snmp_exporter: Collected metric label has unexpected help value

523 views
Skip to first unread message

Cris

unread,
Dec 14, 2020, 8:09:14 PM12/14/20
to Prometheus Users
Hi all,

I am currently trying to collect snmp data off of a Palo Alto Firewall on PAN-OS 9.0. I have downloaded snmp-exporter, built the generator, and edited the Makefile for mibs to grab the correct mibs files for my setup.

I currently get the following errors when navigating to localhost:9116/snmp?target=<IP>&module=paloalto_fw- see attached.

Upon further inspection of those specific OIDs, it has come to my attention that Palo Alto has reused the variable names "ifIndex" and "ifDescr" for their propietary OIDs. These variable names are already allocated to objects under OID .1.3.6.1.2.1.2.2). Palo Alto has them under OID .1.3.6.1.4.1.25461.2.1.2.3.11 (panIfTable). All of their other variables are prefixed with "pan" except these.

I have tried appending the fix in the Mibs file, but it just breaks the generator. The variables are named the same in PAN-OS 10.0, so an OS update won't help.

Is there any way to bypass this other than walking around those particular OIDs? Ideally, I would like to scrape all the info I possibly could. Does snmp_exporter scrape the rest of the data regardless of errors?

Thanks in advance.
Screenshot from 2020-12-14 16-37-58.png

Ben Kochie

unread,
Dec 15, 2020, 3:15:33 PM12/15/20
to Cris, Prometheus Users
Can you share your generator.yml? There are some options for working around duplicate names.

I did find a similar issue in another MIB. I'm thinking we may need some additional changes to better handle some of these edge cases.

--
You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/c2202dc2-e45d-42d2-a6a4-eb6b92a71d66n%40googlegroups.com.

Cris Lingad

unread,
Dec 15, 2020, 3:53:21 PM12/15/20
to Ben Kochie, Prometheus Users
I pretty much kept the default file but trimmed out all the other modules I didn't need, as well as added specs for v3:

modules:
  # Default IF-MIB interfaces table with ifIndex.
  if_mib:
    walk: [sysUpTime, interfaces, ifXTable]
    lookups:
      - source_indexes: [ifIndex]
        lookup: ifAlias
      - source_indexes: [ifIndex]
        # Uis OID to avoid conflict with PaloAlto PAN-COMMON-MIB.
        lookup: 1.3.6.1.2.1.2.2.1.2 # ifDescr
      - source_indexes: [ifIndex]
        # Use OID to avoid conflict with Netscaler NS-ROOT-MIB.
        lookup: 1.3.6.1.2.1.31.1.1.1.1 # ifName
    overrides:
      ifAlias:
        ignore: true # Lookup metric
      ifDescr:
        ignore: true # Lookup metric
      ifName:
        ignore: true # Lookup metric
      ifType:
        type: EnumAsInfo


# Palo Alto Firewalls
#
# Palo Alto MIBs can be found here:
# https://www.paloaltonetworks.com/documentation/misc/snmp-mibs.html
#
  paloalto_fw:
    walk:
      - sysUpTime
      - interfaces
      - hrDevice
      - hrSystem
      - hrStorage
      - 1.3.6.1.4.1.25461.2.1.2.1 # panSys
      - 1.3.6.1.4.1.25461.2.1.2.3 # panSession
      - 1.3.6.1.4.1.25461.2.1.2.5 # panGlobalProtect
    version: 3 
    auth: 
      username: snmp_exporter 
      security_level: authPriv 
      password: pass
      auth_protocol: SHA 
      priv_protocol: AES 
      priv_password: pass

Cris

unread,
Jan 4, 2021, 3:35:33 PM1/4/21
to Prometheus Users
Hi,

Just wanted to bump this issue. Thanks in advanced :)

Orion Haywire

unread,
Sep 8, 2021, 8:23:13 PM9/8/21
to Prometheus Users
I manage to get this working.
Edit generator.yml
under the section for "paloalto_fw:"
#
    lookups:
      - source_indexes: [IfIndex]
        lookup: 1.3.6.1.4.1.25461.2.1.2.3.11.1.2 # ifDescr
    overrides:
      ifDescr:
        ignore: true #Lookup metric
#
Not an expert on this but that allowed me to pull the data without any errors.
I done a manual snmpwalk on the lookup to confirm that it was infact the ifDescr.
Then I looked at the resources/links below to determine how to override the ifDescr since that was causing the conflict.
Hope this helps others.

Resources:

Brian Candler

unread,
Sep 9, 2021, 4:49:12 AM9/9/21
to Prometheus Users
Yes, I believe that using numeric OIDs is the correct workaround when names collide.  You'll notice that current versions of generator/generator.yml already include this workaround in the opposite direction (for ifDescr under if_mib):

modules:
  # Default IF-MIB interfaces table with ifIndex.
  if_mib:
    walk: [sysUpTime, interfaces, ifXTable]
    lookups:
      - source_indexes: [ifIndex]
        lookup: ifAlias
      - source_indexes: [ifIndex]
        # Uis OID to avoid conflict with PaloAlto PAN-COMMON-MIB.
        lookup: 1.3.6.1.2.1.2.2.1.2 # ifDescr
      - source_indexes: [ifIndex]
        # Use OID to avoid conflict with Netscaler NS-ROOT-MIB.
        lookup: 1.3.6.1.2.1.31.1.1.1.1 # ifName
    overrides:
      ifAlias:
        ignore: true # Lookup metric
      ifDescr:
        ignore: true # Lookup metric
      ifName:
        ignore: true # Lookup metric
      ifType:
        type: EnumAsInfo


Reply all
Reply to author
Forward
0 new messages