Introduction

Tags beginning with kms.hashicorp identify events generated by Hashicorp.

Valid tags and data tables 

The full tag must have four levels. The first two are fixed as kms.hashicorp. The third level identifies the type of events sent, and the fourth level indicates the event subtype. 

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Hashicorp Vault Audit | kms.hashicorp.vault.audit_logs | kms.hashicorp.vault.audit_logs |
| | kms.hashicorp.vault.operational_logs | kms.hashicorp.vault.operational_logs |

For more information, read about Devo tags.

Send it

Data should be sent using the relay.

Example relay rules

         Source message: 
            Source data: 
             Source tag: 
             Target tag: kms.hashicorp.vault.audit_logs
Sent without syslog tag: true
        Stop processing: true

         Source message: 
            Source data: 
             Source tag: 
             Target tag: kms.hashicorp.vault.operational_logs
Sent without syslog tag: true
        Stop processing: true

Table structure

These are the fields displayed in these tables:

kms.hashicorp.vault.audit_logs

| Field | Type | Extra field | Field transformation | Source field name |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| time | timestamp | | | |
| type | str | | | |
| auth__token_type | str | | | |
| auth__client_token | str | | | |
| auth__accessor | str | | | |
| auth__display_name | str | | | |
| auth__policies_str | str | | join(auth__policies, ',') | auth__policies |
| auth__token_policies_str | str | | join(auth__token_policies, ',') | auth__token_policies |
| auth__metadata__role | str | | | |
| auth__metadata__service_account_name | str | | | |
| auth__metadata__service_account_namespace | str | | | |
| auth__metadata__service_account_secret_name | str | | | |
| auth__metadata__service_account_uid | str | | | |
| auth__metadata__loglevel | str | | | |
| auth__metadata__remote | str | | | |
| auth__metadata__surf | str | | | |
| auth__entity_id | str | | | |
| auth__token_ttl | int4 | | | |
| auth__token_issue_time | timestamp | | | |
| request__id | str | | | |
| request__operation | str | | | |
| request__mount_type | str | | | |
| request__client_token | str | | | |
| request__client_token_accessor | str | | | |
| request__namespace__id | str | | | |
| request__namespace__path | str | | | |
| request__path | str | | | |
| request__data__jwt | str | | | |
| request__data__role | str | | | |
| request__data__description | str | | | |
| request__data__type | str | | | |
| request__data__local | bool | | | |
| request__data__options__file_path | str | | | |
| request__data__config__default_lease_ttl | str | | | |
| request__data__config__force_no_cache | bool | | | |
| request__data__config__max_lease_ttl | str | | | |
| request__data__external_entropy_access | bool | | | |
| request__data__seal_wrap | bool | | | |
| request__remote_address | ip4 | | | |
| request__wrap_ttl | int4 | | | |
| response__mount_type | str | | | |
| response__data__data__hello | str | | | |
| response__data__metadata__created_time | str | | | |
| response__data__metadata__custom_metadata | str | | | |
| response__data__metadata__deletion_time | str | | | |
| response__data__metadata__destroyed | bool | | | |
| response__data__metadata__version | int4 | | | |
| response__data__accessor | str | | | |
| response__data__creation_time | timestamp | | | |
| response__data__creation_ttl | int4 | | | |
| response__data__display_name | str | | | |
| response__data__entity_id | str | | | |
| response__data__expire_time | timestamp | | | |
| response__data__id | str | | | |
| response__data__issue_time | timestamp | | | |
| response__data__num_uses | int4 | | | |
| response__data__orphan | bool | | | |
| response__data__path | str | | | |
| response__data__policies_str | str | | join(response__data__policies, ',') | response__data__policies |
| response__data__renewable | bool | | | |
| response__data__ttl | int4 | | | |
| error | str | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |
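The following Python sketch is an added illustration, not Devo's parser code. It checks the four-level tag rule and shows how a Vault audit entry lines up with the columns above, including the join(field, ',') transformation. It assumes nested JSON keys are flattened with a double underscore, as the column names suggest; the function names, the column subset and the sample entry are constructed for the example.

```python
import json

# Subset of the kms.hashicorp.vault.audit_logs columns listed on this page.
KNOWN_COLUMNS = {
    "time", "type", "error", "auth__token_type", "auth__client_token",
    "auth__accessor", "auth__display_name", "auth__policies_str",
    "auth__token_policies_str", "auth__metadata__role", "auth__entity_id",
    "request__id", "request__operation", "request__mount_type", "request__path",
    "request__namespace__id", "request__remote_address",
}
# Source fields the table converts with join(field, ',') into a *_str column.
JOINED = {"auth__policies", "auth__token_policies", "response__data__policies"}

def valid_tag(tag):
    """Four non-empty levels, the first two fixed as kms.hashicorp."""
    parts = tag.split(".")
    return len(parts) == 4 and parts[:2] == ["kms", "hashicorp"] and all(parts)

def flatten(obj, prefix=""):
    """Flatten nested objects into double-underscore names (assumed convention)."""
    row = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            row.update(flatten(value, name + "__"))
        elif name in JOINED:
            row[name + "_str"] = ",".join(value or [])
        else:
            row[name] = value
    return row

def to_row(line):
    """Return (row, unmapped): values with a known column, and names without one."""
    flat = flatten(json.loads(line))
    row = {k: v for k, v in flat.items() if k in KNOWN_COLUMNS}
    return row, sorted(k for k in flat if k not in KNOWN_COLUMNS)

# Constructed sample audit entry; every value is made up for this example.
SAMPLE = json.dumps({
    "time": "2024-01-01T10:00:00Z", "type": "request",
    "auth": {"token_type": "service", "display_name": "kubernetes-app",
             "policies": ["default", "app-read"],
             "token_policies": ["default", "app-read"],
             "metadata": {"role": "app"}},
    "request": {"id": "req-0001", "operation": "read", "path": "secret/data/hello",
                "namespace": {"id": "root"}, "remote_address": "10.0.0.5",
                "headers": {"user-agent": ["curl"]}},
})

if __name__ == "__main__":
    print(valid_tag("kms.hashicorp.vault.audit_logs"), to_row(SAMPLE))
```

Names returned in the second element have no column in the subset checked here, so a query against the table would not find them as fields.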

kms.hashicorp.vault.operational_logs

| Field | Type | Extra field |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| timestamp | timestamp | |
| level | str | |
| component | str | |
| message | str | |
| hostchain | str | |
| tag | str | |
| rawMessage | str | |