Prometheus remote write
Collect metrics from Prometheus
Configuration
Example configurations
{
"sources": {
"my_source_id": {
"type": "prometheus_remote_write",
"address": "0.0.0.0:9090"
}
}
}[sources.my_source_id]
type = "prometheus_remote_write"
address = "0.0.0.0:9090"
sources:
my_source_id:
type: prometheus_remote_write
address: 0.0.0.0:9090
{
"sources": {
"my_source_id": {
"type": "prometheus_remote_write",
"address": "0.0.0.0:9090"
}
}
}[sources.my_source_id]
type = "prometheus_remote_write"
address = "0.0.0.0:9090"
sources:
my_source_id:
type: prometheus_remote_write
address: 0.0.0.0:9090
acknowledgements
optional objectDeprecated
Controls how acknowledgements are handled by this source.
This setting is deprecated in favor of enabling acknowledgements at the global or sink level.
Enabling or disabling acknowledgements at the source level has no effect on acknowledgement behavior.
See End-to-end Acknowledgements for more information on how event acknowledgement is handled.
acknowledgements.enabled
optional booladdress
required string literalThe socket address to accept connections on.
The address must include a port.
auth
optional objectConfiguration of the authentication strategy for server mode sinks and sources.
Use the HTTP authentication with HTTPS only. The authentication credentials are passed as an HTTP header without any additional encryption beyond what is provided by the transport itself.
auth.password
required string literalstrategy = "basic"auth.strategy
required string literal enum| Option | Description |
|---|---|
basic | Basic authentication. The username and password are concatenated and encoded using base64. |
custom | Custom authentication using VRL code. Takes in request and validates it using VRL code. |
auth.username
required string literalstrategy = "basic"keepalive
optional objectkeepalive.max_connection_age_jitter_factor
optional floatThe factor by which to jitter the max_connection_age_secs value.
A value of 0.1 means that the actual duration will be between 90% and 110% of the specified maximum duration.
0.1keepalive.max_connection_age_secs
optional uintThe maximum amount of time a connection may exist before it is closed by sending
a Connection: close header on the HTTP response. Set this to a large value like
100000000 to “disable” this feature
Only applies to HTTP/0.9, HTTP/1.0, and HTTP/1.1 requests.
A random jitter configured by max_connection_age_jitter_factor is added
to the specified duration to spread out connection storms.
300(seconds)tls
optional objecttls.alpn_protocols
optional [string]Sets the list of supported ALPN protocols.
Declare the supported ALPN protocols, which are used during negotiation with a peer. They are prioritized in the order that they are defined.
tls.ca_file
optional string literalAbsolute path to an additional CA certificate file.
The certificate must be in the DER or PEM (X.509) format. Additionally, the certificate can be provided as an inline string in PEM format.
tls.crt_file
optional string literalAbsolute path to a certificate file used to identify this server.
The certificate must be in DER, PEM (X.509), or PKCS#12 format. Additionally, the certificate can be provided as an inline string in PEM format.
If this is set and is not a PKCS#12 archive, key_file must also be set.
tls.enabled
optional boolWhether or not to require TLS for incoming or outgoing connections.
When enabled and used for incoming connections, an identity certificate is also required. See tls.crt_file for
more information.
tls.key_file
optional string literalAbsolute path to a private key file used to identify this server.
The key must be in DER or PEM (PKCS#8) format. Additionally, the key can be provided as an inline string in PEM format.
tls.key_pass
optional string literalPassphrase used to unlock the encrypted key file.
This has no effect unless key_file is set.
tls.server_name
optional string literalServer name to use when using Server Name Indication (SNI).
Only relevant for outgoing connections.
tls.verify_certificate
optional boolEnables certificate verification. For components that create a server, this requires that the client connections have a valid client certificate. For components that initiate requests, this validates that the upstream has a valid certificate.
If enabled, certificates must not be expired and must be issued by a trusted issuer. This verification operates in a hierarchical manner, checking that the leaf certificate (the certificate presented by the client/server) is not only valid, but that the issuer of that certificate is also valid, and so on, until the verification process reaches a root certificate.
Do NOT set this to false unless you understand the risks of not verifying the validity of certificates.
tls.verify_hostname
optional boolEnables hostname verification.
If enabled, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.
Only relevant for outgoing connections.
Do NOT set this to false unless you understand the risks of not verifying the remote hostname.
Outputs
<component_id>
Output Types
Metrics
counter
countergauge
gaugeTelemetry
Metrics
linkcomponent_discarded_events_total
counterfilter transform, or false if due to an error.component_errors_total
countercomponent_received_bytes_total
countercomponent_received_event_bytes_total
countercomponent_received_events_count
histogramA histogram of the number of events passed in each internal batch in Vector’s internal topology.
Note that this is separate than sink-level batching. It is mostly useful for low level debugging performance issues in Vector due to small internal batches.
component_received_events_total
countercomponent_sent_event_bytes_total
countercomponent_sent_events_total
counterhttp_server_handler_duration_seconds
histogramhttp_server_requests_received_total
counterhttp_server_responses_sent_total
countersource_lag_time_seconds
histogramHow it works
Authorization configuration
This component has a server component that supports authorization. Authorization supports multiple strategies. Basic access authentication is the default, which supports defining a username and password to be used when connecting to the server.
Custom authorization provides a greater flexibility. It supports writing custom authorization code using VRL. Here is an example that looks up the token in an enrichment table backed by a CSV file.
Currently custom VRL auth has access to headers, path, and address (IP
address of the client).
sources:
prometheus_remote_write_source:
type: "prometheus_remote_write"
# ...
auth:
strategy: "custom"
source: |-
# We can access request headers here
# Let's say that we expect a custom authorization header
# In format "Vector {uuid}"
parts = split!(.headers.authorization, " ", 2)
# We expect Authorization header in format "Vector {uuid}"
if parts[0] != "Vector" {
# The header didn't start with Vector, reject
# Returning false means that authentication should fail
false
} else {
# Look for uuid in enrichment table (let's say that it has a token column)
# Any errors also reject requests
# We could then do some additional checks on the result from the table
result = get_enrichment_table_record!("auth_data", { "token": parts[1] })
# No errors, so we can return true
true
}
# ...
Context
prometheus_remote_write source augments events with helpful
context keys.Duplicate tag names
Metric type interpretation
The remote_write protocol used by this source transmits only the metric tags, timestamp, and numerical value. No explicit information about the original type of the metric (i.e. counter, histogram, etc) is included. As such, this source makes a guess as to what the original metric type was.
For metrics named with a suffix of _total, this source
emits the value as a counter metric. All other metrics
are emitted as gauges.
State
Transport Layer Security (TLS)
tls.* options and/or via an
OpenSSL configuration file. The file location defaults to
/usr/local/ssl/openssl.cnf or can be specified with the OPENSSL_CONF environment variable.