Did you read the migration doc? https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md
On Fri, Jan 19, 2024 at 5:10 PM Nicholas Smith < [email protected]> wrote: > Actually struggling with this myself since the change to auth split > migration in v0.23.0 > > I cant seem to work out how to format my generator.yml file that is > currently work for v0.22.0 to work in v0.23.0 and above > > This is my current generator.yml > > modules: # Dell Idrac idrac: version: 3 timeout: 20s retries: 10 > max_repetitions: 10 auth: username: "${snmp_user}" password: > "${snmp_password}" auth_protocol: SHA priv_protocol: AES security_level: > authPriv priv_password: "${snmp_privpass}" community: "${snmp_community}" > walk: - statusGroup - chassisInformationTable - systemBIOSTable - > firmwareTableEntry - intrusionTableEntry - physicalDiskTable - batteryTable > - controllerTable - virtualDiskTable - systemStateTable - powerSupplyTable > - powerUsageTable - powerSupplyTable - voltageProbeTable - > amperageProbeTable - systemBatteryTable - networkDeviceTable - thermalGroup > - interfaces - systemInfoGroup - 1.3.6.1.2.1.1 - eventLogTable overrides: > systemModelName: type: DisplayString systemServiceTag: type: DisplayString > systemOSVersion: type: DisplayString systemOSName: type: DisplayString > systemBIOSVersionName: type: DisplayString firmwareVersionName: type: > DisplayString eventLogRecord: type: DisplayString eventLogDateName: type: > DisplayString networkDeviceProductName: type: DisplayString > networkDeviceVendorName: type: DisplayString networkDeviceFQDD: type: > DisplayString networkDeviceCurrentMACAddress: type: PhysAddress48 > fortigate: version: 3 timeout: 20s retries: 10 max_repetitions: 10 auth: > username: "${snmp_user}" password: "${snmp_password}" auth_protocol: SHA > priv_protocol: AES security_level: authPriv priv_password: > "${snmp_privpass}" community: "${snmp_community}" walk: - system - > interfaces - ip - ifXTable - fgModel - fgVirtualDomain - fgSystem - > fgFirewall - fgMgmt - fgIntf - fgAntivirus - fgApplications - fgVpn - fgIps > - fnCoreMib > > > > On Wednesday 10 January 2024 at 12:55:45 pm UTC+1 Brian Candler wrote: > >> That's interesting, thanks! AES192C and AES256C are clearly present in >> the code >> <https://github.com/prometheus/snmp_exporter/blob/v0.25.0/config/config.go#L152-L165>, >> but the documentation in generator/README.md omits to mention them. >> >> From gosnmp's source (v3_usm.go): >> >> // Changed: AES192, AES256, AES192C, AES256C added >> const ( >> NoPriv SnmpV3PrivProtocol = 1 >> DES SnmpV3PrivProtocol = 2 >> AES SnmpV3PrivProtocol = 3 >> AES192 SnmpV3PrivProtocol = 4 // Blumenthal-AES192 >> AES256 SnmpV3PrivProtocol = 5 // Blumenthal-AES256 >> AES192C SnmpV3PrivProtocol = 6 // Reeder-AES192 >> AES256C SnmpV3PrivProtocol = 7 // Reeder-AES256 >> ) >> >> Some background here: >> >> https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763 >> >> https://github.com/markabrahams/node-net-snmp/issues/154#issuecomment-757456861 >> >> Personally, I'd suggest using the more standard AES(128) instead. I note >> that in its implementation of TLS versions <1.3, Go prefers AES over >> AES256 >> <https://github.com/golang/go/blob/go1.21.6/src/crypto/tls/cipher_suites.go#L260-L265> >> when >> negotiating ciphers: >> >> // - AES-128 comes before AES-256 >> // >> // The only potential advantages of AES-256 are better multi-target >> // margins, and hypothetical post-quantum properties. Neither apply to >> // TLS, and AES-256 is slower due to its four extra rounds (which >> don't >> // contribute to the advantages above). >> >> On Wednesday 10 January 2024 at 11:40:57 UTC Alexander Wilke wrote: >> >>> If you use Cisco devices then you have to use a "C" at the end of the >>> privacy protocol because it seems Cisco has specific impelementation. >>> >>> I use >>> >>> *priv_protocol: AES256C* >>> >>> for Cisco IOS and IOS XE devices running 17.x.y version. >>> >>> >>> Brian Candler schrieb am Mittwoch, 10. Januar 2024 um 12:32:08 UTC+1: >>> >>>> > Please list the SNMP V3 instance configuration in generator.yml. I >>>> want to know where the configuration error is! >>>> >>>> It's in the documentation: >>>> >>>> https://github.com/prometheus/snmp_exporter/blob/main/generator/README.md#file-format >>>> >>>> However, you don't need to compile anything to get started. Just use >>>> the supplied snmp.yml, and edit the section under "auths" so it looks like >>>> this: >>>> >>>> auths: >>>> public_v1: >>>> community: public >>>> security_level: noAuthNoPriv >>>> auth_protocol: MD5 >>>> priv_protocol: DES >>>> version: 1 >>>> public_v2: >>>> community: public >>>> security_level: noAuthNoPriv >>>> auth_protocol: MD5 >>>> priv_protocol: DES >>>> version: 2 >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> * prod_v3: version: 3 security_level: authPriv username: >>>> admin auth_protocol: SHA password: XXXXXXX priv_protocol: AES >>>> priv_password: YYYYYYY* >>>> >>>> And you're done. >>>> >>>> The next simplest option is to load multiple config files. This means >>>> you can use the existing snmp.yml completely unchanged, and a separate yml >>>> file that has just your auth(s) in it. I use the following: >>>> >>>> *snmp_exporter --config.file=/etc/prometheus/snmp.d/*.yml* >>>> >>>> Then I have /etc/prometheus/snmp.d/auth.yml (which is mine) >>>> and /etc/prometheus/snmp.d/snmp.yml (which is the standard one). >>>> >>>> You only need to use the generator if you want to scrape MIBs other >>>> than the supplied example ones. You can do this by starting with the >>>> supplied generator.yml >>>> <https://github.com/prometheus/snmp_exporter/blob/main/generator/generator.yml> >>>> and modifying it. But if all you want to do is change the auths, I wouldn't >>>> bother, since the generator essentially just copies the auths from its >>>> input to its output. >>>> >>>> On Wednesday 10 January 2024 at 10:36:09 UTC Awemnhd wrote: >>>> >>>>> I tried using snmp_exporter-0.25.0, using SNMP v3 mode, SHA and AES >>>>> still not successful, and I have to recompile the generator.yml file, >>>>> otherwise using the default snmp.yml file will have no effect! >>>>> >>>>> Please list the SNMP V3 instance configuration in generator.yml. I >>>>> want to know where the configuration error is! >>>>> >>>>> 在2024年1月9日星期二 UTC+8 22:54:36<Brian Candler> 写道: >>>>> >>>>>> > Why is SNMP v3 so difficult to implement? >>>>>> >>>>>> It's not. It's dead easy. Do you have a working snmpwalk command line >>>>>> which talks to your device? Then you just transfer the settings to your >>>>>> snmp_exporter configuration. >>>>>> >>>>>> This has been made easier since snmp_exporter v0.23.0 >>>>>> <https://github.com/prometheus/snmp_exporter/releases/tag/v0.23.0>, >>>>>> because the "modules" which define the OID walking and the "auths" which >>>>>> provide the credentials have been made orthogonal. You can add new auths, >>>>>> without touching modules. You can also put them in separate files. >>>>>> >>>>>> So you end up with e.g. >>>>>> >>>>>> auths: >>>>>> prod_v3: >>>>>> version: 3 >>>>>> security_level: authPriv >>>>>> username: admin >>>>>> auth_protocol: SHA >>>>>> password: XXXXXXX >>>>>> priv_protocol: AES >>>>>> priv_password: YYYYYYY >>>>>> >>>>>> then you call /snmp?target=x.x.x.x&module=if_mib&auth=prod_v3 >>>>>> >>>>>> The default is indeed still public_v2. The only other option would be >>>>>> to have no default, i.e. snmp_exporter would fail unless you provide an >>>>>> explicit set of credentials. >>>>>> >>>>>> Hence I'd definitely recommend moving to snmp_exporter 0.25.0. If you >>>>>> can't do that, then there is a YAML trick you can do to make adding new >>>>>> auths easier: >>>>>> >>>>>> modules: >>>>>> if_mib: *&if_mib* >>>>>> .... etc >>>>>> >>>>>> # Append to end of file >>>>>> >>>>>> *if_mib_prod_v3: <<: *if_mib* >>>>>> version: 3 >>>>>> timeout: 3s >>>>>> retries: 3 >>>>>> auth: >>>>>> security_level: authPriv >>>>>> username: admin >>>>>> auth_protocol: SHA >>>>>> password: XXXXXXXX >>>>>> ... etc >>>>>> >>>>>> This effectively "clones" the if_mib module under a new module >>>>>> "if_mib_prod_v3", and then overrides parts of it. >>>>>> >>>>>> On Tuesday 9 January 2024 at 10:04:57 UTC Awemnhd wrote: >>>>>> >>>>>>> see >>>>>>> https://github.com/prometheus/snmp_exporter/tree/main/generator#file-format >>>>>>> >>>>>>> Tried various ways to achieve some parameter passing >>>>>>> username: >>>>>>> security_level: >>>>>>> password: SHA >>>>>>> auth_protocol: AES >>>>>>> priv_protocol: >>>>>>> priv_password: >>>>>>> >>>>>>> As a result, when the service is started, the default access method >>>>>>> is community: public_v2! >>>>>>> >>>>>>> Why is SNMP v3 so difficult to implement? Why are they all in SNMP >>>>>>> V2 mode? Why? >>>>>>> >>>>>> -- > You received this message because you are subscribed to the Google Groups > "Prometheus Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com > <https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/CABbyFmpt7-%3DNH3Rq2WJz03y2DCCK6vxmqCbG4eX%2BvKAeMfQZig%40mail.gmail.com.
