path of the audit device to
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								  delete. This is part of the request URL.
 								### Sample Request
 								```
 								$ curl \
 								    --header "X-Vault-Token: ..." \
 								    --request DELETE \
-												Drop vault.rocks (#4186)


											
										
										
											2018-03-23 15:41:51 +00:00
+								    http://127.0.0.1:8200/v1/sys/audit/example-audit
-												Redo docs for system backend

This commit updates the API documentation for the system backend to
break things apart on a per-page basis and provide specific examples.
This pattern will give more flexibility for future documentation as
well.

											
										
										
											2017-03-15 06:40:33 +00:00
+								```