How to monitor Vault with Google Cloud Platform

Monitor Vault in Google Cloud Platform with the Google Ops Agent. The Ops Agent is available on GitHub, which makes it easy to collect and ship telemetry from dozens of sources directly to your Google Cloud Platform. You can check it out here!

Below are steps to get up and running quickly with observIQ’s Google Cloud Platform integrations, and monitor metrics and logs from Vault in your Google Cloud Platform. You can check out Google’s documentation for using the Ops Agent for Vault here: https://cloud.google.com/stackdriver/docs/solutions/agents/ops-agent/install-index.

What signals matter?

Vault is a secrets store that can be distributed across multiple instances with a high level of encryption to handle data securely. Our integration collects metrics around the operations executed against the store and metrics related to token interactions. There are also audit logs related to the operation executed.

• vault.memory.usage
  • This metric depicts the Vault RAM usage. Lower memory usage usually correlates to higher performance. If memory usage gets too high, interruptions, crashes, and data loss are possible.
• Vault.token.lease.count
  • This metric verifies that leases are correctly distributed and no more leases are attempting access to the vault than expected.
• Operation counts
  • Vault.storage.operation.get.count
  • Vault.storage.operation.list.count
  • Vault.storage.operation.put.count
  • Vault.storage.operation.delete.count
  • Operation counts are monitored to ensure that operations are completed correctly and that no unexpected operations are performed.

The Vault receiver can gather all the above categories – so let’s get started.

Related Content: Getting Started with BindPlane OP and Google Cloud Operations

Before you begin

If you don’t already have an Ops Agent installed with the latest Vault receiver, you’ll need to do that first. Check out the Google Cloud Platform Ops Agent documentation for installation methods, including the one-line installer.

Configuring the Vault receiver for Metrics and Logs

Navigate to your Ops Agent configuration file. You’ll find it in the following location:

• /etc/google-cloud-ops-agent/config.yaml (Linux)

Edit the configuration file for Vault metrics as shown below:

1metrics:
2  receivers:
3    vault:
4      type: vault
5      token: <VAULT_TOKEN>
6      endpoint: 127.0.0.1:8200
7  service:
8    pipelines:
9      vault:
10        receivers:
11          - vault

For Logging, add the following in the same yaml config file:

1logging:
2  receivers:
3    vault_audit:
4      type: vault_audit
5      include_paths: [/var/log/vault_audit.log] 
6  service:
7    pipelines:
8      vault:
9        receivers:
10          - vault_audit

Restart the Ops Agent with the following command:

1sudo service google-cloud-ops-agent restart
2sleep 30

You can edit the config file for more precise control over your agent behavior, but it is not necessary. Here is a list of the most relevant editable fields that you can edit to adjust your agent:

Metrics:

Logs:

Viewing the metrics collected

If you follow the steps above, the following Vault metrics will now be delivered to your preferred destination.

List of metrics collected:
Prefix: workload

observIQ’s monitoring technology is a game changer for organizations that care about performance and efficiency. If you’re using Vault, our solutions can significantly impact your infrastructure monitoring. Follow this space to keep up with all our future posts and simplified configurations for various sources. For questions, requests, and suggestions, contact our support team at support@observIQ.com.