
File audit device

The file audit device writes audit log entries to a file. It is deliberately simple: each entry is appended to the file at the configured path.

The device does not perform any log rotation itself. Mature, feature-rich log rotation tools already exist, so use one of those.

Sending SIGHUP to the OpenBao process causes every file audit device to close and re-open its underlying file. This is the hook a rotation tool needs: after the current log has been renamed, the signal makes the device start a fresh file at the configured path.

Examples

Enable at the default path:

$ bao audit enable file file_path=/var/log/openbao_audit.log

Enable at a different mount path. Several instances of the file device can be enabled at once, each with its own file_path:

$ bao audit enable -path="openbao_audit_1" file file_path=/home/user/openbao_audit.log

Write the log to standard output, which is useful when running in a container:

$ bao audit enable file file_path=stdout

Configuration

Note the difference between the options of the bao audit enable command (flags such as -path) and the file device's own configuration options (the key=value pairs given after the device type, such as file_path). Use bao audit enable -help to see the command options.

The file audit device supports the common configuration options documented on the main Audit Devices page, and these device-specific options:

  • file_path (string: <required>) - The path to where the audit log will be written. If a file already exists at the given path, the audit backend will append to it. There are some special keywords:

    • stdout writes the audit log to standard output

    • discard discards output instead of writing it anywhere (useful in testing scenarios; with this setting no audit record is kept, so do not use it in production)

  • mode (string: "0600") - A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to "0000" to prevent OpenBao from modifying the file mode.

warning

Note: Starting with OpenBao v2.4.0, any executable bits set in mode are zeroed automatically for security purposes. For example, mode = 777 is converted to mode = 666. Additionally, irregular mode values are rejected with an error.

Log file rotation

To rotate file audit device logs correctly on BSD, Darwin, or Linux-based OpenBao servers, configure your log rotation software to send the bao process a hangup signal (SIGHUP) after each rotation of the log file. Until the signal arrives, the process keeps writing to the renamed file through its still-open descriptor, and nothing is written to the new file at file_path.
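The rotation procedure described above (rename the current file, then signal the process so the device reopens file_path), as a runnable shell script. This is an added example and not OpenBao's own code or documentation. It assumes that on SIGHUP the device closes its descriptor and reopens, creating if necessary, the configured file_path, as the page describes. The function names rotate_audit_log, fake_audit_writer and demo_rotation are chosen here; fake_audit_writer is a constructed stand-in for the server process, present only so the script runs offline.

```shell
#!/bin/sh
# Added example, not OpenBao's own code: rotate a file audit log the way the
# page describes (rename the live file, then SIGHUP the server so the audit
# device reopens file_path) and verify the server really moved to the new file.
# Assumption: on SIGHUP the audit device closes its descriptor and reopens
# (creating if needed) the path it was configured with.

# rotate_audit_log LOGFILE PID
# Rename LOGFILE to a timestamped name, send SIGHUP to PID, then wait up to
# ~5 s for a fresh LOGFILE to appear and receive a write. Prints the rotated
# file name on success; returns 1 if the process did not reopen the log.
rotate_audit_log() {
    rlog=$1
    rpid=$2
    rotated="$rlog.$(date +%Y%m%d-%H%M%S)"
    [ -f "$rlog" ] || { echo "no such log file: $rlog" >&2; return 1; }
    # Rename rather than copy+truncate: the server's open descriptor follows
    # the inode, so no entries are lost between the rename and the reopen.
    mv "$rlog" "$rotated" || return 1
    kill -HUP "$rpid" || return 1
    i=0
    while [ "$i" -lt 50 ]; do
        if [ -s "$rlog" ]; then
            echo "$rotated"
            return 0
        fi
        sleep 0.1
        i=$((i + 1))
    done
    echo "process $rpid did not reopen $rlog after SIGHUP" >&2
    return 1
}

# Constructed stand-in for the OpenBao process so the script runs offline:
# holds the log open on fd 3, appends a JSON line every 0.1 s, and on SIGHUP
# closes and reopens fd 3 at the same path (the behaviour the page describes).
fake_audit_writer() {
    wlog=$1
    trap 'exec 3>&-; exec 3>>"$wlog"' HUP
    trap 'exec 3>&-; exit 0' TERM
    exec 3>>"$wlog"
    n=0
    while :; do
        echo "{\"type\":\"response\",\"seq\":$n}" >&3
        n=$((n + 1))
        sleep 0.1
    done
}

# demo_rotation: run the stand-in writer on a temporary log, rotate it once,
# and return 0 only if both the rotated file (entries from before the SIGHUP)
# and the fresh live file (entries from after it) received writes.
demo_rotation() {
    dir=$(mktemp -d)
    live="$dir/openbao_audit.log"
    fake_audit_writer "$live" &
    wpid=$!
    # Let the writer produce a few entries before rotating.
    i=0
    until [ -s "$live" ] || [ "$i" -ge 50 ]; do sleep 0.1; i=$((i + 1)); done
    old=$(rotate_audit_log "$live" "$wpid") || { kill "$wpid" 2>/dev/null; rm -rf "$dir"; return 1; }
    # Give the writer a moment to append to the reopened file, then stop it.
    sleep 0.3
    kill "$wpid"
    wait "$wpid" 2>/dev/null || true
    ok=1
    [ -s "$old" ] && [ -s "$live" ] && ok=0
    rm -rf "$dir"
    return "$ok"
}

demo_rotation && echo "rotation ok: process reopened the audit log after SIGHUP"
```

In production the same two steps belong in the rotation tool's post-rotation hook: for logrotate, a postrotate / endscript stanza that runs kill -HUP against the bao process id. Avoid copy-and-truncate style rotation for this log: entries written between the copy and the truncate are lost, whereas rename followed by SIGHUP loses nothing, because the device keeps writing to the renamed file until it reopens the new one.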