
x509

Deploy this integration to collect X509 certificate metrics from URLs and send them to Logz.io. The following metrics are collected by this integration:

  • x509_age (duration in milliseconds)
  • x509_expiry (duration in milliseconds)
  • x509_start_date (in seconds passed since 1.1.1970)
  • x509_end_date (in seconds passed since 1.1.1970)
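
How these four values relate to a certificate's validity window, as an added example (not the Logz.io Lambda or Telegraf code). The function names, the `warn_days` threshold and the sample certificate dict are assumptions constructed for illustration; units follow the list above.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

def fetch_peercert(host, port=443, timeout=5.0):
    """Handshake with host:port and return the validated leaf certificate.
    Needs network access; it is defined here but not called by the example."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_metrics(peercert, now):
    """Derive the four metrics from notBefore/notAfter at time `now` (epoch seconds)."""
    start = ssl.cert_time_to_seconds(peercert["notBefore"])
    end = ssl.cert_time_to_seconds(peercert["notAfter"])
    return {
        "x509_start_date": start,                # seconds since 1.1.1970
        "x509_end_date": end,                    # seconds since 1.1.1970
        "x509_age": int((now - start) * 1000),   # ms since validity began
        "x509_expiry": int((end - now) * 1000),  # ms left; negative once expired
    }

def classify(metrics, warn_days=30):
    """Turn the metrics into an alert state (threshold is an assumption)."""
    if metrics["x509_age"] < 0:
        return "not_yet_valid"
    if metrics["x509_expiry"] <= 0:
        return "expired"
    if metrics["x509_expiry"] < warn_days * 86_400_000:
        return "expiring"
    return "ok"

if __name__ == "__main__":
    # Evaluate the constructed certificate ten days before it expires.
    m = cert_metrics(SAMPLE_CERT, now=1735689600 - 10 * 86400)
    print(m, classify(m))
```

An alert on `x509_expiry` should also cover negative values, since a certificate that has already expired keeps reporting a shrinking number rather than disappearing.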

Collect certificate metrics using AWS Lambda

The integration is based on a Lambda function that will be auto-deployed together with the layer LogzioLambdaExtensionLogs.

Auto-deploy the Lambda function

👇 To begin, click this button to start the automated deployment. You will need to deploy it in your environment.

| Region | Deployment |
|---|---|
| us-east-1 | Deploy to AWS |
| us-east-2 | Deploy to AWS |
| us-west-1 | Deploy to AWS |
| us-west-2 | Deploy to AWS |
| eu-central-1 | Deploy to AWS |
| eu-north-1 | Deploy to AWS |
| eu-west-1 | Deploy to AWS |
| eu-west-2 | Deploy to AWS |
| eu-west-3 | Deploy to AWS |
| sa-east-1 | Deploy to AWS |
| ap-northeast-1 | Deploy to AWS |
| ap-northeast-2 | Deploy to AWS |
| ap-northeast-3 | Deploy to AWS |
| ap-south-1 | Deploy to AWS |
| ap-southeast-1 | Deploy to AWS |
| ap-southeast-2 | Deploy to AWS |
| ca-central-1 | Deploy to AWS |

Specify the stack details

Specify the stack details as per the table below and select Create stack.

| Parameter | Description |
|---|---|
| LogzioMetricsToken | Your Logz.io metrics shipping token: <<PROMETHEUS-METRICS-SHIPPING-TOKEN>> |
| LogzioListener | The Logz.io listener URL: https://<<LISTENER-HOST>>:8071. Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends on whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071. |
| CertificateURL | The URL to collect x509 certificate metrics from, including the port. For example: https://app.logz.io:443 |
| LambdaTimeout | The amount of time that Lambda allows a function to run before stopping it. The minimum value is 1 second and the maximum value is 900 seconds. We recommend starting with 300 seconds (5 minutes). |
| CloudWatchEventScheduleExpression | The scheduling expression that determines when and how often the Lambda function runs. We recommend starting with a 10 hour rate. |
| LogzioLogsToken | Your Logz.io log shipping token: <<LOG-SHIPPING-TOKEN>>. Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to. |

Run the tests

Run the ping statistics tests to generate metrics.

Check Logz.io for your metrics

Give your metrics some time to get from your system to ours, and then open OpenSearch Dashboards. All metrics that were sent from the Lambda function will have the prefix x509 in their name.

Log in to your Logz.io account and navigate to the current instructions page inside the Logz.io app. Install the pre-built dashboard to enhance the observability of your metrics.

To view the metrics on the main dashboard, log in to your Logz.io Metrics account, and open the Logz.io Metrics tab.

Collect certificate metrics using Telegraf

The integration uses a locally hosted Telegraf agent with a Prometheus remote write plugin to send metrics to Logz.io.

Set up Telegraf v1.17 or higher

For Windows

wget https://dl.influxdata.com/telegraf/releases/telegraf-1.27.3_windows_amd64.zip

After downloading the archive, extract its content into C:\Program Files\Logzio\telegraf\.

The configuration file is located at C:\Program Files\Logzio\telegraf\.

For MacOS

brew install telegraf

The configuration file is located at /usr/local/etc/telegraf.conf.

For Linux

Ubuntu & Debian

sudo apt-get update && sudo apt-get install telegraf

The configuration file is located at /etc/telegraf/telegraf.conf.

RedHat and CentOS

sudo yum install telegraf

The configuration file is located at /etc/telegraf/telegraf.conf.

SLES & openSUSE

# add go repository
zypper ar -f obs://devel:languages:go/ go
# install latest telegraf
zypper in telegraf

The configuration file is located at /etc/telegraf/telegraf.conf.

FreeBSD/PC-BSD

sudo pkg install telegraf

The configuration file is located at /etc/telegraf/telegraf.conf.

Enable the inputs.x509_cert plug-in

Add the inputs.x509_cert section to the configuration file:

[[processors.rename]]
[[processors.rename.replace]]
measurement = "x509_cert"
dest = "x509"

[[inputs.x509_cert]]
## List certificate sources, support wildcard expands for files
## Prefix your entry with 'file://' if you intend to use relative paths
sources = ["tcp://example.org:443", "https://influxdata.com:443",
"smtp://mail.localhost:25", "udp://127.0.0.1:4433",
"/etc/ssl/certs/ssl-cert-snakeoil.pem",
"/etc/mycerts/*.mydomain.org.pem", "file:///path/to/*.pem"]

## Timeout for SSL connection
timeout = "5s"

## Pass a different name into the TLS request (Server Name Indication).
## This is synonymous with tls_server_name, and only one of the two
## options may be specified at one time.
## example: server_name = "myhost.example.org"
# server_name = "myhost.example.org"

## Only output the leaf certificates and omit the root ones.
# exclude_root_certs = false

## Optional TLS Config
# tls_ca = "/etc/telegraf/ca.pem"
# tls_cert = "/etc/telegraf/cert.pem"
# tls_key = "/etc/telegraf/key.pem"
# tls_server_name = "myhost.example.org"

## Set the proxy URL
# use_proxy = true
# proxy_url = "http://localhost:8888"

Configure the inputs.x509_cert plugin

Specify the plugin parameters as per the table below:

| Parameter | Description | Required/Optional | Default |
|---|---|---|---|
| sources | Comma-separated list of the URLs to collect metrics from. | Required | - |
| timeout | Your response timeout (seconds). | Required | 5 (seconds) |
| server_name | Server Name Indication: a different name to pass into the TLS request. | Optional | - |
| exclude_root_certs | Selector to output the leaf certificates and omit the root ones. | Optional | false |
| tls_ca | Optional TLS Config setting. | Optional | - |
| tls_cert | Optional TLS Config setting. | Optional | - |
| tls_key | Optional TLS Config setting. | Optional | - |
| tls_server_name | Use the given name as the SNI server name on each URL. | Optional | - |
| use_proxy | Selector to enable proxy URL. | Optional | true |
| proxy_url | HTTP proxy URL. | Optional | - |

Add the outputs.http plug-in

After you create a config file for Telegraf, configure the output plug-in so that your data is sent to Logz.io in Prometheus format. Add the following code to the configuration file:

[[outputs.http]]
url = "https://<<LISTENER-HOST>>:8053"
data_format = "prometheusremotewrite"
[outputs.http.headers]
Content-Type = "application/x-protobuf"
Content-Encoding = "snappy"
X-Prometheus-Remote-Write-Version = "0.1.0"
Authorization = "Bearer <<PROMETHEUS-METRICS-SHIPPING-TOKEN>>"

Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):

  • Replace <<LISTENER-HOST>> with the Logz.io Listener URL for your region, configured to use port 8052 for http traffic, or port 8053 for https traffic. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe.
  • Replace <<PROMETHEUS-METRICS-SHIPPING-TOKEN>> with a token for the Metrics account you want to ship to.
    Here's how to look up your Metrics token.
Note: The full list of data scraping and configuring options can be found here.

Start Telegraf

On Windows:
telegraf.exe --service start
On MacOS:
telegraf --config telegraf.conf
On Linux:

Linux (sysvinit and upstart installations)

sudo service telegraf start

Linux (systemd installations)

systemctl start telegraf

Check Logz.io for your metrics

Log in to your Logz.io account and navigate to the current instructions page inside the Logz.io app. Install the pre-built dashboard to enhance the observability of your metrics.

To view the metrics on the main dashboard, log in to your Logz.io Metrics account, and open the Logz.io Metrics tab.