Skip to main content

Azure Key Vault

Overview​

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. Key Vault service supports two types of containers: vaults and managed HSM pools. Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys.

The Centreon Monitoring Connector Azure Key Vault can rely on Azure API or Azure CLI to collect the metrics related to the Key Vault service.

Monitoring Connector Assets​

Monitored Objects​

  • Azure Key Vault instances

Discovery rules​

The Centreon Monitoring Connector Azure Key Vault includes a Host Discovery provider to automatically discover the Azure instances of a given subscription and add them to the Centreon configuration. This provider is named Microsoft Azure Key Vault:

image

This discovery feature is only compatible with the 'api' custom mode. 'azcli' is not supported yet.

More information about the Host Discovery module is available in the Centreon documentation: Host Discovery

Collected Metrics​

Metric nameDescriptionUnit
keyvault.serviceapi.hits.countTotal Service Api HitsCount
keyvault.serviceapi.latency.millisecondsOverall Service Api LatencyB
keyvault.serviceapi.results.countTotal Service Api ResultsCount

Prerequisites​

Please find all the prerequisites needed for Centreon to get information from Azure on the dedicated page.

Setup​

  1. Install the Centreon package on every Centreon poller expected to monitor Azure Key Vault resources:
yum install centreon-plugin-Cloud-Azure-Security-KeyVault-Api
  1. On the Centreon Web interface, install the Azure Key Vault Centreon Monitoring Connector on the Configuration > Monitoring Connector Manager page

Configuration​

Host​

  • Log into Centreon and add a new Host through "Configuration > Hosts".

  • In the IP Address/FQDN field, set the following IP address: '127.0.0.1'.

  • Select the Cloud-Azure-Security-KeyVault-custom template to apply to the Host.

  • Once the template applied, some Macros marked as 'Mandatory' hereafter have to be configured. These mandatory Macros differ regarding the custom mode used:

MandatoryNomDescription
XAZURECUSTOMMODECustom mode 'api'
XAZURESUBSCRIPTIONSubscription ID
XAZURETENANTTenant ID
XAZURECLIENTIDClient ID
XAZURECLIENTSECRETClient secret
XAZURERESOURCEId of the Key Vault instance

FAQ​

How to check in the CLI that the configuration is OK and what are the main options for ?​

Once the Plugin installed, log into your Centreon Poller CLI using the centreon-engine user account and test the Plugin by running the following command:

/usr/lib/centreon/plugins/centreon_azure_security_keyvault_api.pl \
--plugin=cloud::azure::security::keyvault::plugin \
--mode=vault-availability \
--custommode=api \
--subscription='xxxxxxxxx' \
--tenant='xxxxxxxxx' \
--client-id='xxxxxxxxx' \
--client-secret='xxxxxxxxx' \
--resource='KEY001ABCD' \
--timeframe='900' \
--interval='PT5M' \
--aggregation='average' \
--warning-vault-availability-percentage='100:' \
--critical-vault-availability-percentage='50:'

Expected command output is shown below:

OK: Instance 'KEY001ABCD' Statistic 'average' Metrics Overall Vault Availability: 100.00% |
'KEY001ABCD~average#keyvault.vault.availability.percentage'=100.00%;100:;50:;0;100

The command above checks the availability of an Azure Key Vault instance using the 'api' custom-mode (--plugin=cloud::azure::security::keyvault::plugin --mode=vault-availability --custommode=api). This Key Vault is identified by its id (--resource='KEY001ABCD') and the authentication parameters to be used with the custom mode are specified in the options (--subscription='xxxxxxxxx' --tenant='xxxxxxx' --client-id='xxxxxxxx' --client-secret='xxxxxxxxxx').

The calculated metrics are an average (--aggregation='average') of values on a 900 secondes / 15 min period (--timeframe='900') with one sample per 5 minutes (--interval='PT5M').

This command would trigger a WARNING alarm if the availability of the Key Vault instance is reported as less then 100% (--warning-vault-availability-percentage) and a CRITICAL alarm if less than 50% (--critical-vault-availability-percentage='50:').

All the available options for a given mode can be displayed by adding the --help parameter to the command:

/usr/lib/centreon/plugins/centreon_azure_security_keyvault_api.pl \
--plugin=cloud::azure::security::keyvault::plugin \
--mode=datapath \
--help

Troubleshooting​

The Azure credentials have changed and the Plugin does not work anymore​

The Plugin is using a cache file to keep connection information and avoid an authentication at each call. If some of the authentication parameters change, you must delete the cache file.

The cache file can be found within /var/lib/centreon/centplugins/ folder with a name similar to azureapi<md5>_<md5>_<md5>_<md5>.

UNKNOWN: Login endpoint API returns error code 'ERROR_NAME' (add --debug option for detailed message)​

When I run my command I obtain the following error message: UNKNOWN: Login endpoint API returns error code 'ERROR_NAME' (add --debug option for detailed message).

It means that some parameters used to authenticate the API request are wrong. The 'ERROR_NAME' string gives some hints about where the problem stands.

As an example, if my Client ID or Client Secret are wrong, 'ERROR_DESC' value will be 'invalid_client'.

UNKNOWN: 500 Can't connect to login.microsoftonline.com:443​

This error message means that the Centreon Plugin couldn't successfully connect to the Azure Login API. Check that no third party device (such as a firewall) is blocking the request. A proxy connection may also be necessary to connect to the API. This can be done by using this option in the command: --proxyurl='http://proxy.mycompany:8080'.

UNKNOWN: No metrics. Check your options or use --zeroed option to set 0 on undefined values​

This command result means that Azure does not have any value for the requested period. This result can be overriden by adding the --zeroed option in the command. This will force a value of 0 when no metric has been collected and will prevent the UNKNOWN error message.