How to decode hmac-sha256 in audit.log

I enabled the audit device to write audit logs


In the logs, the information brought, much of it is encrypted in hash hmac. How do I view them?

You can’t as it is a one way hash.

The idea is that you can compare log lines as well as compute the hash yourself from known plaintext, but as the items encoded are usually the more sensitive ones you don’t want them in a log file.

You can configure which fields get hashed, but I’d be cautious in doing so.

1 Like

To provide some links based on @stuart-c’s response:

  1. Compare the data you think went into Vault using the sys/audit-hash api endpoint /sys/audit-hash - HTTP API | Vault by HashiCorp
    Also see Audit Devices | Vault by HashiCorp
  2. Adjust the auditing settings per mount to log items in clear text (be very cautious when doing this): /sys/mounts - HTTP API | Vault by HashiCorp