Vault: Revamp audit logging docs #631


Open. Wants to merge 11 commits into base: main

Conversation

@gsantos-hc commented Jul 24, 2025

Revamp the documentation for Vault's audit logging. Changes include:

  1. Adding a page to document the structure of audit log entries and the meaning of each field.
  2. Adding a page to document general best practices w/r/t audit logging in Vault.
  3. Reorder and rewrite content in the main audit logging docs page to improve readability.

These changes cover most of VSM-226 and were reviewed internally by Engineering and Resident Architects/Engineers from the Professional Services team (see Google Docs history).

The changes also include minor fixes for the Audit Filtering docs page, which were identified in the course of Engineering review.

Rearrange the order of sections in the main Audit Logging documentation
to keep related content closer together.

Remove the paragraph on blocking audit device failures. This content
predates the rearchitecture of Vault's audit logging system and is no
longer relevant. Vault's audit logging pipeline currently enforces a
10-second timeout for all audit devices.

Fix links to related concepts and API documentation. Add a note to
recommend that users test the performance impact of their filtering
rules in a non-production environment before deploying to production.
@gsantos-hc gsantos-hc requested a review from a team as a code owner July 24, 2025 13:03

github-actions bot commented Jul 24, 2025

Vercel Previews Deployed

| Name | Status | Updated (UTC) |
|---|---|---|
| Dev Portal | ✅ Ready | Mon Jul 28 21:30:25 UTC 2025 |
| Unified Docs API | ✅ Ready | Mon Jul 28 21:24:24 UTC 2025 |


github-actions bot commented Jul 24, 2025

Broken Link Checker

No broken links found! 🎉


@schavis schavis left a comment


Worked through the best practices doc. Will pick up the remaining docs tomorrow.

Comment on lines 68 to 72:

> You should configure monitoring and alerting on the health of your audit devices.
>
> Vault produces several [telemetry metrics](/vault/docs/internals/telemetry/metrics/audit) related to audit logging. You should especially monitor `vault.audit.log_request_failure`, `vault.audit.log_response_failure`, `vault.audit.{DEVICE}.log_request`, and `vault.audit.{DEVICE}.log_response` for spikes, which can indicate one or more audit devices failing.
>
> Additionally, you should configure monitoring and alerting specific to each type of audit device, such as available disk space, disk IOPS, and log rotation status for `file` audit devices.

Suggested change:

We strongly recommend monitoring and alerting on the health of your audit
devices, with specific alerts for each type of audit device. For example,
alerting on available disk space, disk IOPS, and log rotation status for `file`
audit devices.

Vault produces several audit logging
[telemetry metrics](/vault/docs/internals/telemetry/metrics/audit) and we
recommend monitoring the following metrics for spikes, which can indicate one or
more audit devices failing:

- [`vault.audit.log_request_failure`](/vault/docs/internals/telemetry/metrics/audit#vault-audit-log_request_failure)
- [`vault.audit.log_response_failure`](/vault/docs/internals/telemetry/metrics/audit#vault-audit-log_response_failure)
- [`vault.audit.{DEVICE}.log_request`](/vault/docs/internals/telemetry/metrics/audit#vault-audit-device-log_request)
- [`vault.audit.{DEVICE}.log_response`](/vault/docs/internals/telemetry/metrics/audit#vault-audit-device-log_response)
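The suggestion above says to watch the audit failure counters for spikes, because a spike is the signal that an audit device is failing. The following is an added example, not code from the Vault docs or the Vault project, of the simplest alerting rule that does this: compare each scrape interval's increment against a trailing baseline and flag outliers, with a floor so that a single stray failure on a flat baseline does not page anyone. The metric names are the ones the review lists; the time series values are constructed sample data.

```python
"""Spike detection over Vault audit-logging telemetry (added example, constructed data)."""
from statistics import mean, pstdev

# Failure counters named in the review comment. Any other per-interval series
# (for example per-device vault.audit.{DEVICE}.log_request counts) can be fed
# through the same function.
AUDIT_FAILURE_METRICS = (
    "vault.audit.log_request_failure",
    "vault.audit.log_response_failure",
)

# Constructed sample: per-interval increments of each counter, one value per
# scrape interval, as a metrics pipeline would expose them. Not real data.
SAMPLE_SERIES = {
    "vault.audit.log_request_failure":  [0, 0, 1, 0, 0, 0, 0, 0, 0, 14, 22],
    "vault.audit.log_response_failure": [0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 19],
}


def detect_spikes(series, baseline_window=6, sigma=3.0, min_delta=5, min_points=3):
    """Flag intervals whose increment exceeds the trailing baseline by more
    than `sigma` standard deviations and is at least `min_delta` events.

    series: mapping of metric name -> list of per-interval increments.
    Returns a list of (metric, interval_index, value) tuples in series order.
    `min_delta` is the floor that keeps a flat baseline (stdev 0) from turning
    one failed write into an alert.
    """
    findings = []
    for metric, values in series.items():
        for i, value in enumerate(values):
            baseline = values[max(0, i - baseline_window):i]
            if len(baseline) < min_points:
                continue  # not enough history to judge this interval yet
            threshold = mean(baseline) + sigma * pstdev(baseline)
            if value > threshold and value >= min_delta:
                findings.append((metric, i, value))
    return findings


def audit_device_alerts(series=SAMPLE_SERIES):
    """Return one alert string per spike in the audit failure counters."""
    selected = {m: series[m] for m in AUDIT_FAILURE_METRICS if m in series}
    return [
        f"{metric}: {value} failures in interval {idx}, possible audit device failure"
        for metric, idx, value in detect_spikes(selected)
    ]


if __name__ == "__main__":
    for line in audit_device_alerts():
        print(line)
```

Running the block against the sample prints three alerts: two for the request failure counter (intervals 9 and 10) and one for the response failure counter (interval 10). The interval-2 value of 1 is ignored by the `min_delta` floor, which is the same reasoning the docs apply when they say to alert on spikes rather than on any non-zero count.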

Comment on lines 76 to 80:

> For each authentication backend and secrets engine mount you configure in Vault, you should evaluate which request and response attributes need *not* be [hashed](/vault/docs/audit#hashing-of-sensitive-values) in the audit logs.
>
> <Tip>
> Hashing should be left on for attributes that are sensitive (e.g., passwords, private keys) or that may be excessively large for your audit log.
> </Tip>

Suggested change:

We recommend [hashing](/vault/docs/audit#hashing-of-sensitive-values) for all
sensitive attributes (for example, passwords and private keys) and any attribute
that may be excessively large for your audit log.

For all other attributes, we recommend reviewing each authentication backend and
secrets engine mount you configure in Vault to evaluate which request and
response attributes do not need hashing in the audit logs.
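Once a team has tuned which attributes are exempt from hashing on each mount, the practical question is how to verify that the attributes that must stay hashed actually arrive hashed in the log. The following is an added example, not code from the Vault docs or the Vault project, of a check that reads newline-delimited audit entries and reports any sensitive attribute stored in the clear. It relies on the `hmac-sha256:` prefix that Vault puts on hashed values; the audit entries are constructed for the example, and `SENSITIVE_KEYS` is an illustrative list, not a list Vault defines.

```python
"""Verify that sensitive attributes in Vault audit entries are hashed (added example)."""
import json

# Vault writes HMAC-hashed values as strings carrying this prefix.
HASH_PREFIX = "hmac-sha256:"

# Attributes that should stay hashed regardless of per-mount tuning.
# Illustrative list for this example, not a list Vault defines.
SENSITIVE_KEYS = {"password", "private_key", "client_token", "secret_id", "token"}

# Constructed audit entries (not captured from a real Vault). The third entry
# shows the defect the check exists for: a secret_id written in the clear.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "request",
     "request": {"path": "auth/userpass/login/alice",
                 "data": {"password": "hmac-sha256:aaaa"}}},
    {"type": "response",
     "request": {"path": "pki/issue/web"},
     "response": {"data": {"serial_number": "3a:1f",
                           "private_key": "hmac-sha256:bbbb",
                           "certificate": "hmac-sha256:cccc"}}},
    {"type": "request",
     "request": {"path": "auth/approle/login",
                 "data": {"role_id": "hmac-sha256:dddd",
                          "secret_id": "plaintext-secret"}}},
])


def _walk(obj, key=None):
    """Yield (key, value) for every leaf of a nested dict/list structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v, key)
    else:
        yield key, obj


def unhashed_sensitive(log_text, sensitive_keys=SENSITIVE_KEYS):
    """Return (line_no, request_path, key) for each sensitive attribute that
    appears unhashed in request.data, response.data or the auth block.
    Lines that are not valid JSON are reported as 'unparsable' rather than
    skipped, so a truncated or corrupted log is visible in the result."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, None, "unparsable"))
            continue
        path = entry.get("request", {}).get("path")
        for section, subkey in (("request", "data"), ("response", "data"), ("auth", None)):
            node = entry.get(section, {})
            if subkey:
                node = node.get(subkey, {})
            for key, value in _walk(node):
                if (key in sensitive_keys and isinstance(value, str)
                        and not value.startswith(HASH_PREFIX)):
                    findings.append((n, path, key))
    return findings


if __name__ == "__main__":
    for line_no, path, key in unhashed_sensitive(SAMPLE_LOG):
        print(f"line {line_no}: {key} is not hashed (request path {path})")
```

The check deliberately walks nested data, because exemptions configured with the non-HMAC key settings apply by key name wherever the key appears, and it treats an unparsable line as a finding rather than silence, since a gap in the audit log is itself something an operator needs to know about.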
