Docs: known issue - audit file reload on SIGHUP (#23608)

* known issue documentation for Vault 1.15 related to file audit device - log rotation * fix caps in URL anchor * Update website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> * PR feedback * Warning not Important tag * Update website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Update website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Update website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Update website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Update website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Update website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Update website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * changes to known issue doc * changes to known issue doc - 2 --------- Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com> Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-10-30 02:02:43 +00:00 · 2023-10-11 19:05:48 +01:00
parent feeda224c8
commit 6fc1888cf7
3 changed files with 50 additions and 0 deletions
--- a/website/content/docs/release-notes/1.15.0.mdx
+++ b/website/content/docs/release-notes/1.15.0.mdx
@@ -17,6 +17,7 @@ Version | Issue
 ------- | -----
 1.15.0+ | [Vault no longer reports rollback metrics by mountpoint](/vault/docs/upgrading/upgrade-to-1.15.x#rollback-metrics)
 1.15.0  | [Panic in AWS auth method during IAM-based login](/vault/docs/upgrading/upgrade-to-1.15.x#panic-in-aws-auth-method-during-iam-based-login)
+1.15    | [Vault file audit devices do not honor SIGHUP signal to reload](/vault/docs/upgrading/upgrade-to-1.15.x#file-audit-devices-do-not-honor-sighup-signal-to-reload)

 ## Vault companion updates

--- a/website/content/docs/upgrading/upgrade-to-1.15.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.15.x.mdx
@@ -52,3 +52,5 @@ option.
@include 'known-issues/transit-managed-keys-sign-fails.mdx'

@include 'known-issues/aws-auth-panics.mdx'
+
+@include 'known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx'
--- a/website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx
+++ b/website/content/partials/known-issues/1_15-audit-file-sighup-does-not-trigger-reload.mdx
@@ -0,0 +1,47 @@
+### File audit devices do not honor SIGHUP signal to reload
+
+#### Affected versions
+
+- 1.15.0
+
+#### Issue
+
+The new underlying event framework for auditing causes Vault to continue using
+audit log files instead of reopening the file paths even when you send
+[`SIGHUP`](/vault/docs/audit/file#log-file-rotation) after log rotation. The
+issue impacts any Vault cluster with `file` audit devices enabled.
+
+Not honoring the `SIGHUP` signal has two key consequences when moving or
+deleting audit files.
+
+If you **move or rename your audit log file** locally, Vault continues to log
+data to the original file. For example, if you archive a file locally:
+
+```shell-session
+$ mv /var/log/vault/audit.log /var/log/vault/archive/audit.log.bak
+```
+
+Vault continues to write data to `/var/log/vault/archive/audit.log.bak`
+instead of logging audit entries to a newly created file at
+`/var/log/vault/audit.log`.
+
+If you **delete your audit log file**, the OS unlinks the file from the
+directory structure, but Vault still has the file open. Vault continues to write
+data to the deleted file, which continues to consume disk space as it grows.
+When Vault is sealed or restarted, the OS deletes the previously unlinked file,
+and you will lose all data logged to the audit file after it was tagged for
+deletion.
+
+The issue with `file` audit devices not honoring `SIGHUP` signals is fixed as a
+patch release in Vault `1.15.1`.
+
+#### Workaround
+
+Set the `VAULT_AUDIT_DISABLE_EVENTLOGGER` environment variable to `true` to
+disable the new underlying event framework and restart Vault:
+
+```shell-session
+$ export VAULT_AUDIT_DISABLE_EVENTLOGGER=true
+```
+
+On startup, Vault reverts to the audit behavior used in `1.14.x`.