Vault Audit logs not showing up in syslog

Ola O

Mar 6, 2018, 8:33:34 AM

I have a vault-consul cluster of 5 nodes:

2 Vaults and 3 Consul backends.

Here is my Vault configuration:

backend "consul" {
  address = "127.0.0.1:8500"
  path = "vault/"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/etc/consul.d/ssl/crt.pem"
  tls_key_file = "/etc/consul.d/ssl/key.pem"
}
telemetry {
  statsd_address = "127.0.0.1:8125"
  disable_hostname = false
}

And my Consul config looks like this:

{
  "server": false,
  "datacenter": "Vikingsforlife",
  "data_dir": "/var/consul",
  "ca_file": "/etc/consul.d/ssl/ca.pem",
  "cert_file": "/etc/consul.d/ssl/crt.pem",
  "key_file": "/etc/consul.d/ssl/key.pem",
  "ui_dir": "/home/consul/dist",
  "log_level": "DEBUG",
  "enable_syslog": true,
  "start_join": ["10.43.166.153", "10.43.188.160", "10.43.134.75", "10.43.171.35"],
  "telemetry": {
    "statsd_address": "127.0.0.1:8125"
  }
}

When I enable the audit backend to syslog:

vault audit-enable syslog tag="vault" facility="AUTH"

I get:

Successfully enabled audit backend 'syslog' with path 'syslog'!

Path     Type                   Description                     Options
syslog/  syslog               facility=AUTH                 tag=vault

But when I check the syslog destination, I do not see any audit entries.

However, when I enable a file path:

vault audit-enable file file_path=/tmp/vault_audit.log

I can see these entries in the destination:

{"time":"2018-03-06T13:14:33Z","type":"request","auth":{"client_token":"","accessor":"","display_name":"","policies":null,"metadata":null},"request":{"id":"d94d724d-c8c2-e860-bad9-1c54a018491d","operation":"update","client_token":"","client_token_accessor":"","path":"auth/cert/login","data":null,"remote_address":"XX.XX.X.X","wrap_ttl":0,"headers":{}},"error":""

Am I missing something?

I would have written the logs to /var/log/ but I keep getting permission denied. What do I need to do to make this show up in syslog?

Jeff Mitchell

Mar 12, 2018, 4:02:39 PM

Hi there,

Are you sure that your syslog daemon is configured to log the AUTH facility to where you expect? Are you seeing any errors in Vault's log or the syslog daemon's log?

Best,
Jeff
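
The routing question in the reply above can be checked against the daemon's rule file. The following is an added example, not part of the thread and not Vault or rsyslog code: it resolves which destinations a set of classic selector lines gives to one facility and priority. The rule lines are constructed, and the "info" priority is an assumption.

```shell
#!/usr/bin/env bash
# Added example: list the destinations that sysklogd/rsyslog-style selector
# lines give to one facility.priority. Supports "*", "none" and the eight
# canonical priority names only (no "=" or "!" modifiers, no RainerScript).

# Constructed sample rules (not the poster's configuration).
sample_rules() {
cat <<'EOF'
# facility.priority             destination
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
*.emerg                         :omusrmsg:*
EOF
}

# Usage: destinations FACILITY PRIORITY < rules   (one destination per line)
destinations() {
  awk -v fac="$1" -v pri="$2" '
    BEGIN {
      n = split("debug info notice warning err crit alert emerg", names, " ")
      for (i = 1; i <= n; i++) level[names[i]] = i
    }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      hit = 0
      nsel = split($1, sel, ";")             # selectors apply left to right
      for (s = 1; s <= nsel; s++) {
        dot  = index(sel[s], ".")
        p    = substr(sel[s], dot + 1)
        nfac = split(substr(sel[s], 1, dot - 1), f, ",")
        for (k = 1; k <= nfac; k++) {
          if (f[k] != "*" && f[k] != fac) continue
          # A later selector for the same facility overrides an earlier one.
          if (p == "*")             hit = 1
          else if (p == "none")     hit = 0
          else if (p in level)      hit = (level[pri] >= level[p])
          else                      hit = 0  # unsupported priority syntax
        }
      }
      if (hit) { sub(/^-/, "", $2); print $2 }   # "-" only means "no sync"
    }'
}

# AUTH is the facility from the thread; "info" is an assumed priority.
sample_rules | destinations auth info
```

With these sample rules, AUTH messages land only in /var/log/auth.log, because the `auth,authpriv.none` selector excludes them from /var/log/syslog.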
