Prometheus_SNMP: Monitoring Firewall Traffic

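Introduction

This article draws mainly on whale_life's CSDN blog column: https://blog.51cto.com/liujingyu/2541726

Network speed in the office is often slow, so management wanted to monitor the office's traffic.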

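Installation and Deployment

Components
  • Prometheus: the main monitoring server; collects the data exposed by snmp_exporter
  • snmp_exporter: monitors the switch devices and collects their data
  • Grafana: presents the data collected by Prometheus in a friendlier interface
Versions used
  • CentOS 7.6.1810-Minimal (2 cores, 4 GB RAM, 100 GB disk)
  • prometheus version 2.21.0, listening on port 9090
  • snmp_exporter version 0.19.0, listening on port 9116; SNMP uses UDP ports 161 and 162, so deploying it with Docker is not recommended
  • Grafana version 7.3.5 (deployed with Docker), listening on port 3000
Server initialization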
yum install wget yum-utils net-tools vim ntpdate unzip bash-completion -y

yum update -y

# Show the current open-file limit
ulimit -n
# Blank out any earlier copies of these entries, then append them again
sed -i "s/* soft nofile 65535/ /g" /etc/security/limits.conf
sed -i "s/* hard nofile 65535/ /g" /etc/security/limits.conf
echo "* soft nofile 65535" >>/etc/security/limits.conf
echo "* hard nofile 65535" >>/etc/security/limits.conf
ulimit -n 65535
echo "修改后文件数量"   # prints: "open-file limit after the change"
ulimit -n

echo "优化内核参数"   # prints: "tuning kernel parameters"
echo "net.ipv4.ip_local_port_range = 1024 65535" >>/etc/sysctl.conf
echo "net.ipv4.tcp_syncookies = 1" >>/etc/sysctl.conf
echo "net.ipv4.tcp_tw_reuse = 1" >>/etc/sysctl.conf
# tcp_tw_recycle breaks connections from clients behind NAT and was removed in Linux 4.12
echo "net.ipv4.tcp_tw_recycle = 1" >>/etc/sysctl.conf
echo "net.ipv4.tcp_fin_timeout = 30" >>/etc/sysctl.conf
echo "net.core.somaxconn = 20480" >>/etc/sysctl.conf
echo "net.core.netdev_max_backlog = 20480" >>/etc/sysctl.conf
echo "net.ipv4.tcp_max_syn_backlog = 20480" >>/etc/sysctl.conf
echo "net.ipv4.tcp_max_tw_buckets = 800000" >>/etc/sysctl.conf

sysctl -p

# Disable SELinux and firewalld; with firewalld stopped, every port this host listens on (9090, 9116, 3000) is reachable from the network
sed -i 's/=enforcing/=disabled/g' /etc/selinux/config
setenforce 0
systemctl disable firewalld
systemctl stop firewalld
# Mind the server clock: clock differences between servers leave the components' data with inconsistent timestamps
ntpdate ntp.aliyun.com

Download and install prometheus and snmp_exporter

wget https://github.com/prometheus/prometheus/releases/download/v2.21.0/prometheus-2.21.0.linux-amd64.tar.gz

wget https://github.com/prometheus/snmp_exporter/releases/download/v0.19.0/snmp_exporter-0.19.0.linux-amd64.tar.gz


tar -xvf prometheus-2.21.0.linux-amd64.tar.gz
mv prometheus-2.21.0.linux-amd64 /opt/prometheus

tar -xf snmp_exporter-0.19.0.linux-amd64.tar.gz
mv snmp_exporter-0.19.0.linux-amd64 /opt/snmp_exporter

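# The alertmanager tarball is not downloaded above; it must already be present in the current directory
tar -xf alertmanager-0.21.0.linux-amd64.tar.gz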
mv alertmanager-0.21.0.linux-amd64 /opt/alertmanager

cat > /etc/systemd/system/prometheus.service <<EOF
[Unit]
Description=Prometheus
After=network.target
[Service]
ExecStart=/opt/prometheus/prometheus --config.file=/opt/prometheus/prometheus.yml --storage.tsdb.path=/opt/prometheus/data
User=prometheus
[Install]
WantedBy=multi-user.target
EOF

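# Run the exporter as the unprivileged prometheus user (created below), matching the chown of /opt/snmp_exporter
cat > /etc/systemd/system/snmp_exporter.service <<EOF
[Unit]
Description=snmp_exporter
After=network.target

[Service]
ExecStart=/opt/snmp_exporter/snmp_exporter --config.file=/opt/snmp_exporter/snmp.yml
User=prometheus
Restart=on-failure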

[Install]
WantedBy=multi-user.target
EOF



useradd prometheus
chown -R prometheus:prometheus /opt/{snmp_exporter,prometheus}

systemctl daemon-reload
systemctl enable prometheus && systemctl enable snmp_exporter
systemctl start prometheus && systemctl start snmp_exporter

Installing Grafana
wget -P /etc/yum.repos.d/ https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce
systemctl enable docker && systemctl start docker

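# Pin the image to the Grafana version listed above instead of the floating default tag
docker pull grafana/grafana:7.3.5
docker run -tdi --name grafana-server --restart=always -p 3000:3000 -v /app/grafana/:/var/lib/grafana -v /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime grafana/grafana:7.3.5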

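Modifying the snmp_exporter configuration

The if_mib module is used, so the if_mib module's section of the configuration file needs to be modified.

You can test and verify from the server with the snmpwalk command.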
yum -y install net-snmp-utils

# View the switch's interface details; if the interface information is returned normally, the community string is correct
[root@localhost ~]# snmpwalk -v 2c -c ABCDEFG IP_ADDRESS 1.3.6.1.2.1.2
IF-MIB::ifNumber.0 = INTEGER: 146
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.4 = INTEGER: 4
IF-MIB::ifIndex.5 = INTEGER: 5
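
Enabling SNMP authentication on the firewall

Log in to the firewall > System > Configuration > SNMP
The read-only community set here is the password in the snmp.yml configuration file.

Modifying the configuration file

The snmp_exporter/snmp.yml configuration file contains an if_mib module; find the if_mib keyword in the file and add the auth section.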

if_mib:
  auth:
    community: password
  walk:
  - 1.3.6.1.2.1.2
  - 1.3.6.1.2.1.31.1.1
________________________________________
[root@localhost ~]# systemctl restart snmp_exporter

[root@localhost ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20451/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 20561/master
tcp6 0 0 :::22 :::* LISTEN 20451/sshd
tcp6 0 0 ::1:25 :::* LISTEN 20561/master
tcp6 0 0 :::9116 :::* LISTEN 27273/snmp_exporter
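
Because firewalld was stopped during server initialization, any listener bound to a wildcard address is reachable from the network. The following added example (not from the original post) runs over the netstat output above and flags the monitoring ports from the versions list that are bound to 0.0.0.0 or ::; the function name and port map are illustrative.

```python
import ipaddress

# Ports taken from the versions list on this page.
MONITORING_PORTS = {9090: "prometheus", 9116: "snmp_exporter", 3000: "grafana"}

# The `netstat -tnlp` output shown above, embedded so the check runs offline.
NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20451/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 20561/master
tcp6 0 0 :::22 :::* LISTEN 20451/sshd
tcp6 0 0 ::1:25 :::* LISTEN 20561/master
tcp6 0 0 :::9116 :::* LISTEN 27273/snmp_exporter
"""

def exposed_listeners(netstat_text, ports=MONITORING_PORTS):
    """Return (port, program, local_addr) for monitoring ports bound to a wildcard address."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have 7 columns with the state in column 6; this skips both header lines.
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        local = fields[3]
        host, _, port = local.rpartition(":")  # ":::9116" -> ("::", "9116")
        if not port.isdigit() or int(port) not in ports:
            continue
        # 0.0.0.0 and :: are the "unspecified" addresses, i.e. all interfaces.
        if ipaddress.ip_address(host).is_unspecified:
            program = fields[6].split("/", 1)[-1]
            found.append((int(port), program, local))
    return found

if __name__ == "__main__":
    for port, program, local in exposed_listeners(NETSTAT):
        print(f"{program} listens on {local} (all interfaces), port {port}")
```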

Verifying snmp_exporter

Connecting snmp_exporter to Prometheus

vim /opt/prometheus/prometheus.yml   # add the following content
···
  - job_name: 'BJ-BG-Center-3750-A'   # The switch name is used as the job name to tell devices apart; write one job per switch
    static_configs:
      - targets: ['192.168.4.1']   # IP address of the switch
    metrics_path: /snmp
    params:
      module: [if_mib]   # For other devices, other modules can be used, e.g. cisco_wlc for AP devices, ddwrt for soft routers, and so on
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 192.168.202.239:9116   # The SNMP exporter's real hostname:port.
···

# My prometheus is deployed in a docker container; deploying it on the host is fine
[root@e36188d4c068 /]# cd /opt/prometheus/
[root@e36188d4c068 prometheus]# ./promtool check config prometheus.yml
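
The counters this job scrapes (ifHCInOctets and ifHCOutOctets from the 1.3.6.1.2.1.31.1.1 walk) only become traffic figures once they are differenced over time. The following is an added example, not from the original post: it parses two constructed /snmp scrapes and computes bits per second per interface, treating a counter that went down as a reset; the interface names and values are made up.

```python
import re

# Constructed sample: snmp_exporter /snmp output for one target, scraped 60 s apart.
SCRAPE_T0 = """\
# HELP ifHCInOctets The total number of octets received on the interface - 1.3.6.1.2.1.31.1.1.1.6
# TYPE ifHCInOctets counter
ifHCInOctets{ifDescr="ge0/0",ifIndex="1"} 1.0e+09
ifHCInOctets{ifDescr="ge0/1",ifIndex="4"} 5.0e+08
ifHCOutOctets{ifDescr="ge0/0",ifIndex="1"} 2.0e+09
"""
SCRAPE_T1 = """\
ifHCInOctets{ifDescr="ge0/0",ifIndex="1"} 1.075e+09
ifHCInOctets{ifDescr="ge0/1",ifIndex="4"} 1.5e+06
ifHCOutOctets{ifDescr="ge0/0",ifIndex="1"} 2.03e+09
"""

SAMPLE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse(text):
    """Return {(metric, ifIndex): (ifDescr, value)} for every labelled sample line."""
    samples = {}
    for line in text.splitlines():
        m = SAMPLE.match(line)
        if not m:  # skips "# HELP" / "# TYPE" comments and unlabelled metrics
            continue
        labels = dict(LABEL.findall(m.group(2)))
        key = (m.group(1), labels.get("ifIndex"))
        samples[key] = (labels.get("ifDescr", ""), float(m.group(3)))
    return samples

def bits_per_second(t0_text, t1_text, seconds, metric="ifHCInOctets"):
    """Per-interface rate of an octet counter between two scrapes, in bit/s."""
    before, after = parse(t0_text), parse(t1_text)
    rates = {}
    for key, (descr, v1) in after.items():
        if key[0] != metric or key not in before:
            continue
        v0 = before[key][1]
        # A counter that decreased was reset (e.g. device reboot); count from
        # zero, which is how PromQL rate() treats resets.
        delta = v1 - v0 if v1 >= v0 else v1
        rates[descr or key[1]] = delta * 8 / seconds
    return rates

if __name__ == "__main__":
    for name, bps in bits_per_second(SCRAPE_T0, SCRAPE_T1, 60).items():
        print(f"{name}: {bps / 1e6:.2f} Mbit/s in")
```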

Displaying the data in Grafana

Add the data source

Import template 11169


Prometheus_SNMP: Monitoring Firewall Traffic
https://imwang77.github.io/2020/12/21/Prometheus_SNMP监控防火墙流量/
Author: imwang77
Published: December 21, 2020
Updated: May 28, 2021