| layout | page_title | description |
|---|---|---|
docs |
Syslog - Audit Devices |
The "syslog" audit device writes audit logs to syslog. |
The syslog audit device writes audit logs to syslog.
It currently does not support a configurable syslog destination, and always sends to the local agent. This device is only supported on Unix systems, and should not be enabled if any standby Vault instances do not support it.
~> Warning: Audit messages generated for some operations can be quite
large, and can be larger than a maximum-size single UDP
packet. If possible with your
syslog daemon, configure a TCP listener. Otherwise, consider using a file
backend and having syslog configured to read entries from the file; or, enable
both file and syslog so that a failure for a particular message to log
directly to syslog will not result in Vault being blocked.
Audit syslog device can be enabled by the following command:
$ vault audit enable syslog
Supply configuration parameters via K=V pairs:
$ vault audit enable syslog tag="vault" facility="AUTH"
The syslog audit device supports the common configuration options documented on
the main Audit Devices page, and
these device-specific options:
-
facility(string: "AUTH")- The syslog facility to use. -
tag(string: "vault")- The syslog tag to use.