Configure HCP Vault audit log streaming to generic HTTP sink
Availability
HCP Vault audit logs streaming is available for all production grade clusters. The feature is not available for Development tier clusters.
The generic HTTP sink is an optional audit log streaming configuration that can be used when native integrations are not yet available. It provides support for sending audit logs in either JSON or NDJSON formats. Additionally, you can choose to compress (gzip) audit logs, if supported by your telemetry service. The exact configuration of the generic HTTP sink will depend on your target telemetry service. Not all telemetry services will support the use of the generic HTTP sink.
Refer to the HCP Vault integrations documentation for a complete list of natively supported providers.
Prerequisites
To configure audit logs streaming you will need to have:
An HCP account with the Admin or Contributor role assigned in HCP
A production grade HCP Vault cluster
Note
If you do not have a cluster running, refer to the Create a Vault Cluster on HCP or the Deploy HCP Vault with Terraform tutorial to create an HCP Vault cluster.
Configure target log aggregation service
Example log aggregation service
Webhook.site is used for demonstration purposes and will generate a unique URL on first access.
Webhook.site is a public service: anything posted to the generated URL can be read by anyone who has that URL. If you point an existing HCP Vault cluster at it, that cluster's audit logs will be publicly visible. Use a disposable test cluster for this walkthrough and disable streaming when you are done.
Open a web browser and navigate to https://webhook.site/
Make note of the URL.
Leave this page open. You will return to the site when configuring HCP Vault.
Enable audit logs streaming
Open a new web browser/tab and log in to the HCP Portal.
Navigate to the Vault clusters page.
Click the Vault cluster you wish to enable streaming for and click Audit Logs.
Click Enable log streaming.
From the Select a provider view, select Generic HTTP Sink as the provider and click Next.
Under Add provider details, enter Your unique URL from webhook.site in the URI field.
Click the Method pulldown menu and select POST. The generic HTTP sink supports PATCH, POST, and PUT methods. Verify the method(s) required for your specific logging service.
Click the Strategy pulldown menu. The generic HTTP sink supports either Basic (username and password) or Bearer (token) authentication.
Leave the Strategy menu blank - it is not required for webhook.site. For any real telemetry service, configure one of these strategies and use an HTTPS URI: audit logs record every request made to the cluster and should never be delivered to an unauthenticated endpoint or in cleartext.
Leave the Headers (Optional) fields empty. Additional headers can be added to the request as key/value pairs.
Under Compression select Disable. Compression lets you choose whether to gzip the logs sent to the logging service. Verify whether your logging service supports gzip-compressed log streaming.
Click the pulldown menu for Encoding codec and select JSON. The generic HTTP sink supports both JSON and NDJSON. When using JSON, the entire message is sent as a single JSON array. When using NDJSON, each element is placed on its own line and is not wrapped in brackets ([]).
Leave the Payload prefix and Payload suffix empty. The optional prefix and suffix allow you to add a custom prefix and suffix to the message; both must be JSON formatted.
Click Save.
Audit logs will start to appear after a few minutes, though the process to enable audit logging in the HCP Portal may take up to 20 minutes.
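If your target is a service you run yourself rather than webhook.site, the receiver has to cope with the options chosen above: the HTTP method, the Basic or Bearer credential, optional gzip compression, and the JSON (one array per request) or NDJSON (one object per line) codec. The following is an added example, not code from HCP or this page, of a minimal receiver-side handler that validates the request and decodes both codecs. The sample events, the hypothetical bearer token s3cret, and the assumption that gzip-compressed bodies are either marked with Content-Encoding: gzip or recognisable by the gzip magic bytes are all constructed for illustration; the prefix and suffix options are not modelled.

```python
import base64
import gzip
import hmac
import json

# Constructed sample audit events, shaped roughly like Vault request/response
# entries. Illustrative only; not captured from an HCP cluster.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T00:00:00Z", "type": "request",
     "request": {"operation": "read", "path": "secret/data/app"}},
    {"time": "2024-01-01T00:00:01Z", "type": "response",
     "request": {"operation": "read", "path": "secret/data/app"},
     "response": {"status": 200}},
]


def encode_batch(events, codec="JSON", compress=False):
    """Build a request body following the codec semantics described above:
    JSON = the whole batch as one JSON array, NDJSON = one object per line.
    Assumption: this mirrors the option descriptions; the exact bytes HCP
    emits are not documented on this page."""
    if codec == "JSON":
        payload = json.dumps(events)
    elif codec == "NDJSON":
        payload = "\n".join(json.dumps(e) for e in events) + "\n"
    else:
        raise ValueError(f"unsupported codec {codec!r}")
    body = payload.encode("utf-8")
    return gzip.compress(body) if compress else body


def check_auth(headers, expected_token=None, expected_basic=None):
    """Return True if the Authorization header matches the configured
    strategy (Bearer token or Basic username/password). Constant-time
    comparison keeps the check from leaking the secret through timing."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if expected_token is not None and scheme == "Bearer":
        return hmac.compare_digest(credential.encode(), expected_token.encode())
    if expected_basic is not None and scheme == "Basic":
        user, password = expected_basic
        expected = base64.b64encode(f"{user}:{password}".encode())
        return hmac.compare_digest(credential.encode(), expected)
    return False


def decode_batch(body, headers, codec):
    """Decode a request body into a list of audit-event dicts. Handles gzip
    (by Content-Encoding header or gzip magic bytes, an assumption) and both
    codecs. Raises ValueError for anything that is not a list of objects."""
    if headers.get("Content-Encoding", "").lower() == "gzip" or body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    text = body.decode("utf-8")
    if codec == "JSON":
        events = json.loads(text)
        if not isinstance(events, list):
            raise ValueError("JSON codec payload must be a JSON array")
    elif codec == "NDJSON":
        events = [json.loads(line) for line in text.splitlines() if line.strip()]
    else:
        raise ValueError(f"unsupported codec {codec!r}")
    for event in events:
        if not isinstance(event, dict):
            raise ValueError("each audit event must be a JSON object")
    return events


def handle(method, headers, body, codec, expected_token):
    """Minimal request handler: returns (status, events). Rejects methods the
    sink does not use, unauthenticated requests, and malformed payloads."""
    if method not in ("POST", "PUT", "PATCH"):
        return 405, []
    if not check_auth(headers, expected_token=expected_token):
        return 401, []
    try:
        return 200, decode_batch(body, headers, codec)
    except (ValueError, OSError, UnicodeDecodeError):
        return 400, []


if __name__ == "__main__":
    # Round trip: compressed JSON array, authenticated with the sample token.
    body = encode_batch(SAMPLE_EVENTS, codec="JSON", compress=True)
    headers = {"Authorization": "Bearer s3cret", "Content-Encoding": "gzip"}
    status, events = handle("POST", headers, body, "JSON", "s3cret")
    print(status, len(events), "events decoded")
```

Wire the handler into whatever HTTP framework you use; the point is that the credential check happens before any decompression or parsing, so an unauthenticated sender cannot make the receiver inflate arbitrary gzip bodies.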
Note
At this time, HCP Vault only supports audit logs streaming to one log endpoint at a time.
Edit the audit log streaming configuration (optional)
To edit an audit log streaming integration, perform the following steps.
From the Audit Logs page, click on the Manage drop-down, then Edit configuration.
Edit the configuration, then click Save.
Disable audit log streaming (optional)
To disable an audit log streaming integration, from the Audit Logs page, click on the Manage drop-down, then Disable streaming.