From 3af0d890df1deddd2e080cd263e97ebe8052d0de Mon Sep 17 00:00:00 2001 From: Kay Craig Date: Tue, 2 Sep 2025 12:36:31 -0400 Subject: [PATCH 01/12] update 1.20 and 1.19 for rotation logging --- content/vault/v1.19.x/content/docs/auth/ldap.mdx | 4 ++++ .../v1.19.x/content/docs/secrets/databases/index.mdx | 5 ++++- content/vault/v1.19.x/content/docs/secrets/ldap.mdx | 9 +++++++++ .../content/partials/rotation-manager-logging.mdx | 7 +++++++ content/vault/v1.20.x/content/docs/auth/ldap.mdx | 4 ++++ .../v1.20.x/content/docs/secrets/databases/index.mdx | 5 +++++ content/vault/v1.20.x/content/docs/secrets/ldap.mdx | 11 ++++++++++- .../content/partials/rotation-manager-logging.mdx | 7 +++++++ 8 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx create mode 100644 content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx diff --git a/content/vault/v1.19.x/content/docs/auth/ldap.mdx b/content/vault/v1.19.x/content/docs/auth/ldap.mdx index ce62d5162e..81300c3af4 100644 --- a/content/vault/v1.19.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.19.x/content/docs/auth/ldap.mdx @@ -184,6 +184,8 @@ Use `vault path-help` for more details. The root bindpass can be rotated to a Vault-generated value that is not accessible by the operator. This will ensure that only Vault is able to access the "root" user that Vault uses to manipulate credentials. +Manual root rotations will be logged to the vault.log and state that the rotation was `on user request`. + ```shell-session vault write -f auth/ldap/config/rotate-root ``` @@ -231,6 +233,8 @@ TTL. For more details on rotating root credentials in the Azure plugin, refer to the [Root credential rotation](/vault/api-docs/auth/ldap#rotate-root) API docs. +@include 'rotation-manager-logging.mdx' + ## Examples: ### Scenario 1 
diff --git a/content/vault/v1.19.x/content/docs/secrets/databases/index.mdx b/content/vault/v1.19.x/content/docs/secrets/databases/index.mdx index 6d6b2034af..e4eec89ace 100644 --- a/content/vault/v1.19.x/content/docs/secrets/databases/index.mdx +++ b/content/vault/v1.19.x/content/docs/secrets/databases/index.mdx @@ -104,7 +104,7 @@ TTL. For more details on rotating root credentials in the DB Secrets engine, refer to the [Rotate Root credentials](/vault/api-docs/secret/databases#rotate-root-credentials) API docs. - +@include 'rotation-manager-logging.mdx' ## Setup @@ -296,6 +296,9 @@ or otherwise, it will not be rotated until the next scheduled rotation. !> The `rotation_period` and `rotation_schedule` fields are mutually exclusive. One of them must be set but not both. +Rotations will be logged with reference to the `name` of the role and `error` +if failed. They will also indicate that they were rotated in a `periodic function`. + ## Password generation Passwords are generated via [Password Policies](/vault/docs/concepts/password-policies). diff --git a/content/vault/v1.19.x/content/docs/secrets/ldap.mdx b/content/vault/v1.19.x/content/docs/secrets/ldap.mdx index 604684e02e..a209e2f452 100644 --- a/content/vault/v1.19.x/content/docs/secrets/ldap.mdx +++ b/content/vault/v1.19.x/content/docs/secrets/ldap.mdx @@ -158,6 +158,8 @@ TTL. For more details on rotating root credentials in the Azure plugin, refer to the [Root credential rotation](/vault/api-docs/secret/ldap#rotate-root) API docs. +@include 'rotation-manager-logging.mdx' + ## Static credentials ### Setup 
@@ -194,11 +196,18 @@ role, the response will include the time before the next rotation (`ttl`). The `binddn` account used by Vault should be rotated using the `rotate-root` endpoint to generate a password only Vault will know. +Similar to the rotation manager, rotations will be logged with reference to the +`name` of the role and `error` if failed. They will also indicate that they were rotated in +a `periodic function`. + ### Manual rotation Static roles can be manually rotated using the `rotate-role` endpoint. When manually rotated the rotation period will start over. +Logging here will be similar to the other rotation logging, and will reference that the +rotation happened `on user request`. + ### Deleting static roles Passwords are not rotated upon deletion of a static role. The password should be manually diff --git a/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx b/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx new file mode 100644 index 0000000000..d8fe036c0f --- /dev/null +++ b/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx @@ -0,0 +1,7 @@ +### Rotation Logging +The rotation manager emits logs (to the standard `vault.log`) on any successful or failed +rotation. In the case of success, the log will note which credential was rotated, under +the `rotationID` key, and the anticipated time of the next rotation, under the key `expire_time`. +In the case of failure, the log will include the `rotationID` and an `err` reason. +Other logs may be emitted, depending on the set log level. When associated with a specific +credential, the `rotationID` will be included as the first parameter. \ No newline at end of file diff --git a/content/vault/v1.20.x/content/docs/auth/ldap.mdx b/content/vault/v1.20.x/content/docs/auth/ldap.mdx index 5b17b0f671..99ed7f5704 100644 --- a/content/vault/v1.20.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.20.x/content/docs/auth/ldap.mdx 
@@ -198,6 +198,8 @@ This will ensure that only Vault is able to access the "root" user that Vault us vault write -f auth/ldap/config/rotate-root ``` +Manual root rotations will be logged to the vault.log and state that the rotation was `on user request`. + ### Schedule-based root credential rotation @include 'alerts/enterprise-only.mdx' @@ -241,6 +243,8 @@ TTL. For more details on rotating root credentials in the Azure plugin, refer to the [Root credential rotation](/vault/api-docs/auth/ldap#rotate-root) API docs. +@include rotation-manager-logging.mdx + ## Examples: ### Scenario 1 diff --git a/content/vault/v1.20.x/content/docs/secrets/databases/index.mdx b/content/vault/v1.20.x/content/docs/secrets/databases/index.mdx index 4b9f05825d..36799f338e 100644 --- a/content/vault/v1.20.x/content/docs/secrets/databases/index.mdx +++ b/content/vault/v1.20.x/content/docs/secrets/databases/index.mdx @@ -105,6 +105,8 @@ TTL. For more details on rotating root credentials in the DB Secrets engine, refer to the [Rotate Root credentials](/vault/api-docs/secret/databases#rotate-root-credentials) API docs. +@include 'rotation-manager-logging.mdx' + ## Setup Most secrets engines must be configured in advance before they can perform their @@ -397,6 +399,9 @@ or otherwise, it will not be rotated until the next scheduled rotation. !> The `rotation_period` and `rotation_schedule` fields are mutually exclusive. One of them must be set but not both. +Rotations will be logged with reference to the `name` of the role and `error` +if failed. They will also indicate that they were rotated in a `periodic function`. + ## Password generation Passwords are generated via [Password Policies](/vault/docs/concepts/password-policies). diff --git a/content/vault/v1.20.x/content/docs/secrets/ldap.mdx b/content/vault/v1.20.x/content/docs/secrets/ldap.mdx index 604684e02e..d7aa3bf11d 100644 --- a/content/vault/v1.20.x/content/docs/secrets/ldap.mdx +++ b/content/vault/v1.20.x/content/docs/secrets/ldap.mdx 
@@ -155,9 +155,11 @@ of the root credential until the field is reset to `false`. If you use `rotation_period`, setting `disable_automated_rotation` also resets the credential TTL. -For more details on rotating root credentials in the Azure plugin, refer to the +For more details on rotating root credentials in the LDAP plugin, refer to the [Root credential rotation](/vault/api-docs/secret/ldap#rotate-root) API docs. +@include 'rotation-manager-logging.mdx' + ## Static credentials ### Setup @@ -194,11 +196,18 @@ role, the response will include the time before the next rotation (`ttl`). The `binddn` account used by Vault should be rotated using the `rotate-root` endpoint to generate a password only Vault will know. +Similar to the rotation manager, rotations will be logged with reference to the +`name` of the role and `error` if failed. They will also indicate that they were rotated in +a `periodic function`. + ### Manual rotation Static roles can be manually rotated using the `rotate-role` endpoint. When manually rotated the rotation period will start over. +Logging here will be similar to the other rotation logging, and will reference that the +rotation happened `on user request`. + ### Deleting static roles Passwords are not rotated upon deletion of a static role. The password should be manually diff --git a/content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx b/content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx new file mode 100644 index 0000000000..5960305b5c --- /dev/null +++ b/content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx 
@@ -0,0 +1,7 @@ +### Rotation Logging +The rotation manager emits logs (to the standard `vault.log`) on any successful or failed +rotation. In the case of success, the log will note which credential was rotated, under +the `rotationID` key, and the anticipated time of the next rotation, under the key `expire_time`. +In the case of failure, the log will include the `rotationID` and an `err` reason. +Other logs may be emitted, depending on the set log level. When associated with a specific +credential, the `rotationID` will be included as the first parameter. From dce2aedf1ac180802bf14216ea7feba93a829662 Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:16:39 -0400 Subject: [PATCH 02/12] Update content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../v1.19.x/content/partials/rotation-manager-logging.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx b/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx index d8fe036c0f..a95849b7e0 100644 --- a/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx +++ b/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx @@ -1,4 +1,5 @@ -### Rotation Logging +### Rotation logging + The rotation manager emits logs (to the standard `vault.log`) on any successful or failed rotation. In the case of success, the log will note which credential was rotated, under the `rotationID` key, and the anticipated time of the next rotation, under the key `expire_time`. From bc9233a2009c6dfaab444e2aee348211272dbc65 Mon Sep 17 00:00:00 2001 
From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:25:18 -0400 Subject: [PATCH 03/12] Update content/vault/v1.19.x/content/docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.19.x/content/docs/auth/ldap.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/vault/v1.19.x/content/docs/auth/ldap.mdx b/content/vault/v1.19.x/content/docs/auth/ldap.mdx index 81300c3af4..27dda923f6 100644 --- a/content/vault/v1.19.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.19.x/content/docs/auth/ldap.mdx @@ -184,7 +184,7 @@ Use `vault path-help` for more details. The root bindpass can be rotated to a Vault-generated value that is not accessible by the operator. This will ensure that only Vault is able to access the "root" user that Vault uses to manipulate credentials. -Manual root rotations will be logged to the vault.log and state that the rotation was `on user request`. +Vault logs manual root rotations to `vault.log` with a note that the rotation was `on user request`. ```shell-session vault write -f auth/ldap/config/rotate-root From b3fd6a06557210b73f66b2f34da8eb93d6c41e46 Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:25:28 -0400 Subject: [PATCH 04/12] Update content/vault/v1.20.x/content/docs/auth/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.20.x/content/docs/auth/ldap.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/vault/v1.20.x/content/docs/auth/ldap.mdx b/content/vault/v1.20.x/content/docs/auth/ldap.mdx index 99ed7f5704..dfc3047a47 100644 --- a/content/vault/v1.20.x/content/docs/auth/ldap.mdx +++ b/content/vault/v1.20.x/content/docs/auth/ldap.mdx 
@@ -198,7 +198,7 @@ This will ensure that only Vault is able to access the "root" user that Vault us vault write -f auth/ldap/config/rotate-root ``` -Manual root rotations will be logged to the vault.log and state that the rotation was `on user request`. +Vault logs manual root rotations to `vault.log` with a note that the rotation was `on user request`. ### Schedule-based root credential rotation From 87bb7c1bc0a7f52d3a8b0059abea45dfe1263c5c Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:25:36 -0400 Subject: [PATCH 05/12] Update content/vault/v1.19.x/content/docs/secrets/databases/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.19.x/content/docs/secrets/databases/index.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/vault/v1.19.x/content/docs/secrets/databases/index.mdx b/content/vault/v1.19.x/content/docs/secrets/databases/index.mdx index e4eec89ace..459ff65f10 100644 --- a/content/vault/v1.19.x/content/docs/secrets/databases/index.mdx +++ b/content/vault/v1.19.x/content/docs/secrets/databases/index.mdx @@ -296,8 +296,7 @@ or otherwise, it will not be rotated until the next scheduled rotation. !> The `rotation_period` and `rotation_schedule` fields are mutually exclusive. One of them must be set but not both. -Rotations will be logged with reference to the `name` of the role and `error` -if failed. They will also indicate that they were rotated in a `periodic function`. +Vault logs rotations with reference to the `name` of the role and `error` if the rotation failed. The logs also indicate if the rotation was part of a `periodic function`. ## Password generation From 9531a9954f2fc43509dc0bfc69a9a22cbb46a91d Mon Sep 17 00:00:00 2001 
From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:25:43 -0400 Subject: [PATCH 06/12] Update content/vault/v1.20.x/content/docs/secrets/databases/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.20.x/content/docs/secrets/databases/index.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/vault/v1.20.x/content/docs/secrets/databases/index.mdx b/content/vault/v1.20.x/content/docs/secrets/databases/index.mdx index 36799f338e..71f3a4facb 100644 --- a/content/vault/v1.20.x/content/docs/secrets/databases/index.mdx +++ b/content/vault/v1.20.x/content/docs/secrets/databases/index.mdx @@ -399,8 +399,7 @@ or otherwise, it will not be rotated until the next scheduled rotation. !> The `rotation_period` and `rotation_schedule` fields are mutually exclusive. One of them must be set but not both. -Rotations will be logged with reference to the `name` of the role and `error` -if failed. They will also indicate that they were rotated in a `periodic function`. +Vault logs rotations with reference to the `name` of the role and `error` if the rotation failed. The logs also indicate if the rotation was part of a `periodic function`. ## Password generation From 4b5cf499190b42a3c5e168394f6cbd2d5d12ab2f Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:26:03 -0400 Subject: [PATCH 07/12] Update content/vault/v1.19.x/content/docs/secrets/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.19.x/content/docs/secrets/ldap.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.19.x/content/docs/secrets/ldap.mdx b/content/vault/v1.19.x/content/docs/secrets/ldap.mdx index a209e2f452..d03ad18478 100644 --- a/content/vault/v1.19.x/content/docs/secrets/ldap.mdx +++ b/content/vault/v1.19.x/content/docs/secrets/ldap.mdx 
@@ -196,9 +196,9 @@ role, the response will include the time before the next rotation (`ttl`). The `binddn` account used by Vault should be rotated using the `rotate-root` endpoint to generate a password only Vault will know. -Similar to the rotation manager, rotations will be logged with reference to the -`name` of the role and `error` if failed. They will also indicate that they were rotated in -a `periodic function`. +As with the rotation manager, Vault logs rotations with reference to the +`name` of the role and `error` if the rotation failed. The logs also indicate + if the rotation was part of a `periodic function`. ### Manual rotation From f60c969e06aa5b85662fd0f046ae82f7c44c52f7 Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:26:17 -0400 Subject: [PATCH 08/12] Update content/vault/v1.20.x/content/docs/secrets/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.20.x/content/docs/secrets/ldap.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.20.x/content/docs/secrets/ldap.mdx b/content/vault/v1.20.x/content/docs/secrets/ldap.mdx index d7aa3bf11d..45a952297b 100644 --- a/content/vault/v1.20.x/content/docs/secrets/ldap.mdx +++ b/content/vault/v1.20.x/content/docs/secrets/ldap.mdx 
@@ -196,9 +196,9 @@ role, the response will include the time before the next rotation (`ttl`). The `binddn` account used by Vault should be rotated using the `rotate-root` endpoint to generate a password only Vault will know. -Similar to the rotation manager, rotations will be logged with reference to the -`name` of the role and `error` if failed. They will also indicate that they were rotated in -a `periodic function`. +As with the rotation manager, Vault logs rotations with reference to the +`name` of the role and `error` if the rotation failed. The logs also indicate + if the rotation was part of a `periodic function`. ### Manual rotation From af91c7b58f41e7e3490dffdeff53ebfac88a812e Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:30:23 -0400 Subject: [PATCH 09/12] Update content/vault/v1.19.x/content/docs/secrets/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.19.x/content/docs/secrets/ldap.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/vault/v1.19.x/content/docs/secrets/ldap.mdx b/content/vault/v1.19.x/content/docs/secrets/ldap.mdx index d03ad18478..76c13f1116 100644 --- a/content/vault/v1.19.x/content/docs/secrets/ldap.mdx +++ b/content/vault/v1.19.x/content/docs/secrets/ldap.mdx @@ -205,8 +205,7 @@ As with the rotation manager, Vault logs rotations with reference to the Static roles can be manually rotated using the `rotate-role` endpoint. When manually rotated the rotation period will start over. -Logging here will be similar to the other rotation logging, and will reference that the -rotation happened `on user request`. +Logging for manual rotation records the same information as other rotation logging with an additional reference that the rotation happened `on user request`. ### Deleting static roles From c3e099d34323ef47cfa32ff2f0ff76c789a81445 Mon Sep 17 00:00:00 2001 
From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Mon, 8 Sep 2025 15:30:31 -0400 Subject: [PATCH 10/12] Update content/vault/v1.20.x/content/docs/secrets/ldap.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- content/vault/v1.20.x/content/docs/secrets/ldap.mdx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/vault/v1.20.x/content/docs/secrets/ldap.mdx b/content/vault/v1.20.x/content/docs/secrets/ldap.mdx index 45a952297b..abe947a910 100644 --- a/content/vault/v1.20.x/content/docs/secrets/ldap.mdx +++ b/content/vault/v1.20.x/content/docs/secrets/ldap.mdx @@ -205,8 +205,7 @@ As with the rotation manager, Vault logs rotations with reference to the Static roles can be manually rotated using the `rotate-role` endpoint. When manually rotated the rotation period will start over. -Logging here will be similar to the other rotation logging, and will reference that the -rotation happened `on user request`. +Logging for manual rotation records the same information as other rotation logging with an additional reference that the rotation happened `on user request`. ### Deleting static roles From 9609e8aef3b1d0596d2dbbfd4ea54e37e2d00d6b Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Tue, 9 Sep 2025 11:49:29 -0400 Subject: [PATCH 11/12] Update content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../partials/rotation-manager-logging.mdx | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx b/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx index a95849b7e0..4f8eb1d7e0 100644 --- a/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx +++ b/content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx 
@@ -1,8 +1,12 @@ ### Rotation logging -The rotation manager emits logs (to the standard `vault.log`) on any successful or failed -rotation. In the case of success, the log will note which credential was rotated, under -the `rotationID` key, and the anticipated time of the next rotation, under the key `expire_time`. -In the case of failure, the log will include the `rotationID` and an `err` reason. -Other logs may be emitted, depending on the set log level. When associated with a specific -credential, the `rotationID` will be included as the first parameter. \ No newline at end of file +The rotation manager emits logs to the standard `vault.log` on any successful or +failed rotation. + +In the case of success, Vault notes: + +- the rotated credential as the first parameter, `rotationID`. +- the anticipated time of the next rotation as `expire_time`. + +In the case of failure, Vault sets `rotationID` to `err` and may emit additional +logs depending on the configured log level. \ No newline at end of file From 0fc1c472fc5cb75ea62fba41651fbe775c9eb434 Mon Sep 17 00:00:00 2001 From: kpcraig <3031348+kpcraig@users.noreply.github.com> Date: Tue, 9 Sep 2025 11:49:36 -0400 Subject: [PATCH 12/12] Update content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../partials/rotation-manager-logging.mdx | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx b/content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx index 5960305b5c..75c26c62b3 100644 --- a/content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx +++ b/content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx 
@@ -1,7 +1,12 @@ -### Rotation Logging -The rotation manager emits logs (to the standard `vault.log`) on any successful or failed -rotation. In the case of success, the log will note which credential was rotated, under -the `rotationID` key, and the anticipated time of the next rotation, under the key `expire_time`. -In the case of failure, the log will include the `rotationID` and an `err` reason. -Other logs may be emitted, depending on the set log level. When associated with a specific -credential, the `rotationID` will be included as the first parameter. +### Rotation logging + +The rotation manager emits logs to the standard `vault.log` on any successful or +failed rotation. + +In the case of success, Vault notes: + +- the rotated credential as the first parameter, `rotationID`. +- the anticipated time of the next rotation as `expire_time`. + +In the case of failure, Vault sets `rotationID` to `err` and may emit additional +logs depending on the configured log level.
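Review bot: The include added to content/vault/v1.20.x/content/docs/auth/ldap.mdx in PATCH 01 (hunk at -241,6 +243,8) is written `@include rotation-manager-logging.mdx` with no quotes, while every other include in this series, and the existing `@include 'alerts/enterprise-only.mdx'` in the same file, quotes the path. PATCH 04 touches this file but not this line, so the unquoted form survives to the end of the series. Change it to `@include 'rotation-manager-logging.mdx'` so the partial resolves the same way on the 1.20 LDAP auth page as everywhere else.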
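Review bot: The "Azure plugin" wording is corrected to "LDAP plugin" only in content/vault/v1.20.x/content/docs/secrets/ldap.mdx (PATCH 01, hunk at -155,9 +155,11). The same sentence, "For more details on rotating root credentials in the Azure plugin", is still visible as unchanged context in v1.19.x secrets/ldap.mdx and in both the v1.19.x and v1.20.x auth/ldap.mdx hunks. Apply the same one-word fix to those three files so the four LDAP pages agree.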
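Review bot: The manual root rotation sentence lands in different places in the two versions of auth/ldap.mdx. In v1.19.x (PATCH 01 hunk at -184,6 +184,8, reworded in PATCH 03) it sits above the `vault write -f auth/ldap/config/rotate-root` block, while in v1.20.x (hunk at -198,6 +198,8, reworded in PATCH 04) it sits below the closing fence. Since the log line is a consequence of running the command, place it after the code block in v1.19.x as well so the two versions read the same.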
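Review bot: The static-role logging text names the failure key `error` ("with reference to the `name` of the role and `error` if failed", PATCH 01 in databases/index.mdx and secrets/ldap.mdx, kept through PATCH 05 to 08), while the rotation manager partial added in the same series names it `err`. If the two code paths really log under different keys, say so explicitly in one of the two places; if not, use one spelling throughout. Operators building log searches or alerts from these pages will copy the key names literally.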
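Review bot: The third added line in PATCH 07 and PATCH 08 (secrets/ldap.mdx, hunk at -196,9 +196,9) begins with a stray space, ` if the rotation was part of a `periodic function`.`, unlike the two added lines above it. Remove the leading space, and check the preceding line for trailing whitespace, so the paragraph wraps cleanly and matches the single-line form used for the same sentence in PATCH 05 and PATCH 06.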
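Review bot: The failure sentence in the rewritten partial (last added paragraph of PATCH 11 and PATCH 12) changes the documented behaviour rather than just the wording. The text being removed says "the log will include the `rotationID` and an `err` reason", two separate fields; the replacement says "Vault sets `rotationID` to `err`", which tells the reader the credential identifier is overwritten on failure. If failed rotations still log the credential's `rotationID` alongside a separate `err` key, reword to keep the two distinct, for example "In the case of failure, Vault logs the `rotationID` and an `err` reason", because the `rotationID` is what lets an operator tell which credential failed to rotate. The rewrite also moves "as the first parameter" onto the success bullet, whereas the removed text applied it to other logs associated with a specific credential; confirm that is intended.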