HashiCorp Vault enables teams to secure, store, and control access to tokens, passwords, certificates, and encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
Vault server’s metric endpoint supports Prometheus-formatted metrics. As with other services which expose such an endpoint, use an OpenTelemetry Collector to scrape this endpoint and get these metrics into Honeycomb.
Refer to Vault’s documentation for a list of key metrics, as well as the full telemetry reference.
Prometheus metrics are not enabled by default; therefore, the prometheus_retention_time to a non-zero value enables them.
We recommend setting this value to at least twice the scrape interval of your Collector.
The HashiCorp documentation also suggests setting disable_hostname to avoid having hostname-prefixed metrics.
A suggested configuration should be created as metrics.hcl for each Vault server as follows:
telemetry {
disable_hostname = true
prometheus_retention_time = "12h"
}
Since Vault’s /sys/metrics endpoint is authenticated, we need to create both a read-metrics ACL policy and a metrics token for the OpenTelemetry Collector to use when scraping Vault metrics.
The following is an example of creating and defining a read-metrics ACL policy that grants read capabilities to the metrics endpoint:
vault policy write read-metrics - << EOF
path "/sys/metrics" {
capabilities = ["read"]
}
EOF
Once the read-metrics ACL policy is created, the next step is to create a metrics-token for use when scraping metrics from Vault.
The following is an example of writing the token ID to the file metrics in the vault configuration directory:
vault token create \
-field=token \
-policy read-metrics \
> /etc/vault/metrics-token
Scraping the Vault server’s Prometheus metrics endpoint requires configuring a Collector with a pipeline that starts with a prometheus receiver and ends with an OTLP exporter. Depending on your chosen method of Vault deployment, the resource detection processor may be helpful to further enrich the OTLP Metrics being sent to Honeycomb.
An example Collector configuration using the system resource detector processor follows:
receivers:
prometheus:
config:
scrape_configs:
- job_name: vault
scrape_interval: 60s
metrics_path: /v1/sys/metrics
authorization:
credentials_file: /etc/vault/metrics-token
static_configs:
- targets:
- localhost:8500
processors:
batch:
resourcedetection/os:
detectors:
- system
system:
hostname_sources:
- os
exporters:
otlp/metrics:
endpoint: api.honeycomb.io:443
headers:
"x-honeycomb-team": "YOUR_API_KEY"
"x-honeycomb-dataset": "vault"
service:
pipelines:
metrics:
receivers:
- prometheus
processors:
- resourcedetection/os
- batch
exporters:
- otlp/metrics