Frequently Asked Questions
General
What is Sauron?
Sauron is a CSSAP approved, OCI-based operations platform for monitoring any workload, but especially workloads running in Kubernetes. Sauron platform provides logging, metrics, data visualization, alerting, DNS, certificate management, and external monitoring components. Sauron team provides a 24x7x365 managed service to multiple teams within Oracle. Start with this FAQ, the topic-specific help pages, or the troubleshooting guide for generic setup and usage questions.
- Prometheus: Metrics collection and persistence engine with alert generation
- Thanos: Allows Prometheus to be HA and operate at scale.
- PushProx: Allows pulling metrics from network locked tenancies
- Alertmanager: Alert router
- Grafana: Metrics visualizer
- Pushgateway: Incoming metrics collector
- OpenSearch: Text intake and storage
- OpenSearch Dashboards: Log visualizer
- API: Exposes API to modify configurations
- Help: Sauron documentation
Value add pieces our service provides includes:
- Automated provisioning and life cycle management
- Automated Backups
- Automated DNS management
- HA via Kubernetes and OCI block volume provisioner
- DR via backup recovery process
- Automated SSL Certificate management
- API endpoints exposed to manage each individual instance
- Metric and log based alerting
Sauron uses only CNCF/open-source technology. Sauron is in operational use today by multiple teams within Oracle, including teams that are currently "live" providing services to Oracle customers in the cloud.
At the moment, Sauron is not available to external Oracle customers.
How do I get started?
If you already have Sauron endpoints, start from the task pages linked on the
Help home page. If you need a new Sauron provisioned, post a provisioning
request in #sauron-support. This channel is in the
Proddev-paas-fmw workspace. If you
cannot access it, email sauron_dev_ww_grp@oracle.com and include the request
details below.
In order to create a Sauron system, our team will require some information:
- Short team name or acronym (included in endpoint domain names) e.g.
fgbuorrsys - Email of the VP of your team
- Email addresses of contacts for the Sauron
- Cost center
- List of regions to provision Sauron
- SSO group, if you already have one, or the team name to use when creating OIM entitlements
- Components you intend to use, such as metrics, logs, Grafana dashboards, Alertmanager, Shuttleproxy, or OpenSearch
- Any hard deadline or customer-impacting urgency
The SSO group is the team identity used to create OIM entitlements for your Sauron. For example, the Sauron team may create Admin, Viewer, or Editor entitlements for the team name you provide. If you do not already know the right group name, provide the service/team name and approver contacts, and the Sauron team can help map it to the right OIM entitlements.
If you are planning a large regional deployment, include the number of regions, data centers, scrape targets, expected metrics volume, and expected log volume. The Sauron team can help decide whether one Sauron instance is enough or whether separate regional instances are a better fit.
Actual provisioning of a Sauron system takes minutes, so most requests for new Saurons can be honored within a few hours. Once the endpoints are provisioned, our automated provisioner generates a message to the contact email addresses containing details about how to connect. The generated message includes the Sauron endpoint URLs, such as Help, API, Console, Grafana, Prometheus, Thanos, Alertmanager, OpenSearch, and Kibana, depending on the features enabled for your Sauron.
Would you recommend migrating to Sauron before being fully on OCI?
We do have teams who are not fully on OCI and using us.
What is the pricing model?
At this time we are not yet cross charging for Sauron usage. However at some point in the future internal cross-charging will be established. At a minimum, it is expected that the cross charging will include the OCI charges for running your Sauron instance.
What OCI services does Sauron integrate with off the shelf?
Sauron is internally integrated with most of the native OCI services: LoadBalancers, BlockVolume, Object Storage, Compute, VCN, HealthCheck and others based on the needs of our Sauron platform.
How are responsibilities divided between your team and my team?
Our team:
- provisions your requested Sauron instance
- regularly backs up all monitoring data and system logs to OCI Object Storage
- monitors health of your Sauron installation 24x7x365,
- provides support through the Sauron support channel.
Your team:
- identifies and pushes relevant metrics/logs of interest to your Sauron
- defines your alerting rules
- installs rules via the Sauron API endpoint
- responds to requests from the Sauron team if problems occur
- builds your own Grafana and OpenSearch Dashboards dashboards.
How is Sauron packaged?
Currently, each managed Sauron runs in its own isolated unique Kubernetes namespace in a given OCI region. We have network policy and other Kubernetes policies defined to ensure that the pods, storage, and other resources in your namespace are not accessible to anyone else running on the same cluster. We have one or more Kubernetes clusters running in all commercial OCI region and in some government regions.
The customer view of a Sauron system is simply a set of endpoints, including a self-management API endpoint that allows customer teams to configure their own alerting rules and other features.
What do you offer to help me integrate with Sauron?
Every Sauron comes with personalized help. The help is focused on integration. Our integration documentation is contained in the help. You may be using your Sauron's help to read this FAQ. If not, you are reading this at a centralized location. Try our help and the topic-specific pages first; escalate only after the documented integration steps do not answer your question.
Is Sauron CSSAP approved?
Sauron is CSSAP approved. Our CSSAP approval id is 11822.
What SLAs does Sauron service provide?
Our aim is to provide 99.99 SLA. We have business dashboards which monitor the SLA for all our managed instances. Key tenets of our team – it's all about the customer:
- Security
- Operational excellence
- Customer Features
Sauron team uses a 24x7 on call "follow the sun" 8am-8pm schedule with twice daily hand-offs between North America and APAC.
Does Sauron provide a central console to monitor all my endpoints and its current configuration?
Sauron provides a console endpoint to monitor all your endpoints. Open https://console.stage.apatil.developers.oracledx.com for this Sauron.
How does a service integrate with Sauron?
Logs:
- Sauron team recommends using any client that communicates with OpenSearch. Filebeat and other "Beats", Logstash, and Fluentd are popular among Sauron users.
- Please see https://help.stage.apatil.developers.oracledx.com/logs/ for more information.
Metrics:
- To pull metrics, we recommended you set up an intermediate Prometheus server instance ("aggregating Prometheus") in your tenancy. Sauron will scrape from this server. You provide metric data to the aggregating Prometheus via statsd, nodexporter, or other well known metric exporters.
- To push metrics, we recommend setting up PushProx client running on each metrics node
- Please see https://help.stage.apatil.developers.oracledx.com/metrics/ for more information.
In Sauron environment:
- If pulling metrics into Sauron, you will need to configure federation targets and scrape intervals in Sauron Prometheus config using the Sauron APIs. This will allow Sauron to scrape from your intermediate Prometheus.
- Configure your alert routes and receivers (Ocean) integration
Where does Sauron run? Does it run in my tenancy?
Sauron does not run in your tenancy. The Sauron team maintains its own OCI tenancy where all Sauron instances run. Sauron users do not need to worry about maintaining the infrastructure where Sauron runs.
What kind of load can Sauron handle?
For metrics, we have seen customer's services generate up to 20 millions time series at 60-second scrape interval.
For logs, we have seen customer's services generate up to 2 terabytes indices per day.
Retentions
What is the default online retention period for my Prometheus metrics in Sauron? Is it configurable?
Default online retention period for Prometheus metrics in Sauron is 30 days. This value is configurable. Request a retention change in #sauron-support with the Sauron URL, requested value, reason, and expected impact.
What is the default online retention period for my logs in Sauron? Is it configurable?
Default online retention period for OpenSearch logs is 7 days. This value is configurable. Request a retention change in #sauron-support with the Sauron URL, requested value, reason, and expected impact.
What is the default backup retention period for metrics and logs? Are they configurable?
Default backup retention period for both metrics and logs is 90 days. These values are configurable. Request a retention change in #sauron-support with the Sauron URL, requested value, reason, and expected impact.
What is the total retention period for metrics and logs?
Total retention period = Online retention period + Backup retention period
For metrics, by default, you can look back 30 + 90 = 120 days. For logs, by default, you can look back 7 + 90 = 97 days.
Can I restore older metrics from the backups outside of the online retention period?
You can restore older metrics as long as metrics are within total retention period. Restore work requires Sauron-team action; request it in #sauron-support with the Sauron URL, time range, metric scope, reason, and impact window.
Can I restore older logs from the backups outside of the online retention period?
You can restore older logs as long as they are within total retention period. Please see our help for details.
How can I download my logs from OpenSearch?
Please see our help for details.
Where are the backups stored? Are they encrypted?
Backups are stored in OCI Object Storage. OCI Object Storage provides automated encryption in transit and at rest.
Will Sauron automatically retire indices from OpenSearch?
Sauron will automatically prune OpenSearch indices based on certain timestamp patterns in the index name.
What max size a Prometheus can get to before performance significantly downgrades?
Storage used is proportional to ingestion rate i.e. how many samples per sec are sent to Prometheus.
Rough math is 10k samples/s would need 650 GB of storage for 1 year retention assuming 2 bytes per sample.
Our recommendation has always been to stay under 1 TB. Once you cross the 500GB threshold with BVs the query time will keep getting higher and will be pretty much unusable after 1 TB. Prometheus by default does not do any downsampling so all the data is stored in high precision at the configured scrape interval of 30s or 1m.
Best way to support longer retention periods would be to use Thanos with ObjectStorage and downsampling enabled.
Integrations
Does Sauron support OCI metrics querying and alerting
Sauron does support OCI metrics querying and alerting. Please see our help for details.
Does Sauron support ingesting data from AWS?
Sauron supports ingesting data from AWS. We have customers doing this. Their services run on AWS and they use Sauron to monitor them. Start with the metrics and logs setup pages. If ingestion still fails after those checks, use the troubleshooting guide and include the failed check when you escalate.
Does Sauron provide direct integration with Slack?
Sauron provides direct integration with Slack. Please see our help for further details.
Can Sauron send my alerts directly to email i.e. Alertmanager/Grafana email integration?
Sauron can send your alerts directly to email. Please see our help for further details.
Can I trigger an alert based on logs in OpenSearch?
You can trigger alert based on logs in OpenSearch. Please see our help for further details.
Are there any Sauron SDK/CLI available?
Sauron exposes API endpoint, which exposes various APIs to configure and manage your Sauron instance.
Please see our help for further details.
Can Sauron Prometheus pull/federate metrics from dev boxes running inside Oracle network?
If you have a metrics server running from a lockdown/air-gapped tenancy such that the scrape target is not reachable from Sauron Prometheus, we can use PushProx which works on same Pull model using a Client/Proxy connection.
Please see our help for more details.
Does Sauron support RBAC for Grafana to control access for dashboards, etc?
Sauron supports RBAC integration with Grafana. Please see our help for more details.
Where can I read more about exporters and beats
- Metrics: Exporters and Integrations
- Logs: Lightweight Data Shippers
Now that I have my metrics and logs in Sauron, how do I configure my alerts?
More details here: https://help.stage.apatil.developers.oracledx.com/alerts/
Now that the endpoints are set up for my Sauron, how do I create data sources in Grafana?
Sauron Grafana is configured with a default data source which points to Sauron Thanos, which seamlessly merges the data from multiple highly-available Prometheus instances within a Sauron instance. If you need to configure other types of data source, you may follow the detailed instructions here.
Security
We take lot of pride in making sure our platform as secure as it can be. By default all Sauron endpoints are secured by TLS and strong password. We also make it easy to integrate all Sauron UI endpoints with Oracle SSO for additional security. Using OIM entitlements we can also restrict access to Sauron endpoints to only users that you define and manage.
Does Sauron support RBAC in addition to SSO integration?
Grafana provides a limited RBAC capability. Sauron endpoint access is covered by the SSO and OIM role guidance in the access pages.
How does Sauron handle security patching?
We have automation to apply security patches to all our instances on a monthly basis AND/OR when they become available.
I want to integrate my endpoints with Oracle SSO. How do I do it?
Please see our help for details on how to enable SSO.
I want to change HTTP basic authentication credentials for my Sauron. How do I do it?
The Sauron admin user password can be changed through the API server.
How do you ensure all software you run on your cluster free of known CVEs?
All software we use is:
- built by ourselves directly from trusted source. We make necessary fixes during PLS approval if any CVE is identified.
- built with tools obtained from trusted source (e.g. most recent Golang from Oracle's yum server).
- built on top of hardened and most up-to-date Oracle Linux Container images (e.g. oraclelinux:8-slim).
- scanned by Trivy against the latest CVE database on a daily basis.
- promptly upgraded if any CVE is reported by Trivy scan.
Do you make the build from source images you use available to internal customers?
Please check this page for a list of images that Sauron customer can use.
However, please note that PLS approvals obtained by Sauron team for using such images within Sauron do not extend to our customer's business use case.
You are still responsible for PLS approvals for your own business use case.
Architecture
Do you have a high level architecture overview?
Please see https://help.stage.apatil.developers.oracledx.com/architecture/ for architecture overview.
Is Sauron HA?
All our managed endpoints have HA enabled out of the box. OpenSearch clusters have "N" configured master/ingest/data nodes which are run with node and AD anti-affinity policies. Even if compute instances go down or an entire Availability domain in OCI region goes down, our OpenSearch service will continue to run with no downtime.
Prometheus instances also have at least two replica servers. All queries are made through Thanos, which seamlessly merges data from the replica instances.
Sauron team also routinely scales OpenSearch servers in customer instances to handle increased load and add data capacity. These scaling activities are completely transparent to the customer.
Note: our ability to provide high availability in single-AD regions is naturally limited by the physical topology of the region.
How does Sauron handle upgrades?
- We run all Sauron instances on OCI OKE clusters. We upgrade to the latest Kubernetes version offered by OKE shortly after it becomes available. These migrations cause no downtime aside from the possible need to reconnect to a Grafana or OpenSearch Dashboards instances.
- We use the same strategy to perform regular OCI Compute patching on all Kubernetes worker nodes in order to comply with Oracle security policy.
- We obtain PLS approvals for all software. We upgrade the endpoint servers (OpenSearch, Prometheus, etc.) in compliance with Oracle policy about staying current.
Does Sauron have Disaster Recovery support?
Sauron disaster recovery support consists of recovering from backup. Backups are stored in OCI Object Storage in the region where the Sauron instance is hosted. If all OCI connectivity to a region is lost, Sauron does not have the ability to recover data from that region until connectivity is restored.
Migration
Does the Sauron Team provide support for migration?
Only general advice.
There are simple scripts you can write to export Grafana dashboards and other artifacts from one instance to another. Also, OpenSearch provides some APIs and utilities for export and import.
All our metrics data is using InfluxDB in our self hosted cluster; do you support migration to Prometheus?
No. From our knowledge there is no easy migration path from InfluxDB to Prometheus though both of them use the TSDB back end. Grafana supports both InfluxDB and Prometheus data sources. In the short term you may need to configure Grafana to use both data sources until you have sufficient data on your Sauron Prometheus and can turn off the InfluxDB data source pointing to your hosted InfluxDB cluster.
Troubleshooting and common support questions
Why am I getting SSO or OIM access denied for Grafana, Prometheus, Thanos, Alertmanager, API, Help, or Console?
First, confirm that your Sauron is configured for the SSO group you are using. Sauron access is controlled through OIM entitlements for that group.
- Admin entitlement gives full access to Sauron endpoints, including API write access.
- Viewer entitlement gives read-only access to supported UI endpoints and GET-only API access.
- Editor entitlement applies to Grafana Editor access.
If your entitlement was just added or changed, sign out of Oracle SSO and sign back in before testing again. If access still fails after the SSO and OIM checks, escalate with the Sauron endpoint URL, your OIM entitlement name, the endpoint that failed, the exact error, and whether another endpoint for the same Sauron works.
More details:
- https://help.stage.apatil.developers.oracledx.com/sso/
- https://help.stage.apatil.developers.oracledx.com/oim/
What CIDRs or IPs should I allowlist for Sauron, Shuttleproxy, OpenSearch, or Prometheus scraping?
The right allowlist depends on the traffic direction:
- For Sauron Prometheus scraping your targets directly, allow the Sauron egress CIDRs returned by the Sauron API. See https://help.stage.apatil.developers.oracledx.com/metrics/#obtaining-the-list-of-cidrs-that-need-to-be-added-to-security-lists.
- For Shuttleproxy clients connecting out to Sauron, allow outbound access from your client network to the Shuttleproxy endpoint.
- For clients sending logs to OpenSearch, allow traffic from the client public IP or NAT gateway to the OpenSearch endpoint.
- For on-premises or non-OCI sources, provide the public CIDRs, NAT gateways, or firewall egress points used by the client.
If the connection still fails, collect the source network or NAT gateway, destination endpoint, region, whether the failure is ingress or egress, and the error from the client logs before contacting Sauron support.
More details:
- https://help.stage.apatil.developers.oracledx.com/metrics/
- https://help.stage.apatil.developers.oracledx.com/shuttleproxy/#ip-whitelisting--network-rule-information
Why does Shuttleproxy show 403, 504, DNS errors, registration failures, or no scrapeable targets?
Shuttleproxy failures usually come from one of four areas: DNS or egress from the client, mismatched domain ID or client ID, a target that is not registered or scrapeable, or a Sauron endpoint/IP allowlist change.
Check these items first:
- The Shuttleproxy client can resolve the Shuttleproxy endpoint DNS name.
- The client can make outbound HTTPS connections to the Shuttleproxy endpoint.
- The configured domain ID and client ID match the Sauron Shuttleproxy setup.
- The Prometheus target is visible on the Prometheus targets page.
- Any recent Sauron endpoint IP change has been allowlisted on the client side.
If the problem continues, collect the Sauron name, region, Shuttleproxy endpoint, domain ID, client ID, target host, target error from Prometheus, and relevant client/server log lines before contacting Sauron support.
More details:
Prometheus accepted my config update, but targets or metrics are missing. What should I check?
A successful API response means Sauron accepted the configuration request. It does not guarantee that every target is reachable or that every Prometheus rule and scrape job is valid.
Check these items:
- Fetch the current Prometheus config from the API and confirm your scrape job is present.
- Validate the YAML before upload.
- Check the Prometheus targets page for the scrape job and target health.
- Confirm the target endpoint is reachable from Sauron or through Shuttleproxy.
- For file-based service discovery or secret material, confirm referenced auxiliary files exist and are named exactly as the config expects.
- For Kubernetes discovery, confirm ServiceMonitor labels, namespaces, and service ports match the config.
If targets or metrics are still missing, collect the Sauron endpoint, scrape job name, target URL, expected metric name, current target health, and the first time the data went missing before contacting Sauron support.
More details:
- https://help.stage.apatil.developers.oracledx.com/metrics/
- https://help.stage.apatil.developers.oracledx.com/api-server/
Why do Thanos or Grafana queries show no data, inconsistent data, or slow dashboards?
For no-data or inconsistent results, first check whether the same query works in Prometheus, Thanos, and Grafana for the same time range and labels. Grafana variables can also hide valid data if the variable values no longer match the series labels.
For slow dashboards, look for expensive variable queries, high-cardinality labels, large time ranges, or queries that scan many series. Prefer narrower label matchers, shorter time ranges, recording rules for expensive expressions, and scrape intervals of 30 seconds or higher when possible.
If the query or dashboard still does not behave as expected, collect the dashboard URL, panel name, PromQL query, time range, datasource, whether the query works in Thanos directly, and whether the issue affects all labels or only selected variables before contacting Sauron support.
More details:
- https://help.stage.apatil.developers.oracledx.com/metrics/
- https://help.stage.apatil.developers.oracledx.com/metrics-dashboards/
- https://help.stage.apatil.developers.oracledx.com/thanos-additional-stores/
Why are Thanos additional stores missing, denied, or not visible after a config change?
Start with the Sauron API and Thanos Stores page for the Sauron where the
additional store should appear. GET /v1/thanos/additionalstores lists the
configured store names, and GET /v1/thanos/additionalstores/{name} shows the
stored details for a specific entry.
For a store that is configured but not visible or not queryable, check the
thanos-grpc URL, store name, certificate and key, SSO registration timing, and
network reachability from the querying Sauron to the remote store. If Global SSO
is enabled, allow time for the new Thanos Store endpoint to register before
treating the missing endpoint as a failure.
If the store is still missing, denied, or not queryable, collect both Sauron
API URLs, additional store name, thanos-grpc URL, API response code, Stores
page behavior, and any Thanos query or pod-log error before contacting Sauron
support. Do not share certificates or keys in support channels.
More details:
How do I create or update Grafana dashboards through UI or API?
Sauron Grafana includes a default datasource backed by Thanos. You can create dashboards in the Grafana UI, export dashboard JSON, or use Grafana API calls if your SSO/OIM entitlement allows the required access.
For API updates, make sure the request uses the Grafana dashboard API shape, not only the inner dashboard JSON. If a save returns an error, include the HTTP status, API response message, dashboard UID, folder, and whether the same dashboard can be saved in the UI.
More details:
- https://help.stage.apatil.developers.oracledx.com/metrics-dashboards/
- https://help.stage.apatil.developers.oracledx.com/sso/
Why are logs missing in Kibana or OpenSearch, and can I use Filebeat or Logstash 8.x?
Sauron uses OpenSearch. Use an OpenSearch-compatible Beat such as Filebeat 7.12.1 OSS when sending directly to OpenSearch. Filebeat 8.x is not a direct replacement for OpenSearch ingestion; if you need a newer shipper, send through Fluentd or Logstash and use an OpenSearch output plugin. For Logstash 8.x, disable ECS compatibility mode when required by your pipeline so documents are sent in the expected format.
For missing logs, check the client output plugin, endpoint URL, index name, credentials, proxy settings, bulk request errors, and OpenSearch/Kibana time range.
If logs are still missing, collect the Sauron OpenSearch endpoint, client type and version, output plugin, index pattern, sample error, and whether any documents are visible for a wider time range before contacting Sauron support.
More details:
What should I check for OpenSearch yellow/red health, unassigned shards, or restore requests?
For yellow or red cluster health, first separate expected transient shard movement from a persistent allocation problem. Recent deployments, node restarts, disk pressure, index/template changes, retention changes, or restore activity can all affect shard allocation.
Before restore work, check cluster health and index status. The restore guide
recommends making sure indices are green before proceeding with a self-service
restore. If you need to restore many indices, contact #sauron-support because
large restores can add capacity, performance, and backup pressure.
If the cluster health problem persists after those checks, or you need a restore, collect the OpenSearch endpoint, affected indices, current cluster health, shard allocation symptom, first-seen time, recent deployment or retention changes, and whether this is a partial or full restore request before contacting Sauron support.
More details:
- https://help.stage.apatil.developers.oracledx.com/restore-opensearch-indices/
- https://help.stage.apatil.developers.oracledx.com/logs/
How do I configure Alertmanager Ocean webhooks, bearer tokens, or email alerts?
For Ocean webhooks, follow the Ocean help or Ocean team process to obtain the webhook bearer token, then update your Alertmanager receiver configuration. Do not share tokens in support channels. If a token expiration alert fires, rotate the token and update the receiver that references it.
For email alerts, use the Sauron Alertmanager or Grafana email guidance and confirm sender, recipient, route, and notification policy settings. If delivery fails, include the receiver name, route matchers, alert name, and delivery error without including secrets.
More details:
Why do Grafana email alerts fail or hit delivery limits?
Grafana email alerts depend on both Sauron Grafana SMTP configuration and the OCI Email setup owned by your team. Confirm SMTP is enabled for the Grafana endpoint, the approved sender exists, SMTP credentials are valid, and the notification channel or contact point uses the expected recipients.
If the error mentions a delivery limit, rejected sender, authentication failure, or maximum message count, check the OCI Email sender and SMTP credential path before changing alert rules. Do not share SMTP passwords or full credentials in support channels.
If delivery still fails, collect the Grafana URL, alert or contact point name, sanitized error text, approved sender, recipient pattern, first failure time, and whether a test notification succeeds before contacting Sauron support.
More details:
How do I request Sauron decommission or termination?
Post the request in #sauron-support or open the agreed support ticket for
your team. Include the full Sauron endpoint, region, owner contacts, reason for
decommission, requested date, and whether metrics, logs, dashboards, alerts, or
backups need to be preserved before termination.
Do not assume that a single Grafana or Kibana URL is enough to identify the full Sauron environment. Provide the Help or API endpoint when possible.
How do I request a retention change or preserve data after decommission?
Sauron has separate retention settings for online metrics, online logs, and backups. Increasing one of them can affect storage, query latency, backup usage, and restore expectations, so provide the requested component and reason before asking for a change.
For a metrics retention increase, include the Sauron URL, current retention, requested retention, expected ingestion volume, dashboard or query need, target date, and whether this is temporary or permanent.
For decommission or EOL cases, state whether metrics, logs, dashboards, alerts, or backups must remain available after the Sauron is terminated. If logs or metrics need to be kept beyond Sauron's configured backup retention, plan an export or ownership transfer before decommission starts.
Why does Basic Auth return 403, and where do I request credential resets?
HTTP 403 from a Basic Auth call usually means the credential is wrong, expired/rotated, the wrong account type is being used, or Basic Auth is not enabled for the endpoint you are calling.
Check the Sauron contact email with GET /v1/contactemail; credential reset
emails usually go to that owner/contact path. Confirm whether you need Admin or
Reporter credentials before requesting a reset.
Do not share credentials, tokens, password reset links, or secret values in support channels. If the problem continues, collect the Sauron API URL, account type, exact HTTP status, contact email owner, and whether the same call worked before.
How do I find the Sauron component URLs for a new instance or region?
For a newly provisioned Sauron, use the generated welcome/help URLs as the source of truth. Sauron endpoint families usually follow the component prefix pattern for the selected Sauron name and region:
console.api.grafana.prometheus.thanos.alertmanager.kibana.elasticsearch.help.
Do not guess production URLs for firewall or allowlist requests. If you need
Sauron-provided CIDR evidence, use the Sauron API endpoint GET /v1/cidrs.
For new-region planning, provide the desired OCI region, nearest acceptable Sauron-hosted region, environment type, components needed, and whether the new instance can reuse an existing Sauron pattern.
What should I do if Prometheus rejects scrapes after content-type changes?
Some Prometheus versions are stricter about scrape response Content-Type
headers. If a target exposes compatible Prometheus metrics but does not send an
acceptable content-type header, fallback_scrape_protocol may be needed in the
scrape config.
Before changing production, validate the target response headers and scrape config in a safe environment. A successful Sauron API response means the config request was accepted; it does not guarantee every target will scrape successfully.
If scrapes still fail, collect the Sauron URL, scrape job, target URL, response content-type, current scrape error, and whether the fallback setting was tested outside production before contacting Sauron support.
Why do API updates fail with Changes not allowed while Observability is locked?
This means the Sauron is locked, so most non-GET API changes are rejected with a conflict response while the lock is active. Locks are commonly used during controlled maintenance, migration, troubleshooting, or other operator-managed work where customer config changes should pause.
Do not keep retrying PUT, POST, or DELETE requests while the lock is active. Check whether there is an announced migration or maintenance window, and escalate only if the lock blocks urgent work or no maintenance context is available.
If you need the lock reviewed, collect the Sauron API URL, attempted operation, exact error text, first failure time, urgency, and whether a deployment, DR activity, or regional migration is in progress before contacting Sauron support.
How should I configure dynamic scraping when a pod has multiple containers or ports?
Dynamic discovery relies on the Kubernetes resources, labels, annotations, ServiceMonitor, service ports, and Prometheus scrape config all agreeing on the target to scrape. For pods with multiple containers or multiple metrics ports, do not rely on a single ambiguous annotation if each container exposes a different path or port.
Prefer a clear service and ServiceMonitor shape for each metrics endpoint, or
separate scrape entries with explicit port names and paths. Confirm the service
selector, namespace selector, labels, endpoint port names, scheme, TLS, and
metrics_path match the actual container endpoints.
If discovery still does not produce the expected targets, collect the pod/deployment name, container names, service YAML, ServiceMonitor YAML, expected paths and ports, current Prometheus target status, and any scrape error before contacting Sauron support.
More details:
- https://help.stage.apatil.developers.oracledx.com/metrics/
- https://help.stage.apatil.developers.oracledx.com/shuttleproxy/
How do I create Jira tickets from alerts or dashboard firing alerts?
Sauron no longer supports enabling new Jiralert integrations. If an older Sauron still has legacy Jiralert configuration, treat it as legacy state and do not depend on it for new alert routing without a Sauron-team review.
For supported alert delivery, first confirm the alert is firing in Prometheus, Thanos Ruler, or Alertmanager. Then check route matchers, receiver configuration, grouping, repeat intervals, and whether the supported receiver is configured for the delivery path you expect.
If you want a Grafana dashboard of firing alerts, confirm that an ALERTS
metric or equivalent recording rule is available and has the labels you need.
If the metric is not available, use the Thanos Ruler or Alertmanager APIs as
evidence and plan a durable recording rule or documented API-backed workflow.
If alert delivery still does not match your expected workflow, collect the Sauron URL, alert name, receiver, desired delivery workflow, route matchers, start time, and sanitized receiver configuration before contacting Sauron support. Do not share webhook tokens or Jira credentials in support channels.
Can Sauron enable new Grafana or OpenSearch plugins?
New Grafana or OpenSearch plugins are platform changes. They require approval and review before they can be installed in Sauron.
For Grafana plugins, provide the plugin name, version, source URL, business need, environments that need it, and approval/ticket links. The plugin must go through PLS approval, Third Party approval, license review, and CVE/security review before rollout can be considered.
For OpenSearch plugins or Machine Learning features, provide the current Sauron OpenSearch version, requested feature, business need, and whether the request requires new plugins, new images, or an OCI OpenSearch migration path. Do not assume OCI OpenSearch feature availability maps directly to the current Sauron-managed OpenSearch runtime.
Where is encryption at rest covered for Sauron?
Sauron stores backups and other backup-related objects in OCI Object Storage. OCI Object Storage provides automated encryption in transit and at rest for that data.
Encryption details for live Sauron data depend on the component and data path in scope. When asking for audit or compliance evidence, identify which data path you need covered:
- Prometheus metrics
- Thanos object storage
- OpenSearch logs
- Grafana dashboards and configuration
- Sauron backups
- API or UI traffic
If you need a formal audit response, include the Sauron URL, region, component/data path, and the control question being asked. The Sauron team can then provide the current architecture or service-specific evidence for that scope.
What information is needed for an mTLS enablement request?
Sauron supports TLS-based integrations, including client-certificate authentication for applicable scrape or endpoint flows. mTLS changes affect how clients authenticate to a Sauron endpoint, so they should be planned and validated before production use.
For an mTLS enablement request, include:
- Sauron URL
- region
- endpoint or component
- certificate/CA owner
- client identity expectations
- rollout window
- validation plan
- rollback plan
- approval or ticket link
Before production rollout, validate the certificate chain, client trust, endpoint routing, and non-production behavior.
What should I include before asking the Sauron team to restart, unlock, restore, patch, or delete something?
Restart, unlock, restore, patch, and delete requests can affect a live Sauron environment. Please include enough context for the Sauron team to validate the request and execute it safely:
- Sauron URL
- component
- requested action
- reason and evidence
- production impact
- rollback expectation
- approval or ticket link
For restore requests, also include the exact indices, desired snapshot or backup time, target environment, whether this is partial or full restore, and the impact window.
Still need help?
I am facing issues with my Sauron; what do I do?
First read the page for the component you are using, then follow the
Troubleshoot checklist.
If the documented checks do not resolve the issue, escalate in
#sauron-support with the Sauron URL, component, completed checks,
approximate start time, expected behavior, actual behavior, exact error text or
screenshot, recent changes, and production impact.
I didn't get an answer for my question in FAQs, what do I do?
Start with the Help home page, this FAQ, and the Troubleshoot page. If the
question is still unanswered, post in #sauron-support with the page or
checklist you followed and the missing answer you need.