Configure Secure Malware Analytics Appliance with Prometheus Monitoring Software

Introduction

This document describes the steps to export Secure Malware Analytics Appliance service metrics data to Prometheus Monitoring Software.

Contributed by Cisco TAC Engineers.

Prerequisites

Cisco recommends that you have knowledge of Secure Malware Analytics Appliance and Prometheus software.

Requirements

• Secure Malware Analytics Appliance (version 2.13  onwards)
• Prometheus software license

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

The Riemann/Elastic search-based monitoring system running on the Appliance is replaced by Prometheus-based monitoring from Secure Malware Analytics Appliance version 2.13 onwards.

Note: The main purpose of this integration is to monitor the statistics of your Secure Malware Analytics Appliance using Prometheus Monitoring System software. This includes an interface, traffic statistics, etc.

Configure

Step 1. Log in to Secure Malware Analytics Appliance, navigate to Operations > Metrics in order to find the API key and Basic Authentication Password.

Step 2. Install Prometheus Server software: https://prometheus.io/download/

Step 3. Create a .yml file, it must be calledprometheus.yml and it must has this details:

scrape_configs: 
  - job_name: 'metrics' 
bearer_token_file: 'token.jwt' 
scheme: https 

file_sd_configs: 
  - files: 
    - 'targets.json' 

relabel_configs: 
   - source_labels: [__address__] 
    regex: '[^/]+(/.*)'                             # capture '/...' part 
    target_label: __metrics_path__                  # change metrics path 
   - source_labels: [__address__] 
    regex: '([^/]+)/.*'                             # capture host:port 
    target_label: __address__                       # change target

Step 4. Run the CLI command in order to generate a JWT Token for authentication, as it is specified in the configuration file above:

curl -k -s -XPOST -d 'user=threatgrid&password=<TGA Password>&method=password' "https://_opadmin IP_:443/auth?method=password" | tee token.jwt

Step 5. Run this command to verify the Expiration Date field for the token (1 Hour Validity).

awk -F. '{print $2}' token.jwt | base64 --decode 2>/dev/null | sed -e 's;\([^}]\)$;\1};' | jq .

Command output example below:

{ 
  "user": "threatgrid", 
  "pw_method": "password", 
  "addr": "<Removed>", 
  "exp": 1604098219, 
  "iat": 1604094619, 
  "iss": "<Removed>", 
  "nbf": 1604094619 
}

Note: The time is displayed in Epoch format.

Step 6. Pull the configuration of services, after login into opadmin interface, enter this line from the UI:

https://_opadmin IP_/metrics/v1/config

Step 7. After restarting the Prometheus service, the configuration is activated.

Step 8. Access the Prometheus page:

http://localhost:9090/graph

You can see the Secure Malware Analytics Appliance services in "UP" state, as shown in the mage.

Verify

You can see the data is received from the Secure Malware Analytics Applianced devices, review the metrics in base on your own requirements, as shown in the mage.

Note: This feature works only to collect specific data. Data flow management is the responsibility of the Prometheus server.
There is no supported troubleshooting from Cisco TAC side, you can reach out 3rd party vendor support for additional feature support.