monitoring: default to "public" snmp community

monitoring: monitor switches in the ANS via snmp
monitoring: install snmp_exporter
2022-11-21 03:00:57 +01:00 · 2022-11-21 02:58:13 +01:00 · 2022-11-21 02:56:59 +01:00
7 changed files with 41 additions and 2 deletions
--- a/files/alerting_rules.yml
+++ b/files/alerting_rules.yml
@ -54,3 +54,13 @@ groups:
          annotations:
            summary: Host out of inodes (instance {{ $labels.instance }})
            description: "Disk is almost running out of available inodes (< 10% left)\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
+
+  - name: Network
+    rules:
+      - alert: PortChangedState
+        expr: changes(ifLastChange[2h]) != 0
+        labels:
+          severity: warning
+        annotations:
+          summary: A switch port changed it's state {{ $value }}x time
+          description: "For some reason a switch port changed it's state\n LABELS = {{ $labels }}"
--- a/files/pf.wg2.conf
+++ b/files/pf.wg2.conf
@ -6,3 +6,6 @@ pass on wg2 proto ospf

 # allow prometheus on wg2
 pass on wg2 proto tcp from any to self port 9100
+
+# allow outgoing snmp on wg2
+pass out on wg2 proto udp from self to any port snmp
--- a/password-store/snmp-community.gpg
+++ b/password-store/snmp-community.gpg
--- a/playbook_provision_monitoring.yml
+++ b/playbook_provision_monitoring.yml
@ -61,6 +61,7 @@
      package:
        name:
          - prometheus
+          - snmp_exporter
          - alertmanager
          - grafana

@ -148,6 +149,7 @@
        state: started
      with_items:
        - prometheus
+        - snmp_exporter
        - alertmanager
        - grafana

--- a/templates/gateways/ffl-ans-gw-core01/etc/config/firewall
+++ b/templates/gateways/ffl-ans-gw-core01/etc/config/firewall
@ -58,6 +58,14 @@ config rule
        option dest_port        9100
        option target           ACCEPT

+config rule
+	option name		From-BACKBONE-Into-MGMT-Allow-SNMP
+	option src		backbone
+	option dest		mgmt
+	option proto		udp
+	option dest_port	161
+	option target		ACCEPT
+
 config rule
 	option name		From-Any-Allow-SSH
 	option src		*
--- a/templates/gs1900-10hp-stock.cfg.j2
+++ b/templates/gs1900-10hp-stock.cfg.j2
@ -39,8 +39,7 @@ spanning-tree mst configuration
 !
 !
 !
-no snmp community "public"
-snmp community "{{ lookup('passwordstore', 'snmp-community') }}"  ro
+snmp community "public" ro
 !
 !
 ip ssh
--- a/templates/prometheus.yml
+++ b/templates/prometheus.yml
@ -36,6 +36,23 @@ scrape_configs:

 {% endfor %}

+  - job_name: 'snmp'
+    static_configs:
+      - targets:
+{% for host in groups['switches_stock'] %}
+          - {{ hostvars[host]['ip'] }}
+{% endfor %}
+    metrics_path: /snmp
+    params:
+      module: [if_mib]
+    relabel_configs:
+      - source_labels: [__address__]
+        target_label: __param_target
+      - source_labels: [__param_target]
+        target_label: instance
+      - target_label: __address__
+        replacement: 127.0.0.1:9116  # The SNMP exporter's real hostname:port.
+
  - job_name: 'blackbox'
    static_configs:
      - targets:
Author	SHA1	Message	Date
Gregor Michels	64721148d8	monitoring: default to "public" snmp community	2022-11-21 03:00:57 +01:00
Gregor Michels	e3b111f2c7	monitoring: monitor switches in the ANS via snmp	2022-11-21 02:58:13 +01:00
Gregor Michels	5fa5b13da7	monitoring: install snmp_exporter	2022-11-21 02:56:59 +01:00