Monitoring Vault via Splunk

Hi there, I am working on creating alerts and monitoring our Vault Enterprise that is hosted in GKE using Splunk. Is there a guide I could follow or like a template of basic alerts I should be looking at creating?

Hi, if you have the Enterprise version, you can get the Splunk App:

Thanks Joffrey, yeah I saw that as well, we tried to install it but it is not getting any data at all. (perhaps we are doing something wrong so we’ll check the config).

Would you say this would have everything I need in terms of basic monitoring and alerting?

Perhaps you have some default monitoring points (disk full, CPU, RAM, …).
I use auditd, and send some /var/log files to Splunk to monitor activity (of course server login).
And check the HTTP status code on the health endpoint: /sys/health - HTTP API | Vault | HashiCorp Developer
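An added example (not from any poster in this thread, and not HashiCorp's code) of the health-endpoint check suggested above: it maps the default `/sys/health` status codes to node states, adds a cluster-level verdict, and emits JSON events that Splunk can index. The node names, event field names and the "exactly one active node per cluster" rule are assumptions; the probe results are constructed sample data rather than live HTTP calls.

```python
import json

# Default /sys/health status codes as documented for Vault.
HEALTH_CODES = {
    200: ("active", "ok"),             # initialized, unsealed, active
    429: ("standby", "ok"),            # unsealed, standby
    472: ("dr_secondary", "ok"),       # DR replication secondary, active
    473: ("perf_standby", "ok"),       # performance standby
    501: ("uninitialized", "critical"),
    503: ("sealed", "critical"),
}

def classify(node, status_code):
    """Turn one probe result into an event; status_code None means no HTTP response."""
    if status_code is None:
        state, severity = "unreachable", "critical"
    else:
        state, severity = HEALTH_CODES.get(status_code, ("unknown", "warning"))
    return {"node": node, "http_status": status_code,
            "state": state, "severity": severity}

def evaluate_cluster(probes):
    """probes: {node: status code or None} for the pods of ONE cluster (assumption).
    Returns the per-node events followed by one cluster-level event."""
    events = [classify(n, c) for n, c in sorted(probes.items())]
    active = [e["node"] for e in events if e["state"] == "active"]
    if len(active) == 1:
        state, severity = "one_active", "ok"
    elif not active:
        state, severity = "no_active_node", "critical"
    else:
        state, severity = "multiple_active", "critical"
    events.append({"node": "cluster", "state": state,
                   "severity": severity, "active_nodes": active})
    return events

def to_splunk_lines(events):
    """One JSON object per line, suitable for stdout collection."""
    return [json.dumps(e, sort_keys=True) for e in events]

# Constructed sample: hypothetical pod names with the status code each returned.
SAMPLE = {"vault-0": 200, "vault-1": 429, "vault-2": 503}

if __name__ == "__main__":
    for line in to_splunk_lines(evaluate_cluster(SAMPLE)):
        print(line)
```

An alert on `severity="critical"` then covers sealed, uninitialized and unreachable nodes as well as a cluster with no active node.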

Hi! Can you share a bit more about how you configured the flow of data and metrics from Vault Enterprise to Splunk? I’ve found it to be a tricky process, even with this considerable guidance. Ta!

I am not sure of this yet, I am pretty new to Vault and Splunk (less than a year of experience) so I might need to dig deeper into this, and I’ll probably start from the HashiCorp Docs. I am just hoping someone has a predefined search index I could grab the idea from.

Good question. So at the moment our Vault is running in GKE, and we haven’t set any telemetry in our Vault config and have enabled the audit logs as stdout. As of now, what I know is that the server and audit logs are being pushed to GCP PubSub, from which Splunk is grabbing the data.