»File Audit Device
The file audit device writes audit logs to a file. This is a very simple audit
device: it appends logs to a file.
The device does not currently assist with any log rotation. There are very stable and feature-filled log rotation tools already, so we recommend using existing tools.
Sending a SIGHUP to the Vault process will cause file audit devices to close
and re-open their underlying file, which can assist with log rotation needs.
»Examples
Enable at the default path:
Enable at a different path. It is possible to enable multiple copies of an audit device:
Enable logs on stdout. This is useful when running in a container:
»Configuration
Note the difference between audit enable command options and the file backend
configuration options. Use vault audit enable -help to see the command options.
Following are the configuration options available for the backend.
»Configuration
file_path(string: <required>)- The path to where the audit log will be written. If a file already exists at the given path, the audit backend will append to it. There are some special keywords:log_raw(bool: false)- If enabled, logs the security sensitive information without hashing, in the raw format.hmac_accessor(bool: true)- If enabled, enables the hashing of token accessor.mode(string: "0600")- A string containing an octal number representing the bit pattern for the file mode, similar tochmod. Set to"0000"to prevent Vault from modifying the file mode.format(string: "json")- Allows selecting the output format. Valid values are"json"and"jsonx", which formats the normal log entries as XML.prefix(string: "")- A customizable string prefix to write before the actual log line.
»Log File Rotation
To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the vault process a signal hang up / SIGHUP after each rotation of the log file.
