Vault audit logging with Elasticsearch

Hi Team, I enabled the audit log via the Vault CLI with a file path as per the docs; while adding a socket I am getting a syntax error. It was taking an http address, but Elasticsearch is running on https, so how do I enable the Vault audit socket with the Elasticsearch agent, which is running on https, and with credentials?
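One point worth making concrete for this question: Vault's socket audit device (`vault audit enable socket address=127.0.0.1:9090 socket_type=tcp`) does not speak HTTP at all; it writes newline-delimited JSON audit entries to a plain TCP, UDP or Unix socket. Whatever listens on that socket (an Elastic agent or Logstash TCP input, or a small receiver like the one below) is what talks to Elasticsearch over HTTPS with credentials. The following script is an added example written for this thread, not code from the original post or from HashiCorp or Elastic. It assumes the audit devices' newline-delimited JSON shape and Elasticsearch's `_bulk` endpoint; the sample entries, the `SENSITIVE_KEYS` list used for the HMAC check, and the `es_url`/`user`/`pw` values are constructed placeholders.

```python
"""Receive Vault socket-audit-device entries over TCP, sanity-check them,
and shape them for Elasticsearch's _bulk API (added example, not from the thread)."""
import base64
import json
import socket
import urllib.request
from typing import Any, Dict, Iterable, List, Optional, Tuple

HMAC_PREFIX = "hmac-sha256:"
# Keys whose values Vault is expected to HMAC before they hit the audit log.
# This key list is an assumption for the check below, not a Vault constant.
SENSITIVE_KEYS = {"client_token", "accessor", "password", "token"}

# Constructed sample lines in the newline-delimited JSON shape the audit
# devices emit; none were captured from a real Vault server.
SAMPLE_LINES = [
    '{"time":"2024-01-01T10:00:00Z","type":"request",'
    '"auth":{"display_name":"token","policies":["default","app"]},'
    '"request":{"id":"req-1","operation":"read","path":"secret/data/app/config",'
    '"client_token":"hmac-sha256:aaa","remote_address":"10.0.0.5"}}',
    '{"time":"2024-01-01T10:00:01Z","type":"response",'
    '"auth":{"display_name":"token"},'
    '"request":{"id":"req-1","operation":"read","path":"secret/data/app/config",'
    '"client_token":"hmac-sha256:aaa","remote_address":"10.0.0.5"},'
    '"response":{"data":{"data":{"password":"hmac-sha256:bbb"}}}}',
    'garbage that is not json',
    '{"time":"2024-01-01T10:00:02Z","type":"request",'
    '"auth":{"display_name":"alice"},'
    '"request":{"id":"req-3","operation":"update","path":"sys/audit/socket",'
    '"client_token":"s.plaintext-token","remote_address":"10.0.0.9"}}',
]


def parse_audit_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one audit entry; return None on bad JSON so the caller can count it."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) and "type" in entry else None


def unhmaced_fields(obj: Any, path: str = "") -> List[str]:
    """Return dotted paths of sensitive keys whose values are not HMAC'd,
    which would indicate the device was enabled with HMAC'ing turned off."""
    found: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and isinstance(value, str) \
                    and not value.startswith(HMAC_PREFIX):
                found.append(child)
            found.extend(unhmaced_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(unhmaced_fields(item, f"{path}[{i}]"))
    return found


def summarize(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the fields a SOC usually indexes and searches on."""
    req = entry.get("request", {})
    return {
        "time": entry.get("time"),
        "type": entry["type"],
        "operation": req.get("operation"),
        "path": req.get("path"),
        "display_name": entry.get("auth", {}).get("display_name"),
        "remote_address": req.get("remote_address"),
        "unhmaced": unhmaced_fields(entry),
    }


def process_lines(lines: Iterable[str]) -> Tuple[List[Dict[str, Any]], int]:
    """Return (summaries, malformed_count) for a batch of raw lines."""
    summaries, malformed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = parse_audit_line(line)
        if entry is None:
            malformed += 1
            continue
        summaries.append(summarize(entry))
    return summaries, malformed


def to_bulk_body(docs: List[Dict[str, Any]], index: str) -> str:
    """Build the NDJSON body the _bulk endpoint expects: an action line
    followed by a document line for every record, newline-terminated."""
    parts = []
    for doc in docs:
        parts.append(json.dumps({"index": {"_index": index}}))
        parts.append(json.dumps(doc))
    return "\n".join(parts) + "\n"


def send_bulk(body: str, es_url: str, user: str, pw: str) -> int:
    """POST the bulk body to Elasticsearch over HTTPS with basic auth.
    es_url/user/pw are caller-supplied placeholders; returns the HTTP status."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_bulk", data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-ndjson",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def serve_tcp(host: str, port: int, index: str, es_url: str, user: str, pw: str) -> None:
    """Accept the connection Vault opens for
    `vault audit enable socket address=host:port socket_type=tcp`
    and forward each entry as it arrives."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("r", encoding="utf-8") as stream:
                for line in stream:
                    docs, _ = process_lines([line])
                    if docs:
                        send_bulk(to_bulk_body(docs, index), es_url, user, pw)


if __name__ == "__main__":
    found, bad = process_lines(SAMPLE_LINES)
    print(f"{len(found)} entries parsed, {bad} malformed")
```

Two caveats for a real deployment: `urllib` validates the Elasticsearch certificate against the system CA bundle, so a self-signed cluster certificate must be added to that bundle (or an `ssl.SSLContext` loaded with it passed to `urlopen`) rather than disabling verification; and because the socket device blocks Vault requests when the receiver is unreachable, keep a `file` audit device enabled alongside it.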

No one has assisted on my topic.

Hi @vijayachandra.nimmak - have you reviewed this tutorial? It uses Elasticsearch as part of the setup.

Yes, @jonathanfrappier

Vault and Elasticsearch are deployed as containers. While adding the Vault integration in the Kibana UI, it asks to install the Fleet agent on the Vault host. In my case I am unable to do a few things on the container: by default the container comes up as the vault user, so while installing Fleet I get permission denied errors.

Good to know you have access to the container. Elastic (and other similar platforms) are not part of my day-to-day work at the moment, but it sounds like you may need to request permission to get the agent installed. In my last role I used Datadog, but similarly, I needed to install an agent.

@jonathanfrappier I have access to that container, and I can install the agent on the container, but while installing the agent on the container I get a permission denied error because the container is running as the vault user, so that user has limited access, and we can’t switch to root on the container.

Apologies, I thought you were building the container yourself so you had control over the setup and permissions.

I don’t have advanced working knowledge of Elastic, but I think you can run the Elastic agent as a container on your container host as well but I do not have additional information on how to configure Elastic/Elastic agent in that scenario.

Quick follow-up - from the looks of this issue for the Elastic agent, it seems like you’re just hitting a limitation between what Elastic supports and Alpine Linux:

That GH issue also links to this forum topic, which also suggested running the agent as a container: