splunk / splunk-connect-for-snmp

Splunk connect for SNMP
https://splunk.github.io/splunk-connect-for-snmp/
Apache License 2.0
35 stars, 15 forks

SNMP inventory error (v1.12): only asks for an A record on IPv6-only hosts #1109

Open thel1988 opened 1 week ago

thel1988 commented 1 week ago

It runs directly on Docker, not Kubernetes. It seems we have hit a bit of an error when we have a host in the inventory file which only has an IPv6 host address, which causes the inventory container to fail during startup, as it seems to only ask for an A record instead of an AAAA record:

Log from the inventory container:

{"message": "Group exampleipv6.com doesn't exist in the configuration. Treating exampleipv6.com as a hostname", "time": "2024-10-21T10:18:23.102008", "level": "WARNING"}
{"message": "Exception raised for exampleipv6.com:161: 1 validation error for InventoryRecord\naddress\n field address must be an IP or a resolvable hostname exampleipv6.com (type=value_error)", "time": "2024-10-21T10:18:23.112384", "exc_info": "Traceback (most recent call last):\n File \"/app/.venv/lib/python3.10/site-packages/splunk_connect_for_snmp/inventory/loader.py\", line 209, in load\n ir = InventoryRecord(**new_source_record)\n File \"/app/.venv/lib/python3.10/site-packages/splunk_connect_for_snmp/common/inventory_record.py\", line 53, in __init__\n super().__init__(*args, **kwargs)\n File \"pydantic/main.py\", line 341, in pydantic.main.BaseModel.__init__\npydantic.error_wrappers.ValidationError: 1 validation error for InventoryRecord\naddress\n field address must be an IP or a resolvable hostname exampleipv6.com (type=value_error)", "level": "ERROR"}

CoreDNS log:

[INFO] [{src_ipv6}]:51761 - 1337 "A IN exampleipv6.com. udp 57 false 1200" NOERROR qr,rd,ra 141 0.002197727s

ajasnosz commented 1 week ago

Hello, could you attach what your group configuration and inventory look like in YAML?

thel1988 commented 1 week ago

Of course, here you go. Inventory (random IPv6):

address,port,version,community,secret,securityEngine,walk_interval,profiles,smart_profiles,delete
8c0e:9f54:bfdc:6ecd:7085:d0c0:786b:20e3,161,2c,public,,,60,,,

scheduler-config.yaml:

communities:
  2c:
    public:
      communityIndex:
      contextEngineId:
      contextName:
      tag:
      securityName:

ajasnosz commented 1 week ago

Is the IPv6 address for the device an IP or a hostname? If it is a problem with resolving the hostname, I see that the configuration might be missing the IPv6 DNS server. Below I will attach the updated configuration for the CoreDNS files. You can remove the containers and recreate them with the new configuration.

In Corefile:

.:53 {
    log
    errors
    auto
    reload
    forward . 8.8.8.8 2001:4860:4860::8888
}

.env

COREDNS_ADDRESS_IPv6=fd02:0:0:0:7fff:ffff:ffff:ffff

If you configured different than default ipv6 subnet for sc4snmp_network, the COREDNS_ADDRESS_IPv6 should be assigned from that range.

docker-compose-coredns.yaml

version: '3.8'
services:
  coredns:
    image: ${COREDNS_IMAGE}:${COREDNS_TAG:-latest}
    command: ["-conf", "/Corefile"]
    container_name: coredns
    restart: on-failure
    expose:
        - '53'
        - '53/udp'
    volumes:
        - '${COREFILE_ABS_PATH}:/Corefile'
    networks:
        sc4snmp_network:
            ipv4_address: ${COREDNS_ADDRESS}
            ipv6_address: ${COREDNS_ADDRESS_IPv6}

Let me know if this solution was helpful.

thel1988 commented 1 week ago

The hostname is normally resolvable from the host, but CoreDNS is not asked for an AAAA record by the worker process, only for an A record. I have already set up the Corefile and the envs.

When traps come in over IPv6 they are easily resolved to a hostname. CoreDNS already seems to be set up correctly. Corefile (IPs have been masked for privacy reasons):

.:53 {
    log
    errors
    auto
    reload
    forward . [2001:4860:4860::8888]:53
}

.env (IPs have been masked, i.e. copied from your example):

COREDNS_ADDRESS=fd02:0:0:0:7fff:ffff:ffff:ffff

docker-compose-coredns.yaml:

      sc4snmp_network:
        ipv6_address: ${COREDNS_ADDRESS}

ajasnosz commented 1 week ago

The method responsible for host translation supports only IPv4 address resolution. That is probably the main cause of why only an A request is sent. I will update the code with a new method that supports both IPv4 and IPv6 and let you know when the new version is ready.

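As an added illustration of the diagnosis above (my own example, not SC4SNMP's code): an AF_INET-only `socket.getaddrinfo` call emits only an A query, so a host that has just an AAAA record fails, while an AF_UNSPEC lookup asks for both and satisfies the "IP or a resolvable hostname" check the loader's error message describes. `FAKE_ZONE` and `fake_getaddrinfo` are constructed stand-ins for CoreDNS answers so the block runs offline; the host names and addresses in them are assumptions, not anything from the thread.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for CoreDNS answers (not real hosts): which records each name has.
FAKE_ZONE = {
    ("exampleipv6.com", socket.AF_INET6): ["2001:db8::161"],  # AAAA only, like the reporter's host
    ("dual.example", socket.AF_INET): ["192.0.2.10"],          # A and AAAA
    ("dual.example", socket.AF_INET6): ["2001:db8::10"],
}


def fake_getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
    """Answers like socket.getaddrinfo but from FAKE_ZONE, so the example runs offline.
    AF_INET asks only for A, AF_INET6 only for AAAA, AF_UNSPEC (0) for both."""
    families = [socket.AF_INET, socket.AF_INET6] if family == socket.AF_UNSPEC else [family]
    results = []
    for fam in families:
        for addr in FAKE_ZONE.get((host, fam), []):
            sockaddr = (addr, port) if fam == socket.AF_INET else (addr, port, 0, 0)
            results.append((fam, socket.SOCK_DGRAM, socket.IPPROTO_UDP, "", sockaddr))
    if not results:
        # Same failure class the real resolver raises ("No address associated with hostname").
        raise socket.gaierror(-5, "No address associated with hostname")
    return results


Resolver = Callable[..., list]


def resolve_ipv4_only(host: str, port: int = 161, resolver: Resolver = socket.getaddrinfo) -> List[str]:
    """The behaviour diagnosed in the thread: an AF_INET-only lookup sends just an A query,
    so a host with only an AAAA record is reported as unresolvable."""
    return [entry[4][0] for entry in resolver(host, port, socket.AF_INET, socket.SOCK_DGRAM)]


def resolve_any(host: str, port: int = 161, resolver: Resolver = socket.getaddrinfo) -> List[Tuple[str, str]]:
    """Family-agnostic lookup: AF_UNSPEC asks for both A and AAAA.
    Returns (family, ip) pairs; with the real resolver the order depends on the system."""
    out = []
    for fam, _, _, _, sockaddr in resolver(host, port, socket.AF_UNSPEC, socket.SOCK_DGRAM):
        out.append(("ipv6" if fam == socket.AF_INET6 else "ipv4", sockaddr[0]))
    return out


def validate_address(address: str, port: int = 161, resolver: Resolver = socket.getaddrinfo) -> Tuple[str, str]:
    """The inventory check as the error message words it: the field must be an IP literal
    or a resolvable hostname. Returns (family, ip) or raises ValueError."""
    try:
        ip = ipaddress.ip_address(address)  # literal of either family: no DNS needed
        return ("ipv6" if ip.version == 6 else "ipv4", str(ip))
    except ValueError:
        pass
    try:
        return resolve_any(address, port, resolver)[0]
    except socket.gaierror as exc:
        raise ValueError(f"field address must be an IP or a resolvable hostname {address}") from exc


def is_valid_address(address: str, resolver: Resolver = socket.getaddrinfo) -> bool:
    """Boolean form of validate_address for callers that only need pass/fail."""
    try:
        validate_address(address, resolver=resolver)
        return True
    except ValueError:
        return False


def try_resolve(fn, host: str, resolver: Resolver) -> Optional[list]:
    """Helper for comparing the two lookups: the result, or None when DNS finds nothing."""
    try:
        return fn(host, resolver=resolver)
    except socket.gaierror:
        return None


if __name__ == "__main__":
    print(try_resolve(resolve_ipv4_only, "exampleipv6.com", fake_getaddrinfo))  # None: A query only
    print(try_resolve(resolve_any, "exampleipv6.com", fake_getaddrinfo))        # [('ipv6', '2001:db8::161')]
    print(validate_address("8c0e:9f54:bfdc:6ecd:7085:d0c0:786b:20e3", resolver=fake_getaddrinfo))
```

Swapping `fake_getaddrinfo` for the default `socket.getaddrinfo` runs the same checks against the real CoreDNS container. Note that resolving is only half of it: the address family that comes back has to be carried through to whatever opens the UDP socket, which is what the later "Bad IPv4/UDP transport address" error in this thread suggests was still IPv4-only.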
ajasnosz commented 1 week ago

Hello, the fix for the issue has been developed and I published it to the Docker repository. Could you change these 2 values in .env and test whether the solution works in your environment?

SC4SNMP_IMAGE="ajasnosz558/sc4snmp-dev-hostname"
SC4SNMP_TAG="dns-fix"

thel1988 commented 1 week ago

It seems to get a little further now, but still hits a snag:

  line: [2024-10-23 12:20:45,213: ERROR/ForkPoolWorker-3] Task splunk_connect_for_snmp.snmp.tasks.walk[774bc6fa-bc99-4498-9c32-9b49e5bbc036] raised unexpected: UnpickleableExceptionWrapper('pysnmp.error', 'PySnmpError', ("Bad IPv4/UDP transport address xxxx.console.xxx.xxxx@161: [Errno -5] No address associated with hostnamecaused by <class 'socket.gaierror'>: [Errno -5] No address associated with hostname",), 'PySnmpError("Bad IPv4/UDP transport address xxxxxx.console.xxx.xxxxx@161: [Errno -5] No address associated with hostnamecaused by <class \'socket.gaierror\'>: [Errno -5] No address associated with hostname")')
   source: stderr
   tag: eba689586118

In CoreDNS I see the AAAA record request now:

"AAAA IN xxxxx.console.xxxx.xxx. udp 57 false 1200" NOERROR qr,rd,ra 113 0.002093611s

ajasnosz commented 6 days ago

The issue requires the release of a new version with fixed DNS for IPv6. For now the quick fix is available by using the image:

image:
  repository: ajasnosz558/sc4snmp-dev-hostname
  tag: "dns-connection-fix"