audit

The audit command groups subcommands for interacting with Vault's audit devices. Users can list, enable, and disable audit devices.

For more information, please see the audit device documentation.

Examples

Enable an audit device:

$ vault audit enable file file_path=/tmp/my-file.txt
Success! Enabled the file audit device at: file/

List all audit devices:

$ vault audit list
Path     Type    Description
----     ----    -----------
file/    file    n/a

Disable an audit device:

$ vault audit disable file/
Success! Disabled audit device (if it was enabled) at: file/

Note: Once an audit device is disabled, you will no longer be able to HMAC values for comparison with entries in the audit logs. This is true even if you re-enable the audit device at the same path, as a new salt will be created for hashing.

Usage

Usage: vault audit <subcommand> [options] [args]

  # ...

Subcommands:
    disable    Disables an audit device
    enable     Enables an audit device
    list       Lists enabled audit devices

For more information, examples, and usage about a subcommand, see that subcommand's section below.

audit disable

The audit disable command disables an audit device at a given path, if one exists. This command is idempotent, meaning it succeeds even if no audit device is enabled at the path.

Once an audit device is disabled, no future audit logs are dispatched to it. The data associated with the audit device is unaffected. For example, if you disabled an audit device that was logging to a file, the file would still exist and have stored contents.

Note: Once an audit device is disabled, you will no longer be able to HMAC values for comparison with entries in the audit logs. This is true even if you re-enable the audit device at the same path, as a new salt will be created for hashing.
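Both notes above (in the `audit` and `audit disable` sections) rest on the same mechanism: the audit device hashes sensitive fields with an HMAC keyed by a salt that Vault generates when the device is enabled and never exposes, so a value can only be matched against log entries while that salt exists. The following Python example is added here to illustrate that point; it is not part of Vault's code or of the original page. It models the audit hashing as HMAC-SHA256 keyed with the device salt, hex-encoded and prefixed `hmac-sha256:`, which is the format the file audit device writes. `SAMPLE_SALT`, the log line and the token values are constructed stand-ins; in a live cluster you would obtain the hash from Vault's `sys/audit-hash/:path` API rather than holding the salt yourself.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the random salt Vault stores for an audit device
# when it is enabled; the real salt never leaves Vault's storage.
SAMPLE_SALT = "constructed-salt-1234"


def audit_hmac(salt: str, value: str) -> str:
    """Hash a value the way the audit device does before writing it to the log:
    HMAC-SHA256 keyed with the device salt, hex-encoded, prefixed 'hmac-sha256:'."""
    digest = hmac.new(salt.encode(), value.encode(), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest


def make_sample_entry(salt: str, client_token: str) -> str:
    """Build a minimal constructed audit log line. Only auth.client_token is
    populated, in the position a real entry carries it; other fields are omitted."""
    entry = {
        "type": "response",
        "auth": {"client_token": audit_hmac(salt, client_token)},
        "request": {"path": "secret/data/demo", "operation": "read"},
    }
    return json.dumps(entry)


def matches_log_entry(salt: str, candidate: str, entry_json: str) -> bool:
    """True if `candidate` is the token that was HMACed into this log line.
    compare_digest keeps the comparison constant-time."""
    entry = json.loads(entry_json)
    expected = entry["auth"]["client_token"]
    return hmac.compare_digest(audit_hmac(salt, candidate), expected)


def re_enable_breaks_comparison(value: str) -> bool:
    """Model disable followed by re-enable at the same path: Vault creates a
    fresh salt for the new device, so the same value no longer hashes to what
    the old log lines contain. Returns True when the two hashes differ."""
    old_salt = secrets.token_hex(16)  # salt of the device that was disabled
    new_salt = secrets.token_hex(16)  # salt created on re-enable
    return audit_hmac(old_salt, value) != audit_hmac(new_salt, value)


if __name__ == "__main__":
    token = "hvs.constructed-token"  # constructed, not a real Vault token
    line = make_sample_entry(SAMPLE_SALT, token)
    print(line)
    print("candidate matches log entry:", matches_log_entry(SAMPLE_SALT, token, line))
    print("same value differs after re-enable:", re_enable_breaks_comparison(token))
```

Because the salt is per device and lost on disable, `matches_log_entry` can only ever be answered by the device (or by Vault's `sys/audit-hash` endpoint on its behalf) that wrote the entry; keeping the old audit log files does not preserve that ability.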

Examples

Disable the audit device enabled at "file/":

$ vault audit disable file/
Success! Disabled audit device (if it was enabled) at: file/

Usage

There are no flags beyond the standard set of flags included on all commands.

audit enable

The audit enable command enables an audit device at a given path. If an audit device already exists at the given path, an error is returned. Additional options for configuring the audit device are provided as KEY=VALUE. Each audit device declares its own set of configuration options.

Once an audit device is enabled, almost every request and response will be logged to the device.

Examples

Enable the audit device "file" at "file/":

$ vault audit enable file file_path=/tmp/my-file.txt
Success! Enabled the file audit device at: file/

Full configuration parameters for each audit device are available on the Audit Devices page.

Usage

The following flags are available in addition to the standard set of flags included on all commands.

  • -description (string: "") - Human-friendly description for the purpose of this audit device.

  • -local (bool: false) - Mark the audit device as a local-only device. Local devices are not replicated or removed by replication.

  • -path (string: "") - Place where the audit device will be accessible. This must be unique across all audit devices. This defaults to the "type" of the audit device.

audit list

The audit list command lists the enabled audit devices, along with the options configured for each device.

Examples

List all audit devices:

$ vault audit list
Path     Type    Description
----     ----    -----------
file/    file    n/a

List detailed audit device information:

$ vault audit list -detailed
Path     Type    Description    Replication    Options
----     ----    -----------    -----------    -------
file/    file    n/a            replicated     file_path=/var/log/audit.log

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.

Command options

  • -detailed (bool: false) - Print detailed information such as options and replication status about each audit device.
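The `-format=json` output is the form of `vault audit list` that scripts should consume rather than the table, since it carries the same fields `-detailed` shows (type, options, local flag) in a stable structure. The following Python script is an added example, not part of Vault or of the original page, showing a small defender-side check over that output: which devices replication will carry to other clusters (those not marked local) and whether a file device writes somewhere unsuitable for retained logs. `SAMPLE_LIST_JSON` is constructed in the shape `vault audit list -format=json` prints, a map keyed by mount path; the `/tmp` check is this example's own policy, chosen because the page's demo uses `/tmp/my-file.txt`.

```python
import json
import sys

# Constructed sample in the shape `vault audit list -format=json` prints:
# a map keyed by mount path, one object per enabled audit device.
SAMPLE_LIST_JSON = """
{
  "file/": {
    "type": "file",
    "description": "",
    "options": {"file_path": "/tmp/my-file.txt"},
    "local": false,
    "path": "file/"
  },
  "syslog/": {
    "type": "syslog",
    "description": "node-local syslog",
    "options": {"tag": "vault"},
    "local": true,
    "path": "syslog/"
  }
}
"""


def parse_audit_list(raw: str) -> dict:
    """Parse the JSON emitted by `vault audit list -format=json`."""
    return json.loads(raw)


def replicated_devices(devices: dict) -> list:
    """Mount paths of devices that replication will carry to other clusters,
    i.e. every device not marked local (see the -local flag of audit enable)."""
    return sorted(path for path, dev in devices.items() if not dev.get("local", False))


def audit_findings(devices: dict) -> list:
    """Return human-readable findings about the enabled audit devices."""
    findings = []
    if not devices:
        findings.append("no audit device is enabled; requests and responses are not being recorded")
    for path, dev in devices.items():
        file_path = dev.get("options", {}).get("file_path")
        # Example policy: a file device under /tmp is fine for a demo but not
        # for logs that must survive reboots and cleanup.
        if dev.get("type") == "file" and file_path and file_path.startswith("/tmp/"):
            findings.append(f"{path}: file_path {file_path} is under /tmp; not suitable for retained audit logs")
    return findings


if __name__ == "__main__":
    # Usage: vault audit list -format=json | python3 audit_check.py
    # Without piped input the constructed sample is used instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_JSON
    devices = parse_audit_list(raw)
    print("replicated devices:", replicated_devices(devices))
    for finding in audit_findings(devices):
        print("finding:", finding)
```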
