Audit Logging and Compliance
Vault logs every read and write operation. Enable an audit device to capture a structured log of all secret accesses:

```bash
# Enable file audit log
vault audit enable file file_path=/var/log/vault/audit.log

# Enable syslog audit (to ship to your SIEM)
vault audit enable syslog tag="vault" facility="AUTH"

# Verify audit is enabled
vault audit list
```
The audit log is newline-delimited JSON, with an entry like this for each operation:

```json
{
  "time": "2026-03-22T14:32:01.000Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:...",
    "accessor": "auth/approle/...",
    "display_name": "approle-ci-deployer",
    "policies": ["deploy-policy"]
  },
  "request": {
    "operation": "read",
    "path": "secret/data/myapp/database"
  },
  "response": {
    "data": {
      "username": "hmac-sha256:..."
    }
  }
}
```
Secret values and tokens are HMAC-SHA256 hashed in the audit log, so you can verify whether a specific value was accessed without the log ever storing it in plaintext. Query who accessed production database credentials in the last hour:
```bash
# Reads of the database secret in the last hour (each operation is logged as a
# request and a response entry; keep the response so each read is counted once)
jq -c 'select(.type == "response" and .request.operation == "read"
  and .request.path == "secret/data/myapp/database"
  and ((.time | sub("\\.[0-9]+Z$"; "Z") | fromdateiso8601) > (now - 3600)))
  | {time: .time, user: .auth.display_name}' /var/log/vault/audit.log
```
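The same two questions, "who read this secret in the last hour?" and "was this particular value ever returned?", worked through in Python over the log structure shown above. This is an added example for this article, not Vault's own code: the log lines are constructed, and `AUDIT_HMAC_KEY`, `audit_hmac`, `recent_reads`, `value_was_returned` and `_entry` are names chosen here. Real Vault salts its HMACs with a key private to each audit device (so the same secret hashes differently in the `file` and `syslog` logs); the stand-in key only lets the example run offline. On a live cluster, obtain the comparable hash from the `sys/audit-hash/<device>` endpoint and search the log for it.

```python
"""Answer "who read this secret in the last hour?" and "was this value ever
returned?" from Vault audit log lines.

Added example for this article; it is not Vault's code. The log lines below
are constructed. Vault HMACs with a salt that is private to each audit device,
so AUDIT_HMAC_KEY is only a stand-in that lets the example run offline; on a
real cluster obtain the comparable hash from sys/audit-hash/<device>.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime, timedelta, timezone

# Stand-in for the audit device's private HMAC salt (constructed, not Vault's derivation).
AUDIT_HMAC_KEY = b"example-audit-salt"
DB_PATH = "secret/data/myapp/database"


def audit_hmac(value: str, key: bytes = AUDIT_HMAC_KEY) -> str:
    """Return a value in the 'hmac-sha256:<hex>' form Vault writes to the audit log."""
    return "hmac-sha256:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def parse_time(ts: str) -> datetime:
    """Parse Vault's RFC 3339 timestamps; fractional seconds (up to nanoseconds) are dropped."""
    ts = re.sub(r"\.\d+", "", ts).replace("Z", "+0000")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")


def recent_reads(lines, path, now, window=timedelta(hours=1)):
    """Return [(time, display_name)] for reads of `path` within `window` before `now`.

    Vault logs every operation twice (type "request", then type "response");
    only response entries are counted so each read appears once.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        req = entry.get("request", {})
        if entry.get("type") != "response":
            continue
        if req.get("path") != path or req.get("operation") != "read":
            continue
        if now - parse_time(entry["time"]) <= window:
            hits.append((entry["time"], entry.get("auth", {}).get("display_name")))
    return hits


def value_was_returned(lines, plaintext, field):
    """True if some response's data[field] equals the HMAC of `plaintext`.

    The log never contains the plaintext; we hash the candidate and compare.
    """
    needle = audit_hmac(plaintext)
    for line in lines:
        if not line.strip():
            continue
        data = (json.loads(line).get("response") or {}).get("data") or {}
        if data.get(field) == needle:
            return True
    return False


def _entry(time, etype, op, path, who, data=None):
    """Build one constructed audit line shaped like the article's sample entry."""
    e = {"time": time, "type": etype,
         "auth": {"client_token": audit_hmac("s.example-token"), "display_name": who,
                  "policies": ["deploy-policy"]},
         "request": {"operation": op, "path": path}}
    if etype == "response":
        e["response"] = {"data": data or {}}
    return json.dumps(e)


# Constructed sample log: one DB read inside the window, one older, one write, one other path.
SAMPLE_LOG = [
    _entry("2026-03-22T14:32:01.000Z", "request", "read", DB_PATH, "approle-ci-deployer"),
    _entry("2026-03-22T14:32:01.000Z", "response", "read", DB_PATH, "approle-ci-deployer",
           {"username": audit_hmac("db_user_prod")}),
    _entry("2026-03-22T12:05:00Z", "response", "read", DB_PATH, "alice",
           {"username": audit_hmac("db_user_prod")}),
    _entry("2026-03-22T14:50:00.123456789Z", "response", "update", DB_PATH, "bob"),
    _entry("2026-03-22T14:55:00Z", "response", "read", "secret/data/myapp/cache", "carol"),
]
NOW = datetime(2026, 3, 22, 15, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, who in recent_reads(SAMPLE_LOG, DB_PATH, NOW):
        print(f"{when}  {who}")
    print("db_user_prod returned:", value_was_returned(SAMPLE_LOG, "db_user_prod", "username"))
```

Two details matter in practice: filter on `type == "response"` or every read is reported twice, and strip fractional seconds before parsing timestamps, because Vault writes nanosecond precision that many date parsers reject.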
For compliance reporting, these logs satisfy SOC 2, PCI DSS, and ISO 27001 secret access logging requirements when retained for 90+ days.