audit enable
The audit enable command enables an audit device at a given path. If an audit device already exists at the given path, an error is returned. Additional options for configuring the audit device are provided as KEY=VALUE pairs. Each audit device declares its own set of configuration options.
Once an audit device is enabled, almost every request and response will be logged to the device.
Examples
Enable the "file" audit device at "file/":
$ vault audit enable file file_path=/tmp/my-file.txt
Success! Enabled the file audit device at: file/
Usage
The following flags are available in addition to the standard set of flags included on all commands.
-description (string: "") - Human-friendly description for the purpose of this audit device.
-local (bool: false) - Mark the audit device as a local-only device. Local devices are not replicated or removed by replication.
-path (string: "") - Place where the audit device will be accessible. This must be unique across all audit devices. This defaults to the "type" of the audit device.
All audit devices support the following common options which can be supplied after the flags documented above:
elide_list_responses (bool: false) - See Eliding list response bodies.
exclude (string: "") - Enterprise. Defines a set of rules such that, when the (optional) condition is matched, Vault removes the specified fields from the audit entry before writing to the audit log. Refer to the exclusion section of the auditing overview for more information.
fallback (bool: false) - Enterprise. Indicates whether the audit device is the fallback for filtering purposes. Vault only supports one fallback audit device at a time.
filter (string: "") - Enterprise. Sets an optional string used to filter the audit entries logged by the audit device. See the filtering section of the auditing overview for more information.
format (string: "json") - Allows selecting the output format. Valid values are "json" and "jsonx", which formats the normal log entries as XML.
hmac_accessor (bool: true) - If enabled, enables hashing of the token accessor.
log_raw (bool: false) - If enabled, logs the security-sensitive information without hashing, in raw format.
prefix (string: "") - A customizable string prefix to write before the actual log line.
For device specific options, refer to the relevant audit device type under the Audit Devices overview.
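The log_raw and hmac_accessor options decide whether tokens and accessors reach the log hashed or in the clear. The following check scans a file audit device's output for entries where they were written unhashed; it is an added example, not part of the Vault documentation, and assumes the JSON entry layout in which hashed values carry the "hmac-sha256:" prefix under auth.client_token and auth.accessor. The sample lines are constructed.

```python
# Added example (not from the Vault docs): check file audit device entries for
# secrets written in plaintext. Assumes the JSON entry layout, where hashed
# values carry the "hmac-sha256:" prefix. Sample lines are constructed.
import json

HMAC_PREFIX = "hmac-sha256:"
# Fields that stay hashed unless log_raw=true or hmac_accessor=false was set.
SENSITIVE_FIELDS = (("auth", "client_token"), ("auth", "accessor"))


def unhashed_fields(entry):
    """Return dotted names of sensitive fields present in plaintext."""
    found = []
    for parent, key in SENSITIVE_FIELDS:
        value = (entry.get(parent) or {}).get(key)
        # Missing or empty values (unauthenticated requests) are fine.
        if value and not str(value).startswith(HMAC_PREFIX):
            found.append(f"{parent}.{key}")
    return found


def scan_audit_log(lines):
    """Return (line_no, request_id, fields) for every offending entry.
    Unparseable lines are reported as "malformed" rather than skipped."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, None, ["malformed"]))
            continue
        bad = unhashed_fields(entry)
        if bad:
            findings.append((n, (entry.get("request") or {}).get("id"), bad))
    return findings


# Constructed sample: line 1 as written with defaults, line 2 as with
# log_raw=true, line 3 as with hmac_accessor=false, line 4 truncated.
SAMPLE_LOG = [
    '{"type":"request","auth":{"client_token":"hmac-sha256:ab12","accessor":"hmac-sha256:cd34"},"request":{"id":"r1","operation":"read","path":"secret/data/app"}}',
    '{"type":"request","auth":{"client_token":"hvs.EXAMPLE","accessor":"zq9k"},"request":{"id":"r2","operation":"read","path":"secret/data/app"}}',
    '{"type":"response","auth":{"client_token":"hmac-sha256:ab12","accessor":"zq9k"},"request":{"id":"r3","operation":"list","path":"secret/metadata/"}}',
    '{"type":"request","auth":{"client_token":"hmac-sha256:ab12"',
]

if __name__ == "__main__":
    for line_no, req_id, fields in scan_audit_log(SAMPLE_LOG):
        print(f"line {line_no} (request {req_id}): plaintext {', '.join(fields)}")
```

Any finding other than "malformed" means the device was enabled with log_raw=true or hmac_accessor=false and the log file itself must now be treated as secret material.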