HCP Vault Secrets Centralized secrets lifecycle management for developers. Learn More
Vault
Vault Home

monitor

Stream Vault server logs in real-time to stdout.

$ vault monitor [flags]

$ vault monitor [-help | -h]

Description

vault monitor command shows a real time display of the server logs of a Vault server. This command accepts a log level as an argument, which can be different from the log level that the Vault server was started with.

vault monitor honors the VAULT_ADDR environment variable. The address specified determines the target server that will be monitored.

Limitations and warnings

  • Note that this command is designed to run indefinitely. It is similar to tail -f in the Unix world. This command will not exit on its own unless it encounters an unexpected error. As a user, you must terminate this process yourself to shut it down.

  • If Vault is emitting log messages faster than a receiver can process them, the some log lines will be dropped.

Related API endpoints

MonitorLogs - GET: /sys/monitor

Command arguments

  • None

Command options

  • None

Command flags


-log-level (enum : info)

Monitor the Vault server at this log level. Valid log levels are (in order of detail) "trace", "debug", "info", "warn", "error".

Example: -log-level debug



-log-format (string : "standard")

Format to emit logs. Valid formats are "standard", and "json".

Example: -log-format "standard"

Standard flags

[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')

Address of the Vault server.

Examples:

  • CLI flag: -address "https://mydomain/vault:8200"
  • Environment variable: export VAULT_ADDR="https://mydomain/vault:8200"


[-agent-address | VAULT_AGENT_ADDR] (string : "")

Address of the Vault Agent, if used.

Examples:

  • CLI flag: -agent-address "https://mydomain/vault-agent:8200"
  • Environment variable: export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"


[-ca-cert | VAULT_CA_CERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL certificates for the server. Takes precedence over -ca_path.

Examples:

  • CLI flag: -ca-cert "/path/to/certs/mycert.pem"
  • Environment variable: export VAULT_CA_CERT="/path/to/certs/mycert.pem"


[-ca-path | VAULT_CAPATH] (string : "")

Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.

Examples:

  • CLI flag: -ca-path "/path/to/certs/dir"
  • Environment variable: export VAULT_CAPATH="/path/to/certs/dir"


[-client-cert | VAULT_CLIENT_CERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used for TLS communication with the server. The specified certificate must match to the private key specified with -client-cert.

Examples:

  • CLI flag: -client-cert "/path/to/certs/mycert.pem"
  • Environment variable: export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"


[-client-key | VAULT_CLIENT_KEY] (string : "")

Path to a PEM-encoded private key that matches the client certificate set with -client-cert.

Examples:

  • CLI flag: -client-key "/path/to/keys/myprivatekey.pem"
  • Environment variable: export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"


[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)

Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.

Examples:

  • CLI flag: -disable-redirects
  • Environment variable: export VAULT_DISABLE_REDIRECTS=1

Warning

Disabling the default redirect behavior may cause commands that redirect requests to primary cluster notes (like vault operator raft snapshot) to misbehave.



[-format | VAULT_FORMAT] (enum: json)

Set the CLI output format.

ValueDescription
tableStructure the response as a table
jsonStructure the response as JSON data
yamlStructure the response as YAML data
jsonxStructure information as XML data

Examples:

  • CLI flag: -format table
  • Environment variable: export VAULT_FORMAT=table


-header (string : "")

Optional HTTP header in the form "<key>=<value>" for the CLI request. Repeat the -header flag as needed with one string per flag. User-defined headers cannot start with X-Vault-

Example: -header "Cache-Control=max-age=0"



[-mfa | VAULT_MFA] (string : "") Enterprise

A multi-factor authentication (MFA) credential, in the format mfa_method_name[:key[=value]], that the CLI should use to authenticate to Vault. The CLI adds MFA credentials to the X-Vault-MFA header when calling the underlying API endpoint.

Examples:

  • CLI flag: -mfa "totp:password=12345"
  • Environment variable: export VAULT_MFA="totp:password=12345"

Note

The VAULT_MFA environment variable only accepts one MFA method specification and one credential for the specified method. To supply multiple credentials or MFA methods, use the -mfa CLI flag and repeat the flag as needed.



[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)

Root namespace for the CLI command. Setting a default namespace allow relative mount paths.

Examples:

  • CLI flag: -namespace "admin"
  • Environment variable: export VAULT_NAMESPACE="admin"


-non-interactive (bool : false)

Prevent the CLI from asking users for input through the terminal.

Example: -non-interactive



-output-curl-string (bool : false)

Print the API call(s) required to execute the CLI command as cURL strings then exit without running the command.

Example: -output-curl-string



-output-policy (bool : false)

Print the Vault policy required to execute the CLI command as HCL then exit without running the command.

Example: -output-policy



-policy-override (bool : false)

Overrides any Sentinel policy where enforcement_level is "soft-mandatory".

Example: -policy-override



[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")

Name of the SNI host for TLS handshake resolution for TLS connections to Vault.

Examples:

  • CLI flag: -tls-server-name "hostname.domain"
  • Environment variable: export VAULT_TLS_SERVER_NAME="hostname.domain"


[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)

Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.

Examples:

  • CLI flag: -tls-skip-verify
  • Environment variable: export VAULT_SKIP_VERIFY=1


-unlock-key (string : <unset>)

Plaintext key that unlocks the underlying API endpoint for a given namespace.

Example: -unlock-key "7oXtdlmvRQ"



[-wrap-ttl | VAULT_WRAP_TTL] (string : "")

Default time-to-live in <number>[s|m|h|d] format for the Cubbyhole token used to wrap CLI responses. You must use vault unwrap to view response data before the duration expires. Leave wrap_ttl unset to leave CLI responses unwrapped.

Examples:

  • CLI flag: -wrap-ttl "5m"
  • Environment variable: export VAULT_WRAP_TTL="5m"

Examples

Monitor server logs at the debug log level:

$ vault monitor -log-level=debug
Edit this page on GitHub