# /sys/audit The `/sys/audit` endpoint is used to list, enable, and disable audit devices. Audit devices must be enabled before use, and more than one device may be enabled at a time. ### List enabled audit devices This endpoint lists only the enabled audit devices (it does not list all available audit devices). * **`sudo` required** – This endpoint requires `sudo` capability in addition to any path-specific capabilities. | Method | Path | | ------ | ------------ | | `GET` | `/sys/audit` | #### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/audit ``` #### Sample response ```javascript { "file": { "type": "file", "description": "Store logs in a file", "options": { "file_path": "/var/log/vault.log" } } } ``` ### Enable audit device This endpoint enables a new audit device at the supplied path. The path can be a single word name or a more complex, nested path. * **`sudo` required** – This endpoint requires `sudo` capability in addition to any path-specific capabilities. | Method | Path | | ------ | ------------------ | | `POST` | `/sys/audit/:path` | #### Parameters * `path` `(string: )` – Specifies the path in which to enable the audit device. This is part of the request URL. * `description` `(string: "")` – Specifies a human-friendly description of the audit device. * `options` `(map: nil)` – Specifies configuration options to pass to the audit device itself. For more details, please see the relevant page for an audit device `type`, under Audit Devices docs. * `type` `(string: )` – Specifies the type of the audit device. Valid types are `file`, `socket` and `syslog`. Additionally, the following options are allowed in Vault open-source, but relevant functionality is only supported in Vault Enterprise: * `local` `(bool: false)` – Specifies if the audit device is local within the cluster only. Local audit devices are not replicated nor (if a secondary) removed by replication. #### Sample payload ```json { "type": "file", "options": { "file_path": "/var/log/vault/log" } } ``` #### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/sys/audit/example-audit ``` ### Disable audit device This endpoint disables the audit device at the given path. \~> Note: Once an audit device is disabled, you will no longer be able to HMAC values for comparison with entries in the audit logs. This is true even if you re-enable the audit device at the same path, as a new salt will be created for hashing. * **`sudo` required** – This endpoint requires `sudo` capability in addition to any path-specific capabilities. | Method | Path | | -------- | ------------------ | | `DELETE` | `/sys/audit/:path` | #### Parameters * `path` `(string: )` – Specifies the path of the audit device to delete. This is part of the request URL. #### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request DELETE \ http://127.0.0.1:8200/v1/sys/audit/example-audit ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.enclaive.cloud/vault/api/system-backend/sys-audit.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.