Activation Vault Audit log in a cluster deployed by Terraform

Hi folks,

We have Vault deployed with 5 nodes over three AZs in AWS using Terraform. Now we need to enable the Audit log for the cluster.
Are there any best practices for enabling Audit logs in a cluster in AWS?
I am wondering whether Terraform should run a script to enable Vault components; then it would be enabled on all nodes, so would that cause an issue?

I would appreciate it if you shared your experiences 🙂

Br,
Meraj

If all your nodes are part of the same cluster then you only need to enable the audit device once.

You can use Terraform’s Vault provider to manage audit devices as well.

1 Like

Thanks @jeffsanicola for your comment.
So what does it mean to have more than one audit device enabled?
For example, in our solution (Vault in a cluster), if we enable the audit device once, will it be replicated to all nodes?

Basically, have two types and/or two destinations enabled.
For instance, if you use the sockets method and the connectivity to your log server gets interrupted Vault will stop functioning until the connection is re-established.

For example, you could do two file audit devices (or one file and one syslog) with each pointing to a unique volume, so that if one volume reaches capacity the other audit device may continue to write to its target volume and allow Vault to maintain operation.
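To illustrate both answers above (managing audit devices once per cluster through the Terraform Vault provider, and enabling two independent devices so that a single full volume or broken log sink does not block Vault), here is an added Terraform example. It is not code from the original thread; the provider address, the mount paths `file_primary` and `syslog_secondary`, the log file path `/var/log/vault/audit.log` and the syslog tag are assumptions chosen for the example, and the `vault_audit` resource and its `type`, `path` and `options` arguments are those of the official Terraform Vault provider.

```hcl
# Added example (not from the thread). Assumes the Terraform Vault provider
# is configured against the cluster's load-balanced API address with a token
# that is allowed to manage audit devices (sys/audit is a root-protected path).
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {
  # Assumed: the cluster's API address; token taken from VAULT_TOKEN.
  address = "https://vault.example.internal:8200"
}

# Audit devices are cluster-wide configuration stored in Vault's own storage,
# so this resource is applied once and every node in the cluster sees it.
# Device 1: a file device on a dedicated volume (assumed mount point).
resource "vault_audit" "file_primary" {
  type        = "file"
  path        = "file_primary"
  description = "Primary audit device: file on its own volume"

  options = {
    file_path = "/var/log/vault/audit.log" # assumed path on a dedicated volume
    mode      = "0600"                     # restrict who can read the audit log
  }
}

# Device 2: syslog, so that if the file volume fills up Vault can still
# record each request to at least one device and keep serving traffic.
resource "vault_audit" "syslog_secondary" {
  type        = "syslog"
  path        = "syslog_secondary"
  description = "Secondary audit device: local syslog forwarded to the log server"

  options = {
    facility = "AUTH"
    tag      = "vault-audit" # assumed tag used by the syslog forwarding rule
  }
}
```

After `terraform apply`, `vault audit list -detailed` run against any node should show both devices, confirming that enabling them once was enough for the whole cluster. Keep the two destinations genuinely independent (separate volume, separate transport): Vault refuses requests when no enabled audit device can accept a log entry, so two devices sharing one failure point give no extra safety.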

1 Like