Hashicorp Vault

Stay organized with collections Save and categorize content based on your preferences.

Vault is an identity-based secrets and encryption management system. This integration collects Vault's audit logs. The integration also collects token, memory, and storage metrics.

For more information about Vault, see the Hashicorp Vault documentation.

Prerequisites

To collect Vault telemetry, you must install the Ops Agent:

  • For logs, install version 2.18.1 or higher.
  • For metrics, install version 2.18.2 or higher.

This integration supports Vault version 1.6+.

Configure the Ops Agent for Vault

Following the guide for Configuring the Ops Agent, add the required elements to collect telemetry from Vault instances, and restart the agent.

Example configuration

The following command creates the configuration to collect and ingest telemetry for Vault and restarts the Ops Agent.

# Configures Ops Agent to collect telemetry from the app and restart Ops Agent.

set -e

VAULT_TOKEN=$(grep 'Initial Root Token:' init.out | awk '{print $4}')


sudo tee /etc/google-cloud-ops-agent/config.yaml > /dev/null << EOF
metrics:
  receivers:
    vault:
      type: vault
      token: $VAULT_TOKEN
      endpoint: 127.0.0.1:8200
  service:
    pipelines:
      vault:
        receivers:
          - vault
logging:
  receivers:
    vault_audit:
      type: vault_audit
      include_paths: [/var/log/vault_audit.log]
  service:
    pipelines:
      vault:
        receivers:
          - vault_audit
EOF

sudo service google-cloud-ops-agent restart

Configure logs collection

To ingest logs from Vault, you must create receivers for the logs that Vault produces and then create a pipeline for the new receivers.

To configure a receiver for your vault_audit logs, specify the following fields:

Field Default Description
exclude_paths A list of filesystem path patterns to exclude from the set matched by include_paths.
include_paths A list of filesystem paths to read by tailing each file. A wild card (*) can be used in the paths.
record_log_file_path false If set to true, then the path to the specific file from which the log record was obtained appears in the output log entry as the value of the agent.googleapis.com/log_file_path label. When using a wildcard, only the path of the file from which the record was obtained is recorded.
type The value must be vault_audit.
wildcard_refresh_interval 60s The interval at which wildcard file paths in include_paths are refreshed. Given as a time duration, for example 30s or 2m. This property might be useful under high logging throughputs where log files are rotated faster than the default interval.

What is logged

The logName is derived from the receiver IDs specified in the configuration. Detailed fields inside the LogEntry are as follows.

The vault_audit logs contain the following fields in the LogEntry:

Field Type Description
jsonPayload.auth.token_type string
jsonPayload.request.namespace.id string
jsonPayload.request.path string The requested Vault path for operation.
jsonPayload.request.operation string This is the type of operation which corresponds to path capabilities and is expected to be one of: create, read, update, delete, or list.
jsonPayload.type string The type of audit log.
jsonPayload.error string If an error occurred with the request, the error message is included in this field's value.
jsonPayload.auth.client_token string This is an HMAC of the client's token ID.
jsonPayload.auth.accessor string This is an HMAC of the client token accessor.
jsonPayload.auth.display_name string This is the display name set by the auth method role or explicitly at secret creation time.
jsonPayload.auth.policies object This will contain a list of policies associated with the client_token.
jsonPayload.auth.metadata object This will contain a list of metadata key/value pairs associated with the client_token.
jsonPayload.auth.entity_id string This is a token entity identifier.
jsonPayload.request.id string This is the unique request identifier.
jsonPayload.request.client_token string This is an HMAC of the client's token ID.
jsonPayload.request.client_token_accessor string This is an HMAC of the client token accessor.
jsonPayload.request.data object The data object will contain secret data in key/value pairs.
jsonPayload.request.policy_override boolean This is true when a soft-mandatory policy override was requested.
jsonPayload.request.remote_address string The IP address of the client making the request.
jsonPayload.request.wrap_ttl string If the token is wrapped, this displays configured wrapped TTL value as numeric string.
jsonPayload.request.headers object Additional HTTP headers specified by the client as part of the request.
jsonPayload.response.data.creation_time string RFC 3339 format timestamp of the token's creation.
jsonPayload.response.data.creation_ttl string Token creation TTL in seconds.
jsonPayload.response.data.expire_time string RFC 3339 format timestamp representing the moment this token will expire.
jsonPayload.response.data.explicit_max_ttl string Explicit token maximum TTL value as seconds ("0" when not set).
jsonPayload.response.data.issue_time string RFC 3339 format timestamp.
jsonPayload.response.data.num_uses number If the token is limited to a number of uses, that value will be represented here.
jsonPayload.response.data.orphan boolean Boolean value representing whether the token is an orphan.
jsonPayload.response.data.renewable boolean Boolean value representing whether the token is an orphan.
jsonPayload.response.data.id string This is the unique response identifier.
jsonPayload.response.data.path string The requested Vault path for operation.
jsonPayload.response.data.policies object This will contain a list of policies associated with the client_token.
jsonPayload.response.data.accessor string This is an HMAC of the client token accessor.
jsonPayload.response.data.display_name string This is the display name set by the auth method role or explicitly at secret creation time.
jsonPayload.response.data.display_name string This is the display name set by the auth method role or explicitly at secret creation time.
jsonPayload.response.data.entity_id string This is a token entity identifier.
timestamp string (Timestamp) Time the request was received

Configure metrics collection

To ingest metrics from Vault, you must create receivers for the metrics that Vault produces and then create a pipeline for the new receivers.

To configure a receiver for your vault metrics, specify the following fields:

Field Default Description
ca_file Path to the CA certificate. As a client, this verifies the server certificate. If empty, the receiver uses the system root CA.
cert_file Path to the TLS certificate to use for mTLS-required connections.
collection_interval 60s A time.Duration value, such as 30s or 5m.
endpoint localhost:8200 The 'hostname:port' used by vault
insecure true Sets whether or not to use a secure TLS connection. If set to false, then TLS is enabled.
insecure_skip_verify false Sets whether or not to skip verifying the certificate. If insecure is set to true, then the 'insecure_skip_verify` value is not used.
key_file Path to the TLS key to use for mTLS-required connections.
metrics_path /v1/sys/metrics The path for metrics collection.
token localhost:8200 Token used for authentication.
type This value must be vault.

What is monitored

The following table provides the list of metrics that the Ops Agent collects from the Vault instance.

Metric type 
Kind, Type
Monitored resources
Labels
workload.googleapis.com/vault.audit.request.failed
CUMULATIVEINT64
gce_instance
 
workload.googleapis.com/vault.audit.response.failed
CUMULATIVEINT64
gce_instance
 
workload.googleapis.com/vault.core.leader.duration
GAUGEDOUBLE
gce_instance
 
workload.googleapis.com/vault.core.request.count
GAUGEINT64
gce_instance
cluster
workload.googleapis.com/vault.memory.usage
GAUGEDOUBLE
gce_instance
 
workload.googleapis.com/vault.storage.operation.delete.count
CUMULATIVEINT64
gce_instance
storage
workload.googleapis.com/vault.storage.operation.delete.time
CUMULATIVEDOUBLE
gce_instance
storage
workload.googleapis.com/vault.storage.operation.get.count
CUMULATIVEINT64
gce_instance
storage
workload.googleapis.com/vault.storage.operation.get.time
CUMULATIVEDOUBLE
gce_instance
storage
workload.googleapis.com/vault.storage.operation.list.count
CUMULATIVEINT64
gce_instance
storage
workload.googleapis.com/vault.storage.operation.list.time
CUMULATIVEDOUBLE
gce_instance
storage
workload.googleapis.com/vault.storage.operation.put.count
CUMULATIVEINT64
gce_instance
storage
workload.googleapis.com/vault.storage.operation.put.time
CUMULATIVEDOUBLE
gce_instance
storage
workload.googleapis.com/vault.token.count
GAUGEINT64
gce_instance
namespace
cluster
workload.googleapis.com/vault.token.lease.count
GAUGEINT64
gce_instance
 
workload.googleapis.com/vault.token.renew.time
GAUGEINT64
gce_instance
 
workload.googleapis.com/vault.token.revoke.time
GAUGEINT64
gce_instance
 

Sample dashboard

To view your Vault metrics, you must have a chart or dashboard configured. Cloud Monitoring provides a library of sample dashboards for integrations, which contain preconfigured charts. For information about installing these dashboards, see Installing sample dashboards.

Verify the configuration

This section describes how to verify that you correctly configured the Vault receiver. It might take one or two minutes for the Ops Agent to begin collecting telemetry.

To verify that the logs are ingested, go to the Logs Explorer and run the following query to view the Vault logs:

resource.type="gce_instance"
log_id("vault_audit")

To verify that the metrics are ingested, go to Metrics Explorer and run the following query in the MQL tab:

fetch gce_instance
| metric 'workload.googleapis.com/vault.memory.usage'
| every 1m

What's next

For a walkthrough on how to use Ansible to install the Ops Agent, configure a third-party application, and install a sample dashboard, see the Install the Ops Agent to troubleshoot third-party applications video.