Observability
The HTTP endpoint /api/v1/status will return metadata and health info about the engine's cluster.
Description of returned values:
Key | Description |
clusters_joined | IDs of the cluster or clusters this proxy is part of. |
web_connected | Indicates whether the engine is connected to the web frontend. |
credential_adapters | Adapters for reading and writing database credentials. |
key_adapters | Adapters for reading and writing encryption keys. |
ports | Ports that the engine is listening on for different protocols. |
Metrics on flow and cluster status are collected by default. They can be emitted to several locations based on the environment variables set on the engine.
For metrics with tags, a separate timeseries is created for every combination of tags within a metric. For example, policy.handling.total will be reported separately for every handling value.
The following metrics are reported for all backends. Prometheus metrics are named slightly differently - dots are replaced with underscores, eg database_total instead of database.total.
Name | Unit | Tags | Description |
vm.memory.total | byte | - | Amount of memory consumed by the application VM |
vm.total_run_queue_lengths.total | last | - | Queue length for all VM operations |
vm.total_run_queue_lengths.cpu | last | - | Queue length for CPU operations |
vm.total_run_queue_lengths.io | last | - | Queue length for IO operations |
policy.handling.total | last | handling | Number of policies configured |
database.total | last | - | Number of upstream databases configured for proxying |
database.connection.total | count | database, client | Number of clients currently connected to a proxied database |
database.encryption.percent | last | database, table, field | Percentage of rows for a given field that are encrypted in the database. Only reported for fields that are matched by an encryption policy. |
database.decryption.percent | last | database, table, field | Percentage of rows for a given field that are decrypted in the database. Only reported for fields that are matched by an encryption policy. |
database.tokenization.percent | last | database, table, field | Percentage of rows for a given field that are tokenized in the database. Only reported for fields that are matched by a tokenization policy. |
database.detokenization.percent | last | database, table, field | Percentage of rows for a given field that are not tokenized in the database. Only reported for fields that are matched by a tokenization policy. |
proxy.database.access.count | count | session, database, client, path | Number of times a client has accessed a specific field.. |
Metrics are emitted over UDP to the configured statsd host by default. In addition to the common metrics, the following metrics are reported:
Name | Unit | Tags | Description |
policy.database.client.duration | timer | policy, database, client | Millisecond duration of how long a policy took to apply |
database.client.duration | timer | database, client | Millisecond duration of how long a database query took, including applying policies |
StatsD can be configured with these variables:
Name | Default | Description |
JUMPWIRE_STATSD_HOST | 127.0.0.1 | Hostname or IP of the statsd collector |
JUMPWIRE_STATSD_PORT | 8125 | Port of the statsd collector |
JUMPWIRE_STATSD_TYPE | - | Special formatting for the statsd metrics. The only allowed value is datadog |
JUMPWIRE_STATSD_PREFIX | jumpwire | A prefix to prepend to all metric names |
DataDog is configured through the StatsD metrics exporter. JUMPWIRE_STATSD_TYPE should be set to datadog for compatibility with DogStatsD in the Datadog Agent.
When using the datadog type, the following metrics will have a different format than the base statsd:
Name | Unit | Tags | Description |
policy.database.client.duration | distribution | policy, database, client | Millisecond duration of how long a policy took to apply. Bucketed values of 10, 100, 500, 1000, 10_000, 60_000 |
database.client.duration | distribution | database, client | Millisecond duration of how long a database query took, including applying policies. Bucketed values of 10, 100, 500, 1000, 10_000, 60_000 |
Enabled by default. Prometheus metrics are exposed on port 9568 at /metrics. In addition to the common metrics, the following metrics are reported:
Name | Unit | Tags | Description |
policy_database_client_duration | distribution | policy, database, client | Millisecond duration of how long a policy took to apply. Bucketed values of 10, 100, 500, 1000, 10_000, 60_000 |
database_client_duration | distribution | database, client | Millisecond duration of how long a database query took, including applying policies. Bucketed values of 10, 100, 500, 1000, 10_000, 60_000 |
Access to the configured CloudWatch namespace is granted through IAM credentials.
In addition to the common metrics, the following metrics are reported:
Name | Unit | Tags | Description |
policy.database.client.duration | summary | policy, database, client | Millisecond duration of how long a policy took to apply |
database.client.duration | summary | database, client | Millisecond duration of how long a database query took, including applying policies |
CloudWatch can be configured with these variables:
Name | Default | Description |
JUMPWIRE_CLOUDWATCH_NAMESPACE | jumpwire | Which CloudWatch namespace to publish metrics to |
JUMPWIRE_CLOUDWATCH_INTERVAL_SECONDS | 30 | How often to publish metrics, in seconds |
JUMPWIRE_CLOUDWATCH_ENABLED | false | Boolean to enable/disable CloudWatch metrics |
