Hi guys, I am unable to enable auditing because I get a sanity check permission denied error. I have tried doing chown -R on the directory and on the audit log file itself:
vault audit enable file file_path=/var/log/vault_audit.log
Error enabling audit device: Error making API request.
URL: PUT http://10.10.1.91:8200/v1/sys/audit/file
Code: 400. Errors:
* sanity check failed; unable to open "/var/log/vault_audit.log" for writing: open /var/log/vault_audit.log: permission denied
Personally I wouldn’t change the owner and permissions on the /var/log directory as that could cause problems with other things running on the server.
I found the easiest way to log to /var/log was to enable the syslog audit device and let the syslog daemon handle it (there is a potential issue with log entry truncation if it doesn’t all fit in a UDP packet, but I haven’t hit it yet).
If you’re using rsyslog as your syslog daemon then you’ll want to use something like the following in your rsyslog.conf:
# log vault to messages to their own file
:programname, isequal, "vault" /var/log/vault.log
You’ll also want to add /var/log/vault.log to the list of syslog files to be rotated by logrotate.
The interesting part is that you are running the Vault service as user vault, but the audit log is created by a root process. Maybe somebody else could help; I don’t have any clue how to solve this in a proper and secure way.
What about when you run Vault under the Vault user? I’m having the same problem; I’ve even given the folder /var/log/vault drwxrwxrwx vault:vault perms. The file vault-audit.log is also owned by the vault:vault user/group and I still get the 400 error: "sanity check failed; unable to open "/var/log/vault/vault-audit.log" for writing: open /var/log/vault/vault-audit.log: permission denied"
I am running into the same issue. Attempting to enable audit logging and getting a permissions error as the root user. Permissions on the directory are root:root 0750. This is on Vault 1.6.0.
As @Wolfsrudel mentioned earlier in this thread, typically Vault is running under a vault account, with permissions mostly targeted at reading its own config files.
Are you sure the Vault process is running under the root account? You created this environment yourself, as opposed to using an official repo? And it’s definitely this exact “sanity check” type of error? On that, just wondering whether it might be an issue with the permissions associated with your token.
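A preflight check for the permission problem discussed across this thread, added here as an example (not code from the thread, from HashiCorp, or from Vault itself): it looks up the uid/gid the running Vault process actually has and asks whether that account can append to the audit log path, which is what Vault's "sanity check" boils down to. It assumes a Linux host with GNU coreutils (stat -c) and procps (pgrep, ps); the process name "vault" and the default log path /var/log/vault/vault-audit.log are assumptions.

```shell
#!/bin/sh
# Preflight for "vault audit enable file": confirm the account the Vault
# service runs as can write the audit log path before Vault's own sanity
# check fails. Assumes Linux with GNU coreutils (stat -c) and procps; the
# process name "vault" and the default log path are assumptions.

# can_write PATH UID GID: succeeds if uid/gid may write PATH, judged from the
# owner, group and mode bits only (supplementary groups, ACLs and root's
# bypass are not modelled, so pass the service account's ids, not root's).
can_write() {
  _uid=$2 _gid=$3
  set -- $(stat -c '%u %g %a' "$1" 2>/dev/null)
  [ $# -eq 3 ] || return 2
  _mode=$((0$3))                    # octal mode string -> integer
  if [ "$_uid" = "$1" ]; then
    [ $((_mode & 0200)) -ne 0 ]     # owner write bit
  elif [ "$_gid" = "$2" ]; then
    [ $((_mode & 0020)) -ne 0 ]     # group write bit
  else
    [ $((_mode & 0002)) -ne 0 ]     # other write bit
  fi
}

# audit_path_check PATH UID GID: the file audit device appends to PATH and
# creates it if missing, so an existing file must be writable, otherwise
# its directory must be. Explains the failure on stderr.
audit_path_check() {
  _dir=$(dirname "$1")
  if [ -e "$1" ]; then
    can_write "$1" "$2" "$3" && return 0
    echo "uid $2 cannot write $1 ($(stat -c '%U:%G %a' "$1"))" >&2
  elif [ -d "$_dir" ]; then
    can_write "$_dir" "$2" "$3" && return 0
    echo "uid $2 cannot create $1 in $_dir ($(stat -c '%U:%G %a' "$_dir"))" >&2
  else
    echo "directory $_dir does not exist" >&2
  fi
  return 1
}

# vault_audit_preflight [LOG_PATH]: check the path as the running Vault process's uid/gid.
vault_audit_preflight() {
  _log=${1:-/var/log/vault/vault-audit.log}
  _pid=$(pgrep -o -x vault) || { echo 'no running vault process' >&2; return 1; }
  set -- $(ps -o uid= -o gid= -p "$_pid")
  echo "vault pid $_pid runs as uid $1 gid $2"
  audit_path_check "$_log" "$1" "$2" &&
    echo "ok: vault audit enable file file_path=$_log should pass the check"
}
# Run directly: sh preflight.sh --check /var/log/vault/vault-audit.log
if [ "${1:-}" = "--check" ]; then vault_audit_preflight "$2"; fi
```

If the check fails for the service account, fixing ownership of the log file or its directory (not of /var/log itself) so that the Vault user can write it is what the sanity check is asking for.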