This tutorial covers configuration of HCP Vault audit log streaming to a general telemetry service using the generic HTTP sink.
The generic HTTP sink is an optional audit log streaming configuration that can be used when native integrations are not yet available. It provides support for sending audit logs in either JSON or NDJSON formats. Additionally, you can choose to compress (gzip) audit logs, if supported by your telemetry service. Not all telemetry services will support the use of the generic HTTP sink.
Refer to the HCP Vault integrations documentation for a complete list of natively supported providers.
HCP Vault audit log streaming is available for all production-grade clusters. The feature is not available for Development tier clusters.
To configure audit log streaming, you will need:
An HCP account with the Admin or Contributor role assigned in HCP
A production-grade HCP Vault cluster
Example log aggregation service
Webhook.site is used for demonstration purposes and will generate a unique URL on first access.
Open a web browser and navigate to https://webhook.site/
Make note of the URL.
Leave this page open. You will return to the site when configuring HCP Vault.
Open a new web browser/tab and log in to the HCP Portal.
Navigate to the Vault clusters page.
Click the Vault cluster you wish to enable streaming for and click Audit Logs.
Click Enable log Streaming.
From the Select a provider view, select Generic HTTP Sink as the provider and click Next.
Under Add provider details, enter your unique URL from webhook.site in the URI field.
Click the Method pulldown menu and select POST. The generic HTTP sink supports PATCH, POST, and PUT methods. Verify the method(s) required for your specific logging service.
Click the Strategy pulldown menu. The generic HTTP sink supports either Basic (username and password) or Bearer (token) authentication.
Leave the Strategy menu blank - it is not required for webhook.site.
Leave the Headers (Optional) fields empty. Additional headers can be added to the request as key/value pairs.
Under Compression, select Disable. Compression allows you to choose whether to gzip logs sent to the logging service. Verify whether your logging service supports gzip log streaming.
Click the pulldown menu for Encoding codec and select JSON. The generic HTTP sink supports both JSON and NDJSON. When using JSON, the entire message will be sent as a single JSON array. When using NDJSON, each element is placed on a new line and not wrapped in brackets (
Leave the Payload prefix and Payload suffix empty. The optional prefix and suffix allow you to add a custom prefix and suffix to the message, which must be JSON formatted.
Audit logs will start to appear after a few minutes, though the process to enable audit logging in the HCP Portal may take up to 20 minutes.
At this time, HCP Vault only supports audit log streaming to one log endpoint at a time.
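The Encoding codec and Compression settings above decide what the receiving service has to parse. The following Python function is an added example, not part of the original tutorial or HashiCorp code, showing how a receiver could decode one request body for either codec, with or without gzip. It assumes the Payload prefix and suffix are empty, as configured above; `decode_sink_body`, `MAX_BYTES` and the sample events are hypothetical names and constructed data.

```python
import gzip
import json
import zlib

MAX_BYTES = 8 * 1024 * 1024  # assumed ceiling for one decompressed batch

# Constructed sample events; field names are illustrative, not real HCP output.
SAMPLE_EVENTS = [
    {"type": "request", "request": {"operation": "read", "path": "sys/health"}},
    {"type": "response", "request": {"operation": "read", "path": "sys/health"}},
]


def decode_sink_body(body: bytes, gzipped: bool = False) -> list:
    """Return the audit events carried in one generic HTTP sink request body."""
    if gzipped:
        # wbits=31 selects gzip framing. Ask for one byte more than the cap so
        # an oversized (or hostile) body is rejected instead of filling memory.
        d = zlib.decompressobj(wbits=31)
        body = d.decompress(body, MAX_BYTES + 1)
        if len(body) > MAX_BYTES:
            raise ValueError("decompressed batch exceeds MAX_BYTES")
        if not d.eof:
            raise ValueError("truncated gzip stream")
    elif len(body) > MAX_BYTES:
        raise ValueError("batch exceeds MAX_BYTES")
    text = body.decode("utf-8").strip()
    if not text:
        return []
    if text.startswith("["):
        events = json.loads(text)  # JSON codec: one array per request
    else:
        # NDJSON codec: one object per line, no enclosing brackets
        events = [json.loads(line) for line in text.splitlines() if line.strip()]
    if not all(isinstance(e, dict) for e in events):
        raise ValueError("expected a batch of JSON objects")
    return events


if __name__ == "__main__":
    as_json = json.dumps(SAMPLE_EVENTS).encode()
    as_ndjson = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS).encode()
    for body, gz in [(as_json, False), (as_ndjson, False), (gzip.compress(as_ndjson), True)]:
        print(len(decode_sink_body(body, gz)), "events")
```

Set `gzipped` according to the Compression option chosen in the HCP Portal, and size `MAX_BYTES` to the largest batch your service should accept.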
To edit an audit log streaming integration, perform the following steps.
From the Audit Logs page, click on the Manage drop-down, then Edit configuration.
Edit the configuration, then click Save.
To disable an audit log streaming integration, from the Audit Logs page, click on the Manage drop-down, then Disable streaming.