monitor

Stream Vault server logs in real-time to stdout.

$ vault monitor [flags]

$ vault monitor [-help | -h]

Description

vault monitor streams Vault server logs to stdout in real time based on the address stored in VAULT_ADDR or passed through -address. Use the -log-level flag to override the default log level set for the Vault server.

Limitations and warnings

• vault monitor runs indefinitely and only exits if an unexpected error occurs.

• vault monitor may drop log lines if Vault is emitting log messages faster than the receiver can process the input.

Command arguments

None.

Command options

None.

Command flags

[-log-level | VAULT_LOG_LEVEL] (enum : info)

Default logging level for the Vault server.

Examples:

• CLI flag: -log-level debug
• Environment variable: export VAULT_LOG_LEVEL=debug

[-log-format | VAULT_LOG_FORMAT] (enum : standard)

Format of log data:

• standard - Write log data as basic text.
• json - Write log data as JSON.

Examples:

• CLI flag: -log-format json
• Environment variable: export VAULT_LOG_FORMAT=json

Standard flags

[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')

Address of the Vault server.

Examples:

• CLI flag: -address "https://mydomain/vault:8200"
• Environment variable: export VAULT_ADDR="https://mydomain/vault:8200"

[-agent-address | VAULT_AGENT_ADDR] (string : "")

Address of the Vault Agent, if used.

Examples:

• CLI flag: -agent-address "https://mydomain/vault-agent:8200"
• Environment variable: export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"

[-ca-cert | VAULT_CACERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL certificates for the server. Takes precedence over -ca_path.

Examples:

• CLI flag: -ca-cert "/path/to/certs/mycert.pem"
• Environment variable: export VAULT_CACERT="/path/to/certs/mycert.pem"

[-ca-path | VAULT_CAPATH] (string : "")

Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.

Examples:

• CLI flag: -ca-path "/path/to/certs/dir"
• Environment variable: export VAULT_CAPATH="/path/to/certs/dir"

[-client-cert | VAULT_CLIENT_CERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used for TLS communication with the server. The specified certificate must match to the private key specified with -client-cert.

Examples:

• CLI flag: -client-cert "/path/to/certs/mycert.pem"
• Environment variable: export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"

[-client-key | VAULT_CLIENT_KEY] (string : "")

Path to a PEM-encoded private key that matches the client certificate set with -client-cert.

Examples:

• CLI flag: -client-key "/path/to/keys/myprivatekey.pem"
• Environment variable: export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"

[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)

Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.

Examples:

• CLI flag: -disable-redirects
• Environment variable: export VAULT_DISABLE_REDIRECTS=1

[-format | VAULT_FORMAT] (enum: json)

Set the CLI output format.

Examples:

• CLI flag: -format table
• Environment variable: export VAULT_FORMAT=table

-header (string : "")

Optional HTTP header in the form "<key>=<value>" for the CLI request. Repeat the -header flag as needed with one string per flag. User-defined headers cannot start with X-Vault-

Example: -header "Cache-Control=max-age=0"

[-mfa | VAULT_MFA] (string : "") EnterpriseEnterprise

A multi-factor authentication (MFA) credential, in the format mfa_method_name[:key[=value]], that the CLI should use to authenticate to Vault. The CLI adds MFA credentials to the X-Vault-MFA header when calling the underlying API endpoint.

Examples:

• CLI flag: -mfa "totp:password=12345"
• Environment variable: export VAULT_MFA="totp:password=12345"

[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)

Root namespace for the CLI command. Setting a default namespace allow relative mount paths.

Examples:

• CLI flag: -namespace "admin"
• Environment variable: export VAULT_NAMESPACE="admin"

-non-interactive (bool : false)

Prevent the CLI from asking users for input through the terminal.

Example: -non-interactive

-output-curl-string (bool : false)

Print the API call(s) required to execute the CLI command as cURL strings then exit without running the command.

Example: -output-curl-string

-output-policy (bool : false)

Print the Vault policy required to execute the CLI command as HCL then exit without running the command.

Example: -output-policy

-policy-override (bool : false)

Overrides any Sentinel policy where enforcement_level is "soft-mandatory".

Example: -policy-override

[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")

Name of the SNI host for TLS handshake resolution for TLS connections to Vault.

Examples:

• CLI flag: -tls-server-name "hostname.domain"
• Environment variable: export VAULT_TLS_SERVER_NAME="hostname.domain"

[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)

Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.

Examples:

• CLI flag: -tls-skip-verify
• Environment variable: export VAULT_SKIP_VERIFY=1

-unlock-key (string : <unset>)

Plaintext key that unlocks the underlying API endpoint for a given namespace.

Example: -unlock-key "7oXtdlmvRQ"

[-wrap-ttl | VAULT_WRAP_TTL] (string : "")

Default time-to-live in <number>[s|m|h|d] format for the Cubbyhole token used to wrap CLI responses. You must use vault unwrap to view response data before the duration expires. Leave wrap_ttl unset to leave CLI responses unwrapped.

Examples:

• CLI flag: -wrap-ttl "5m"
• Environment variable: export VAULT_WRAP_TTL="5m"

Examples

Stream server logs at the debug log level:

$ vault monitor -log-level=debug