The main event system that was used by Vault was changed in 1.15.0 to use a new and more advanced library (eventlogger).
This change brought about errors which are applicable to many versions throughout:
- Vault 1.15.x (all)
- Vault 1.16.0 to 1.16.9
- Vault 1.17.0 to 1.17.6
The errors visible in the Vault operational logs may resemble:
... [ERROR] core: failed to audit response: request_path=sys/leases/renew
error=
| 1 error occurred:
| \t* event not processed by enough 'sink' nodes
The easiest remedy for this issue is upgrading to a version of Vault that's 1.16.10 or 1.17.7 and higher where it's resolved.
Solution for Vault 1.15.x
In case you're on a version of Vault that's 1.15.x and are unable to upgrade then you can set the environment variable: VAULT_AUDIT_DISABLE_EVENTLOGGER=true as part of the process launch (SystemD unit file, etc).
Symptoms repeating on Vault 1.17.7 & higher
If you're using Vault Enterprise versions and are still observing these sink related messages but less frequently then that may be endemic to a highly loaded or overloaded cluster. In those cases it's advised to open a Vault Support Request (via the HashiCorp support portal) providing as much context as possible from the onset including available Vault Operational Logs, Vault Audits & Vault Debug packages when these issues had occurred.