LogicMonitor stores sensitive information, including credentials and secrets, for hosts, devices, and services. LogicMonitor also integrates with a Credential Vault, which gives users who run their own vault better control over credential management. The LogicMonitor Collector provides the integration with Thycotic Secret Server as a Credential Vault solution. For more information, see the Thycotic Secret Server documentation.
The Thycotic Secret Server publishes a REST API to manage various entities. For more information, see https://docs.thycotic.com/ss/10.9.0/api-scripting/rest-api-reference-download.
The Secret Server (SS) REST API guides are version-specific. Ensure that you refer to the guide for your Secret Server version.
The LM Thycotic Secret Server integration uses the OAuth2 token-based REST API of the Thycotic Secret Server. In this approach, you receive the OAuth2 token for authentication, which is used to perform the various entity operations of the Thycotic Secret Server.
To configure the Thycotic vault, complete the following steps:
1. Configure the vault properties on the devices. The properties consist of the vault metadata and vault keys. For more information, see the Thycotic Vault properties section.
2. Once the vault properties are configured, set the vault.bypass agent configuration to false.
Note: You can change the default agent configuration settings as required. For more information, see Thycotic Collector Agent Configuration Settings.
The following table lists the Collector agent configuration settings related to the vault.
You can view the agent configuration properties by navigating to Settings > Collector > click the gear next to the required collector name > Support > Collector Configuration.
Vault properties, such as Vault Metadata and Vault Keys for the Collector, can be configured at the device or device group level.
The following table lists the Vault Metadata properties.
You can configure lmvault.keys in the following two ways:
LogicMonitor calls the Thycotic API to get the secret id for these secret paths, and these secret ids are then used to retrieve the credentials.
Note: Because this approach requires additional API calls, use it only when required.
Example:
LogicMonitor provides two approaches for retrieving the secret id from the secret path:
1. Default Approach: LogicMonitor searches the folders and secrets to build the secret_path_name relation with the secret id.
2. Thycotic Reporting: LogicMonitor uses Thycotic reporting to retrieve the secret id using a secret path. This approach is more efficient for the secret path than the Default Approach.
Note: Ensure that you can access the Thycotic Report “What secrets a user can see” in the Thycotic Secret Server portal. For more information on configuring the Thycotic reports, see Configuring Thycotic Report Properties.
To configure Thycotic report properties, complete the following steps:
1. Navigate to Settings > Collector > select the required collector and click the Gear icon.
2. On the Manage Collector dialog box, select Collector Configuration from the Support drop-down list.
3. Click the Agent Configurations tab and enter the following Thycotic report properties:
1. How to confirm API using Postman?
Ans: The LogicMonitor Thycotic Secret Server integration uses the OAuth2 token-based REST API of the Thycotic Secret Server. You receive the OAuth2 token for authentication, which is used to perform the various entity operations of the Thycotic Secret Server. The APIs can be confirmed using Postman. To confirm the APIs using Postman, refer to the following images:
Note: For more information on REST APIs, see Thycotic Secret Server REST API.
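The same confirmation can be scripted. The following is an added example, not LogicMonitor's or Thycotic's code: it requests an OAuth2 token and then reads one secret with it, masking the values before they are printed. It assumes the `/oauth2/token` password grant and the `/api/v1/secrets/{id}` endpoint, which you should check against the REST API guide for your Secret Server version; the host name, account, secret id, and responses are constructed so that it runs offline.

```python
import json
import urllib.parse
import urllib.request

def token_request(base_url, username, password):
    """Build the OAuth2 password-grant request: POST <base>/oauth2/token (assumed path)."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send vault credentials over a non-HTTPS URL")
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def secret_request(base_url, token, secret_id):
    """Build GET <base>/api/v1/secrets/<id> (assumed path) with the bearer token."""
    # int() keeps anything but a numeric id out of the URL path.
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/secrets/{int(secret_id)}",
        headers={"Authorization": f"Bearer {token}"})

def fetch_fields(base_url, username, password, secret_id, send=None):
    """Get a token, then the secret; return {slug: value}. `send` maps a Request to bytes."""
    send = send or (lambda req: urllib.request.urlopen(req, timeout=10).read())
    token = json.loads(send(token_request(base_url, username, password)))["access_token"]
    secret = json.loads(send(secret_request(base_url, token, secret_id)))
    return {item["slug"]: item["itemValue"] for item in secret.get("items", [])}

def redact(fields):
    """Mask values so the result of a confirmation run can be shared safely."""
    return {slug: "***" for slug in fields}

def fake_send(req):
    """Constructed stand-in for the Secret Server so the example runs offline."""
    if req.full_url.endswith("/oauth2/token"):
        assert req.get_method() == "POST"
        return b'{"access_token": "constructed-token", "token_type": "bearer", "expires_in": 1200}'
    assert req.get_header("Authorization") == "Bearer constructed-token"
    return json.dumps({"id": 42, "name": "constructed-secret", "items": [
        {"slug": "username", "itemValue": "svc_monitor"},
        {"slug": "password", "itemValue": "constructed-pw"}]}).encode()

if __name__ == "__main__":
    # Hypothetical host, account and secret id; drop fake_send to call a real server.
    got = fetch_fields("https://ss.example.test/SecretServer", "api_user", "api_pw", 42, fake_send)
    print(redact(got))
```

A successful run proves that the API account can authenticate and read the secret without the token or the secret values ending up in terminal history or a ticket.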
2. How to get collector vault logs?
Ans: To get the collector vault logs, use the !tail debug command. The vault logs are a part of the wrapper.log file, which you can directly access. For more details, refer to the following screenshot:
3. How to enable the debug logs for the vault to get more data?
Ans: To enable the debug logs for the vault, complete the following steps:
1. Navigate to Settings > Collectors > select the required collector.
2. On the Manage Collector dialog box, select Collector Configuration from the Support drop-down list.
3. Click the Agent Config tab and set the logger.level value to debug.
4. Once you have added the configuration details, click Save and Restart.
Refer to the following image: