log_request_level has to be explicitly set now in config with 1.13.9 contrary to what is documented #24045

Closed
pavanrangain opened this issue Nov 7, 2023 · 1 comment · Fixed by #24056
Labels
bug Used to indicate a potential bug

@pavanrangain

Describe the bug
We are seeing excessive logs from Vault after upgrading to 1.13.9 from 1.13.8. When we checked, they are completed_request logs, which should not have been logged, as our log_level is set to info and log_request_level is not in the Vault config. The documentation says that to deactivate this, remove log_request_level from the config, which was working till 1.13.8. With 1.13.9 we have to explicitly add log_request_level in the config.

Expected behavior
Log completed request should not be logged if log_request_level is not in config (defaulting it to trace) as per documentation here - https://developer.hashicorp.com/vault/docs/v1.13.x/configuration/log-requests-level#deactivating-the-log-completed-requests

Environment:

  • Vault Server Version 1.13.9
  • Vault CLI Version - 1.13.9
  • Server Operating System/Architecture: Linux

Vault server configuration file(s):

storage "raft" {
  path = "/opt/vault"
  node_id = "xxx"
  retry_join {
    leader_api_addr = "https://xxx:8202"
    leader_ca_cert_file = "/opt/vault/certs/consul-agent-ca.pem"
  }
  retry_join {
    leader_api_addr = "https://xxx:8202"
    leader_ca_cert_file = "/opt/vault/certs/consul-agent-ca.pem"
  }
}

ui = true
disable_mlock = true
log_level = "INFO"
log_format = "json"

listener "tcp" {
  cluster_address  = "xxx:8201"
  address  = "0.0.0.0:8200"
  tls_disable = 1

  custom_response_headers {
    "default" = {
      "Strict-Transport-Security" = ["max-age=31536000; includeSubDomains"],
      "X-Frame-Options" = ["DENY"],
      "X-Content-Type-Options" = ["nosniff"],
      "X-Xss-Protection" = ["1; mode=block"],
      "Content-Security-Policy" = ["frame-ancestors 'none'"],
      "Referrer-Policy" = ["no-referrer"]
    }
  }
}

listener "tcp" {
  cluster_address = "xxx:8201"
  address = "0.0.0.0:8202"
  tls_cert_file = "/opt/vault/certs/vault-cert-server.pem"
  tls_key_file = "/opt/vault/certs/vault-cert-server-key.pem"
  tls_cipher_suites = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

  custom_response_headers {
    "default" = {
      "Strict-Transport-Security" = ["max-age=31536000; includeSubDomains"],
      "X-Frame-Options" = ["SAMEORIGIN"],
      "X-Content-Type-Options" = ["nosniff"],
      "X-Xss-Protection" = ["1; mode=block"],
      "Content-Security-Policy" = ["frame-ancestors 'none'"],
      "Referrer-Policy" = ["no-referrer"]
    }
  }
}

api_addr = "https://xxx:8202"
cluster_addr = "https://xxx:8201"

Additional context
Seems it's broken with this change - https://github.com/hashicorp/vault/pull/23644/files#diff-a0a40b411f03b3c927d6a2eafaf8a17693cc05a44e81bfe1362045a9372b9cfeL1302-R1274. Please check.

@peteski22
Contributor

peteski22 commented Nov 8, 2023

Thanks for the report and the detailed write up @pavanrangain, you're right that this was a bug introduced recently 😞 . We've merged a fix for it to main and have also back-ported to 1.13.x, 1.14.x and 1.15.x release branches.

@peteski22 peteski22 added this to the 1.13.11 milestone Nov 8, 2023
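
One way to confirm the symptom reported above from a server running with `log_format = "json"`: count `completed_request` entries by level and request path, and flag the case where they appear although the request-logging key is absent from the config. This is an added example, not code from the issue or from the Vault project; the `@level`/`@message` key names, the extra fields and the sample lines are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample lines (assumed hclog-style JSON layout; not real output).
SAMPLE_LOG = """\
{"@level":"info","@message":"core: post-unseal setup complete","@timestamp":"2023-11-07T10:00:00Z"}
{"@level":"trace","@message":"completed_request","@timestamp":"2023-11-07T10:00:01Z","request_path":"/v1/sys/health","status_code":200}
{"@level":"trace","@message":"completed_request","@timestamp":"2023-11-07T10:00:02Z","request_path":"/v1/auth/token/lookup-self","status_code":200}
not-json line from a wrapper script
{"@level":"warn","@message":"core: example warning","@timestamp":"2023-11-07T10:00:03Z"}
"""


def summarize_completed_requests(log_text):
    """Count completed_request entries per level and per request path."""
    levels, paths, parsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise mixed into the stream
        if not isinstance(entry, dict):
            continue
        parsed += 1
        if entry.get("@message") == "completed_request":
            levels[str(entry.get("@level", "unknown")).lower()] += 1
            paths[entry.get("request_path", "unknown")] += 1
    return {"parsed": parsed, "levels": dict(levels), "paths": dict(paths)}


def regression_suspected(summary, key_in_config):
    """True when request logs exist although the key is absent from config."""
    return not key_in_config and sum(summary["levels"].values()) > 0


if __name__ == "__main__":
    s = summarize_completed_requests(SAMPLE_LOG)
    print(s, regression_suspected(s, key_in_config=False))
```

The per-path counts also show which request paths are being written to the operational log, which matters when deciding how long those logs are retained and who can read them.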