TLS

Supported OS Linux Windows Mac OS

Integration version2.18.0

Overview

This check monitors TLS protocol versions, certificate expiration and validity, etc.

Notes:

  1. Only TCP is supported.
  2. Only leaf / end user certificates are verified (not intermediate and root certificates).

Setup

Installation

The TLS check is included in the Datadog Agent package. No additional installation is needed on your server.

Configuration

    Host

    To configure this check for an Agent running on a host:

    1. Edit the tls.d/conf.yaml file, in the conf.d/ folder at the root of your Agent’s configuration directory to start collecting your TLS data. See the sample tls.d/conf.yaml for all available configuration options.

    2. Restart the Agent.

    Containerized

    For containerized environments, see the Autodiscovery Integration Templates for guidance on applying the parameters below.

    ParameterValue
    <INTEGRATION_NAME>tls
    <INIT_CONFIG>blank or {}
    <INSTANCE_CONFIG>{"server": "%%host%%", "port":"443"}

    Note: If you are using internal certificates that are not from a well-known, trusted CA, certain metrics may not report to Datadog. Use tls_verify: false in your integration template to report all metrics in this instance.

    Validation

    Run the Agent’s status subcommand and look for tls under the Checks section.

    Data Collected

    Metrics

    tls.days_left
    (gauge)    		Days until X.509 certificate expiration
    Shown as day
    tls.issued_days
    (count)    		Day duration of timespan certificate is issued for
    Shown as day
    tls.issued_seconds
    (count)    		Second duration of timespan certificate is issued for
    Shown as second
    tls.seconds_left
    (gauge)    		Seconds until X.509 certificate expiration
    Shown as second

    Events

    TLS does not include any events.

    Service Checks

    tls.can_connect
    Returns CRITICAL if the Agent is unable to connect to the monitored endpoint, otherwise returns OK.
    Statuses: ok, critical

    tls.version
    Returns CRITICAL if a connection is made with a protocol version that is not allowed, otherwise returns OK.
    Statuses: ok, critical

    tls.cert_validation
    Returns CRITICAL if the certificate is malformed or does not match the server hostname, otherwise returns OK.
    Statuses: ok, critical

    tls.cert_expiration
    Returns CRITICAL if the certificate has expired or expires in less than days_critical/seconds_critical, returns WARNING if the certificate expires in less than days_warning/seconds_warning, otherwise returns OK.
    Statuses: ok, warning, critical

    Troubleshooting

    Need help? Contact Datadog support.