Skip to main content

Syslog audit device

The syslog audit device writes audit logs to syslog.

It currently does not support a configurable syslog destination, and always sends to the local agent. This device is only supported on Unix systems, and should not be enabled if any standby OpenBao instances do not support it.

warning

Warning: Audit messages generated for some operations can be quite large, and can be larger than a maximum-size single UDP packet. If possible with your syslog daemon, configure a TCP listener. Otherwise, consider using a file backend and having syslog configured to read entries from the file; or, enable both file and syslog so that a failure for a particular message to log directly to syslog will not result in OpenBao being blocked.

Examples

Audit syslog device can be enabled by the following command:

$ bao audit enable syslog

Supply configuration parameters via K=V pairs:

$ bao audit enable syslog tag="openbao" facility="AUTH"

Configuration

The syslog audit device supports the common configuration options documented on the main Audit Devices page, and these device-specific options:

  • facility (string: "AUTH") - The syslog facility to use.

  • tag (string: "openbao") - The syslog tag to use.