Vault
Enable Vault telemetry gathering
Collect telemetry data from your Vault installation.
Before you start
- You must have Vault 1.14 or later installed and running.
- You must have access to your Vault configuration file.
Step 1: Choose an aggregation agent
Vault uses the go-metrics package to export telemetry and supports the following aggregation agents for time-series monitoring:
Config prefix | Name | Company |
---|---|---|
circonus | Circonus | Circonus |
dogstatsd | DogStatsD | Datadog |
prometheus | Prometheus | Prometheus / Open source |
stackdriver | Cloud Operations | |
statsd | Statsd | Open source |
statsite | Statsite | Open source |
Step 2: Enable at least one audit device
To include audit-related metrics, you must enable auditing on at least one device with the vault audit enable command. For example, to enable auditing for the file device and save the logs to /var/log/vault_audit.log:
$ vault audit enable file file_path=/var/log/vault_audit.log
By default, Enterprise installations replicate audit devices to the secondary performance nodes in a cluster. To limit performance replication for an audit device, use the -local flag to mark the device as local to the current node:
$ vault audit enable -local file file_path=/var/log/vault_audit.log
Step 3: Configure telemetry collection
To configure telemetry collection, update the telemetry stanza in your Vault configuration with your collection preferences and aggregation agent details.
For example, the following telemetry stanza configures Vault with the standard telemetry defaults and connects it to a Statsite agent running on the default port within a company intranet at mycompany.statsite:
telemetry {
  usage_gauge_period = "10m"
  maximum_gauge_cardinality = 500
  disable_hostname = false
  enable_hostname_label = false
  lease_metrics_epsilon = "1h"
  num_lease_metrics_buckets = 168
  add_lease_metrics_namespace_labels = false
  filter_default = true
  statsite_address = "mycompany.statsite:8125"
}
Many metrics solutions charge by the metric. You can set filter_default to false and use the prefix_filter parameter to include and exclude specific values based on metric name to avoid paying for irrelevant information.
For example, to limit your telemetry to the core token metrics plus the number of leases set to expire:
telemetry {
  filter_default = false
  prefix_filter = ["+vault.token", "-vault.expire", "+vault.expire.num_leases"]
}
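To preview which metrics a prefix_filter list keeps before you deploy it, the following Go sketch models the filter. It is an added example, not code from Vault or go-metrics, and it assumes that the longest matching prefix decides and that filter_default applies when no prefix matches. The Filter type, NewFilter, Allowed, and the sample metric names are illustrative.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter models the filter_default and prefix_filter telemetry settings.
type Filter struct {
	Default bool            // filter_default
	rules   map[string]bool // prefix -> true for "+", false for "-"
}

// NewFilter parses prefix_filter entries such as "+vault.token".
func NewFilter(filterDefault bool, prefixFilter []string) (*Filter, error) {
	f := &Filter{Default: filterDefault, rules: map[string]bool{}}
	for _, entry := range prefixFilter {
		if len(entry) < 2 || (entry[0] != '+' && entry[0] != '-') {
			return nil, fmt.Errorf("bad prefix_filter entry %q", entry)
		}
		f.rules[entry[1:]] = entry[0] == '+'
	}
	return f, nil
}

// Allowed reports whether a metric name would be emitted.
// Assumption: the longest matching prefix wins; with no match,
// filter_default decides.
func (f *Filter) Allowed(metric string) bool {
	verdict, longest := f.Default, -1
	for prefix, allow := range f.rules {
		if strings.HasPrefix(metric, prefix) && len(prefix) > longest {
			verdict, longest = allow, len(prefix)
		}
	}
	return verdict
}

func main() {
	// Filter values taken from the stanza above.
	f, err := NewFilter(false, []string{"+vault.token", "-vault.expire", "+vault.expire.num_leases"})
	if err != nil {
		panic(err)
	}
	// Metric names constructed for illustration.
	for _, m := range []string{"vault.token.create", "vault.expire.revoke",
		"vault.expire.num_leases", "vault.core.unsealed"} {
		fmt.Printf("%-26s emitted=%v\n", m, f.Allowed(m))
	}
}
```

Run the model against the metric names your dashboards and alerts depend on, so a cost-saving filter does not silently drop a signal you monitor.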
Step 4: Choose a reporting solution
You need to save or forward your telemetry data to a separate storage solution for reporting, analysis, and alerting. Which solution you need depends on the feature set provided by your aggregation agent and the protocol support of your reporting platform.
Popular reporting solutions compatible with Vault:
- Grafana
- Graphite
- InfluxData: Telegraf
- InfluxData: InfluxDB
- InfluxData: Chronograf
- InfluxData: Kapacitor
- Splunk
Next steps
- Review the Key metrics for common health checks guide to identify metrics you may want to start monitoring immediately.
- Review the full list of available telemetry parameters.
- Review the Monitor telemetry and audit device log data tutorial for general monitoring guidance and steps to configure your Vault telemetry for Splunk using Telegraf and Fluentd.
- Review the Monitor telemetry with Prometheus and Grafana tutorial to configure your Vault telemetry for Prometheus and Grafana.