Audit log entry schema

Stronghold logs audit entries as individual JSON objects separated by line breaks. Audit log entries include attributes that are common across all API endpoints and endpoint-specific request and response attributes.

Audit log entries represent API requests received by Stronghold and API responses sent by Stronghold. You can match a response entry to its corresponding request entry using the ID field of the request object (.request.id), which is included in both entries.

Attribute Type Description
auth object authentication object describing the authenticated principal making the API call.
error string Error string generated by the request or returned in the response. Omitted for successful transactions.
forwarded_from string Host and port of the performance standby node forwarding the request. Omitted for requests not forwarded.
request object request object describing the request details.
response object response object describing response details. Omitted for request entries.
time string Date and time of the API request/response in ISO 8601 format.
type string Type of the audit log entry. One of request or response.

{
  "auth": <authentication object>,
  "error": "error converting input {\"name\":\"John\"} for field \"data\": '' expected a map, got 'string'",
  "forwarded_from": "vault-1.prod.corp.com:443",
  "request": <request object>,
  "time": "2025-06-05T16:10:22.292517Z",
  "type": "request"
}

{
  "auth": <original authentication object>,
  "error": "1 error occurred:\n\t* invalid request\n\n",
  "forwarded_from": "vault-1.prod.corp.com:443",
  "request": <original request object>,
  "response": <response object>,
  "time": "2025-06-05T16:10:22.292639Z",
  "type": "response"
}
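
The following added example (not part of the original page or the Stronghold code base) pairs request and response entries on .request.id, as described above, and reports requests with no logged response and responses whose request entry is missing. The sample log, request IDs and paths are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line, shaped like the entries above.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "request", "time": "2025-06-05T16:10:22.292517Z",
     "request": {"id": "req-1", "operation": "update", "path": "secret/data/app"}},
    {"type": "response", "time": "2025-06-05T16:10:22.292639Z",
     "error": "1 error occurred:\n\t* invalid request\n\n",
     "request": {"id": "req-1", "operation": "update", "path": "secret/data/app"},
     "response": {"data": {}}},
    {"type": "request", "time": "2025-06-05T16:10:23.000000Z",
     "request": {"id": "req-2", "operation": "read", "path": "auth/token/lookup-self"}},
    {"type": "response", "time": "2025-06-05T16:10:24.000000Z",
     "request": {"id": "req-3", "operation": "read", "path": "sys/health"}, "response": {}},
])


def parse_time(value):
    # Entries use ISO 8601; map a trailing "Z" to an explicit UTC offset
    # so datetime.fromisoformat also accepts it on older Python versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(log_text):
    """Pair request and response entries on .request.id.

    Returns (pairs, unanswered, orphans): completed transactions, IDs of
    request entries with no response, and IDs of responses whose request
    entry is missing (for example, it fell in a rotated file).
    """
    pending, pairs, orphans = {}, [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        req_id = entry["request"]["id"]
        if entry["type"] == "request":
            pending[req_id] = entry
        elif req_id in pending:
            req = pending.pop(req_id)
            elapsed = parse_time(entry["time"]) - parse_time(req["time"])
            pairs.append({"id": req_id, "path": req["request"]["path"],
                          "error": entry.get("error"),  # omitted on success
                          "elapsed_us": elapsed // timedelta(microseconds=1)})
        else:
            orphans.append(req_id)
    return pairs, sorted(pending), orphans
```
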

Authentication object

Stronghold omits irrelevant authentication object attributes from the audit entry. For example, accessor and client_token are irrelevant for unauthenticated requests and metadata is irrelevant if the authentication token lacks metadata.

Attribute Type Description
accessor string Accessor of the Stronghold token that performed the request. This value is hashed by default; the example shows a non-hashed token accessor. Refer to token accessors for more information.
client_token string Stronghold token that performed the request, in hashed form.
display_name string Name associated with the Stronghold token that performed the request. This is a non-sensitive value that can help identify tokens. If a display name is not set, "token" will be shown.
token_type string Whether the Stronghold token is a service, batch, or periodic token. Refer to token types.
token_issue_time string Date and time when the Stronghold token was issued, in ISO 8601 format.
token_ttl integer Validity period of the Stronghold token, in seconds and as of when the token was first issued, relative to token_issue_time. Note that this value is not updated when the token's lifetime is changed subsequent to initial issuance.
metadata object Metadata associated with the Stronghold token.
num_uses integer If the API request results in a token being issued with a limited number of uses, the number of uses on that token.
remaining_uses integer If the Stronghold token has a limit on the number of uses, the number of uses remaining prior to the current request.
entity_created boolean Whether the request resulted in an entity being created, i.e. an authorized principal logs into Stronghold for the first time. Omitted when false.
entity_id string If the Stronghold token is associated with an entity, the ID of that entity.
policies list(string) List of the names of the ACL policies associated with either the Stronghold token or the corresponding entity.
identity_policies list(string) If the Stronghold token is associated with an entity, a list of the names of the ACL policies associated (directly or via group membership) with that entity.
token_policies list(string) A list of the names of the ACL policies associated directly with the Stronghold token.
no_default_policy boolean Whether the Stronghold token does not have Stronghold's "default" ACL policy associated with it. Omitted when false.
external_namespace_policies object If the Stronghold token is associated with an entity, and that entity inherits ACL policies from a namespace other than the namespace in which the entity exists, a JSON object containing a boolean attribute allowed and granting_policies, a list of those inherited ACL policies. Refer to the JSON structure below for more information about granting_policies.
policy_results object JSON object containing a boolean attribute allowed and granting_policies, a list of ACL policies associated with either the Stronghold token or the corresponding entity that resulted in the request being allowed. Refer to the JSON structure below for more information about granting_policies.
{
  "accessor": "",
  "client_token": "",
  "display_name": "",
  "entity_created": false,
  "entity_id": "",
  "external_namespace_policies": {
    "allowed": true,
    "granting_policies": [
      {
        "name": "",
        "namespace_id": "",
        "namespace_path": "",
        "type": ""
      }
    ]
  },
  "identity_policies": [""],
  "metadata": {},
  "no_default_policy": false,
  "num_uses": 10,
  "policies": [""],
  "policy_results": {
    "allowed": true,
    "granting_policies": [
      {
        "name": "",
        "namespace_id": "",
        "namespace_path": "",
        "type": ""
      }
    ]
  },
  "remaining_uses": 5,
  "token_policies": [""],
  "token_issue_time": "",
  "token_ttl": 3600,
  "token_type": ""
}

Request object

The following request object definition includes example data with simple types (string, bool, int) and is used in other JSON examples that include a <request> object.

Attribute Type Description
id string Random ID generated by Stronghold to uniquely identify the API request.
operation string Whether the request is a create, read, update, delete, or list operation.
namespace object JSON object with the namespace's unique id and its path.
path string API path that received the request.
request_uri string The original request path from the HTTP request, if it differs from path (e.g., when the Stronghold namespace is specified as an HTTP header).
mount_accessor string Unique identifier of the Stronghold mount (secret engine or authentication backend) that received the API request.
mount_type string Type of Stronghold mount that received the API request.
mount_running_version string Version string for the Stronghold mount that received the API request.
mount_running_sha256 string If the mount that received the API request is an external plugin, the SHA-256 hash of the plugin's running version.
mount_is_external_plugin boolean Whether the mount that received the API request is an external plugin.
remote_address string IP address of the client making the request, as seen by Stronghold. Note that load balancers, proxies, and reverse proxies may all mask the true client's IP address.
remote_port integer Port number used by the client making the request, as seen by Stronghold.
headers object JSON object containing request headers configured to be logged.
policy_override boolean Whether the client requested an override of a Sentinel policy.
client_id string ID of the Stronghold client making the request.
client_token string Stronghold token that performed the request, in hashed form.
client_token_accessor string Accessor of the Stronghold token that performed the request. This value is hashed by default; the example shows a non-hashed token accessor. Refer to token accessors for more information.
client_certificate_serial_number string If the client's connection to Stronghold is mutually authenticated, the serial number of the client's TLS certificate.
wrap_ttl integer If the client requested the response to be wrapped, the number of seconds for which the wrapped response will be available.
data object JSON object containing the request's payload. This is dependent on the API endpoint called.
replication_cluster string If the request was forwarded from a Performance Replication secondary cluster, the name of the secondary cluster.
{
  "client_certificate_serial_number": "",
  "client_id": "",
  "client_token": "",
  "client_token_accessor": "",
  "data": {},
  "id": "",
  "headers": {},
  "mount_accessor": "",
  "mount_class": "",
  "mount_point": "",
  "mount_type": "",
  "mount_running_version": "",
  "mount_running_sha256": "",
  "mount_is_external_plugin": false,
  "namespace": {
    "id": "",
    "path": ""
  },
  "operation": "",
  "path": "",
  "policy_override": true,
  "remote_address": "",
  "remote_port": 1234,
  "replication_cluster": "",
  "request_uri": "",
  "wrap_ttl": 60
}

Response object

The following response object definition includes example data with simple types (string, bool, int) and is used in other JSON examples that include a <response> object.

Attribute Type Description
auth object If the request results in a token being created, an authentication object with the token information. See authentication above.
headers object Set of HTTP response headers sent by the plugin that handled the API request.
redirect string For requests sent to authentication backends, the URL to which the authentication backend redirected the user for further authentication.
warnings list(string) If the API returned one or more warnings, a list of the warning messages.
data object JSON object containing the response payload. This is dependent on the API endpoint called.
secret object If the API returned a leased secret, a JSON object with one attribute, lease_id, that identifies that leased secret.
wrap_info object If the API returned a response-wrapped secret, a JSON object containing the properties of the wrapping token. See below for the attributes in the JSON object.
mount_class string Type of API mount, auth or secret.
mount_accessor string Unique identifier of the Stronghold mount (secret engine or authentication backend) that responded to the API request.
mount_type string Type of Stronghold mount that responded to the API request.
mount_running_plugin_version string Version string for the Stronghold mount that responded to the API request.
mount_running_sha256 string If the mount that received the API request is an external plugin, the SHA-256 hash of the plugin's running version.
mount_is_external_plugin boolean Whether the mount that received the API request is an external plugin.
{
  "auth": <auth>,
  "data": {},
  "headers": {},
  "mount_accessor": "",
  "mount_class": "",
  "mount_is_external_plugin": false,
  "mount_point": "",
  "mount_running_sha256": "",
  "mount_running_plugin_version": "",
  "mount_type": "",
  "redirect": "",
  "secret": {
    "lease_id": ""
  },
  "wrap_info": {
    "accessor": "",
    "creation_path": "",
    "creation_time": "",
    "token": "",
    "ttl": 60,
    "wrapped_accessor": ""
  },
  "warnings": [
    ""
  ]
}

Full entry examples

{
  "auth": {
    "accessor": "hmac-sha256:3348fe9b24b078f97d747363dda2d55bb0445e90b512e9f68f48d289fed798b3",
    "client_token": "hmac-sha256:c39c69748f0894cb4cd0333c779e72343ba45af287649d0fbcc37e9b079abe5d",
    "display_name": "userpass-alice",
    "entity_id": "62ff123b-7609-1ed9-5707-ea621da72de7",
    "metadata": { "username": "alice" },
    "policies": ["default"],
    "policy_results": {
      "allowed": true,
      "granting_policies": [
        { "type": "" },
        { "name": "default", "namespace_id": "root", "type": "acl" }
      ]
    },
    "token_policies": ["default"],
    "token_issue_time": "2025-06-04T16:01:31-04:00",
    "token_ttl": 2764800,
    "token_type": "service"
  },
  "request": {
    "client_id": "62ff123b-7609-1ed9-5707-ea621da72de7",
    "client_token": "hmac-sha256:3431e8c2ce0e5f5e179a857fcf9d948afd83363de9f64a5e956851262e1285e0",
    "client_token_accessor": "hmac-sha256:3348fe9b24b078f97d747363dda2d55bb0445e90b512e9f68f48d289fed798b3",
    "headers": { "user-agent": ["Go-http-client/1.1"] },
    "id": "79cc9b26-488f-eabf-2a97-303ed3bef0d6",
    "mount_class": "auth",
    "mount_point": "auth/token/",
    "mount_running_version": "v1.19.1+builtin.vault",
    "mount_type": "token",
    "namespace": { "id": "root" },
    "operation": "read",
    "path": "auth/token/lookup-self",
    "remote_address": "127.0.0.1",
    "remote_port": 64199
  },
  "time": "2025-06-04T20:02:46.117181Z",
  "type": "request"
}

{
  "auth": {
    "accessor": "hmac-sha256:3348fe9b24b078f97d747363dda2d55bb0445e90b512e9f68f48d289fed798b3",
    "client_token": "hmac-sha256:c39c69748f0894cb4cd0333c779e72343ba45af287649d0fbcc37e9b079abe5d",
    "display_name": "userpass-alice",
    "entity_id": "62ff123b-7609-1ed9-5707-ea621da72de7",
    "metadata": { "username": "alice" },
    "policies": ["default"],
    "policy_results": {
      "allowed": true,
      "granting_policies": [
        { "type": "" },
        { "name": "default", "namespace_id": "root", "type": "acl" }
      ]
    },
    "token_policies": ["default"],
    "token_issue_time": "2025-06-04T16:01:31-04:00",
    "token_ttl": 2764800,
    "token_type": "service"
  },
  "request": {
    "client_id": "62ff123b-7609-1ed9-5707-ea621da72de7",
    "client_token": "hmac-sha256:3431e8c2ce0e5f5e179a857fcf9d948afd83363de9f64a5e956851262e1285e0",
    "client_token_accessor": "hmac-sha256:3348fe9b24b078f97d747363dda2d55bb0445e90b512e9f68f48d289fed798b3",
    "headers": { "user-agent": ["Go-http-client/1.1"] },
    "id": "79cc9b26-488f-eabf-2a97-303ed3bef0d6",
    "mount_accessor": "auth_token_d43d387d",
    "mount_class": "auth",
    "mount_point": "auth/token/",
    "mount_running_version": "v1.19.1+builtin.vault",
    "mount_type": "token",
    "namespace": { "id": "root" },
    "operation": "read",
    "path": "auth/token/lookup-self",
    "remote_address": "127.0.0.1",
    "remote_port": 64199
  },
  "response": {
    "data": {
      "accessor": "hmac-sha256:3348fe9b24b078f97d747363dda2d55bb0445e90b512e9f68f48d289fed798b3",
      "creation_time": 1749067291,
      "creation_ttl": 2764800,
      "display_name": "hmac-sha256:e9fb3affb6ae22b7f747e1a60bdda5b57809c9e64ae6f39ebac24e371e6b9d89",
      "entity_id": "hmac-sha256:d2458e3011b3567a0070f22bcdd5e513aeb3473457922e1866f01463ccce2b11",
      "expire_time": "2025-07-06T16:01:31.771304-04:00",
      "explicit_max_ttl": 0,
      "id": "hmac-sha256:c39c69748f0894cb4cd0333c779e72343ba45af287649d0fbcc37e9b079abe5d",
      "issue_time": "2025-06-04T16:01:31.771306-04:00",
      "meta": {
        "username": "hmac-sha256:b93081f3689ff25929e88d5c323631ccf7d6145cd9f33c0c5129a7a340248b9a"
      },
      "num_uses": 0,
      "orphan": true,
      "path": "hmac-sha256:82f79af6be9e1d33d6821a8cfcfcba3196e5ec68512c1f5ed4c919acd8443dd6",
      "policies": [
        "hmac-sha256:1b1a37ccd3a6a78da781140396f04eb50e3460504492d2da75b446d775d3325b"
      ],
      "renewable": true,
      "ttl": 2764725,
      "type": "hmac-sha256:b835fe7ff7616f2023c77f6dbddc7afd83ef5c6644aba61c574c378dda710809"
    },
    "mount_accessor": "auth_token_d43d387d",
    "mount_class": "auth",
    "mount_point": "auth/token/",
    "mount_running_plugin_version": "v1.19.1+builtin.vault",
    "mount_type": "token"
  },
  "time": "2025-06-04T20:02:46.117567Z",
  "type": "response"
}