IBM QRadar


Enhancing Security Visibility: Sending HashiCorp Audit Logs to IBM QRadar SIEM via Syslog

By Surajprakash Vidhani posted 14 hours ago


Integrating Vault audit logs with IBM QRadar SIEM over the Syslog protocol lets enterprises consolidate and analyze all Vault access events within their existing security monitoring infrastructure, which helps detect anomalies, enforce compliance, and strengthen operational security.

Why Focus on Vault Audit Logs? 

HashiCorp Vault’s audit logs are emitted in JSON format. Below are some of the metadata fields found in a Vault audit log entry:

  • time (When Vault processed the request) 

  • auth.client_token (The HMAC of the client token used) 

  • request.path (The Vault endpoint or secret path) 

  • request.operation (Action type like read, write, or delete) 

  • request.remote_address (Originating client’s IP) 

  • auth.token_type / auth.display_name (Token, AppRole, LDAP, etc.) 

Flow Diagram 

Below is the flow diagram for forwarding Vault audit logs to QRadar SIEM. 

Configure HashiCorp Vault by following these steps:

Step 1: Enable Vault Audit Logging to Syslog 

Vault supports multiple audit types. To enable Syslog auditing, modify the Vault configuration in the file /etc/vault.d/vault.hcl:

audit {
  type = "syslog"
  options = {
    tag = "vault_audit"
    facility = "LOCAL0" // syslog facility the audit events are logged under
  }
}


After changing the config file, restart Vault with the command below.

systemctl restart vault

To confirm that Vault restarted successfully, check its status with:

systemctl status vault


Step 2: Configure Syslog to Forward events to QRadar SIEM 

By default, Linux distributions use rsyslog, which must be configured to forward events to the QRadar SIEM Event Collector.

To do so, either modify /etc/rsyslog.conf or, as recommended, create a dedicated file /etc/rsyslog.d/vault.conf containing:

local0.*    @@<QRADAR_IP>:514

  • Use @ for UDP or @@ for TCP forwarding.

  • Replace <QRADAR_IP> with the IP address of your QRadar SIEM Event Collector.

  • local0.* selects the facility we defined in /etc/vault.d/vault.hcl.

  • By default, the QRadar SIEM Syslog protocol listens only on port 514, so it is not recommended to change this port.

After completing Step 1 and Step 2, restart the rsyslog service with:

systemctl restart rsyslog
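The forwarding path set up in Step 2 can be exercised before any real Vault traffic arrives. The following Python script is an added example, not code from the original post, from HashiCorp or from IBM: it assembles an RFC 3164 syslog line the way rsyslog emits it (PRI = facility * 8 + severity, so local0.info gives <134>), sends it with the same framing rsyslog uses for @ (one UDP datagram per message) and @@ (TCP stream, newline-delimited), and verifies the round trip against a throwaway loopback listener. The hostname, tag, PID and the audit event body are constructed values; pointing send_udp or send_tcp at the collector address instead of 127.0.0.1 sends the same synthetic event to QRadar so the log source can be checked end to end.

```python
import json
import socket
from datetime import datetime

# RFC 3164 facility and severity codes (the subset relevant to this setup).
FACILITIES = {"auth": 4, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Constructed audit event, shaped like Vault's audit JSON (hypothetical values).
SAMPLE_EVENT = {
    "type": "response",
    "time": "2025-11-06T11:23:42Z",
    "auth": {"client_token": "hmac-sha256:example", "token_type": "service",
             "display_name": "approle"},
    "request": {"operation": "read", "path": "secret/data/app/config",
                "remote_address": "10.0.0.1"},
}


def syslog_pri(facility, severity):
    """PRI as rsyslog computes it: facility * 8 + severity (local0.info -> 134)."""
    return FACILITIES[facility.lower()] * 8 + SEVERITIES[severity.lower()]


def build_rfc3164_line(facility, severity, hostname, tag, pid, event, when):
    """Assemble '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: JSON' as rsyslog emits it."""
    # RFC 3164 timestamp: abbreviated month, space-padded day, 24h time.
    ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    body = json.dumps(event, separators=(",", ":"))
    return f"<{syslog_pri(facility, severity)}>{ts} {hostname} {tag}[{pid}]: {body}"


def send_udp(line, host, port):
    """rsyslog '@host:port': one datagram per message, no framing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def send_tcp(line, host, port):
    """rsyslog '@@host:port': stream transport, messages delimited by LF."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode() + b"\n")


def loopback_roundtrip(line, proto):
    """Send the line to a throwaway listener on 127.0.0.1 and return what arrived."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
            srv.bind(("127.0.0.1", 0))
            srv.settimeout(5)
            send_udp(line, "127.0.0.1", srv.getsockname()[1])
            data, _ = srv.recvfrom(65535)
            return data.decode()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)
        send_tcp(line, "127.0.0.1", srv.getsockname()[1])
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while chunk := conn.recv(4096):
                chunks.append(chunk)
        # Strip the LF framing a TCP receiver uses to split messages.
        return b"".join(chunks).decode().rstrip("\n")


def demo_line():
    """The synthetic event as it would leave the Vault host under local0.info."""
    return build_rfc3164_line("local0", "info", "hashi-corp-vault1", "vault_audit",
                              954, SAMPLE_EVENT, datetime(2025, 11, 6, 3, 23, 42))


if __name__ == "__main__":
    line = demo_line()
    print(line)
    for proto in ("udp", "tcp"):
        assert loopback_roundtrip(line, proto) == line
        print(f"{proto}: round trip ok")
```

The two send functions differ only in framing, which is exactly the difference between @ and @@ in the rsyslog selector: a UDP receiver gets one message per datagram, while a TCP receiver has to split the stream on the newline, so a line that accidentally contains a raw newline inside the JSON would be seen as two events on the TCP path.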

 

Configure QRadar SIEM

Configure QRadar SIEM to receive the audit logs of HashiCorp Vault.

In the QRadar Console:

  1. Navigate to Admin -> Log Sources -> Add New Log Source.

  2. Name: a meaningful label for your reference. In our case we used sysloghashicorp, as shown in the screenshot below.

  3. Log Source Type: select the relevant log source type. In our case, select HashiCorp Vault.

  4. Protocol Type: select Syslog.

  5. Log Source Identifier: this can be taken from the payload header. In our sample payload it is “hashi-corp-vault1". Usually it is the hostname from the Syslog header or the IP address of the Vault host. If Auto Detect is enabled, QRadar detects the log source identifier from the Syslog header automatically.

Sample Payload:

<38>Nov 6 03:23:42 hashi-corp-vault1 vault[954]: {"auth":{"client_token":"hmac-sha256:1234","policy_results":{"allowed":true},"token_type":"default"},"request":{"client_token":"hmac-sha256:1234","headers":{"user-agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0"]},"id":"d395ad84-a7b1-1d97-11f5-d4cea7544384","mount_accessor":"system_45667fef","mount_class":"secret","mount_point":"sys/","mount_running_version":"v1.20.4+builtin.vault","mount_type":"system","namespace":{"id":"root"},"operation":"read","path":"sys/internal/ui/unauthenticated-messages","remote_address":"10.0.0.1","remote_port":52781},"response":{"mount_accessor":"system_45667fef","mount_class":"secret","mount_point":"sys/","mount_running_plugin_version":"v1.20.4+builtin.vault","mount_type":"system"},"time":"2025-11-06T11:23:42.733530272Z","type":"response"}

  6. Save the log source.

  7. To activate the newly configured log source, deploy the changes from the Admin page: Admin -> Deploy Changes.

  8. Once the log source is added and deployed, verify that QRadar SIEM is ingesting HashiCorp Vault audit events:

    1. Navigate to the Log Activity tab.

    2. Under Log Source, select your configured source name (for example, sysloghashicorp in our case).
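To see how the Log Source Identifier and the metadata fields listed earlier are recovered from a line like the sample payload, here is an added Python example (not code from the original post, from HashiCorp or from IBM) that splits the RFC 3164 header from the JSON body, decodes the PRI into facility and severity, and pulls out each field by dotted path. Its only input is the post's sample payload, embedded verbatim. One thing worth noticing: <38> decodes to facility auth, severity info, which is the default facility of Vault's syslog audit device, whereas events logged under the LOCAL0 facility configured in Step 1 would arrive as <134>. Decoding the PRI of what actually reaches the collector is therefore a quick way to confirm that the local0.* selector in rsyslog will match.

```python
import json
import re

# RFC 3164 facility codes (PRI // 8) and severity codes (PRI % 8).
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG" as rsyslog writes it.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# The metadata fields the post lists, as dotted paths into the audit JSON.
FIELDS = ["time", "auth.client_token", "auth.token_type", "auth.display_name",
          "request.path", "request.operation", "request.remote_address"]

# The post's sample payload, used here as the example input.
SAMPLE_LINE = (
    '<38>Nov 6 03:23:42 hashi-corp-vault1 vault[954]: '
    '{"auth":{"client_token":"hmac-sha256:1234","policy_results":{"allowed":true},'
    '"token_type":"default"},"request":{"client_token":"hmac-sha256:1234",'
    '"headers":{"user-agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) '
    'Gecko/20100101 Firefox/142.0"]},"id":"d395ad84-a7b1-1d97-11f5-d4cea7544384",'
    '"mount_accessor":"system_45667fef","mount_class":"secret","mount_point":"sys/",'
    '"mount_running_version":"v1.20.4+builtin.vault","mount_type":"system",'
    '"namespace":{"id":"root"},"operation":"read",'
    '"path":"sys/internal/ui/unauthenticated-messages","remote_address":"10.0.0.1",'
    '"remote_port":52781},"response":{"mount_accessor":"system_45667fef",'
    '"mount_class":"secret","mount_point":"sys/",'
    '"mount_running_plugin_version":"v1.20.4+builtin.vault","mount_type":"system"},'
    '"time":"2025-11-06T11:23:42.733530272Z","type":"response"}'
)


def dig(obj, dotted):
    """Follow a dotted path through nested dicts; None if any level is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def parse_vault_syslog(line):
    """Split an rsyslog-formatted Vault audit line into header facts and audit fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3164 syslog line")
    pri = int(m["pri"])
    event = json.loads(m["msg"])
    return {
        "facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITY_NAMES[pri % 8],
        # QRadar's Log Source Identifier comes from the header's HOSTNAME field.
        "log_source_identifier": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "event_type": event.get("type"),
        "fields": {f: dig(event, f) for f in FIELDS},
    }


def summarize(parsed):
    """One-line triage view: when, which host, what operation on which path, from where."""
    f = parsed["fields"]
    return (f"{f['time']} {parsed['log_source_identifier']} "
            f"{f['request.operation']} {f['request.path']} "
            f"from {f['request.remote_address']} token_type={f['auth.token_type']} "
            f"[{parsed['facility']}.{parsed['severity']}]")


if __name__ == "__main__":
    parsed = parse_vault_syslog(SAMPLE_LINE)
    print(json.dumps(parsed, indent=2))
    print(summarize(parsed))
```

Fields the event does not carry (auth.display_name in this sample, which is a system-path read with a default token) come back as None rather than raising, so the same function can be run over a whole file of forwarded lines to spot which of the listed fields a given event type actually populates before building QRadar custom properties around them.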

 

Integrating HashiCorp Vault audit logs with IBM QRadar SIEM provides unified visibility into secrets management activities across the enterprise. By forwarding Vault’s structured audit data through Syslog, security teams can monitor authentication, access, and system operations in real time. This integration enables faster detection of abnormal behavior, stronger correlation with other infrastructure events, and compliance-ready audit trails. From a business standpoint, it enhances governance, reduces operational risk, and improves incident response efficiency. Overall, embedding Vault telemetry into QRadar strengthens organizational security posture and delivers measurable value in risk management and data protection. 
