open-vault/website/content/api-docs/system/audit.mdx
Jim Kalafut 75caf59093
Replace docs references to PUT with POST (#14270)
The operations are handled identically, but ~85% of the references were
POST, and having a mix of PUT and POST was a source of questions.

A subsequent commit will update the internal use of "PUT" such as by
the API client and -output-curl-string.
2022-02-25 06:52:24 -08:00

123 lines
3 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: api
page_title: /sys/audit - HTTP API
description: The `/sys/audit` endpoint is used to enable and disable audit devices.
---
# `/sys/audit`
The `/sys/audit` endpoint is used to list, enable, and disable audit devices.
Audit devices must be enabled before use, and more than one device may be
enabled at a time.
## List Enabled Audit Devices
This endpoint lists only the enabled audit devices (it does not list all
available audit devices).
- **`sudo` required**  This endpoint requires `sudo` capability in addition to
any path-specific capabilities.
| Method | Path |
| :----- | :----------- |
| `GET` | `/sys/audit` |
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/audit
```
### Sample Response
```javascript
{
"file": {
"type": "file",
"description": "Store logs in a file",
"options": {
"file_path": "/var/log/vault.log"
}
}
}
```
## Enable Audit Device
This endpoint enables a new audit device at the supplied path. The path can be a
single word name or a more complex, nested path.
- **`sudo` required**  This endpoint requires `sudo` capability in addition to
any path-specific capabilities.
| Method | Path |
| :----- | :----------------- |
| `POST` | `/sys/audit/:path` |
### Parameters
- `path` `(string: <required>)`  Specifies the path in which to enable the audit
device. This is part of the request URL.
- `description` `(string: "")`  Specifies a human-friendly description of the
audit device.
- `options` `(map<string|string>: nil)`  Specifies configuration options to
pass to the audit device itself. This is dependent on the audit device type.
- `type` `(string: <required>)`  Specifies the type of the audit device.
Additionally, the following options are allowed in Vault open-source, but
relevant functionality is only supported in Vault Enterprise:
- `local` `(bool: false)` Specifies if the audit device is local within the cluster only. Local
audit devices are not replicated nor (if a secondary) removed by replication.
### Sample Payload
```json
{
"type": "file",
"options": {
"file_path": "/var/log/vault/log"
}
}
```
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/audit/example-audit
```
## Disable Audit Device
This endpoint disables the audit device at the given path.
- **`sudo` required**  This endpoint requires `sudo` capability in addition to
any path-specific capabilities.
| Method | Path |
| :------- | :----------------- |
| `DELETE` | `/sys/audit/:path` |
### Parameters
- `path` `(string: <required>)`  Specifies the path of the audit device to
delete. This is part of the request URL.
### Sample Request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/sys/audit/example-audit
```