StoredSafe Metrics via SNMPv3

Note

Health metrics via SNMPv3 are available from StoredSafe versions later than 4.1.0 (build 7120).

Overview

StoredSafe exposes health and operational metrics via SNMPv3 using the standard NET-SNMP-EXTEND-MIB. All monitoring access is read-only and performed via SNMP.

Only SNMPv3 is supported. SNMPv1 and SNMPv2c are intentionally not available.

Architecture

StoredSafe uses a two-stage metrics architecture designed for stability, security, and low operational overhead.

1) Internal audit (scheduled)

An internal audit process runs periodically (typically every 5 minutes). The audit:

• evaluates system state (backups, database, storage, RAID, certificates, licenses, etc.)

• evaluates rolling 7-day activity statistics

• writes the current state to an internal status file

This process is fully controlled by the appliance and cannot be triggered, modified, or influenced by customers.

2) Metrics exposure (on-demand via SNMP extend)

When a monitoring system polls the SNMP extend OID, the appliance executes a lightweight metrics script. The script:

• reads the most recent audit results

• formats them as numeric metrics

• returns the result via SNMP

Polling metrics:

• does not trigger audits

• does not trigger backups

• does not change system state

It only returns the most recently audited state.

Output format

Metrics are returned as plain text using the format:

key value

• One metric per line

• All values are numeric

• Metric names are stable

This format is intentionally simple and deterministic to support SNMP-based monitoring systems.

Recommended SNMP object

StoredSafe exposes metrics via Net-SNMP extend.

Recommended (one metric per line):

• MIB: NET-SNMP-EXTEND-MIB

• Object: nsExtendOutLine

• Extend name: metrics

This returns one metric per SNMP instance, which is easier to consume for monitoring systems.

Compatibility / debugging:

• Object: nsExtendOutputFull

• Returns the full output as a single multi-line string

Both objects expose identical data.

Numeric OID reference

The extend token metrics is exposed via the following numeric OID:

1.3.6.1.4.1.8072.1.3.2.4.1.2.7.109.101.116.114.105.99.115

This corresponds to:

• NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics"

• string index "metrics" (length 7, ASCII-encoded)

Example (nsExtendOutLine)

NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".1 = STRING: "metrics_schema 1"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".2 = STRING: "uptime_s 1922817"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".3 = STRING: "cpu_count 1"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".4 = STRING: "cpu_util_pct 8"
...
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".71 = STRING: "version_major 4"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".72 = STRING: "version_minor 1"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".73 = STRING: "version_patch 0"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".74 = STRING: "version_build 7120"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".75 = STRING: "version_full 4107120"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".76 = STRING: "version_info v4.1.0 build 7120"
NET-SNMP-EXTEND-MIB::nsExtendOutLine."metrics".77 = ok 1

Example output (healthy)

metrics_schema 1
uptime_s 1925456
cpu_count 1
cpu_util_pct 7
cpu_load1 0.0
physmem_total 2029895680
mem_used_pct 38
disk_free 39166111744
disk_free_pct 70
disk_used 14703271936
disk_used_pct 26
disk_total 56263483392
raid_ok 1
critical_drives 0
failed_drives 0
degraded_drives 0
audit_last_update_epoch 1768423806
audit_stale_s 119
db_ok 1
db_latency_ms 2
backup_completed_ok 1
backup_completed_last_ok_epoch 1768348810
backup_completed_age_s 75115
backup_completed_stale 0
backup_completed_error 0
backup_completed_missing 0
backup_transfer_ok 1
backup_transfer_last_ok_epoch 1768351503
backup_transfer_age_s 72422
backup_transfer_stale 0
backup_transfer_error 0
backup_transfer_missing 0
backup_occupies_bytes 135422165
violations 1
violations_count 2
warnings 0
warnings_count 0
noauth_warnings 0
noauth_warnings_count 0
crl_fetch_error 0
crl_invalid_file 0
crl_invalid_signature 0
crl_expired 0
stats7d_auth_failure 10
stats7d_weak_passphrase 14
stats7d_login 14
stats7d_decrypt 0
stats7d_vaults_deleted 2
stats7d_objects_deleted 1
stats7d_vaults_created 0
stats7d_objects_created 0
active_users 176
deactivated_users 136
licensed_users 100
active_vaults 165
active_objects 12020
deleted_vaults_total 251
deleted_objects_total 3489
password_licensed 1
file_licensed 1
certificate_licensed 1
2fa_licensed 1
password_expires_epoch 0
file_expires_epoch 1822348800
certificate_expires_epoch 1822348800
2fa_expires_epoch 1822348800
password_expired 0
file_expired 0
certificate_expired 0
2fa_expired 0
version_major 4
version_minor 1
version_patch 0
version_build 7120
version_full 4107120
version_info v4.1.0 build 7120
ok 1

Metric semantics

Metrics schema and system information

metrics_schema

Integer identifier for the metrics output schema. This value is incremented when the metrics output format or semantics change in a backward-incompatible way.

cpu_count

Number of CPU cores detected by the system during audit.

cpu_util_pct

Average CPU utilization percentage at audit time.

physmem_total

Total physical memory available to the system (bytes).

version_info

Human-readable version string intended for dashboards and inventory views.

Overall health

ok

Overall health indicator.

• 1 = system healthy

• 0 = immediate attention required

The value is derived from the audited state. Mandatory backup failures will force ok = 0.

Audit freshness

audit_last_update_epoch

Unix epoch timestamp of the last successful audit update.

audit_stale_s

Seconds since the last audit update. If the audit process stops running, this value increases continuously.

CPU metrics

cpu_load1

System load average over 1 minute.

cpu_util_pct

Percentage of CPU time spent executing non-idle tasks.

Database health

db_ok

1 if database connectivity and a test query succeeded during audit, otherwise 0.

db_latency_ms

Database round-trip time measured during audit (milliseconds).

Storage and RAID

raid_ok

Indicates RAID health. A value of 0 is considered critical and will force the overall ok metric to 0.

critical_drives / degraded_drives / failed_drives

Drive-level health indicators derived from the audit.

Disk capacity metrics

disk_total / disk_used / disk_free

Disk capacity values reported in bytes.

disk_used_pct / disk_free_pct

Disk usage percentages derived from allocatable capacity.

Note

Disk capacity metrics represent allocatable storage as evaluated by the audit process. Percentages may not sum to 100% due to reserved space and filesystem metadata.

Backup metrics (mandatory)

Backups are mandatory and enforced by the platform.

backup_completed_ok / backup_transfer_ok

1 if the audit recorded a recent successful backup/transfer with no warnings. 0 if the audit detected missing backups, errors, or missing log entries.

A value of 0 is considered critical and results in ok = 0.

backup_*_last_ok_epoch

Unix epoch timestamp of the last successful backup/transfer. Reported as 0 when the corresponding *_ok is 0.

backup_*_age_s

Age in seconds of the last successful backup/transfer. Reported as 0 when the corresponding *_ok is 0.

backup_*_stale / backup_*_error / backup_*_missing

Optional classification flags derived from audit warnings. These simplify alert routing but are not required for parsing.

backup_occupies_bytes

Estimated backup storage footprint (bytes) as recorded during audit.

Violations and warnings

violations

1 if at least one license or policy violation exists. Violations are typically administrative, not outage conditions.

violations_count

Total number of active violations detected during audit.

warnings

1 if at least one warning condition exists.

warnings_count

Total number of active warnings detected during audit.

Note

violations and warnings are convenience flags derived from the corresponding *_count metrics.

mTLS / CRL related warnings

noauth_warnings / noauth_warnings_count

Indicates issues that may affect certificate-based (mTLS) authentication.

crl_fetch_error / crl_invalid_file / crl_invalid_signature / crl_expired

Fine-grained CRL-related indicators.

7-day activity statistics

Rolling 7-day totals (GAUGE semantics):

• stats7d_auth_failure

• stats7d_weak_passphrase

• stats7d_login

• stats7d_decrypt

• stats7d_vaults_deleted / stats7d_objects_deleted

• stats7d_vaults_created / stats7d_objects_created

Note

If a specific activity has not occurred during the last 7 days, the corresponding stats7d_* metric is reported as 0.

Current inventory

active_users / deactivated_users / active_vaults / active_objects

Current inventory counts from the most recent audit.

licensed_users

Number of users permitted by the active license.

User and object metrics semantics

StoredSafe exposes both cumulative counters and current state metrics. It is important to distinguish between these categories when building dashboards and alerts.

Object and vault state

The following metrics represent the current state of the system and may increase or decrease over time:

• active_vaults

• active_objects

Object and vault counters

The following metrics are cumulative counters and represent totals since the StoredSafe system was installed:

• deleted_vaults_total

• deleted_objects_total

These values are monotonically increasing and are not reset when objects or vaults are removed. They are intended for historical insight and capacity trend analysis, not for alerting on instantaneous state.

User state metrics

User-related metrics reflect the current operational state of the system.

• active_users Number of users that are enabled and allowed to authenticate (users with the ACTIVE status flag set).

• deactivated_users Number of users that are disabled and not allowed to authenticate (users with the ACTIVE status flag unset).

These metrics represent a point-in-time snapshot and may increase or decrease as user accounts are activated or deactivated.

Note

active_users does not indicate currently logged-in users. It represents the number of accounts that are permitted to log in at the time of polling.

License and feature status

*_licensed

Indicates whether the corresponding feature is licensed.

• 1 = licensed

• 0 = not licensed

Available metrics: - password_licensed - file_licensed - certificate_licensed - 2fa_licensed

*_expires_epoch

Unix epoch timestamp when the corresponding license expires. 0 indicates no expiration.

*_expired

1 if the feature license is expired. 0 otherwise.

Metric usage guidance

• Use cumulative counters for trend analysis and reporting.

• Use state metrics (such as active_users and deactivated_users) for dashboards and operational visibility.

• Avoid alerting on cumulative counters directly, as they are not expected to decrease.

Version information

version_major / version_minor / version_patch / version_build

StoredSafe release information.

version_full

Numeric composite version, useful for comparisons:

major*1_000_000 + minor*100_000 + patch*1_000 + build

Example:

4.1.0 build 7034 → 4107034

version_info

Human-readable version string, intended for dashboards and inventory systems.

Polling behavior

• SNMP polling executes the metrics script only.

• Polling does not affect audit cadence or backups.

• Recommended polling interval: ≥300 seconds.

Note

Consumers should use metrics_schema to detect incompatible output changes rather than relying on version numbers alone.

Security

• SNMPv3 with authentication and encryption is required.

• Access is read-only.

• No secrets, credentials, or sensitive payload data are exposed.