Integrating Fortigate SNMP with Prometheus


Elvin cbl

Jan 30, 2020, 2:54:22 PM
to Prometheus Users
Hi Team,

I tried to integrate Fortigate SNMP with Prometheus but I am unable to get a proper connection.
Steps followed:

In Fortigate, enabled SNMP.
In Network --> Interface, added SNMP to the local network.

On my Prometheus Linux machine I ran Wireshark and I was getting the logs.

Steps on snmp_exporter:
 I used the GitHub link to get the latest release: https://github.com/prometheus/snmp_exporter
 Downloaded it and ran the file using ./snmpexporter

In my prometheus.yml file I added the below:

scrape_configs:
  - job_name: 'snmp'
    static_configs:
      - targets:
        - 192.168.1.2  # SNMP device.
    metrics_path: /snmp
    params:
      module: [if_mib]
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9116  # The SNMP exporter's real hostname:port

I also tried to run the SNMP Exporter Config Generator:

sudo apt-get install unzip build-essential libsnmp-dev # Debian-based distros


The Fortigate MIBs that I downloaded from the Fortigate UI where I enabled SNMP, I added in /usr/share/snmp/mibs/FORTINET-CORE-MIB.mib

I'm not able to run ./generator generate to create the snmp.yml file.

I also edited the generate.yml file:
fortigate_snmp:
  walk:
    - ifXTable
    - fgVpn        
    - fgSystem        
    - fgIntf
    - fgInetProto
  version: 3
  max_repetitions: 25
  timeout: 10s
  auth:
    username: your_username  # Required, no default. -u option to NetSNMP.
    security_level: authNoPriv  # Defaults to noAuthNoPriv. -l option to NetSNMP.
                                # Can be noAuthNoPriv, authNoPriv or authPriv.
    password: your_password  # Has no default. Also known as authKey, -A option to NetSNMP.
                             # Required if security_level is authNoPriv or authPriv.
    auth_protocol: SHA  # MD5 or SHA, defaults to SHA. -a option to NetSNMP.
                        # Used if security_level is authNoPriv or authPriv.

Please help 
Regards 
Elvin Fernandez






Andrew Meyer

Apr 1, 2020, 8:51:11 PM
to Prometheus Users
You need a new scrape job for each device type.  However I am also struggling with the same issue.  I am trying to figure out if I should add fortinet or fortigate to the generate.yml

Ben Kochie

Apr 2, 2020, 4:56:03 AM
to Andrew Meyer, Prometheus Users
What features/OIDs are you interested in? Is there a good place to download the MIBs required?


Brian Candler

Apr 2, 2020, 5:17:51 AM
to Prometheus Users
On Thursday, 30 January 2020 19:54:22 UTC, Elvin cbl wrote:

> I'm not able to run ./generator generate to create the snmp.yml file


It sounds like you have two different problems.

(1) You are unable to run the generator.

Please show the exact command you ran, and the exact error output you got.

(2) You tried a scrape config using params: [if_mib] but it doesn't work.

The creds for if_mib are SNMPv2 and "public".  So the way I suggest you work on this (without generator) is to edit the provided snmp.yml.  Find this line:

if_mib:

and change it to:

if_mib: &if_mib

Then at the very end of the file, add the following:

if_mib_secret:
  <<: *if_mib
  version: 3
  auth:
    username: your_username
    security_level: authNoPriv
    password: your_password
    auth_protocol: SHA

Restart snmp_exporter.  Then query it:

curl 'localhost:9116/snmp?module=if_mib_secret&target=x.x.x.x'

If it works, great.  Prometheus will be able to scrape this and collect the if_mib (but not the fortigate specific MIBs of course), and then you can next work on the generator.

If it doesn't, then you have some problem either with the SNMPv3 parameters, or with firewalling or ACL between or at the target device.  At this point you should try using the net-snmp command-line tools directly (e.g. "snmpstatus") and adjust the authentication/encryption parameters until you can get a successful query and response.  Then apply those parameters to snmp_exporter.

BTW, Andrew Meyer wrote:
> You need a new scrape job for each device type.

This is not true.  You just need to set __param_module appropriately for each device.  This can be done in static_sd or file_sd, all within the same job: they allow you to set labels on groups of targets.
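
The module added in the post above uses authNoPriv, which authenticates each request but leaves the SNMP payload unencrypted. As an added example (not from the thread), the same merge-key pattern is shown next to an authPriv variant; the module name if_mib_priv and all credentials are placeholders, and the fragment assumes the `if_mib: &if_mib` anchor edit described above and the snmp.yml layout used in this discussion.

```yaml
# Fragment appended to the end of snmp.yml, after the existing
# "if_mib: &if_mib" anchor line. All credentials are placeholders.

# From the thread: authenticated (SHA), payload sent unencrypted.
if_mib_secret:
  <<: *if_mib
  version: 3
  auth:
    username: your_username
    security_level: authNoPriv
    password: your_password
    auth_protocol: SHA

# Added variant: authenticated and encrypted (authPriv).
if_mib_priv:                           # hypothetical module name
  <<: *if_mib
  version: 3
  auth:                                # the << merge is shallow: this map replaces
                                       # any inherited "auth" map as a whole, so
                                       # every key the module needs is listed here
    username: your_username            # -u option to NetSNMP
    security_level: authPriv           # -l option to NetSNMP
    password: your_password            # authKey, -A option to NetSNMP
    auth_protocol: SHA                 # -a option to NetSNMP
    priv_password: your_priv_password  # privKey, -X option to NetSNMP
    priv_protocol: AES                 # -x option to NetSNMP; must match the device
```

The SNMPv3 user on the device has to be configured with the same authentication and privacy settings, and the new module can be queried with the same curl request as above using module=if_mib_priv.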

Andrew Meyer

Apr 2, 2020, 11:25:42 AM
to Prometheus Users
Brian, 
Thanks!
When setting the __param_module could you point me to an example?

For example, this is what I have for the fortigate devices.

  - job_name: 'fortinet'
    static_configs:
      - targets: [ 10.150.1.1 ]
    scrape_interval: 15s
    metrics_path: /snmp
    params:
      module: [fortigate]
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 10.150.10.25:9116  # SNMP exporter

Also does anyone know of a mib to yaml converter?

This would help, especially for the fortinet/fortigate devices.

Thank you!!!

Brian Candler

Apr 2, 2020, 11:50:58 AM
to Prometheus Users
On Thursday, 2 April 2020 16:25:42 UTC+1, Andrew Meyer wrote:
> Brian,
> Thanks!
> When setting the __param_module could you point me to an example?


Since you are using static_configs:

    static_configs:
      - labels:
          __param_module: if_mib
        targets: [ 10.150.1.1 ]
      - labels:
          __param_module: if_mib_secret
        targets: [ 10.150.1.2, 10.150.1.3 ]

But it's better to migrate to file_sd_configs, since these can be changed without having to edit prometheus.yml and without requiring a HUP to prometheus.  file_sd_configs points to a file, and inside the file you have the same structure of groups of (labels + targets).

It's also a good idea to include module as a *real* label, and then use rewriting to copy it to __param_module, so that your metrics get properly labelled.

More complex example here which you can steal just what you need from.

 > Also does anyone know of a mib to yaml converter?

Yes - the generator which comes with snmp_exporter.  You still haven't shown how it fails for you.
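
The file_sd_configs layout described above, with module carried as a real label and copied to __param_module by relabelling, as an added example that is not from the thread. The targets file path is an assumption; the addresses, module names and exporter address are the ones used in this discussion.

```yaml
# --- prometheus.yml (excerpt): one job for every SNMP device type ---
scrape_configs:
  - job_name: 'snmp'
    metrics_path: /snmp
    file_sd_configs:
      - files:
          - /etc/prometheus/targets.d/snmp_targets.yml   # assumed path
    relabel_configs:
      # The device address becomes the ?target= query parameter.
      - source_labels: [__address__]
        target_label: __param_target
      # Keep the device address as the instance label on every metric.
      - source_labels: [__address__]
        target_label: instance
      # Copy the real "module" label into the ?module= query parameter,
      # so each target group selects its own snmp.yml module and the
      # metrics stay labelled with the module that produced them.
      - source_labels: [module]
        target_label: __param_module
      # Finally send the scrape to the exporter, not to the device.
      - target_label: __address__
        replacement: 127.0.0.1:9116  # The SNMP exporter's real hostname:port
---
# --- /etc/prometheus/targets.d/snmp_targets.yml (assumed path) ---
# Same structure as static_configs: groups of labels + targets.
# Changes to this file are picked up without editing prometheus.yml.
- labels:
    module: if_mib
  targets:
    - 10.150.1.1
- labels:
    module: if_mib_secret
  targets:
    - 10.150.1.2
    - 10.150.1.3
```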

Andrew Meyer

Apr 2, 2020, 2:19:10 PM
to Prometheus Users
I will have to check out how to change my config around a bit.  Also it's not really failing for me.  However I was trying to see if I could get the similar granularity with some of the cisco modules (Cisco ASA) using the fortinet/fortigate modules.  I don't feel like I'm getting all the stats I need but I may need to include another MIB.

Andrew Meyer

Apr 2, 2020, 2:24:37 PM
to Prometheus Users
So this is what I have for my node exporter scraper.  I was also trying out DNS service Discovery which worked well with FreeIPA.
But I should probably model the snmp scraper similar to this?

  - job_name: "node"
    scrape_interval: 15s
    metrics_path: /metrics
    #    static_configs:
    #    - targets: [1.2.3.4:9100,5.6.7.8:9100]
    file_sd_configs:
    - files:
      - '/etc/prometheus/node_exporter_targets.json'
        #    dns_sd_configs:
        #    - names:
        #      - "metrics"
        #    relabel_configs:
        #    - source_labels: ['__meta_dns_name']
        #      regex:         'metrics\.(.+?)\..+?\.example\.net'
        #      target_label:  'zone'
        #      replacement:   '$1'
        #    - source_labels: ['__meta_dns_name']
        #      regex:         'metrics\..+?\.(.+?)\.example\.net'
        #      target_label:  'job'
        #      replacement:   '$1'

khanhng...@gmail.com

Aug 13, 2020, 2:23:42 AM
to Prometheus Users