I have a three-node HA Vault setup backed up by Consul, with two nodes on standby in case the active node goes down. My plan was to use the file audit device and a log shipper to collect Vault’s audit logs in Loki or Elasticsearch.
So I enabled the file device on one node:
```
vault audit enable file file_path=/var/log/vault/audit.log
```
What irritates me is that it says “replicated”, although it has only been activated on one node:
```
vault audit list -detailed
Path     Type    Description    Replication    Options
----     ----    -----------    -----------    -------
file/    file    n/a            replicated     file_path=/var/log/vault/audit.log
```
I also couldn’t enable the same interface on the other nodes, as it was already activated for the cluster.
What is the best way to set up the audit backend on an HA cluster? My initial understanding was that the active node would write the logs to the local disk and, if the node should go down, one of the standby nodes would take over, becoming the active node and starting to write the log files on its local file system. Am I missing something?