Core system telemetry

Core system telemetry provides information about the operational health of your Vault instance.

Default metrics

vault.core.active

• A value of 1 indicates that the node is active.
• A value of 0 indicates that the node is in standby.

vault.core.activity.fragment_size

The fragment size metric includes labels to indicate if the objects counted were entities or tokens.

vault.core.activity.segment_write

vault.core.check_token

vault.core.fetch_acl_and_token

vault.core.handle_login_request

vault.core.handle_request

vault.core.in_flight_requests

vault.core.leadership_lost

Leadership time updates occur whenever leadership changes. Frequent updates to vault.core.leadership_lost with low leadership times indicates flapping as leader status rotates between nodes.

vault.core.leadership_setup_failed

Setup failure time is an important health metric for your high-availability Vault installation. We strongly recommend that you closely monitor vault.core.leadership_setup_failed and set alerts that keep you informed of the overall cluster leadership status.

vault.core.license.expiration_time_epoch

vault.core.locked_users

The number of locked users refreshes every 15 minutes.

vault.core.mount_table.num_entries

Mountpoint count metrics include labels to indicate whether the relevant table is an authentication table or a logical table and whether the table is replicated or local.

vault.core.mount_table.size

Table size metrics include labels to indicate whether the relevant table is an authentication table or a logical table and whether the table is replicated or local.

vault.core.performance_standby

• A value of 1 indicates the node is a performance standby
• A value of 0 indicates the node is not a performance standby

vault.core.replication.dr.primary

• A value of 1 indicates that the node is a disaster recovery primary.
• A value of 0 indicates that the node is not a disaster recovery primary.

vault.core.replication.dr.secondary

• A value of 1 indicates that the node is a disaster recovery secondary.
• A value of 0 indicates that the node is not a disaster recovery secondary.

vault.core.replication.performance.primary

• A value of 1 indicates that the node is a performance primary.
• A value of 0 indicates that the node is not a performance primary.

vault.core.replication.performance.secondary

• A value of 1 indicates that the node is a performance secondary.
• A value of 0 indicates that the node is not a performance secondary.

vault.core.replication.write_undo_logs

• A value of 1 indicates that Vault is generating undo logs.
• A value of 0 indicates that Vault is not generating undo logs.

vault.core.step_down

Barrier metrics

vault.barrier.delete

vault.barrier.get

vault.barrier.list

vault.barrier.put

Caching metrics

vault.cache.delete

vault.cache.hit

vault.cache.miss

vault.cache.write

Metric collection metrics

vault.metrics.collection

vault.metrics.collection.error

vault.metrics.collection.interval

Quota metrics

Quota metrics relate to rate limit and lease count quotas. Each metric comes with a name label that identifies the specific quota.

vault.quota.lease_count.counter

The number of leases reported is specific to the quota rule listed in the name label, not the number of leases in general. For example, if the named rule allows for 50 leases max and there are currently 40 leases in the scope of that quota rule, the value of vault.quota.lease_count.counter is 40 even if there are 1000 other leases that are unscoped or in the scope of other quota rules.

vault.quota.lease_count.max

vault.quota.lease_count.violation

vault.quota.rate_limit.violation

Request limiter metrics

Request Limiter metrics relate to request success signals observed by the request limiter and its current state. Note the request limiter is deprecated and will be removed in future Vault versions.

vault.core.limits.concurrency.write

vault.core.limits.concurrency.special_path

vault.core.limits.concurrency.service_unavailable

vault.core.limits.concurrency.success

vault.core.limits.concurrency.dropped

vault.core.limits.concurrency.ignored

Ignored request errors result from early request cancellation. These errors are discarded from request limiter measurements to prevent skewing of latency measurements.

Rollback metrics

By default, Vault does not separate rollback metrics by mountpoint. To enable explictly named metrics for mountpoints, enable the add_mount_point_rollback_metrics option in your telemetry configuration stanza.

If you enable named metrics for mountpoints, the metric name converts forward slashes (/) in mount names to dashes (-). For example, if you have the auth/token backend configured and mountpoint names enabled for telemetry, the corresponding mount point metric string is auth-token.

vault.rollback.attempt.{MOUNTPOINT}

vault.rollback.attempt

vault.rollback.inflight

vault.rollback.queued

vault.rollback.waiting

Route metrics

Mount-specific route metrics for each configured mount point. Metric names convert forward slashes (/) in mount names to dashes (-). For example, if you have the auth/token backend configured, the corresponding mount point metric string is auth-token

By default, Vault does not separate rollback metrics by mountpoint. To enable explictly named metrics for mountpoints, enable the add_mount_point_rollback_metrics option in your telemetry configuration stanza.

vault.route.create.{MOUNTPOINT}

vault.route.delete.{MOUNTPOINT}

vault.route.list.{MOUNTPOINT}

vault.route.read.{MOUNTPOINT}

vault.route.rollback.{MOUNTPOINT}

Vault automatically schedules and performs mount point rollback operations to clean up partial errors.

vault.route.rollback

Vault automatically schedules and performs mount point rollback operations to clean up partial errors.

Runtime metrics

Runtime metrics relate specifically to the Go runtime for your Vault instance.

vault.runtime.alloc_bytes

The number of allocated bytes may peak from time to time, but should always return to a steady state value in a health Vault installation.

vault.runtime.free_count

vault.runtime.gc_pause_ns

vault.runtime.heap_objects

The vault.runtime.heap_objects metric is a good memory pressure indicator. We recommend monitoring vault.runtime.heap_objects to establish an accurate baseline and thresholds for alerting on the health of your Vault installation.

vault.runtime.malloc_count

vault.runtime.num_goroutines

The vault.runtime.num_goroutines metric is a good system load indicator. We recommend monitoring vault.runtime.num_goroutines to establish an accurate baseline and thresholds for alerting on the health of your Vault installation.

vault.runtime.sys_bytes

The total number of allocated system bytes includes space currently used by the heap plus space that has been reclaimed by, but not returned to, the operating system.

vault.runtime.total_gc_pause_ns

vault.runtime.total_gc_runs

Seal metrics

vault.core.post_unseal

vault.core.pre_seal

vault.core.seal.encrypt

vault.core.seal.encrypt.time

vault.core.seal.decrypt

vault.core.seal.decrypt.time

vault.core.seal-internal

vault.core.seal.unreachable.time

vault.core.seal-with-request

vault.core.unseal

vault.core.unsealed

• A value of 1 indicates Vault is currently unsealed and clients can read secrets.
• A value of 0 indicates Vault is currently sealed and clients cannot read secrets.