File audit device
The file audit device writes audit logs to a file. This is a very simple audit device: it appends logs to a file.
The device does not currently assist with any log rotation. There are very stable and feature-filled log rotation tools already, so we recommend using existing tools. Sending a SIGHUP to the OpenBao process will cause file audit devices to close and re-open their underlying file, which can assist with log rotation needs.
The file audit device is sensitive as it can write to arbitrary files on the instance. Be cautious when granting operators the ability to create this device via the API when unsafe_allow_api_audit_creation=true is set. Consider using declarative audit configuration instead.
Examples
Enable at the default path:
$ bao audit enable file file_path=/var/log/openbao_audit.log
Enable at a different path. It is possible to enable multiple copies of an audit device:
$ bao audit enable -path="openbao_audit_1" file file_path=/home/user/openbao_audit.log
Enable logs on stdout. This is useful when running in a container:
$ bao audit enable file file_path=stdout
Configuration
Note the difference between audit enable command options and the file backend configuration options. Use bao audit enable -help to see the command options.
The file audit device supports the common configuration options documented on the main Audit Devices page, and these device-specific options:
- file_path (string: <required>) - The path to where the audit log will be written. If a file already exists at the given path, the audit backend will append to it. There are some special keywords:
  - stdout writes the audit log to standard output
  - discard discards output, instead of writing it to a device (useful in testing scenarios)
- mode (string: "0600") - A string containing an octal number representing the bit pattern for the file mode, similar to chmod. Set to "0000" to prevent OpenBao from modifying the file mode.
  Note: Starting with OpenBao v2.4.0, any executable bits set in mode are zeroed automatically, for security purposes. For example, mode = 777 will convert to mode = 666. Furthermore, mode values that are irregular are rejected with an error.
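As an added illustration, not OpenBao's own code, the shell functions below reproduce the behaviour the mode option documents: the execute bits are cleared before the mode is applied, "0000" leaves the file mode untouched, and other values are rejected. What counts as "irregular" is an assumption of this example (anything other than three or four octal digits, or anything that sets bits outside the permission bits 0777, such as setuid or sticky); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenBao's code: shell re-implementation of the documented
# sanitisation of the file audit device "mode" option. The definition of an
# "irregular" value used here (not 3 or 4 octal digits, or bits beyond 0777)
# is an assumption of this example.

# Print the sanitised mode as four octal digits, or fail with a message.
# "0000" is passed through unchanged: it means "do not touch the file mode",
# not a permission set.
normalize_audit_mode() {
    mode="$1"
    case "$mode" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) echo "irregular mode \"$mode\": expected 3 or 4 octal digits" >&2; return 1 ;;
    esac
    # A leading 0 makes the shell's arithmetic parse the value as octal.
    bits=$(( 0$mode ))
    # 0777 == 511; anything above that sets setuid/setgid/sticky bits.
    if [ "$bits" -gt 511 ]; then
        echo "irregular mode \"$mode\": only permission bits (0777) are allowed" >&2
        return 1
    fi
    # Clear the owner, group and other execute bits (0111), e.g. 777 -> 0666.
    printf '%04o\n' $(( bits & ~0111 ))
}

# chmod the given file to the sanitised mode, unless the mode is "0000",
# in which case the current file mode is left as it is.
# Arguments: <file> <mode string>
apply_audit_mode() {
    file="$1"
    m=$(normalize_audit_mode "$2") || return 1
    [ "$m" = "0000" ] && return 0
    chmod "$m" "$file"
}
```

Use normalize_audit_mode to check a value before putting it in a device configuration, and apply_audit_mode to see what permissions a given mode string ends up producing on a scratch file.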
Log file rotation
To properly rotate OpenBao file audit device log files on BSD, Darwin, or Linux-based OpenBao servers, it is important that you configure your log rotation software to send the bao process a hangup signal (SIGHUP) after each rotation of the log file.
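The rotation procedure described above, as an added example that is not part of the OpenBao documentation or code: a rotate step that renames the audit log and then delivers SIGHUP so the device re-opens its file_path, plus the equivalent logrotate(8) stanza. The log path, the pidfile location (/var/run/openbao.pid) and the function names are assumptions for a typical Linux host; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not OpenBao's code. Paths, the pidfile location and the
# logrotate stanza are assumptions for a typical Linux host.

# Rotate one audit log: rename it with a timestamp suffix, then signal the
# PID stored in the pidfile. Prints the name of the rotated file.
# Arguments: <audit log path> <pid file>
rotate_audit_log() {
    log="$1"
    pidfile="$2"
    [ -f "$log" ] || { echo "no audit log at $log" >&2; return 1; }
    [ -s "$pidfile" ] || { echo "no pid in $pidfile" >&2; return 1; }
    rotated="$log.$(date +%Y%m%d%H%M%S)"
    # Renaming leaves the device's open descriptor on the old inode, so no
    # entries are lost: OpenBao keeps appending there until it gets SIGHUP.
    # Do not truncate the live file (logrotate's copytruncate); entries
    # written between the copy and the truncate would be lost.
    mv "$log" "$rotated"
    # Ask the bao process to close and re-open file_path.
    kill -HUP "$(cat "$pidfile")" || { echo "SIGHUP failed" >&2; return 1; }
    echo "$rotated"
}

# Equivalent logrotate(8) stanza (assumed paths) that lets logrotate do the
# rename and uses postrotate to deliver the same SIGHUP. delaycompress keeps
# the just-rotated file uncompressed while the device may still be writing
# to it; compression happens on the next run.
print_logrotate_stanza() {
    cat <<'EOF'
/var/log/openbao_audit.log {
    daily
    rotate 14
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        /bin/kill -HUP "$(cat /var/run/openbao.pid)" 2>/dev/null || true
    endscript
}
EOF
}
```

Install the stanza under /etc/logrotate.d/ (assumed location) or call rotate_audit_log from your own scheduler; in both cases the signal is what makes the device switch to the new file, so verify after a rotation that fresh entries appear in the path named by file_path rather than in the renamed file.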