Key Features
Complete Tracking
Every Vault operation is logged including reads, writes, deletes, and policy changes.
User Attribution
Each log entry includes who performed the action with username and email.
Filtering & Search
Filter logs by action type, resource, status, and search by path.
CSV Export
Export logs for external analysis, compliance reports, or archival.
Required Permissions
Viewing audit logs requires the iam:project:cicd:vault:read permission. Audit logs cannot be modified or deleted by any user.
How to Filter Logs
Search by Path
Enter a path pattern in the search box to find operations on specific secrets or folders.
Filter by Action
Select an action type from the dropdown:
- All Actions
- Read, Write, Delete, List, Create
- Rollback, Destroy, Revoke
How to Export Logs
The exported CSV includes all fields and is suitable for:
- Compliance reporting
- External SIEM integration
- Long-term archival
- Spreadsheet analysis
Common Use Cases
Security Investigation
Find unauthorized access attempts:
- Filter by Status = Failed
- Search for sensitive paths
- Review user and timestamp patterns
Compliance Audit
Generate access reports:
- Filter by Resource = Secret
- Export to CSV
- Review who accessed what and when
Troubleshooting
Debug permission issues:
- Search for the affected path
- Find the user’s recent operations
- Check for Failed status and error messages
Change Tracking
Monitor configuration changes:
- Filter by Action = Write or Delete
- Filter by Resource = Policy
- Review who changed policies and when
Understanding Failed Operations
Common failure reasons:
| Error | Meaning |
|---|---|
| Permission denied | Token lacks required policy |
| Path not found | Secret or resource doesn’t exist |
| Invalid token | Token expired or revoked |
| Rate limited | Too many requests |
| Seal status | Vault is sealed |
Troubleshooting
Logs not appearing
- Refresh the page or click the refresh button
- Check that you have read permission for Vault audit logs
- Logs may take a moment to propagate after operations
Cannot find specific operation
- Clear all filters and search by path
- Check the time range: logs may be older than the displayed period
- Verify the operation actually occurred (check other logs)
Export fails
- Check your permissions
- Large exports may time out; try filtering to reduce the data
- Retry after a few moments
User shows as 'Unknown'
- The user account may have been deleted
- Operation may have been performed by a service token
- Root token operations may not have user attribution
Missing logs for known operations
- Audit logging may not be enabled for all mounts
- Some internal operations are not logged
- Check with administrator for audit configuration
FAQ
How long are logs retained?
Log retention depends on your Vault and database configuration. Contact your administrator for specific retention policies.
Can I see the actual secret values in logs?
No. For security reasons, secret values are never logged. Only metadata (path, action, user, time) is recorded.
Are read operations logged?
Yes. Every operation including reads is logged. This is important for security auditing to know who accessed sensitive data.
Can I delete audit logs?
No. Audit logs cannot be modified or deleted to maintain integrity for compliance and security purposes.
What's the difference between Delete and Destroy?
Delete soft-deletes a secret version (recoverable). Destroy permanently removes it (irrecoverable). Both are logged separately.
How can I get alerts for specific events?
Export logs to an external SIEM system and configure alerts there. The platform does not currently support native alerting on audit events.
Best Practices
Regular Review
- Schedule weekly reviews of failed operations
- Monitor for unusual patterns (off-hours access, bulk operations)
- Track policy changes and token creations
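The review above can be scripted against a CSV export. The following is an added example, not code from the platform: the column names (timestamp, user, action, resource, path, status), the working-hours window, and the thresholds are assumptions to adjust to your export and environment.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export. The column names are assumptions, not the
# platform's documented CSV header: rename them to match your file.
SAMPLE_CSV = """timestamp,user,action,resource,path,status
2024-05-06T09:15:00+00:00,alice@example.com,Read,Secret,app/db/password,Success
2024-05-06T10:02:00+00:00,bob@example.com,Write,Policy,policies/ci-deploy,Success
2024-05-07T02:41:10+00:00,mallory@example.com,Read,Secret,prod/pay/api-key,Failed
2024-05-07T02:41:20+00:00,mallory@example.com,Read,Secret,prod/pay/db,Failed
2024-05-07T02:41:30+00:00,mallory@example.com,Read,Secret,prod/pay/signing,Failed
2024-05-07T14:30:05+00:00,carol@example.com,Read,Secret,app/a,Success
2024-05-07T14:30:10+00:00,carol@example.com,Read,Secret,app/b,Success
2024-05-07T14:30:15+00:00,carol@example.com,Read,Secret,app/c,Success
2024-05-07T14:30:20+00:00,carol@example.com,Read,Secret,app/d,Success
2024-05-07T14:30:25+00:00,carol@example.com,Read,Secret,app/e,Success
"""


def review(csv_text, work_hours=(8, 18), fail_threshold=3, bulk_threshold=5):
    """Summarise an exported audit log for the periodic review."""
    failed = Counter()      # user -> number of Failed operations
    per_minute = Counter()  # (user, minute) -> operations in that minute
    off_hours, policy_changes = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        event = (row["user"], row["action"], row["path"])
        if row["status"] == "Failed":
            failed[row["user"]] += 1
        # Hour is taken in the timestamp's own offset (UTC in the sample).
        if not work_hours[0] <= ts.hour < work_hours[1]:
            off_hours.append(event)
        per_minute[(row["user"], ts.strftime("%Y-%m-%dT%H:%M"))] += 1
        if row["resource"] == "Policy" and row["action"] in ("Write", "Delete"):
            policy_changes.append(event)
    return {
        "repeated_failures": {u: n for u, n in failed.items() if n >= fail_threshold},
        "off_hours": off_hours,
        "bulk_operations": {k: n for k, n in per_minute.items() if n >= bulk_threshold},
        "policy_changes": policy_changes,
    }


if __name__ == "__main__":
    for finding, value in review(SAMPLE_CSV).items():
        print(finding, value)
```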
Export & Archive
- Export logs periodically for compliance
- Store exports in immutable storage
- Maintain exports beyond the platform’s retention period if required
Access Control
- Limit who can view audit logs (sensitive information)
- Use separate policies for audit log access
- Monitor access to the audit logs themselves