Vault audit logs are logging to syslog


I am seeing vault audit logs logged to my /var/log/messages file but I do not use the syslog audit device. I have 2 audit devices configured and working: file and socket.

File uses file_path=/var/log/vault/audit/vault_audit.log

For socket device type, I also use rsyslog to capture and dump the logs to another specified audit.log file. Nothing unusual and nothing pointed to syslog.

I also have an env var set in /etc/sysconfig/vault: VAULT_LOG_LEVEL=info

I am running Vault v1.4.2. Will soon be upgrading to 1.6.1.

I expect only vault server/service messages to be logged to syslog, but that is not the case. Consequently, my messages file is being overrun by vault audit logs.

Has anyone encountered this? Anything I am missing that would cause this?


I have upgraded to version 1.6.1 and still have the same issue. Is this expected behavior for Vault to log not only operational logs but audit logs to the messages file? Any input/suggestions appreciated. Thanks!