mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/api-docs/system/audit.mdx
Erica Thompson 0660ea6fac
Update README (#31244) 
* Update README

Let contributors know that docs will now be located in UDR

* Add comments to each mdx doc

Comment has been added to all mdx docs that are not partials

* chore: added changelog

changelog check failure

* wip: removed changelog

* Fix content errors

* Doc spacing

* Update website/content/docs/deploy/kubernetes/vso/helm.mdx

Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>

---------

Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com>
Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
2025-07-22 08:12:22 -07:00

140 lines
4.1 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: api
page_title: /sys/audit - HTTP API
description: The `/sys/audit` endpoint is used to enable and disable audit devices.
---
> [!IMPORTANT]
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
# `/sys/audit`
@include 'alerts/restricted-root.mdx'
The `/sys/audit` endpoint is used to list, enable, and disable audit devices.
Audit devices must be enabled before use, and more than one device may be
enabled at a time.
## List enabled audit devices
This endpoint lists only the enabled audit devices (it does not list all
available audit devices).
- **`sudo` required** This endpoint requires `sudo` capability in addition to
any path-specific capabilities.
| Method | Path |
|:-------|:-------------|
| `GET` | `/sys/audit` |
### Sample request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/audit
```
### Sample response
```javascript
{
"file": {
"type": "file",
"description": "Store logs in a file",
"options": {
"file_path": "/var/log/vault.log"
}
}
}
```
## Enable audit device
This endpoint enables a new audit device at the supplied path. The path can be a
single word name or a more complex, nested path.
- **`sudo` required** This endpoint requires `sudo` capability in addition to
any path-specific capabilities.
| Method | Path |
|:-------|:-------------------|
| `POST` | `/sys/audit/:path` |
### Parameters
- `path` `(string: <required>)` Specifies the path in which to enable the audit
device. This is part of the request URL.
- `description` `(string: "")` Specifies a human-friendly description of the
audit device.
- `options` `(map<string|string>: nil)` Specifies configuration options to pass to the audit device itself.
There are a set of [common options](#common-configuration-options)
which can be applied to all types of audit device.
For more details, please see the relevant page for an audit device `type`,
under [Audit Devices docs](/vault/docs/audit).
- `type` `(string: <required>)` Specifies the type of the audit device.
Valid types are `file`, `socket` and `syslog`.
Additionally, the following options are allowed in Vault Community Edition, but
relevant functionality is only supported in Vault Enterprise:
- `local` `(bool: false)` Applies exclusively to performance replication. Specifies if the audit device is local within the cluster only. Local
audit devices are not replicated nor (if a secondary) removed by replication.
#### Common configuration options
@include 'audit-options-common.mdx'
### Sample payload
```json
{
"type": "file",
"options": {
"file_path": "/var/log/vault/log"
}
}
```
### Sample request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/audit/example-audit
```
## Disable audit device
This endpoint disables the audit device at the given path.
~> Note: Once an audit device is disabled, you will no longer be able to HMAC values
for comparison with entries in the audit logs. This is true even if you re-enable
the audit device at the same path, as a new salt will be created for hashing.
- **`sudo` required** This endpoint requires `sudo` capability in addition to
any path-specific capabilities.
| Method | Path |
|:---------|:-------------------|
| `DELETE` | `/sys/audit/:path` |
### Parameters
- `path` `(string: <required>)` Specifies the path of the audit device to
delete. This is part of the request URL.
### Sample request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/sys/audit/example-audit
```
Reference in New Issue View Git Blame Copy Permalink