Audit logs for HA vault

So, I have made an HA vault cluster, backed by Consul. I need audit logs to be collected. I tried
vault audit enable file file_path=/var/log/vault/audit.log
and got

Error enabling audit device: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/audit/file
Code: 400. Errors:

  • sanity check failed; unable to open "/var/log/vault/audit.log" for writing: mkdir /var/log/vault: permission denied

so I tried
vault audit enable file file_path=/home/vault/audit.log

Error enabling audit device: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/audit/file
Code: 400. Errors:

  • sanity check failed; unable to open "/home/vault/audit.log" for writing: mkdir /home/vault: permission denied

/home/vault on this machine (it is one vault node) is certainly writeable by vault. So maybe it is trying… on some other machine.

I tried

vault audit enable syslog tag="vault"

and it said it worked, but I see no audit logs in /var/log/syslog

Where is it putting logs? How do I see them?

It is trying to create the file on the master node even if you enable the audit log on any of the standby nodes.
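
A preflight check for the situation in the answer above, as an added example that is not part of the original thread: it reports whether the local node is the active one and whether the audit file's directory is usable there. It assumes POSIX sh and that it is run as the Vault service user on every node, since any node may become active after a failover; the function names and sample JSON are constructed, and `is_self` is the field returned by Vault's `/v1/sys/leader` endpoint.

```shell
#!/bin/sh
# Added example (hypothetical helper names): preflight for a file audit device.
# Run on EVERY Vault node as the Vault service user, before "vault audit enable file".
# Live usage: preflight "$(curl -s "$VAULT_ADDR/v1/sys/leader")" /var/log/vault/audit.log

# Constructed sample of a /v1/sys/leader response as seen from a standby node.
SAMPLE_LEADER_JSON='{"ha_enabled":true,"is_self":false,"leader_address":"http://10.0.0.11:8200"}'

# Print the boolean "is_self" field from a sys/leader JSON body.
# Returns 1 when the field is absent or not true/false.
leader_is_self() {
    val=$(printf '%s' "$1" | tr -d ' \n\t' | sed -n 's/.*"is_self":\([a-z]*\).*/\1/p')
    case "$val" in
        true|false) printf '%s\n' "$val" ;;
        *) return 1 ;;
    esac
}

# Check that the audit file's parent directory exists and is writable by the
# user running this script. Prints ok, missing-dir or not-writable.
check_audit_path() {
    dir=$(dirname "$1")
    if [ ! -d "$dir" ]; then echo missing-dir; return 1; fi
    if [ ! -w "$dir" ]; then echo not-writable; return 1; fi
    # An existing log file must itself be writable.
    if [ -e "$1" ] && [ ! -w "$1" ]; then echo not-writable; return 1; fi
    echo ok
}

# One report line for this node. $1 = sys/leader JSON, $2 = audit file path.
# Exit status: 0 path usable, 1 path problem, 2 role could not be determined.
preflight() {
    self=$(leader_is_self "$1") || { echo "role=unknown audit_path=unchecked"; return 2; }
    if [ "$self" = true ]; then role=active; else role=standby; fi
    rc=0
    status=$(check_audit_path "$2") || rc=1
    echo "role=$role audit_path=$status"
    return $rc
}
```

A node that reports `role=standby audit_path=ok` while the active node reports `missing-dir` matches the symptom in the question: the local path looks fine, but the sanity check fails elsewhere.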