mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 23:21:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
64 lines
2.6 KiB
Plaintext
64 lines
2.6 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Syslog - Audit Devices
|
|
description: The "syslog" audit device writes audit logs to syslog.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Syslog audit device
|
|
|
|
The `syslog` audit device writes audit logs to syslog.
|
|
|
|
It currently does not support a configurable syslog destination, and always
|
|
sends to the local agent. This device is only supported on Unix systems,
|
|
and should not be enabled if any standby Vault instances do not support it.
|
|
|
|
~> **Warning**: Audit messages generated for some operations can be quite
|
|
large, and can be larger than a [maximum-size single UDP
|
|
packet](https://tools.ietf.org/html/rfc5426#section-3.1). If possible with your
|
|
syslog daemon, configure a TCP listener. Otherwise, consider using a `file`
|
|
backend and having syslog configured to read entries from the file; or, enable
|
|
both `file` and `syslog` so that a failure for a particular message to log
|
|
directly to `syslog` will not result in Vault being blocked.
|
|
|
|
## Examples
|
|
|
|
Audit `syslog` device can be enabled by the following command:
|
|
|
|
```shell-session
|
|
$ vault audit enable syslog
|
|
```
|
|
|
|
Supply configuration parameters via K=V pairs:
|
|
|
|
```shell-session
|
|
$ vault audit enable syslog tag="vault" facility="AUTH"
|
|
```
|
|
|
|
## Configuration
|
|
|
|
The `syslog` audit device supports the common configuration options documented on
|
|
the [main Audit Devices page](/vault/docs/audit#common-configuration-options), and
|
|
these device-specific options:
|
|
|
|
- `facility` `(string: "AUTH")` - The syslog facility to use.
|
|
|
|
- `tag` `(string: "vault")` - The syslog tag to use.
|
|
|
|
|
|
## Notes
|
|
|
|
If the items written to the syslog audit device are larger than the syslog host's configured maximum socket
|
|
send buffer, then Vault will log an error such as this example:
|
|
|
|
```
|
|
[ERROR] audit: backend failed to log response: backend=syslog/ error=write unixgram ->/var/run/log: write: message too long
|
|
[ERROR] core: failed to audit response: request_path=pki/certs/ error=1 error occurred:
|
|
* no audit backend succeeded in logging the response
|
|
```
|
|
|
|
To remediate this, consult the [Linux Programmer's Manual manual page for socket(7)] (https://man7.org/linux/man-pages/man7/socket.7.html) to
|
|
increase socket send buffer size.
|