HashiCorp Vault Integration

Monitor seal status, token lifecycle, audit log events, secret engine health, and PKI certificate expiry across your Vault clusters. Security observability meets operational monitoring.

Setup

How It Works

01

Enable Vault Telemetry

Add the telemetry stanza to your vault.hcl configuration. Vault exposes Prometheus-compatible metrics at /v1/sys/metrics; TigerOps scrapes this endpoint with a Vault token bound to a policy that grants read on sys/metrics.

02

Create a Monitoring Policy

Create a Vault policy that grants read access to sys/metrics and sys/health. TigerOps uses a dedicated service token with this policy — it never requires root or admin tokens.

03

Configure Audit Log Ingestion

Enable a Vault audit device with the file or socket backend and point TigerOps at it. TigerOps ingests the audit events for secret reads, writes, token operations, and auth method usage for security visibility.

04

Set Seal & Token Alerts

Configure alerts for seal status changes, token TTL expiry warnings, and error rate spikes per secret engine. TigerOps fires an immediate alert on any transition of a Vault node to sealed or standby.
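The seal and standby transition alerting described in this step, as an added example that is not TigerOps' or Vault's own code: it reduces GET /v1/sys/health responses to one state per node using Vault's documented default status codes together with the body's boolean flags, diffs two polling rounds, and emits one alert per node whose state changed, plus a leadership-change check. The HealthSample class, the node names and both polling rounds are constructed for the example; Python stands in for whatever language the collector is written in.

```python
# Added example (not TigerOps' or Vault's code): seal/standby/leader transition
# alerting driven by GET /v1/sys/health responses. Samples below are constructed.
from dataclasses import dataclass, field

# Default HTTP status codes for GET /v1/sys/health, per the Vault API docs.
# Vault lets callers remap them with query parameters (standbyok, sealedcode, ...),
# so a poller should also read the body flags and never trust the code alone.
HEALTH_STATUS = {
    200: "active",
    429: "standby",
    472: "dr-secondary",
    473: "performance-standby",
    501: "uninitialized",
    503: "sealed",
}

CRITICAL_STATES = {"sealed", "uninitialized", "unreachable"}


@dataclass
class HealthSample:
    node: str
    status_code: int
    body: dict = field(default_factory=dict)  # parsed JSON body of sys/health


def classify(sample):
    """Reduce one sys/health response to a single state string.
    Body flags take precedence because the status code is remappable."""
    body = sample.body
    if not body.get("initialized", True):
        return "uninitialized"
    if body.get("sealed"):
        return "sealed"
    if body.get("performance_standby"):
        return "performance-standby"
    if body.get("standby"):
        return "standby"
    return HEALTH_STATUS.get(sample.status_code, f"unknown({sample.status_code})")


def seal_transitions(previous, current):
    """Diff two polling rounds (dict node -> HealthSample) and return one alert per
    node whose state changed. Nodes missing from the new round are reported as
    unreachable, because a sealed or crashed node may simply stop answering."""
    alerts = []
    for node, sample in current.items():
        new_state = classify(sample)
        old_state = classify(previous[node]) if node in previous else None
        if old_state == new_state:
            continue
        alerts.append({"node": node, "from": old_state, "to": new_state,
                       "severity": "critical" if new_state in CRITICAL_STATES else "warning"})
    for node in previous:
        if node not in current:
            alerts.append({"node": node, "from": classify(previous[node]),
                           "to": "unreachable", "severity": "critical"})
    return alerts


def active_nodes(samples):
    """Nodes reporting active; a healthy HA cluster has exactly one."""
    return sorted(n for n, s in samples.items() if classify(s) == "active")


def leader_change(previous, current):
    """Return (old_active, new_active) when leadership moved, else None."""
    before, after = active_nodes(previous), active_nodes(current)
    return None if before == after else (before, after)


# Constructed polling rounds: node1 is leader, then seals; node2 takes over.
ROUND_1 = {
    "node1": HealthSample("node1", 200, {"initialized": True, "sealed": False, "standby": False}),
    "node2": HealthSample("node2", 429, {"initialized": True, "sealed": False, "standby": True}),
    "node3": HealthSample("node3", 429, {"initialized": True, "sealed": False, "standby": True}),
}
ROUND_2 = {
    "node1": HealthSample("node1", 503, {"initialized": True, "sealed": True, "standby": False}),
    "node2": HealthSample("node2", 200, {"initialized": True, "sealed": False, "standby": False}),
    "node3": HealthSample("node3", 429, {"initialized": True, "sealed": False, "standby": True}),
}

if __name__ == "__main__":
    for a in seal_transitions(ROUND_1, ROUND_2):
        print(f"[{a['severity']}] {a['node']}: {a['from']} -> {a['to']}")
    print("leader change:", leader_change(ROUND_1, ROUND_2))
```

Polling every node individually (rather than only the load-balanced address) is what makes the unreachable and leadership checks meaningful: behind a load balancer a sealed standby is invisible until it is the only node left.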

Capabilities

What You Get Out of the Box

Seal Status & HA Health

Real-time seal status, standby node count, and active cluster leader tracking for Vault HA deployments. TigerOps fires immediate alerts on any seal or leadership change event.

Token Lifecycle Metrics

Token creation rate, TTL expiry distribution, and orphaned token accumulation. TigerOps alerts on token lease exhaustion and tracks auth method usage by source IP and entity.

Audit Log Security Events

Ingests Vault audit log entries for secret access, denied requests, and policy violations. TigerOps correlates unusual access patterns with application traces for security investigation.

Secret Engine Request Rates

Read, write, and list request rates per secret engine path (kv, pki, database, transit, ssh). Identify secret engines under high load or experiencing elevated error rates.

PKI Certificate Expiry

Track certificate expiry for all certificates issued by the Vault PKI secret engine. TigerOps alerts with configurable lead time before certificates expire to prevent outages.

Raft & Storage Health

Integrated Raft storage commit latency, leader election events, and follower replication lag for Vault Integrated Storage (Raft) deployments.

Configuration

vault.hcl Telemetry Stanza

Add the telemetry stanza to your vault.hcl and create a minimal monitoring policy to enable TigerOps metric collection.

vault.hcl
# vault.hcl — telemetry stanza for TigerOps
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "node1"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt"
  tls_key_file  = "/opt/vault/tls/vault.key"

  # Keep /v1/sys/metrics behind a token; TigerOps authenticates with its service token.
  # unauthenticated_metrics_access is a listener telemetry option, not a top-level one.
  telemetry {
    unauthenticated_metrics_access = false
  }
}

# Enable the Prometheus-compatible metrics endpoint
# (scraped from /v1/sys/metrics?format=prometheus)
telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = false
}

tigerops-monitoring.hcl
# Vault policy for TigerOps: read-only access to metrics and health, nothing else
path "sys/metrics" {
  capabilities = ["read"]
}

path "sys/health" {
  capabilities = ["read"]
}

Shell
# Create the policy and a periodic service token for the scraper
vault policy write tigerops-monitoring tigerops-monitoring.hcl

vault token create \
  -policy="tigerops-monitoring" \
  -period=768h \
  -display-name="tigerops-scraper" \
  -no-default-policy

# Optional: file audit device for TigerOps security event ingestion
vault audit enable file file_path="/var/log/vault/audit.log"

# TigerOps tails this file via the log collector.
# Alternatively, use a socket audit device for real-time streaming:
# vault audit enable socket address="tigerops-collector:9095" socket_type="tcp"
# Note: Vault refuses any request it cannot write to at least one audit device,
# so keep the file device enabled alongside the socket device in case the
# collector becomes unreachable.

FAQ

Common Questions

Does TigerOps need a root token to monitor Vault?

No. TigerOps uses a dedicated service token with a minimal policy that grants only sys/metrics:read and sys/health:read. This principle of least privilege means TigerOps has no access to your secrets or administrative functions.

Can TigerOps monitor Vault deployed on Kubernetes?

Yes. TigerOps supports Vault running on Kubernetes with the Vault Helm chart, Vault deployed manually, and HCP Vault Dedicated. The scrape endpoint is discovered from the Kubernetes service automatically when using the TigerOps Kubernetes agent.

Does TigerOps support Vault Enterprise namespaces?

Yes. TigerOps supports Vault Enterprise namespaces. You can configure separate monitoring tokens per namespace and view per-namespace metrics, audit events, and health status in TigerOps.

How are audit logs handled from a security perspective?

TigerOps ingests Vault audit log events with secret values redacted — only paths, auth methods, and operation types are recorded. Secret values are never extracted from the HMAC-hashed audit log. All data is encrypted in transit and at rest.
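An added example, not TigerOps' or Vault's own code, of what audit-log ingestion with a redaction check looks like; it covers both the Audit Log Security Events capability above and this answer. It parses JSON lines in the shape a Vault file audit device writes, reports denied requests and per-engine request counts, and verifies that every string under the fields Vault HMACs (request and response data, client tokens, accessors) carries the hmac-sha256: prefix, so a device that has been misconfigured to log raw values is caught by the consumer instead of trusted. The sample lines, identities, addresses and the plaintext value in the fourth entry are all constructed.

```python
# Added example (not TigerOps' or Vault's code): extract security events from the
# JSON lines a Vault file audit device writes and verify that secret-bearing
# fields carry Vault's hmac-sha256: prefix. All sample lines are constructed.
import json
from collections import Counter

HMAC_PREFIX = "hmac-sha256:"

# Locations whose string values Vault HMACs before writing an audit entry
# (unless a mount exempts specific keys via audit_non_hmac_*_keys).
SENSITIVE_ROOTS = (
    "request.data", "response.data",
    "request.client_token", "request.client_token_accessor",
    "auth.client_token", "auth.accessor",
)


def _line(**fields):
    return json.dumps(fields)


# Constructed sample in the shape of Vault's file audit device output (one JSON object per line).
SAMPLE_AUDIT_LINES = [
    _line(type="response", auth={"display_name": "approle-web", "client_token": "hmac-sha256:a1",
                                 "accessor": "hmac-sha256:a2", "policies": ["web-read"]},
          request={"operation": "read", "path": "kv/data/web/db", "remote_address": "10.0.1.5",
                   "client_token": "hmac-sha256:a1"},
          response={"data": {"data": {"password": "hmac-sha256:c3"}}}),
    _line(type="response", auth={"display_name": "token-ci", "client_token": "hmac-sha256:b1",
                                 "accessor": "hmac-sha256:b2", "policies": ["default"]},
          request={"operation": "update", "path": "pki/issue/server", "remote_address": "10.0.2.9",
                   "client_token": "hmac-sha256:b1"},
          error="1 error occurred:\n\t* permission denied\n\n"),
    _line(type="request", auth={"display_name": "approle-web", "client_token": "hmac-sha256:a1"},
          request={"operation": "update", "path": "transit/encrypt/app", "remote_address": "10.0.1.5",
                   "client_token": "hmac-sha256:a1", "data": {"plaintext": "hmac-sha256:d4"}}),
    _line(type="response", auth={"display_name": "approle-payments", "client_token": "hmac-sha256:e1",
                                 "accessor": "hmac-sha256:e2", "policies": ["payments"]},
          request={"operation": "read", "path": "kv/data/payments", "remote_address": "10.0.3.7",
                   "client_token": "hmac-sha256:e1"},
          # constructed misconfiguration: a secret written in the clear instead of HMAC'd
          response={"data": {"data": {"api_key": "CONSTRUCTED-PLAINTEXT-VALUE"}}}),
    _line(type="response", auth={"display_name": "token-admin", "client_token": "hmac-sha256:f1",
                                 "accessor": "hmac-sha256:f2", "policies": ["admin"]},
          request={"operation": "update", "path": "auth/token/create", "remote_address": "10.0.9.1",
                   "client_token": "hmac-sha256:f1"}),
    "not json at all",  # constructed corrupt line; the collector must skip it, not crash
]


def parse_audit_lines(lines):
    """Parse JSON-lines audit output; return (entries, malformed_line_count)."""
    entries, malformed = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entries.append(json.loads(raw))
        except json.JSONDecodeError:
            malformed += 1
    return entries, malformed


def _lookup(entry, dotted):
    node = entry
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _walk(node, prefix, out):
    # Vault only HMACs strings; numbers and booleans are written as-is, so only strings are checked.
    if isinstance(node, dict):
        for k, v in node.items():
            _walk(v, f"{prefix}.{k}", out)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{prefix}[{i}]", out)
    elif isinstance(node, str) and not node.startswith(HMAC_PREFIX):
        out.append(prefix)


def unredacted_fields(entry):
    """Dotted paths of sensitive string values that are NOT HMAC'd (should be empty)."""
    out = []
    for root in SENSITIVE_ROOTS:
        node = _lookup(entry, root)
        if node is not None:
            _walk(node, root, out)
    return out


def is_denied(entry):
    return "permission denied" in (entry.get("error") or "")


def engine_of(path):
    """Mount prefix of a request path: 'kv/data/x' -> 'kv', 'auth/token/create' -> 'auth'."""
    return path.split("/", 1)[0] if path else ""


def summarize(entries):
    """Security rollup over response entries (one per completed request)."""
    denied, unredacted, per_engine = [], [], Counter()
    for e in entries:
        if e.get("type") != "response":
            continue
        req, auth = e.get("request", {}), e.get("auth", {})
        per_engine[engine_of(req.get("path", ""))] += 1
        if is_denied(e):
            denied.append({"identity": auth.get("display_name"), "operation": req.get("operation"),
                           "path": req.get("path"), "remote_address": req.get("remote_address")})
        bad = unredacted_fields(e)
        if bad:
            unredacted.append({"path": req.get("path"), "fields": bad})
    return {"denied": denied, "unredacted": unredacted, "per_engine": dict(per_engine)}


if __name__ == "__main__":
    parsed, bad_lines = parse_audit_lines(SAMPLE_AUDIT_LINES)
    print(json.dumps(summarize(parsed), indent=2), "malformed lines:", bad_lines)
```

Two caveats for real deployments: a mount can legitimately exempt keys from hashing with the audit_non_hmac_request_keys and audit_non_hmac_response_keys tune options, so the redaction check needs a per-path allowlist for those; and an audit device enabled with log_raw=true writes everything in the clear, which is exactly the condition the unredacted check is there to surface.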

Can TigerOps alert on certificate expiry from the Vault PKI engine?

Yes. TigerOps monitors the Vault PKI secret engine and tracks all issued certificate expiry dates. You configure a lead-time threshold (e.g., alert 30 days before expiry) and TigerOps fires alerts and creates incident timeline entries before certificates expire.

Get Started

Full Visibility Into Your Vault Infrastructure

No credit card required. Connect in minutes. Seal status, token metrics, and audit events immediately.