About system logs
Learn how Piiano Vault collects system logs
Vault collects system logs to enable the Piiano team to improve your experience, identify faults, and enhance Vault. System logs include system-level events and application logs. These logs are sent to DataDog.
When an unexpected error occurs, Vault sends logs to Sentry. These logs do not include any PII or other data stored in Vault.
Log content
Logs provide details about your interactions with Vault. To protect your business and its PII data, these logs do not include PII data or any information about the your configuration of Vault, such as collection or property names. This is an example of a typical log:
{
"level": "info",
"service": "pvault-dev",
"type": "log",
"version": "0.9.7-gb5f595bc9",
"vault_id": "113161596639522816",
"product": "vault",
"license_key": "...D0BEMhqNe3NArFMQ",
"customer_identifier": "<your identifier>",
"customer_env": "prod",
"dev_mode": false,
"method": "GET",
"operation_id": "list-objects",
"url": "/api/pvlt/1.0/data/collections/test/objects?adhoc_reason=&id=32077c80-3792-4a45-a957-e365bb1c9533&options=&props=email&props=id&props=first_name&props=last_name&reason=Maintenance&reload_cache=false",
"user_agent": "PiianoVault/0.9.7-gb5f595bc9",
"trace_id": "6b0323e6-b587-4f1b-8cfc-712fc4a4781f",
"reason": "Maintenance",
"collection": "test",
"status_code": 200,
"duration": 37.419042,
"time": 1667978774229,
"caller": "/app/common/rest/mws/logger.go:78",
"message": "/api/pvlt/1.0/data/collections/test/objects?adhoc_reason=&id=32077c80-3792-4a45-a957-e365bb1c9533&options=&props=email&props=id&props=first_name&props=last_name&reason=Maintenance&reload_cache=false"
}
Each log contains your unique and random Vault ID, which is used to identify your logs. You can view your Vault ID by running pvault version.
Trace ID
Every request includes a random ID that identifies the request. This ID is logged under trace_id. A request can override the generated value using the X-Request-ID header. For example:
curl --request GET --url http://localhost:8123/api/pvlt/1.0/system/info/version \
--header 'Authorization: Bearer pvaultauth' \
--header 'X-Request-ID: <your unique ID>'
In certain systems such as AWS App Runner, the X-Request-ID header is overwritten by the system. In that case you can use X-Pvault-Request-ID.
curl --request GET --url http://localhost:8123/api/pvlt/1.0/system/info/version \
--header 'Authorization: Bearer pvaultauth' \
--header 'X-Pvault-Request-ID: <your unique ID>'
Overriding is useful when you want to correlate between your client requests and the Vault logs.
Datadog logging
Vault sends logs to datadog to allow Piiano to monitor your deployment and be proactive in supporting it. Vault confirms during startup that logs are being sent to Datadog by issuing the following log:
Enabling Datadog log backend
Attention: Sending usage logs and metrics for analytics purpose and improving the product. Your data never leaves the Vault.
Default configuration
Piiano recommends on keeping the default log components of logs,stats and config. This default excludes the audit log component from being sent to Piiano. This approach allow Piiano to more easily support your self-hosted deployment.
The configuration is controlled by the environment variable PVAULT_LOG_DATADOG_ENABLE (e.g. PVAULT_LOG_DATADOG_ENABLE=logs,stats,config).
💡 You can remove additional component of logs and further scope it down to send fewer logs. It is recommended to consult Piiano before doing so.
Minimal configuration
When the configuration is set to just minimal (PVAULT_LOG_DATADOG_ENABLE=minimal), the only logs that will be sent relate to the Vault statistics. This includes items such as the number of objects and tokens per collection or general statistics such as the license and API expiration time. This information is required by Piiano for validating your usage and alerting you about license and key expirations.
Disable all Datadog logs
To completely disable the sending of logs to Datadog set the configuration to none: PVAULT_LOG_DATADOG_ENABLE=none.
The 'DataDogEnable' flag then confirms that logging is disabled like this:
...Log:{Level:info DataDogAPIKey:xxxxxxxxxxxxxxxxx DataDogEnable:none DataDogSource:prod}}"}...
Disabling all logs will significantly limit Piiano's ability to support your deployment and may impact troubleshooting.
Sentry logging
Vault confirms it is sending unexpected errors logs to Sentry by printing this to the terminal during start up:
Enabling Sentry telemetry
Attention: Sending unexpected crash telemetry
To disable the sending of logs to Sentry, add this environment variable to 'docker run':
-e PVAULT_SENTRY_ENABLE=false
The 'Sentry' flag group confirms that logging is disabled like this:
...Sentry:{Enable:false DSN:}...
Observability additional data
To identify a Vault instance in Datadog and Sentry, two additional configuration options are available. Providing these configuration options enables Piiano to proactively assist you with errors in your Vault environment.
PVAULT_LOG_CUSTOMER_IDENTIFIERto record your customer identifier.PVAULT_LOG_CUSTOMER_ENVto identify your environment. The recommended values areproduction,staging, anddev.
Setting persistence
If you run Vault with the --rm flag, the logs restarted when you restart Vault. To persist the changes across restarts, run Vault without the --rm flag.