Vault file audit log availability behaviour

Hello! Tested with version 1.18.4, 1.19.5, 1.21.2

As mentioned in the documentation, it's very important to have a properly working audit device, and if the device is unavailable, Vault stops processing the request.

Topic: Availability of audit devices

So, with a single node I created an audit device.

vault audit enable file file_path=/vault/audit.log

Then I tried to:

chown root:root /vault/audit.log

chmod 000 /vault/audit.log

and finally

rm -rf /vault/audit.log

And Vault was still working.

vault secrets enable …

vault kv list …

vault kv get …

vault kv put …

After restarting the service and unsealing, an empty file was automatically recreated.

The changes that I made in Vault while the audit file was deleted were applied.

So, as I understand it, in the case of the file audit type, there is no protection for the audit?

Such as checks like: file exists, RW available, etc.
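Added example (not from the post above and not Vault's own code): a shell demonstration of the operating-system behaviour behind what was observed, an already-open file descriptor is unaffected by `chmod 000` and `rm`, plus a check that counts open-but-deleted files for a PID so an operator can spot an audit file that vanished while the process kept writing to it. It assumes Linux with `/proc`; the JSON lines are constructed samples, not real Vault audit entries.

```shell
#!/usr/bin/env sh
# Constructed demonstration: the writer keeps a descriptor open on fd 3, the
# file is then chmod 000'd and unlinked, and writes still succeed because the
# descriptor points at the inode, not at the path name.
set -u

# Returns 0 when a write after chmod 000 + rm still succeeds (Linux behaviour).
writes_survive_unlink() {
    dir=$(mktemp -d)
    log="$dir/audit.log"                    # placeholder path, not /vault/audit.log
    exec 3>>"$log"                          # process now holds the file open
    echo '{"type":"request","path":"sys/mounts"}' >&3
    chmod 000 "$log"                        # mode change does not touch open fds
    rm -f "$log"                            # unlink: inode stays while fd is open
    rc=0
    echo '{"type":"request","path":"secret/data/app"}' >&3 || rc=1
    exec 3>&-                               # close: inode is freed, data is gone
    rm -rf "$dir"
    return $rc
}

# Detection check: number of open regular files for PID $1 whose name has been
# removed. For a Vault PID, a count above 0 on the audit path means entries are
# still being written, but to an inode nothing on disk points at any more.
deleted_open_files() {
    pid="$1"
    ls -l "/proc/$pid/fd" 2>/dev/null | grep -c '(deleted)' || true
}
```

Run `deleted_open_files "$(pgrep -x vault)"` on the Vault host to check the running process; a value above 0 is the signal that the on-disk audit file no longer matches what the process is writing.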

To confirm my understanding of your question - you are concerned that you can delete the file that audit logs are being written to? And once it is deleted, Vault continues to operate, against the information from the docs saying that if an audit device is not available, it should halt operations?