Status: Closed (Flamefire closed this issue 3 weeks ago)
Hi 👋

I think what's happening here is that the audit device path (which is effectively the unique identifier of the audit device) is easy to mistake for the file_path, which is the file that the audit device will write the log to. I do see that our docs aren't very clear on it right now, but we are currently working on improving the CLI documentation, so I will pass this on as feedback to my colleagues who are working on that.

For the future, if you'd like to change the audit device path, i.e. the ID of the device, you can pass the -path flag with your command:

vault audit enable -path=bar file file_path=/tmp/foo

Otherwise the CLI just automatically uses the type of the device as the path.
Also, if you want to see the file_path (and other options) for an audit device you have, please try adding the -detailed flag to the list command, like this:

➜ vault audit enable -path=bar file file_path=/tmp/foo
Success! Enabled the file audit device at: bar/

➜ vault audit list -detailed
Path    Type    Description    Replication    Options
----    ----    -----------    -----------    -------
bar/    file    n/a            replicated     file_path=/tmp/foo

That should give you the expected output.
Relevant docs:
-path flag: https://developer.hashicorp.com/vault/docs/commands/audit/enable#path
file_path argument: https://developer.hashicorp.com/vault/docs/audit/file#file_path

I understand. path is confusing at this point, especially with the trailing slash.
Maybe the documentation can also be improved, as the examples don't make it easy to understand the difference between "path" and "file_path":

Enable at the default path:
$ vault audit enable file file_path=/var/log/vault_audit.log

Enable at a different path. It is possible to enable multiple copies of an audit device:
$ vault audit enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log

The example for "different path" changes both "paths" at once. And "Place where the audit device will be accessible." isn't really clear either. What does "accessible" mean here, accessible by and for what? Maybe just "[...] accessible for/to vault commands" already helps.

Anyway, this isn't a bug and for me the distinction is clear now.
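The distinction the thread settles on (the device path is the identifier you pass with -path, the file_path option is where the log lands on disk) is easy to check mechanically when reviewing an audit configuration. The following POSIX shell script is added here as an illustration; it is not from the issue, from HashiCorp or from Vault itself. It parses a constructed sample of vault audit list -detailed output (embedded in the script, not captured from a real server) and looks up the file_path option of a device by its device path, accepting the path with or without the trailing slash. The function names audit_file_path and check_audit_device are my own.

```shell
#!/bin/sh
# Constructed sample of `vault audit list -detailed` output (not captured from a
# real server). Two file devices: one enabled with -path=bar, one at the default
# path, which the CLI derives from the device type ("file/").
SAMPLE_AUDIT_LIST='Path    Type    Description    Replication    Options
----    ----    -----------    -----------    -------
bar/    file    n/a            replicated     file_path=/tmp/foo
file/   file    n/a            replicated     file_path=/var/log/vault_audit.log'

# audit_file_path DEVICE_PATH
# Reads a `vault audit list -detailed` listing on stdin and prints the file_path
# option of the audit device mounted at DEVICE_PATH ("bar" and "bar/" both match,
# since the CLI always reports the path with a trailing slash).
# Exit status 1 if no device with that path exists.
audit_file_path() {
    want="${1%/}/"
    awk -v want="$want" '
        # skip the header and dash rows; columns are Path Type Description Replication Options...
        NR > 2 && $1 == want {
            for (i = 5; i <= NF; i++) {
                if (split($i, kv, "=") == 2 && kv[1] == "file_path") {
                    print kv[2]
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# check_audit_device DEVICE_PATH EXPECTED_FILE
# Succeeds only if the device exists in the sample listing and writes to EXPECTED_FILE.
# A drift check like this catches a device that was enabled at the wrong path or
# pointed at the wrong log file.
check_audit_device() {
    actual=$(printf '%s\n' "$SAMPLE_AUDIT_LIST" | audit_file_path "$1") || return 1
    [ "$actual" = "$2" ]
}

# Example usage against the constructed sample:
if check_audit_device bar /tmp/foo; then
    echo "audit device bar/ writes to /tmp/foo as expected"
else
    echo "audit device bar/ missing or writing elsewhere" >&2
fi
```

Against a live server you would replace the embedded sample with the real listing, e.g. vault audit list -detailed | audit_file_path bar, and compare the result with the file your log shipping or retention policy expects.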
I appreciate you taking the time to write up the feedback. I have already passed it on to the peeps looking at improving our CLI documentation. I will close the issue now, thanks!
To Reproduce
Steps to reproduce the behavior:
vault audit enable file file_path=/tmp/foo
vault audit list

Expected behavior
Audit log goes to file /tmp/foo and vault audit list shows that. BUT:

Environment:
vault status: 1.17.0
vault version: v1.17.6