Conjur Nodes and/or docker containers monitoring

vmaddirala · October 28, 2020, 2:01am

Hello Conjur Gurus,

We are trying to setup monitoring for Conjur service as well as the disk on the follower host nodes. We are running version 11.2 and the AWS AMIs don’t support cloudwatch agent installation. Can you please chime in with some guidance. Thanks.

sjohnkennedy · October 28, 2020, 3:11pm

Are you using the conjur AWS AMI or you have Conjur enterprise on top of Docker?

vmaddirala · October 28, 2020, 7:23pm

We are Using Conjur AWS AMI.

sjohnkennedy · October 28, 2020, 10:26pm

@vmaddirala I have not had exposure with AWS AMI.

@nathan.whipple might have some inputs on this.

nathan.whipple · October 29, 2020, 4:34pm

Hi Vamsi,

As of 11.7, we’ve moved the host OS of the AMIs to use Amazon Linux 2. Once you’ve upgraded to the latest version using these new AMIs you should be able to install the CloudWatch agent without issue. Let’s get a conversation going with Jason G. about upgrading and if you’d prefer PS assistance to perform the upgrade. At a high level, the upgrade process would look like this:

Request the latest AMI versions
Deploy new EC2 instances based on this AMI
Generate a backup on your old master
Restore backup on new master
Update DNS records to point original FQDN to new master instance IP address
Configure standbys and followers
Update DNS records for standbys and followers

Note: If the original FQDNs of the old instances cannot be reused, new certificates with the new names will be required. Depending on your certificate age, it may be desirable to refresh the certificates as part of this effort anyhow.

HTH!

Regards,
Nate

vmaddirala · October 29, 2020, 4:59pm

Good news switching to Amazon Linux 2, the current CoreOS AMI is unfriendly for any third party installations (Cloudwatch/Zabbix etc).

I think the upgrade discussion with Jason is in progress, we might be looking for PS assistance before the end of the year.

Thanks

Vamsi.

vmaddirala · October 29, 2020, 5:02pm

Hi Nathan,

Any other ideas for monitoring the service and the disk on the nodes in the mean time?

Thanks

Vamsi.

nathan.whipple · October 29, 2020, 6:01pm

Hi Vamsi,

If funneling the monitoring information into CloudWatch is a requirement, I’d look into doing this via syslog. A quick google search turns up a couple of tools that might work to that end. A tool of your choosing would be deployed as a syslog receiver and DAP would send docker logs and the like to that, which would then forward on to CloudWatch. It’s an admittedly poor solution to this challenge, but possibly adequate as a stop-gap.

Regards,
Nate

vmaddirala · October 29, 2020, 7:16pm

Could you provide any specific syslog tool and notes around setting up DAP to send docker logs, if possible.

Thanks

Vamsi.

nathan.whipple · October 29, 2020, 8:22pm

Hi Vamsi,

Unfortunately, I can’t endorse a particular tool or vendor.

Regards,
Nate

Topic		Replies	Views
Starting the Conjur Journey - Sever Setup Secrets Management - Conjur, Secrets Hub & CP	4	1049	February 13, 2020
Am I missing a Trick? Conjur Enterprise howto , dap	3	548	May 5, 2021
Container monitoring Conjur Enterprise	3	601	November 5, 2019
DAP on Amzon EKS Conjur Enterprise howto , dap	2	602	March 26, 2021
Follower logs to troubleshoot for container not ready Conjur Enterprise	5	953	June 24, 2020

Conjur Nodes and/or docker containers monitoring

Related Topics