Known issues: Vault Enterprise - Performance Standby nodes audit log …
…all request headers (#26158) (#26783)

* Add known issue docs for Ent Perf Standby audit header logging issue

* attempt to improve description

Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
hc-github-team-secure-vault-core and Peter Wilson authored May 2, 2024
1 parent 4336721 commit f1d7bcd
Showing 3 changed files with 33 additions and 1 deletion.
5 changes: 4 additions & 1 deletion website/content/docs/release-notes/1.15.0.mdx
Expand Up @@ -25,7 +25,10 @@ description: |-
| 1.15.0+ | [URL change for KV v2 plugin](/vault/docs/upgrading/upgrade-to-1.15.x#kv2-url-change) |
| 1.15.1 | [Fatal error during expiration metrics gathering causing Vault crash](/vault/docs/upgrading/upgrade-to-1.15.x#fatal-error-during-expiration-metrics-gathering-causing-vault-crash) |
| 1.15.0 - 1.15.4 | [Audit devices could log raw data despite configuration](/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration) |
| 1.15.0 - 1.15.5 | [Deadlock can occur on performance secondary clusters with many mounts](/vault/docs/upgrading/upgrade-to-1.15.x#deadlock-can-occur-on-performance-secondary-clusters-with-many-mounts)
| 1.15.5 | [Unable to rotate LDAP credentials](/vault/docs/upgrading/upgrade-to-1.15.x#unable-to-rotate-ldap-credentials) |
| 1.15.0 - 1.15.5 | [Deadlock can occur on performance secondary clusters with many mounts](/vault/docs/upgrading/upgrade-to-1.15.x#deadlock-can-occur-on-performance-secondary-clusters-with-many-mounts) |
| 1.15.0 - 1.15.5 | [Audit fails to recover from panics when formatting audit entries](/vault/docs/upgrading/upgrade-to-1.15.x#audit-fails-to-recover-from-panics-when-formatting-audit-entries) |
| 1.15.0 - 1.15.7 | [Vault Enterprise performance standby nodes audit all request headers regardless of settings](/vault/docs/upgrading/upgrade-to-1.15.x#vault-enterprise-performance-standby-nodes-audit-all-request-headers) |

## Vault companion updates

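Review bot: The "Deadlock can occur on performance secondary clusters with many mounts" row is present twice in this table region, once without the closing `|` and once with it; with 4 additions and 1 deletion reported for this file, confirm that the unterminated copy is the deleted line so the rendered table does not carry a duplicate or broken row. The `1.15.5` LDAP row also sits between the `1.15.0 - 1.15.4` row and the `1.15.0 - 1.15.5` rows, so consider moving it below them to keep the version column in order. The commit message describes only the Performance Standby known issue, so the other row changes here deserve a mention in it.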
2 changes: 2 additions & 0 deletions website/content/docs/upgrading/upgrade-to-1.15.x.mdx
Expand Up @@ -72,3 +72,5 @@ option.
@include 'known-issues/perf-secondary-many-mounts-deadlock.mdx'

@include 'known-issues/ocsp-redirect.mdx'

@include 'known-issues/1_15-audit-vault-enterprise-perf-standby-logs-all-headers.mdx'
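Review bot: The new partial is named with a `1_15-` prefix while the two includes above it (`perf-secondary-many-mounts-deadlock.mdx`, `ocsp-redirect.mdx`) carry no version prefix; if the prefix is meant to mark this text as specific to 1.15.x, say so in the commit message, otherwise drop it so the partial can be reused from other upgrade guides without a rename.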
@@ -0,0 +1,27 @@
### Vault Enterprise Performance Standby nodes audit all request headers

#### Affected versions

- 1.15.0 - 1.15.7

#### Issue

Due to an issue in the new event framework, Performance Standby nodes in a Vault
Enterprise cluster do not correctly receive configuration regarding which request
headers should be written to the audit log.

Rather than no headers appearing in the audit logs by default, Vault Enterprise
logs **all** headers on Performance Standby nodes.

The header issue was resolved in `1.15.8`.

#### Workaround

Set the `VAULT_AUDIT_DISABLE_EVENTLOGGER` environment variable to `true` to
disable the new underlying event framework and restart Vault:

```shell-session
$ export VAULT_AUDIT_DISABLE_EVENTLOGGER=true
```

On startup, Vault reverts to the audit behavior used in `1.14.x`.
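Review bot: The Workaround section shows only `export VAULT_AUDIT_DISABLE_EVENTLOGGER=true` at an interactive prompt and does not say where the variable has to live or on which nodes; state that it must be set in the environment of the Vault server process (for example in the service definition, not just the operator's shell) and whether it is needed on every node or only on Performance Standbys, since a standby can be promoted. The Issue section also leaves two things an operator needs to judge exposure: it describes the default case ("Rather than no headers appearing in the audit logs by default") but not what happens when specific headers are configured, which the release-notes row words as "regardless of settings", and it gives no guidance on audit logs already written by affected standbys, which may now hold header values that were never meant to be recorded. A sentence on each would close those gaps.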
