Yep i reviewed the documentation and tried the following changes to the generator.yml
auths: prod_v3: version: 3 security_level: authPriv username: "${snmp_user}" auth_protocol: SHA password: ${snmp_password}" priv_protocol: AES priv_password: "${snmp_privpass}" community: "${snmp_community}" modules: # Dell Idrac idrac: version: 3 timeout: 20s retries: 10 max_repetitions: 10 walk: - statusGroup - chassisInformationTable - systemBIOSTable - firmwareTableEntry - intrusionTableEntry - physicalDiskTable - batteryTable - controllerTable - virtualDiskTable - systemStateTable - powerSupplyTable - powerUsageTable - powerSupplyTable - voltageProbeTable - amperageProbeTable - systemBatteryTable - networkDeviceTable - thermalGroup - interfaces - systemInfoGroup - 1.3.6.1.2.1.1 - eventLogTable overrides: systemModelName: type: DisplayString systemServiceTag: type: DisplayString systemOSVersion: type: DisplayString systemOSName: type: DisplayString systemBIOSVersionName: type: DisplayString firmwareVersionName: type: DisplayString eventLogRecord: type: DisplayString eventLogDateName: type: DisplayString networkDeviceProductName: type: DisplayString networkDeviceVendorName: type: DisplayString networkDeviceFQDD: type: DisplayString networkDeviceCurrentMACAddress: type: PhysAddress48 fortigate: version: 3 timeout: 20s retries: 10 max_repetitions: 10 walk: - system - interfaces - ip - ifXTable - fgModel - fgVirtualDomain - fgSystem - fgFirewall - fgMgmt - fgIntf - fgAntivirus - fgApplications - fgVpn - fgIps - fnCoreMib I dont think it is correct as I'm still getting the following errors msg="Error parsing config file" err="yaml: unmarshal errors:\n line 2: field fortigate not found in type config.Config\n line 6410: field idrac not found in type config.Config" msg="Possible old config file, see https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md" On Friday 19 January 2024 at 5:12:23 pm UTC+1 Ben Kochie wrote: Did you read the migration doc? https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md On Fri, Jan 19, 2024 at 5:10 PM Nicholas Smith wrote: Actually struggling with this myself since the change to auth split migration in v0.23.0 I cant seem to work out how to format my generator.yml file that is currently work for v0.22.0 to work in v0.23.0 and above This is my current generator.yml modules: # Dell Idrac idrac: version: 3 timeout: 20s retries: 10 max_repetitions: 10 auth: username: "${snmp_user}" password: "${snmp_password}" auth_protocol: SHA priv_protocol: AES security_level: authPriv priv_password: "${snmp_privpass}" community: "${snmp_community}" walk: - statusGroup - chassisInformationTable - systemBIOSTable - firmwareTableEntry - intrusionTableEntry - physicalDiskTable - batteryTable - controllerTable - virtualDiskTable - systemStateTable - powerSupplyTable - powerUsageTable - powerSupplyTable - voltageProbeTable - amperageProbeTable - systemBatteryTable - networkDeviceTable - thermalGroup - interfaces - systemInfoGroup - 1.3.6.1.2.1.1 - eventLogTable overrides: systemModelName: type: DisplayString systemServiceTag: type: DisplayString systemOSVersion: type: DisplayString systemOSName: type: DisplayString systemBIOSVersionName: type: DisplayString firmwareVersionName: type: DisplayString eventLogRecord: type: DisplayString eventLogDateName: type: DisplayString networkDeviceProductName: type: DisplayString networkDeviceVendorName: type: DisplayString networkDeviceFQDD: type: DisplayString networkDeviceCurrentMACAddress: type: PhysAddress48 fortigate: version: 3 timeout: 20s retries: 10 max_repetitions: 10 auth: username: "${snmp_user}" password: "${snmp_password}" auth_protocol: SHA priv_protocol: AES security_level: authPriv priv_password: "${snmp_privpass}" community: "${snmp_community}" walk: - system - interfaces - ip - ifXTable - fgModel - fgVirtualDomain - fgSystem - fgFirewall - fgMgmt - fgIntf - fgAntivirus - fgApplications - fgVpn - fgIps - fnCoreMib On Wednesday 10 January 2024 at 12:55:45 pm UTC+1 Brian Candler wrote: That's interesting, thanks! AES192C and AES256C are clearly present in the code <https://github.com/prometheus/snmp_exporter/blob/v0.25.0/config/config.go#L152-L165>, but the documentation in generator/README.md omits to mention them. >From gosnmp's source (v3_usm.go): // Changed: AES192, AES256, AES192C, AES256C added const ( NoPriv SnmpV3PrivProtocol = 1 DES SnmpV3PrivProtocol = 2 AES SnmpV3PrivProtocol = 3 AES192 SnmpV3PrivProtocol = 4 // Blumenthal-AES192 AES256 SnmpV3PrivProtocol = 5 // Blumenthal-AES256 AES192C SnmpV3PrivProtocol = 6 // Reeder-AES192 AES256C SnmpV3PrivProtocol = 7 // Reeder-AES256 ) Some background here: https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763 https://github.com/markabrahams/node-net-snmp/issues/154#issuecomment-757456861 Personally, I'd suggest using the more standard AES(128) instead. I note that in its implementation of TLS versions <1.3, Go prefers AES over AES256 <https://github.com/golang/go/blob/go1.21.6/src/crypto/tls/cipher_suites.go#L260-L265> when negotiating ciphers: // - AES-128 comes before AES-256 // // The only potential advantages of AES-256 are better multi-target // margins, and hypothetical post-quantum properties. Neither apply to // TLS, and AES-256 is slower due to its four extra rounds (which don't // contribute to the advantages above). On Wednesday 10 January 2024 at 11:40:57 UTC Alexander Wilke wrote: If you use Cisco devices then you have to use a "C" at the end of the privacy protocol because it seems Cisco has specific impelementation. I use *priv_protocol: AES256C* for Cisco IOS and IOS XE devices running 17.x.y version. Brian Candler schrieb am Mittwoch, 10. Januar 2024 um 12:32:08 UTC+1: > Please list the SNMP V3 instance configuration in generator.yml. I want to know where the configuration error is! It's in the documentation: https://github.com/prometheus/snmp_exporter/blob/main/generator/README.md#file-format However, you don't need to compile anything to get started. Just use the supplied snmp.yml, and edit the section under "auths" so it looks like this: auths: public_v1: community: public security_level: noAuthNoPriv auth_protocol: MD5 priv_protocol: DES version: 1 public_v2: community: public security_level: noAuthNoPriv auth_protocol: MD5 priv_protocol: DES version: 2 * prod_v3: version: 3 security_level: authPriv username: admin auth_protocol: SHA password: XXXXXXX priv_protocol: AES priv_password: YYYYYYY* And you're done. The next simplest option is to load multiple config files. This means you can use the existing snmp.yml completely unchanged, and a separate yml file that has just your auth(s) in it. I use the following: *snmp_exporter --config.file=/etc/prometheus/snmp.d/*.yml* Then I have /etc/prometheus/snmp.d/auth.yml (which is mine) and /etc/prometheus/snmp.d/snmp.yml (which is the standard one). You only need to use the generator if you want to scrape MIBs other than the supplied example ones. You can do this by starting with the supplied generator.yml <https://github.com/prometheus/snmp_exporter/blob/main/generator/generator.yml> and modifying it. But if all you want to do is change the auths, I wouldn't bother, since the generator essentially just copies the auths from its input to its output. On Wednesday 10 January 2024 at 10:36:09 UTC Awemnhd wrote: I tried using snmp_exporter-0.25.0, using SNMP v3 mode, SHA and AES still not successful, and I have to recompile the generator.yml file, otherwise using the default snmp.yml file will have no effect! Please list the SNMP V3 instance configuration in generator.yml. I want to know where the configuration error is! 在2024年1月9日星期二 UTC+8 22:54:36<Brian Candler> 写道: > Why is SNMP v3 so difficult to implement? It's not. It's dead easy. Do you have a working snmpwalk command line which talks to your device? Then you just transfer the settings to your snmp_exporter configuration. This has been made easier since snmp_exporter v0.23.0 <https://github.com/prometheus/snmp_exporter/releases/tag/v0.23.0>, because the "modules" which define the OID walking and the "auths" which provide the credentials have been made orthogonal. You can add new auths, without touching modules. You can also put them in separate files. So you end up with e.g. auths: prod_v3: version: 3 security_level: authPriv username: admin auth_protocol: SHA password: XXXXXXX priv_protocol: AES priv_password: YYYYYYY then you call /snmp?target=x.x.x.x&module=if_mib&auth=prod_v3 The default is indeed still public_v2. The only other option would be to have no default, i.e. snmp_exporter would fail unless you provide an explicit set of credentials. Hence I'd definitely recommend moving to snmp_exporter 0.25.0. If you can't do that, then there is a YAML trick you can do to make adding new auths easier: modules: if_mib: *&if_mib* .... etc # Append to end of file *if_mib_prod_v3: <<: *if_mib* version: 3 timeout: 3s retries: 3 auth: security_level: authPriv username: admin auth_protocol: SHA password: XXXXXXXX ... etc This effectively "clones" the if_mib module under a new module "if_mib_prod_v3", and then overrides parts of it. On Tuesday 9 January 2024 at 10:04:57 UTC Awemnhd wrote: see https://github.com/prometheus/snmp_exporter/tree/main/generator#file-format Tried various ways to achieve some parameter passing username: security_level: password: SHA auth_protocol: AES priv_protocol: priv_password: As a result, when the service is started, the default access method is community: public_v2! Why is SNMP v3 so difficult to implement? Why are they all in SNMP V2 mode? Why? -- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-use...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com <https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com?utm_medium=email&utm_source=footer> . -- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/6684812b-1b89-481e-b6dc-6615dfa34162n%40googlegroups.com.