diff --git a/website/content/docs/release-notes/1.15.0.mdx b/website/content/docs/release-notes/1.15.0.mdx index d360b7789e1a..753dc123b165 100644 --- a/website/content/docs/release-notes/1.15.0.mdx +++ b/website/content/docs/release-notes/1.15.0.mdx @@ -17,6 +17,7 @@ Version | Issue ------- | ----- 1.15.0+ | [Vault no longer reports rollback metrics by mountpoint](/vault/docs/upgrading/upgrade-to-1.15.x#rollback-metrics) 1.15.0 | [Panic in AWS auth method during IAM-based login](/vault/docs/upgrading/upgrade-to-1.15.x#panic-in-aws-auth-method-during-iam-based-login) +1.15 | [Vault file audit devices do not honor SIGHUP signal to reload](/vault/docs/upgrading/upgrade-to-1.15.x#file-audit-devices-do-not-honor-sighup-signal-to-reload) ## Vault companion updates diff --git a/website/content/docs/upgrading/upgrade-to-1.15.x.mdx b/website/content/docs/upgrading/upgrade-to-1.15.x.mdx index b1de7d0e3cd6..284bea51b88e 100644 --- a/website/content/docs/upgrading/upgrade-to-1.15.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.15.x.mdx @@ -52,3 +52,5 @@ option. @include 'known-issues/transit-managed-keys-sign-fails.mdx' @include 'known-issues/aws-auth-panics.mdx' + +@include 'known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx' diff --git a/website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx b/website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx new file mode 100644 index 000000000000..4ee0c7aef166 --- /dev/null +++ b/website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx 
@@ -0,0 +1,47 @@ +### File audit devices do not honor SIGHUP signal to reload + +#### Affected versions + +- 1.15.0 + +#### Issue + +The new underlying event framework for auditing causes Vault to continue using +audit log files instead of reopening the file paths even when you send +[`SIGHUP`](/vault/docs/audit/file#log-file-rotation) after log rotation. The +issue impacts any Vault cluster with `file` audit devices enabled. + +Not honoring the `SIGHUP` signal has two key consequences when moving or +deleting audit files. + +If you **move or rename your audit log file** locally, Vault continues to log +data to the original file. For example, if you archive a file locally: + +```shell-session +$ mv /var/log/vault/audit.log /var/log/vault/archive/audit.log.bak +``` + +Vault continues to write data to `/var/log/vault/archive/audit.log.bak` +instead of logging audit entries to a newly created file at +`/var/log/vault/audit.log`. + +If you **delete your audit log file**, the OS unlinks the file from the +directory structure, but Vault still has the file open. Vault continues to write +data to the deleted file, which continues to consume disk space as it grows. +When Vault is sealed or restarted, the OS deletes the previously unlinked file, +and you will lose all data logged to the audit file after it was tagged for +deletion. + +The issue with `file` audit devices not honoring `SIGHUP` signals is fixed as a +patch release in Vault `1.15.1`. + +#### Workaround + +Set the `VAULT_AUDIT_DISABLE_EVENTLOGGER` environment variable to `true` to +disable the new underlying event framework and restart Vault: + +```shell-session +$ export VAULT_AUDIT_DISABLE_EVENTLOGGER=true +``` + +On startup, Vault reverts to the audit behavior used in `1.14.x`.
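Review bot: the version cell in the new release-notes table row reads `1.15` while every other row in that table uses the `1.15.0` / `1.15.0+` form, and the partial added in this same change lists the affected version as `1.15.0` and says the fix ships in `1.15.1`. Change the row to `1.15.0 | [Vault file audit devices do not honor SIGHUP signal to reload](...)` so the table is consistent and readers do not infer that the whole 1.15 line is affected.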
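Review bot: the new `@include 'known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx'` line in upgrade-to-1.15.x.mdx is separated from the existing includes by an added blank line, whereas the two preceding `@include` entries sit on consecutive lines; drop the extra blank line to match the existing list style. The new partial's filename also carries a `1_15-` prefix that the neighbouring `aws-auth-panics.mdx` and `transit-managed-keys-sign-fails.mdx` do not use, so either name is fine but pick one convention for the directory.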
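Review bot: the workaround in the new partial shows only `$ export VAULT_AUDIT_DISABLE_EVENTLOGGER=true` followed by "restart Vault", but an `export` in an interactive shell does not reach a server process started by a service manager, so a reader who runs that line and restarts a systemd-managed Vault will still have the event framework enabled. Add a sentence stating that the variable must be present in the environment of the Vault server process itself (for example in the service unit or wherever the operator already defines Vault's environment), and that the restart is what makes it take effect. Two smaller wording points in the "Issue" section: "tagged for deletion" should be "unlinked" to match the preceding sentence, and the deleted-file paragraph would be clearer if it said the space is reclaimed when Vault closes its open handle (on seal or restart), which is why the data written after the `rm` is lost.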