This tutorial covers configuration of HCP Vault audit logs streaming to your existing Elasticsearch environment. Elastic Cloud is used for demonstration purposes, but any Elasticsearch environment should work.
HCP Vault audit logs streaming is available for all production grade clusters. The feature is not available for Development tier clusters.
To configure audit logs streaming to Elasticsearch, you will need to have:
An HCP account with the Admin or Contributor role assigned in HCP
A production grade HCP Vault cluster
An Elasticsearch cluster created in Elastic Cloud, with permission to create a role and a user.
To configure HCP Vault audit log streaming to Elasticsearch, you must provide an endpoint URL, username, and password for a user that has been assigned a role with adequate permission to the Elasticsearch cluster.
Log in to the Elastic Cloud console and navigate to the stack management security page.
Click Roles, then click Create role.
Enter hcp-vault-log-streaming in the Role name textbox.
In the Cluster privileges pull down, select monitor.
Under Index privileges, enter * in the Indices pulldown menu.
Click the Privileges pulldown menu and select the following:
Click Create role.
From the stack management security page, click Users.
Click Create user.
Enter hcp-vault-log-streaming in the Username textbox.
Enter a secure password in the Password and Confirm password textboxes. Make note of the username and password; you will need them to configure audit log streaming in the HCP Portal.
Click the Roles pulldown menu and select the hcp-vault-log-streaming role.
Click Create user.
Click Manage for the Elastic Cloud deployment you wish to send HCP Vault audit logs to.
Under Applications, click Copy endpoint for Elasticsearch. Make note of the endpoint URL; you will need it to configure audit log streaming in the HCP Portal.
The URL will be in the format of
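The same role and user can be created through the Elasticsearch security API rather than the Kibana UI, and the streaming user's effective grants can be verified before the credentials are entered in the HCP Portal. This is an added example, not part of the tutorial or of HCP Vault; it assumes the environment variables ES_URL (the endpoint copied above), ES_ADMIN_AUTH (user:password of an account allowed to manage security) and ES_STREAM_PW (the password for the streaming user), and the index privileges list is a placeholder to be filled with the values ticked in the UI.

```shell
#!/usr/bin/env bash
# Added example: create the hcp-vault-log-streaming role and user via the
# Elasticsearch security API and confirm the user's effective privileges.
# Assumed (not from the tutorial): ES_URL, ES_ADMIN_AUTH, ES_STREAM_PW.
set -euo pipefail

ROLE_NAME="hcp-vault-log-streaming"
USER_NAME="hcp-vault-log-streaming"
# Placeholder: replace with the index privileges selected in the UI, as a
# comma-separated list of JSON strings, e.g. '"priv_a","priv_b"'.
INDEX_PRIVILEGES='"INDEX_PRIVILEGE_PLACEHOLDER"'

# Escape a value for embedding in a JSON string (backslash and double quote).
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Body for PUT /_security/role/<name>: "monitor" on the cluster, the chosen
# privileges on every index ("*"), mirroring the UI steps above.
role_body() {
  printf '{"cluster":["monitor"],"indices":[{"names":["*"],"privileges":[%s]}]}' \
    "$INDEX_PRIVILEGES"
}

# Body for PUT /_security/user/<name>: password plus only the role above.
user_body() {
  printf '{"password":"%s","roles":["%s"]}' "$(json_escape "$1")" "$ROLE_NAME"
}

# Body for GET /_security/user/_has_privileges, sent as the streaming user:
# confirms the grants HCP Vault needs are present without relying on the UI.
has_privileges_body() {
  printf '{"cluster":["monitor"],"index":[{"names":["*"],"privileges":[%s]}]}' \
    "$INDEX_PRIVILEGES"
}

# Authenticated JSON request helper using the admin credentials.
es_admin() { curl -sS -f -u "$ES_ADMIN_AUTH" -H 'Content-Type: application/json' "$@"; }

create_role() { es_admin -X PUT "$ES_URL/_security/role/$ROLE_NAME" -d "$(role_body)"; }
create_user() { es_admin -X PUT "$ES_URL/_security/user/$USER_NAME" -d "$(user_body "$ES_STREAM_PW")"; }

# Run as the streaming user itself, so inherited or missing grants show up.
check_user() {
  curl -sS -f -u "$USER_NAME:$ES_STREAM_PW" -H 'Content-Type: application/json' \
    -X GET "$ES_URL/_security/user/_has_privileges" -d "$(has_privileges_body)"
}
```

Run create_role, create_user and then check_user; a response with "has_all_requested": true means the credentials are ready to enter under Elastic configuration in the HCP Portal.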
Log in to the HCP Portal and navigate to the Vault clusters page.
Click the Vault cluster you wish to enable streaming for and click Audit Logs.
Click Enable log Streaming.
From the Enable audit logs streaming view, select Elastic as the provider and click Next.
Under Elastic configuration, enter the Endpoint URL, Elastic user, and Elastic password created in the Create IAM user section.
At this time, HCP Vault only supports audit logs streaming to one log endpoint at a time.
Refer to the Elastic documentation for details on log exploration.
To edit an audit log streaming integration, perform the following steps.
From the Audit Logs page, click on the Manage drop-down, then Edit configuration.
Edit the configuration, then click Save.
To disable an audit log streaming integration, from the Audit Logs page, click on the Manage drop-down, then Disable streaming.