File Audit Device
file audit device writes audit logs to a file. This is a very simple audit
device: it appends logs to a file.
The device does not currently assist with any log rotation. There are very stable and feature-filled log rotation tools already, so we recommend using existing tools.
SIGHUP to the Vault process will cause
file audit devices to close
and re-open their underlying file, which can assist with log rotation needs.
Enable at the default path:
$ vault audit enable file file_path=/var/log/vault_audit.log
Enable at a different path. It is possible to enable multiple copies of an audit device:
$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
Enable logs on stdout. This is useful when running in a container:
$ vault audit enable file file_path=stdout
Note the difference between
audit enable command options and the
configuration options. Use
vault audit enable -help to see the command options.
file audit device supports the common configuration options documented on
the main Audit Devices page, and
these device-specific options:
(string: <required>)- The path to where the audit log will be written. If a file already exists at the given path, the audit backend will append to it. There are some special keywords:
(string: "0600")- A string containing an octal number representing the bit pattern for the file mode, similar to
chmod. Set to
"0000"to prevent Vault from modifying the file mode.
Log File Rotation
To properly rotate Vault File Audit Device log files on BSD, Darwin, or Linux-based Vault servers, it is important that you configure your log rotation software to send the
vault process a signal hang up /
SIGHUP after each rotation of the log file.