I'm actually struggling with this myself since the change to the auth split
migration in v0.23.0.

I can't seem to work out how to format my generator.yml file, which currently
works for v0.22.0, so that it works in v0.23.0 and above.

This is my current generator.yml

modules:
  # Dell Idrac
  idrac:
    version: 3
    timeout: 20s
    retries: 10
    max_repetitions: 10
    auth:
      username: "${snmp_user}"
      password: "${snmp_password}"
      auth_protocol: SHA
      priv_protocol: AES
      security_level: authPriv
      priv_password: "${snmp_privpass}"
      community: "${snmp_community}"
    walk:
      - statusGroup
      - chassisInformationTable
      - systemBIOSTable
      - firmwareTableEntry
      - intrusionTableEntry
      - physicalDiskTable
      - batteryTable
      - controllerTable
      - virtualDiskTable
      - systemStateTable
      - powerSupplyTable
      - powerUsageTable
      - powerSupplyTable
      - voltageProbeTable
      - amperageProbeTable
      - systemBatteryTable
      - networkDeviceTable
      - thermalGroup
      - interfaces
      - systemInfoGroup
      - 1.3.6.1.2.1.1
      - eventLogTable
    overrides:
      systemModelName:
        type: DisplayString
      systemServiceTag:
        type: DisplayString
      systemOSVersion:
        type: DisplayString
      systemOSName:
        type: DisplayString
      systemBIOSVersionName:
        type: DisplayString
      firmwareVersionName:
        type: DisplayString
      eventLogRecord:
        type: DisplayString
      eventLogDateName:
        type: DisplayString
      networkDeviceProductName:
        type: DisplayString
      networkDeviceVendorName:
        type: DisplayString
      networkDeviceFQDD:
        type: DisplayString
      networkDeviceCurrentMACAddress:
        type: PhysAddress48
  fortigate:
    version: 3
    timeout: 20s
    retries: 10
    max_repetitions: 10
    auth:
      username: "${snmp_user}"
      password: "${snmp_password}"
      auth_protocol: SHA
      priv_protocol: AES
      security_level: authPriv
      priv_password: "${snmp_privpass}"
      community: "${snmp_community}"
    walk:
      - system
      - interfaces
      - ip
      - ifXTable
      - fgModel
      - fgVirtualDomain
      - fgSystem
      - fgFirewall
      - fgMgmt
      - fgIntf
      - fgAntivirus
      - fgApplications
      - fgVpn
      - fgIps
      - fnCoreMib



On Wednesday 10 January 2024 at 12:55:45 pm UTC+1 Brian Candler wrote:

> That's interesting, thanks! AES192C and AES256C are clearly present in the 
> code 
> <https://github.com/prometheus/snmp_exporter/blob/v0.25.0/config/config.go#L152-L165>,
> but the documentation in generator/README.md omits to mention them.
>
> From gosnmp's source (v3_usm.go):
>
> // Changed: AES192, AES256, AES192C, AES256C added
> const (
>         NoPriv  SnmpV3PrivProtocol = 1
>         DES     SnmpV3PrivProtocol = 2
>         AES     SnmpV3PrivProtocol = 3
>         AES192  SnmpV3PrivProtocol = 4 // Blumenthal-AES192
>         AES256  SnmpV3PrivProtocol = 5 // Blumenthal-AES256
>         AES192C SnmpV3PrivProtocol = 6 // Reeder-AES192
>         AES256C SnmpV3PrivProtocol = 7 // Reeder-AES256
> )
>
> Some background here:
>
> https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763
>
> https://github.com/markabrahams/node-net-snmp/issues/154#issuecomment-757456861
>
> Personally, I'd suggest using the more standard AES(128) instead. I note 
> that in its implementation of TLS versions <1.3, Go prefers AES over 
> AES256 
> <https://github.com/golang/go/blob/go1.21.6/src/crypto/tls/cipher_suites.go#L260-L265>
> when negotiating ciphers:
>
> //   - AES-128 comes before AES-256
> //
> //     The only potential advantages of AES-256 are better multi-target
> //     margins, and hypothetical post-quantum properties. Neither apply to
> //     TLS, and AES-256 is slower due to its four extra rounds (which don't
> //     contribute to the advantages above).
>
> On Wednesday 10 January 2024 at 11:40:57 UTC Alexander Wilke wrote:
>
>> If you use Cisco devices then you have to use a "C" at the end of the 
>> privacy protocol, because it seems Cisco has a specific implementation.
>>
>> I use
>>
>> priv_protocol: AES256C
>>
>> for Cisco IOS and IOS XE devices running 17.x.y version.
>>
>>
>> Brian Candler schrieb am Mittwoch, 10. Januar 2024 um 12:32:08 UTC+1:
>>
>>> > Please list the SNMP V3 instance configuration in generator.yml. I 
>>> want to know where the configuration error is!
>>>
>>> It's in the documentation:
>>>
>>> https://github.com/prometheus/snmp_exporter/blob/main/generator/README.md#file-format
>>>
>>> However, you don't need to compile anything to get started. Just use the 
>>> supplied snmp.yml, and edit the section under "auths" so it looks like this:
>>>
>>> auths:
>>>   public_v1:
>>>     community: public
>>>     security_level: noAuthNoPriv
>>>     auth_protocol: MD5
>>>     priv_protocol: DES
>>>     version: 1
>>>   public_v2:
>>>     community: public
>>>     security_level: noAuthNoPriv
>>>     auth_protocol: MD5
>>>     priv_protocol: DES
>>>     version: 2
>>>
>>>   prod_v3:
>>>     version: 3
>>>     security_level: authPriv
>>>     username: admin
>>>     auth_protocol: SHA
>>>     password: XXXXXXX
>>>     priv_protocol: AES
>>>     priv_password: YYYYYYY
>>>
>>> And you're done.
>>>
>>> The next simplest option is to load multiple config files. This means 
>>> you can use the existing snmp.yml completely unchanged, and a separate yml 
>>> file that has just your auth(s) in it.  I use the following:
>>>
>>> snmp_exporter --config.file=/etc/prometheus/snmp.d/*.yml
>>>
>>> Then I have /etc/prometheus/snmp.d/auth.yml (which is mine) 
>>> and /etc/prometheus/snmp.d/snmp.yml (which is the standard one).
>>>
>>> You only need to use the generator if you want to scrape MIBs other than 
>>> the supplied example ones. You can do this by starting with the supplied 
>>> generator.yml 
>>> <https://github.com/prometheus/snmp_exporter/blob/main/generator/generator.yml>
>>> and modifying it. But if all you want to do is change the auths, I wouldn't 
>>> bother, since the generator essentially just copies the auths from its 
>>> input to its output.
>>>
>>> On Wednesday 10 January 2024 at 10:36:09 UTC Awemnhd wrote:
>>>
>>>> I tried using snmp_exporter-0.25.0 in SNMP v3 mode with SHA and AES, and it 
>>>> was still not successful; I also have to recompile the generator.yml file, 
>>>> otherwise using the default snmp.yml file will have no effect!
>>>>
>>>> Please list the SNMP V3 instance configuration in generator.yml. I want 
>>>> to know where the configuration error is!
>>>>
>>>> On Tuesday, 9 January 2024 at 22:54:36 UTC+8, Brian Candler wrote:
>>>>
>>>>> > Why is SNMP v3 so difficult to implement?
>>>>>
>>>>> It's not. It's dead easy. Do you have a working snmpwalk command line 
>>>>> which talks to your device? Then you just transfer the settings to your 
>>>>> snmp_exporter configuration.
>>>>>
>>>>> This has been made easier since snmp_exporter v0.23.0 
>>>>> <https://github.com/prometheus/snmp_exporter/releases/tag/v0.23.0>, 
>>>>> because the "modules" which define the OID walking and the "auths" which 
>>>>> provide the credentials have been made orthogonal. You can add new auths, 
>>>>> without touching modules. You can also put them in separate files.
>>>>>
>>>>> So you end up with e.g.
>>>>>
>>>>> auths:
>>>>>   prod_v3:
>>>>>     version: 3
>>>>>     security_level: authPriv
>>>>>     username: admin
>>>>>     auth_protocol: SHA
>>>>>     password: XXXXXXX
>>>>>     priv_protocol: AES
>>>>>     priv_password: YYYYYYY
>>>>>
>>>>> then you call /snmp?target=x.x.x.x&module=if_mib&auth=prod_v3
>>>>>
>>>>> The default is indeed still public_v2. The only other option would be 
>>>>> to have no default, i.e. snmp_exporter would fail unless you provide an 
>>>>> explicit set of credentials.
>>>>>
>>>>> Hence I'd definitely recommend moving to snmp_exporter 0.25.0. If you 
>>>>> can't do that, then there is a YAML trick you can do to make adding new 
>>>>> auths easier:
>>>>>
>>>>> modules:
>>>>>   if_mib: &if_mib
>>>>>     .... etc
>>>>>
>>>>> # Append to end of file
>>>>>
>>>>>   if_mib_prod_v3:
>>>>>     <<: *if_mib
>>>>>     version: 3
>>>>>     timeout: 3s
>>>>>     retries: 3
>>>>>     auth:
>>>>>       security_level: authPriv
>>>>>       username: admin
>>>>>       auth_protocol: SHA
>>>>>       password: XXXXXXXX
>>>>>       ... etc
>>>>>
>>>>> This effectively "clones" the if_mib module under a new module 
>>>>> "if_mib_prod_v3", and then overrides parts of it.
>>>>>
>>>>> On Tuesday 9 January 2024 at 10:04:57 UTC Awemnhd wrote:
>>>>>
>>>>>> see 
>>>>>> https://github.com/prometheus/snmp_exporter/tree/main/generator#file-format
>>>>>>
>>>>>> Tried various ways to achieve some parameter passing
>>>>>> username:
>>>>>> security_level:
>>>>>> password: SHA
>>>>>> auth_protocol: AES
>>>>>> priv_protocol:
>>>>>> priv_password:
>>>>>>
>>>>>> As a result, when the service is started, the default access method 
>>>>>> is community: public_v2!
>>>>>>
>>>>>> Why is SNMP v3 so difficult to implement? Why are they all in SNMP V2 
>>>>>> mode? Why?
>>>>>>
>>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com.
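Editor's added example (not part of the thread and not snmp_exporter code): the first message's v0.22-style generator.yml, with `version` and `auth` embedded in every module, and the v0.23+ layout quoted further down, with a top-level `auths:` map, carry exactly the same information; this script performs that move on the config as plain dicts. The sample input is the poster's idrac/fortigate config with the walk lists shortened, written out as the structures `yaml.safe_load()` would return so that no YAML library is required; the auth names it generates (`authPriv_v3`, `public_v2`) are my own convention, and the assumption that a module without `version` meant version 2 under the old generator is mine too. Identical credential blocks are merged into one auth entry, which is the point of the split: modules describe what to walk, auths describe how to talk to the device, and they are paired per scrape with `&module=...&auth=...`.

```python
import re

# Constructed sample input: the v0.22-style generator.yml from the first post
# (walk lists shortened), as the dicts yaml.safe_load() would return for it.
OLD_GENERATOR = {
    "modules": {
        "idrac": {
            "version": 3, "timeout": "20s", "retries": 10, "max_repetitions": 10,
            "auth": {
                "username": "${snmp_user}", "password": "${snmp_password}",
                "auth_protocol": "SHA", "priv_protocol": "AES",
                "security_level": "authPriv", "priv_password": "${snmp_privpass}",
                "community": "${snmp_community}",
            },
            "walk": ["statusGroup", "chassisInformationTable", "1.3.6.1.2.1.1"],
            "overrides": {"systemModelName": {"type": "DisplayString"}},
        },
        "fortigate": {
            "version": 3, "timeout": "20s", "retries": 10, "max_repetitions": 10,
            "auth": {
                "username": "${snmp_user}", "password": "${snmp_password}",
                "auth_protocol": "SHA", "priv_protocol": "AES",
                "security_level": "authPriv", "priv_password": "${snmp_privpass}",
                "community": "${snmp_community}",
            },
            "walk": ["system", "interfaces", "fgSystem"],
        },
    }
}


def split_module(module):
    """Split one pre-0.23 module into (walk settings, credential settings).

    `auth` and `version` are what moved to the top-level `auths:` map in 0.23;
    timeout/retries/max_repetitions/walk/overrides stay with the module.
    """
    module = dict(module)
    auth = dict(module.pop("auth", {}))
    auth["version"] = module.pop("version", 2)  # assumed pre-0.23 default
    return module, auth


def auth_name(auth, taken):
    """My naming convention: public_v2, authPriv_v3, ... (suffix if already taken)."""
    version = auth["version"]
    base = auth.get("community") if version < 3 else auth.get("security_level")
    base = re.sub(r"[^A-Za-z0-9]+", "_", str(base or "auth")).strip("_")
    name, n = f"{base}_v{version}", 2
    while name in taken:
        name, n = f"{base}_v{version}_{n}", n + 1
    return name


def migrate(old):
    """Return the 0.23+ layout {'auths': {...}, 'modules': {...}}, merging
    modules whose credential blocks are identical into a single auth entry."""
    auths, modules = {}, {}
    for name, module in old["modules"].items():
        stripped, auth = split_module(module)
        if not any(existing == auth for existing in auths.values()):
            auths[auth_name(auth, auths)] = auth
        modules[name] = stripped
    return {"auths": auths, "modules": modules}


_PLAIN = re.compile(r"[A-Za-z_][A-Za-z0-9_.\-]*")
_RESERVED = {"true", "false", "null", "yes", "no", "on", "off"}


def _scalar(v):
    """Render a scalar, quoting anything YAML could misread (${...}, 20s, OIDs)."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, (int, float)):
        return str(v)
    s = str(v)
    if _PLAIN.fullmatch(s) and s.lower() not in _RESERVED:
        return s
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_yaml(obj, indent=0):
    """Minimal YAML emitter for nested dict/list/scalar data (no PyYAML needed)."""
    pad, lines = "  " * indent, []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, (dict, list)):
                lines.append(f"{pad}{k}:")
                lines.append(to_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
    else:
        for v in obj:
            if isinstance(v, (dict, list)):
                lines.append(f"{pad}-")
                lines.append(to_yaml(v, indent + 1))
            else:
                lines.append(f"{pad}- {_scalar(v)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_yaml(migrate(OLD_GENERATOR)))
```

Because the generator copies the `auths` block verbatim into the generated snmp.yml, the `auths:` half of the output is better kept in its own file (loaded with the `--config.file=/etc/prometheus/snmp.d/*.yml` glob mentioned above) than checked in alongside the generated modules; the `${...}` placeholders in this config only help if the generated file never lands somewhere they are expanded and stored.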

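Editor's added example (not from the thread, and not gosnmp or snmp_exporter code) for Brian's advice to carry a working snmpwalk's settings over to the exporter, and for why the AES256C discussion above is about the device and not the exporter. Both sides of an SNMPv3 session derive the same keys on their own from the password and the agent's snmpEngineID: RFC 3414 hashes 1 MiB of the repeated password (Ku) and then localizes it as H(Ku || engineID || Ku) (Kul), and RFC 3826 takes the first 16 bytes of Kul as the AES-128 key. MD5 yields a 16-byte Kul and SHA-1 a 20-byte one, so AES-192/256 need more key material than the localized key holds and it has to be extended, and, as I read the drafts linked above, that extension step is what the Blumenthal and Reeder variants disagree on. The code below implements only the RFC 3414/3826 part, which is checkable against the RFC's own "maplesyrup" test vectors, and refuses rather than guesses when extension would be needed; the second engine ID in the test is a made-up value.

```python
import hashlib

# Test vector inputs from RFC 3414 Appendix A.3 (password "maplesyrup",
# snmpEngineID 00 00 00 00 00 00 00 00 00 00 00 02).
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated cyclically to exactly 1 MiB)."""
    if not password:
        raise ValueError("empty passphrase")
    size = 1_048_576
    stream = (password * (size // len(password) + 1))[:size]
    return hashlib.new(hash_name, stream).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); ties the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    return localize(password_to_key(password, hash_name), engine_id, hash_name)


def priv_key(priv_password: bytes, engine_id: bytes, hash_name: str, key_len: int) -> bytes:
    """Privacy key = leading key_len bytes of Kul (RFC 3826 for AES-128: 16 bytes).

    If Kul is shorter than key_len (e.g. SHA-1 gives 20 bytes, AES-256 wants 32),
    the key would have to be extended; that is the step on which the AES256 and
    AES256C (Blumenthal vs Reeder) variants differ, so it is deliberately not
    implemented here rather than implemented wrongly.
    """
    kul = localized_key(priv_password, engine_id, hash_name)
    if len(kul) < key_len:
        raise NotImplementedError(
            f"{hash_name} localized key is {len(kul)} bytes, {key_len} needed: "
            "key extension required (AES256 vs AES256C disagree on how)")
    return kul[:key_len]


def demo() -> dict:
    """Derive the RFC 3414 A.3 vectors and the resulting AES-128 key, as hex."""
    return {
        "md5_ku": password_to_key(PASSWORD, "md5").hex(),
        "md5_kul": localized_key(PASSWORD, ENGINE_ID, "md5").hex(),
        "sha_ku": password_to_key(PASSWORD, "sha1").hex(),
        "sha_kul": localized_key(PASSWORD, ENGINE_ID, "sha1").hex(),
        "aes128_key": priv_key(PASSWORD, ENGINE_ID, "sha1", 16).hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:11} {value}")
```

The practical consequences for the exporter: the same `password`/`priv_password` produce a different key for every device, so nothing device-specific needs to be stored; a wrong `auth_protocol` changes Ku and therefore every key, which shows up as an authentication failure, not a parse error; and picking AES (128) sidesteps the extension question entirely, which is why it is the safer default when the device supports it.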