luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/docs/audit/socket.html.md
Tommy Murphy ca06bc0b53 audit: support a configurable prefix string to write before each message (#2359) 
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00

3.2 KiB
Raw Blame History

layout page_title sidebar_current description
docs Audit Backend: Socket docs-audit-socket The "socket" audit backend writes audit writes to a TCP or UDP socket.

Audit Backend: Socket

The socket audit backend writes to a TCP, UDP, or UNIX socket.

~> Warning: Due to the nature of the underlying protocols used in this backend there exists a case when the connection to a socket is lost a single audit entry could be omitted from the logs and the request will still succeed. Using this backend in conjunction with another audit backend will help to improve accuracy, but the socket backend should not be used if strong guarantees are needed for audit logs.

Format

Each line in the audit log is a JSON object. The type field specifies what type of object it is. Currently, only two types exist: request and response. The line contains all of the information for any given request and response. By default, all the sensitive information is first hashed before logging in the audit logs.

Enabling

Via the CLI

Audit socket backend can be enabled by the following command.

$ vault audit-enable socket

Backend configuration options can also be provided from command-line.

$ vault audit-enable socket address="127.0.0.1:9090" socket_type="tcp"

Following are the configuration options available for the backend.

Backend configuration options
  • address required The socket server address to use. Example `127.0.0.1:9090` or `/tmp/audit.sock`.
  • socket_type optional The socket type to use, any type compatible with net.Dial is acceptable. Defaults to `tcp`.
  • log_raw optional A string containing a boolean value ('true'/'false'), if set, logs the security sensitive information without hashing, in the raw format. Defaults to `false`.
  • hmac_accessor optional A string containing a boolean value ('true'/'false'), if set, enables the hashing of token accessor. Defaults to `true`. This option is useful only when `log_raw` is `false`.
  • format optional Allows selecting the output format. Valid values are `json` (the default) and `jsonx`, which formats the normal log entries as XML.
  • write_timeout optional Sets the timeout for writes to the socket. Defaults to "2s" (2 seconds).
  • prefix optional Allows a customizable string prefix to write before the actual log line. Defaults to an empty string.