This article shares some generally useful notes about Vault’s Audit Device system and specifics on the Audit Device log format.
Audit Log Time Format
All Audit Device logging uses the RFC3339Nano time format through the Go standard library time package at a resolution of 1 second.
Audit Log List Output
Here is an example detailed Audit Device list output from Vault configured with multiple Audit Devices:
$ vault audit list -detailed
Path Type Description Replication Options
---- ---- ----------- ----------- -------
file/ file n/a replicated description=File audit device file_path=/vault/logs/audit.log
socket/ socket n/a replicated socket_type=tcp address=10.10.42.111:7474
This output shows three Audit Devices enabled. Here are their details:
- Path: this is the Vault internal path, not to be confused with the filesystem path
- Type: the Audit Device type; one of file, socket, or syslog
- Description: optional device description
- Replication: whether the audit log backend is local or replicated
- Options: device specific options, such as hostnames, paths, and syslog facilities. See the individual Audit Devices
Audit Log Output Description
The following provides examples of Audit Device log output and describes the fields contained in that output.
NOTE: The Audit Device log format is JSON by default.
This example demonstrates a login with the AppRole Auth Method. Upon login, the following two entries are present in the audit log representing an entry for the request and response respectively.
Request Log Entry Example
The following is a request Audit Device log entry:
{
"auth": {
"accessor": "hmac-sha256:7d8348f406dc7003e863bdcc413a31e0a48f9533f31af42f7e275972ecdd7dd2",
"client_token": "hmac-sha256:fefd13028d42558f06e9c98bdc36f3e163f8528ada8f29a827a34193d9065cb1",
"display_name": "userpass-r1",
"entity_id": "e2853091-6c3c-2200-3ff7-0b664ed70c4d",
"metadata": {
"username": "r1"
},
"policies": [
"default",
"kv-v2-creds-policy"
],
"policy_results": {
"allowed": true,
"granting_policies": [
{
"type": ""
},
{
"name": "default",
"namespace_id": "root",
"type": "acl"
}
]
},
"token_policies": [
"default",
"kv-v2-creds-policy"
],
"token_issue_time": "2024-10-02T16:00:39+10:00",
"token_ttl": 2764800,
"token_type": "service"
},
"request": {
"client_id": "e2853091-6c3c-2200-3ff7-0b664ed70c4d",
"client_token": "hmac-sha256:3192e6e2bad2a76a3a403f40ce17a0b43f3bc7bca4e9096182263e2206208b3c",
"client_token_accessor": "hmac-sha256:7d8348f406dc7003e863bdcc413a31e0a48f9533f31af42f7e275972ecdd7dd2",
"id": "e19dde82-8778-c234-bbb4-c9ab1cfc32dc",
"mount_class": "auth",
"mount_point": "auth/token/",
"mount_running_version": "v1.18.0+builtin.vault",
"mount_type": "token",
"namespace": {
"id": "root"
},
"operation": "read",
"path": "auth/token/lookup-self",
"remote_address": "127.0.0.1",
"remote_port": 33324
},
"time": "2024-10-02T06:03:05.987731879Z",
"type": "request"
}
The request (denoted here by a type of request) contains two sections, the auth section and the request section; each of these in turn contains fields relevant to that section.
Main Fields
These fields are part of any log entry and denote the time, type, and related errors:
- error: If there is an error in the request, it will be contained here
- time: Timestamp as detailed in the Audit Log Time Format section
- type: Type of log entry, either request or response
Auth Fields
These fields represent authentication related details:
- client_token: HMAC SHA256 of the client token id
- accessor: HMAC SHA256 of the client token accessor
- display_name: The configured role display name
- policies: a list of policies
- token_policies: list of policies associated with the token
- metadata: token metadata
  - role_name: Configured name of the auth method role
- remaining_uses: Number of uses remaining for the token
- entity_id: The Identity entity ID attached to the token, if any
Request Fields
These fields represent details about the request:
- id: Unique identifier for the request
- operation: Type of operation (create, list, read, update)
- client_token: HMAC SHA256 of the client token id
- client_token_accessor: HMAC SHA256 of the client token accessor
- path: Path of the request
- data: content of any data passed to the request
- policy_override: true if a Sentinel soft-mandatory policy override was requested
- remote_address: Address of the remote host initiating the request
- wrap_ttl: The response wrapping time to live for a wrapped token
- headers: Content of any HTTP headers which were part of the request
Response Log Entry Example
The following is a response Audit Device log entry:
{
"auth": {
"accessor": "hmac-sha256:7d8348f406dc7003e863bdcc413a31e0a48f9533f31af42f7e275972ecdd7dd2",
"client_token": "hmac-sha256:fefd13028d42558f06e9c98bdc36f3e163f8528ada8f29a827a34193d9065cb1",
"display_name": "userpass-ram1",
"entity_id": "e2853091-6c3c-2200-3ff7-0b664ed70c4d",
"metadata": {
"username": "ram1"
},
"policies": [
"default",
"kv-v2-creds-policy"
],
"policy_results": {
"allowed": true,
"granting_policies": [
{
"type": ""
},
{
"name": "default",
"namespace_id": "root",
"type": "acl"
}
]
},
"token_policies": [
"default",
"kv-v2-creds-policy"
],
"token_issue_time": "2024-10-02T16:00:39+10:00",
"token_ttl": 2764800,
"token_type": "service"
},
"request": {
"client_id": "e2853091-6c3c-2200-3ff7-0b664ed70c4d",
"client_token": "hmac-sha256:3192e6e2bad2a76a3a403f40ce17a0b43f3bc7bca4e9096182263e2206208b3c",
"client_token_accessor": "hmac-sha256:7d8348f406dc7003e863bdcc413a31e0a48f9533f31af42f7e275972ecdd7dd2",
"id": "e19dde82-8778-c234-bbb4-c9ab1cfc32dc",
"mount_accessor": "auth_token_fd69e897",
"mount_class": "auth",
"mount_point": "auth/token/",
"mount_running_version": "v1.18.0+builtin.vault",
"mount_type": "token",
"namespace": {
"id": "root"
},
"operation": "read",
"path": "auth/token/lookup-self",
"remote_address": "127.0.0.1",
"remote_port": 33324
},
"response": {
"data": {
"accessor": "hmac-sha256:7d8348f406dc7003e863bdcc413a31e0a48f9533f31af42f7e275972ecdd7dd2",
"creation_time": 1727848839,
"creation_ttl": 2764800,
"display_name": "hmac-sha256:99174a33371b021911e5dc14c34600a9611217b65b00cb284661fdee476a88a7",
"entity_id": "hmac-sha256:894a434cd3e0659acb2f4fa9bae3bb1142f7b455328eedede750c783a91c32cf",
"expire_time": "2024-11-03T17:00:39.425703035+11:00",
"explicit_max_ttl": 0,
"id": "hmac-sha256:fefd13028d42558f06e9c98bdc36f3e163f8528ada8f29a827a34193d9065cb1",
"issue_time": "2024-10-02T16:00:39.425705993+10:00",
"meta": {
"username": "hmac-sha256:d071167dd5e4a51410cb47db7aabb7ff73420f1a4a3145fcce4687e9605922dc"
},
"num_uses": 0,
"orphan": true,
"path": "hmac-sha256:6df44a8fea3106617ad1c102f9acd9abe7a77040b1fcccde7c24a74ea560e3fc",
"policies": [
"hmac-sha256:3a0563653ab09a35bd4274d99e4103b38a327bf6491561fb2e19db56fcd70a97",
"hmac-sha256:b1e0fd956e090cd4f4487bf5112d45e5663e824c426d4e1ad672a275fcb7b6b7"
],
"renewable": true,
"ttl": 2764653,
"type": "hmac-sha256:e5a30ada3627fad60ed957f03655ea3523bb5c45ac575effc81110ac5b92b22b"
},
"mount_accessor": "auth_token_fd69e897",
"mount_class": "auth",
"mount_point": "auth/token/",
"mount_running_plugin_version": "v1.18.0+builtin.vault",
"mount_type": "token"
},
"time": "2024-10-02T06:03:05.987888989Z",
"type": "response"
}
The response (denoted here by a type of response) contains three sections, the auth section, the request section, and the response section; each of these in turn contains fields relevant to that section. The main, auth, and request fields are the same as described for the request log entry above; the response fields are described below.
Response Fields
These fields represent details about the response:
- data: Contains the token's data
  - accessor: HMAC SHA256 of the client token accessor
  - creation_time: Epoch timestamp representing creation time of the token
  - creation_ttl: Token time to live at creation time in seconds
  - display_name: The configured role display name
  - entity_id: The Identity entity ID attached to the token, if any
  - expire_time: Token expiration time
  - explicit_max_ttl: Token's explicit maximum time to live
  - id: HMAC SHA256 of the client token id
  - issue_time: Timestamp representing token issue time (same as creation time)
  - meta: Token metadata
    - role_name: HMAC SHA256 of the role name
  - num_uses: Remaining number of token uses
  - orphan: True if the token is an orphan
  - path: HMAC SHA256 of the response path
  - policies: token policies (HMAC SHA256 of each policy name)
  - renewable: true if the token is renewable
  - ttl: Token time to live
Note on HMAC’d Fields
Certain potentially sensitive fields are HMAC'd by default. You can compare a known value to a logged HMAC by using the /sys/audit-hash API. If you would prefer that certain fields are not HMAC'd, you can exclude those fields in the Auth Method's role configuration with the Tune Auth Method API, specifically with these options:
- audit_non_hmac_request_keys to specify a comma-separated list of keys that will not be HMAC'd by Audit Devices in the request data object
- audit_non_hmac_response_keys to specify a comma-separated list of keys that will not be HMAC'd by Audit Devices in the response data object
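As an added example that is not part of the original article, the following Python reads audit log lines in the format described above, pairs each request entry with its response by request.id, summarises the fields a reviewer checks first (path, operation, remote address, policy result, error, and request-to-response latency computed from the RFC3339Nano time field), and lists which response data keys are HMAC'd, which helps decide what belongs in audit_non_hmac_response_keys. The four log lines are constructed and shortened from this article's examples; the truncated hmac-sha256 values are illustrative placeholders, not real hashes.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample: a successful lookup-self pair and a denied read pair,
# shortened from the entries shown in this article (values are illustrative).
SAMPLE_LOG = """\
{"auth":{"accessor":"hmac-sha256:7d83","display_name":"userpass-r1","policy_results":{"allowed":true}},"request":{"id":"e19dde82-8778-c234-bbb4-c9ab1cfc32dc","operation":"read","path":"auth/token/lookup-self","remote_address":"127.0.0.1"},"time":"2024-10-02T06:03:05.987731879Z","type":"request"}
{"auth":{"accessor":"hmac-sha256:7d83","display_name":"userpass-r1","policy_results":{"allowed":true}},"request":{"id":"e19dde82-8778-c234-bbb4-c9ab1cfc32dc","operation":"read","path":"auth/token/lookup-self","remote_address":"127.0.0.1"},"response":{"data":{"accessor":"hmac-sha256:7d83","creation_ttl":2764800,"display_name":"hmac-sha256:9917","meta":{"username":"hmac-sha256:d071"},"num_uses":0,"policies":["hmac-sha256:3a05"]}},"time":"2024-10-02T06:03:05.987888989Z","type":"response"}
{"auth":{"accessor":"hmac-sha256:7d83","display_name":"userpass-r1","policy_results":{"allowed":false}},"request":{"id":"0f1c9a2e-0000-4000-8000-000000000001","operation":"read","path":"secret/data/prod/db","remote_address":"10.0.0.5"},"time":"2024-10-02T06:03:06.000000000Z","type":"request"}
{"auth":{"accessor":"hmac-sha256:7d83","display_name":"userpass-r1","policy_results":{"allowed":false}},"error":"permission denied","request":{"id":"0f1c9a2e-0000-4000-8000-000000000001","operation":"read","path":"secret/data/prod/db","remote_address":"10.0.0.5"},"time":"2024-10-02T06:03:06.000450000Z","type":"response"}
"""
RFC3339 = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)")

def parse_time(ts):
    # RFC3339Nano -> aware datetime; Python keeps microseconds, so the last 3 digits are dropped
    base, frac, tz = RFC3339.fullmatch(ts).groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.fromisoformat(base + ("+00:00" if tz == "Z" else tz)).replace(microsecond=micro)

def pair_entries(log_text):
    # Group entries by request.id so each request sits next to its response
    pairs = {}
    for line in filter(str.strip, log_text.splitlines()):
        entry = json.loads(line)
        pairs.setdefault(entry["request"]["id"], {})[entry["type"]] = entry
    return pairs

def summarize(pair):
    # Flatten one request/response pair into the fields a reviewer checks first
    req, resp = pair["request"], pair.get("response")
    auth = req.get("auth", {})
    summary = {"path": req["request"]["path"], "operation": req["request"]["operation"],
               "remote_address": req["request"].get("remote_address"),
               "display_name": auth.get("display_name"),
               "allowed": auth.get("policy_results", {}).get("allowed"),
               "error": resp.get("error") if resp else None, "latency_us": None}
    if resp:  # response 'time' minus request 'time', in whole microseconds
        summary["latency_us"] = (parse_time(resp["time"]) - parse_time(req["time"])) // timedelta(microseconds=1)
    return summary

def hmac_keys(data, prefix=""):
    # Dotted names of HMAC'd values under a data object (candidates for audit_non_hmac_*_keys)
    hmaced = lambda v: isinstance(v, str) and v.startswith("hmac-sha256:")
    out = []
    for key, value in data.items():
        if isinstance(value, dict):
            out.extend(hmac_keys(value, prefix + key + "."))
        elif hmaced(value) or (isinstance(value, list) and any(map(hmaced, value))):
            out.append(prefix + key)
    return sorted(out)
```

A request with no matching response (for example, a device that blocked before the response was written) shows up as a pair with latency_us of None, which is itself worth alerting on.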
Configuring File Audit Device with /dev/null
A tip that can help with initial Audit Device log setup: you can prevent a mistake in configuration resulting in a blocked Audit Device by enabling a temporary file based Audit Device using /dev/null on Linux:
$ vault audit enable -path=audit-temp file file_path=/dev/null
Success! Enabled the file Audit Device at: audit-temp/
When you have successfully configured all Audit Devices, you can then disable the temporary device.