一、添加audit日志功能:
1.创建策略:
# Load the policy below into Vault. This step needs a token that may write ACL
# policies (e.g. the initial root token) -- the narrow "audit" token minted
# further down only has rights on sys/audit and could not do this itself.
vault policy write audit ./audit.hcl
[root@k8s ~]# cat audit.hcl
# audit.hcl -- least-privilege policy for an operator who only manages audit
# devices. It grants nothing outside sys/audit, so a token carrying only this
# policy cannot read secrets or change any other server configuration.

# 'sudo' capability is required to manage audit devices
path "sys/audit/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# To list enabled audit devices, 'sudo' capability is required
path "sys/audit"
{
capabilities = ["read", "sudo"]
}
2.创建此策略的token:
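# Mint a token that carries only the "audit" policy. The token is printed to
# stdout, so run this on a trusted terminal. -ttl bounds its lifetime: enabling
# audit devices is a one-off admin task and the token should not outlive it.
vault token create -policy=audit -ttl=1h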
3.登录此token:
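# Do not pass the token as an argument -- it would be recorded in shell history
# and visible in `ps`. With no argument, `vault login` prompts for it (input hidden).
# The CLI then caches the token in plaintext in ~/.vault-token; remove that file
# once the audit setup is done.
vault login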
4.激活audit功能:
# Enable a file audit device (needs the sudo capability on sys/audit granted above).
# - The directory must be writable by the user the Vault server runs as; the file
#   is created with the device's `mode` option (0600 by default) -- keep it that tight.
# - Sensitive request/response fields are HMAC'd by default; do not set log_raw=true
#   outside a lab, or secrets end up in the log in clear.
# - Once any audit device is enabled, Vault stops serving requests if no enabled
#   device can write. Protect this path from filling up and enable a second device
#   (the syslog one in section 3) so a single failed device does not take Vault down.
vault audit enable file file_path=/data/vault-audit.log
效果: 启用后，每个请求和响应都会以 JSON 行的形式追加到 /data/vault-audit.log，其中的敏感字段默认已经过 HMAC 处理（除非显式开启 log_raw）。
二、更改日志级别（注意：这是 Vault 服务器自身的运行日志，与上面的审计日志是两回事；debug 级别会输出大量运行细节，只应在排障时临时使用）:
1.使用cli命令
# Option 1: pass the level on the command line; it applies only to this server
# process. This controls the operational log, not the audit log. debug is very
# verbose and exposes internal detail, so use it for troubleshooting and revert
# to info afterwards.
vault server -config=/etc/vault/config-file.hcl -log-level=debug
2.VAULT_LOG_LEVEL 环境变量
# Option 2: environment variable. `vault server` reads it at start-up, so it must
# be present in the environment of the Vault service (e.g. its systemd unit), not
# just an interactive shell, and takes effect on the next server start.
export VAULT_LOG_LEVEL=debug
3.在服务器配置文件（如上面的 /etc/vault/config-file.hcl）里添加
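# Option 3: set it in the server config file. Use the lowercase spelling so it
# matches the documented values (trace, debug, info, warn, error) and the flag
# and environment-variable forms above.
log_level = "debug"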
三、添加 syslog 审计设备（作为文件审计设备之外的第二个设备）
# Enable a second audit device that writes to the local syslog daemon. `tag` is
# the program name prefix on each entry; facility=AUTH selects the LOG_AUTH
# facility. Run it with the same "audit" token as above. With two devices
# enabled Vault only needs one of them to accept each entry, which removes the
# single point of failure of relying on the file device alone.
vault audit enable syslog tag="vault" facility="AUTH"
之后执行 `tail -f /var/log/messages` 就能看到操作日志了（`tailf` 已从新版 util-linux 中移除；实际落盘位置取决于 rsyslog/journald 对 auth facility 的规则，在部分发行版上可能写到其他文件或只进入 journal，可用 `journalctl -t vault` 查看）。