Permission denied when i try to vault audit enable file

#1

Hi guys i am unable to to enable auditing bcuz i get sanity check permission denied. I have tried doing chown -R to the directory and to the audit log file itself:

vault audit enable file file_path=/var/log/vault_audit.log
Error enabling audit device: Error making API request.

URL: PUT http://10.10.1.91:8200/v1/sys/audit/file
Code: 400. Errors:

* sanity check failed; unable to open "/var/log/vault_audit.log" for writing: open /var/log/vault_audit.log: permission denied

this is my vault.service file:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets" Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target ConditionFileNotEmpty=/etc/vault.d/vault.hcl StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
User=vault
Group=vault
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl ExecReload=/bin/kill --signal HUP $MAINPID 
KillMode=process 
KillSignal=SIGINT 
Restart=on-failure 
RestartSec=5
TimeoutStopSec=30
StartLimitInterval=60
StartLimitIntervalSec=60
StartLimitBurst=3
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target

i am on vault version 1.3.0

#2

Personally I wouldn’t change the owner and permissions on the /var/log directory as that could cause problems with other things running on the server.

I found the easiest way to log to /var/log was to enable the syslog audit device and let the syslog deamon handle it (there is a potential issue with log entry truncation if it doesn’t all fit in a UDP packet, but I haven’t hit it yet).

If you’re using rsyslog as your syslog daemon then you’ll want to use something like the following in your rsyslog.conf

# log vault to messages to their own file
:programname, isequal, "vault"                          /var/log/vault.log

You’ll also want to add /var/log/vault.log to the list of syslog files to be rotated by logrotate

#3

Can you show us the exact permissions on directory and file?