Monitoring HashiCorp Vault with LogicMonitor


HashiCorp Vault is an open-source secret management tool that allows organizations to easily “secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.” This keeps sensitive information from being stored in unsecured places, at times in plaintext, throughout the organization’s infrastructure. HashiCorp Vault and all of its components play a critical role in a company, which makes it vital to monitor its health and status. Enter LogicMonitor.
LogicMonitor has the necessary DataSources (Vault Health, Leader, and Replication) to make sure your Vault deployment is running as intended.

Monitoring Your HashiCorp Vault Health and Status

Aside from the usual host metrics (CPU, Memory, Disk, and Network), LogicMonitor can display the current status of your Vault servers and send alerts if any changes occur. LogicMonitor tracks the initialization status of all your servers. If a Vault server is uninitialized, it has not gone through the configuration process: encryption keys have not been generated, unseal keys have not been created, and the initial root token has not been set up. LogicMonitor also tracks the seal state of your servers. A sealed Vault performs almost no operations and can hinder other applications’ performance. Unsealing is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault. You can receive an alert when a server changes status out of schedule.

Key HashiCorp Vault health metrics monitored in LogicMonitor.

Vault Leader and High Availability

A key offering of Vault Enterprise is the high availability (HA) feature. If you are running Vault on multiple servers within multiple data centers, it is essential to keep track of the leader and any possible failover events. When running in HA mode, a Vault server can be in one of two states: standby or active. Only the active server in an HA topology will process requests. You will be able to display the standby status of all your servers and make sure there is always an active server. LogicMonitor will alert you when there is a change in the standby status of a Vault server.

Tracking Vault Replication Status

With multiple servers and data centers, it is essential to make sure all the data gets replicated across your environment. LogicMonitor can track the performance replication status (disabled, secondary, and primary) of each server and alert when there is an unexpected change. Along with the status, you can also see the last Write-Ahead Log (WAL) position. The WALs are used to perform log shipping between Vault clusters. By monitoring the WAL position, you can determine if the servers are struggling to stay synced, helping you to get ahead of an out-of-sync situation. If the servers are out of sync, other applications may be unable to access the data they require.
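The status checks described in the health, HA, and replication sections can be sketched as a comparison of two polls, shown here as an added example that is not LogicMonitor's DataSource code. It assumes each server's status arrives as a dictionary with the `initialized`, `sealed`, `standby`, and `replication_performance_mode` fields that Vault's `/v1/sys/health` endpoint returns, and that all servers belong to one HA cluster; the server names and payloads are constructed.

```python
def health(initialized=True, sealed=False, standby=False, mode="primary"):
    """Build a constructed payload shaped like a /v1/sys/health response body."""
    return {"initialized": initialized, "sealed": sealed,
            "standby": standby, "replication_performance_mode": mode}

# Constructed sample polls: vault-1 gets sealed and vault-2 takes over as active.
PREVIOUS = {"vault-1": health(), "vault-2": health(standby=True),
            "vault-3": health(standby=True)}
CURRENT = {"vault-1": health(sealed=True, standby=True), "vault-2": health(),
           "vault-3": health(standby=True)}

def server_state(payload):
    """Collapse one health payload into a single state label."""
    if not payload["initialized"]:
        return "uninitialized"   # no encryption keys, unseal keys or root token yet
    if payload["sealed"]:
        return "sealed"          # cannot serve secrets until unsealed
    return "standby" if payload["standby"] else "active"

def compare_polls(previous, current):
    """Return alert strings for status changes between two polls of one HA cluster."""
    alerts = []
    for name in sorted(current):
        state = server_state(current[name])
        mode = current[name].get("replication_performance_mode")
        if name in previous:
            old_state = server_state(previous[name])
            old_mode = previous[name].get("replication_performance_mode")
            if old_state != state:
                alerts.append(f"{name}: state {old_state} -> {state}")
            if old_mode != mode:
                alerts.append(f"{name}: replication {old_mode} -> {mode}")
        elif state in ("uninitialized", "sealed"):
            alerts.append(f"{name}: new server is {state}")
    # Only the active server processes requests, so one HA cluster needs exactly one.
    active = [n for n in current if server_state(current[n]) == "active"]
    if len(active) != 1:
        alerts.append(f"cluster: {len(active)} active servers, expected exactly 1")
    return alerts

if __name__ == "__main__":
    for line in compare_polls(PREVIOUS, CURRENT):
        print(line)
```
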
These are just a few examples of how LogicMonitor can provide insights into your HashiCorp Vault environment. Plenty more use cases and data points are collected. If you are attending HashiConf this year, make sure to visit our booth, and we will be happy to answer any questions. Not attending? Don’t worry, request a free trial or visit our blog for more information that can be helpful as you manage your HashiCorp Suite.