
Config file (netshot.conf) reference

SCadilhac edited this page Sep 13, 2024 · 22 revisions

Some global options can be configured in the Netshot configuration file.

When started, Netshot will try to find and read a file called netshot.conf in the current directory, then /etc/netshot.conf if the first one wasn't found. If this file is not found at all, Netshot won't start.

In the configuration file, each line must be of the form:

parameter = value

If a line starts with #, it will be ignored.

Some parameters can be re-read and applied upon HUP signal, otherwise Netshot needs to be restarted after a change to the configuration file so the new parameters are taken into account.

The configuration parameters may also be passed to Netshot using environment variables: replace "."s with "_"s and convert to uppercase. Example: netshot.log.file -> NETSHOT_LOG_FILE
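As an added illustration (not code from the Netshot project), the following Python loader reads a netshot.conf in the form described above, applies the environment-variable mapping, and reports the effective values this page marks as unsecure. It assumes an environment variable takes precedence over the file, which the page does not state, and the conf contents are constructed for the example.

```python
import re
from typing import Dict, List, Mapping, Optional

SAMPLE_CONF = """\
# netshot.conf sample, constructed for this example (not a real deployment)
netshot.log.file = /var/log/netshot/netshot.log
netshot.log.level = INFO
netshot.http.ssl.enabled = false
netshot.http.ssl.keystore.pass = netshotpass
netshot.python.allowallaccess = true
"""

LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")

def parse_conf(text: str) -> Dict[str, str]:
    """Read 'parameter = value' lines; blank lines and '#' lines are skipped."""
    cfg: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: expected 'parameter = value', got {raw!r}")
        cfg[match.group(1)] = match.group(2).strip()
    return cfg

def env_name(param: str) -> str:
    """netshot.log.file -> NETSHOT_LOG_FILE: dots to underscores, then uppercase."""
    return param.replace(".", "_").upper()

def lookup(cfg: Mapping[str, str], environ: Mapping[str, str], param: str) -> Optional[str]:
    """Assumption: the environment variable wins over the file (precedence is not stated on the page)."""
    return environ.get(env_name(param), cfg.get(param))

# Effective values this reference marks as unsecure, plus a documented default secret.
RISKY_VALUES = [
    ("netshot.http.ssl.enabled", "false", "embedded web server serves plain HTTP"),
    ("netshot.http.ssl.keystore.pass", "netshotpass", "keystore uses the documented default password"),
    ("netshot.python.allowallaccess", "true", "Python scripts get unrestricted system access"),
    ("netshot.python.filesystemfilter", "false", "file system restriction for Python scripts is off"),
]

def insecure_settings(cfg: Mapping[str, str], environ: Mapping[str, str]) -> List[str]:
    """One finding per risky effective value, after environment overrides are applied."""
    findings = []
    for param, bad, why in RISKY_VALUES:
        if (lookup(cfg, environ, param) or "").strip().lower() == bad:
            findings.append(f"{param}: {why}")
    return findings
```

Running insecure_settings(parse_conf(SAMPLE_CONF), os.environ) before starting Netshot gives a quick pre-flight check of the effective configuration.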

Logging configuration

  • netshot.log.file = /var/log/netshot/netshot.log: sets the location and name of the main Netshot log file. Log files will be automatically rotated (see next settings). The default is netshot.log (current directory).
  • netshot.log.file = CONSOLE: for debugging purposes, lets Netshot output its logs directly to stdout.
  • netshot.log.maxsize = 1: sets the maximum size of the log file to 1MB. The default is 2. The log file will be rotated when reaching this size.
  • netshot.log.count = 10: sets the number of log files to keep. The default is 5.
  • netshot.log.level = INFO: sets the global level of logs to send to the file. The default is WARN. The possible values are OFF, ERROR, WARN, INFO, DEBUG, TRACE, ALL. Changing this level might create lots of logs.
  • netshot.log.class.ClassName = DEBUG: sets the log level of a specific class (replace ClassName with the Netshot class name) to a custom level. This obviously requires some knowledge of the Netshot internal code.
  • netshot.log.audit.file = /var/log/netshot/audit.log: enables logging of audit-related messages (authentication, authorization) to the given file. Setting the audit level to something like INFO is also required.
  • netshot.log.audit.level = INFO: sets the logging level of audit-related messages.
  • netshot.log.syslog1.host = 10.0.16.16: enables remote logging (syslog) to the specified host. Increment the number, e.g. syslog2, syslog3, etc. to configure several syslog destinations.
  • netshot.log.syslog1.port = 514: sets the Syslog remote port.
  • netshot.log.syslog1.facility = LOCAL7: sets the Syslog facility to use for this syslog destination.

Database configuration

  • netshot.db.url = jdbc:postgresql://localhost:5432/netshot01?sslmode=disable: sets the URI to access the Netshot database.
  • netshot.db.username = netshot: sets the username to be used to access the database.
  • netshot.db.password = netshot: sets the password to be used to access the database.
  • netshot.db.encryptionpassword = netshot: sets the password used to encrypt sensitive data (such as device credentials) in the database.
  • netshot.db.readurl = jdbc:postgresql://otherserver:5432/netshot01?sslmode=disable: sets the URI to access a secondary database, in read-only mode. Starting with Netshot 0.17. The default is no secondary database. Please check the High availability guide for more details.

Embedded HTTP server

  • netshot.http.ssl.enabled = true: enables or disables SSL mode (https vs http) of the embedded webserver. The default is true. (Netshot >= 0.15.3)
  • netshot.http.ssl.keystore.file = /usr/local/netshot/netshot.jks: sets the location of the keystore containing the SSL certificate for the embedded HTTPS server. The default is netshot.jks in the current directory. Netshot can't start without this file.
  • netshot.http.ssl.keystore.pass = pass2: sets the password of the keystore containing the SSL certificate for the embedded HTTPS server. The default is netshotpass.
  • netshot.http.baseport = 9443: sets the TCP port of the embedded HTTPS server. The default is 8443.
  • netshot.http.trustxforwardedfor = true: trusts the X-Forwarded-For HTTP header in requests to log the request source IP address (used in the AAA audit log). False by default. Starting with Netshot 0.17.1. Only enable this when Netshot sits behind a reverse proxy that sets the header, since the header is otherwise under the client's control.

Syslog server

The embedded Syslog server listens for Syslog messages to detect when changes are made on devices.

  • netshot.syslog.port = 1514: sets the UDP port to listen for Syslog messages on. The default is 514, which requires root permissions under Linux.
  • netshot.syslog.disabled = true: disables the embedded Syslog server. It is enabled by default.

You can choose to make Netshot listen for Syslog on port 1514 (non root user) and use iptables to rewrite the destination port. See the installation guide.

SNMP trap receiver

The embedded SNMP trap receiver listens for SNMP traps to detect changes on devices.

  • netshot.snmptrap.port = 1162: sets the UDP port to listen for SNMP traps on. The default is 162, which requires root permissions under Linux.
  • netshot.snmptrap.listenaddress = 0.0.0.0: sets the IP address to bind to. The default is 0.0.0.0. Starting with Netshot 0.20.
  • netshot.snmptrap.community = public: sets the SNMP community of the traps sent to Netshot for change detection. The default is "NETSHOT". Starting with Netshot 0.18, the parameter can be a list of communities (separated by spaces).
  • netshot.snmptrap.engineid = 00:01:02:03:04:05: sets the SNMP engine ID. The default is auto-generated at startup. Starting with Netshot 0.19.
  • netshot.snmptrap.user = user1 SHA2|AES128 netshotauth netshotpriv user2 AES256 pass2: sets the SNMPv3 user(s) to authenticate traps from devices. Starting with Netshot 0.19. Multiple entries may be provided (separated by spaces). By default, no SNMPv3 user is defined. The format of one entry is: username protocols [authkey] [privkey] with:
    • username = the SNMPv3 username
    • protocols = a pipe-separated list of authentication (MD5, SHA, HMAC128SHA224, HMAC192SHA256, HMAC256SHA384, HMAC384SHA512) and privacy (encryption) protocols (DES, 3DES, AES128, AES192, AES256) for this username
    • authkey = the authentication key, if and only if at least one authentication protocol was specified in protocols
    • privkey = the privacy key, if and only if at least one privacy protocol was specified in protocols
  • netshot.snmptrap.disabled = true: disables the embedded SNMP trap receiver. It is enabled by default.
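The entry format above only works because the number of key tokens in each entry follows from its protocol list. The parser below, added here as an example and not taken from Netshot, applies that rule to a space-separated value and rejects entries whose keys are missing or whose protocols are not in the lists above. It assumes protocol names are case-sensitive, and the sample value is constructed with the listed protocol names (the page's own example uses SHA2, which is not in the list).

```python
from typing import Dict, List

# Protocol names as listed on this page (treated as case-sensitive here: an assumption).
AUTH_PROTOCOLS = {"MD5", "SHA", "HMAC128SHA224", "HMAC192SHA256", "HMAC256SHA384", "HMAC384SHA512"}
PRIV_PROTOCOLS = {"DES", "3DES", "AES128", "AES192", "AES256"}

def parse_snmptrap_users(value: str) -> List[Dict[str, object]]:
    """Parse 'username protocols [authkey] [privkey] ...' into one dict per user.

    Entries are only separated by spaces, so how many key tokens belong to an
    entry must be derived from its protocol list before the next username is read.
    """
    tokens = value.split()
    users: List[Dict[str, object]] = []
    i = 0
    while i < len(tokens):
        username = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"{username}: missing protocol list")
        protocols = tokens[i + 1].split("|")
        i += 2
        unknown = [p for p in protocols if p not in AUTH_PROTOCOLS and p not in PRIV_PROTOCOLS]
        if unknown:
            raise ValueError(f"{username}: unknown protocol(s) {unknown}")
        auth = [p for p in protocols if p in AUTH_PROTOCOLS]
        priv = [p for p in protocols if p in PRIV_PROTOCOLS]
        entry: Dict[str, object] = {"username": username, "auth": auth, "priv": priv,
                                    "authkey": None, "privkey": None}
        # authkey is present if and only if an authentication protocol was given
        if auth:
            if i >= len(tokens):
                raise ValueError(f"{username}: authentication protocol given but no authkey")
            entry["authkey"] = tokens[i]
            i += 1
        # privkey is present if and only if a privacy protocol was given
        if priv:
            if i >= len(tokens):
                raise ValueError(f"{username}: privacy protocol given but no privkey")
            entry["privkey"] = tokens[i]
            i += 1
        users.append(entry)
    return users

# Constructed value: three users with auth+priv, priv only, and auth only.
SAMPLE_VALUE = "user1 SHA|AES128 netshotauth netshotpriv user2 AES256 pass2 user3 MD5 key3"
```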

You can choose to make Netshot listen for SNMP traps on port 1162 (non root user) and use iptables to rewrite the destination port. See the installation guide.

User authentication

Local authentication:

  • netshot.aaa.passwordpolicy.maxhistory = 5: defines the number of password hashes to keep for each user, in order to check that the same password is not re-used over the last changes. Starting with Netshot 0.20.
  • netshot.aaa.passwordpolicy.maxduration = 10: after this number of days, a user trying to log in will have to change the account password again. Starting with Netshot 0.20.
  • netshot.aaa.passwordpolicy.mintotalchars = 3: the minimum length of a password. Starting with Netshot 0.20.
  • netshot.aaa.passwordpolicy.minspecialchars = 3: the minimum number of special characters (!"#$%&'()*+,-./:;<=>?@\\[\\]\\^_{}|~) in any new password. Starting with Netshot 0.20.
  • netshot.aaa.passwordpolicy.minnumericalchars = 3: the minimum number of numerical characters in any new password. Starting with Netshot 0.20.
  • netshot.aaa.passwordpolicy.minlowercasechars = 3: the minimum number of (latin) lower case characters in any new password. Starting with Netshot 0.20.
  • netshot.aaa.passwordpolicy.minuppercasechars = 3: the minimum number of (latin) upper case characters in any new password. Starting with Netshot 0.20.

RADIUS authentication:

  • netshot.aaa.radius1.ip = 1.2.3.4, netshot.aaa.radius1.authport = 1812, netshot.aaa.radius1.secret = MyKey#1: defines the first RADIUS server to be used for user authentication.
  • You can define up to 3 RADIUS servers.
  • netshot.aaa.radius1.timeout = 10: defines the timeout value (in seconds) for the first RADIUS server. The default is 5 seconds.
  • netshot.aaa.radius.method = mschapv2: sets the RADIUS method to MSCHAPv2 (this is the default). The other options are:
    • netshot.aaa.radius.method = pap: PAP.
    • netshot.aaa.radius.method = chap: CHAP.
    • netshot.aaa.radius.method = eap-md5: EAP-MD5.
    • netshot.aaa.radius.method = eap-mschapv2: EAP-MSCHAPv2.
  • netshot.aaa.radius.nasidentifier = netshotid: adds a NAS Identifier attribute to requests (no identifier is set by default).

TACACS+ authentication:

  • netshot.aaa.tacacs1.ip = 1.2.3.4, netshot.aaa.tacacs1.port = 49, netshot.aaa.tacacs1.secret = MyKey#1: defines the first TACACS+ server to be used for user authentication.
  • You can define up to 3 TACACS+ servers.
  • netshot.aaa.tacacs1.timeout = 5: defines the timeout value (in seconds) for TACACS+ requests. The default is 5 seconds.
  • netshot.aaa.tacacs.method = ascii: sets the TACACS+ inner method. Other options are chap and pap.
  • netshot.aaa.tacacs.accounting = true: enables TACACS+ accounting (all write requests will be logged as TACACS+ accounting messages).
  • netshot.aaa.tacacs.role.attributename = role: defines the name of the attribute (returned by the TACACS+ server) which contains the role for the Netshot user.
  • netshot.aaa.tacacs.role.adminlevelrole = admin: name of the role as returned by the TACACS+ server which would assign admin level to the user.
  • netshot.aaa.tacacs.role.executereadwritelevelrole = execute-read-write: name of the role as returned by the TACACS+ server which would assign execute/read/write level to the user.
  • netshot.aaa.tacacs.role.readwritelevelrole = read-write: name of the role as returned by the TACACS+ server which would assign read/write level to the user.

Other:

  • netshot.aaa.maxidletime = 1200: sets the maximum idle time (in seconds) for a logged-in user, after which the session is disconnected. The default is 1800.

Drivers

  • netshot.drivers.path = /usr/local/netshot/drivers: defines a directory to look in for additional device driver files. By default, Netshot only uses the embedded drivers (in the .jar file).

Snapshots

  • netshot.snapshots.dump = /usr/local/netshot/configs: defines a directory where device configurations are saved after each snapshot task. By default, no directory is defined, so no dump is done.
  • netshot.snapshots.auto.interval = 16: sets the time (in minutes) to wait after a change is detected on a device, before starting a snapshot. The default is 10 minutes.
  • netshot.snapshots.auto.anyip = true: tells Netshot to look at non-management IP addresses to identify a device sending a trap or a Syslog message, when the source IP address of the message is not a known management IP address in Netshot. This feature is disabled by default.
  • netshot.snapshots.binary.path = /var/local/netshot: defines a directory where binary files extracted from devices are saved (for drivers which support this format).

General

  • netshot.tasks.threadcount = 16: the number of tasks that can be executed concurrently. The default is 10.

CLI, SSH and Telnet

  • netshot.cli.telnet.connectiontimeout = 5000: the maximum time to establish a Telnet session with a device (in milliseconds).
  • netshot.cli.telnet.receivetimeout = 60000: the maximum time to wait for data in a Telnet session (in milliseconds).
  • netshot.cli.telnet.commandtimeout = 120000: the maximum time to wait for a command output in a Telnet session (in milliseconds).
  • netshot.cli.ssh.connectiontimeout = 5000: the maximum time to establish an SSH session with a device (in milliseconds).
  • netshot.cli.ssh.receivetimeout = 60000: the maximum time to wait for data in an SSH session (in milliseconds).
  • netshot.cli.ssh.commandtimeout = 120000: the maximum time to wait for a command output in an SSH session (in milliseconds).
  • netshot.cli.ssh.kexalgorithms = diffie-hellman-group16-sha512,diffie-hellman-group14-sha256: a comma-separated list of Key Exchange algorithms for SSH connections to the devices.
  • netshot.cli.ssh.hostkeyalgorithms = rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256: a comma-separated list of host key algorithms for SSH connections to the devices.
  • netshot.cli.ssh.ciphers = aes192-cbc,aes256-gcm@openssh.com: a comma-separated list of symmetric encryption algorithms for the SSH connections to the devices.
  • netshot.cli.ssh.macs = hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com: a comma-separated list of MAC algorithms for the SSH connections to the devices.

JavaScript VM

  • netshot.javascript.maxexecutiontime = 60000: maximum time (in milliseconds) a JavaScript compliance script will be allowed to run - starting with Netshot 0.17.1. The default is 60000 (ms).

Python VM - starting with Netshot 0.16

  • netshot.python.virtualenv = /usr/local/netshot/python/venv: path to a (Graal) Python virtual environment.
  • netshot.python.allowallaccess = true: true to allow all types of access to the system (unsecure!).
  • netshot.python.filesystemfilter = false: false to disable file system access restriction for Python scripts (unsecure!).
  • netshot.python.maxexecutiontime = 60000: maximum time (in milliseconds) a Python compliance script will be allowed to run - starting with Netshot 0.17.1. The default is 60000 (ms).

Clustering - starting with Netshot 0.17

  • netshot.cluster.enabled = true: enables clustering mode (default is false).
  • netshot.cluster.id = [20 lowercase letters or digits]: statically assigns a unique cluster member identifier to the local instance (this is recommended when using cluster mode).
  • netshot.cluster.master.priority = 100: sets the local instance priority to become cluster master (higher value = higher priority).
  • netshot.cluster.runner.priority = 100: sets the local instance priority to execute tasks (higher value = higher priority).
  • netshot.cluster.runner.weight = 100: sets the relative weight of the local instance to execute tasks (if selected as a runner based on the runner priority value).