PingAM 8.0.0

Monitor with Prometheus

Prometheus is third-party software used for gathering and processing monitoring data.

Prometheus can monitor and process AM metrics, but your deployment might benefit from further analysis and visualization. You can use tools such as Grafana to create customized charts and graphs based on the information Prometheus collects.

Learn more about installing and running Grafana in the Grafana documentation.

Prometheus endpoints

AM exposes endpoints that Prometheus uses to gather metrics from the AM instance.

When you enable Prometheus monitoring, AM makes the Prometheus-formatted metrics available at the following endpoints:

  • /metrics/prometheus

    The path of this endpoint is format-agnostic, but the response payload is identical to that from the /json/metrics/prometheus endpoint.

    Although this endpoint is new, it is also deprecated in this release and support for its use will be removed in a future release. Move to the /metrics/prometheus/0.0.4 endpoint as soon as convenient.

  • /metrics/prometheus/0.0.4

    The path of this endpoint is format-agnostic, but the response payload differs slightly from that of the /metrics/prometheus endpoint.

    Metrics that were previously suffixed with _total are suffixed with _sum, which conforms better to the latest version of Prometheus. For example:

    • /metrics/prometheus/0.0.4 returns the metric am_authorization_policy_set_evaluate_seconds_sum{outcome=outcome,policy_set=policy-set,}

    • /metrics/prometheus returns the metric am_authorization_policy_set_evaluate_seconds_total{outcome=outcome,policy_set=policy-set,}

The /json/metrics/prometheus endpoint is deprecated. If you’re using this endpoint, change your Prometheus configuration to use one of the new endpoints:

  • If your deployment doesn’t rely on the response payload provided from the /json/metrics/prometheus endpoint, move straight to the /metrics/prometheus/0.0.4 endpoint.

  • If your deployment relies on the exact response payload provided from the /json/metrics/prometheus endpoint, move to the /metrics/prometheus endpoint first. Adapt your deployment to expect the different payload, then move to the /metrics/prometheus/0.0.4 endpoint.

Configure Prometheus

Configure Prometheus to monitor the AM endpoints in the Prometheus configuration file, prometheus.yml.

Learn more about configuring Prometheus in the Prometheus configuration documentation.

Learn more about PingAM monitoring metrics in Monitoring metrics.

Enable Prometheus monitoring

  1. Ensure you have enabled monitoring.

  2. Go to Configure > Global Services > Monitoring.

  3. On the Secondary Configurations tab, click prometheus, then select Enabled.

  4. In the Authentication Type menu, select one of the following options:

    • None. Prometheus doesn’t need to authenticate when accessing the endpoint.

    • HTTP Basic. Prometheus must authenticate using a username and a password when accessing the endpoint.

  5. If you selected HTTP Basic, specify a Username and Password.

    If you set a Secret Label Identifier and AM finds a matching secret in a secret store, the Password is ignored.

  6. For greater security, define a Secret Label Identifier to use a secret in a secret store and rotate the secret periodically.

    AM uses this identifier to create a specific secret label, using the template am.services.monitoring.prometheus.identifier.secret where identifier is the value of Secret Label Identifier.

    The identifier can only contain alphanumeric characters a-z, A-Z, 0-9, and periods (.). It can’t start or end with a period.

    Learn more about using secrets in Map and rotate secrets.

  7. Save your work.
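
A prometheus.yml scrape job that matches the settings above, scraping the non-deprecated /metrics/prometheus/0.0.4 endpoint with HTTP Basic authentication. This is an added example, not taken from the PingAM documentation. The host name, port, /am deployment path, username, and file paths are assumptions to replace with your own values.

```yaml
# Added example with constructed values; adjust to your deployment.
scrape_configs:
  - job_name: pingam
    # Scrape over TLS so the HTTP Basic credentials are not sent in cleartext.
    scheme: https
    # Assumes AM is deployed under the /am context path.
    metrics_path: /am/metrics/prometheus/0.0.4
    basic_auth:
      # Must match the Username set for the HTTP Basic authentication type.
      username: prometheus
      # Weaker alternative: an inline "password:" value, which places the
      # credential in prometheus.yml itself.
      # Reading it from a file keeps it out of the configuration file and lets
      # you replace it when the secret in the AM secret store is rotated.
      password_file: /etc/prometheus/secrets/pingam-password
    tls_config:
      # Only needed when the AM certificate is issued by a private CA.
      ca_file: /etc/prometheus/certs/am-ca.pem
    static_configs:
      - targets:
          - am.example.com:8443
```

Restrict read access on the password file to the account that runs Prometheus.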