open-vault/website/source/docs/audit/syslog.html.md

2.4 KiB

layout page_title sidebar_current description
docs Audit Backend: Syslog docs-audit-syslog The "syslog" audit backend writes audit logs to syslog.

Audit Backend: Syslog

The syslog audit backend writes audit logs to syslog.

It currently does not support a configurable syslog destination, and always sends to the local agent. This backend is only supported on Unix systems, and should not be enabled if any standby Vault instances do not support it.

Format

Each line in the audit log is a JSON object. The type field specifies what type of object it is. Currently, only two types exist: request and response. The line contains all of the information for any given request and response. By default, all the sensitive information is first hashed before logging in the audit logs.

Enabling

Via the CLI

Audit syslog backend can be enabled by the following command.

$ vault audit-enable syslog

Backend configuration options can also be provided from command-line.

$ vault audit-enable syslog tag="vault" facility="AUTH"

Following are the configuration options available for the backend.

Backend configuration options
  • facility optional The syslog facility to use. Defaults to `AUTH`.
  • tag optional The syslog tag to use. Defaults to `vault`.
  • log_raw optional A string containing a boolean value ('true'/'false'), if set, logs the security sensitive information without hashing, in the raw format. Defaults to `false`.
  • hmac_accessor optional A string containing a boolean value ('true'/'false'), if set, enables the hashing of token accessor. Defaults to `true`. This option is useful only when `log_raw` is `false`.
  • format optional Allows selecting the output format. Valid values are `json` (the default) and `jsonx`, which formats the normal log entries as XML.