Using Vault’s Audit Backend to send logs to a remote Syslog server.
- Send audit logs from HashiCorp's Vault to a Graylog instance
- Set up a Syslog TCP/UDP input on Graylog (if you're using Graylog)
- Have a remote syslog server running
Important Notice: Vault has a Syslog Audit Backend as part of its suite, but it currently does not allow remote forwarding.
To do that we will have to make use of rsyslog's forwarding rules.
In your Vault server instance, set up your local syslog audit backend:
$ ./vault audit-enable syslog tag="<TAG>"
# TAG - a recognizable name that represents what this Vault is for or where it is located, e.g. mysupersecretserver.domain
This audit backend sends all logs to your local syslog's auth facility with the tag that you specify.
Now, let's create a syslog configuration file to look out for the logs.
Create a new configuration file:
# /etc/rsyslog.d/30-vault.conf
# @@ forwards over TCP; use a single @ for UDP
if $syslogfacility-text == "auth" and $syslogtag startswith "<TAG>" then @@<remote_syslog_host>:<remote_syslog_port>
If you are running Graylog, replace <remote_syslog_host> and <remote_syslog_port> with the host and port your Graylog Syslog input listens on.
Restart your local syslog
$ systemctl restart rsyslog.service
Now when you do any Vault activity, you should see the log appear in both /var/log/auth.log and your remote syslog server.
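The steps above, gathered into a small script as an added example (not from the original post or from Vault/rsyslog themselves): it generates the forwarding rule for either TCP or UDP, validates the rsyslog configuration before restarting, and sends a tagged test entry into the auth facility so the forwarding path can be confirmed on the remote side without touching Vault. It assumes rsyslog, systemd and the `logger` utility are installed; the tag, host and port are supplied by the caller.

```shell
#!/bin/sh
# Added example: install and verify rsyslog forwarding for Vault's syslog audit device.
# Assumes rsyslog (RainerScript syntax), systemd and `logger` are available.

# Print the rsyslog rule that forwards Vault audit entries.
#   $1 = Vault audit tag, $2 = remote host, $3 = remote port, $4 = tcp|udp (default tcp)
vault_rsyslog_rule() {
    tag="$1"; host="$2"; port="$3"; proto="${4:-tcp}"
    case "$proto" in
        tcp) prefix='@@' ;;   # @@ = plain TCP (what the post uses; not TLS)
        udp) prefix='@'  ;;   # @  = UDP
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    # Vault logs via the auth facility; matching on the tag keeps other auth
    # messages (sshd, sudo, ...) from being forwarded by this rule.
    printf 'if $syslogfacility-text == "auth" and $syslogtag startswith "%s" then %s%s:%s\n' \
        "$tag" "$prefix" "$host" "$port"
}

# Write the rule to the rsyslog drop-in directory, dry-run parse the whole
# configuration (rsyslogd -N1) so a typo cannot take logging down, then restart.
#   $1..$4 as above, $5 = config path (default /etc/rsyslog.d/30-vault.conf)
install_vault_forwarding() {
    conf="${5:-/etc/rsyslog.d/30-vault.conf}"
    vault_rsyslog_rule "$1" "$2" "$3" "$4" > "$conf" || return 1
    rsyslogd -N1 || { echo "rsyslog config check failed, not restarting" >&2; return 1; }
    systemctl restart rsyslog.service
}

# Emit a test line into the auth facility with the Vault tag. It should show up
# in /var/log/auth.log and on the remote server if the rule is working.
#   $1 = Vault audit tag
send_test_entry() {
    logger -p auth.info -t "$1" "vault audit forwarding check $(date +%s)"
}
```

Run `install_vault_forwarding "<TAG>" "<remote_syslog_host>" "<remote_syslog_port>"` as root, then `send_test_entry "<TAG>"` and watch the remote input.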