How to decode hmac-sha256 in audit.log

CamilaBetim · July 20, 2021, 4:57pm

I enabled the audit device to write audit logs

In the logs, the information brought, much of it is encrypted in hash hmac. How do I view them?

stuart-c · July 20, 2021, 5:56pm

You can’t as it is a one way hash.

The idea is that you can compare log lines as well as compute the hash yourself from known plaintext, but as the items encoded are usually the more sensitive ones you don’t want them in a log file.

You can configure which fields get hashed, but I’d be cautious in doing so.

jeffsanicola · July 20, 2021, 5:58pm

To provide some links based on @stuart-c’s response:

Compare the data you think went into Vault using the sys/audit-hash api endpoint /sys/audit-hash - HTTP API | Vault by HashiCorp
Also see Audit Devices | Vault by HashiCorp
Adjust the auditing settings per mount to log items in clear text (be very cautious when doing this): /sys/mounts - HTTP API | Vault by HashiCorp

Topic		Replies	Views
Unable to validate the auditing for Vault Vault vault	2	364	May 3, 2022
How to make audit data visible? Vault	10	3404	October 10, 2020
Cannot prevent HMAC hash of lease_id in request Vault	0	63	June 4, 2024
HCSEC-2024-01 - Vault May Expose Sensitive Information When Configuring An Audit Log Device Security security-vault	0	6324	February 1, 2024
Auditing and Logging Vault	2	94	May 9, 2024

How to decode hmac-sha256 in audit.log

Related topics