HCP Vault Secrets Centralized secrets lifecycle management for developers. Learn More
Vault
HCP Vault monitoring

Configure HCP Vault metrics streaming to Elasticsearch

  • 3min
  • |
  • HCP
  • Vault

This tutorial covers configuration of HCP Vault metrics streaming to your existing Elasticsearch environment. Elastic Cloud is used for demonstration purposes, but any Elasticsearch environment should work.

For details on metrics scope and interpretation, see the HCP Vault Metrics Guidance.

Availability

HCP Vault metrics streaming is available for all production grade clusters. The feature is not available for Development tier clusters.

Prerequisites

To configure metrics streaming to Elasticsearch, you will need to have:

  • An account with Admin or Contributor role assigned in HCP
  • A production grade HCP Vault cluster
  • An Elasticsearch cluster created in Elastic Cloud with permission to create a role, and a user.

Note

If you don't have a cluster running, refer to the Create a Vault Cluster on HCP tutorial to create an HCP Vault cluster through HCP Portal. Or, refer to the Deploy HCP Vault with Terraform tutorial to provision an HCP Vault cluster using Terraform.

Configure Elastic Cloud

To configure HCP Vault metric streaming to Elasticsearch, you must provide a endpoint URL, username, and password for a user that has been assigned a role with adequate permission to the Elasticsearch cluster.

Create role

  1. Log in to the Elastic Cloud console and navigate to the stack management security page.

    For example https://<your-elastic-cloud-url>:9243/app/management/security/

  2. Click Roles, then click Create role.

  3. Enter hcp-vault-metric-streaming in the Role name textbox.

  4. In the Cluster privileges pull down, select monitor.

  5. Under Index privileges, enter * in the Indices pulldown menu.

  6. Click the Privileges pulldown menu and select the following:

    • create
    • create_index
    • manage
    • manage_ilm
    • write

  7. Click Create role.

Create user

  1. From the stack management security page, click Users.

  2. Click Create user.

  3. Enter hcp-vault-metric-streaming in the Username textbox.

  4. Enter a secure password in the Password and Confirm password textbox. Make note of the username and password - you will need this to configure audit log streaming in the HCP Portal.

  5. Click the Roles pulldown menu and select the hcp-vault-metric-streaming role.

  6. Click Create user.

Retrieve Elastic URL

  1. Navigate to https://cloud.elastic.co/home.

  2. Click Manage for the Elastic Cloud deployment you wish to send HCP Vault metrics to.

  3. Under Applications click Copy endpoint for Elasticsearch. Make note of the endpoint URL - you will need this to configure metric streaming in the HCP Portal.

    The URL will be in the format of https://123def789jkl.region.cloudprovider.es.io.

Enable metrics streaming

  1. From the HCP Vault cluster Overview page, select the Metrics view. HCP Vault Portal

  2. If you have not configured metrics streaming before, click Enable streaming.

  3. From the Stream Vault metrics view, select Elastic as the provider and click Next. Select Elastic provider

  4. Under Elastic configuration, enter the Endpoint URL, Elastic user, and Elastic password created in the Create IAM user section. Configure Elastic provider

  5. Click Save.

    Note

    At this time, HCP Vault only supports metrics streaming to one metrics endpoint at a time.

Edit the metrics streaming configuration

To edit a metrics streaming integration, perform the following steps.

  1. From the Metrics page, click on the Manage drop-down, then Edit configuration.

  2. Edit the configuration, then click Save.

Disable metrics streaming

To disable a metrics streaming integration, from the Metrics page, click on the Manage drop-down, then Disable streaming.

Previous

Configure HCP Vault audit logs to Datadog

 Next

Configure HCP Vault audit logs Elasticsearch