Configuring host agents using agent configuration file

You can configure the Instana host agent to suit your business requirements by using the agent configuration file <instana-agent-dir>/etc/instana/configuration.yaml.

The format of the agent configuration file is YAML, which is sensitive to blank spaces. Therefore, make sure to not use unnecessary spaces in the file. To create an indentation, use only two blank spaces.

Creating multiple configuration files

To provide modularity in configurations, you can create multiple <instana-agent-dir>/etc/instana/configuration-<suffix>.yaml files. Replace <suffix> with an alphanumeric combination.

All <instana-agent-dir>/etc/instana/configuration-<suffix>.yaml files are merged with <instana-agent-dir>/etc/instana/configuration.yaml file in the alphabetical order of the file system. For example, the configuration-cde.yaml file comes after the configuration-abc.yaml file. Nested structures that are specified in different configuration files such as tags are merged, and values are overwritten.

See the following sections to learn how to use the agent configuration file to configure the agent:

Integrating the host agent with secret managers

Instana doesn't support encrypting confidential data such as password directly in the agent configuration file.

Therefore, when you add sensitive information (such as credentials or other information) in the agent configuration file, the contents might look like the following example:

com.instana.example:
  user: 'instana'
  password: <password>

However, you might not want to put the sensitive information in plain text in the agent configuration file. In such circumstances, you can use secret managers such as IBM Cloud Secrets Manager or HashiCorp Vault to store the secrets and retrieve them into the agent configuration file as required.

HashiCorp Vault

The Vault integration requires the agent bootstrap version 1.2.9 or later.

Instana agent uses HashiCorp Vault to securely obtain values for sensitive settings in the agent configuration file.

You must provide the Vault integration configuration parameters to the host agent by adding the following lines to the agent configuration file:

com.instana.configuration.integration.vault:
  connection_url: <vault_server_base_url> # The address (URL) of the Vault server instance(e.g. http://127.0.0.1:8200 or https://exapmle.com:8200)
  prefix: <optional_prefix> # Optional prefix path required if kv_version 2 is used and the /data/ must be injected further down
  token: <vault_access_token> # Vault access token with assigned, at least, `read` access policy to relevant Vault paths, optional if other auth providers are present
  github: # Optional auth method if Vault access token is not provided, has higher priority than approle if present
    github_token: <github_token> # Personal Access Token, must provide at least read:org scope, must be present if github is used as an auth provider
    auth_mount: github # Optional mount path for GitHub Auth, defaults to github
  approle: # Optional auth method if Vault access token or github auth is not provided
    role_id: <roleId> # AppRole RoleId, must be present if approle is used as an auth provider
    secret_id: <secretId> # AppRole SecretId, must be present if approle is used as an auth provider
    auth_mount: approle # Optional mount path for AppRole Auth, defaults to approle
  path_to_pem_file: <path_to_X.509_CA_certificate> # X.509 CA certificate (UTF8 encoded) in unencrypted PEM format, used by the Agent when communicating with Vault over HTTPS
  secret_refresh_rate: 24 # This configuration option allows you to account for rotating credentials, refresh rate in hours, default 24
  kv_version: 2 # The Key/Value secrets engine version, default is 2

For an example of configuring Vault with MySQL and adding secrets, see Sample Vault configuration for MySQL.

After the initial configuration of Vault, in the agent configuration file, you can specify the retrieval of secrets for various sensors.

See the following example in which the password is retrieved from HashiCorp Vault instead of directly adding it in the agent configuration file:

com.instana.example:
  user: 'instana'
  password:
    configuration_from:
      type: vault
      secret_key:
        path: <vault_path>
        key: <vault_secret_key>

You can replace the sensitive data string value with the YAML structure that specifies the Vault coordinates, and the host agent automatically retrieves the secret.

Also, you are not limited to integrating with secret managers for password fields. You can use the secrets managers for any configuration with a string as a value in the agent configuration file configuration.yaml.

For more information, see the following Vault concepts that are relevant for the Instana agent integration:

IBM Cloud Secrets Manager

The IBM Cloud Secrets Manager is based on open-source HashiCorp Vault and provides the same API and the same configuration as HashiCorp Vault. For more information about configuring the integration, see HashiCorp Vault.

Starting with version 1.0.11 of the Vault component, the IBM Cloud Secrets Manager SDK with IAM Keys are supported to be used in Vault.

You must provide the IBM Cloud Secrets Manager integration configuration parameters to the host agent by adding the following lines to the agent configuration file:

com.instana.configuration.integration.vault:
  connection_url: <secrets-manager-address> # The address (URL) of the IBM Cloud Secrets Manager server instance(e.g. https://f022446e-1024-4aa9-a00c-72bf15aa9e7b.us-south.secrets-manager.appdomain.cloud)
  ibm_secrets_manager: <iam_key> # IAM Key that can be used to create access tokens
  secret_refresh_rate: 24 # This configuration option allows you to account for rotating credentials, refresh rate in hours, default 24

You can find endpoint descriptions in IBM Cloud Docs - Secrets Manager or within the IBM Secrets Manager dashboard.

To create an IAM key, see IBM Cloud - IAM Keys.

After you integrate the IBM Cloud Secrets Manager to the host agent, in the agent configuration file, you can specify the retrieval of secrets for various sensors.

See the following example in which the password is retrieved from the IBM Cloud Secrets Manager instead of directly adding it in the agent configuration file:

com.instana.example:
  user: 'instana'
  password:
    configuration_from:
      type: vault
      secret_key:
        path: <secret-id> # The id of the Secret within the IBM Secrets Manager, (e.g. cc32688d-89c0-6fa8-c0b4-6cc88c232e66)
        key: <kv-key-entry> # The Key inside the Secret Object of type KV (e.g. login)
      poll_rate: 300 # seconds

Sample Vault configuration for MySQL

See the following sample configuration in the <instana-agent-dir>/etc/instana/configuration.yaml file to integrate HashiCorp Vault with MySQL database:

Before you start configuring the Vault for MySQL, ensure that Vault and MySQL are installed and configured in your system.

com.instana.configuration.integration.vault:
  connection_url: http://127.0.0.1:8200
  prefix: secret
  token:  secret-vault-token

The prefix attribute is optional.

com.instana.plugin.mysql:
  user: 'myuser'
  password:
    configuration_from:
      type: vault
      secret_key:
        path: secret/my-secret
        key: password

The /data/ path is not mentioned in the MySQL plug-in. If you use kv_version 2, omit any /data/ within the path.

Run the following command to see the secrets:

vault kv get secret/my-secret

The secrets are displayed as follows:

==== Secret Path ====
secret/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2024-07-08T06:53:10.830770915Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

====== Data ======
Key         Value
---         -----
password    *****
username    myuser

Kubernetes secrets

To retrieve sensitive information from Kubernetes secrets into the agent's sensor configuration, combine the following two processes:

Configure your workloads to mount Kubernetes secrets into environment variables or files within the workload's pod.
Adapt the agent's configuration.yaml file to read configuration values from process-specific environment variables or files.

By combining these two processes, your workloads can carry sensitive information in pod-specific or process-specific environment variables or files. In addition, the agent can get these environment variables or files to read the sensitive information and apply the information to the workload-specific configuration.

Obtaining configurations from process environment and files

You can configure the agent to read configuration values from the process that are to be monitored. This approach is useful in the following situations:

When you do not want to hardcode any information in your configuration.yaml.
When you have several instances of one technology, such as MySQL, on the same node, and each instance needs different configurations.

The agent reads the configuration values by looking up the values from specific environment variables (supports only YAML literals, such as a string, a Boolean, or a number), or as content of specific files (supports complex YAML structures, like lists and maps).

An intentional symmetry exists between these capabilities of the host agent and the way that you mount secrets in Kubernetes. However, these capabilities are available on all supported Operating Systems and all supported container runtimes.

Numeric values in the environment variables and specific files are converted to integer values. The Boolean values true and false are converted to Booleans.

Obtaining configurations from process environment

For configuration values that are taken from the target process environment, modify the configuration.yaml file as follows:

com.instana.plugin.mysql:
  user: 'instana'
  password:
    configuration_from:
      type: env
      env_name: <environment variable name>
      default_value: <set this when no env var is found on this process>

If you do not specify a default value, and if the environment variable is not present on the process to be monitored, then the configuration.yaml file considers that no value is entered.

Notes:

On Kubernetes, this function works with mounting ConfigMap entries as environment variables in your containers. Therefore, you need to complete the following steps:

Mount the ConfigMaps to the application containers as environment variables.
Allow the configurations in the host agent to use those environment variables.

The values from environment variables can be only YAML literals, such as a string, a Boolean, or a number. Complex YAML structures, such as lists and maps, are not supported. You cannot change the plug-in `enabled/disabled` setting by using configurations from the process environment and specific files.

Obtaining configurations from process file system

For configuration values that are taken from a file, modify the configuration.yaml file as follows:

com.instana.plugin.mysql:
  user: 'instana'
  password:
    configuration_from:
      type: file
      file_path: <absolute path to a file containing the configuration value>
      default_value: <set this when the file is not found>
      common_value: <set this in addition to the configuration value from file>

In the following example, the agent reads the /jmx-config-map.yaml file from the process file system with the property type: file. The default_value property accepts complex YAML structures. The common_value property is later merged with every process-specific configuration and is common to all monitored processes:

com.instana.plugin.java:
  jmx:
    configuration_from:
      type: file
      file_path: /jmx-config-map.yaml
      default_value:
        - object_name: 'java.lang:type=OperatingSystem'
          metrics:
          - attributes: 'CommittedVirtualMemorySize'
            type: 'absolute'
      common_value:
        - object_name: 'java.lang:type=OperatingSystem'
          metrics:
          - attributes: 'ProcessCpuLoad'
            type: 'delta'

In the following example, the /jmx-config-map.yaml file is mounted from a Kubernetes ConfigMap into the application container that provides the following content:

- object_name: 'java.lang:type=Compilation'
  metrics:
  - attributes: 'TotalCompilationTime'
    type: 'delta'
- object_name: 'java.lang:type=ClassLoading'
  metrics:
  - attributes: 'LoadedClassCount'
    type: 'absolute'

This process results in the following final configuration. Note the common_value addition for ProcessCpuLoad:

com.instana.plugin.java:
  jmx:
  - object_name: 'java.lang:type=Compilation'
    metrics:
    - attributes: 'TotalCompilationTime'
      type: 'delta'
  - object_name: 'java.lang:type=ClassLoading'
    metrics:
    - attributes: 'LoadedClassCount'
      type: 'absolute'
  - object_name: 'java.lang:type=OperatingSystem'
    metrics:
    - attributes: 'ProcessCpuLoad'
      type: 'delta'

If the process that is to be monitored is running inside a container, then the absolute path of the file is resolved against that container's file system.

Notes:

Referencing files on the host's operating system when you try to resolve a configuration value for a containerized process is not supported.
On Kubernetes, this function works with mounting ConfigMap entries as volumes in your containers. Therefore, you can define the configurations in ConfigMaps as follows:

Mount the ConfigMaps to pods as files.
Mount the ConfigMap volume into the application containers with a volume mount.
Allow the configurations in the host agent to read particular configurations from the file path that you used to mount the ConfigMap volume inside the application container.

YAML structures are supported for process-specific file-based configurations. The plug-in enabled/disabled cannot be changed by using the configurations from the process environment and specific files.

Monitoring extra file systems

By default, the agent monitors local file systems only. To add extra file systems, add the name of the file system (the first column in mtab or df).

For example, to monitor the server:/usr/local/pub /pub nfs rsize=8192,wsize=8192,timeo=14,intr file system, add the following line in the uncommented file systems list of the host section in the agent configuration file:

com.instana.plugin.host:
  filesystems:
    - 'server:/usr/local/pub'

Specifying host tags

To specify tags for an agent in the com.instana.plugin.host configuration file, add a section in the following format:

com.instana.plugin.host:
  tags:
    - 'production'
    - 'app1'

Alternatively, you can use the INSTANA_TAGS=production,app1 environment variable to specify tags for an agent (tags from environment variable and config file are additive).

The production and app1 tags are added to the specific agent, which enables searching and filtering of tags in the UI:

Extracting the installed packages list

The host agent can report to Instana about the packages that are installed on the underpinning Linux operating system.

This configuration is disabled by default.

The following Linux distributions are supported:

Debian and its derivatives that use dpkg as package manager.
Red Hat OpenShift and its derivatives that use rpm and yum as package managers.

To enable this feature, set the collectInstalledSoftware property to true.

com.instana.plugin.host:
  collectInstalledSoftware: false #  Valid values: true, false

After you enable the feature, the installed packages on an operating system are extracted once daily.

Setting custom zones

By default, Instana uses Amazon Web Services, Google Compute Engine, or OpenStack Nova availability zone information to group hosts. To customize the default host grouping in Instana, you can define a new group for the specific host in the section com.instana.plugin.generic.hardware by using the following format:

com.instana.plugin.generic.hardware:
  enabled: true
  availability-zone: 'Demozone'

You can also provide this configuration by using the INSTANA_ZONE environment variable, which then overrides the zone that is specified in the configuration file. After the configuration, the hosts are grouped into zones on the infrastructure map.

Monitoring custom processes

By default, Instana automatically monitors the process metrics of higher-level sensors, such as Java® or MySQL. To monitor an OS process that is not automatically covered by Instana, configure it by using both the process name and its arguments:

com.instana.plugin.process:
  processes:
    - 'sshd'
    - 'slapd'
  arguments:
    - '/opt/script.sh'

Configuring secrets

Tracing data might contain sensitive data. Therefore, the Instana agent supports the specification of patterns for secrets (data to be redacted agent-side from the tracing data). Data that is treated as secrets can't reach the Instana SaaS for processing, and therefore they are not available for analysis in the UI or retrieval by using API.

Specify the secrets as follows:

com.instana.secrets:
  # One of: 'equals-ignore-case', 'equals', 'contains-ignore-case', 'contains', 'regex'
  matcher: 'contains-ignore-case'
  list:
    - 'key'
    - 'password'
    - 'secret'

If you do not specify any custom secrets configuration, then Instana uses this secrets configuration by default. If a key matches an entry from the list, the value is redacted, and not sent to the Instana backend.

Generally, secrets are filtered from static data. When a process is running, filtering is highly optimized, and the changes that are made to configure secret scrubbing are not applied. To make a secret configuration effective immediately, either restart the host agent or the running monitored component.

Instana supports secrets at the infrastructure and platform levels through the following configuration elements:

Process environment variables
Docker container information
Kubernetes annotations and container environment variables (Supporting secrets through this option requires an extra configuration. For more information, see Kubernetes secrets).

Instana supports secrets in the following runtime elements:

Database connection strings
HTTP query parameters (virtually for all supported runtimes, see the following support matrix), such as https://my.domain/accounts/status?account=<secret_1>&user=<secret_2>.
HTTP matrix path parameters, such as https://my.domain/accounts/account=<secret_1>;user=<secret_1>/status.

The following runtimes are supported:

Table 1: Supported runtime information
Language	Secrets in HTTP Query parameters	Secrets in HTTP Matrix parameters
Go	✅	❌
Java®	✅	✅
NGINX	✅	❌
Node.js	✅	❌
.NET Core	✅	✅
.NET Framework	✅	✅
PHP	✅	✅
Python	✅	❌
Ruby	✅	❌
HTTPd	✅	❌

Notes:

Instana does not support treating the arbitrary segments in a URL path as secrets. For example, https://my.domain/accounts//status is not supported. This restriction is because URLs with secrets embedded in them require regular expressions to filter out the secrets, which is performance-intensive and therefore not encouraged. However, URLs such as https://my.domain/accounts/account=;user=/status is supported.
Instana does not capture the following information that is related to the interaction with the databases:
- SQL parameters from stored procedures
- Connection credentials
For arbitrary segments in paths, you must strip the literals from SQL queries and instead use parametrized queries.
The Instana PHP sensor can strip SQL literals by using the sanitizeSql configuration option . However, this option might impact the performance of the Instana agent.

Capturing custom HTTP headers

By default, Instana doesn't collect HTTP headers when it traces HTTP calls.

If required, you can enable this feature by applying the following configuration in the agent configuration file:

com.instana.tracing:
  extra-http-headers:
    - 'x-request-id'
    - 'x-loadtest-id'
    - ...

The values are case-insensitive. The headers that are collected are shown in the call details (in the Call details section). You can also use the header names and their values to search for calls and traces (in the UI or by using the API) and for service configuration.

This feature currently has the following restrictions:

All tracers capture request headers on HTTP entries (HTTP calls that the instrumented process receives).
Some tracers might capture response headers on HTTP entries. See Table 2.
Some tracers might capture request and response headers on HTTP exits (HTTP calls where the instrumented process is the client). See Table 2.
If the same header is present as a request header and a response header, one of the two values might not be captured by the tracer.

Table 2: Tracer request and response header information
Tracer	Request Headers on HTTP Entries	Response Headers on HTTP Entries	Request Headers on HTTP Exits	Response Headers on HTTP Exits
Go	✅	✅	✅	✅
Java	✅	✅ ^[1]	❌	❌
.NET	✅	❌	❌	❌
Node.js	✅	✅	✅	✅
PHP	✅	❌	❌	❌
NGINX	✅	❌	N.A.	N.A.
Python	✅	✅	✅	✅
Ruby	✅	❌	❌	❌
HTTPd	✅	❌	N.A.	N.A.

Configuring Kafka trace correlation headers

You can configure the format for Kafka trace correlation headers that are used by Instana tracers by using the setting com.instana.tracing.kafka.header-format. Valid values are binary, string, or both. See the following example:

com.instana.tracing:
  kafka:
    header-format: string # possible values: binary, both, string

You must not disable the Kafka trace correlation entirely. However, if you need to disable the Kafka trace correlation entirely, then set com.instana.tracing.kafka.trace-correlation: false. See the following example:

com.instana.tracing:
  kafka:
    trace-correlation: false

For more information, see Kafka Header Migration.

Ignoring endpoints

You can exclude specific endpoints from tracing. For example, if you are using the redis package and want to avoid the tracing of commands, such as GET, TYPE, or others, you can use the ignore-endpoints configuration option.

Notes: The ignore endpoints feature currently has the following restrictions:

Only specific packages are supported.
Not all tracers are supported.

For more information about the specific packages and tracers that support this feature, see Support information.

Filtering options

You can filter the traces by using the following options:

Filtering by method name: With this option, you can filter traces based only on method names. It is useful when you want to ignore specific operations, such as GET calls in Redis or QUERY calls in DynamoDB.
Filtering by method name and endpoint: With this option, you can exclude traces based on both method and specific endpoints. This option is especially useful for technologies, such as Kafka, where you can exclude traces for a specific method (for example, consume) but only for certain topics (for example, topic1 ortopic2).

Filtering rules

The rules for filtering traces are as follows:

When a trace is ignored, all subsequent downstream traces are also ignored.
Use * to ignore all endpoints or methods.
Endpoint values (such as Kafka topic names) remain consistent across services.
Method names might vary depending on the programming language and technology. To determine the correct method and endpoint for your service, refer to the Instana UI.

The following Instana UI screenshot provides a visual reference for identifying the correct method and endpoint for configuration:

Figure 4. Methods and endpoints in the UI

Configuring endpoints to be excluded

When your system uses multiple services in different programming languages, make sure that all necessary method names are included in the agent configuration file, as they might vary from one language to another.

To configure the endpoints to be ignored, specify the endpoints that must be excluded from monitoring in the com.instana.tracing.ignore-endpoints section in your agent configuration file as shown in the following example:

com.instana.tracing:
  ignore-endpoints:

    # Filtering by Method Name  
    redis:  
      - 'get'   
      - 'type'  
    dynamodb:
      - 'query'
    kafka:
      - 'send'

    # Filtering by Method Name and Endpoint for Kafka  
    kafka: 
      - methods: ["consume"]
        endpoints: ["topic1", "topic2"]  # Exclude consume calls for topic1 and topic2

      - methods: ["consume", "send"]
        endpoints: ["topic3"]  # Exclude both consume and send calls for topic3

      - methods: ["*"]  
        endpoints: ["topic4"]  # Exclude all methods for topic4

      - methods: ["consume"]
        endpoints: ["*"]  # Exclude consume method for all topics

In the preceding example, the following traces are ignored for the listed filtering options:

Filtering by method (Redis, DynamoDB, and Kafka)
- GET and TYPE commands in Redis
- QUERY command in DynamoDB
- SEND method in Kafka and all downstream traces
Filtering by method and endpoint (Kafka only)
- CONSUME method for topic1 and topic2 in Kafka and all downstream traces
- CONSUME and SEND methods for topic3 in Kafka all downstream traces
- All methods (*) for topic4 in Kafka and all downstream traces
- CONSUME method for all topics (*) and all downstream traces

Support information

The following table lists the tracers and packages that support ignoring endpoints:

Table 3: Tracers and packages that support ignoring endpoints
Supported packages	Node.js	Java	Go	PHP	Python	Ruby	.NET	NGINX
Redis	✅	❌	❌	❌	✅	❌	❌	❌
DynamoDB	✅	❌	❌	❌	❌	❌	❌	❌
Kafka	✅	❌	❌	❌	❌	❌	❌	❌

Ignoring processes

You can exclude specific processes from tracing.

To ignore monitoring of certain processes, uncomment the com.instana.ignore section in the agent configuration file and list all the process names of the processes that do not require monitoring.

You can define either processes or arguments. For example, if you define a process called nginx and an argument called /opt/server/server.js, both the NGINX process and the nodeJS process (that calls the file /opt/server/server.js) are ignored. See the following example:

com.instana.ignore:
  processes:
    - 'java'
    - 'httpd'
  arguments:
    - '-batch-file=/tmp/batch.def'

For Windows, the process names in the list are case-sensitive.

Processes and arguments are not related or codependent.

Sometimes, scripts or other jobs are started through the same command, but only the execution of a single command must be ignored. In this scenario, use arguments to specify any argument that causes a process to be ignored.

When you specify arguments, make sure to retrieve arguments and environmental variables that are defined in Process > Arguments in the Instana UI.

Instana takes in arguments based on the blank spaces between arguments. For example, if you run a command with /usr/bin/java -p 4654 -Djava.locale.providers=CLDR,JRE,SPI, the space between -p and 4654 causes Instana to identify them as two different arguments.

Deactivating agent capabilities that are enabled in Instana UI

If you want to deactivate all the agent capabilities that are enabled in the Instana UI, add the following line to the <instana-agent-dir>/etc/instana/com.instana.agent.main.config.Agent.cfg configuration file:

backchannel.enabled = false

Uploading code source files to Instana

The Instana agent can retrieve on-demand source code of the processes that it monitors and associate it with the collected tracing data.

To disable the on-demand upload of the source files into Instana, complete the following steps:

Set the following configuration in the <instana-agent-dir>/etc/instana/com.instana.agent.main.config.Agent.cfg configuration file:

source.download.enabled = false

Restart the Instana agent to apply this setting.

Configuring error report events (only AIX operating system)

To specify the time interval to poll the error events from AIX system, set the aixEventsPollRate event in seconds (minimum is 900 seconds).

com.instana.plugin.host:
  aixEventsPollRate: 900 # (Optional) Only for AIX systems. Setting a value to 900 seconds or larger will enable error report event collection and removing it will stop it.

To disable the feature, remove aixEventsPollRate event from the agent configuration files.

Supported technologies include Servlet, Spring, Tomcat, and http4s. ↩︎