Syslog has some limitations around the message (audit log) size. In specific scenarios, Vault audit request output can be very large that Syslog devices cannot capture the complete message/log due to its message size limitation. Users might get an error with code 500 while listing or reading secrets from Vault.
The sample error (while listing the PKI secrets for example) looks like the below:
[ERROR]audit: backend failed to log response:backend=syslog/error="write unixgra @->/run/systemd/journal/dev-log: write: message too long"
[ERROR]core: failed to audit response: request_path=pki_int/certs/
error=1 error occurred: |\t* no audit backend succeeded in logging the responseˀ
oversized audit log entries
The latest version of vault 1.13.x+ent has this fixed by providing a new parameter while enabling the syslog audit device called "elide_list_responses".
Here is how you enable it:
- Enable audit device with "elide_list_responses":
vault audit enable syslog elide_list_responses=true
- List audit devices to confirm:
vault audit list --detailed
Path Type Description Replication Options
--- ---- --------- -------- -----
syslog/ syslog. n/a. replicated elide_list_responses=true
- After elide_list_responses, it will show the total number of certs in "Keys" (as highlighted below):
[root@ip-172-31-90-255 vault.d]# vault list pki_int/certs | wc -l
Please Note, It is highly recommended that you configure Vault to use multiple audit devices. Audit failures can prevent Vault from servicing requests, so it is important to provide at least one other device.