Vault

Prometheus Metrics

HashiCorp Vault is a secrets management tool that exposes Prometheus-formatted metrics through its telemetry subsystem.

Enable Prometheus telemetry in your Vault configuration file (HCL format):

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = true
}

Restart Vault for the changes to take effect. The metrics endpoint will be available at http://localhost:8200/v1/sys/metrics?format=prometheus.

This endpoint requires a valid Vault token with operator permissions. You can verify it works with:

curl -H "X-Vault-Token: <YOUR_VAULT_TOKEN>" \
  "http://localhost:8200/v1/sys/metrics?format=prometheus"

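Because the endpoint requires authentication, Glouton must send the Vault token in the request headers of the scrape target configured below. Replace <YOUR_VAULT_TOKEN> with a valid token that has permissions to read the sys/metrics endpoint. The configuration file stores the token in clear text, so restrict read access to it to the account Glouton runs as.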

sudo tee /etc/glouton/conf.d/99-vault.conf > /dev/null << 'EOF'
metric:
  prometheus:
    targets:
      - url: "http://localhost:8200/v1/sys/metrics?format=prometheus"
        name: "vault"
        headers:
          X-Vault-Token: "<YOUR_VAULT_TOKEN>"
        allow_metrics:
          - "vault_core_unsealed"
          - "vault_runtime_alloc_bytes"
          - "vault_audit_log_request_count"
          - "vault_token_count"
          - "vault_secret_lease_creation"
          - "vault_runtime_num_goroutines"
          - "vault_runtime_sys_bytes"
          - "vault_expire_num_leases"
          - "vault_core_active"
EOF

Metric                         Description
vault_core_unsealed            Whether the Vault node is unsealed (1) or sealed (0)
vault_core_active              Whether the Vault node is the active node in the cluster
vault_runtime_alloc_bytes      Number of bytes allocated by the Vault process
vault_runtime_num_goroutines   Number of active goroutines in the Vault process
vault_runtime_sys_bytes        Total bytes of memory obtained from the OS
vault_audit_log_request_count  Number of audit log requests processed
vault_token_count              Number of active tokens in Vault
vault_secret_lease_creation    Number of secret lease creations
vault_expire_num_leases        Number of currently active leases
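
To confirm that a scrape actually returns every metric named in allow_metrics and that the node reports itself unsealed, the response body can be checked before relying on the dashboard. The script below is an added example, not part of the Vault or Glouton documentation; the sample response is constructed, the names parse_metrics and check_scrape are chosen here, and treating vault_core_active = 1 as "active" is an assumption.

```python
import re
import sys
# Metric names copied from the allow_metrics list on this page.
ALLOW_METRICS = [
    "vault_core_unsealed", "vault_runtime_alloc_bytes",
    "vault_audit_log_request_count", "vault_token_count",
    "vault_secret_lease_creation", "vault_runtime_num_goroutines",
    "vault_runtime_sys_bytes", "vault_expire_num_leases", "vault_core_active",
]

# Constructed sample response, not real Vault output; three allow-listed
# metrics are omitted on purpose so the check has something to report.
SAMPLE = """\
# TYPE vault_core_unsealed gauge
vault_core_unsealed{cluster="example"} 1
vault_core_active{cluster="example"} 1
vault_runtime_alloc_bytes 2.5e+07
vault_runtime_num_goroutines 142
vault_runtime_sys_bytes 7.1e+07
vault_expire_num_leases 12
"""

# Sample line: name, optional {labels}, value (a trailing timestamp is ignored).
LINE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{.*\})?\s+(\S+)')

def parse_metrics(text):
    """Return {metric name: [values]} from Prometheus text exposition."""
    samples = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:            # blank line, comment, or malformed line
            continue
        try:
            value = float(m.group(2))
        except ValueError:       # value field is not a number
            continue
        samples.setdefault(m.group(1), []).append(value)
    return samples

def check_scrape(text):
    """List allow-listed metrics absent from a scrape, plus seal/active state."""
    samples = parse_metrics(text)
    return {
        "missing": [n for n in ALLOW_METRICS if n not in samples],
        "sealed": any(v == 0 for v in samples.get("vault_core_unsealed", [])),
        "active": any(v == 1 for v in samples.get("vault_core_active", [])),
    }

if __name__ == "__main__":  # pipe a live scrape on stdin, or run bare for the sample
    print(check_scrape(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

Pipe the output of the curl command above into the script to check a live node; a non-empty "missing" list means Glouton's allow list names a metric the endpoint did not return.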