Introduction
HashiCorp Vault is a widely used secrets management tool that helps organizations securely store, access, and manage secrets. Vault audit logs record all requests and responses made to Vault, including authentication attempts and access to secrets. Monitoring and analyzing these logs is crucial for security and compliance purposes.
Amazon CloudWatch Logs is a log monitoring and management service provided by AWS. It allows you to ingest, store, and analyze log data from various sources, including Vault audit logs. This article explains how to filter Vault audit logs in AWS CloudWatch Logs to detect when a root token has been used.
Outcome
Help identify when a root token has been used for authentication.
Prerequisites
Before you proceed, make sure you have the following:
- A running HashiCorp Vault instance with audit logs enabled and configured to send logs to Amazon CloudWatch Logs.
- AWS Management Console access with permissions to view and manage CloudWatch Logs.
Filtering Vault Audit Logs in CloudWatch Logs
Step 1: Access Log Groups
- Sign in to the AWS Management Console.
- Navigate to the Amazon CloudWatch service.
- In the left-hand menu, click on "Log groups".
Step 2: Select or Create a Log Group
Select the log group where your Vault audit logs are stored. If you haven't created one yet, follow these steps to create a new log group:
- Click on the "Actions" button and select "Create log group".
- Enter a name for the new log group and click "Create".
Step 3: Create a Metric Filter
To create a metric filter that triggers an alarm when a root token has been used, follow these steps:
- Select the log group containing your Vault audit logs.
- Click on "Metric filter".
- Click on "Create metric filter".
Step 4: Define the Filter Pattern
Enter the following filter pattern to match log events where a root token is used:
{ ($.type = "response") && ($.request.path = "auth/token/lookup-self") && ($.auth.display_name = "root") }
This filter pattern searches for log events with the following conditions:
- The "type" field equals "response".
- The "request.path" field equals "auth/token/lookup-self".
- The "auth.display_name" field equals "root".
Together, these conditions match the audit response for a token self-lookup performed with the root token, which is how the filter identifies root-token authentication. Note that the pattern is deliberately narrow: requests made with the root token to other paths (for example, reading a secret) do not match it, and the paired "request" entry for the same call is excluded by the "type" condition, so each use is counted once.
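As an added example (not part of the original article or of Vault or CloudWatch), the following Python reproduces the three conditions of the filter pattern over constructed Vault audit log lines, so you can check which events would increment the metric before deploying the filter. The sample lines and the function names are assumptions made for the example; only the fields the pattern inspects are included.

```python
import json

# Constructed sample Vault audit log lines (not real logs); fields are trimmed
# to the ones the CloudWatch filter pattern inspects.
SAMPLE_LOG_LINES = [
    # 1: response to a root token looking itself up -> should match
    '{"time":"2024-01-01T10:00:00Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"auth/token/lookup-self"}}',
    # 2: the paired "request" entry for the same call -> no match (type != response)
    '{"time":"2024-01-01T10:00:00Z","type":"request","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"auth/token/lookup-self"}}',
    # 3: a non-root token looking itself up -> no match (display_name != root)
    '{"time":"2024-01-01T10:01:00Z","type":"response","auth":{"display_name":"token-app","policies":["default","app"]},"request":{"operation":"read","path":"auth/token/lookup-self"}}',
    # 4: root token reading a secret -> no match (path != lookup-self)
    '{"time":"2024-01-01T10:02:00Z","type":"response","auth":{"display_name":"root","policies":["root"]},"request":{"operation":"read","path":"secret/data/app"}}',
    # 5: a non-JSON line, as might appear if a plain-text message lands in the stream
    'vault[1234]: audit device is healthy',
]


def get_path(event, dotted):
    """Resolve a CloudWatch-style selector such as 'request.path'; None if absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_root_lookup_self(event):
    """The same three conditions as the metric filter pattern in the article."""
    return (
        get_path(event, "type") == "response"
        and get_path(event, "request.path") == "auth/token/lookup-self"
        and get_path(event, "auth.display_name") == "root"
    )


def filter_events(lines):
    """Return the parsed events that would increment the metric; non-JSON lines never match."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # JSON filter patterns only evaluate well-formed JSON events
        if matches_root_lookup_self(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in filter_events(SAMPLE_LOG_LINES):
        print(hit["time"], hit["request"]["path"], hit["auth"]["display_name"])
```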
Additional Information
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html