Audit Vault Logs - OCI
Audit Vault Logs in OCI Context: Setting Vault in Dev Mode and Ingest Logs to Apica Ascent.
Last updated
Was this helpful?
Audit Vault Logs in OCI Context: Setting Vault in Dev Mode and Ingest Logs to Apica Ascent.
Last updated
Was this helpful?
Create a namespace to isolate Vault resources.
ReadWriteOnce access mode The Persistent Volume Claim (PVC) is used to store audit logs, which FluentBit reads and then ingest it into to Ascent.
Create the new PVC under vault namespace.
Add the HashiCorp Helm Repository and Update Local Repository Cache
Install HashiCorp Vault in a Kubernetes cluster, deploying it in development mode with the UI enabled and exposed via a LoadBalancer service for external access.
Verify the pods are in the running state
Describe the verify the pods incase of any errors.
Follow these steps to enable the audit logs track all Vault requests, by exec into the vault pod.
Access the Vault pod by exec into thevault-0 pod in the vault namespace:
Log in to the Vault server using the root token:
List current audit devices configured in Vault:
Enable a file audit device with JSON log format, storing logs at the specified file path:
Verify that the file audit device has been successfully added:
To update a Persistent Volume Claim (PVC) in a Kubernetes namespace, follow these steps. First, list all PVCs in the vault namespace to identify which one needs modification. Then, edit the specific PVC using kubectl edit, replacing <replace PV name> with the actual name of the PVC you want to update.
Please update the following section in your configuration file to clarify the access modes:
Description:
ReadWriteMany: This access mode allows multiple nodes to read and write the data
Configure the Fluent Bit Helm chart by adding its repository and refreshing your local chart list.
Add the Fluent Bit Helm repository:
Create a ConfigMap for fluentBit:
Before applying the configmap, please update the 4 fields based on the configuration in fb-configmap.yaml file.
[INPUT]: Replace path with the Vault audit log file path (e.g., /vault/logs/vault-audit.log).
[OUTPUT]: Replace Host with the Apica Ascent hostname or endpoint.
[OUTPUT]: Update URI path if necessary.
[OUTPUT]: Update Header Authorization Bearer token.
Apply the Config Map:
Deploy Fluent Bit:
Follow these steps to log into the Vault UI and create secrets:
Log in to the Vault UI using the LoadBalancer IP or DNS name.
Enter your login credentials and access the Vault interface it will be token/root.
Navigate to the "Secrets" section from the side menu.
Click on "Create secret" and fill in the required information for your secret.
Save your secret to finalize the creation process.
This should generate some vault audit logs and verify the fluent fit pod logs, should scrape the new logs that are generated.
Ensure logs show successful processing of Vault audit logs.
Log in to Apica Ascent.
Navigate to Logs & Insights.
Look for the vault-logs namespace.
Click on the Vault app to view the logs.
