HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for version v1.18.x. View latest version.

monitor

Stream Vault server logs in real-time to stdout.

$ vault monitor [flags]

$ vault monitor [-help | -h]

Description

vault monitor streams Vault server logs to stdout in real time based on the address stored in VAULT_ADDR or passed through -address. Use the -log-level flag to override the default log level set for the Vault server.

Related API endpoints

MonitorLogs - GET: /sys/monitor

Limitations and warnings

  • vault monitor runs indefinitely and only exits if an unexpected error occurs.

  • vault monitor may drop log lines if Vault is emitting log messages faster than the receiver can process the input.

Command arguments

None.

Command options

None.

Command flags


[-log-level | VAULT_LOG_LEVEL] (enum : info)

Default logging level for the Vault server.

EnumLogging behavior
traceLog everything including details about process flow within the server
debuginfo level logging and detailed server state
infowarn level logging, server events, and general server state
warnerr level logging, deprecations, and potentially harmful events/states in the server
errLog information about non-fatal errors and handled exceptions

Examples:

  • CLI flag: -log-level debug
  • Environment variable: export VAULT_LOG_LEVEL=debug


[-log-format | VAULT_LOG_FORMAT] (enum : standard)

Format of log data:

  • standard - Write log data as basic text.
  • json - Write log data as JSON.

Examples:

  • CLI flag: -log-format json
  • Environment variable: export VAULT_LOG_FORMAT=json

Standard flags

[-address | VAULT_ADDR] (string : 'https://127.0.0.1:8200')

Address of the Vault server.

Examples:

  • CLI flag: -address "https://mydomain/vault:8200"
  • Environment variable: export VAULT_ADDR="https://mydomain/vault:8200"


[-agent-address | VAULT_AGENT_ADDR] (string : "")

Address of the Vault Agent, if used.

Examples:

  • CLI flag: -agent-address "https://mydomain/vault-agent:8200"
  • Environment variable: export VAULT_AGENT_ADDR="https://mydomain/vault-agent:8200"


[-ca-cert | VAULT_CACERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used to verify SSL certificates for the server. Takes precedence over -ca_path.

Examples:

  • CLI flag: -ca-cert "/path/to/certs/mycert.pem"
  • Environment variable: export VAULT_CACERT="/path/to/certs/mycert.pem"


[-ca-path | VAULT_CAPATH] (string : "")

Path to a directory with PEM-encoded CA certificate files on the local disk. Used to verify SSL certificates for the server.

Examples:

  • CLI flag: -ca-path "/path/to/certs/dir"
  • Environment variable: export VAULT_CAPATH="/path/to/certs/dir"


[-client-cert | VAULT_CLIENT_CERT] (string : "")

Path to a PEM-encoded CA certificate file on the local disk. Used for TLS communication with the server. The specified certificate must match to the private key specified with -client-cert.

Examples:

  • CLI flag: -client-cert "/path/to/certs/mycert.pem"
  • Environment variable: export VAULT_CLIENT_CERT="/path/to/certs/mycert.pem"


[-client-key | VAULT_CLIENT_KEY] (string : "")

Path to a PEM-encoded private key that matches the client certificate set with -client-cert.

Examples:

  • CLI flag: -client-key "/path/to/keys/myprivatekey.pem"
  • Environment variable: export VAULT_CLIENT_KEY="/path/to/keys/myprivatekey.pem"


[-disable-redirects | VAULT_DISABLE_REDIRECTS] (bool : false)

Disable the default CLI redirect behavior so the CLI honors the first redirect response from the underlying API instead of following the full HTTP redirect chain.

Examples:

  • CLI flag: -disable-redirects
  • Environment variable: export VAULT_DISABLE_REDIRECTS=1

Warning

Disabling the default redirect behavior may cause commands that redirect requests to primary cluster notes (like vault operator raft snapshot) to misbehave.



[-format | VAULT_FORMAT] (enum: table)

Set the CLI output format.

ValueDescription
tableStructure the response as a table
jsonStructure the response as JSON data
yamlStructure the response as YAML data
jsonxStructure information as XML data

Examples:

  • CLI flag: -format json
  • Environment variable: export VAULT_FORMAT=json


-header (string : "")

Optional HTTP header in the form "<key>=<value>" for the CLI request. Repeat the -header flag as needed with one string per flag. User-defined headers cannot start with X-Vault-

Example: -header "Cache-Control=max-age=0"



[-mfa | VAULT_MFA] (string : "") Enterprise

A multi-factor authentication (MFA) credential, in the format mfa_method_id:passcode, that the CLI should use to authenticate to Vault. The CLI adds MFA credentials to the X-Vault-MFA header when calling the underlying API endpoint.

Examples:

  • CLI flag: -mfa "d16fd3c2-50de-0b9b-eed3-0301dadeca10:695452"
  • Environment variable: export VAULT_MFA="d16fd3c2-50de-0b9b-eed3-0301dadeca10:695452"

Note

The VAULT_MFA environment variable only accepts one MFA method specification and one credential for the specified method. To supply multiple credentials or MFA methods, use the -mfa CLI flag and repeat the flag as needed.



[-namespace | -ns | VAULT_NAMESPACE] (string : <unset>)

Root namespace for the CLI command. Setting a default namespace allow relative mount paths.

Examples:

  • CLI flag: -namespace "admin"
  • Environment variable: export VAULT_NAMESPACE="admin"


-non-interactive (bool : false)

Prevent the CLI from asking users for input through the terminal.

Example: -non-interactive



-output-curl-string (bool : false)

Print the API call(s) required to execute the CLI command as cURL strings then exit without running the command.

Example: -output-curl-string



-output-policy (bool : false)

Print the Vault policy required to execute the CLI command as HCL then exit without running the command.

Example: -output-policy



-policy-override (bool : false)

Overrides any Sentinel policy where enforcement_level is "soft-mandatory".

Example: -policy-override



[-tls-server-name | VAULT_TLS_SERVER_NAME] (string : "")

Name of the SNI host for TLS handshake resolution for TLS connections to Vault.

Examples:

  • CLI flag: -tls-server-name "hostname.domain"
  • Environment variable: export VAULT_TLS_SERVER_NAME="hostname.domain"


[-tls-skip-verify | VAULT_SKIP_VERIFY] (bool : false)

Disable verification for all TLS certificates. Use with caution. Disabling TLS certificate verification decreases the security of data transmissions to and from the Vault server.

Examples:

  • CLI flag: -tls-skip-verify
  • Environment variable: export VAULT_SKIP_VERIFY=1


-unlock-key (string : <unset>)

Plaintext key that unlocks the underlying API endpoint for a given namespace.

Example: -unlock-key "7oXtdlmvRQ"



[-wrap-ttl | VAULT_WRAP_TTL] (string : "")

Default time-to-live in <number>[s|m|h|d] format for the Cubbyhole token used to wrap CLI responses. You must use vault unwrap to view response data before the duration expires. Leave wrap_ttl unset to leave CLI responses unwrapped.

Examples:

  • CLI flag: -wrap-ttl "5m"
  • Environment variable: export VAULT_WRAP_TTL="5m"

Examples

Stream server logs at the debug log level:

$ vault monitor -log-level=debug
Edit this page on GitHub