HashiCorp Vault

Monitor Vault seal status, token counts, request rates, and audit log health.

HashiCorp Vault Dashboard

Key Metrics

Metric                            Description
vault_core_active                 Whether this node is the active leader
vault_core_sealed                 Seal status (1=sealed)
vault_token_count_total           Total token count
vault_barrier_get_count           Barrier GET operations
vault_core_handle_request_count   Requests handled
vault_runtime_alloc_bytes         Memory allocated by Vault

Prerequisites

  • HashiCorp Vault 1.3+
  • Telemetry enabled in Vault config

Configuration

Enable telemetry in vault.hcl

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = true
}

Metrics are available at https://localhost:8200/v1/sys/metrics?format=prometheus with a valid Vault token.
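To confirm that the endpoint returns what the Key Metrics table lists, its output can be checked before any scraper is wired up. The following is an added example, not part of the original page or of Vault itself: it uses the metric names from the table above, the sample scrape text and instance names are constructed, and it assumes each node is scraped separately and reports vault_core_active as 1 on the leader and 0 elsewhere.

```python
import re
# Metric names taken from the Key Metrics table on this page.
REQUIRED = ("vault_core_active", "vault_core_sealed", "vault_token_count_total",
            "vault_barrier_get_count", "vault_core_handle_request_count",
            "vault_runtime_alloc_bytes")
# Text exposition sample line: name{labels} value [timestamp]
SAMPLE_LINE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{.*\})?\s+(\S+)(?:\s+-?\d+)?$')

def parse_metrics(text):
    """Map metric name -> list of sample values; # HELP / # TYPE lines are skipped."""
    samples = {}
    for line in map(str.strip, text.splitlines()):
        match = None if line.startswith("#") else SAMPLE_LINE.match(line)
        if match:
            try:
                samples.setdefault(match.group(1), []).append(float(match.group(2)))
            except ValueError:
                pass  # value is not numeric, so this is not a sample line
    return samples

def check_node(text):
    """Findings for one node's scrape output; an empty list means nothing to flag."""
    samples = parse_metrics(text)
    findings = ["missing metric: " + name for name in REQUIRED if name not in samples]
    if 1.0 in samples.get("vault_core_sealed", []):
        findings.append("node is sealed")
    return findings

def check_cluster(scrapes):
    """scrapes maps instance -> scrape text; assumes exactly one node reports active=1."""
    findings = {inst: check_node(text) for inst, text in scrapes.items()}
    active = [inst for inst, text in scrapes.items()
              if 1.0 in parse_metrics(text).get("vault_core_active", [])]
    if len(active) != 1:
        findings["cluster"] = ["expected 1 active node, found %d" % len(active)]
    return findings

# Constructed sample scrapes (not captured from a real Vault server).
HEALTHY = """# TYPE vault_core_active gauge
vault_core_active{cluster="demo"} 1
vault_core_sealed{cluster="demo"} 0
vault_token_count_total 42
vault_barrier_get_count 1093
vault_core_handle_request_count 87
vault_runtime_alloc_bytes 2.3e+07
"""
SEALED = "vault_core_active 0\nvault_core_sealed 1\nvault_runtime_alloc_bytes 1.1e+07\n"
if __name__ == "__main__":
    print(check_cluster({"vault-0:8200": HEALTHY, "vault-1:8200": SEALED}))
```

A "missing metric" finding on a node that is otherwise up usually means the telemetry stanza was not loaded or the metric name differs in the running Vault version.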

Option A — Prometheus scrape

scrape_configs:
  - job_name: vault
    scheme: https                      # the metrics URL above is served over HTTPS
    metrics_path: /v1/sys/metrics
    params:
      format: [prometheus]
    bearer_token: <vault-token>        # Vault token presented on every scrape
    static_configs:
      - targets: ['localhost:8200']

remote_write:
  - url: https://<region>.xscalerlabs.com/api/v1/push
    headers:
      X-Scope-OrgID: <tenant-id>
    basic_auth:
      password: <api-token>

Option B — Grafana Alloy

prometheus.scrape "vault" {
  targets      = [{"__address__" = "localhost:8200"}]
  scheme       = "https"               // the metrics URL above is served over HTTPS
  metrics_path = "/v1/sys/metrics"
  params       = { format = ["prometheus"] }
  bearer_token = "<vault-token>"       // Vault token presented on every scrape
  forward_to   = [prometheus.remote_write.xscaler.receiver]
}

prometheus.remote_write "xscaler" {
  endpoint {
    url     = "https://<region>.xscalerlabs.com/api/v1/push"
    headers = { "X-Scope-OrgID" = "<tenant-id>" }
    basic_auth { password = "<api-token>" }
  }
}

Option C — OpenTelemetry Collector

receivers:
  prometheus:
    config:
      scrape_configs:
        - job_name: vault
          scheme: https                # the metrics URL above is served over HTTPS
          metrics_path: /v1/sys/metrics
          params:
            format: [prometheus]
          bearer_token: ${VAULT_TOKEN} # Vault token read from the environment
          static_configs:
            - targets: ['localhost:8200']

exporters:
  prometheusremotewrite:
    endpoint: https://<region>.xscalerlabs.com/api/v1/push
    headers:
      Authorization: Bearer <api-token>
      X-Scope-OrgID: <tenant-id>

service:
  pipelines:
    metrics:
      receivers: [prometheus]
      exporters: [prometheusremotewrite]

Logs

Collect the HashiCorp Vault audit log and server log via the systemd journal. Add the following to your Alloy config:

loki.source.journal "vault_journal" {
  forward_to    = [loki.write.xscaler.receiver]
  relabel_rules = loki.relabel.vault_journal.rules
  labels = {
    job      = "integrations/vault",
    instance = constants.hostname,
  }
}

// Copy the systemd unit name into a "unit" label on each log line.
loki.relabel "vault_journal" {
  forward_to = []
  rule {
    source_labels = ["__journal__systemd_unit"]
    target_label  = "unit"
  }
}

loki.write "xscaler" {
  endpoint {
    url = "https://euw1-01.l.xscalerlabs.com/api/v1/logs/push"

    // Alloy takes the authorization block directly under endpoint.
    authorization {
      type        = "Bearer"
      credentials = env("XSCALER_TOKEN")
    }

    headers = { "X-Scope-OrgID" = env("XSCALER_TENANT_ID") }
  }
}