d1f2b101b5
This PR relates to a feature request logged through HashiCorp commercial
support.
Vault lacks pagination in its APIs. As a result, certain list operations
can return **very** large responses. The user's chosen audit sinks may
experience difficulty consuming audit records that swell to tens of
megabytes of JSON.
In our case, one of the systems consuming audit log data could not cope,
and failed.
The responses of list operations are typically not very interesting, as
they are mostly lists of keys, or, even when they include a "key_info"
field, are not returning confidential information. They become even less
interesting once HMAC-ed by the audit system.
Some example Vault "list" operations that are prone to becoming very
large in an active Vault installation are:
auth/token/accessors/
identity/entity/id/
identity/entity-alias/id/
pki/certs/
In response, I've coded a new option that can be applied to audit
backends, `elide_list_responses`. When enabled, response data is elided
from audit logs, only when the operation type is "list".
For added safety, the elision only applies to the "keys" and "key_info"
fields within the response data - these are conventionally the only
fields present in a list response - see logical.ListResponse, and
logical.ListResponseWithInfo. However, other fields are technically
possible if a plugin author writes unusual code, and these will be
preserved in the audit log even with this option enabled.
The elision replaces the values of the "keys" and "key_info" fields with
an integer count of the number of entries. This allows even the elided
audit logs to still be useful for answering questions like "Was any data
returned?" or "How many records were listed?".
46 lines
1.5 KiB
Plaintext
46 lines
1.5 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Syslog - Audit Devices
|
|
description: The "syslog" audit device writes audit logs to syslog.
|
|
---
|
|
|
|
# Syslog Audit Device
|
|
|
|
The `syslog` audit device writes audit logs to syslog.
|
|
|
|
It currently does not support a configurable syslog destination, and always
|
|
sends to the local agent. This device is only supported on Unix systems,
|
|
and should not be enabled if any standby Vault instances do not support it.
|
|
|
|
~> **Warning**: Audit messages generated for some operations can be quite
|
|
large, and can be larger than a [maximum-size single UDP
|
|
packet](https://tools.ietf.org/html/rfc5426#section-3.1). If possible with your
|
|
syslog daemon, configure a TCP listener. Otherwise, consider using a `file`
|
|
backend and having syslog configured to read entries from the file; or, enable
|
|
both `file` and `syslog` so that a failure for a particular message to log
|
|
directly to `syslog` will not result in Vault being blocked.
|
|
|
|
## Examples
|
|
|
|
Audit `syslog` device can be enabled by the following command:
|
|
|
|
```shell-session
|
|
$ vault audit enable syslog
|
|
```
|
|
|
|
Supply configuration parameters via K=V pairs:
|
|
|
|
```shell-session
|
|
$ vault audit enable syslog tag="vault" facility="AUTH"
|
|
```
|
|
|
|
## Configuration
|
|
|
|
The `syslog` audit device supports the common configuration options documented on
|
|
the [main Audit Devices page](/docs/audit#common-configuration-options), and
|
|
these device-specific options:
|
|
|
|
- `facility` `(string: "AUTH")` - The syslog facility to use.
|
|
|
|
- `tag` `(string: "vault")` - The syslog tag to use.
|