From 2c9cb6df90ed8c26738f9dd9e30a035b0421cc5c Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Sun, 18 Jan 2026 17:27:38 +0100
Subject: [PATCH] Update Alloy configuration in README to include log level and tail_from_end setting for audit logs
---
 policies/README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policies/README.md b/policies/README.md
index f57b0a6..a987cbc 100644
--- a/policies/README.md
+++ b/policies/README.md
@@ -26,12 +26,15 @@ Add the following configuration to your Alloy setup:
 ```hcl
 loki.source.file "vault_audit_log" {
 targets = [
- {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit"},
+ {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info"},
 ]
 forward_to = [loki.write.default.receiver]
+ tail_from_end = true
 }
 ```
 
+> **Note:** `tail_from_end = true` ensures that only new log entries are read, preventing the ingestion of old lines/entries. It is (probably) required because the audit log file does not contain timestamps and only entry guids.
+
 Check auditing configuration with:
 
 ```bash