Forwarding Vault audit logs to a remote Syslog server (like Graylog)

Using Vault’s Audit Backend to send logs to a remote Syslog server.

Objective

  • Send audit_logs from Hashicorp’s Vault to an Graylog instance

Prerequisite

  • Setup a Syslog TCP/UDP Input on Graylog (if you’re using graylog)
  • Has a remote syslog server running

Steps

Important Notice: Vault has a Syslog Audit Backend as part of its suite but it currently does not allow remote forwarding.
In order to do that we will have to make use of rsyslog’s rules forwarding.

In your vault server instance,

Setup your local syslog audit backend

$ ./vault audit-enable syslog tag="<TAG>"

# TAG - A recognizable name that represents what this vault is for or where is it located. eg. mysupersecretserver.domain

This audit backend sends all logs to your local syslog’s auth facility with the tag that you specify

Now, lets create a syslog configuration file to lookout for the logs.

Create a new configuration file:

# /etc/rsyslog.d/30-vault.conf

if $syslogfacility-text == "auth" and $syslogtag startswith "<tag>" then @@<remote_syslog_host>:<remote_syslog_port>

If you are running graylog, replace remote_syslog_host and remote_syslog_port with your Graylog Syslog listening host and port.

Restart your local syslog

$ systemctl restart rsyslog.service

Now when you do any vault activity, you should see the log appear in both /var/log/auth.log and your remote syslog server.

References