Yep i reviewed the documentation and tried the following changes to the
generator.yml
auths:
prod_v3:
version: 3
security_level: authPriv
username: "${snmp_user}"
auth_protocol: SHA
password: ${snmp_password}"
priv_protocol: AES
priv_password: "${snmp_privpass}"
community: "${snmp_community}"
modules:
# Dell Idrac
idrac:
version: 3
timeout: 20s
retries: 10
max_repetitions: 10
walk:
- statusGroup
- chassisInformationTable
- systemBIOSTable
- firmwareTableEntry
- intrusionTableEntry
- physicalDiskTable
- batteryTable
- controllerTable
- virtualDiskTable
- systemStateTable
- powerSupplyTable
- powerUsageTable
- powerSupplyTable
- voltageProbeTable
- amperageProbeTable
- systemBatteryTable
- networkDeviceTable
- thermalGroup
- interfaces
- systemInfoGroup
- 1.3.6.1.2.1.1
- eventLogTable
overrides:
systemModelName:
type: DisplayString
systemServiceTag:
type: DisplayString
systemOSVersion:
type: DisplayString
systemOSName:
type: DisplayString
systemBIOSVersionName:
type: DisplayString
firmwareVersionName:
type: DisplayString
eventLogRecord:
type: DisplayString
eventLogDateName:
type: DisplayString
networkDeviceProductName:
type: DisplayString
networkDeviceVendorName:
type: DisplayString
networkDeviceFQDD:
type: DisplayString
networkDeviceCurrentMACAddress:
type: PhysAddress48
fortigate:
version: 3
timeout: 20s
retries: 10
max_repetitions: 10
walk:
- system
- interfaces
- ip
- ifXTable
- fgModel
- fgVirtualDomain
- fgSystem
- fgFirewall
- fgMgmt
- fgIntf
- fgAntivirus
- fgApplications
- fgVpn
- fgIps
- fnCoreMib
I dont think it is correct as I'm still getting the following errors
msg="Error parsing config file" err="yaml: unmarshal errors:\n line 2:
field fortigate not found in type config.Config\n line 6410: field idrac
not found in type config.Config"
msg="Possible old config file, see
https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md";
On Friday 19 January 2024 at 5:12:23 pm UTC+1 Ben Kochie wrote:
Did you read the migration doc?
https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md
On Fri, Jan 19, 2024 at 5:10 PM Nicholas Smith wrote:
Actually struggling with this myself since the change to auth split
migration in v0.23.0
I cant seem to work out how to format my generator.yml file that is
currently work for v0.22.0 to work in v0.23.0 and above
This is my current generator.yml
modules: # Dell Idrac idrac: version: 3 timeout: 20s retries: 10
max_repetitions: 10 auth: username: "${snmp_user}" password:
"${snmp_password}" auth_protocol: SHA priv_protocol: AES security_level:
authPriv priv_password: "${snmp_privpass}" community: "${snmp_community}"
walk: - statusGroup - chassisInformationTable - systemBIOSTable -
firmwareTableEntry - intrusionTableEntry - physicalDiskTable - batteryTable
- controllerTable - virtualDiskTable - systemStateTable - powerSupplyTable
- powerUsageTable - powerSupplyTable - voltageProbeTable -
amperageProbeTable - systemBatteryTable - networkDeviceTable - thermalGroup
- interfaces - systemInfoGroup - 1.3.6.1.2.1.1 - eventLogTable overrides:
systemModelName: type: DisplayString systemServiceTag: type: DisplayString
systemOSVersion: type: DisplayString systemOSName: type: DisplayString
systemBIOSVersionName: type: DisplayString firmwareVersionName: type:
DisplayString eventLogRecord: type: DisplayString eventLogDateName: type:
DisplayString networkDeviceProductName: type: DisplayString
networkDeviceVendorName: type: DisplayString networkDeviceFQDD: type:
DisplayString networkDeviceCurrentMACAddress: type: PhysAddress48
fortigate: version: 3 timeout: 20s retries: 10 max_repetitions: 10 auth:
username: "${snmp_user}" password: "${snmp_password}" auth_protocol: SHA
priv_protocol: AES security_level: authPriv priv_password:
"${snmp_privpass}" community: "${snmp_community}" walk: - system -
interfaces - ip - ifXTable - fgModel - fgVirtualDomain - fgSystem -
fgFirewall - fgMgmt - fgIntf - fgAntivirus - fgApplications - fgVpn - fgIps
- fnCoreMib
On Wednesday 10 January 2024 at 12:55:45 pm UTC+1 Brian Candler wrote:
That's interesting, thanks! AES192C and AES256C are clearly present in the
code
<https://github.com/prometheus/snmp_exporter/blob/v0.25.0/config/config.go#L152-L165>,
but the documentation in generator/README.md omits to mention them.
>From gosnmp's source (v3_usm.go):
// Changed: AES192, AES256, AES192C, AES256C added
const (
NoPriv SnmpV3PrivProtocol = 1
DES SnmpV3PrivProtocol = 2
AES SnmpV3PrivProtocol = 3
AES192 SnmpV3PrivProtocol = 4 // Blumenthal-AES192
AES256 SnmpV3PrivProtocol = 5 // Blumenthal-AES256
AES192C SnmpV3PrivProtocol = 6 // Reeder-AES192
AES256C SnmpV3PrivProtocol = 7 // Reeder-AES256
)
Some background here:
https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763
https://github.com/markabrahams/node-net-snmp/issues/154#issuecomment-757456861
Personally, I'd suggest using the more standard AES(128) instead. I note
that in its implementation of TLS versions <1.3, Go prefers AES over AES256
<https://github.com/golang/go/blob/go1.21.6/src/crypto/tls/cipher_suites.go#L260-L265>
when
negotiating ciphers:
// - AES-128 comes before AES-256
//
// The only potential advantages of AES-256 are better multi-target
// margins, and hypothetical post-quantum properties. Neither apply to
// TLS, and AES-256 is slower due to its four extra rounds (which don't
// contribute to the advantages above).
On Wednesday 10 January 2024 at 11:40:57 UTC Alexander Wilke wrote:
If you use Cisco devices then you have to use a "C" at the end of the
privacy protocol because it seems Cisco has specific impelementation.
I use
*priv_protocol: AES256C*
for Cisco IOS and IOS XE devices running 17.x.y version.
Brian Candler schrieb am Mittwoch, 10. Januar 2024 um 12:32:08 UTC+1:
> Please list the SNMP V3 instance configuration in generator.yml. I want
to know where the configuration error is!
It's in the documentation:
https://github.com/prometheus/snmp_exporter/blob/main/generator/README.md#file-format
However, you don't need to compile anything to get started. Just use the
supplied snmp.yml, and edit the section under "auths" so it looks like this:
auths:
public_v1:
community: public
security_level: noAuthNoPriv
auth_protocol: MD5
priv_protocol: DES
version: 1
public_v2:
community: public
security_level: noAuthNoPriv
auth_protocol: MD5
priv_protocol: DES
version: 2
* prod_v3: version: 3 security_level: authPriv username: admin
auth_protocol: SHA password: XXXXXXX priv_protocol: AES
priv_password: YYYYYYY*
And you're done.
The next simplest option is to load multiple config files. This means you
can use the existing snmp.yml completely unchanged, and a separate yml file
that has just your auth(s) in it. I use the following:
*snmp_exporter --config.file=/etc/prometheus/snmp.d/*.yml*
Then I have /etc/prometheus/snmp.d/auth.yml (which is mine)
and /etc/prometheus/snmp.d/snmp.yml (which is the standard one).
You only need to use the generator if you want to scrape MIBs other than
the supplied example ones. You can do this by starting with the supplied
generator.yml
<https://github.com/prometheus/snmp_exporter/blob/main/generator/generator.yml>
and modifying it. But if all you want to do is change the auths, I wouldn't
bother, since the generator essentially just copies the auths from its
input to its output.
On Wednesday 10 January 2024 at 10:36:09 UTC Awemnhd wrote:
I tried using snmp_exporter-0.25.0, using SNMP v3 mode, SHA and AES still
not successful, and I have to recompile the generator.yml file, otherwise
using the default snmp.yml file will have no effect!
Please list the SNMP V3 instance configuration in generator.yml. I want to
know where the configuration error is!
在2024年1月9日星期二 UTC+8 22:54:36<Brian Candler> 写道:
> Why is SNMP v3 so difficult to implement?
It's not. It's dead easy. Do you have a working snmpwalk command line which
talks to your device? Then you just transfer the settings to your
snmp_exporter configuration.
This has been made easier since snmp_exporter v0.23.0
<https://github.com/prometheus/snmp_exporter/releases/tag/v0.23.0>, because
the "modules" which define the OID walking and the "auths" which provide
the credentials have been made orthogonal. You can add new auths, without
touching modules. You can also put them in separate files.
So you end up with e.g.
auths:
prod_v3:
version: 3
security_level: authPriv
username: admin
auth_protocol: SHA
password: XXXXXXX
priv_protocol: AES
priv_password: YYYYYYY
then you call /snmp?target=x.x.x.x&module=if_mib&auth=prod_v3
The default is indeed still public_v2. The only other option would be to
have no default, i.e. snmp_exporter would fail unless you provide an
explicit set of credentials.
Hence I'd definitely recommend moving to snmp_exporter 0.25.0. If you can't
do that, then there is a YAML trick you can do to make adding new auths
easier:
modules:
if_mib: *&if_mib*
.... etc
# Append to end of file
*if_mib_prod_v3: <<: *if_mib*
version: 3
timeout: 3s
retries: 3
auth:
security_level: authPriv
username: admin
auth_protocol: SHA
password: XXXXXXXX
... etc
This effectively "clones" the if_mib module under a new module
"if_mib_prod_v3", and then overrides parts of it.
On Tuesday 9 January 2024 at 10:04:57 UTC Awemnhd wrote:
see
https://github.com/prometheus/snmp_exporter/tree/main/generator#file-format
Tried various ways to achieve some parameter passing
username:
security_level:
password: SHA
auth_protocol: AES
priv_protocol:
priv_password:
As a result, when the service is started, the default access method is
community: public_v2!
Why is SNMP v3 so difficult to implement? Why are they all in SNMP V2 mode?
Why?
--
You received this message because you are subscribed to the Google Groups
"Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com
<https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com?utm_medium=email&utm_source=footer>
.
--
You received this message because you are subscribed to the Google Groups
"Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/prometheus-users/6684812b-1b89-481e-b6dc-6615dfa34162n%40googlegroups.com.
