Audit Log on DR nodes

I can’t find any traces of operations performed in the user interface on DR nodes.
Audit is enabled on file and correctly logs activity on the primary leader node.
So, no audit logs are logged for DR nodes?

Can you confirm whether you are speaking of the Vault Enterprise DR replication feature, or using DR in some other colloquial way?

IIUC, Vault Enterprise DR clusters do not perform any user API operations at all, so it would make sense for their audit logs to be empty.

What kinds of operations are being performed, that you think should show up there?

I confirm: Vault Enterprise DR replication.
Simply browsing via the UI on any of the DR nodes, logged in via a root token.

Hmm… I no longer work at an organization with a Vault Enterprise license, so I don’t have any way to test, but I was under the impression that a DR Secondary cluster could not be accessed other than via a DR Operation Token.

It is possible there is an undocumented exception for root tokens.

If, by browsing the UI, you just mean the various system status pages of the UI, then I wonder if possibly they are only using API paths that are not audit logged anyway? Certain paths are exempt from audit logging.

On the other hand, if you are actually managing to browse secrets engines on a DR Secondary cluster… I had no idea that was possible.

Is it possible your requests are actually being sent to the primary cluster for processing, and appear in the primary cluster’s audit logs?

I cannot manage secrets via the UI.
I can browse and operate things such as:

Promote cluster

Generate operation token

Update primary

and monitor the WAL index state

So, if I can promote the DR via the UI, I think it must be audited.

Actually, no, many of the lower level status or management endpoints bypass the audit log completely.

I submitted a PR to the documentation to document this back in December but got no response - Docs: fix inaccurate claim that audit log contains all requests by maxb · Pull Request #18510 · hashicorp/vault · GitHub - that PR just lists the relevant endpoints in Vault open-source, but I would not be surprised to find the same applies to some of the Enterprise-only administration endpoints too.
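
Added example, not part of the thread and not Vault's own code: one way to check a file audit device log (one JSON object per line) for the DR operations named above and report which of them never appear. The endpoint paths and the sample log lines are assumptions constructed for illustration; they do not show which paths Vault actually audits.

```python
import json

# Assumed API paths for the DR operations named in the thread; adjust to
# the Vault version you run.
WATCHED = (
    "sys/replication/dr/secondary/promote",
    "sys/replication/dr/secondary/update-primary",
    "sys/replication/dr/secondary/generate-operation-token",
)

def audited_counts(lines, prefixes=WATCHED):
    """Return ({prefix: request entries seen}, unparseable line count)."""
    counts = {p: 0 for p in prefixes}
    skipped = 0
    for raw in lines:
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # e.g. a line truncated by log rotation
            continue
        # Each call is logged as a "request" and a "response" entry;
        # count only the request so one call is one hit.
        if not isinstance(entry, dict) or entry.get("type") != "request":
            continue
        request = entry.get("request")
        path = request.get("path") if isinstance(request, dict) else None
        path = (path or "").lstrip("/")
        for p in prefixes:
            if path == p or path.startswith(p + "/"):
                counts[p] += 1
    return counts, skipped

def never_audited(lines, prefixes=WATCHED):
    """Watched prefixes with no request entry in the log."""
    counts, _ = audited_counts(lines, prefixes)
    return sorted(p for p, n in counts.items() if n == 0)

# Constructed sample lines (not real Vault output, not evidence of what is audited).
SAMPLE = [
    '{"type":"request","request":{"operation":"read","path":"secret/data/app"}}',
    '{"type":"request","request":{"operation":"update","path":"sys/replication/dr/secondary/promote"}}',
    '{"type":"response","request":{"operation":"update","path":"sys/replication/dr/secondary/promote"}}',
    '{"type":"request","request":{"path":"sys/repl',
]

if __name__ == "__main__":
    print(audited_counts(SAMPLE), never_audited(SAMPLE))
```

Run it against the audit file of the node where the operation was performed, right after performing it; a watched path that stays at zero was not recorded by that audit device.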