Configure HCP Vault metrics streaming to Elasticsearch
This tutorial covers configuration of HCP Vault metrics streaming to your existing Elasticsearch environment. Elastic Cloud is used for demonstration purposes, but any Elasticsearch environment should work.
For details on metrics scope and interpretation, see the HCP Vault Metrics Guidance.
Availability
HCP Vault metrics streaming is available for all production grade clusters. The feature is not available for Development tier clusters.
Prerequisites
To configure metrics streaming to Elasticsearch, you will need to have:
- An account with Admin or Contributor role assigned in HCP
- A production grade HCP Vault cluster
- An Elasticsearch cluster created in Elastic Cloud, with permission to create a role and a user.
Note
If you don't have a cluster running, refer to the Create a Vault Cluster on HCP tutorial to create an HCP Vault cluster through HCP Portal. Or, refer to the Deploy HCP Vault with Terraform tutorial to provision an HCP Vault cluster using Terraform.
Configure Elastic Cloud
To configure HCP Vault metrics streaming to Elasticsearch, you must provide an endpoint URL, along with the username and password of a user that has been assigned a role with adequate permissions on the Elasticsearch cluster.
Create role
Log in to the Elastic Cloud console and navigate to the stack management security page, for example https://<your-elastic-cloud-url>:9243/app/management/security/
Click Roles, then click Create role.
Enter hcp-vault-metric-streaming in the Role name textbox.
In the Cluster privileges pulldown menu, select monitor.
Under Index privileges, enter * in the Indices pulldown menu.
Click the Privileges pulldown menu and select the following:
- create
- create_index
- manage
- manage_ilm
- write
Click Create role.
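To confirm that the saved role grants what the steps above select and nothing more, the following added example (not part of the original tutorial or HashiCorp's code) audits the JSON body returned by Elasticsearch's get-role API, `GET /_security/role/hcp-vault-metric-streaming`. The sample bodies are constructed for illustration, and the function and variable names are assumptions.

```python
import json

ROLE_NAME = "hcp-vault-metric-streaming"
# Privileges selected in the tutorial's Create role form.
EXPECTED_CLUSTER = {"monitor"}
EXPECTED_INDEX_PRIVS = {"create", "create_index", "manage", "manage_ilm", "write"}


def audit_role(api_response, role_name=ROLE_NAME):
    """Compare a GET /_security/role/<name> body with the tutorial's role.

    Names are compared literally; implied privileges (e.g. "all") are not expanded.
    """
    roles = json.loads(api_response)
    if role_name not in roles:
        return [f"role {role_name!r} not found"]
    role, findings, granted = roles[role_name], [], set()

    cluster = set(role.get("cluster", []))
    findings += [f"extra cluster privilege: {p}" for p in sorted(cluster - EXPECTED_CLUSTER)]
    findings += [f"missing cluster privilege: {p}" for p in sorted(EXPECTED_CLUSTER - cluster)]

    for entry in role.get("indices", []):
        privs = set(entry.get("privileges", []))
        if entry.get("names") == ["*"]:
            granted |= privs
            findings += [f"extra index privilege: {p}" for p in sorted(privs - EXPECTED_INDEX_PRIVS)]
        else:
            findings.append(f"unexpected index entry: {entry.get('names')}")
        if entry.get("allow_restricted_indices"):
            findings.append("allow_restricted_indices is enabled")
    findings += [f"missing index privilege: {p}" for p in sorted(EXPECTED_INDEX_PRIVS - granted)]

    if role.get("run_as"):
        findings.append(f"run_as is set: {role['run_as']}")
    if role.get("applications"):
        findings.append("application privileges are granted")
    return findings


def sample(cluster, index_privs, restricted=False):
    """Build a constructed response body (not captured from a real cluster)."""
    return json.dumps({ROLE_NAME: {"cluster": cluster, "run_as": [], "applications": [],
        "indices": [{"names": ["*"], "privileges": index_privs,
                     "allow_restricted_indices": restricted}]}})


AS_DOCUMENTED = sample(["monitor"], sorted(EXPECTED_INDEX_PRIVS))
DRIFTED = sample(["monitor", "manage_security"], sorted(EXPECTED_INDEX_PRIVS) + ["read"], True)

if __name__ == "__main__":
    for label, body in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(label, "->", audit_role(body) or "matches the tutorial")
```

An empty result means the role matches the definition above; any finding is worth reviewing because the role's index privileges apply to every index pattern (`*`).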
Create user
From the stack management security page, click Users.
Click Create user.
Enter hcp-vault-metric-streaming in the Username textbox.
Enter a secure password in the Password and Confirm password textboxes. Make note of the username and password; you will need them to configure metrics streaming in the HCP Portal.
Click the Roles pulldown menu and select the hcp-vault-metric-streaming role.
Click Create user.
Retrieve Elastic URL
Navigate to https://cloud.elastic.co/home
Click Manage for the Elastic Cloud deployment you wish to send HCP Vault metrics to.
Under Applications, click Copy endpoint for Elasticsearch. Make note of the endpoint URL; you will need it to configure metrics streaming in the HCP Portal.
The URL will be in the format https://123def789jkl.region.cloudprovider.es.io
Enable metrics streaming
From the HCP Vault cluster Overview page, select the Metrics view.
If you have not configured metrics streaming before, click Enable streaming.
From the Stream Vault metrics view, select Elastic as the provider and click Next.
Under Elastic configuration, enter the Endpoint URL, Elastic user, and Elastic password created in the Create user section.
Click Save.
Note
At this time, HCP Vault only supports metrics streaming to one metrics endpoint at a time.
Edit the metrics streaming configuration
To edit a metrics streaming integration, perform the following steps.
From the Metrics page, click on the Manage drop-down, then Edit configuration.
Edit the configuration, then click Save.
Disable metrics streaming
To disable a metrics streaming integration, from the Metrics page, click on the Manage drop-down, then Disable streaming.