Configure HCP Vault Dedicated metric streaming to Elasticsearch

For details on metrics scope and interpretation, see the HCP Vault Dedicated metrics documentation.

Availability

HCP Vault Dedicated metrics streaming is available for all production grade clusters. The feature is not available for Development tier clusters.

Prerequisites

To configure metrics streaming to Elasticsearch, you will need to have:

A HCP account with Admin or Contributor role assigned in HCP
A production grade HCP Vault Dedicated cluster
An Elasticsearch cluster created in Elastic Cloud with permission to create a role, and a user.
Note
If you do not have a cluster running, refer to the Create a Vault Cluster on HCP or the Deploy HCP Vault Dedicated with Terraform tutorial to create an HCP Vault Dedicated cluster.

Configure Elastic Cloud

To configure HCP Vault Dedicated metric streaming to Elasticsearch, you must provide a endpoint URL, username, and password for a user that has been assigned a role with adequate permission to the Elasticsearch cluster.

Create role

Log in to the Elastic Cloud console and navigate to the stack management security page.
For example https://<your-elastic-cloud-url>:9243/app/management/security/
Click Roles, then click Create role.
Enter hcp-vault-metric-streaming in the Role name textbox.
In the Cluster privileges pull down, select monitor.
Under Index privileges, enter * in the Indices pulldown menu.
Click the Privileges pulldown menu and select the following:
- create
- create_index
- manage
- manage_ilm
- write
Click Create role.

Create user

From the stack management security page, click Users.
Click Create user.
Enter hcp-vault-metric-streaming in the Username textbox.
Enter a secure password in the Password and Confirm password textbox. Make note of the username and password - you will need this to configure audit log streaming in the HCP Portal.
Click the Roles pulldown menu and select the hcp-vault-metric-streaming role.
Click Create user.

Retrieve Elastic URL

Navigate to https://cloud.elastic.co/home.
Click Manage for the Elastic Cloud deployment you wish to send HCP Vault Dedicated metrics to.
Under Applications click Copy endpoint for Elasticsearch. Make note of the endpoint URL - you will need this to configure metric streaming in the HCP Portal.
The URL will be in the format of https://123def789jkl.region.cloudprovider.es.io.

Enable metrics streaming

Log in to the HCP Portal and navigate to the Vault clusters page.
Click the Vault cluster you wish to enable streaming for and click Metrics.
Click Enable metric streaming.
From the Stream Vault metrics view, select Elastic as the provider and click Next.
Under Elastic configuration, enter the Endpoint URL, Elastic user, and Elastic password created in the Create user section.
Click Save.
Note
At this time, HCP Vault Dedicated only supports metrics streaming to one metrics endpoint at a time.

Example Terraform configuration (optional)

Refer to the Terraform Registry hcp_vault_cluster documentation for more information.

resource "hcp_vault_cluster" "example" {
  cluster_id = "vault-cluster"
  hvn_id     = hcp_hvn.example.hvn_id
  tier       = "standard_large"
  metrics_config {
    elasticsearch_user = "actual-user"
    elasticsearch_password = "actual-password"
    elasticsearch_endpoint = "actual-url"
  }
}

## Edit the metrics streaming configuration (optional)

To edit a metrics streaming integration, perform the following steps.

1. From the **Metrics** page, click on the **Manage** drop-down, then **Edit
   configuration**.

1. Edit the configuration, then click **Save**.

## Disable metrics streaming (optional)

To disable a metrics streaming integration, from the **Metrics** page, click on
the **Manage** drop-down, then **Disable streaming**.