Audit
Summary: Audit devices log every API request and response. Enable at least two — if the only audit device blocks, OpenBao stops servicing requests.
Sources: raw/docs/audit/index.md, raw/docs/audit/file.md, raw/docs/audit/syslog.md, raw/docs/audit/socket.md, raw/docs/audit/http.md.
Last updated: 2026-05-19
What gets logged
Every API request and response. Each line is a JSON object with type: request or type: response. Sensitive values are hashed before logging (source: raw/docs/audit/index.md).
A small set of paths is not audited (source: raw/docs/audit/index.md):
- sys/init, sys/seal-status, sys/seal, sys/unseal
- sys/leader, sys/health
- sys/storage/raft/bootstrap, sys/storage/raft/join
- If unauthenticated access is allowed: sys/metrics, sys/pprof/*, sys/in-flight-req
Devices
Built-in sinks (raw/docs/audit/):
- file — write to a file path; rotation is the operator’s problem.
- syslog — local syslog (Unix only).
- socket — TCP/UDP/Unix socket, line-delimited JSON.
- http — POST JSON to an HTTP endpoint.
Why enable more than one
OpenBao counts a request as successful if it can log to at least one configured audit device. If only one device is configured and it blocks (disk full, syslog down), OpenBao stops serving requests (source: raw/docs/audit/index.md). Always run ≥ 2 devices and treat their union as the canonical log.
Running multiple devices also gives you tamper detection by cross-comparing the logs.
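One way to do that cross-comparison, as an added example (not OpenBao's own code or tooling): it diffs two sinks on unhashed fields and reports entries present in only one of them, plus lines that fail to parse. The field names `request.id`, `request.path` and `request.operation`, and the assumption that hashed values are salted per device and so cannot be compared directly, are assumptions; the sample lines are constructed.

```python
import json
from collections import Counter

def entry_key(line):
    # Compare only unhashed fields; HMAC'd values are assumed to be salted
    # per device and so will not match between sinks.
    e = json.loads(line)
    req = e.get("request") or {}
    return (e.get("type"), req.get("id"), req.get("path"), req.get("operation"))

def load_keys(lines):
    """Return (Counter of entry keys, 1-based numbers of unparsable lines)."""
    keys, bad = Counter(), []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            keys[entry_key(line)] += 1
        except (ValueError, AttributeError, TypeError):
            bad.append(n)
    return keys, bad

def cross_compare(lines_a, lines_b):
    """Diff two audit sinks; the union is the canonical record."""
    a, bad_a = load_keys(lines_a)
    b, bad_b = load_keys(lines_b)
    return {
        "only_in_a": sorted((a - b).elements(), key=str),
        "only_in_b": sorted((b - a).elements(), key=str),
        "unparsable_a": bad_a,
        "unparsable_b": bad_b,
        "union_size": sum((a | b).values()),
    }

def sample_entry(kind, rid, path, op, token_hmac):  # constructed sample line
    return json.dumps({"type": kind, "auth": {"client_token": token_hmac},
                       "request": {"id": rid, "path": path, "operation": op}})

# Constructed sample data, not real audit output.
FILE_LOG = [sample_entry(k, r, p, o, "hmac-sha256:aaaa") for k, r, p, o in [
    ("request", "r1", "secret/data/app", "read"),
    ("response", "r1", "secret/data/app", "read"),
    ("request", "r2", "sys/policies/acl/ops", "update"),
    ("response", "r2", "sys/policies/acl/ops", "update")]]
SOCKET_LOG = [sample_entry(k, r, p, o, "hmac-sha256:bbbb") for k, r, p, o in [
    ("request", "r1", "secret/data/app", "read"),
    ("response", "r1", "secret/data/app", "read"),
    ("request", "r2", "sys/policies/acl/ops", "update")]]
SOCKET_LOG.append('{"type": "response", "request": {"id": "r2", "pa')  # truncated

if __name__ == "__main__":
    print(json.dumps(cross_compare(FILE_LOG, SOCKET_LOG), indent=2))
```

A non-empty `only_in_a` or `only_in_b`, or any unparsable line, is a lead to investigate: it can mean a sink was unavailable for a while, a write was cut short, or a log was edited after the fact.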
CLI
bao audit enable, bao audit list, bao audit disable (source: raw/docs/commands/audit/).
Related pages
- configuration — audit { ... } stanza
- commands-cli — bao audit
- policies — audit logs reveal which policies were applied per request