How to monitor Vault with Google Cloud Platform


Monitor Vault in Google Cloud Platform with the Google Ops Agent. The Ops Agent is available on GitHub, and makes it easy to collect and ship telemetry from dozens of sources directly to your Google Cloud Platform. You can check it out here!
Below are steps to get up and running quickly with observIQ’s Google Cloud Platform integrations, and monitor metrics and logs from Vault in your Google Cloud Platform. You can check out Google’s documentation for using the Ops Agent for Vault here: https://cloud.google.com/stackdriver/docs/solutions/agents/ops-agent/install-index
What signals matter?
Vault is a secrets store that can be distributed across multiple instances with a high level of encryption to securely handle data. Our integration collects metrics around the operations executed against the store as well as metrics related to token interactions. There are also audit logs related to the operations executed.
- vault.memory.usage
  - This metric depicts the Vault RAM usage. Lower memory usage usually correlates to higher performance. If memory usage gets too high, interruptions, crashes, and data loss are possible.
- vault.token.lease.count
  - This metric is used to verify that leases are properly distributed and that there are not more leases attempting access to the vault than expected.
- Operation counts
  - vault.storage.operation.get.count
  - vault.storage.operation.list.count
  - vault.storage.operation.put.count
  - vault.storage.operation.delete.count
  - Operation counts are monitored to ensure that operations are completed correctly and that there aren’t any unexpected operations being performed.
All of the above categories can be gathered with the Vault receiver – so let’s get started.
Before you begin
If you don’t already have an Ops Agent with the latest Vault receiver installed, you’ll need to do that first. Check out the Google Cloud Platform Ops Agent documentation for installation methods, including the one-line installer.
Configuring the Vault receiver for Metrics and Logs
Navigate to your Ops Agent configuration file. You’ll find it in the following location:
- /etc/google-cloud-ops-agent/config.yaml (Linux)
Edit the configuration file for Vault metrics as shown below:
metrics:
  receivers:
    vault:
      type: vault
      token: <VAULT_TOKEN>
      endpoint: 127.0.0.1:8200
  service:
    pipelines:
      vault:
        receivers:
          - vault
For logging, add the following in the same YAML config file:
logging:
  receivers:
    vault_audit:
      type: vault_audit
      include_paths: [/var/log/vault_audit.log]
  service:
    pipelines:
      vault:
        receivers:
          - vault_audit
Restart the Ops Agent with the following command:
sudo service google-cloud-ops-agent restart
sleep 30
You can edit the config file for more precise control over your agent behavior, but it is not necessary. Here is a list of the most relevant fields that you can edit to adjust your agent:
Metrics:
Logs:
Viewing the metrics collected
If you followed the steps detailed above, the following Vault metrics will now be delivered to your preferred destination.
List of metrics collected:
Prefix: workload
observIQ’s monitoring technology is a game changer for organizations that care about performance and efficiency. If you’re using Vault, our solutions can make a significant difference in your infrastructure monitoring. Follow this space to keep up with all our future posts and simplified configurations for various sources. For questions, requests, and suggestions, reach out to our support team at support@observIQ.com.
