> For the complete documentation index, see [llms.txt](https://docs.enclaive.cloud/vault/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.enclaive.cloud/vault/api/system-backend/sys-audit.md). # /sys/audit The `/sys/audit` endpoint is used to list, enable, and disable audit devices. Audit devices must be enabled before use, and more than one device may be enabled at a time. ### List enabled audit devices This endpoint lists only the enabled audit devices (it does not list all available audit devices). * **`sudo` required** – This endpoint requires `sudo` capability in addition to any path-specific capabilities. | Method | Path | | ------ | ------------ | | `GET` | `/sys/audit` | #### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/audit ``` #### Sample response ```javascript { "file": { "type": "file", "description": "Store logs in a file", "options": { "file_path": "/var/log/vault.log" } } } ``` ### Enable audit device This endpoint enables a new audit device at the supplied path. The path can be a single word name or a more complex, nested path. * **`sudo` required** – This endpoint requires `sudo` capability in addition to any path-specific capabilities. | Method | Path | | ------ | ------------------ | | `POST` | `/sys/audit/:path` | #### Parameters * `path` `(string: )` – Specifies the path in which to enable the audit device. This is part of the request URL. * `description` `(string: "")` – Specifies a human-friendly description of the audit device. * `options` `(map: nil)` – Specifies configuration options to pass to the audit device itself. For more details, please see the relevant page for an audit device `type`, under Audit Devices docs. * `type` `(string: )` – Specifies the type of the audit device. Valid types are `file`, `socket` and `syslog`. Additionally, the following options are allowed in Vault open-source, but relevant functionality is only supported in Vault Enterprise: * `local` `(bool: false)` – Specifies if the audit device is local within the cluster only. Local audit devices are not replicated nor (if a secondary) removed by replication. #### Sample payload ```json { "type": "file", "options": { "file_path": "/var/log/vault/log" } } ``` #### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/sys/audit/example-audit ``` ### Disable audit device This endpoint disables the audit device at the given path. \~> Note: Once an audit device is disabled, you will no longer be able to HMAC values for comparison with entries in the audit logs. This is true even if you re-enable the audit device at the same path, as a new salt will be created for hashing. * **`sudo` required** – This endpoint requires `sudo` capability in addition to any path-specific capabilities. | Method | Path | | -------- | ------------------ | | `DELETE` | `/sys/audit/:path` | #### Parameters * `path` `(string: )` – Specifies the path of the audit device to delete. This is part of the request URL. #### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request DELETE \ http://127.0.0.1:8200/v1/sys/audit/example-audit ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.enclaive.cloud/vault/api/system-backend/sys-audit.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.