»Socket Audit Device

The socket audit device writes to a TCP, UDP, or UNIX socket.


Enable at the default path:

$ vault audit enable socket
$ vault audit enable socket

Supply configuration parameters via K=V pairs:

$ vault audit enable socket address= socket_type=tcp
$ vault audit enable socket address= socket_type=tcp


  • address (string: "") - The socket server address to use. Example or /tmp/audit.sock.

  • socket_type (string: "tcp") - The socket type to use, any type compatible with net.Dial is acceptable.

  • log_raw (bool: false) - If enabled, logs the security sensitive information without hashing, in the raw format.

  • hmac_accessor (bool: true) - If enabled, enables the hashing of token accessor.

  • mode (string: "0600") - A string containing an octal number representing the bit pattern for the file mode, similar to chmod.

  • format (string: "json") - Allows selecting the output format. Valid values are "json" and "jsonx", which formats the normal log entries as XML.

  • prefix (string: "") - A customizable string prefix to write before the actual log line.