Overview

Deploy this integration to collect X509 certificate metrics from URLs and send them to Logz.io. The following metrics are collected by this integration:

  • x509_age (duration in milliseconds)
  • x509_expiry (duration in milliseconds)
  • x509_start_date (in seconds passed since 1.1.1970)
  • x509_end_date (in seconds passed since 1.1.1970)

The integration is based on a Lambda function that will be auto-deployed together with the layer LogzioLambdaExtensionLogs.

Auto-deploy the Lambda function

👇 To begin, click this button to start the automated deployment. You will need to deploy it in your environment.

Region Deployment
us-east-1 Deploy to AWS
us-east-2 Deploy to AWS
us-west-1 Deploy to AWS
us-west-2 Deploy to AWS
eu-central-1 Deploy to AWS
eu-north-1 Deploy to AWS
eu-west-1 Deploy to AWS
eu-west-2 Deploy to AWS
eu-west-3 Deploy to AWS
sa-east-1 Deploy to AWS
ap-northeast-1 Deploy to AWS
ap-northeast-2 Deploy to AWS
ap-northeast-3 Deploy to AWS
ap-south-1 Deploy to AWS
ap-southeast-1 Deploy to AWS
ap-southeast-2 Deploy to AWS
ca-central-1 Deploy to AWS
Specify the stack details

Specify the stack details as per the table below and select Create stack.

Parameter Description Required/Optional Default
LogzioMetricsToken Your Logz.io metrics shipping token:<<PROMETHEUS-METRICS-SHIPPING-TOKEN>> Required -
LogzioListener The Logz.io listener URL: https://<<LISTENER-HOST>>:8071 Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071. Required -
CertificateURL The URL to collect x509 certificate metrics from, including port. i.e: https://app.logz.io:443 Required -
LambdaTimeout The amount of time that Lambda allows a function to run before stopping it. Minimum value is 1 second and Maximum value is 900 seconds. We recommend to start with 300 seconds (5 minutes). Optional 300
CloudWatchEventScheduleExpression The scheduling expression that determines when and how often the Lambda function runs. We recommend to start with 10 hour rate. Optional 10 hours
LogzioLogsToken Your Logz.io log shipping token:<<LOG-SHIPPING-TOKEN>> Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to. Required -
Run the tests

Run the ping statistics tests to generate metrics.

Check Logz.io for your metrics

Give your metrics some time to get from your system to ours, and then open OpenSearch Dashboards. All metrics that were sent from the Lambda function will have the prefix x509 in their name.

Log in to your Logz.io account and navigate to the current instructions page inside the Logz.io app. Install the pre-built dashboard to enhance the observability of your metrics.

To view the metrics on the main dashboard, log in to your Logz.io Metrics account, and open the Logz.io Metrics tab.

The integration uses a locally hosted Telegraf agent with a Prometheus remote write plugin to send metrics to Logz.io.

Set up Telegraf v1.17 or higher:
For Windows:
wget https://dl.influxdata.com/telegraf/releases/telegraf-1.19.2_windows_amd64.zip

After downloading the archive, extract its content into C:\Program Files\Logzio\telegraf\.

The configuration file is located at C:\Program Files\Logzio\telegraf\.

For MacOS:
brew install telegraf

The configuration file is located at /usr/local/etc/telegraf.conf.

For Linux:

Ubuntu & Debian

sudo apt-get update && sudo apt-get install telegraf

The configuration file is located at /etc/telegraf/telegraf.conf.

RedHat and CentOS

sudo yum install telegraf

The configuration file is located at /etc/telegraf/telegraf.conf.

SLES & openSUSE

# add go repository
zypper ar -f obs://devel:languages:go/ go
# install latest telegraf
zypper in telegraf

The configuration file is located at /etc/telegraf/telegraf.conf.

FreeBSD/PC-BSD

sudo pkg install telegraf

The configuration file is located at /etc/telegraf/telegraf.conf.

Enable the inputs.x509_cert plug-in

Add the inputs.x509_cert section to the configuration file:

[[processors.rename]]
  [[processors.rename.replace]]
    measurement = "x509_cert"
    dest = "x509"

[[inputs.x509_cert]]
  ## List certificate sources, support wildcard expands for files
  ## Prefix your entry with 'file://' if you intend to use relative paths
  sources = ["tcp://example.org:443", "https://influxdata.com:443",
            "smtp://mail.localhost:25", "udp://127.0.0.1:4433",
            "/etc/ssl/certs/ssl-cert-snakeoil.pem",
            "/etc/mycerts/*.mydomain.org.pem", "file:///path/to/*.pem"]

  ## Timeout for SSL connection
  timeout = "5s"

  ## Pass a different name into the TLS request (Server Name Indication).
  ## This is synonymous with tls_server_name, and only one of the two
  ## options may be specified at one time.
  ##   example: server_name = "myhost.example.org"
  # server_name = "myhost.example.org"

  ## Only output the leaf certificates and omit the root ones.
  # exclude_root_certs = false

  ## Optional TLS Config
  # tls_ca = "/etc/telegraf/ca.pem"
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key = "/etc/telegraf/key.pem"
  # tls_server_name = "myhost.example.org"

  ## Set the proxy URL
  # use_proxy = true
  # proxy_url = "http://localhost:8888"
Configure the iinputs.x509_cert plugin

Specify the plugin parameters as per the table below:

Parameter Description Required/Optional Default
sources Comma-separated list of your the URLs to collect metrics from. Required -
timeout Your response timeout (seconds). Required 5 (seconds)
server_name Server Name Indication used as a different name into the TLS request Optional -
exclude_root_certs Selector to output the leaf certificates and omit the root ones Optional false
tls_ca Optional TLS Config setting Optional -
tls_cert Optional TLS Config setting Optional -
tls_key Optional TLS Config setting Optional -
tls_server_name Use the given name as the SNI server name on each URL Optional -
use_proxy Selector to enable proxy URL. Optional true
proxy _url HTTP proxy URL. Optional -
Add the outputs.http plug-in

After you create a config file for Telegraf, configure the output plug-in to enable your data to be sent to Logz.io in Prometheus-format and add the following code to the configuration file:

[[outputs.http]]
  url = "https://<<LISTENER-HOST>>:8053"
  data_format = "prometheusremotewrite"
  [outputs.http.headers]
     Content-Type = "application/x-protobuf"
     Content-Encoding = "snappy"
     X-Prometheus-Remote-Write-Version = "0.1.0"
     Authorization = "Bearer <<PROMETHEUS-METRICS-SHIPPING-TOKEN>>"

Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):

  • Replace <<PROMETHEUS-METRICS-SHIPPING-TOKEN>> with a token for the Metrics account you want to ship to.
    Here’s how to look up your Metrics token.
  • Replace <<LISTENER-HOST>> with the Logz.io Listener URL for your region, configured to use port 8052 for http traffic, or port 8053 for https traffic. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe.

The full list of data scraping and configuring options can be found here.

Start Telegraf
On Windows:
telegraf.exe --service start
On MacOS:
telegraf --config telegraf.conf
On Linux:

Linux (sysvinit and upstart installations)

sudo service telegraf start

Linux (systemd installations)

systemctl start telegraf
Check Logz.io for your metrics

Log in to your Logz.io account and navigate to the current instructions page inside the Logz.io app. Install the pre-built dashboard to enhance the observability of your metrics.

To view the metrics on the main dashboard, log in to your Logz.io Metrics account, and open the Logz.io Metrics tab.