Metrics Configuration
Tip: You can look at all the metrics definitions and what they mean on our metrics reference page.
To configure metrics exposure, you can use the metrics_port and metrics_inbound_cidr fields. metrics_port determines which port will be used to aggregate the sidecar metrics, and metrics_inbound_cidr sets security group rules to allow CIDR ranges to make requests to the configured metrics_port.
Info: By default, the metrics_inbound_cidr is empty, which means nothing can access the metrics port. We recommend setting the CIDR to your metrics scraper's possible IPs.
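A pre-deployment check for the recommendation above, as an added example that is not part of the Cyral documentation: it audits a proposed metrics_inbound_cidr list against the scraper's known addresses. The function name, the prefix-length thresholds and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Hypothetical thresholds (not from the Cyral docs): wider ranges get a warning.
MIN_PREFIX = {4: 16, 6: 48}

def _covers(net, ip):
    return net.version == ip.version and ip in net

def audit_metrics_cidrs(inbound_cidrs, scraper_ips):
    """Return (severity, message) findings for a proposed metrics_inbound_cidr list."""
    findings, networks = [], []
    for cidr in inbound_cidrs:
        try:
            # strict=True rejects host bits (e.g. 10.0.5.4/24), usually a typo
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(("error", f"{cidr}: invalid CIDR ({exc})"))
            continue
        networks.append(net)
        if net.prefixlen == 0:
            findings.append(("error", f"{net}: exposes the metrics port to every address"))
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(("warn", f"{net}: wider than /{MIN_PREFIX[net.version]}"))
    scrapers = [ipaddress.ip_address(ip) for ip in scraper_ips]
    # Every scraper must fall inside an allowed range, or its requests are blocked.
    for ip in scrapers:
        if not any(_covers(net, ip) for net in networks):
            findings.append(("error", f"{ip}: scraper not covered by any range"))
    # A range that contains no scraper only widens exposure of the metrics port.
    for net in networks:
        if not any(_covers(net, ip) for ip in scrapers):
            findings.append(("warn", f"{net}: contains no known scraper"))
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    scrapers = ["10.0.5.4", "10.0.5.9"]
    for proposal in ([], ["0.0.0.0/0"], ["10.0.0.0/8", "192.168.1.0/24"], ["10.0.5.0/28"]):
        print(proposal, "->", audit_metrics_cidrs(proposal, scrapers) or "ok")
```

An empty result means every scraper is allowed and no listed range is wider than it needs to be.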
Prometheus service discovery
Service discovery for EC2 instances is documented under the ec2_sd_config section of the Prometheus configuration docs.
A MetricsPort tag containing the metrics port is added to the EC2 instances, based on the template parameter metrics_port. This makes it possible to use configurations similar to the following:
scrape_configs:
  - ec2_sd_configs:
      - region: us-east-1
    job_name: AWS_SCRAPE
    relabel_configs:
      # public IP is used so that Prometheus does not have to be in the same VPC
      # as the sidecar. On a production environment, you would use the
      # `__meta_ec2_private_ip` label instead
      - source_labels: [__meta_ec2_public_ip, __meta_ec2_tag_MetricsPort]
        separator: ':'
        target_label: __address__
This configuration discovers all instances in the us-east-1 region and creates a target for each one from its public IP and the value of the MetricsPort tag, separated by a colon.
Datadog service discovery
The Datadog agent is injected alongside the Cyral sidecar, and its configuration is generated automatically via the Datadog integration configuration on Cyral's control plane.