* Docs: File Audit Device - Add section + note about proper File Audit Device log rotation * Additional clarification about relevant platforms
2.5 KiB
layout | page_title | sidebar_title | sidebar_current | description |
---|---|---|---|---|
docs | File - Audit Devices | File | docs-audit-file | The "file" audit device writes audit logs to a file. |
File Audit Device
The file
audit device writes audit logs to a file. This is a very simple audit
device: it appends logs to a file.
The device does not currently assist with any log rotation. There are very stable and feature-filled log rotation tools already, so we recommend using existing tools.
Sending a SIGHUP
to the Vault process will cause file
audit devices to close
and re-open their underlying file, which can assist with log rotation needs.
Examples
Enable at the default path:
$ vault audit enable file file_path=/var/log/vault_audit.log
Enable at a different path. It is possible to enable multiple copies of an audit device:
$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
Enable logs on stdout. This is useful when running in a container:
$ vault audit enable file file_path=stdout
Configuration
Note the difference between audit enable
command options and the file
backend
configuration options. Use vault audit enable -help
to see the command options.
Following are the configuration options available for the backend.
Configuration
-
file_path
(string: <required>)
- The path to where the audit log will be written. If a file already exists at the given path, the audit backend will append to it. There are some special keywords:-
stdout
writes the audit log to standard output -
discard
writes output (useful in testing scenarios)
-
-
log_raw
(bool: false)
- If enabled, logs the security sensitive information without hashing, in the raw format. -
hmac_accessor
(bool: true)
- If enabled, enables the hashing of token accessor. -
mode
(string: "0600")
- A string containing an octal number representing the bit pattern for the file mode, similar tochmod
. Set to"0000"
to prevent Vault from modifying the file mode. -
format
(string: "json")
- Allows selecting the output format. Valid values are"json"
and"jsonx"
, which formats the normal log entries as XML. -
prefix
(string: "")
- A customizable string prefix to write before the actual log line.
Log File Rotation
To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the vault
process a signal hang up / SIGHUP
after each rotation of the log file.