[Vault] Audit logs being written in 3 log files

Hello,

Could an expert help me understand why Vault audit logs are being written in the following files?

syslog, messages and auth.log.

No config file suggests or has any mention of these log files.
Apparently, I think during the vault init (this is an inherited setup) the audit log should have been sent to stdout.

Any help and pointers, please.

It sounds like you have configured audit logs to be written to syslog.

Once written to syslog it is out of Vault’s control which files the messages are written to - message routing is controlled by the syslog daemon’s configuration.

It is not uncommon for Linux distributions to ship default syslog configurations which duplicate messages to different files… sadly, IMO.

My personal preference is to disable Vault audit via syslog and send it directly to a file.

Please use the vault audit list command to inspect your current audit setup within Vault.

Thank you for the help,

/ # vault audit list
Path       Type      Description

file/      file      n/a
syslog/    syslog    n/a

This is what the config looks like.
So I do a
$ vault audit disable syslog/ ?

and then
$ vault audit enable file file_path=stdout ← this may not be needed, right, as it is already logging to file?

Yes, but before you do, double-check the file audit method is actually working, lest you lock yourself out of Vault (Vault refuses to serve any requests if every configured audit method is unable to log).

vault audit list -detailed will show you the existing configuration.
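A small guard for the lock-out risk described above, added here as an example (not code from the thread or from Vault): it reads `vault audit list -detailed` output and refuses to disable `syslog/` unless another audit device remains enabled. It assumes the column layout shown in the thread (Path, Type, Description, ...) and skips the dashed separator line the CLI prints under the header; the listing used below is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): refuse to disable the syslog/ audit
# device unless at least one other audit device is still enabled, so Vault is
# never left with zero working audit devices (it then refuses all requests).
# Assumes the column layout of `vault audit list -detailed` seen in the thread
# (Path Type Description ...), plus the dashed separator line under the header.

# Constructed sample listing, mirroring the thread's output. In real use, feed
# the live output instead:  vault audit list -detailed | check_disable syslog/
SAMPLE_AUDIT_LIST='Path       Type      Description    Replication    Options
----       ----      -----------    -----------    -------
file/      file      n/a            replicated     file_path=stdout
syslog/    syslog    n/a            replicated     facility=AUTH tag=vault'

# Read a detailed audit listing on stdin and print every audit path except $1,
# skipping blank lines, the header line and the dashed separator line.
other_audit_paths() {
    awk -v skip="$1" 'NF > 0 && $1 != "Path" && $1 !~ /^-/ && $1 != skip { print $1 }'
}

# Read the listing on stdin; return 0 when disabling path $1 still leaves another
# device enabled, 1 when it would leave Vault with no audit device at all.
check_disable() {
    remaining=$(other_audit_paths "$1")
    if [ -n "$remaining" ]; then
        echo "ok: disabling $1 still leaves: $(printf '%s' "$remaining" | tr '\n' ' ')"
        echo "    run: vault audit disable $1"
        return 0
    fi
    echo "refusing: $1 is the only audit device; Vault would stop serving requests"
    return 1
}

# Convenience wrapper taking the listing as an argument instead of stdin.
check_disable_listing() {
    printf '%s\n' "$2" | check_disable "$1"
}

# Demonstration on the constructed sample (syslog/ can go, file/ remains).
check_disable_listing syslog/ "$SAMPLE_AUDIT_LIST"
```

This only checks the configuration; that the remaining device actually writes entries (for `file_path=stdout`, that `docker logs` shows audit records) still has to be confirmed by eye before running the disable command.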

So this is what I see in detailed:
Path       Type      Description    Replication    Options

file/      file      n/a            replicated     file_path=stdout
syslog/    syslog    n/a            replicated     facility=AUTH tag=vault

And yes, I see that when I do docker logs I see the logs, so I think that's what the file and stdout is doing. (Correct me if I am wrong.)

Yes, that sounds right.

It looks like all you need to do is disable the syslog audit method that you never really wanted, then.


Thank you so much for the help.

Hello maxb,

Quick question I have.

I have a setup of 3 machines for Vault and Consul and it is running in cluster mode.
Do I disable the audit on syslog/ on all nodes, or is it enough for one node?

Audit configuration is stored once, centrally, in the cluster, so only needs to be updated once even though it applies to all nodes.


OK, so I applied it and it worked. Should I restart the containers?
But the logs are still being written in syslog and messages.

Am I missing anything here?

I think it is still writing to SYSLOG and MESSAGES due to the driver defined in the Docker config, which is journald.

Any means of changing this driver to something else so that it stops writing to the system logs?

TIA for the help.