Prometheus metrics support is now available on the Aembit Edge to help customers monitor and troubleshoot edge components effectively.
Aembit Edge is a transparent proxy – deployed as a sidecar in Kubernetes or an agent in VMs – that manages non-human identity by validating workloads and injecting credentials. It integrates seamlessly with both new and existing applications, with no code changes required.
Security professionals and CSOs use observability tools, like the popular, open-source Prometheus, for real-time threat detection, anomaly detection, and incident response by monitoring metrics, logs, and cloud infrastructure.
These tools help detect unusual behaviors, monitor compliance, and ensure cloud security, while integrating with SIEM systems for enhanced incident management. They also aid in post-incident analysis, proactive vulnerability monitoring, and automated response to threats, making them vital for improving overall security posture.
Aembit implemented Prometheus-compatible metrics across all key Edge components, including the Agent Proxy, Agent Controller, and Agent Injector. This integration enables customers to seamlessly incorporate Aembit Edge into their existing observability stacks, allowing for real-time monitoring, alerting, and troubleshooting.
Aembit Edge includes a Prometheus exporter that exposes essential metrics – including request rates, error rates, and resource utilization. These metrics are available through a standardized /metrics endpoint that adheres to Prometheus naming conventions, ensuring seamless compatibility with Prometheus and other observability tools capable of scraping Prometheus metrics.
The metrics for each Aembit component are as follows:
| Component | Metric | Description |
| --- | --- | --- |
| Agent Proxy | aembit_agent_proxy_incoming_connections_total | Total incoming connections (connections established from a client workload to the Agent Proxy). |
| | aembit_agent_proxy_active_incoming_connections | Active incoming connections (connections established from a client workload to the Agent Proxy). |
| | aembit_agent_proxy_credentials_injections_total | Number of credentials injected by Agent Proxy. |
| | credentials_cached_entries_total | The number of unexpired credentials currently cached by Agent Proxy. |
| | directives_cached_entries_total | The number of unexpired directives currently cached by Agent Proxy. |
| | machine_cpu_cores | Number of CPU cores available to Agent Proxy. |
| | version | Agent Proxy version. |
| | aembit_agent_proxy_token_expiration_unix_timestamp | Expiration timestamp for Aembit Agent Proxy Token (to access Aembit Cloud). |
| | aembit_agent_proxy_aembit_cloud_connection_status | Whether Agent Proxy has a connection to Aembit Cloud or not. Values: |
| | process_cpu_seconds_total | Amount of CPU seconds used by the Agent Proxy. |
| | process_memory_usage_bytes | Amount of memory (in bytes) used by Agent Proxy. |
| | aembit_agent_controller_token_expiration_unix_timestamp | Expiration timestamp for Aembit Agent Controller Token (to access Aembit Cloud). |
| Agent Controller | aembit_agent_controller_access_token_requests_total | The number of Agent Controller requests to get access token (for Agent Controller use). |
| | aembit_agent_controller_proxy_token_requests_total | The number of Agent Proxy requests received by the Agent Controller to get access token. |
| | aembit_agent_controller_registration_status | Values: |
| | version | Agent Controller version. |
| Agent Injector | aembit_injector_pods_seen_total | The number of pods processed by the Agent Injector. |
| | aembit_injector_pods_injection_total | The number of pods into which Aembit Edge components were injected. |
While Aembit administrators can export logs using log streams to AWS S3 or GCP storage buckets – which can feed into SIEM or SOAR tools – Prometheus support adds the ability to trigger alerts.
Alerts triggered in Prometheus give admins, DevOps teams, and SOCs real-time monitoring of infrastructure, application performance, and security anomalies.
These alerts enable teams to detect and address issues such as system overloads, application failures, and security threats before they escalate.
Customizable thresholds, predictive monitoring, and integration with external tools facilitate proactive incident management, automated remediation, and efficient alert routing. By delivering actionable insights, Prometheus alerts help ensure the smooth operation of your Aembit deployment.
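As an added illustration (not part of Aembit's documentation), the Prometheus rules file below alerts on the Edge metrics listed in the table above. The group name, alert names, thresholds, severity labels and the `aembit-` job-name prefix are assumptions to adapt, and the expiration metrics are assumed to be Unix timestamps in seconds.

```yaml
# Added example: alerting rules built on metric names from the table above.
# Names, thresholds and the "aembit-" job prefix are assumptions, not Aembit defaults.
groups:
  - name: aembit-edge
    rules:
      # Expiration is a Unix timestamp (assumed seconds); subtracting time()
      # yields the remaining validity. Below zero means the token has lapsed.
      - alert: AembitAgentProxyTokenExpired
        expr: aembit_agent_proxy_token_expiration_unix_timestamp - time() < 0
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: "Agent Proxy token for Aembit Cloud has expired on {{ $labels.instance }}"

      - alert: AembitAgentControllerTokenExpired
        expr: aembit_agent_controller_token_expiration_unix_timestamp - time() < 0
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: "Agent Controller token for Aembit Cloud has expired on {{ $labels.instance }}"

      # Heuristic: client workloads are still connecting through the proxy,
      # but no credentials have been injected during the same window.
      - alert: AembitCredentialInjectionStalled
        expr: |
          rate(aembit_agent_proxy_incoming_connections_total[10m]) > 0
          and on (instance, job)
          rate(aembit_agent_proxy_credentials_injections_total[10m]) == 0
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Agent Proxy on {{ $labels.instance }} accepts connections but injects no credentials"

      # A silent exporter is itself a signal: the component may be down or
      # its metrics endpoint may have been disabled.
      - alert: AembitEdgeTargetDown
        expr: up{job=~"aembit-.*"} == 0
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Aembit Edge metrics target {{ $labels.instance }} is not being scraped"
```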
Support is available across all Aembit deployment models.
Below we’ll highlight Kubernetes and virtual machine (VM) deployments.
Kubernetes Deployments
Automatic Prometheus-compatible metrics exposure is implemented through Kubernetes annotations. This setup allows Prometheus to automatically discover and scrape metrics from Aembit Edge components without requiring manual configuration for each client workload.
In Kubernetes deployments, Prometheus automatically detects annotations for the Agent Controller and Agent Injector.
Because the Agent Proxy runs as part of the client workload – which may already expose Prometheus metrics and include its own annotations – a new set of annotations has been introduced. These annotations can be added to client workload pods without conflicting with existing ones.
Below is the list of annotations automatically added to client workloads where the Agent Proxy is injected.
| Annotation Name | Default value |
| --- | --- |
| aembit.io/metrics-scrape | "true" |
| aembit.io/metrics-path | "/metrics" |
| aembit.io/metrics-port | "9099" |
Default values can be overridden by setting these annotations on a client workload deployment.
Virtual Machine Deployments
For virtual machine deployments, metrics are also enabled by default. Metrics can be disabled by setting the AEMBIT_METRICS_ENABLED=false environment variable during the installation of the Agent Controller or Agent Proxy.
- The Agent Controller exposes metrics on port 9090.
- The Agent Proxy exposes metrics on port 9099, though this port can be overridden using the AEMBIT_METRICS_PORT environment variable during installation.
Both the Agent Controller and Agent Proxy expose metrics at the ‘/metrics’ endpoint.
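One way to collect these endpoints with Prometheus, shown as an added example rather than Aembit's own configuration: a pod-discovery job that honors the `aembit.io/metrics-*` annotations, plus static jobs for VM installs on the default ports. Job names and VM hostnames are placeholders; the `__meta_kubernetes_pod_annotation_*` labels are the form Prometheus gives pod annotations (non-alphanumeric characters become underscores).

```yaml
# Added example: scrape jobs for Aembit Edge. Job names and hostnames are placeholders.
scrape_configs:
  # Kubernetes: Agent Proxy sidecars, discovered through the aembit.io annotations
  # so that a workload's own Prometheus annotations are left untouched.
  - job_name: aembit-agent-proxy-k8s
    kubernetes_sd_configs:
      - role: pod
    relabel_configs:
      # Keep only pods where aembit.io/metrics-scrape is "true".
      - source_labels: [__meta_kubernetes_pod_annotation_aembit_io_metrics_scrape]
        action: keep
        regex: 'true'
      # Use aembit.io/metrics-path when present (default "/metrics").
      - source_labels: [__meta_kubernetes_pod_annotation_aembit_io_metrics_path]
        action: replace
        regex: '(.+)'
        target_label: __metrics_path__
      # Scrape the pod IP on aembit.io/metrics-port (default "9099").
      - source_labels: [__meta_kubernetes_pod_ip, __meta_kubernetes_pod_annotation_aembit_io_metrics_port]
        action: replace
        regex: '(.+);(\d+)'
        replacement: '$1:$2'
        target_label: __address__
      # Carry namespace and pod name so alerts identify the workload.
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod

  # Virtual machines: Agent Controller on its default port 9090.
  - job_name: aembit-agent-controller-vm
    metrics_path: /metrics
    static_configs:
      - targets: ['controller-vm.example.internal:9090']  # placeholder host

  # Virtual machines: Agent Proxy on 9099, or the AEMBIT_METRICS_PORT value if overridden.
  - job_name: aembit-agent-proxy-vm
    metrics_path: /metrics
    static_configs:
      - targets: ['workload-vm.example.internal:9099']  # placeholder host
```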
Pro tip:
Visualize your metrics easily with Grafana, which is also open-source and easily integrates with Prometheus.
Next Steps
Aembit continues to enable comprehensive, yet easy-to-use deployments by integrating with the tools you use today. By extending observability with security monitoring, you can improve your overall threat detection and response strategies as you enhance security and manage access for your workloads and non-human identities.
To learn more, visit our Docs page or watch the video below!