Enable HashiCorp Vault audit logs.
Ensure that HAProxy sends the PROXY protocol (version 1, via the send-proxy server option) to the Vault backend, so that Vault sees the original client address instead of the load balancer's. Note that the ACL name used in use_backend must match the acl line exactly (is-vault in both places); HAProxy refuses to start on a reference to an undefined ACL.

[...]
# consul agent resolvers
resolvers consul
    nameserver consul 127.0.0.1:8600
    accepted_payload_size 8192
    hold valid 5s

# https frontend
frontend https-frontend
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    # match vault address
    acl is-vault hdr(host) -i vault-basilisk.octocat.cloud
    # use backend if address match (ACL name must match the acl line above)
    use_backend vault-ui-backend if is-vault

# vault backend
backend vault-ui-backend
    # backend server template: Vault nodes discovered via Consul SRV records,
    # re-encrypted to the backend with the Vault CA, PROXY v1 header via send-proxy
    # (use send-proxy-v2 if you want the version 2 binary header instead)
    server-template vault 1-5 _vault._tcp.service.consul resolvers consul resolve-prefer ipv4 check ssl ca-file /etc/haproxy/vault-ca.pem send-proxy
Ensure that the Vault listener configuration includes the proxy protocol settings, so that the remote address recorded in the audit log reflects the client IP address for connections arriving from the listed proxy hosts. With proxy_protocol_behavior = "allow_authorized", Vault honours a PROXY header only when the TCP source is one of proxy_protocol_authorized_addrs; a connection from any other source is still accepted, but it is recorded under its own source address rather than anything it claims in a header. If only the load balancers should ever be allowed to connect directly, use "deny_unauthorized" instead, which rejects connections from addresses outside the list.

# consul storage backend
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

# built-in web user interface
ui = true

# HTTPS listener
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
  # honour PROXY protocol headers only when they come from the HAProxy nodes
  proxy_protocol_behavior         = "allow_authorized"
  proxy_protocol_authorized_addrs = "172.16.150.1,172.16.150.2,172.16.150.3"
}

# Enterprise license_path (this will be required for enterprise as of v1.8)
license_path = "/etc/vault.d/vault.hclic"
Create the vault log directory (root privileges are needed to create it under /var/log).
$ sudo mkdir /var/log/vault
Ensure that the vault user owns the log directory and that no other user can read it, since audit entries reveal who accessed which paths.
$ sudo chown vault:vault /var/log/vault
$ sudo chmod 700 /var/log/vault
Enable the file audit device. The CLI only calls the API; the log file itself is created by the Vault server process, which is why the server must run as the vault user. Whichever user runs the command needs VAULT_ADDR pointing at this node and a token permitted to write sys/audit/* (sudo -u vault starts with a reset environment, so export those variables for that user or run the command as the user holding the token). Once at least one audit device is enabled, Vault requires that at least one of them successfully records each request before serving it; with a single file device, a full disk stops Vault from answering requests, so enable a second device (for example syslog) before relying on this one in production.
$ sudo -u vault vault audit enable file file_path=/var/log/vault/vault_audit.log
Inspect audit logs.
$ tail -f /var/log/vault/vault_audit.log
[...]
{"time":"2022-07-19T22:54:26.268508605Z","type":"request","auth":{"token_type":"default"},"request":{"id":"55141006-221e-335b-6ca2-ca3c4ad11af9","operation":"read","mount_type":"system","namespace":{"id":"root"},"path":"sys/internal/ui/resultant-acl","remote_address":"172.16.150.150","remote_port":41478},"error":"permission denied"}
{"time":"2022-07-19T22:54:26.455951542Z","type":"request","auth":{"policy_results":{"allowed":true},"token_type":"default"},"request":{"id":"c96c7f24-7bd6-f962-a6a5-c580d4402929","operation":"read","mount_type":"system","namespace":{"id":"root"},"path":"sys/internal/ui/mounts","remote_address":"172.16.150.150","remote_port":41486}}
The remote_address in both entries is the client's 172.16.150.150 rather than one of the HAProxy nodes (172.16.150.1 to .3), which confirms that the PROXY header is being honoured. Each entry is one JSON object per line; sensitive values such as tokens and secret data are HMAC-SHA256 hashed by default, so leave log_raw at its default of false on any production device.
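To confirm that the PROXY protocol is actually in effect and to pull the security-relevant events out of this stream, the following Python script (an added example, not part of the original page and not HashiCorp's tooling) parses audit entries in the JSON-lines format shown above. It assumes the three HAProxy addresses from the listener stanza above as the authorized proxy set. The sample input is constructed: the first two lines are copied from the output above, the remaining lines (a response entry, an entry whose remote_address is an HAProxy node, and a truncated line) are hypothetical and exist only to exercise the checks.

```python
"""Check Vault audit log lines for client-address correctness and denials.

Added example, not from the original page or from HashiCorp. Reads JSON-lines
audit entries as written by the file audit device and reports:
  - request counts per remote_address,
  - requests that ended in an error such as "permission denied",
  - entries whose remote_address is one of the HAProxy nodes, which means the
    PROXY header was not applied and real client IPs are being lost.
"""
import json
from collections import Counter

# Addresses from proxy_protocol_authorized_addrs in the listener stanza above.
PROXY_ADDRS = {"172.16.150.1", "172.16.150.2", "172.16.150.3"}

# Constructed sample input. Lines 1 and 2 reproduce the page's output. Line 3 is
# a hypothetical "response" entry for the second request, line 4 a hypothetical
# request arriving with an HAProxy node as remote_address, and line 5 a
# truncated line of the kind you get when tailing a file during rotation.
SAMPLE_LINES = [
    '{"time":"2022-07-19T22:54:26.268508605Z","type":"request","auth":{"token_type":"default"},'
    '"request":{"id":"55141006-221e-335b-6ca2-ca3c4ad11af9","operation":"read","mount_type":"system",'
    '"namespace":{"id":"root"},"path":"sys/internal/ui/resultant-acl","remote_address":"172.16.150.150",'
    '"remote_port":41478},"error":"permission denied"}',
    '{"time":"2022-07-19T22:54:26.455951542Z","type":"request","auth":{"policy_results":{"allowed":true},'
    '"token_type":"default"},"request":{"id":"c96c7f24-7bd6-f962-a6a5-c580d4402929","operation":"read",'
    '"mount_type":"system","namespace":{"id":"root"},"path":"sys/internal/ui/mounts",'
    '"remote_address":"172.16.150.150","remote_port":41486}}',
    '{"time":"2022-07-19T22:54:26.460000000Z","type":"response","auth":{"policy_results":{"allowed":true},'
    '"token_type":"default"},"request":{"id":"c96c7f24-7bd6-f962-a6a5-c580d4402929","operation":"read",'
    '"mount_type":"system","namespace":{"id":"root"},"path":"sys/internal/ui/mounts",'
    '"remote_address":"172.16.150.150","remote_port":41486},"response":{"mount_type":"system"}}',
    '{"time":"2022-07-19T22:55:01.000000000Z","type":"request","auth":{"policy_results":{"allowed":true},'
    '"token_type":"default"},"request":{"id":"00000000-0000-0000-0000-000000000004","operation":"read",'
    '"mount_type":"system","namespace":{"id":"root"},"path":"sys/health",'
    '"remote_address":"172.16.150.2","remote_port":50210}}',
    '{"time":"2022-07-19T22:55:02',
]


def parse_entries(lines):
    """Parse JSON-lines audit output, skipping blank or truncated lines."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            # A half-written line (rotation, tail -f) is not an attack; skip it.
            continue
    return entries


def analyze(entries, proxy_addrs):
    """Return per-client counts, errored requests, and entries whose
    remote_address is a proxy node (PROXY protocol not in effect)."""
    by_client = Counter()
    denied = []
    proxy_as_client = []
    for entry in entries:
        if entry.get("type") != "request":
            # "response" entries repeat the request block; count each request once.
            continue
        req = entry.get("request", {})
        addr = req.get("remote_address", "unknown")
        by_client[addr] += 1
        if entry.get("error"):
            denied.append((addr, req.get("path"), entry["error"]))
        if addr in proxy_addrs:
            proxy_as_client.append(req.get("id"))
    return {"by_client": by_client, "denied": denied, "proxy_as_client": proxy_as_client}


if __name__ == "__main__":
    report = analyze(parse_entries(SAMPLE_LINES), PROXY_ADDRS)
    for addr, n in report["by_client"].most_common():
        print(f"{addr}: {n} request(s)")
    for addr, path, err in report["denied"]:
        print(f"DENIED {addr} {path}: {err}")
    if report["proxy_as_client"]:
        print("WARNING: remote_address is an HAProxy node for request ids",
              report["proxy_as_client"], "so the PROXY header is not being applied")
```

To run it against the real log, replace SAMPLE_LINES with open("/var/log/vault/vault_audit.log") and feed the file object to parse_entries; only the request entries are counted so that a request/response pair is not reported twice.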