vHSM Telemetry Parameters

Learn about the telemetry parameters that you need for aggregation software such as Prometheus.


Last updated 27 days ago


The vHSM server collects runtime telemetry to provide insight into the performance of its internal components and subsystems. Metrics are aggregated every 10 seconds and stored in-memory for one minute. High-cardinality metrics are reported every 10 minutes, or at a custom interval defined in the telemetry stanza.

To persist and monitor these metrics, vHSM can stream telemetry data to external aggregation software such as Prometheus.

These tools can be configured within vHSM’s telemetry stanza to receive and process metrics for long-term storage and monitoring. For example, Prometheus can scrape metrics from the /v1/sys/metrics endpoint for visualization and alerting.

Common Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| usage_gauge_period | string | "10m" | Interval for collecting high-cardinality usage data. Set to "none" to disable. |
| maximum_gauge_cardinality | int | 500 | Maximum cardinality of gauge labels. |
| disable_hostname | bool | false | Prefixes gauge values with the local hostname if set to false. |
| enable_hostname_label | bool | false | Adds host label with local hostname to all metrics. Recommended to enable disable_hostname if this is used. |
| metrics_prefix | string | "vhsm" | Prefix for metric values. |
| lease_metrics_epsilon | string | "1h" | Size of buckets for lease expiration metrics. |
| num_lease_metrics_buckets | int | 168 | Number of lease expiration buckets. |
| add_lease_metrics_namespace_labels | bool | false | Adds namespace labels to lease expiration metrics. May increase cardinality. |
| add_mount_point_rollback_metrics | bool | false | Enables rollback metrics per mount point. May increase cardinality. |
| filter_default | bool | true | Whether to allow metrics not matched by any filter. |
| prefix_filter | array | [] | Filters metrics by prefix. Example: ["+vhsm.token", "-vhsm.expire"] |
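
To check which metrics a given prefix_filter and filter_default would let through to an external aggregator, the following added example (not vHSM code) evaluates a filter against a list of metric names. It assumes that "+" allows and "-" blocks, that matching is by plain string prefix, and that the longest matching prefix wins; the page does not state how overlapping entries are resolved, and the metric names are constructed.

```python
# Added example, not vHSM code. Assumption: an entry is "+prefix" (allow) or
# "-prefix" (block), matching is plain string-prefix, and the longest matching
# prefix wins; metrics matched by no entry fall back to filter_default.

def parse_prefix_filter(entries):
    """Split ["+a", "-b"] into {prefix: allowed}; reject malformed entries."""
    rules = {}
    for entry in entries:
        if len(entry) < 2 or entry[0] not in "+-":
            raise ValueError(f"prefix_filter entry must start with + or -: {entry!r}")
        rules[entry[1:]] = entry[0] == "+"
    return rules


def is_exported(metric, rules, filter_default=True):
    """Return True if `metric` would be passed on to the aggregator."""
    matches = [p for p in rules if metric.startswith(p)]
    if not matches:
        return filter_default
    return rules[max(matches, key=len)]


def audit(metrics, prefix_filter, filter_default=True):
    """Map each metric name to its export decision."""
    rules = parse_prefix_filter(prefix_filter)
    return {m: is_exported(m, rules, filter_default) for m in metrics}


# Constructed metric names for illustration; real names depend on the deployment.
SAMPLE_METRICS = [
    "vhsm.token.create",
    "vhsm.expire.revoke",
    "vhsm.expire.num_leases",
    "vhsm.core.unseal",
]

# The page's example filter plus one overlapping allow entry (constructed).
FILTER = ["+vhsm.token", "-vhsm.expire", "+vhsm.expire.num_leases"]

if __name__ == "__main__":
    for default in (True, False):
        print(f"filter_default={default}")
        for name, ok in audit(SAMPLE_METRICS, FILTER, default).items():
            print(f"  {'export' if ok else 'drop  '}  {name}")
```

With filter_default set to false the filter acts as an allowlist, so only metrics under an explicit "+" prefix leave the server.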

Prometheus Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| prometheus_retention_time | string | "24h" | Duration Prometheus metrics are retained. Set to 0 to disable. |
| disable_hostname | bool | false | Disables hostname prefix in metrics. Recommended to enable for Prometheus. |

Prometheus Endpoint

The /v1/sys/metrics endpoint is only accessible on active vHSM nodes. To enable it on standby nodes, unauthenticated metrics access must be enabled. Querying the endpoint with headers such as Accept: prometheus/telemetry will return Prometheus-formatted data.

Authorization

A vHSM token with ["read", "list"] capabilities to /v1/sys/metrics is required. The Prometheus bearer_token or bearer_token_file must be specified.

Prometheus Scrape Job Example

# prometheus.yml
scrape_configs:
  - job_name: 'vhsm'
    metrics_path: "/v1/sys/metrics"
    scheme: https
    tls_config:
      ca_file: <your_ca_here.pem>
    # Alternatively, use bearer_token_file to keep the token out of prometheus.yml.
    bearer_token: "<your_vhsm_token_here>"
    static_configs:
      - targets: ['<your_vhsm_server_here:8200>']

vHSM Telemetry Configuration Example

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname = true
}