From fe38e97e0218eccb5a8ee251aa5a69bd93c0f132 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Sun, 18 Jan 2026 12:06:56 +0100
Subject: [PATCH] Add auditing section to README with configuration and commands
---
 policies/README.md | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
diff --git a/policies/README.md b/policies/README.md
index 5ad8f9d..f57b0a6 100644
--- a/policies/README.md
+++ b/policies/README.md
@@ -10,3 +10,36 @@ vault policy delete
 ```
 
 Format a policy file using `vault policy fmt `.
+
+## Auditing
+
+To enable auditing, use the following command:
+
+```bash
+vault audit enable file file_path=/var/log/vault_audit.log mode=0640
+```
+
+Configure Alloy to read the audit logs from the specified file path.
+
+Add the following configuration to your Alloy setup:
+
+```hcl
+loki.source.file "vault_audit_log" {
+ targets = [
+ {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit"},
+ ]
+ forward_to = [loki.write.default.receiver]
+}
+```
+
+Check auditing configuration with:
+
+```bash
+vault audit list -detailed
+```
+
+To disable auditing, use:
+
+```bash
+vault audit disable file
+```