update 1.20 and 1.19 for rotation logging

Author: kpcraig

content/vault/v1.19.x/content/docs/auth/ldap.mdx

@@ -184,6 +184,8 @@ Use `vault path-help` for more details.
 The root bindpass can be rotated to a Vault-generated value that is not accessible by the operator.
 This will ensure that only Vault is able to access the "root" user that Vault uses to manipulate credentials.
 
+Manual root rotations will be logged to the vault.log and state that the rotation was `on user request`.
+
 ```shell-session
 vault write -f auth/ldap/config/rotate-root
 ```
@@ -231,6 +233,8 @@ TTL.
 For more details on rotating root credentials in the Azure plugin, refer to the
 [Root credential rotation](/vault/api-docs/auth/ldap#rotate-root) API docs.
 
+@include 'rotation-manager-logging.mdx'
+
 ## Examples:
 
 ### Scenario 1

content/vault/v1.19.x/content/docs/secrets/databases/index.mdx

@@ -104,7 +104,7 @@ TTL.
 For more details on rotating root credentials in the DB Secrets engine, refer to the
 [Rotate Root credentials](/vault/api-docs/secret/databases#rotate-root-credentials) API docs.
 
-
+@include 'rotation-manager-logging.mdx'
 
 ## Setup
 
@@ -296,6 +296,9 @@ or otherwise, it will not be rotated until the next scheduled rotation.
 !> The `rotation_period` and `rotation_schedule` fields are
 mutually exclusive. One of them must be set but not both.
 
+Rotations will be logged with reference to the `name` of the role and `error`
+if failed. They will also indicate that they were rotated in a `periodic function`.
+
 ## Password generation
 
 Passwords are generated via [Password Policies](/vault/docs/concepts/password-policies).

content/vault/v1.19.x/content/docs/secrets/ldap.mdx

@@ -158,6 +158,8 @@ TTL.
 For more details on rotating root credentials in the Azure plugin, refer to the
 [Root credential rotation](/vault/api-docs/secret/ldap#rotate-root) API docs.
 
+@include 'rotation-manager-logging.mdx'
+
 ## Static credentials
 
 ### Setup
@@ -194,11 +196,18 @@ role, the response will include the time before the next rotation (`ttl`).
 The `binddn` account used by Vault should be rotated using the `rotate-root` endpoint to generate a password
 only Vault will know.
 
+Similar to the rotation manager, rotations will be logged with reference to the
+`name` of the role and `error` if failed. They will also indicate that they were rotated in
+a `periodic function`.
+
 ### Manual rotation
 
 Static roles can be manually rotated using the `rotate-role` endpoint. When manually
 rotated the rotation period will start over.
 
+Logging here will be similar to the other rotation logging, and will reference that the
+rotation happened `on user request`.
+
 ### Deleting static roles
 
 Passwords are not rotated upon deletion of a static role. The password should be manually

content/vault/v1.19.x/content/partials/rotation-manager-logging.mdx

@@ -0,0 +1,7 @@
+### Rotation Logging
+The rotation manager emits logs (to the standard `vault.log`) on any successful or failed
+rotation. In the case of success, the log will note which credential was rotated, under
+the `rotationID` key, and the anticipated time of the next rotation, under the key `expire_time`.
+In the case of failure, the log will include the `rotationID` and an `err` reason.
+Other logs may be emitted, depending on the set log level. When associated with a specific
+credential, the `rotationID` will be included as the first parameter.

content/vault/v1.20.x/content/docs/auth/ldap.mdx

@@ -198,6 +198,8 @@ This will ensure that only Vault is able to access the "root" user that Vault us
 vault write -f auth/ldap/config/rotate-root
 ```
 
+Manual root rotations will be logged to the vault.log and state that the rotation was `on user request`.
+
 ### Schedule-based root credential rotation
 
 @include 'alerts/enterprise-only.mdx'
@@ -241,6 +243,8 @@ TTL.
 For more details on rotating root credentials in the Azure plugin, refer to the
 [Root credential rotation](/vault/api-docs/auth/ldap#rotate-root) API docs.
 
+@include rotation-manager-logging.mdx
+
 ## Examples:
 
 ### Scenario 1

content/vault/v1.20.x/content/docs/secrets/databases/index.mdx

@@ -105,6 +105,8 @@ TTL.
 For more details on rotating root credentials in the DB Secrets engine, refer to the
 [Rotate Root credentials](/vault/api-docs/secret/databases#rotate-root-credentials) API docs.
 
+@include 'rotation-manager-logging.mdx'
+
 ## Setup
 
 Most secrets engines must be configured in advance before they can perform their
@@ -397,6 +399,9 @@ or otherwise, it will not be rotated until the next scheduled rotation.
 !> The `rotation_period` and `rotation_schedule` fields are
 mutually exclusive. One of them must be set but not both.
 
+Rotations will be logged with reference to the `name` of the role and `error`
+if failed. They will also indicate that they were rotated in a `periodic function`.
+
 ## Password generation
 
 Passwords are generated via [Password Policies](/vault/docs/concepts/password-policies).

content/vault/v1.20.x/content/docs/secrets/ldap.mdx

@@ -155,9 +155,11 @@ of the root credential until the field is reset to `false`. If you use
 `rotation_period`, setting `disable_automated_rotation` also resets the credential
 TTL.
 
-For more details on rotating root credentials in the Azure plugin, refer to the
+For more details on rotating root credentials in the LDAP plugin, refer to the
 [Root credential rotation](/vault/api-docs/secret/ldap#rotate-root) API docs.
 
+@include 'rotation-manager-logging.mdx'
+
 ## Static credentials
 
 ### Setup
@@ -194,11 +196,18 @@ role, the response will include the time before the next rotation (`ttl`).
 The `binddn` account used by Vault should be rotated using the `rotate-root` endpoint to generate a password
 only Vault will know.
 
+Similar to the rotation manager, rotations will be logged with reference to the
+`name` of the role and `error` if failed. They will also indicate that they were rotated in
+a `periodic function`.
+
 ### Manual rotation
 
 Static roles can be manually rotated using the `rotate-role` endpoint. When manually
 rotated the rotation period will start over.
 
+Logging here will be similar to the other rotation logging, and will reference that the
+rotation happened `on user request`.
+
 ### Deleting static roles
 
 Passwords are not rotated upon deletion of a static role. The password should be manually

content/vault/v1.20.x/content/partials/rotation-manager-logging.mdx

@@ -0,0 +1,7 @@
+### Rotation Logging
+The rotation manager emits logs (to the standard `vault.log`) on any successful or failed
+rotation. In the case of success, the log will note which credential was rotated, under
+the `rotationID` key, and the anticipated time of the next rotation, under the key `expire_time`.
+In the case of failure, the log will include the `rotationID` and an `err` reason.
+Other logs may be emitted, depending on the set log level. When associated with a specific
+credential, the `rotationID` will be included as the first parameter.