ipsec_exporter
Note
This repository is no longer supported or updated. If you wish to continue to develop this code yourself, consider forking it.
IPsec Exporter
Export strongswan/libreswan IPsec stats to Prometheus.
To run it:

```
make
./ipsec_exporter [flags]
```
Exported metrics
Exported for both strongswan/libreswan
| Metric | Meaning | Labels |
|---|---|---|
| ipsec_up | Was the last scrape successful. | |
| ipsec_ike_sas | Number of currently registered IKE SAs. | |
| ipsec_half_open_ike_sas | Number of IKE SAs in half-open state. | |
| ipsec_ike_sa_state | IKE SA state. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips |
| ipsec_child_sa_state | Child SA state. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_bytes_in | Number of input bytes processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_bytes_out | Number of output bytes processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
Additionally exported for strongswan-only
| Metric | Meaning | Labels |
|---|---|---|
| ipsec_uptime_seconds | Number of seconds since the daemon started. | |
| ipsec_workers_total | Number of worker threads. | |
| ipsec_idle_workers | Number of idle worker threads. | |
| ipsec_active_workers | Number of threads processing jobs. | |
| ipsec_queues | Number of queued jobs. | priority |
| ipsec_pool_ips_total | Number of addresses in the pool. | name, address |
| ipsec_online_pool_ips | Number of leases online. | name, address |
| ipsec_offline_pool_ips | Number of leases offline. | name, address |
| ipsec_ike_sa_established_seconds | Number of seconds since the IKE SA has been established. | name, uid, version, local_host, local_id, remote_host, remote_id, remote_identity, vips |
| ipsec_child_sa_packets_in | Number of input packets processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_packets_out | Number of output packets processed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
| ipsec_child_sa_installed_seconds | Number of seconds since the child SA has been installed. | ike_sa_name, ike_sa_uid, ike_sa_version, ike_sa_local_host, ike_sa_local_id, ike_sa_remote_host, ike_sa_remote_id, ike_sa_remote_identity, ike_sa_vips, name, uid, reqid, mode, protocol, local_ts, remote_ts |
strongswan state mapping
IKE SA
| Name | State value |
|---|---|
| CREATED | 0 |
| CONNECTING | 1 |
| ESTABLISHED | 2 |
| PASSIVE | 3 |
| REKEYING | 4 |
| REKEYED | 5 |
| DELETING | 6 |
| DESTROYING | 7 |
Child SA
| Name | State value |
|---|---|
| CREATED | 0 |
| ROUTED | 1 |
| INSTALLING | 2 |
| INSTALLED | 3 |
| UPDATING | 4 |
| REKEYING | 5 |
| REKEYED | 6 |
| RETRYING | 7 |
| DELETING | 8 |
| DELETED | 9 |
| DESTROYING | 10 |
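
Decoding these values from a scrape, as an added example that is not part of the ipsec_exporter code: it reads Prometheus text output and lists every strongswan SA that is not ESTABLISHED (IKE) or INSTALLED (child). The `Degraded` function, the sample scrape lines and their shortened label sets are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Steady state and value-to-name table per metric, from the strongswan tables above.
var tables = map[string]struct{ steady string; names []string }{
	"ipsec_ike_sa_state": {"ESTABLISHED", []string{"CREATED", "CONNECTING", "ESTABLISHED",
		"PASSIVE", "REKEYING", "REKEYED", "DELETING", "DESTROYING"}},
	"ipsec_child_sa_state": {"INSTALLED", []string{"CREATED", "ROUTED", "INSTALLING",
		"INSTALLED", "UPDATING", "REKEYING", "REKEYED", "RETRYING", "DELETING",
		"DELETED", "DESTROYING"}},
}

// Matches the SA's own name label, not ike_sa_name.
var nameLabel = regexp.MustCompile(`[{,]name="([^"]*)"`)

// Constructed sample scrape output; label sets shortened for readability.
const sampleScrape = `# TYPE ipsec_ike_sa_state gauge
ipsec_ike_sa_state{name="site-a",uid="1",version="2"} 2
ipsec_ike_sa_state{name="site-b",uid="2",version="2"} 1
ipsec_child_sa_state{ike_sa_name="site-a",name="net-a",uid="3",mode="TUNNEL"} 3
ipsec_child_sa_state{ike_sa_name="site-a",name="net-b",uid="4",mode="TUNNEL"} 5
`

// Degraded lists every SA whose state is not the steady one for its metric.
func Degraded(scrape string) []string {
	var out []string
	for _, line := range strings.Split(scrape, "\n") {
		metric, _, hasLabels := strings.Cut(line, "{")
		t, known := tables[metric]
		if !hasLabels || !known {
			continue // comments, blank lines and other metrics
		}
		m := nameLabel.FindStringSubmatch(line)
		v, err := strconv.Atoi(strings.TrimSpace(line[strings.LastIndex(line, "}")+1:]))
		if m == nil || err != nil || v < 0 || v >= len(t.names) {
			out = append(out, "unparsed: "+line) // surface values outside the table
		} else if s := t.names[v]; s != t.steady {
			out = append(out, fmt.Sprintf("%s %s: %s", metric, m[1], s))
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(Degraded(sampleScrape), "\n")) }
```

States such as REKEYING are transient, so an alert built on this check should require the state to persist across several scrapes.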
libreswan state mapping
| Name | State value |
|---|---|
| STATE_MAIN_R0 | 0 |
| STATE_MAIN_I1 | 1 |
| STATE_MAIN_R1 | 2 |
| STATE_MAIN_I2 | 3 |
| STATE_MAIN_R2 | 4 |
| STATE_MAIN_I3 | 5 |
| STATE_MAIN_R3 | 6 |
| STATE_MAIN_I4 | 7 |
| STATE_AGGR_R0 | 8 |
| STATE_AGGR_I1 | 9 |
| STATE_AGGR_R1 | 10 |
| STATE_AGGR_I2 | 11 |
| STATE_AGGR_R2 | 12 |
| STATE_QUICK_R0 | 13 |
| STATE_QUICK_I1 | 14 |
| STATE_QUICK_R1 | 15 |
| STATE_QUICK_I2 | 16 |
| STATE_QUICK_R2 | 17 |
| STATE_INFO | 18 |
| STATE_INFO_PROTECTED | 19 |
| STATE_XAUTH_R0 | 20 |
| STATE_XAUTH_R1 | 21 |
| STATE_MODE_CFG_R0 | 22 |
| STATE_MODE_CFG_R1 | 23 |
| STATE_MODE_CFG_R2 | 24 |
| STATE_MODE_CFG_I1 | 25 |
| STATE_XAUTH_I0 | 26 |
| STATE_XAUTH_I1 | 27 |
| STATE_V2_PARENT_I0 | 29 |
| STATE_V2_PARENT_I1 | 30 |
| STATE_V2_PARENT_I2 | 31 |
| STATE_V2_PARENT_R0 | 32 |
| STATE_V2_PARENT_R1 | 33 |
| STATE_V2_IKE_AUTH_CHILD_I0 | 34 |
| STATE_V2_IKE_AUTH_CHILD_R0 | 35 |
| STATE_V2_NEW_CHILD_I0 | 36 |
| STATE_V2_NEW_CHILD_I1 | 37 |
| STATE_V2_REKEY_IKE_I0 | 38 |
| STATE_V2_REKEY_IKE_I1 | 39 |
| STATE_V2_REKEY_CHILD_I0 | 40 |
| STATE_V2_REKEY_CHILD_I1 | 41 |
| STATE_V2_NEW_CHILD_R0 | 42 |
| STATE_V2_REKEY_IKE_R0 | 43 |
| STATE_V2_REKEY_CHILD_R0 | 44 |
| STATE_V2_ESTABLISHED_IKE_SA | 45 |
| STATE_V2_ESTABLISHED_CHILD_SA | 46 |
| STATE_V2_IKE_SA_DELETE | 47 |
| STATE_V2_CHILD_SA_DELETE | 48 |
Flags
```
./ipsec_exporter --help
```

- `vici.address`: VICI socket address. Example: `unix:///var/run/charon.vici` or `tcp://127.0.0.1:4502`.
- `vici.timeout`: VICI socket connect timeout.
- `collector`: Collector type to scrape metrics with. `vici` or `ipsec`.
- `ipsec.command`: Command to scrape IPsec metrics when the collector is configured to an `ipsec` binary. `ipsec statusall` by default. To use with libreswan, set to `ipsec status`.
- `web.listen-address`: Address to listen on for web interface and telemetry.
- `web.telemetry-path`: Path under which to expose metrics.
- `log.level`: Logging level. `info` by default.
- `log.format`: Set the log target and format. Example: `logger:syslog?appname=bob&local=7` or `logger:stdout?json=true`.
TLS and basic authentication
The ipsec_exporter supports TLS and basic authentication.
To use TLS and/or basic authentication, you need to pass a configuration file
using the --web.config.file parameter. The format of the file is described
in the exporter-toolkit repository.