Vault - Copy logs to an external system

[IanKWatts]

Describe the issue In the interest of security and reliability, configure Vault to copy log files to an external system.

What is the Value/Impact?

• In the event of a hack or compromised system, we will have another set of log files outside of the Vault system, just in case the original logs are deleted or tampered with.
• We can retain logs for a longer period of time.

What is the plan? How will this get completed?

• Look into our options for creating another set of logs
• Test the configuration in the lab instances
• Apply the same configuration to prod
• See: https://developer.hashicorp.com/vault/docs/audit

Identify any dependencies n/a

Definition of done

• [ ] Secondary logging configured and tested in the labs
• [ ] Configured in prod

[StevenBarre]

All pod logs are being sent to the SIEM already, maybe just need to get a view setup in there to ensure they are easy to access and have sufficient retention? cc @NickCorcoran

[IanKWatts]

We're keeping the server log and the audit log separate, because the first is a fixed format normal log message, while the audit log messages are JSON objects. The lab cluster has been configured to send audit log messages to the SIEM; we're waiting to get confirmation that they're being received and will be useful to us for monitoring and alerts. We currently keep 30 days worth of audit logs and they are copied to an S3 bucket.