Hashicorp Vault

Vault is an identity-based secrets and encryption management system. This integration collects Vault's audit logs. The integration also collects token, memory, and storage metrics.

For more information about Vault, see the Hashicorp Vault documentation.

Prerequisites

To collect Vault telemetry, you must install the Ops Agent:

For metrics, install version 2.18.2 or higher.
For logs, install version 2.18.1 or higher.

This integration supports Vault version 1.6+.

Configure your Vault instance

To collect telemetry from your Vault instance, you must set the prometheus_retention_time field to a non-zero value in your HCL or JSON Vault configuration file.

Full configuration options can be found at https://www.vaultproject.io/docs/configuration
telemetry {
  prometheus_retention_time = "10m"
  disable_hostname = false
}

Additionally, a root user is required to enable audit-log collection and to create a prometheus-metrics ACL policy. A root token is used to add a policy that has read capabilities to the /sys/metrics endpoint. This policy is used to create a Vault token with sufficient permission to collect Vault metrics.

If you are initializing Vault for the first time, then you can use the following script to generate a root token. Otherwise, see Generate Root Tokens Using Unseal Keys for information about generating a root token.

export VAULT_ADDR=http://localhost:8200
# Create simple Vault initialization with 1 key share and a key threshold of 1.
vault operator init -key-shares=1 -key-threshold=1 | head -n3 | cat > .vault-init
VAULT_KEY=$(grep 'Unseal Key 1'  .vault-init | awk '{print $NF}')
VAULT_TOKEN=$(grep 'Initial Root Token:' .vault-init | awk '{print $NF}')
export VAULT_TOKEN
vault operator unseal $VAULT_KEY

# Enable audit logs.
vault audit enable file file_path=/var/log/vault_audit.log

# Create Prometheus ACL policy to access metrics endpoint.
vault policy write prometheus-metrics - << EOF
path "/sys/metrics" {
  capabilities = ["read"]
}
EOF

# Create an example token with the prometheus-metrics policy to access Vault metrics.
# This token is used as `$VAULT_TOKEN` in your Ops Agent configuration for Vault.
vault token create -field=token -policy prometheus-metrics > prometheus-token

Configure the Ops Agent for Vault

Following the guide to Configure the Ops Agent, add the required elements to collect telemetry from Vault instances, and restart the agent.

Example configuration

The following commands create the configuration to collect and ingest telemetry for Vault and restart the Ops Agent.

# Configures Ops Agent to collect telemetry from the app and restart Ops Agent.

set -e

# Create a back up of the existing file so existing configurations are not lost.
sudo cp /etc/google-cloud-ops-agent/config.yaml /etc/google-cloud-ops-agent/config.yaml.bak

# Create a Vault token that has read capabilities to /sys/metrics policy.
# For more information see: https://developer.hashicorp.com/vault/tutorials/monitoring/monitor-telemetry-grafana-prometheus?in=vault%2Fmonitoring#define-prometheus-acl-policy
VAULT_TOKEN=$(cat prometheus-token)


sudo tee /etc/google-cloud-ops-agent/config.yaml > /dev/null << EOF
metrics:
  receivers:
    vault:
      type: vault
      token: $VAULT_TOKEN
      endpoint: 127.0.0.1:8200
  service:
    pipelines:
      vault:
        receivers:
          - vault
logging:
  receivers:
    vault_audit:
      type: vault_audit
      include_paths: [/var/log/vault_audit.log]
  service:
    pipelines:
      vault:
        receivers:
          - vault_audit
EOF

sudo service google-cloud-ops-agent restart

Configure logs collection

To ingest logs from Vault, you must create a receiver for the logs that Vault produces and then create a pipeline for the new receiver.

To configure a receiver for your vault_audit logs, specify the following fields:

Field	Default	Description
`exclude_paths`		A list of filesystem path patterns to exclude from the set matched by `include_paths`.
`include_paths`		A list of filesystem paths to read by tailing each file. A wild card (`*`) can be used in the paths.
`record_log_file_path`	`false`	If set to `true`, then the path to the specific file from which the log record was obtained appears in the output log entry as the value of the `agent.googleapis.com/log_file_path` label. When using a wildcard, only the path of the file from which the record was obtained is recorded.
`type`		The value must be `vault_audit`.
`wildcard_refresh_interval`	`60s`	The interval at which wildcard file paths in `include_paths` are refreshed. Given as a time duration, for example `30s` or `2m`. This property might be useful under high logging throughputs where log files are rotated faster than the default interval.

What is logged

The logName is derived from the receiver IDs specified in the configuration. Detailed fields inside the LogEntry are as follows.

The vault_audit logs contain the following fields in the LogEntry:

Field	Type	Description
`jsonPayload.auth`	struct
`jsonPayload.auth.accessor`	string	This is an HMAC of the client token accessor.
`jsonPayload.auth.client_token`	string	This is an HMAC of the client's token ID.
`jsonPayload.auth.display_name`	string	This is the display name set by the auth method role or explicitly at secret creation time.
`jsonPayload.auth.entity_id`	string	This is a token entity identifier.
`jsonPayload.auth.metadata`	object	This will contain a list of metadata key/value pairs associated with the client_token.
`jsonPayload.auth.policies`	object	This will contain a list of policies associated with the client_token.
`jsonPayload.auth.token_type`	string
`jsonPayload.error`	string	If an error occurred with the request, the error message is included in this field's value.
`jsonPayload.request`	struct
`jsonPayload.request.client_token`	string	This is an HMAC of the client's token ID.
`jsonPayload.request.client_token_accessor`	string	This is an HMAC of the client token accessor.
`jsonPayload.request.data`	object	The data object will contain secret data in key/value pairs.
`jsonPayload.request.headers`	object	Additional HTTP headers specified by the client as part of the request.
`jsonPayload.request.id`	string	This is the unique request identifier.
`jsonPayload.request.namespace.id`	string
`jsonPayload.request.operation`	string	This is the type of operation which corresponds to path capabilities and is expected to be one of: `create`, `read`, `update`, `delete`, or `list`.
`jsonPayload.request.path`	string	The requested Vault path for operation.
`jsonPayload.request.policy_override`	boolean	This is `true` when a soft-mandatory policy override was requested.
`jsonPayload.request.remote_address`	string	The IP address of the client making the request.
`jsonPayload.request.wrap_ttl`	string	If the token is wrapped, this displays configured wrapped TTL value as numeric string.
`jsonPayload.response`	struct
`jsonPayload.response.data.accessor`	string	This is an HMAC of the client token accessor.
`jsonPayload.response.data.creation_time`	string	RFC 3339 format timestamp of the token's creation.
`jsonPayload.response.data.creation_ttl`	string	Token creation TTL in seconds.
`jsonPayload.response.data.display_name`	string	This is the display name set by the auth method role or explicitly at secret creation time.
`jsonPayload.response.data.entity_id`	string	This is a token entity identifier.
`jsonPayload.response.data.expire_time`	string	RFC 3339 format timestamp representing the moment this token will expire.
`jsonPayload.response.data.explicit_max_ttl`	string	Explicit token maximum TTL value as seconds ("0" when not set).
`jsonPayload.response.data.id`	string	This is the unique response identifier.
`jsonPayload.response.data.issue_time`	string	RFC 3339 format timestamp.
`jsonPayload.response.data.num_uses`	number	If the token is limited to a number of uses, that value will be represented here.
`jsonPayload.response.data.orphan`	boolean	Boolean value representing whether the token is an orphan.
`jsonPayload.response.data.path`	string	The requested Vault path for operation.
`jsonPayload.response.data.policies`	object	This will contain a list of policies associated with the client_token.
`jsonPayload.response.data.renewable`	boolean	Boolean value representing whether the token is an orphan.
`jsonPayload.type`	string	The type of audit log.
`severity`	string (`LogSeverity`)	Log entry level (translated).

Configure metrics collection

To ingest metrics from Vault, you must create a receiver for the metrics that Vault produces and then create a pipeline for the new receiver.

This receiver does not support the use of multiple instances in the configuration, for example, to monitor multiple endpoints. All such instances write to the same time series, and Cloud Monitoring has no way to distinguish among them.

To configure a receiver for your vault metrics, specify the following fields:

Field	Default	Description
`ca_file`		Path to the CA certificate. As a client, this verifies the server certificate. If empty, the receiver uses the system root CA.
`cert_file`		Path to the TLS certificate to use for mTLS-required connections.
`collection_interval`	`60s`	A time duration value, such as `30s` or `5m`.
`endpoint`	`localhost:8200`	The 'hostname:port' used by Vault.
`insecure`	`true`	Sets whether or not to use a secure TLS connection. If set to `false`, then TLS is enabled.
`insecure_skip_verify`	`false`	Sets whether or not to skip verifying the certificate. If `insecure` is set to `true`, then the `insecure_skip_verify` value is not used.
`key_file`		Path to the TLS key to use for mTLS-required connections.
`metrics_path`	`/v1/sys/metrics`	The path for metrics collection.
`token`	`localhost:8200`	Token used for authentication.
`type`		This value must be `vault`.

What is monitored

The following table provides the list of metrics that the Ops Agent collects from the Vault instance.

Metric type
Kind, Type Monitored resources	Labels
`workload.googleapis.com/vault.audit.request.failed`
`CUMULATIVE`, `INT64` gce_instance
`workload.googleapis.com/vault.audit.response.failed`
`CUMULATIVE`, `INT64` gce_instance
`workload.googleapis.com/vault.core.leader.duration`
`GAUGE`, `DOUBLE` gce_instance
`workload.googleapis.com/vault.core.request.count`
`GAUGE`, `INT64` gce_instance	`cluster`
`workload.googleapis.com/vault.memory.usage`
`GAUGE`, `DOUBLE` gce_instance
`workload.googleapis.com/vault.storage.operation.delete.count`
`CUMULATIVE`, `INT64` gce_instance	`storage`
`workload.googleapis.com/vault.storage.operation.delete.time`
`CUMULATIVE`, `DOUBLE` gce_instance	`storage`
`workload.googleapis.com/vault.storage.operation.get.count`
`CUMULATIVE`, `INT64` gce_instance	`storage`
`workload.googleapis.com/vault.storage.operation.get.time`
`CUMULATIVE`, `DOUBLE` gce_instance	`storage`
`workload.googleapis.com/vault.storage.operation.list.count`
`CUMULATIVE`, `INT64` gce_instance	`storage`
`workload.googleapis.com/vault.storage.operation.list.time`
`CUMULATIVE`, `DOUBLE` gce_instance	`storage`
`workload.googleapis.com/vault.storage.operation.put.count`
`CUMULATIVE`, `INT64` gce_instance	`storage`
`workload.googleapis.com/vault.storage.operation.put.time`
`CUMULATIVE`, `DOUBLE` gce_instance	`storage`
`workload.googleapis.com/vault.token.count`
`GAUGE`, `INT64` gce_instance	`cluster` `namespace`
`workload.googleapis.com/vault.token.lease.count`
`GAUGE`, `INT64` gce_instance
`workload.googleapis.com/vault.token.renew.time`
`GAUGE`, `INT64` gce_instance
`workload.googleapis.com/vault.token.revoke.time`
`GAUGE`, `INT64` gce_instance

Verify the configuration

This section describes how to verify that you correctly configured the Vault receiver. It might take one or two minutes for the Ops Agent to begin collecting telemetry.

To verify that Vault logs are being sent to Cloud Logging, do the following:

In the Google Cloud console, go to the Logs Explorer page:
Go to Logs Explorer

If you use the search bar to find this page, then select the result whose subheading is Logging.
Enter the following query in the editor, and then click Run query:
```
resource.type="gce_instance"
log_id("vault_audit")
```

To verify that Vault metrics are being sent to Cloud Monitoring, do the following:

In the Google Cloud console, go to the Metrics explorer page:
Go to Metrics explorer

If you use the search bar to find this page, then select the result whose subheading is Monitoring.
In the toolbar of the query-builder pane, select the button whose name is either MQL or PromQL.
Verify that MQL is selected in the Language toggle. The language toggle is in the same toolbar that lets you format your query.

Enter the following query in the editor, and then click Run query:

fetch gce_instance
| metric 'workload.googleapis.com/vault.memory.usage'
| every 1m

View dashboard

To view your Vault metrics, you must have a chart or dashboard configured. The Vault integration includes one or more dashboards for you. Any dashboards are automatically installed after you configure the integration and the Ops Agent has begun collecting metric data.

You can also view static previews of dashboards without installing the integration.

To view an installed dashboard, do the following:

In the Google Cloud console, go to the Dashboards page:
Go to Dashboards

If you use the search bar to find this page, then select the result whose subheading is Monitoring.
Select the Dashboard List tab, and then choose the Integrations category.
Click the name of the dashboard you want to view.

If you have configured an integration but the dashboard has not been installed, then check that the Ops Agent is running. When there is no metric data for a chart in the dashboard, installation of the dashboard fails. After the Ops Agent begins collecting metrics, the dashboard is installed for you.

To view a static preview of the dashboard, do the following:

In the Google Cloud console, go to the Integrations page:
Go to Integrations

If you use the search bar to find this page, then select the result whose subheading is Monitoring.
Click the Compute Engine deployment-platform filter.
Locate the entry for Vault and click View Details.
Select the Dashboards tab to see a static preview. If the dashboard is installed, then you can navigate to it by clicking View dashboard.

For more information about dashboards in Cloud Monitoring, see Dashboards and charts.

For more information about using the Integrations page, see Manage integrations.

Install alerting policies

Alerting policies instruct Cloud Monitoring to notify you when specified conditions occur. The Vault integration includes one or more alerting policies for you to use. You can view and install these alerting policies from the Integrations page in Monitoring.

To view the descriptions of available alerting policies and install them, do the following:

In the Google Cloud console, go to the Integrations page:
Go to Integrations

If you use the search bar to find this page, then select the result whose subheading is Monitoring.
Locate the entry for Vault and click View Details.
Select the Alerts tab. This tab provides descriptions of available alerting policies and provides an interface for installing them.
Install alerting policies. Alerting policies need to know where to send notifications that the alert has been triggered, so they require information from you for installation. To install alerting policies, do the following:
1. From the list of available alerting policies, select those that you want to install.
2. In the Configure notifications section, select one or more notification channels. You have the option to disable the use of notification channels, but if you do, then your alerting policies fire silently. You can check their status in Monitoring, but you receive no notifications.
  
  For more information about notification channels, see Manage notification channels.
3. Click Create Policies.

For more information about alerting policies in Cloud Monitoring, see Introduction to alerting.

For more information about using the Integrations page, see Manage integrations.

What's next

For a walkthrough on how to use Ansible to install the Ops Agent, configure a third-party application, and install a sample dashboard, see the Install the Ops Agent to troubleshoot third-party applications video.