Audit Vault Logs - OCI
Audit Vault Logs in OCI Context: Setting Vault in Dev Mode and Ingest Logs to Apica Ascent.
Audit Vault Logs in OCI Context: Setting Vault in Dev Mode and Ingest Logs to Apica Ascent.
Step 1: Create a Namespace for Vault
Create a namespace to isolate Vault resources.
kubectl create namespace vault
kubectl get namespace
Step 2: Create a persistent volume claim (PVC) in ReadWriteOnce
access mode
ReadWriteOnce
access mode The Persistent Volume Claim (PVC) is used to store audit logs, which FluentBit reads and then ingest it into to Ascent.
Create the new PVC under vault namespace.
kubectl apply -f vault-pvc.yaml -n vault
kubectl get pvc -n vault
Step 3: Install Vault in Dev Mode and Verify the Installation
Add the HashiCorp Helm Repository and Update Local Repository Cache
helm repo add hashicorp https://helm.releases.hashicorp.com
helm repo updat
Install HashiCorp Vault in a Kubernetes cluster, deploying it in development mode with the UI enabled and exposed via a LoadBalancer service for external access.
helm upgrade --install vault hashicorp/vault \
--set='server.dev.enabled=true' \
--set='ui.enabled=true' \
--set='ui.serviceType=LoadBalancer' \
--namespace vault -f server.yaml --debug
Verify the pods are in the running state
kubectl get all -n vault
Describe the verify the pods incase of any errors.
kubectl describe pod/<vault pod name> -nvault
Step 4: Enable Audit Logs from the CLI
Follow these steps to enable the audit logs track all Vault requests, by exec into the vault pod.
Access the Vault pod by exec into the
vault-0
pod in thevault
namespace:kubectl exec -it pod/vault-0 -n vault -- sh
Log in to the Vault server using the root token:
vault login root
List current audit devices configured in Vault:
vault audit list
Enable a file audit device with JSON log format, storing logs at the specified file path:
vault audit enable file file_path=/vault/logs/vault-audit.log log_format=json
Verify that the file audit device has been successfully added:
vault audit list
Step 5: Update the PVC access mode to ReadWriteMany
To update a Persistent Volume Claim (PVC) in a Kubernetes namespace, follow these steps. First, list all PVCs in the vault
namespace to identify which one needs modification. Then, edit the specific PVC using kubectl edit
, replacing <replace PV name>
with the actual name of the PVC you want to update.
# List all Persistent Volume Claims in the 'vault' namespace
kubectl get pvc -n vault
# Edit the specific PVC by replacing '<replace PV name>' with the actual PVC name
kubectl edit pvc/<replace PV name> -n vault
Please update the following section in your configuration file to clarify the access modes:
spec:
accessModes:
- ReadWriteMany
Description:
ReadWriteMany: This access mode allows multiple nodes to read and write the data
Step 6: Install Fluent Bit to Stream Vault Audit Logs to Ascent
Configure the Fluent Bit Helm chart by adding its repository and refreshing your local chart list.
Add the Fluent Bit Helm repository:
helm repo add fluent https://fluent.github.io/helm-charts helm repo update
Create a ConfigMap for fluentBit:
Before applying the configmap, please update the 4 fields based on the configuration in fb-configmap.yaml
file.
[INPUT]: Replace
path
with the Vault audit log file path (e.g.,/vault/logs/vault-audit.log
).[OUTPUT]: Replace
Host
with the Apica Ascent hostname or endpoint.[OUTPUT]: Update
URI
path if necessary.[OUTPUT]: Update
Header
Authorization Bearer token.
Apply the Config Map:
kubectl apply -f fb-configmap.yaml -n vault
kubectl get configmap -n vault
Deploy Fluent Bit:
kubectl apply -f fb-deployment.yaml -n vault
Step 7: Generate Logs and Verify Fluent Bit Output
Follow these steps to log into the Vault UI and create secrets:
kubectl get all -nvault
Steps
Log in to the Vault UI using the LoadBalancer IP or DNS name.
Enter your login credentials and access the Vault interface it will be token/root.
Navigate to the "Secrets" section from the side menu.
Click on "Create secret" and fill in the required information for your secret.
Save your secret to finalize the creation process.
This should generate some vault audit logs and verify the fluent fit pod logs, should scrape the new logs that are generated.
kubectl logs pod/<pod name> -n vault
Ensure logs show successful processing of Vault audit logs.
Step 8: Verify Logs in Apica Ascent
Log in to Apica Ascent.
Navigate to Logs & Insights.
Look for the
vault-logs
namespace.Click on the Vault app to view the logs.
Last updated
Was this helpful?