Audit

Audit backends are the components in Vault that keep a detailed log of all requests and responses to Vault. Because every operation with Vault is an API request/response, the audit log contains every interaction with Vault, including errors.

Vault ships with multiple audit backends, depending on the location you want the logs sent to. Multiple audit backends can be enabled, and Vault will send the audit logs to each of them. This allows you to not only have a redundant copy, but also a second copy in case the first is tampered with.
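One way to use that second copy, as an added example that is not part of this library: a small checker that compares two audit log copies and reports entries that are missing or differ. The sample lines are constructed, and the field layout (type, request.id, request.operation, request.path) and the syslog line prefix are assumptions about the log format.

```python
import json

# Constructed sample data: the same activity as captured by a file backend
# and by a syslog backend. In the file copy the r2 entry has been removed
# and the path of r3 has been altered.
FILE_COPY = """\
{"type": "request", "request": {"id": "r1", "operation": "read", "path": "secret/app"}}
{"type": "response", "request": {"id": "r1", "operation": "read", "path": "secret/app"}}
{"type": "request", "request": {"id": "r3", "operation": "read", "path": "secret/app"}}
"""
SYSLOG_COPY = """\
Jan  5 10:00:01 host vault[123]: {"type": "request", "request": {"id": "r1", "operation": "read", "path": "secret/app"}}
Jan  5 10:00:01 host vault[123]: {"type": "response", "request": {"id": "r1", "operation": "read", "path": "secret/app"}}
Jan  5 10:00:07 host vault[123]: {"type": "request", "request": {"id": "r2", "operation": "update", "path": "sys/policy/admin"}}
Jan  5 10:00:09 host vault[123]: {"type": "request", "request": {"id": "r3", "operation": "read", "path": "secret/db"}}
"""


def load_entries(text):
    """Index audit entries by (type, request id), keeping only plain fields.

    Values that Vault hashes are left out: each audit backend salts them
    separately, so they are not comparable between copies.
    """
    entries = {}
    for line in text.splitlines():
        start = line.find("{")  # skip any syslog prefix before the JSON
        if start < 0:
            continue
        try:
            record = json.loads(line[start:])
        except ValueError:
            continue  # not an audit entry
        req = record.get("request")
        if not isinstance(req, dict) or "id" not in req:
            continue
        key = (str(record.get("type")), str(req["id"]))
        entries[key] = (req.get("operation"), req.get("path"))
    return entries


def compare_copies(first, second):
    """Return entries missing from either copy and entries that disagree."""
    a, b = load_entries(first), load_entries(second)
    return {
        "missing_in_first": sorted(b.keys() - a.keys()),
        "missing_in_second": sorted(a.keys() - b.keys()),
        "mismatched": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }
```

Any non-empty result is a reason to investigate which copy was changed and by whom.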

API

Enabling/Disabling syslog backend:

yield from client.audit.enable('syslog')
yield from client.audit.disable('syslog')

Enabling/Disabling file backend:

yield from client.audit.enable('file', path='/path/to/file')
yield from client.audit.disable('file')

List enabled backends:

yield from client.audit.items()

Internals

class AuditEndpoint(req_handler)
task enable(name, *, type=None, description=None, **options)

Enable an audit backend.

Parameters:
  • name (str) – The audit name
  • type (str) – The type of the audit backend
  • description (str) – A description of the audit backend for operators
  • options (dict) – An object of options to configure the backend. This is dependent on the backend type
Returns: bool

task disable(name)

Disable the given audit backend.

Parameters: name (str) – The audit name
Returns: bool

task get(name)

Returns audit backend.

Parameters: name (str) – The audit backend name
Returns: dict

task items()

List the enabled audit backends.

Backends

class FileBackend(name, req_handler)

The file audit backend writes audit logs to a file.

validate(*, path, log_raw=False)

Configure audit backend.

Parameters:
  • path (str) – The path to where the file will be written. If this path exists, the audit backend will append to it
  • log_raw (bool) – Whether security-sensitive information should be logged raw

class SyslogBackend(name, req_handler)

The syslog audit backend writes audit logs to syslog.

validate(*, facility='AUTH', tag='vault', log_raw=False)

Configure audit backend.

Parameters:
  • facility (str) – The syslog facility to use
  • tag (str) – The syslog tag to use
  • log_raw (bool) – Whether security-sensitive information should be logged raw