Debug Log Reporting

Debug logs for the HashiCorp Vault integration are written by the Tenable Nessus scanner during the scan. The debug logging settings in Tenable Nessus control log output.

Log File Names

The integration writes to log files named after the credential plugin that invoked it:

  • SSH scans: ssh_settings.nasl~Hashicorp Vault

  • Windows scans: logins.nasl~Hashicorp Vault

  • Database scans: database_settings.nasl~Hashicorp Vault

The integration attaches log files to the Debugging Log Report (84239) plugin output.

What the Logs Contain

The debug logs record the full integration lifecycle for each scan, including:

  • Configuration settings loaded from the scan policy (with sensitive values masked)

  • The authentication method used and whether authentication succeeded

  • The HashiCorp Vault API requests and the HTTP response status

  • Whether the secret was found and whether its value was parsed successfully

  • Cache hit/miss information for repeated credential retrievals

  • Any errors returned by the HashiCorp Vault API, including authentication failures and secret-not-found responses

Common Reasons for Credentialed Checks Showing "No" Status

  • The HashiCorp Vault authentication type does not have an Access Role that grants read access to the specified secret.

  • The HashiCorp Vault host is unreachable from the scanner (firewall, incorrect hostname, or port).

  • The path in the Authentication URL is incorrect or misspelled.

  • An invalid JSON parameters file is provided for the SSH Signed Certificates vault type.

  • For the SSH Signed Certificates vault type, the Secrets Engine URL contains an incorrect role, which causes an error when the public key is created or signed.

  • SSL certificate verification fails because the HashiCorp Vault integration instance uses a self-signed certificate and Verify SSL Certificate is enabled.
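
As an added example (not part of Tenable's documentation or product code), the script below repeats the read of a secret path from the scanner host with curl and maps the result to the causes listed above. It assumes token authentication with the token in the VAULT_TOKEN environment variable; the host name and secret path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Tenable or HashiCorp code). Run from the scanner host.
# Assumes token authentication; the token is read from VAULT_TOKEN.
# Usage: VAULT_TOKEN=... sh vault_probe.sh https://vault.example.internal:8200 v1/secret/data/scan-cred
# The host name and secret path above are placeholders.

# classify_probe CURL_EXIT HTTP_STATUS
# Prints the cause from the list above that best matches one probe result.
classify_probe() {
    case "$1" in
        0)  ;;  # transport succeeded; decide on the HTTP status below
        6)  echo "unreachable: hostname does not resolve"; return 0 ;;
        7)  echo "unreachable: connection refused (wrong port or firewall)"; return 0 ;;
        28) echo "unreachable: timed out (firewall drop or wrong port)"; return 0 ;;
        60) echo "tls: certificate not trusted (self-signed or unknown CA)"; return 0 ;;
        *)  echo "transport: curl exit code $1"; return 0 ;;
    esac
    case "$2" in
        2??) echo "ok: secret path is readable" ;;
        403) echo "denied: credential rejected or no read access to this path" ;;
        404) echo "not-found: wrong path or secret does not exist" ;;
        *)   echo "http: unexpected status $2" ;;
    esac
}

# probe_vault ADDR PATH
# Reads the path with certificate verification on (curl's default) and
# classifies the result. The token is fed to curl on stdin so that it never
# appears in the process list.
probe_vault() {
    rc=0
    status=$(printf 'header = "X-Vault-Token: %s"\n' "$VAULT_TOKEN" |
        curl --config - --silent --output /dev/null --max-time 10 \
             --write-out '%{http_code}' "${1%/}/${2#/}") || rc=$?
    classify_probe "$rc" "$status"
}

if [ "$#" -ge 2 ]; then
    probe_vault "$1" "$2"
fi
```

A "tls" result with Verify SSL Certificate enabled points to the self-signed certificate case; compare the outcome with the HTTP response status recorded in the debug log for the same scan.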