HashiCorp Vault
Collect audit logs from your HashiCorp Vault instance, showing who accessed what secrets, when, and from where.
HashiCorp Vault audit logs can be ingested via S3 object storage.
Ingest Methods
Setup the ingestion of this source using one of the following guides.
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_hashicorp_vaultSetup
Configure your HashiCorp Vault instance to send audit logs to an S3 bucket.
- Enable audit logging in your Vault configuration
- Configure Vault to write audit logs to an S3 bucket
- In RunReveal, create a new HashiCorp Vault source
- Configure the S3 bucket connection
Verify It’s Working
Once added, the source logs should begin flowing within a few minutes.
You can validate we are receiving your logs by running the following SQL query.
SELECT * FROM runreveal.logs WHERE sourceType = 'hashicorp-vault' LIMIT 1Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: hashicorp_vault_logs (87 columns)
hashicorp_vault_logs (87 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
Accessor | String |
ClientToken | String |
DisplayName | String |
EntityID | String |
AuthIdentityPolicies | Array(String) |
AuthPolicies | Array(String) |
AuthTokenPolicies | Array(String) |
TokenIssueTime | Nullable(DateTime) |
| Column | Type |
|---|---|
TokenTTL | Int64 |
TokenType | String |
AuthMetaRole | String |
AuthPolicyResultsAllowed | Bool |
AuthPolicyResultsGrantingPolicies | String |
RequestClientID | String |
RequestClientToken | String |
RequestClientAccessor | String |
RequestID | String |
RequestMountAccessor | String |
RequestMountClass | String |
RequestMountPoint | String |
RequestMountRunningVersion | String |
RequestMountType | String |
RequestOperation | String |
RequestPath | String |
RequestRemoteAddress | String |
RequestRemotePort | Int |
RequestNamespaceID | String |
ResponseMountAccessor | String |
ResponseMountClass | String |
ResponseMountPoint | String |
ResponseMountRunningPluginVersion | String |
ResponseMountType | String |
ResponseDataAccessor | String |
ResponseDataCreationTime | Int |
ResponseDataCreationTTL | Int |
ResponseDataDisplayName | String |
ResponseDataEntityID | String |
ResponseDataExpireTime | Nullable(DateTime) |
ResponseDataExplicitMaxTTL | Int |
ResponseDataID | String |
ResponseDataIdentityPolicies | Array(String) |
ResponseDataIssueTime | Nullable(DateTime) |
ResponseDataNumUses | Int |
ResponseDataOrphan | Bool |
ResponseDataPath | String |
ResponseDataPolicies | Array(String) |
ResponseDataRenewable | Bool |
ResponseDataTTL | Int |
ResponseDataType | String |
ResponseDataMetaRole | String |
ResponseDataExternalNamespacePolicies | String |