Just got the Vault App for Splunk receiving Vault audit log events, using:
But it required some extra work on my part.
Initially, I attempted to give the vault group read permission on the Vault audit device file, and include the user running Fluentd (td-agent) in that group. However, it seemed like Vault was periodically changing the permission on that audit log file back to user read/write only (i.e., from 640 to 600).
Either way, Splunk was seeing lots of telemetry, but no Vault audit events, at this point.
Then I found someone suggesting, on an unrelated Fluentd GitHub issue, using file ACL permissions instead, and this did the trick. Specifically, after installing the acl package, this:

```
sudo setfacl -m 'u:td-agent:r' /path/to/vault-audit.log
```

continues to persist Fluentd's access to the log file (for now, anyway), and Vault audit log events are hitting Splunk.
Not sure whether you want to update the tutorial to address this. There are also a few typos, on the example log file paths, and the private IP for the Splunk server, but those are easy to spot.
Anyway, just thought I’d flag it up. Great tutorial!
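One check worth having next to the setfacl workaround above (an added example, not part of the post or of Vault, Fluentd or the Splunk app): a named `user:` ACL entry only grants what the `mask::` entry allows, and on Linux a plain chmod on a file that carries an extended ACL rewrites that mask. So a monitoring script that only greps for `user:td-agent:r--` can report access that has silently become ineffective. The function below parses `getfacl` output and reports the effective read permission for a user, taking the mask into account; the two ACL listings are constructed samples, the file path and user name are assumptions, and the optional live check shells out to `getfacl` only when it is installed.

```shell
#!/bin/sh
# effective_read USER ACL_TEXT
#   Prints "yes" if USER has an effective read permission in the given
#   getfacl(1) listing, "no" otherwise. Effective permission for a named
#   user entry is the entry ANDed with the mask entry (acl(5)).
effective_read() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    /^#/ { next }                              # skip "# file:", "# owner:", ...
    $1 == "user" && $2 == u { entry = $3 }     # named user entry, e.g. user:td-agent:r--
    $1 == "mask" && $2 == "" { mask = $3 }     # mask entry, e.g. mask::r--
    END {
      if (entry == "") { print "no"; exit }    # no named entry for this user at all
      if (mask == "") mask = "rwx"             # no mask: minimal ACL, entry applies as-is
      if (substr(entry, 1, 1) == "r" && substr(mask, 1, 1) == "r") print "yes"; else print "no"
    }'
}

# check_live_acl USER PATH
#   Same test against a real file. Returns 0 when USER can effectively read PATH,
#   1 when it cannot, 2 when getfacl is not available. Not exercised below.
check_live_acl() {
  command -v getfacl >/dev/null 2>&1 || return 2
  [ "$(effective_read "$1" "$(getfacl -p "$2" 2>/dev/null)")" = yes ]
}

# Constructed sample: state right after "setfacl -m u:td-agent:r" (assumed path/user).
ACL_AFTER_SETFACL='# file: /var/log/vault/vault-audit.log
# owner: vault
# group: vault
user::rw-
user:td-agent:r--
group::---
mask::r--
other::---'

# Constructed sample: same file after something ran "chmod 600" on it. The named
# entry is still listed, but the mask is now "---" so td-agent gets nothing.
ACL_AFTER_CHMOD_600='# file: /var/log/vault/vault-audit.log
# owner: vault
# group: vault
user::rw-
user:td-agent:r--                 #effective:---
group::---
mask::---
other::---'

# Constructed sample: a minimal ACL (no extended entries), only the owner can read.
ACL_MODE_600_ONLY='# file: /var/log/vault/vault-audit.log
# owner: vault
# group: vault
user::rw-
group::---
other::---'

# Stand-alone run: print the verdict for each sample.
for name in ACL_AFTER_SETFACL ACL_AFTER_CHMOD_600 ACL_MODE_600_ONLY; do
  eval "acl=\$$name"
  printf '%-22s td-agent read: %s\n' "$name" "$(effective_read td-agent "$acl")"
done
```

For a real deployment the useful part is `check_live_acl td-agent /path/to/vault-audit.log` run from cron or a health check: a non-zero exit is the signal to re-apply the ACL or look at what changed the file mode, rather than waiting for audit events to stop showing up in Splunk.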