snmp_exporter-0.20 cannot monitor SNMP V3?

[Awemnhd]

see https://github.com/prometheus/snmp_exporter/tree/main/generator#file-format

Tried various ways to achieve some parameter passing
username:
security_level:
password: SHA
auth_protocol: AES
priv_protocol:
priv_password:

As a result, when the service is started, the default access method is community: public_v2!

Why is SNMP v3 so difficult to implement? Why are they all in SNMP V2 mode? Why?

[Brian Candler]

> Why is SNMP v3 so difficult to implement?

It's not. It's dead easy. Do you have a working snmpwalk command line which talks to your device? Then you just transfer the settings to your snmp_exporter configuration.

This has been made easier since snmp_exporter v0.23.0, because the "modules" which define the OID walking and the "auths" which provide the credentials have been made orthogonal. You can add new auths, without touching modules. You can also put them in separate files.

So you end up with e.g.

auths:
  prod_v3:
    version: 3
    security_level: authPriv
    username: admin
    auth_protocol: SHA
    password: XXXXXXX
    priv_protocol: AES
    priv_password: YYYYYYY

then you call /snmp?target=x.x.x.x&module=if_mib&auth=prod_v3

The default is indeed still public_v2. The only other option would be to have no default, i.e. snmp_exporter would fail unless you provide an explicit set of credentials.

Hence I'd definitely recommend moving to snmp_exporter 0.25.0. If you can't do that, then there is a YAML trick you can do to make adding new auths easier:

modules:

  if_mib: &if_mib
  .... etc

# Append to end of file

if_mib_prod_v3:
  <<: *if_mib
  version: 3
  timeout: 3s
  retries: 3
  auth:
    security_level: authPriv
    username: admin
    auth_protocol: SHA
    password: XXXXXXXX
    ... etc

This effectively "clones" the if_mib module under a new module "if_mib_prod_v3", and then overrides parts of it.

[Awemnhd]

I tried using snmp_exporter-0.25.0, using SNMP v3 mode, SHA and AES still not successful, and I have to recompile the generator.yml file, otherwise using the default snmp.yml file will have no effect!

Please list the SNMP V3 instance configuration in generator.yml. I want to know where the configuration error is!

[Brian Candler]

> Please list the SNMP V3 instance configuration in generator.yml. I want to know where the configuration error is!

It's in the documentation:

https://github.com/prometheus/snmp_exporter/blob/main/generator/README.md#file-format

However, you don't need to compile anything to get started. Just use the supplied snmp.yml, and edit the section under "auths" so it looks like this:

auths:
  public_v1:
    community: public
    security_level: noAuthNoPriv
    auth_protocol: MD5
    priv_protocol: DES
    version: 1
  public_v2:
    community: public
    security_level: noAuthNoPriv
    auth_protocol: MD5
    priv_protocol: DES
    version: 2

  prod_v3:
    version: 3
    security_level: authPriv
    username: admin
    auth_protocol: SHA
    password: XXXXXXX
    priv_protocol: AES
    priv_password: YYYYYYY

And you're done.

The next simplest option is to load multiple config files. This means you can use the existing snmp.yml completely unchanged, and a separate yml file that has just your auth(s) in it.  I use the following:

snmp_exporter --config.file=/etc/prometheus/snmp.d/*.yml

Then I have /etc/prometheus/snmp.d/auth.yml (which is mine) and /etc/prometheus/snmp.d/snmp.yml (which is the standard one).

You only need to use the generator if you want to scrape MIBs other than the supplied example ones. You can do this by starting with the supplied generator.yml and modifying it. But if all you want to do is change the auths, I wouldn't bother, since the generator essentially just copies the auths from its input to its output.

[Alexander Wilke]

If you use Cisco devices then you have to use a "C" at the end of the privacy protocol because it seems Cisco has specific impelementation.

I use

priv_protocol: AES256C

for Cisco IOS and IOS XE devices running 17.x.y version.

[Brian Candler]

That's interesting, thanks! AES192C and AES256C are clearly present in the code, but the documentation in generator/README.md omits to mention them.

From gosnmp's source (v3_usm.go):

// Changed: AES192, AES256, AES192C, AES256C added
const (
        NoPriv  SnmpV3PrivProtocol = 1
        DES     SnmpV3PrivProtocol = 2
        AES     SnmpV3PrivProtocol = 3
        AES192  SnmpV3PrivProtocol = 4 // Blumenthal-AES192
        AES256  SnmpV3PrivProtocol = 5 // Blumenthal-AES256
        AES192C SnmpV3PrivProtocol = 6 // Reeder-AES192
        AES256C SnmpV3PrivProtocol = 7 // Reeder-AES256
)

Some background here:

https://community.cisco.com/t5/network-management/snmpv3-aes192-256-key-localization-not-done-via-aes-draft/td-p/2954763

https://github.com/markabrahams/node-net-snmp/issues/154#issuecomment-757456861

Personally, I'd suggest using the more standard AES(128) instead. I note that in its implementation of TLS versions <1.3, Go prefers AES over AES256 when negotiating ciphers:

//   - AES-128 comes before AES-256
//
//     The only potential advantages of AES-256 are better multi-target
//     margins, and hypothetical post-quantum properties. Neither apply to
//     TLS, and AES-256 is slower due to its four extra rounds (which don't
//     contribute to the advantages above).

[Nicholas Smith]

Actually struggling with this myself since the change to auth split migration in v0.23.0

I cant seem to work out how to format my generator.yml file that is currently work for v0.22.0 to work in v0.23.0 and above 

This is my current generator.yml

modules: # Dell Idrac idrac: version: 3 timeout: 20s retries: 10 max_repetitions: 10 auth: username: "${snmp_user}" password: "${snmp_password}" auth_protocol: SHA priv_protocol: AES security_level: authPriv priv_password: "${snmp_privpass}" community: "${snmp_community}" walk: - statusGroup - chassisInformationTable - systemBIOSTable - firmwareTableEntry - intrusionTableEntry - physicalDiskTable - batteryTable - controllerTable - virtualDiskTable - systemStateTable - powerSupplyTable - powerUsageTable - powerSupplyTable - voltageProbeTable - amperageProbeTable - systemBatteryTable - networkDeviceTable - thermalGroup - interfaces - systemInfoGroup - 1.3.6.1.2.1.1 - eventLogTable overrides: systemModelName: type: DisplayString systemServiceTag: type: DisplayString systemOSVersion: type: DisplayString systemOSName: type: DisplayString systemBIOSVersionName: type: DisplayString firmwareVersionName: type: DisplayString eventLogRecord: type: DisplayString eventLogDateName: type: DisplayString networkDeviceProductName: type: DisplayString networkDeviceVendorName: type: DisplayString networkDeviceFQDD: type: DisplayString networkDeviceCurrentMACAddress: type: PhysAddress48 fortigate: version: 3 timeout: 20s retries: 10 max_repetitions: 10 auth: username: "${snmp_user}" password: "${snmp_password}" auth_protocol: SHA priv_protocol: AES security_level: authPriv priv_password: "${snmp_privpass}" community: "${snmp_community}" walk: - system - interfaces - ip - ifXTable - fgModel - fgVirtualDomain - fgSystem - fgFirewall - fgMgmt - fgIntf - fgAntivirus - fgApplications - fgVpn - fgIps - fnCoreMib

[Ben Kochie]

Did you read the migration doc?

https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md

--
You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/b986f278-12ca-4b10-98e7-56ccd7805dc3n%40googlegroups.com.

[Nicholas Smith]

Yep i reviewed the documentation and tried the following changes to the generator.yml

auths:
  prod_v3:
    version: 3
    security_level: authPriv

    username: "${snmp_user}"
    auth_protocol: SHA
    password: ${snmp_password}"
    priv_protocol: AES

    priv_password: "${snmp_privpass}"
    community: "${snmp_community}"

modules:
  # Dell Idrac
  idrac:
    version: 3
    timeout: 20s
    retries: 10
    max_repetitions: 10

    walk:
      - system
      - interfaces
      - ip
      - ifXTable
      - fgModel
      - fgVirtualDomain
      - fgSystem
      - fgFirewall
      - fgMgmt
      - fgIntf
      - fgAntivirus
      - fgApplications
      - fgVpn
      - fgIps

      - fnCoreMib

I dont think it is correct as I'm still getting the following errors

msg="Error parsing config file" err="yaml: unmarshal errors:\n  line 2: field fortigate not found in type config.Config\n  line 6410: field idrac not found in type config.Config"

msg="Possible old config file, see https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md"

 

On Friday 19 January 2024 at 5:12:23 pm UTC+1 Ben Kochie wrote:

Did you read the migration doc?

https://github.com/prometheus/snmp_exporter/blob/main/auth-split-migration.md

[Ben Kochie]

Did you use or recompile the generator to make sure it matches the version with the exporter?

To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/6684812b-1b89-481e-b6dc-6615dfa34162n%40googlegroups.com.