Hello,
I am seeing vault audit logs logged to my /var/log/messages file but I do not use the syslog audit device. I have 2 audit devices configured and working: file and socket.
File uses file_path=/var/log/vault/audit/vault_audit.log
For socket device type, I also use rsyslog to capture and dump the logs to another specified audit.log file. Nothing unusual and nothing pointed to syslog.
I also have an env var set in /etc/sysconfig/vault: VAULT_LOG_LEVEL=info
I am running Vault v1.4.2. Will soon be upgrading to 1.6.1.
I expect only vault server/service messages to be logged to syslog, but that is not the case. Consequently, my messages file is being overrun by vault audit logs.
Has anyone encountered this? Anything I am missing that would cause this?
Thanks,
-Paul