audit log in config


Sagar A

May 13, 2016, 4:10:56 AM
to Vault
Hi,

I'm trying to set up Vault in production in HA mode and would like to know how to add a config parameter to the Vault config file (server.hcl) equivalent to the command below, which I used when running Vault on a single VM with a Vault and a Consul instance on it.

vault audit-enable file path=/var/vcap/packages/log/vault_audit.log

My server.hcl in HA mode:

backend "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address       = "XXX.XXX.XXX.XXX:XXXX"
  tls_cert_file = "/var/vcap/jobs/vault/ssl/selfsigned.crt"
  tls_key_file  = "/var/vcap/jobs/vault/ssl/selfsigned.key"
}

Matt Button

May 13, 2016, 6:31:36 AM
to vault...@googlegroups.com
Hi Sagar,

It's not possible to configure audit logging from the config file.

As far as I understand it, the rationale for this is that enabling/disabling audit logging is protected by Vault's ACL system, and allowing users to specify the audit log in the config file would allow someone to sidestep the ACL system.

Matt

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/05fe45ee-e3e3-4d2a-a4a8-eafff7999c6b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Sagar A

Jun 16, 2016, 3:23:59 AM
to Vault
Thanks Matt for the clarification.

Jeff Mitchell

Jun 17, 2016, 5:28:28 AM
to vault...@googlegroups.com
Matt is correct -- generally speaking as much configuration as
possible is in Vault's internal state so that ACLs can be applied. The
only things in the config file are the things necessary to get Vault
up and ready for unseal keys.

Best,
Jeff


Will Pinney

Feb 24, 2017, 4:30:23 PM
to Vault
A follow-up question. If one executes "vault audit-enable syslog", but later Vault itself is restarted, does the "vault audit-enable syslog" command need to be executed every time Vault restarts?

Jeff Mitchell

Feb 24, 2017, 4:41:27 PM
to vault...@googlegroups.com
Hi Will,

Audit backends are mounts and they get persisted, so no!

Best,
Jeff

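An added example, not code from the thread or from HashiCorp: since audit devices are enabled through Vault's API (the sys/audit endpoints) rather than server.hcl, and persist across restarts as Jeff says, a provisioning script only needs to enable the file device once and can check the listing first. The helper functions below run offline against a constructed sys/audit response; ensure_file_audit() assumes a reachable Vault address and a token with sudo on sys/audit/* (sys/audit is a root-protected path).

```python
import json
import urllib.request

# Constructed sample of a GET /v1/sys/audit response (wrapped "data" form
# used by newer Vault versions; older versions return the map at top level).
SAMPLE_LISTING = {
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "file/": {"type": "file", "description": "",
                  "options": {"file_path": "/var/log/vault_audit.log"}},
        "syslog/": {"type": "syslog", "description": "", "options": {}},
    },
}


def audit_devices(listing):
    """Normalise a sys/audit listing to {mount_path: device_type}.

    Handles both the wrapped ("data") and top-level response shapes and
    strips the trailing slash Vault puts on mount paths ("file/")."""
    body = listing.get("data", listing)
    return {path.rstrip("/"): dev.get("type")
            for path, dev in body.items()
            if isinstance(dev, dict) and "type" in dev}


def enable_request(path, file_path):
    """Request body for PUT /v1/sys/audit/<path>: a 'file' audit device.

    The file_path option is the same value the CLI form in the thread
    passes as 'path=...' to 'vault audit-enable file'."""
    return {"type": "file", "options": {"file_path": file_path}}


def ensure_file_audit(addr, token, path="file",
                      file_path="/var/log/vault_audit.log"):
    """Enable the device only if absent; returns True when already present.

    Because audit devices are persisted in Vault's storage backend, a rerun
    after a restart should take the early-return branch, not re-enable."""
    hdrs = {"X-Vault-Token": token, "Content-Type": "application/json"}
    req = urllib.request.Request(f"{addr}/v1/sys/audit", headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        present = audit_devices(json.load(resp))
    if present.get(path) == "file":
        return True
    body = json.dumps(enable_request(path, file_path)).encode()
    req = urllib.request.Request(f"{addr}/v1/sys/audit/{path}", data=body,
                                 headers=hdrs, method="PUT")
    urllib.request.urlopen(req).close()  # Vault answers 204 No Content
    return False
```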