In this article we walk through the options and limitations of configuring audit logging when running Vault in a Kubernetes environment.
Properly configuring Vault audit devices is an important task: it lets you monitor every request made to and every response returned by your Vault environment, and it satisfies the compliance requirements of many organizations. Keep in mind that once any audit device is enabled, Vault requires at least one of them to persist each entry before it completes a request, so the reliability of the chosen device directly affects Vault's availability.
Audit Device Configuration Options
File Option with the auditStorage Helm value
The auditStorage option is available in the Vault Helm chart (it is a chart value, not a pod annotation). When server.auditStorage.enabled is set to true, the chart adds a PersistentVolumeClaim to the server StatefulSet and mounts it in the Vault container at /vault/audit (the server.auditStorage.mountPath default). Set enabled to true, install or upgrade the release, and then enable a file audit device that writes into that mount:
kubectl exec -ti <POD NAME> -- vault audit enable file file_path=/vault/audit/vault_audit.log
Important note: when the File Option is combined with auditStorage, log rotation is mandatory to avoid filesystem exhaustion. The audit device records every request and response on the PVC, and if the volume fills up the device can no longer write; because Vault needs at least one audit device to succeed, it will then start failing requests. Vault does not rotate the file itself, so run a rotation sidecar through the extraContainers option of the Helm chart. Note that the sidecar runs in a separate container of the pod: it cannot send SIGHUP to the vault process (the signal on which Vault reopens its audit log files) unless the pod shares a process namespace (server.shareProcessNamespace in the chart), so either rotate by copy-and-truncate or enable the shared process namespace and signal Vault after renaming the file. This task has also been discussed in Helm chart issue #142.
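The following values file is an added example of the auditStorage plus extraContainers combination described above; it is not taken from the article or from the Vault Helm chart itself. It enables the audit PVC and adds a copy-and-truncate rotation sidecar that mounts the same PVC, so no signal to the vault process is needed. The sidecar image, the 100 MiB threshold, the number of kept archives and the 60 second interval are assumptions; the volume name "audit" and the mount path are the chart's own defaults for auditStorage.

```yaml
# values.yaml for the hashicorp/vault Helm chart (added example, not the
# chart's or the article's own configuration).
server:
  auditStorage:
    enabled: true
    size: 10Gi                 # PVC size: if it fills up, audit writes fail
    mountPath: /vault/audit    # chart default; keep it in sync with file_path below
  # After the pod is up, enable the device with:
  #   vault audit enable file file_path=/vault/audit/vault_audit.log
  extraContainers:
    - name: audit-logrotate
      image: busybox:1.36      # assumption: any image with a POSIX sh, gzip and stat
      volumeMounts:
        - name: audit          # the PVC the chart creates when auditStorage is enabled
          mountPath: /vault/audit
      command: ["/bin/sh", "-c"]
      args:
        - |
          # Copy-then-truncate rotation. Vault keeps writing to the same inode,
          # so the vault process never needs SIGHUP from this container.
          LOG=/vault/audit/vault_audit.log
          MAX=104857600          # rotate once the file reaches 100 MiB (assumption)
          KEEP=5                 # archives to retain (assumption)
          while true; do
            if [ -f "$LOG" ] && [ "$(stat -c %s "$LOG")" -ge "$MAX" ]; then
              # shift older archives: .4.gz -> .5.gz, ... , .1.gz -> .2.gz
              i=$KEEP
              while [ "$i" -gt 1 ]; do
                j=$((i - 1))
                [ -f "$LOG.$j.gz" ] && mv "$LOG.$j.gz" "$LOG.$i.gz"
                i=$j
              done
              # copy the live file, truncate it in place, then compress the copy
              cp "$LOG" "$LOG.1" && : > "$LOG" && gzip -f "$LOG.1"
            fi
            sleep 60
          done
```

The sidecar inherits the pod securityContext of the chart (the vault user), so it can read and truncate the 0600 audit file. Copy-and-truncate has a small window between the copy and the truncation in which entries written by Vault are lost; if that is unacceptable for your compliance requirements, enable server.shareProcessNamespace, rename the file instead of truncating it, and send SIGHUP to the vault process so it reopens the log.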
File Option with stdout
Another possible configuration option is to write the Vault audit log to the container's standard output (stdout), where the container runtime captures it together with the rest of the pod's output. In this case the file audit device is configured with the special file_path value stdout, as in the example below.
kubectl exec -ti <POD NAME> -- vault audit enable file file_path=stdout
To inspect and read the Vault audit logs, the following command may be used as an example:
kubectl logs <POD NAME>
Important note: when the File Option writes to stdout, the Vault operational logs and the Vault audit logs are mixed in the same stream. Audit entries are single-line JSON objects with a "type" field of "request" or "response", whereas operational logs use the server's log_format (logfmt by default), so a log collector has to separate them on that basis. Also note that the stream is only as durable as the container runtime's log retention and your log shipping pipeline: rotated or evicted container logs are lost audit records.
Socket Option
Enabling the Socket Option can be performed by following the official docs: the socket audit device streams audit entries to a TCP, UDP or Unix socket listener, typically a log collector running outside the Vault pod. Note that Network Policies in your Kubernetes environment may prevent you from using this option, because the Vault pods need egress to the collector. Also keep in mind that Vault requires at least one enabled audit device to accept each entry before it responds to a request, so if the socket device is the only audit device and the collector becomes unreachable, Vault stops serving requests; enable a file audit device alongside it.
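As an added example of the Network Policy point above (it is not part of the article or of the official docs), the following NetworkPolicy lets the Vault server pods reach a TCP audit collector, so that a device enabled with vault audit enable socket address=audit-collector.logging.svc:9000 socket_type=tcp is not silently blocked. The namespaces, the collector's labels, the port and the DNS location in kube-system are assumptions; the app.kubernetes.io/name and component labels are the ones the Vault Helm chart sets on its server pods.

```yaml
# NetworkPolicy for the Vault server pods (added example; names, labels and
# ports are assumptions, adjust them to your cluster).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vault-audit-socket-egress
  namespace: vault                        # namespace of the Vault release (assumption)
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: vault       # labels set by the Vault Helm chart
      component: server
  policyTypes:
    - Egress
  egress:
    # DNS, so the collector's Service name resolves (assumption: CoreDNS in kube-system)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The audit collector the socket audit device connects to
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: logging
          podSelector:
            matchLabels:
              app: audit-collector
      ports:
        - protocol: TCP
          port: 9000
```

Network Policies are additive, but as soon as any policy with policyTypes Egress selects the Vault pods, every egress flow not allowed by some policy is denied. If this is the only egress policy selecting them, it becomes an allow-list, and you must also allow the traffic Vault already needs (the storage backend or Raft peers, the Kubernetes API for auto-join and the Kubernetes auth method, and any external secrets engines), otherwise enabling audit egress takes Vault down.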
Syslog Option
As per the current design, the syslog audit device writes only to the local syslog daemon of the machine it runs on, and the Vault container image ships no syslog daemon, so no local syslog is available inside Vault containers. As a result, the Vault audit logs cannot use the syslog audit device option. Please use the File Option or the Socket Option; if syslog is the required destination, have a log collector that receives the socket stream or tails the audit file forward the entries to syslog.