Did you use or recompile the generator to make sure it matches the version with the exporter?
On Fri, Jan 19, 2024 at 5:47 PM Nicholas Smith < [email protected]> wrote: > Yep i reviewed the documentation and tried the following changes to the > generator.yml > > auths: > prod_v3: > version: 3 > security_level: authPriv > username: "${snmp_user}" > auth_protocol: SHA > password: ${snmp_password}" > priv_protocol: AES > priv_password: "${snmp_privpass}" > community: "${snmp_community}" > > modules: > # Dell Idrac > idrac: > version: 3 > timeout: 20s > retries: 10 > max_repetitions: 10 > walk: > - statusGroup > - chassisInformationTable > - systemBIOSTable > - firmwareTableEntry > - intrusionTableEntry > - physicalDiskTable > - batteryTable > - controllerTable > - virtualDiskTable > - systemStateTable > - powerSupplyTable > - powerUsageTable > - powerSupplyTable > - voltageProbeTable > - amperageProbeTable > - systemBatteryTable > - networkDeviceTable > - thermalGroup > - interfaces > - systemInfoGroup > - 1.3.6.1.2.1.1 > - eventLogTable > overrides: > systemModelName: > type: DisplayString > systemServiceTag: > type: DisplayString > systemOSVersion: > type: DisplayString > systemOSName: > type: DisplayString > systemBIOSVersionName: > type: DisplayString > firmwareVersionName: > type: DisplayString > eventLogRecord: > type: DisplayString > eventLogDateName: > type: DisplayString > networkDeviceProductName: > type: DisplayString > networkDeviceVendorName: > type: DisplayString > networkDeviceFQDD: > type: DisplayString > networkDeviceCurrentMACAddress: > type: PhysAddress48 > > fortigate: > version: 3 > timeout: 20s > retries: 10 > max_repetitions: 10 > walk: > - system > - interfaces > - ip > - ifXTable > - fgModel > - fgVirtualDomain > - fgSystem > - fgFirewall > - fgMgmt > - fgIntf > - fgAntivirus > - fgApplications > - fgVpn > - fgIps > - fnCoreMib > > I dont think it is correct as I'm still getting the following errors > > msg="Error parsing config file" err="yaml: unmarshal errors:\n line 2: > field fortigate not found in type config.Config\n line 6410: field idrac > not found in type config.Config" > msg="Possible old config file, see > https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md > " > > > On Friday 19 January 2024 at 5:12:23 pm UTC+1 Ben Kochie wrote: > > Did you read the migration doc? > > > https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md > > On Fri, Jan 19, 2024 at 5:10 PM Nicholas Smith wrote: > > Actually struggling with this myself since the change to auth split > migration in v0.23.0 > > I cant seem to work out how to format my generator.yml file that is > currently work for v0.22.0 to work in v0.23.0 and above > > This is my current generator.yml > > modules: # Dell Idrac idrac: version: 3 timeout: 20s retries: 10 > max_repetitions: 10 auth: username: "${snmp_user}" password: > "${snmp_password}" auth_protocol: SHA priv_protocol: AES security_level: > authPriv priv_password: "${snmp_privpass}" community: "${snmp_community}" > walk: - statusGroup - chassisInformationTable - systemBIOSTable - > firmwareTableEntry - intrusionTableEntry - physicalDiskTable - batteryTable > - controllerTable - virtualDiskTable - systemStateTable - powerSupplyTable > - powerUsageTable - powerSupplyTable - voltageProbeTable - > amperageProbeTable - systemBatteryTable - networkDeviceTable - thermalGroup > - interfaces - systemInfoGroup - 1.3.6.1.2.1.1 - eventLogTable overrides: > systemModelName: type: DisplayString systemServiceTag: type: DisplayString > systemOSVersion: type: DisplayString systemOSName: type: DisplayString > systemBIOSVersionName: type: DisplayString firmwareVersionName: type: > DisplayString eventLogRecord: type: DisplayString eventLogDateName: type: > DisplayString networkDeviceProductName: type: DisplayString > networkDeviceVendorName: type: DisplayString networkDeviceFQDD: type: > DisplayString networkDeviceCurrentMACAddress: type: PhysAddress48 > fortigate: version: 3 timeout: 20s retries: 10 max_repetitions: 10 auth: > username: "${snmp_user}" password: "${snmp_password}" auth_protocol: SHA > priv_protocol: AES security_level: authPriv priv_password: > "${snmp_privpass}" community: "${snmp_community}" walk: - system - > interfaces - ip - ifXTable - fgModel - fgVirtualDomain - fgSystem - > fgFirewall - fgMgmt - fgIntf - fgAntivirus - fgApplications - fgVpn - fgIps > - fnCoreMib > > > > On Wednesday 10 January 2024 at 12:55:45 pm UTC+1 Brian Candler wrote: > > That's interesting, thanks! AES192C and AES256C are clearly present in the > code > <https://github.com/prometheus/snmp_exporter/blob/v0.25.0/config/config.go#L152-L165>, > but the documentation in generator/README.md omits to mention them. > > From gosnmp's source (v3_usm.go): > > // Changed: AES192, AES256, AES192C, AES256C added > const ( > NoPriv SnmpV3PrivProtocol = 1 > DES SnmpV3PrivProtocol = 2 > AES SnmpV3PrivProtocol = 3 > AES192 SnmpV3PrivProtocol = 4 // Blumenthal-AES192 > AES256 SnmpV3PrivProtocol = 5 // Blumenthal-AES256 > AES192C SnmpV3PrivProtocol = 6 // Reeder-AES192 > AES256C SnmpV3PrivProtocol = 7 // Reeder-AES256 > ) > > Some background here: > > https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763 > > https://github.com/markabrahams/node-net-snmp/issues/154#issuecomment-757456861 > > Personally, I'd suggest using the more standard AES(128) instead. I note > that in its implementation of TLS versions <1.3, Go prefers AES over > AES256 > <https://github.com/golang/go/blob/go1.21.6/src/crypto/tls/cipher_suites.go#L260-L265> > when > negotiating ciphers: > > // - AES-128 comes before AES-256 > // > // The only potential advantages of AES-256 are better multi-target > // margins, and hypothetical post-quantum properties. Neither apply to > // TLS, and AES-256 is slower due to its four extra rounds (which don't > // contribute to the advantages above). > > On Wednesday 10 January 2024 at 11:40:57 UTC Alexander Wilke wrote: > > If you use Cisco devices then you have to use a "C" at the end of the > privacy protocol because it seems Cisco has specific impelementation. > > I use > > *priv_protocol: AES256C* > > for Cisco IOS and IOS XE devices running 17.x.y version. > > > Brian Candler schrieb am Mittwoch, 10. Januar 2024 um 12:32:08 UTC+1: > > > Please list the SNMP V3 instance configuration in generator.yml. I want > to know where the configuration error is! > > It's in the documentation: > > https://github.com/prometheus/snmp_exporter/blob/main/generator/README.md#file-format > > However, you don't need to compile anything to get started. Just use the > supplied snmp.yml, and edit the section under "auths" so it looks like this: > > auths: > public_v1: > community: public > security_level: noAuthNoPriv > auth_protocol: MD5 > priv_protocol: DES > version: 1 > public_v2: > community: public > security_level: noAuthNoPriv > auth_protocol: MD5 > priv_protocol: DES > version: 2 > > > > > > > > * prod_v3: version: 3 security_level: authPriv username: admin > auth_protocol: SHA password: XXXXXXX priv_protocol: AES > priv_password: YYYYYYY* > > And you're done. > > The next simplest option is to load multiple config files. This means you > can use the existing snmp.yml completely unchanged, and a separate yml file > that has just your auth(s) in it. I use the following: > > *snmp_exporter --config.file=/etc/prometheus/snmp.d/*.yml* > > Then I have /etc/prometheus/snmp.d/auth.yml (which is mine) > and /etc/prometheus/snmp.d/snmp.yml (which is the standard one). > > You only need to use the generator if you want to scrape MIBs other than > the supplied example ones. You can do this by starting with the supplied > generator.yml > <https://github.com/prometheus/snmp_exporter/blob/main/generator/generator.yml> > and modifying it. But if all you want to do is change the auths, I wouldn't > bother, since the generator essentially just copies the auths from its > input to its output. > > On Wednesday 10 January 2024 at 10:36:09 UTC Awemnhd wrote: > > I tried using snmp_exporter-0.25.0, using SNMP v3 mode, SHA and AES still > not successful, and I have to recompile the generator.yml file, otherwise > using the default snmp.yml file will have no effect! > > Please list the SNMP V3 instance configuration in generator.yml. I want to > know where the configuration error is! > > 在2024年1月9日星期二 UTC+8 22:54:36<Brian Candler> 写道: > > > Why is SNMP v3 so difficult to implement? > > It's not. It's dead easy. Do you have a working snmpwalk command line > which talks to your device? Then you just transfer the settings to your > snmp_exporter configuration. > > This has been made easier since snmp_exporter v0.23.0 > <https://github.com/prometheus/snmp_exporter/releases/tag/v0.23.0>, > because the "modules" which define the OID walking and the "auths" which > provide the credentials have been made orthogonal. You can add new auths, > without touching modules. You can also put them in separate files. > > So you end up with e.g. > > auths: > prod_v3: > version: 3 > security_level: authPriv > username: admin > auth_protocol: SHA > password: XXXXXXX > priv_protocol: AES > priv_password: YYYYYYY > > then you call /snmp?target=x.x.x.x&module=if_mib&auth=prod_v3 > > The default is indeed still public_v2. The only other option would be to > have no default, i.e. snmp_exporter would fail unless you provide an > explicit set of credentials. > > Hence I'd definitely recommend moving to snmp_exporter 0.25.0. If you > can't do that, then there is a YAML trick you can do to make adding new > auths easier: > > modules: > if_mib: *&if_mib* > .... etc > > # Append to end of file > > *if_mib_prod_v3: <<: *if_mib* > version: 3 > timeout: 3s > retries: 3 > auth: > security_level: authPriv > username: admin > auth_protocol: SHA > password: XXXXXXXX > ... etc > > This effectively "clones" the if_mib module under a new module > "if_mib_prod_v3", and then overrides parts of it. > > On Tuesday 9 January 2024 at 10:04:57 UTC Awemnhd wrote: > > see > https://github.com/prometheus/snmp_exporter/tree/main/generator#file-format > > Tried various ways to achieve some parameter passing > username: > security_level: > password: SHA > auth_protocol: AES > priv_protocol: > priv_password: > > As a result, when the service is started, the default access method is > community: public_v2! > > Why is SNMP v3 so difficult to implement? Why are they all in SNMP V2 > mode? Why? > > -- > You received this message because you are subscribed to the Google Groups > "Prometheus Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com > <https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > -- > You received this message because you are subscribed to the Google Groups > "Prometheus Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/prometheus-users/6684812b-1b89-481e-b6dc-6615dfa34162n%40googlegroups.com > <https://groups.google.com/d/msgid/prometheus-users/6684812b-1b89-481e-b6dc-6615dfa34162n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/CABbyFmppWmQ1PNt%2Bp%2BaFbr4C4i8Z9WxPC_ZykX4%3DX3VqFHrMqA%40mail.gmail.com.
