How to know if journald is blocking

This is a follow-on to "Query what tokens have root policy attached".

I am using Vault v1.4.2 on CentOS 7.

The script appears to do what I want on our test Vault cluster, but when I access our production cluster, which has many more tokens, I get the following error in the Vault logs.

2020-06-08T18:12:44.508Z [ERROR] core: failed to audit response: request_path=auth/token/accessors/ error="1 error occurred:

From my reading, this is probably due to the audit device blocking, but we are using syslog as our audit device. What I am trying to understand is whether my error is happening because of the log mechanism blocking or some other error.

% vault audit list
Path       Type      Description
----       ----      -----------
syslog/    syslog    n/a

If I have to add another audit device, can I do that live? Also, what would a good device be that will not block?

It’d be good to have a file audit as well. If Vault can’t log to anything it will not service the request.

Thank you for the tip, I will look into that. Is there a way to know if journald is blocking?
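
An added example, not part of the original thread: one way to tally the "failed to audit response" errors in the Vault server log by request path and by minute, which shows whether the failures are confined to the bulk accessor listing or spread across all requests. The first sample line is the one quoted above; the other lines and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the error line format quoted in the post.
AUDIT_FAIL = re.compile(
    r'^(?P<ts>\S+) \[ERROR\]\s+core: failed to audit response: '
    r'request_path=(?P<path>\S*)'
)

# First line is from the post; the remaining lines are constructed samples.
SAMPLE_LOG = """\
2020-06-08T18:12:44.508Z [ERROR] core: failed to audit response: request_path=auth/token/accessors/ error="1 error occurred:
2020-06-08T18:12:44.901Z [INFO]  core: constructed line unrelated to auditing
2020-06-08T18:12:51.120Z [ERROR] core: failed to audit response: request_path=auth/token/accessors/ error="1 error occurred:
2020-06-08T18:13:02.333Z [ERROR] core: failed to audit response: request_path=auth/token/lookup-accessor error="1 error occurred:
"""


def audit_failures(log_text):
    """Return a (timestamp, request_path) pair for each audit failure line."""
    hits = []
    for line in log_text.splitlines():
        m = AUDIT_FAIL.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            hits.append((ts, m["path"]))
    return hits


def summarize(hits):
    """Count failures per request path and per minute."""
    by_path = Counter(path for _, path in hits)
    by_minute = Counter(ts.strftime("%Y-%m-%dT%H:%M") for ts, _ in hits)
    return by_path, by_minute


if __name__ == "__main__":
    by_path, by_minute = summarize(audit_failures(SAMPLE_LOG))
    print("failures by request path:")
    for path, count in by_path.most_common():
        print(f"{count:6d}  {path}")
    print("failures by minute:")
    for minute, count in sorted(by_minute.items()):
        print(f"{minute}  {count}")
```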