1--- 2layout: "api" 3page_title: "/sys/audit - HTTP API" 4sidebar_title: "<code>/sys/audit</code>" 5sidebar_current: "api-http-system-audit/" 6description: |- 7 The `/sys/audit` endpoint is used to enable and disable audit devices. 8--- 9 10# `/sys/audit` 11 12The `/sys/audit` endpoint is used to list, enable, and disable audit devices. 13Audit devices must be enabled before use, and more than one device may be 14enabled at a time. 15 16## List Enabled Audit Devices 17 18This endpoint lists only the enabled audit devices (it does not list all 19available audit devices). 20 21- **`sudo` required** – This endpoint requires `sudo` capability in addition to 22 any path-specific capabilities. 23 24| Method | Path | 25| :--------------------------- | :--------------------- | 26| `GET` | `/sys/audit` | 27 28### Sample Request 29 30``` 31$ curl \ 32 --header "X-Vault-Token: ..." \ 33 http://127.0.0.1:8200/v1/sys/audit 34``` 35 36### Sample Response 37 38```javascript 39{ 40 "file": { 41 "type": "file", 42 "description": "Store logs in a file", 43 "options": { 44 "file_path": "/var/log/vault.log" 45 } 46 } 47} 48``` 49 50## Enable Audit Device 51 52This endpoint enables a new audit device at the supplied path. The path can be a 53single word name or a more complex, nested path. 54 55- **`sudo` required** – This endpoint requires `sudo` capability in addition to 56 any path-specific capabilities. 57 58| Method | Path | 59| :--------------------------- | :--------------------- | 60| `PUT` | `/sys/audit/:path` | 61 62### Parameters 63 64- `path` `(string: <required>)` – Specifies the path in which to enable the audit 65 device. This is part of the request URL. 66 67- `description` `(string: "")` – Specifies a human-friendly description of the 68 audit device. 69 70- `options` `(map<string|string>: nil)` – Specifies configuration options to 71 pass to the audit device itself. This is dependent on the audit device type. 72 73- `type` `(string: <required>)` – Specifies the type of the audit device. 74 75Additionally, the following options are allowed in Vault open-source, but 76relevant functionality is only supported in Vault Enterprise: 77 78- `local` `(bool: false)` – Specifies if the audit device is a local only. Local 79 audit devices are not replicated nor (if a secondary) removed by replication. 80 81### Sample Payload 82 83```json 84{ 85 "type": "file", 86 "options": { 87 "file_path": "/var/log/vault/log" 88 } 89} 90``` 91 92### Sample Request 93 94``` 95$ curl \ 96 --header "X-Vault-Token: ..." \ 97 --request PUT \ 98 --data @payload.json \ 99 http://127.0.0.1:8200/v1/sys/audit/example-audit 100``` 101 102## Disable Audit Device 103 104This endpoint disables the audit device at the given path. 105 106- **`sudo` required** – This endpoint requires `sudo` capability in addition to 107 any path-specific capabilities. 108 109| Method | Path | 110| :--------------------------- | :--------------------- | 111| `DELETE` | `/sys/audit/:path` | 112 113### Parameters 114 115- `path` `(string: <required>)` – Specifies the path of the audit device to 116 delete. This is part of the request URL. 117 118### Sample Request 119 120``` 121$ curl \ 122 --header "X-Vault-Token: ..." \ 123 --request DELETE \ 124 http://127.0.0.1:8200/v1/sys/audit/example-audit 125``` 126