Monitoring Conjur nodes and/or Docker containers

Hello Conjur Gurus,

We are trying to set up monitoring for the Conjur service as well as the disk on the follower host nodes. We are running version 11.2 and the AWS AMIs don't support CloudWatch agent installation. Can you please chime in with some guidance. Thanks.

Are you using the Conjur AWS AMI, or do you have Conjur Enterprise on top of Docker?

We are using the Conjur AWS AMI.

@vmaddirala I have not had exposure to the AWS AMI.

@nathan.whipple might have some input on this.

Hi Vamsi,

As of 11.7, we've moved the host OS of the AMIs to Amazon Linux 2. Once you've upgraded to the latest version using these new AMIs, you should be able to install the CloudWatch agent without issue. Let's get a conversation going with Jason G. about upgrading and whether you'd prefer PS assistance to perform the upgrade. At a high level, the upgrade process would look like this:

  • Request the latest AMI versions
  • Deploy new EC2 instances based on this AMI
  • Generate a backup on your old master
  • Restore backup on new master
  • Update DNS records to point original FQDN to new master instance IP address
  • Configure standbys and followers
  • Update DNS records for standbys and followers

Note: If the original FQDNs of the old instances cannot be reused, new certificates with the new names will be required. Depending on your certificate age, it may be desirable to refresh the certificates as part of this effort anyhow.

HTH!

Regards,
Nate

Good news on switching to Amazon Linux 2; the current CoreOS AMI is unfriendly to any third-party installations (CloudWatch/Zabbix, etc.).

I think the upgrade discussion with Jason is in progress, we might be looking for PS assistance before the end of the year.

Thanks

Vamsi.

Hi Nathan,

Any other ideas for monitoring the service and the disk on the nodes in the meantime?

Thanks

Vamsi.

Hi Vamsi,

If funneling the monitoring information into CloudWatch is a requirement, I'd look into doing this via syslog. A quick Google search turns up a couple of tools that might work to that end. A tool of your choosing would be deployed as a syslog receiver, and DAP would send Docker logs and the like to that, which would then forward them on to CloudWatch. It's an admittedly poor solution to this challenge, but possibly adequate as a stop-gap.

Regards,
Nate
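To make the syslog stop-gap concrete, here is an added example (not Conjur/DAP code and not something Nate or CyberArk supplied) of the receiving side: a small UDP syslog listener that parses the RFC 3164-style lines Docker's `syslog` log driver emits by default, groups them per container, and packs them into batches that satisfy the CloudWatch Logs `put_log_events` limits (chronological order, at most 10,000 events, at most 1,048,576 bytes counting each message as its length plus 26 bytes). The container names (`conjur`, `nginx`), host name `follower-1`, port 5514 and the sample log lines are all constructed for the example; the Docker flags `--log-driver syslog`, `--log-opt syslog-address=udp://host:port` and `--log-opt tag="{{.Name}}"` are real Docker options, and `put_log_events` is the real boto3 call, left as a comment so the block runs offline.

```python
"""Added example: minimal syslog receiver that turns Docker syslog-driver lines
into CloudWatch Logs put_log_events batches. Not Conjur/DAP project code."""
import re
import socket
from datetime import datetime, timezone

# Docker's syslog log driver (--log-driver syslog) emits RFC 3164-style lines:
#   <PRI>Mon dd HH:MM:SS host tag[pid]: message
# PRI = facility * 8 + severity. With --log-opt tag="{{.Name}}" the tag is the
# container name (default is the first 12 characters of the container ID).
# Lines using --log-opt syslog-format=rfc5424 are not handled by this regex.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines for this example (hypothetical container names).
SAMPLE_LINES = [
    "<30>Nov  5 14:02:11 follower-1 conjur[1234]: GET /health 200",
    "<27>Nov  5 14:02:12 follower-1 conjur[1234]: disk usage 91% on /var/lib/docker",
    "<30>Nov  5 14:02:10 follower-1 nginx[77]: upstream ok",
    "this line is not syslog at all",
]


def parse_syslog(line, year=None):
    """Parse one RFC 3164 line; return a dict or None if it does not match.
    RFC 3164 timestamps carry no year, so the caller may supply one (UTC assumed)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 23 / severity 7 is the largest legal PRI
        return None
    year = year or datetime.now(timezone.utc).year
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "facility": pri // 8,
        "severity": SEVERITY[pri % 8],
        "timestamp_ms": int(ts.timestamp() * 1000),  # CloudWatch wants epoch ms
        "host": m["host"],
        "container": m["tag"],
        "message": m["msg"],
    }


def build_batches(parsed, max_events=10000, max_bytes=1_048_576):
    """Group parsed events by container (one CloudWatch log stream each) and
    split them into put_log_events-sized batches: chronological, at most
    max_events entries, at most max_bytes counting len(message) + 26 per event."""
    streams = {}
    for e in sorted(parsed, key=lambda e: e["timestamp_ms"]):
        streams.setdefault(e["container"], []).append({
            "timestamp": e["timestamp_ms"],
            "message": f"{e['severity']} {e['host']} {e['message']}",
        })
    batches = {}
    for name, events in streams.items():
        out, cur, size = [], [], 0
        for ev in events:
            ev_size = len(ev["message"].encode("utf-8")) + 26
            if cur and (len(cur) >= max_events or size + ev_size > max_bytes):
                out.append(cur)
                cur, size = [], 0
            cur.append(ev)
            size += ev_size
        if cur:
            out.append(cur)
        batches[name] = out
    return batches


def ship_to_cloudwatch(batches, log_group):
    """Where the real forwarding would go. With boto3 this is, per container:
        logs = boto3.client("logs")
        logs.put_log_events(logGroupName=log_group, logStreamName=name,
                            logEvents=batch)
    Left as a comment so the example runs offline; returns a summary instead."""
    return {name: sum(len(b) for b in blist) for name, blist in batches.items()}


def serve(bind="0.0.0.0", port=5514, handler=print):
    """UDP syslog receiver. Point a Docker host at it with:
    --log-driver syslog --log-opt syslog-address=udp://<receiver>:5514
    --log-opt tag="{{.Name}}"   (port 5514 is an assumption of this example)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, _ = sock.recvfrom(65535)
        ev = parse_syslog(data.decode("utf-8", "replace").rstrip("\n"))
        if ev:  # silently drop lines that do not parse
            handler(ev)


if __name__ == "__main__":
    parsed = [e for e in (parse_syslog(l, 2019) for l in SAMPLE_LINES) if e]
    print(ship_to_cloudwatch(build_batches(parsed), "/conjur/followers"))
```

Note that UDP syslog is unauthenticated and unencrypted; bind the receiver to a host-only or security-group-restricted address, and treat a disk-usage line such as the `err`-severity sample above as the trigger for a CloudWatch metric filter or alarm rather than relying on someone reading the stream.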

Could you provide a specific syslog tool and notes around setting up DAP to send Docker logs, if possible?

Thanks

Vamsi.

Hi Vamsi,

Unfortunately, I can’t endorse a particular tool or vendor.

Regards,
Nate