How to read the audit log in the syslog (hmac-sha256)


Will Pinney

Dec 20, 2016, 7:00:59 PM12/20/16
to Vault
Hi, All,

I am trying to decode the following message: 
Dec 20 18:56:41 vm-10-68-47-10 vault[14410]: {"time":"2016-12-20T23:56:41.792825492Z","type":"request","auth":{"display_name":"token-00-1E-67-9C-1B-C4-2016-12-20-18-56-41-376523605--0500-EST","policies":["default","service_token_readonly"],"metadata":null},"request":{"id":"2de256b9-ab99-f2d0-6c5b-00a649ed7cea","operation":"read","client_token":"hmac-sha256:6b6c7ec5e8bb51b827c759cc1f7083413a6e50a9a5af59bd2848b22498b54072","path":"service_token/second-marathon-web-proxy","data":null,"remote_address":"10.68.19.1","wrap_ttl":0},"error":""}

But I do not know how to read the bold parts. 

/var/log$ vault audit-list
Path     Type    Description  Options
syslog/  syslog  

/var/log$ vault list sys/
No value found at sys/
/var/log$ vault read /sys/audit-hash
No value found at sys/audit-hash
/var/log$ vault list /sys/audit-hash
No value found at sys/audit-hash/

Per the documentation, I can read hmac-sha256 hash vault when I have a /sys/audit_hash hash. But the directory is empty. 

Jeff Mitchell

Dec 20, 2016, 7:36:58 PM12/20/16
to vault...@googlegroups.com
Hi Will,

The HMAC cannot be decoded; this is on purpose. You can, however,
match against it -- that's what the sys/audit-hash endpoint is for.
You provide the audit path (for instance, the file backend defaults to
file, so sys/audit-hash/file) and perform a write, passing in the
string you want to match. The endpoint will give you that audit
backend's HMAC value for that string.

In 0.6.3+ the accessor is added to each request entry, and if
hmac_accessor is set to false, it will be in plaintext there too.

Best,
Jeff
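A small Python helper, added here as an example (not code from the thread or from Vault itself), that splits the syslog prefix from the JSON entry, lists the hmac-sha256 fields, and checks a candidate string against one of them either through a live write to sys/audit-hash/<device>, as Jeff describes, or through an offline stand-in that only mirrors the output format. The `input` request parameter and the `hash` response field are the documented shape of that endpoint; the vault_addr/vault_token/device parameters and the demo salt are assumptions for this example, since the real per-device salt never leaves Vault.

```python
import hashlib, hmac, json, re, urllib.request

# Sample input: the syslog line quoted in this thread (prefix + JSON audit entry).
SAMPLE_LINE = (
    'Dec 20 18:56:41 vm-10-68-47-10 vault[14410]: {"time":"2016-12-20T23:56:41.792825492Z",'
    '"type":"request","auth":{"display_name":"token-00-1E-67-9C-1B-C4-2016-12-20-18-56-41-376523605--0500-EST",'
    '"policies":["default","service_token_readonly"],"metadata":null},"request":{"id":"2de256b9-ab99-f2d0-6c5b-00a649ed7cea",'
    '"operation":"read","client_token":"hmac-sha256:6b6c7ec5e8bb51b827c759cc1f7083413a6e50a9a5af59bd2848b22498b54072",'
    '"path":"service_token/second-marathon-web-proxy","data":null,"remote_address":"10.68.19.1","wrap_ttl":0},"error":""}'
)
_SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ vault\[\d+\]: (?P<json>\{.*\})$")

def parse_syslog_entry(line):
    """Strip the syslog prefix and return the JSON audit entry as a dict."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a Vault syslog audit line")
    return json.loads(m.group("json"))

def hmac_fields(entry, prefix=""):
    """Map dotted field path -> every 'hmac-sha256:...' value found in the entry."""
    found = {}
    if isinstance(entry, dict):
        for k, v in entry.items():
            found.update(hmac_fields(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(entry, str) and entry.startswith("hmac-sha256:"):
        found[prefix] = entry
    return found

def vault_audit_hash(vault_addr, vault_token, device, value):
    """Ask a live Vault for the device's HMAC of value: POST sys/audit-hash/<device> (assumed reachable)."""
    req = urllib.request.Request(
        f"{vault_addr}/v1/sys/audit-hash/{device}",
        data=json.dumps({"input": value}).encode(),
        headers={"X-Vault-Token": vault_token, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
        return body.get("data", body)["hash"]

def local_audit_hash(salt, value):
    """Offline stand-in with the same output format; salt is a constructed demo value, not Vault's."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()

def entry_matches(entry, field, candidate, hasher):
    """True if hasher(candidate) equals the HMAC stored at dotted path `field` (constant-time compare)."""
    return hmac.compare_digest(hmac_fields(entry).get(field, ""), hasher(candidate))
```

With a live server, pass `lambda v: vault_audit_hash(addr, token, "syslog", v)` as the hasher to check a token you hold against the `request.client_token` field of an entry.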