I am seeing vault audit logs logged to my /var/log/messages file but I do not use the syslog audit device. I have 2 audit devices configured and working: file and socket.
For socket device type, I also use rsyslog to capture and dump the logs to another specified audit.log file. Nothing unusual and nothing pointed to syslog.
I also have an env var set in /etc/sysconfig/vault:
I am running Vault v1.4.2. Will soon be upgrading to 1.6.1.
I expect only vault server/service messages to be logged to syslog, but that is not the case. Consequently, my messages file is being overrun by vault audit logs.
Has anyone encountered this? Anything I am missing that would cause this?