Comments (7)
dragoangel
commented on August 17, 2024
Also another option is to add label with reason of failures, instead creating other metrics :)
It would be cool if all data that now written to logs about check failures will be available via metric label so user can create alert description that will indicate exact reason of failure. aka:
read tcp x:x->x:x: i/o timeout
dial tcp x:x: operation was canceled
regex: ^x didn't match: ...
dial tcp x:25: connect: connection refused
...
etc
from ssl_exporter.
ribbybibby
commented on August 17, 2024
The up metric records the success/failure of requests from Prometheus -> the exporter. I don't think it would be right for us to return a non-2xx response if the exporter is fine but the issue is with the upstream.
You make a good point about non-TLS related failures though. Perhaps we should ignore errors from the upstream as long as we can successfully establish a TLS connection and extract certificates?
from ssl_exporter.
dragoangel
commented on August 17, 2024
My point that I want to see that host is down or timeout separetly from ssl. This could be explicitly each separate metric but it requires a lot of alerts, or reason could be recorded as a label - then only one alert can cover all issues and throw exact reason of failure
from ssl_exporter.
ribbybibby
commented on August 17, 2024
What are some examples of SSL related errors? TLS verification failing? Is there anything else that can happen?
I suppose bugs in our regex matching for starttls? Or servers that do things in a way we haven't accounted for?
from ssl_exporter.
ribbybibby
commented on August 17, 2024
Putting raw error log strings into metrics strikes me as the wrong approach. Metrics are not designed for that kind of information.
We could have some coarser labels like 'starttls' I guess? What would you actually use this delineation for though? How would you treat a host that is timing out vs a host that is failing the starttls handshake differently?
from ssl_exporter.
dragoangel
commented on August 17, 2024
Yes I would definetly treat host with failed ssl definitely compared of host that down, because it could be server totally off. Alerting that provide exact reason what is going on always better that alert that could be due to different reasons because you need to check all of them. And in historical view - you would know what it was, without going and reading logs of remote ssl exporter that setuped somewhere far away :)
from ssl_exporter.
dragoangel
commented on August 17, 2024
What are some examples of SSL related errors? TLS verification failing? Is there anything else that can happen?
I suppose bugs in our regex matching for starttls? Or servers that do things in a way we haven't accounted for?
For example regex can not match in smtp when server is totally overloaded and do not return any data, just open connection, saw it couple of times
from ssl_exporter.
Related Issues (20)
- OCSP server check? HOT 3
- Container has runAsNonRoot and image has non-numeric user (ssl), cannot verify user is non-root HOT 1
- go-restful lib in 2.4.1 having CRTICAL vulnerability HOT 1
- Consider defaulting to no modules
- Request for `dry-run` feature
- Consider allowing setting up custom headers on the HTTPS module HOT 3
- Crypto Go :we are a research group to help developers build secure applications.
- X-Prometheus-Scrape-Timeout-Seconds and network latency
- ssl_exporter dont export timestamp to prometheus HOT 2
- How can I custom the resolve IP for tls certificate check ? HOT 2
- The Certificate is revoked, but exporter ssl_ocsp_response_status is Good
- What format is the serial number in? HOT 1
- OCSP status HOT 2
- How can I monitor an IPv6 domain name? HOT 1
- Is it possible to use this exporter to monitor PEM files within each pod? HOT 1
- Allow to use remote http\https resources in PEM file module HOT 3
- Monitor expiring bundle certificate HOT 1
- List of all secrets does not work in restricted cluster - SSL Exporter needs to scope secret listing to a single namespace where possible
- Add JKS (Java KeyStore) support? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ssl_exporter.