Did you read the migration doc?
https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md
On Fri, Jan 19, 2024 at 5:10 PM Nicholas Smith <
nicholas.john.smit...@gmail.com> wrote:
> Actually struggling with this myself since the change to auth split
> migration in v0.23.0
>
> I cant seem to work out how to format my generator.yml file that is
> currently work for v0.22.0 to work in v0.23.0 and above
>
> This is my current generator.yml
>
> modules: # Dell Idrac idrac: version: 3 timeout: 20s retries: 10
> max_repetitions: 10 auth: username: "${snmp_user}" password:
> "${snmp_password}" auth_protocol: SHA priv_protocol: AES security_level:
> authPriv priv_password: "${snmp_privpass}" community: "${snmp_community}"
> walk: - statusGroup - chassisInformationTable - systemBIOSTable -
> firmwareTableEntry - intrusionTableEntry - physicalDiskTable - batteryTable
> - controllerTable - virtualDiskTable - systemStateTable - powerSupplyTable
> - powerUsageTable - powerSupplyTable - voltageProbeTable -
> amperageProbeTable - systemBatteryTable - networkDeviceTable - thermalGroup
> - interfaces - systemInfoGroup - 1.3.6.1.2.1.1 - eventLogTable overrides:
> systemModelName: type: DisplayString systemServiceTag: type: DisplayString
> systemOSVersion: type: DisplayString systemOSName: type: DisplayString
> systemBIOSVersionName: type: DisplayString firmwareVersionName: type:
> DisplayString eventLogRecord: type: DisplayString eventLogDateName: type:
> DisplayString networkDeviceProductName: type: DisplayString
> networkDeviceVendorName: type: DisplayString networkDeviceFQDD: type:
> DisplayString networkDeviceCurrentMACAddress: type: PhysAddress48
> fortigate: version: 3 timeout: 20s retries: 10 max_repetitions: 10 auth:
> username: "${snmp_user}" password: "${snmp_password}" auth_protocol: SHA
> priv_protocol: AES security_level: authPriv priv_password:
> "${snmp_privpass}" community: "${snmp_community}" walk: - system -
> interfaces - ip - ifXTable - fgModel - fgVirtualDomain - fgSystem -
> fgFirewall - fgMgmt - fgIntf - fgAntivirus - fgApplications - fgVpn - fgIps
> - fnCoreMib
>
>
>
> On Wednesday 10 January 2024 at 12:55:45 pm UTC+1 Brian Candler wrote:
>
>> That's interesting, thanks! AES192C and AES256C are clearly present in
>> the code
>> <https://github.com/prometheus/snmp_exporter/blob/v0.25.0/config/config.go#L152-L165>,
>> but the documentation in generator/README.md omits to mention them.
>>
>> From gosnmp's source (v3_usm.go):
>>
>> // Changed: AES192, AES256, AES192C, AES256C added
>> const (
>> NoPriv SnmpV3PrivProtocol = 1
>> DES SnmpV3PrivProtocol = 2
>> AES SnmpV3PrivProtocol = 3
>> AES192 SnmpV3PrivProtocol = 4 // Blumenthal-AES192
>> AES256 SnmpV3PrivProtocol = 5 // Blumenthal-AES256
>> AES192C SnmpV3PrivProtocol = 6 // Reeder-AES192
>> AES256C SnmpV3PrivProtocol = 7 // Reeder-AES256
>> )
>>
>> Some background here:
>>
>> https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763
>>
>> https://github.com/markabrahams/node-net-snmp/issues/154#issuecomment-757456861
>>
>> Personally, I'd suggest using the more standard AES(128) instead. I note
>> that in its implementation of TLS versions <1.3, Go prefers AES over
>> AES256
>> <https://github.com/golang/go/blob/go1.21.6/src/crypto/tls/cipher_suites.go#L260-L265>
>> when
>> negotiating ciphers:
>>
>> // - AES-128 comes before AES-256
>> //
>> // The only potential advantages of AES-256 are better multi-target
>> // margins, and hypothetical post-quantum properties. Neither apply to
>> // TLS, and AES-256 is slower due to its four extra rounds (which
>> don't
>> // contribute to the advantages above).
>>
>> On Wednesday 10 January 2024 at 11:40:57 UTC Alexander Wilke wrote:
>>
>>> If you use Cisco devices then you have to use a "C" at the end of the
>>> privacy protocol because it seems Cisco has specific impelementation.
>>>
>>> I use
>>>
>>> *priv_protocol: AES256C*
>>>
>>> for Cisco IOS and IOS XE devices running 17.x.y version.
>>>
>>>
>>> Brian Candler schrieb am Mittwoch, 10. Januar 2024 um 12:32:08 UTC+1:
>>>
>>>> > Please list the SNMP V3 instance configuration in generator.yml. I
>>>> want to know where the configuration error is!
>>>>
>>>> It's in the documentation:
>>>>
>>>> https://github.com/prometheus/snmp_exporter/blob/main/generator/README.md#file-format
>>>>
>>>> However, you don't need to compile anything to get started. Just use
>>>> the supplied snmp.yml, and edit the section under "auths" so it looks like
>>>> this:
>>>>
>>>> auths:
>>>> public_v1:
>>>> community: public
>>>> security_level: noAuthNoPriv
>>>> auth_protocol: MD5
>>>> priv_protocol: DES
>>>> version: 1
>>>> public_v2:
>>>> community: public
>>>> security_level: noAuthNoPriv
>>>> auth_protocol: MD5
>>>> priv_protocol: DES
>>>> version: 2
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> * prod_v3: version: 3 security_level: authPriv username:
>>>> admin auth_protocol: SHA password: XXXXXXX priv_protocol: AES
>>>> priv_password: YYYYYYY*
>>>>
>>>> And you're done.
>>>>
>>>> The next simplest option is to load multiple config files. This means
>>>> you can use the existing snmp.yml completely unchanged, and a separate yml
>>>> file that has just your auth(s) in it. I use the following:
>>>>
>>>> *snmp_exporter --config.file=/etc/prometheus/snmp.d/*.yml*
>>>>
>>>> Then I have /etc/prometheus/snmp.d/auth.yml (which is mine)
>>>> and /etc/prometheus/snmp.d/snmp.yml (which is the standard one).
>>>>
>>>> You only need to use the generator if you want to scrape MIBs other
>>>> than the supplied example ones. You can do this by starting with the
>>>> supplied generator.yml
>>>> <https://github.com/prometheus/snmp_exporter/blob/main/generator/generator.yml>
>>>> and modifying it. But if all you want to do is change the auths, I wouldn't
>>>> bother, since the generator essentially just copies the auths from its
>>>> input to its output.
>>>>
>>>> On Wednesday 10 January 2024 at 10:36:09 UTC Awemnhd wrote:
>>>>
>>>>> I tried using snmp_exporter-0.25.0, using SNMP v3 mode, SHA and AES
>>>>> still not successful, and I have to recompile the generator.yml file,
>>>>> otherwise using the default snmp.yml file will have no effect!
>>>>>
>>>>> Please list the SNMP V3 instance configuration in generator.yml. I
>>>>> want to know where the configuration error is!
>>>>>
>>>>> 在2024年1月9日星期二 UTC+8 22:54:36<Brian Candler> 写道:
>>>>>
>>>>>> > Why is SNMP v3 so difficult to implement?
>>>>>>
>>>>>> It's not. It's dead easy. Do you have a working snmpwalk command line
>>>>>> which talks to your device? Then you just transfer the settings to your
>>>>>> snmp_exporter configuration.
>>>>>>
>>>>>> This has been made easier since snmp_exporter v0.23.0
>>>>>> <https://github.com/prometheus/snmp_exporter/releases/tag/v0.23.0>,
>>>>>> because the "modules" which define the OID walking and the "auths" which
>>>>>> provide the credentials have been made orthogonal. You can add new auths,
>>>>>> without touching modules. You can also put them in separate files.
>>>>>>
>>>>>> So you end up with e.g.
>>>>>>
>>>>>> auths:
>>>>>> prod_v3:
>>>>>> version: 3
>>>>>> security_level: authPriv
>>>>>> username: admin
>>>>>> auth_protocol: SHA
>>>>>> password: XXXXXXX
>>>>>> priv_protocol: AES
>>>>>> priv_password: YYYYYYY
>>>>>>
>>>>>> then you call /snmp?target=x.x.x.x&module=if_mib&auth=prod_v3
>>>>>>
>>>>>> The default is indeed still public_v2. The only other option would be
>>>>>> to have no default, i.e. snmp_exporter would fail unless you provide an
>>>>>> explicit set of credentials.
>>>>>>
>>>>>> Hence I'd definitely recommend moving to snmp_exporter 0.25.0. If you
>>>>>> can't do that, then there is a YAML trick you can do to make adding new
>>>>>> auths easier:
>>>>>>
>>>>>> modules:
>>>>>> if_mib: *&if_mib*
>>>>>> .... etc
>>>>>>
>>>>>> # Append to end of file
>>>>>>
>>>>>> *if_mib_prod_v3: <<: *if_mib*
>>>>>> version: 3
>>>>>> timeout: 3s
>>>>>> retries: 3
>>>>>> auth:
>>>>>> security_level: authPriv
>>>>>> username: admin
>>>>>> auth_protocol: SHA
>>>>>> password: XXXXXXXX
>>>>>> ... etc
>>>>>>
>>>>>> This effectively "clones" the if_mib module under a new module
>>>>>> "if_mib_prod_v3", and then overrides parts of it.
>>>>>>
>>>>>> On Tuesday 9 January 2024 at 10:04:57 UTC Awemnhd wrote:
>>>>>>
>>>>>>> see
>>>>>>> https://github.com/prometheus/snmp_exporter/tree/main/generator#file-format
>>>>>>>
>>>>>>> Tried various ways to achieve some parameter passing
>>>>>>> username:
>>>>>>> security_level:
>>>>>>> password: SHA
>>>>>>> auth_protocol: AES
>>>>>>> priv_protocol:
>>>>>>> priv_password:
>>>>>>>
>>>>>>> As a result, when the service is started, the default access method
>>>>>>> is community: public_v2!
>>>>>>>
>>>>>>> Why is SNMP v3 so difficult to implement? Why are they all in SNMP
>>>>>>> V2 mode? Why?
>>>>>>>
>>>>>> --
> You received this message because you are subscribed to the Google Groups
> "Prometheus Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to prometheus-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com
> <https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
--
You received this message because you are subscribed to the Google Groups
"Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to prometheus-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/prometheus-users/CABbyFmpt7-%3DNH3Rq2WJz03y2DCCK6vxmqCbG4eX%2BvKAeMfQZig%40mail.gmail.com.
