diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index c7b0ff1..2736675 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -4,7 +4,21 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
-profiles::vault::server::audit_log: /data/vault/audit.log
+profiles::vault::server::audit_devices:
+ - file:
+ audit_raw:
+ options:
+ path: audit_raw
+ type: file
+ file_path: /data/vault/audit_raw.log
+ log_raw: "true"
+ - file:
+ audit_file:
+ options:
+ path: audit_file
+ type: file
+ file_path: /data/vault/audit.log
+ log_raw: "false"
 vault::package_name: openbao
 vault::package_ensure: latest
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index e5dcf9c..2adf773 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -15,7 +15,7 @@ class profiles::vault::server (
 Stdlib::Absolutepath $ssl_crt = '/etc/pki/tls/vault/certificate.crt',
 Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
 Stdlib::Absolutepath $ssl_ca = '/etc/pki/tls/certs/ca-bundle.crt',
- Stdlib::Absolutepath $audit_log = '/var/log/vault_audit.log',
+ Optional[Array[Hash]] $audit_devices = undef,
 ){
 # set a datacentre/cluster name
@@ -64,18 +64,9 @@ class profiles::vault::server (
 },
 api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
 extra_config => {
- cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
- audit => [
- {
- file => {
- 'audit-file' => {
- options => {
- file_path => $audit_log,
- }
- }
- }
- }
- ],
+ cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+ audit => $audit_devices,
+ unsafe_allow_api_audit_creation => true,
 },
 listener => [
 {
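Review bot: The `audit_raw` device is declared with `log_raw: "true"`, which for the Vault/OpenBao file audit device means request and response payloads — tokens and secret values included — are written to `/data/vault/audit_raw.log` without the usual HMAC, so that file becomes a plaintext record of everything that passes through the server. Neither device sets a `mode`, and both logs live in the same `/data/vault` tree that `profiles::vault::server::data_dir` uses for storage, so an unbounded raw log can fill the storage volume and take both audit devices down together. If the raw device is intentional for a bounded debugging window, I would say so in the hieradata, `# raw device: writes unhashed secrets to disk — temporary, remove when <ticket> closes`, and pin permissions explicitly with `mode: "0600"` in each device's `options` rather than relying on the daemon's default now that the Puppet file resource is gone. I would also double-check that `path` and `type` belong under `options` — the previous manifest only placed `file_path` there — unless the module's config template is known to expect them.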
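Review bot: Swapping `Stdlib::Absolutepath $audit_log = '/var/log/vault_audit.log'` for `Optional[Array[Hash]] $audit_devices = undef` weakens the secure default: previously every node got a file audit device even with no hieradata, whereas now a node whose role lacks a `profiles::vault::server::audit_devices` key is rendered with no audit device at all. Auditing should fail closed, so either keep a default equivalent to the old one, `Array[Hash] $audit_devices = [{ 'file' => { 'audit-file' => { 'options' => { 'file_path' => '/var/log/vault_audit.log' } } } }],`, or keep `Optional` and `fail()` in the class body when the value is empty so a missing hiera key becomes a catalog error instead of a silent loss of audit. The parameter also deserves a doc comment stating its shape, `# one hash per audit device, in the form the vault module's extra_config audit stanza expects`. The class parameter list begins before this hunk.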
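Review bot: `unsafe_allow_api_audit_creation => true` is hard-coded into `extra_config` with no comment, even though the option's own name marks it as unsafe, so a reader cannot tell whether API-created audit devices are genuinely needed alongside the config-declared ones or whether it was added just to get the migration working. I would make it an explicit per-role decision: `Boolean $unsafe_allow_api_audit_creation = false,` in the parameter list and `unsafe_allow_api_audit_creation => $unsafe_allow_api_audit_creation,` here, with a one-line comment on why any role sets it. Separately, `audit => $audit_devices` forwards `undef` when the parameter is unset; whether the module then omits the key or renders `null` into config.json is not visible from this hunk, so it is worth confirming an unset value does not produce a config the daemon rejects at startup. The enclosing resource declaration starts and ends outside this hunk.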
@@ -97,18 +88,11 @@ class profiles::vault::server (
 ]
 }
- # ensure the vault audit log exists
- file { $audit_log:
- ensure => 'file',
- owner => 'vault',
- group => 'vault',
- mode => '0600',
- }
 service { 'vault':
 ensure => true,
 enable => true,
- subscribe => [File[$ssl_crt], File[$ssl_key]],
+ subscribe => [File[$ssl_crt], File[$ssl_key], File['/etc/vault/config.json']],
 }
 # include classes to manage vault
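Review bot: Dropping the `file { $audit_log: ... mode => '0600' }` resource leaves ownership and mode of the audit logs entirely to the daemon, at the same moment the new hieradata can declare a `log_raw` device whose contents are far more sensitive than before; Puppet will no longer correct drift if an operator or a log shipper loosens the permissions. The old default `/var/log/vault_audit.log` is also no longer referenced anywhere, so on already-deployed hosts it stays behind unmanaged — audit records should not simply be deleted, so either keep that path managed with `ensure => file, mode => '0600'` until it has been archived, or state in the commit message that it is intentionally left in place. The added `subscribe => File['/etc/vault/config.json']` depends on a resource this hunk does not declare; if the vault module titles its config file differently, the catalog fails at compile time, which would be worth a comment naming where that resource comes from.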