History of operations over the secret

Does anyone know whether Vault supports an undeletable changelog/change history over the secrets? To know who did what and when.

You would need to use an Audit Device to capture this information.

Vault can maintain a set of versions for KV secrets but as far as I’m aware it does not track who. For that you’d need to inspect the audit logs.


Audit is a nice feature indeed! (on paper at least).
Thank you!

Yet for Vault as a storage of secrets generally (hope company staff reads this), it would be so logical to track a changelog on secrets.

@jeffsanicola has the right answer, just need to be careful with it.

  1. It does contain sensitive information.
  2. If you use a file device and fill up the partition where the file exists, your Vault instance will stop responding until that’s resolved. I highly recommend using at least two different audit types, socket and file … as long as one of them is viable there is no issue.
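As an added example (my own, not from this thread or from HashiCorp), here is a small Python script that turns lines from Vault's JSON file audit device into the "who did what and when" view asked for above, while skipping reads, denied writes and a partial last line of the kind a full partition or crash can leave behind. The log lines are constructed samples in the field layout the audit device emits; the display names, request ids, addresses and the `secret/` path prefix are assumptions.

```python
import json

# Constructed sample lines in the shape Vault's JSON file audit device writes:
# one object per line, client tokens and secret values already HMAC'd by Vault.
SAMPLE_AUDIT_LOG = """\
{"time":"2024-03-01T10:00:00Z","type":"response","auth":{"display_name":"userpass-alice"},"request":{"id":"req-1","operation":"update","path":"secret/data/app/db","remote_address":"10.0.0.5","client_token":"hmac-sha256:aaa"}}
{"time":"2024-03-01T10:05:00Z","type":"request","auth":{"display_name":"userpass-bob"},"request":{"id":"req-2","operation":"read","path":"secret/data/app/db","remote_address":"10.0.0.6","client_token":"hmac-sha256:bbb"}}
{"time":"2024-03-01T10:05:00Z","type":"response","auth":{"display_name":"userpass-bob"},"request":{"id":"req-2","operation":"read","path":"secret/data/app/db","remote_address":"10.0.0.6","client_token":"hmac-sha256:bbb"}}
{"time":"2024-03-01T10:20:00Z","type":"response","auth":{"display_name":"userpass-bob"},"request":{"id":"req-3","operation":"update","path":"secret/data/app/db","remote_address":"10.0.0.6","client_token":"hmac-sha256:bbb"},"error":"permission denied"}
{"time":"2024-03-01T11:30:00Z","type":"response","auth":{"display_name":"userpass-alice"},"request":{"id":"req-4","operation":"update","path":"secret/data/app/db","remote_address":"10.0.0.5","client_token":"hmac-sha256:aaa"}}
{"time":"2024-03-01T12:00:00Z","type":"response","auth":{"display_name":"userpass-carol"},"request":{"id":"req-5","operation":"delete","path":"secret/data/app/db","remote_address":"10.0.0.7","client_token":"hmac-sha256:ccc"}}
{"time":"2024-03-01T12:01:00Z","type":"response","auth":{"display_name":"userpass-carol"},"request":{"id":"req-6","operation":"update","path":"secret/destroy/app/db","remote_address":"10.0.0.7","client_token":"hmac-sha256:ccc"}}
this line is a constructed partial write and must be skipped, not crash the tool
"""

# Operations that change a secret; reads are logged too but are not changes.
MUTATING_OPS = {"create", "update", "patch", "delete"}

def parse_audit_lines(text):
    """Yield a dict per well-formed JSON line; skip partial or corrupt lines."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def change_history(text, path_prefix="secret/"):
    """Oldest-first [(time, actor, op, path, remote_addr)] per request that changed
    a secret under path_prefix. Only error-free 'response' entries count: a
    'request' entry is logged before the write happens, a failed one changed nothing."""
    seen, history = set(), []
    for entry in parse_audit_lines(text):
        if entry.get("type") != "response" or entry.get("error"):
            continue
        req = entry.get("request") or {}
        if req.get("operation") not in MUTATING_OPS:
            continue
        if not req.get("path", "").startswith(path_prefix):
            continue
        if req.get("id") in seen:  # keep one record per request id
            continue
        seen.add(req.get("id"))
        actor = (entry.get("auth") or {}).get("display_name", "<unknown>")
        history.append((entry["time"], actor, req["operation"], req["path"],
                        req.get("remote_address", "")))
    return sorted(history, key=lambda h: h[0])

if __name__ == "__main__":
    for when, who, op, path, addr in change_history(SAMPLE_AUDIT_LOG):
        print(f"{when}  {who:<15} {op:<7} {path}  from {addr}")
```

The output itself is still sensitive (actor names, source addresses, HMAC'd tokens), so treat it with the same care as the raw audit log.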