This topic describes how to use HCP Consul's audit logging functionality.
Audit logging is enabled by default on Standard and Plus cluster tiers (refer to Pricing for details about tiers). Audit logs capture information about Consul-authenticated events that occur via the HTTP API, including the timestamp, operation, and accessor ID associated with the token used to make the API call. Refer to the ACL tokens documentation to learn about accessor IDs and other ACL token metadata.
You can obtain a token from the UI, CLI, or API and correlate it with the accessor ID in the audit log. This provides security and compliance teams in your HCP organization with greater insight into Consul access and usage patterns.
Refer to Audit Logging in the Consul documentation for additional information.
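Correlating a token's accessor ID with audit events, as an added example that is not part of the HCP documentation. It assumes the downloaded archive holds one JSON event per line in the Consul audit event layout (`payload.auth.accessor_id`, `payload.request.operation`, `payload.stage`); the sample lines and accessor IDs are constructed.

```python
import json
from collections import Counter

def _sample(ts, stage, accessor, op, endpoint):
    """Build one constructed audit line (field layout is an assumption)."""
    return json.dumps({"event_type": "audit", "payload": {
        "timestamp": ts, "stage": stage,
        "auth": {"accessor_id": accessor},
        "request": {"operation": op, "endpoint": endpoint}}})

SAMPLE_LINES = [  # constructed data, not real log output
    _sample("2022-03-01T10:00:00Z", "OperationStart", "acc-ops-0001", "GET", "/v1/kv/app/config"),
    _sample("2022-03-01T10:00:00Z", "OperationComplete", "acc-ops-0001", "GET", "/v1/kv/app/config"),
    _sample("2022-03-01T10:05:12Z", "OperationStart", "acc-ci-0002", "PUT", "/v1/kv/app/config"),
    _sample("2022-03-01T10:05:12Z", "OperationComplete", "acc-ci-0002", "PUT", "/v1/kv/app/config"),
    _sample("2022-03-01T10:06:40Z", "OperationStart", "acc-ci-0002", "DELETE", "/v1/kv/app/old"),
    "{truncated line",  # malformed line, e.g. from a damaged file
]

def parse_events(lines):
    """Yield one audit payload per request; skip malformed lines."""
    for line in lines:
        try:
            payload = json.loads(line).get("payload", {})
        except (json.JSONDecodeError, AttributeError):
            continue
        # Assumed: each request is logged at start and at completion.
        # Keep the start event only so requests are not counted twice.
        if payload.get("stage") == "OperationStart":
            yield payload

def events_for_accessor(lines, accessor_id):
    """Return (timestamp, operation, endpoint) rows for one accessor ID."""
    rows = []
    for p in parse_events(lines):
        if p.get("auth", {}).get("accessor_id") == accessor_id:
            req = p.get("request", {})
            rows.append((p.get("timestamp"), req.get("operation"), req.get("endpoint")))
    return rows

def requests_per_accessor(lines):
    """Count requests per accessor ID to show usage patterns."""
    return Counter(p.get("auth", {}).get("accessor_id", "<none>")
                   for p in parse_events(lines))

if __name__ == "__main__":
    for row in events_for_accessor(SAMPLE_LINES, "acc-ci-0002"):
        print(*row)
    print(requests_per_accessor(SAMPLE_LINES))
```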
Retrieve Audit Logs
The audit logs are written from the HCP Consul instance and stored in encrypted storage that is in the same region as the cluster. You can retrieve audit logs in 24-hour increments from the HCP portal.
- If you have not already done so, log into the HashiCorp Cloud Platform and click Consul under the Services sidebar menu.
- Click the link to the cluster in the ID column to open its overview screen.
- Click Audit logs in the sidebar menu and specify a range of dates and times you would like to audit. Each period of up to 24 hours specified in the range will be downloaded as a separate archive.
- Click Download request. HCP will begin preparing the audit log archive. You can navigate away from the audit log screen during this process.
- When the logs have been generated, click the download icon in the Latest download requests field to download the audit log. Links are available in 24 hours from when they were created.
Audit logs are stored within the platform for a minimum of one year. HCP began archiving audit logs in February of 2022. The logs are still available after the cluster associated with the log has been deleted. Contact HashiCorp Support if you need access to logs from deleted clusters.