Permission denied when I try to vault audit enable file

Hi guys, I am unable to enable auditing because I get a sanity check permission denied error. I have tried doing chown -R to the directory and to the audit log file itself:

vault audit enable file file_path=/var/log/vault_audit.log
Error enabling audit device: Error making API request.

Code: 400. Errors:

* sanity check failed; unable to open "/var/log/vault_audit.log" for writing: open /var/log/vault_audit.log: permission denied

this is my vault.service file:

Description="HashiCorp Vault - A tool for managing secrets"
Documentation=
ConditionFileNotEmpty=/etc/vault.d/vault.hcl
StartLimitIntervalSec=60
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID

I am on Vault version 1.3.0.

Personally I wouldn’t change the owner and permissions on the /var/log directory as that could cause problems with other things running on the server.

I found the easiest way to log to /var/log was to enable the syslog audit device and let the syslog daemon handle it (there is a potential issue with log entry truncation if it doesn’t all fit in a UDP packet, but I haven’t hit it yet).

If you’re using rsyslog as your syslog daemon then you’ll want to use something like the following in your rsyslog.conf:

# log vault messages to their own file
:programname, isequal, "vault"                          /var/log/vault.log

You’ll also want to add /var/log/vault.log to the list of syslog files to be rotated by logrotate.

Can you show us the exact permissions on directory and file?


I have the same problem.

vault audit enable file file_path=/var/log/vault/vault_audit.log

Error enabling audit device: Error making API request.
Code: 400. Errors:

  • sanity check failed; unable to open "/var/log/vault/vault_audit.log" for writing: open /var/log/vault/vault_audit.log: permission denied

And these are the permissions

ls -ld /var/log/vault/vault_audit.log

-rw-r--r-- 1 root root 0 May 2 13:27 /var/log/vault/vault_audit.log

ls -ld /var/log/vault/

drwxr-xr-x 2 root root 4096 May 2 13:27 /var/log/vault/

Are you running Vault as root? If not the error message is correct. You are not allowed to write.

Yes, I’m running the command as vault root.

ps -ef | grep vault

#ps -ef | grep vault
vault 929 1 0 May02 ? 00:02:48 /usr/bin/vault server -config=/etc/vault/config.hcl
root 7683 7649 0 09:37 pts/2 00:00:00 grep --color=auto vault

The interesting part is that you are running the Vault service as user vault but the audit log is created by a root process. Maybe somebody else could help, I don’t have any clue how to solve this in a proper and secure way.


The service was running as vault user so I have changed it and also the ownership of the vault directory to root.

root@ubuntu-ws:~# ps aux | grep -i vault
root 710 1.7 6.4 196800 193720 ? SLsl 14:01 0:02 /bin/vault server -config=/etc/vault/config.hcl

And now able to enable the log.
#vault audit enable file file_path=/etc/vault/log/vault_audit.log
Success! Enabled the file audit device at: file/

What about when you run Vault under the Vault user? I’m having the same problem. I’ve even given the folder /var/log/vault drwxrwxrwx vault:vault perms. The file vault-audit.log is also owned by the vault:vault user/group and I still get the 400 error: "sanity check failed; unable to open "/var/log/vault/vault-audit.log" for writing: open /var/log/vault/vault-audit.log: permission denied"

Any other ideas of what might be the problem?

I am running into the same issue. Attempting to enable audit logging and getting a permissions error as the root user. Permissions on the directory are root:root 0750. This is on Vault 1.6.0.

As @Wolfsrudel mentioned earlier in this thread, typically Vault is running under a vault account, with permissions mostly targeted at reading its own config files.

Are you sure the Vault process is running under the root account? You created this environment yourself, as opposed to using an official repo? And it’s definitely this exact “sanity check” type of error? On that, just wondering whether it might be an issue with the permissions associated with your token.

Vault was running under the vault user. I changed it to root and am still getting the same error:

* sanity check failed; unable to open "/var/log/vault.d/vault_audit.log" for writing: mkdir /var/log/vault.d: permission denied

I am using a root token.

I do not have this issue on another vault instance running 1.5.4

H’m. I’d recommend going back to running under the vault account, and setting up that file structure ahead of time. So:

  1. Check the permissions on /var/log
  2. It might be read and write for root, and adm group
  3. Add vault to the adm group or syslog or a new group… However you want to do it
  4. sudo mkdir /var/log/vault.d
  5. sudo touch /var/log/vault.d/vault_audit.log
  6. sudo chown -R vault:vault /var/log/vault.d
  7. Then try to enable your audit device again
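
An added example, not written by anyone in this thread: a shell check that walks the audit log path and reports the first component whose mode bits would stop a given uid/gid from opening the file for writing. It applies no root bypass, which is what a service sees when its CapabilityBoundingSet (like the one in the unit file in the question) omits CAP_DAC_OVERRIDE; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Evaluates only the classic
# owner/group/other mode bits, with no root bypass (CAP_DAC_OVERRIDE). ACLs,
# supplementary groups, SELinux/AppArmor and systemd sandboxing are ignored.
# Assumes GNU stat.

# has_perm UID GID PATH NEED: 0 when the applicable triad grants NEED (4=r 2=w 1=x).
has_perm() {
    hp_info=$(stat -c '%u %g %a' "$3") || return 2
    hp_uid=$1 hp_gid=$2 hp_need=$4
    set -- $hp_info                 # now $1=owner uid, $2=owner gid, $3=octal mode
    hp_mode=$((0$3))
    if [ "$hp_uid" -eq "$1" ]; then hp_bits=$(( (hp_mode >> 6) & 7 ))
    elif [ "$hp_gid" -eq "$2" ]; then hp_bits=$(( (hp_mode >> 3) & 7 ))
    else hp_bits=$(( hp_mode & 7 )); fi
    [ $(( hp_bits & hp_need )) -eq "$hp_need" ]
}

# audit_path_blocker UID GID FILE: prints the first blocking path component and
# returns 1; prints nothing and returns 0 when an open-for-write would pass.
audit_path_blocker() {
    case $3 in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    ab_parent=$(dirname "$3"); ab_rest=${ab_parent#/}; ab_cur=/
    while :; do
        if [ ! -e "$ab_cur" ]; then
            # Missing directory: creating it needs w+x on the last existing one.
            has_perm "$1" "$2" "$ab_prev" 3 && return 0
            echo "$ab_prev: cannot create $ab_cur (needs w+x)"; return 1
        fi
        [ -d "$ab_cur" ] || { echo "$ab_cur: not a directory"; return 1; }
        has_perm "$1" "$2" "$ab_cur" 1 || { echo "$ab_cur: no search (x) permission"; return 1; }
        [ -z "$ab_rest" ] && break
        ab_prev=$ab_cur
        ab_cur=${ab_cur%/}/${ab_rest%%/*}
        case $ab_rest in */*) ab_rest=${ab_rest#*/} ;; *) ab_rest="" ;; esac
    done
    if [ -e "$3" ]; then
        has_perm "$1" "$2" "$3" 2 || { echo "$3: file not writable (w)"; return 1; }
    else
        has_perm "$1" "$2" "$ab_parent" 3 || { echo "$ab_parent: cannot create file (needs w+x)"; return 1; }
    fi
}

# Usage: sh this_script "$(id -u vault)" "$(id -g vault)" /var/log/vault.d/vault_audit.log
if [ $# -eq 3 ]; then audit_path_blocker "$@"; fi
```

Pass the uid and gid the Vault process actually runs with (the first column of the ps output), not those of the shell running the vault CLI.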

Thanks. Looks like the issue was the /var/log/vault.d was owned by vault.

Now running into a new issue: Vault Audit logs stopping daily/not logging


As @jlj7 says, it’s better to use the vault user, and besides his solution, I think you can also add to the vault.service the line


This will automatically add the directory /var/log/vault and give permissions to be used by vault.


I had the same issue, I am using storage type: RAFT across a few servers. In the end I did the following:

On all servers in the cluster:

touch /var/log/vault_audit.log
chmod 644 /var/log/vault_audit.log
chown vault:vault /var/log/vault_audit.log

Then I found the leader and executed the following there:

To find the leader

vault operator raft list-peers

Execute on the leader to enable audit log

vault audit enable file file_path=/var/log/vault_audit.log

You may need to restart and unseal vault to see the logs on the leader (only the leader generates logs).

tail -f /var/log/vault_audit.log

I’m not 100% sure you “have to” run this on the leader but that is what I did.