Live Workshop: Integrate Google SecOps with Bindplane - Join Us on January 29th at 11 AM ET!Sign Up Now
Google Cloud

How to monitor Vault with Google Cloud Platform

Nico Stewart
Nico Stewart
Share:

Monitor Vault in Google Cloud Platform with the Google Ops Agent. The Ops Agent is available on GitHub, which makes it easy to collect and ship telemetry from dozens of sources directly to your Google Cloud Platform. You can check it out here!

Below are steps to get up and running quickly with observIQ’s Google Cloud Platform integrations, and monitor metrics and logs from Vault in your Google Cloud Platform. You can check out Google’s documentation for using the Ops Agent for Vault here: https://cloud.google.com/stackdriver/docs/solutions/agents/ops-agent/install-index.

What signals matter?

Vault is a secrets store that can be distributed across multiple instances with a high level of encryption to handle data securely. Our integration collects metrics around the operations executed against the store and metrics related to token interactions. There are also audit logs related to the operation executed.

  • vault.memory.usage
    • This metric depicts the Vault RAM usage. Lower memory usage usually correlates to higher performance. If memory usage gets too high, interruptions, crashes, and data loss are possible.
  • Vault.token.lease.count
    • This metric verifies that leases are correctly distributed and no more leases are attempting access to the vault than expected.
  • Operation counts
    • Vault.storage.operation.get.count
    • Vault.storage.operation.list.count
    • Vault.storage.operation.put.count
    • Vault.storage.operation.delete.count
    • Operation counts are monitored to ensure that operations are completed correctly and that no unexpected operations are performed.

The Vault receiver can gather all the above categories – so let’s get started.

Related Content: Getting Started with BindPlane OP and Google Cloud Operations

Before you begin

If you don’t already have an Ops Agent installed with the latest Vault receiver, you’ll need to do that first. Check out the Google Cloud Platform Ops Agent documentation for installation methods, including the one-line installer.

Configuring the Vault receiver for Metrics and Logs

Navigate to your Ops Agent configuration file. You’ll find it in the following location:

  • /etc/google-cloud-ops-agent/config.yaml (Linux)

Edit the configuration file for Vault metrics as shown below:

yaml
1metrics:
2  receivers:
3    vault:
4      type: vault
5      token: <VAULT_TOKEN>
6      endpoint: 127.0.0.1:8200
7  service:
8    pipelines:
9      vault:
10        receivers:
11          - vault

For Logging, add the following in the same yaml config file:

yaml
1logging:
2  receivers:
3    vault_audit:
4      type: vault_audit
5      include_paths: [/var/log/vault_audit.log] 
6  service:
7    pipelines:
8      vault:
9        receivers:
10          - vault_audit

Restart the Ops Agent with the following command:

sh
1sudo service google-cloud-ops-agent restart
2sleep 30

You can edit the config file for more precise control over your agent behavior, but it is not necessary. Here is a list of the most relevant editable fields that you can edit to adjust your agent:

Metrics:

FieldRequired or OptionalDefaultDescription
typerequiredMust be vault.
endpointoptionallocalhost:8200hostname:port of vault instance to be monitored.
metrics_pathoptional/v1/sys/metricsthe path for metrics collection.
tokenoptionalToken used for authentication.
schemeoptionalhttpThe scheme to use for the request.
collection_intervaloptionalA [time.Duration](https://pkg.go.dev/time#ParseDuration) value, such as 30s or 5m.
insecureoptionalTRUESignals whether to use a secure TLS connection or not. If insecure is true TLS will not be enabled.
insecure_skip_verifyoptionalFALSEWhether to skip verifying the certificate or not. A false value of insecure_skip_verify will not be used if insecure is true as the connection will not use TLS at all.
cert_fileoptionalPath to the TLS cert to use for mTLS required connections.
key_fileoptionalPath to the TLS key to use for mTLS required connections.
ca_fileoptionalPath to the CA cert. As a client this verifies the server certificate. If empty, use system root CA.

Logs:

FieldDefaultDescription
typerequiredMust be vault_audit.
include_pathsrequiredThe log files to read.
exclude_paths[]Log files to exclude (if include_paths contains a glob or directory).

Viewing the metrics collected

If you follow the steps above, the following Vault metrics will now be delivered to your preferred destination.

List of metrics collected:
Prefix: workload

NameTypeUnitAttributesDescription
vault.core.request.countgauge{requests}The number of requests handled by the Vault core.
vault.core.leader.durationgaugemsThe average amount of time a core was the leader in high availability mode.
vault.token.lease.countgauge{tokens}The number of tokens that are leased for eventual expiration.
vault.token.countcumulative{tokens}namespace, clusterThe number of tokens created.
vault.token.revoke.timegaugemsThe average time taken to revoke a token.
vault.token.renew.timegaugemsThe average time taken to renew a token.
vault.audit.request.failedgauge{requests}The number of audit log requests that have failed.
vault.audit.response.failedgauge{responses}The number of audit log responses that have failed.
vault.memory.usagegaugebytesThe amount of memory used by Vault.
vault.storage.operation.put.timecumulativemsstorageThe duration of put operations executed against the storage backend.
vault.storage.operation.delete.timecumulativemsstorageThe duration of delete operations executed against the storage backend.
vault.storage.operation.list.timecumulativemsstorageThe duration of list operations executed against the storage backend.
vault.storage.operation.get.timecumulativemsstorageThe duration of get operations executed against the storage backend.
vault.storage.operation.put.countcumulativeoperationsstorageThe count of put operations executed against the storage backend.
vault.storage.operation.delete.countcumulativeoperationsstorageThe count of delete operations executed against the storage backend.
vault.storage.operation.list.countcumulativeoperationsstorageThe count of list operations executed against the storage backend.
vault.storage.operation.get.countcumulativeoperationsstorageThe count of get operations executed against the storage backend.

observIQ’s monitoring technology is a game changer for organizations that care about performance and efficiency. If you’re using Vault, our solutions can significantly impact your infrastructure monitoring. Follow this space to keep up with all our future posts and simplified configurations for various sources. For questions, requests, and suggestions, contact our support team at support@observIQ.com.

Nico Stewart
Nico Stewart
Share:

Related posts

All posts

Get our latest content
in your inbox every week

By subscribing to our Newsletter, you agreed to our Privacy Notice

Community Engagement

Join the Community

Become a part of our thriving community, where you can connect with like-minded individuals, collaborate on projects, and grow together.

Ready to Get Started

Deploy in under 20 minutes with our one line installation script and start configuring your pipelines.

Try it now