Forwarding Vault audit logs to a remote Syslog server (like Graylog)
Using Vault’s Audit Backend to send logs to a remote Syslog server.
Objective
- Send audit logs from HashiCorp’s Vault to a Graylog instance
Prerequisite
- Set up a Syslog TCP/UDP Input on Graylog (if you’re using Graylog)
- Have a remote syslog server running
Steps
Important Notice: Vault has a Syslog Audit Backend as part of its suite, but it only writes to the local syslog daemon and does not forward to a remote host itself. To get the logs off the box we make use of rsyslog’s forwarding rules.
In your Vault server instance, set up your local syslog audit backend:
$ ./vault audit-enable syslog tag="<TAG>"
# TAG - A recognizable name that represents what this Vault is for or where it is located, e.g. mysupersecretserver.domain
# Newer Vault releases use the reworked CLI form: vault audit enable syslog tag="<TAG>"
This audit backend sends all logs to your local syslog’s auth facility with the tag that you specify.
Now, let’s create an rsyslog configuration file that matches those log lines and forwards them.
Create a new configuration file:
# /etc/rsyslog.d/30-vault.conf
# Forward only messages from the auth facility whose tag starts with the TAG you gave Vault.
# "@@" forwards over TCP; a single "@" would forward over UDP.
if $syslogfacility-text == "auth" and $syslogtag startswith "<TAG>" then @@<remote_syslog_host>:<remote_syslog_port>
If you are running Graylog, replace remote_syslog_host and remote_syslog_port with your Graylog Syslog listening host and port. Note that "@@" is plain TCP with no encryption, and the audit entries reveal who touched which Vault path, so keep this hop on a trusted network or use rsyslog’s TLS transport.
Restart your local rsyslog so the new rule is picked up:
$ systemctl restart rsyslog.service
Now when you do any Vault activity, you should see the log appear in both /var/log/auth.log and your remote syslog server.
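To check what the rsyslog rule above actually lets through, and what a consumer on the Graylog side can pull out of each forwarded line, here is an added example (not part of the original post, and not Vault or rsyslog code). It parses BSD-style syslog lines, applies the same predicate as the rsyslog rule (auth facility and tag prefix), and summarises the JSON audit entry Vault emits. The sample lines, the host name vault01, the tag mysupersecretserver.domain and all field values are constructed for this example; the payload shape mirrors Vault audit entries, where sensitive values arrive HMACed rather than in clear text.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

AUTH_FACILITY = 4  # syslog facility number for "auth"; PRI = facility * 8 + severity

# Constructed sample lines in RFC 3164 syslog form, as rsyslog would relay them.
# <38> is auth.info (4*8 + 6); <86> is authpriv.info (10*8 + 6), which the rule must not match.
VAULT_TAG = "mysupersecretserver.domain"
SAMPLE_LINES = [
    '<38>Jan 10 12:00:01 vault01 mysupersecretserver.domain[1123]: '
    '{"time":"2020-01-10T12:00:01Z","type":"request","auth":{"display_name":"token","policies":["root"]},'
    '"request":{"id":"req-1","operation":"read","path":"secret/data/app","remote_address":"10.0.0.5"}}',
    '<38>Jan 10 12:00:02 vault01 mysupersecretserver.domain[1123]: '
    '{"time":"2020-01-10T12:00:02Z","type":"response","auth":{"display_name":"token","policies":["root"]},'
    '"request":{"id":"req-1","operation":"read","path":"secret/data/app","remote_address":"10.0.0.5"},'
    '"response":{"data":{"data":{"password":"hmac-sha256:0123abcd"}}}}',
    '<38>Jan 10 12:00:03 vault01 sshd[2211]: Accepted publickey for alice from 10.0.0.9 port 51000',
    '<86>Jan 10 12:00:04 vault01 mysupersecretserver.domain[1123]: {"time":"2020-01-10T12:00:04Z","type":"request"}',
]

# <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    host: str
    tag: str
    pid: Optional[int]
    message: str


def parse_syslog_line(line: str) -> Optional[SyslogMessage]:
    """Split a BSD syslog line into its PRI-derived facility/severity, host, tag and payload."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return SyslogMessage(
        facility=pri // 8,
        severity=pri % 8,
        host=m.group("host"),
        tag=m.group("tag"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        message=m.group("msg"),
    )


def should_forward(msg: SyslogMessage, vault_tag: str) -> bool:
    """Same predicate as the rsyslog rule: auth facility AND syslog tag starts with the Vault tag."""
    return msg.facility == AUTH_FACILITY and msg.tag.startswith(vault_tag)


def summarize_audit_event(msg: SyslogMessage) -> Optional[dict]:
    """Pull the fields a defender wants from a Vault audit entry; None if the payload is not one."""
    try:
        event = json.loads(msg.message)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or "type" not in event:
        return None
    request = event.get("request") or {}
    auth = event.get("auth") or {}
    policies = auth.get("policies") or []
    return {
        "type": event["type"],                       # "request" or "response"
        "operation": request.get("operation"),
        "path": request.get("path"),
        "display_name": auth.get("display_name"),
        "remote_address": request.get("remote_address"),
        "root_policy": "root" in policies,           # worth alerting on in most environments
    }


def process(lines: List[str], vault_tag: str) -> List[dict]:
    """Apply the forwarding rule to each line and summarise the Vault audit entries that pass it."""
    events = []
    for line in lines:
        msg = parse_syslog_line(line)
        if msg is None or not should_forward(msg, vault_tag):
            continue
        summary = summarize_audit_event(msg)
        if summary is not None:
            events.append(summary)
    return events


if __name__ == "__main__":
    for event in process(SAMPLE_LINES, VAULT_TAG):
        print(event)
```

Running it prints only the two Vault entries: the sshd line shares the auth facility but has the wrong tag, and the fourth line carries the right tag but arrives on authpriv, so neither would be forwarded by the rsyslog rule either.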