SNMPD.INTERNAL
Section: Net-SNMP (5)Updated: 06 Dec 2005
Index Return to Main Contents
NAME
snmpd.internal - internal configuration of the Net-SNMP agentDESCRIPTION
The snmpd.conf(5) man page defines the syntax and behaviour of the main configuration directives that can be used to control the operation of the Net-SNMP agent, and the management information it provides.However there are several other configuration directives (many of which, though not all, start with a leading underscore) that are recognised by the agent. These are typically used to retain configuration across agent restarts, and are not intended for direct user access. This man page list these directives, giving a brief indication of where they are used. For full details - see the relevant source files. If you can't follow that source, you probably shouldn't be fiddling with these directives!
AGENT BEHAVIOUR
- quit
ACCESS CONTROL
VACM Configuration
- vacmView / vacmGroup / vacmAccess
- These directives are used to retain dynamically configured access control settings.
SYSTEM INFORMATION
System Group
- setSerialNo
- This directive is used to implement the advisory lock object snmpSetSerialNo.
- psyslocation / psyscontact / psysname
- These directives are used to retain dynamically configured system settings. They will be overridden by the corresponding sysLocation, sysContact and sysName directives.
ACTIVE MONITORING
Notification Handling
- pauthtrapenable
- This directive is used to retain the dynamically configured setting of whether the agent should generate authenticationFailure traps. It will be overridden by the corresponding authtrapenable directive.
- snmpNotify*Table
- targetAddr / targetParams
- These directives are used to retain dynamically configured notification destination settings.
DisMan Event MIB
- _mteE*Table, _mteOTable, _mteT*Table
- These directives are used to retain dynamically configured event, object and monitor trigger settings.
- mteObjectsTable / mteTriggerTable
- These directives are for compatibility with the previous disman/event-mib implementation.
DisMan Schedule MIB
- _schedTable
- This directive is used to retain dynamically configured scheduled events.
EXTENDING AGENT FUNCTIONALITY
Arbitrary Extension Commands
- extend-sh
- exec2 / sh2 / execFix2
- These directives were defined by analogy with equivalent directives in the previous ucd-snmp/extensible implementation. They are deprecated, and should not be used.
FILES
/etc/snmp/snmpd.confSEE ALSO
snmpconf(1), snmpd.conf(5), snmp.conf(5), snmp_config(5), snmpd(8), EXAMPLE.conf, netsnmp_config_api(3).
Index
- NAME
- DESCRIPTION
- AGENT BEHAVIOUR
- ACCESS CONTROL
- SYSTEM INFORMATION
- ACTIVE MONITORING
- EXTENDING AGENT FUNCTIONALITY
- FILES
- SEE ALSO
This document was created by man2html, using the manual pages.
Time: 04:45:54 GMT, September 16, 2022 Content-type: text/html; charset=UTF-8
SNMPD.EXAMPLES
Section: Net-SNMP (5)Updated: 13 Oct 2006
Index Return to Main Contents
NAME
snmpd.examples - example configuration for the Net-SNMP agentDESCRIPTION
The snmpd.conf(5) man page defines the syntax and behaviour of the various configuration directives that can be used to control the operation of the Net-SNMP agent, and the management information it provides.This companion man page illustrates these directives, showing some practical examples of how they might be used.
AGENT BEHAVIOUR
Listening addresses
The default agent behaviour (listing on the standard SNMP UDP port on all interfaces) is equivalent to the directive:- agentaddress udp:161
- agentaddress 161
- agentaddress localhost:161 # (udp implicit)
- agentaddress 127.0.0.1 # (udp and standard port implicit)
- agentaddress udp:161,tcp:161,udp6:161,tcp6:161
Run-time privileges
The agent can be configured to relinquish any privileged access once it has opened the initial listening ports. Given a suitable "snmp" group (defined in /etc/group), this could be done using the directives:-
agentuser nobody agentgroup snmp
-
agentuser #10 agentgroup #10
SNMPv3 Configuration
Rather than being generated pseudo-randomly, the engine ID for the agent could be calculated based on the MAC address of the second network interface (eth1), using the directives:- engineIDType 3 engineIDNic eth1
- engineIDType 1
- engineID "XXX - WHAT FORMAT"
ACCESS CONTROL
SNMPv3 Users
The following directives will create three users, all using exactly the same authentication and encryption settings:-
createUser me MD5 "single pass phrase" createUser myself MD5 "single pass phrase" DES createUser andI MD5 "single pass phrase" DES "single pass phrase"
Separate pass phrases can be specified for authentication and encryption:
- createUser onering SHA "to rule them all" AES "to bind them"
Traditional Access Control
The SNMPv3 users defined above can be granted access to the full MIB tree using the directives:-
rouser me rwuser onering
-
rouser myself .1.3.6.1.2 rwuser andI system
Note that a combination repeating the same user, such as:
-
rouser onering rwuser onering
The directives:
-
rocommunity public rwcommunity private
-
- Note:
- It would also be a very good idea to change private to something a little less predictable!
A slightly less vulnerable configuration might restrict what information could be retrieved:
- rocommunity public default system
- rwcommunity private 10.10.10.0/24
VACM Configuration
This last pair of settings are equivalent to the full VACM definitions:-
# sec.name source community com2sec public default public com2sec mynet 10.10.10.0/24 private com2sec6 mynet fec0::/64 private # sec.model sec.name group worldGroup v1 public group worldGroup v2c public group myGroup v1 mynet group myGroup v2c mynet # incl/excl subtree [mask] view all included .1 view sysView included system # context model level prefix read write notify (unused) access worldGroup "" any noauth exact system none none access myGroup "" any noauth exact all all none
There are several points to note in this example:
The group directives must be repeated for both SNMPv1 and SNMPv2c requests.
The com2sec security name is distinct from the community string that is mapped to it. They can be the same ("public") or different ("mynet"/"private") - but what appears in the group directive is the security name, regardless of the original community string.
Both of the view directives are defining simple OID subtrees, so neither of these require an explicit mask. The same holds for the "combined subtree2 view defined below. In fact, a mask field is only needed when defining row slices across a table (or similar views), and can almost always be omitted.
In general, it is advisible not to mix traditional and VACM-based access configuration settings, as these can sometimes interfere with each other in unexpected ways. Choose a particular style of access configuration, and stick to it.
Typed-View Configuration
A similar configuration could also be configured as follows:-
view sys2View included system view sys2View included .1.3.6.1.2.1.25.1 authcommunity read public default -v sys2View authcommunity read,write private 10.10.10.0/8
This mechanism allows multi-subtree (or other non-simple) views to be used with the one-line rocommunity style of configuration.
It would also support configuring "write-only" access, should this be required.
SYSTEM INFORMATION
System Group
The full contents of the 'system' group (with the exception of sysUpTime) can be explicitly configured using:-
# Override 'uname -a' and hardcoded system OID - inherently read-only values sysDescr Universal Turing Machine mk I sysObjectID .1.3.6.1.4.1.8072.3.2.1066 # Override default values from 'configure' - makes these objects read-only sysContact Alan.Turing@pre-cs.man.ac.uk sysName tortoise.turing.com sysLocation An idea in the mind of AT # Standard end-host behaviour sysServices 72
Host Resources Group
The list of devices probed for potential inclusion in the hrDiskStorageTable (and hrDeviceTable) can be amended using any of the following directives:- ignoredisk /dev/rdsk/c0t2d0
-
ignoredisk /dev/rdsk/c0t[!6]d0 ignoredisk /dev/rdsk/c0t[0-57-9a-f]d0
- ignoredisk /dev/rdsk/c1*
- ignoredisk /dev/rdsk/c?t0d0
Process Monitoring
The list of services running on a system can be monitored (and provision made for correcting any problems), using:-
# At least one web server process must be running at all times proc httpd procfix httpd /etc/rc.d/init.d/httpd restart # There should never be more than 10 mail processes running # (more implies a probable mail storm, so shut down the mail system) proc sendmail 10 procfix sendmail /etc/rc.d/init.d/sendmail stop # There should be a single network management agent running # ("There can be only one") proc snmpd 1 1
Disk Usage Monitoring
The state of disk storage can be monitored using:-
includeAllDisks 10% disk /var 20% disk /usr 3% # Keep 100 MB free for crash dumps disk /mnt/crash 100000
System Load Monitoring
A simple check for an overloaded system might be:- load 10
- load 30 10 5
Log File Monitoring
TODO- file FILE [MAXSIZE]
- logmatch NAME PATH CYCLETIME REGEX
ACTIVE MONITORING
Notification Handling
Configuring the agent to report invalid access attempts might be done by:-
authtrapenable 1 trapcommunity public trap2sink localhost
- informsink localhost public
-
trapsink localhost trap2sink localhost informsink localhost
TODO - discuss SNMPv3 traps
- trapsess snmpv3 options localhost:162
TODO - mention trapd access configuration
DisMan Event MIB
The simplest configuration for active self-monitoring of the agent, by the agent, for the agent, is probably:-
# Set up the credentials to retrieve monitored values createUser _internal MD5 "the first sign of madness" iquerySecName _internal rouser _internal # Active the standard monitoring entries defaultMonitors yes linkUpDownNotifications yes # If there's a problem, then tell someone! trap2sink localhost
The first block sets up a suitable user for retrieving the information to by monitored, while the following pair of directives activates various built-in monitoring entries.
Note that the DisMan directives are not themselves sufficient to actively report problems - there also needs to be a suitable destination configured to actually send the resulting notifications to.
A more detailed monitor example is given by:
- monitor -u me -o hrSWRunName "high process memory" hrSWRunPerfMem > 10000
This defines an explicit boolean monitor entry, looking for any process using more than 10MB of active memory. Such processes will be reported using the (standard) DisMan trap mteTriggerFired, but adding an extra (wildcarded) varbind hrSWRunName.
This entry also specifies an explicit user (me, as defined earlier) for retrieving the monitored values, and building the trap.
Objects that could potentially fluctuate around the specified level are better monitored using a threshold monitor entry:
- monitor -D -r 10 "network traffic" ifInOctets 1000000 5000000
This will send a mteTriggerRising trap whenever the incoming traffic rises above (roughly) 500 kB/s on any network interface, and a corresponding mteTriggerFalling trap when it falls below 100 kB/s again.
Note that this monitors the deltas between successive samples (-D) rather than the actual sample values themselves. The same effect could be obtained using:
- monitor -r 10 "network traffic" ifInOctets - - 1000000 5000000
The linkUpDownNotifications directive above is broadly equivalent to:
-
notificationEvent linkUpTrap linkUp ifIndex ifAdminStatus ifOperStatus notificationEvent linkDownTrap linkDown ifIndex ifAdminStatus ifOperStatus monitor -r 60 -e linkUpTrap "Generate linkUp" ifOperStatus != 2 monitor -r 60 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
This defines the traps to be sent (using notificationEvent), and explicitly references the relevant notification in the corresponding monitor entry (rather than using the default DisMan traps).
The defaultMonitors directive above is equivalent to a series of (boolean) monitor entries:
-
monitor -o prNames -o prErrMessage "procTable" prErrorFlag != 0 monitor -o memErrorName -o memSwapErrorMsg "memory" memSwapError != 0 monitor -o extNames -o extOutput "extTable" extResult != 0 monitor -o dskPath -o dskErrorMsg "dskTable" dskErrorFlag != 0 monitor -o laNames -o laErrMessage "laTable" laErrorFlag != 0 monitor -o fileName -o fileErrorMsg "fileTable" fileErrorFlag != 0
An alternative approach would be to automatically invoke the corresponding "fix" action:
-
setEvent prFixIt prErrFix = 1 monitor -e prFixIt "procTable" prErrorFlag != 0
DisMan Schedule MIB
The agent could be configured to reload its configuration once an hour, using:- repeat 3600 versionUpdateConfig.0 = 1
Alternatively this could be configured to be run at specific times of day (perhaps following rotation of the logs):
- cron 10 0 * * * versionUpdateConfig.0 = 1
The one-shot style of scheduling is rather less common, but the secret SNMP virus could be activated on the next occurance of Friday 13th using:
- at 13 13 13 * 5 snmpVirus.0 = 1
EXTENDING AGENT FUNCTIONALITY
Arbitrary Extension Commands
Old Style-
exec [MIBOID] NAME PROG ARGS" sh [MIBOID] NAME PROG ARGS" execfix NAME PROG ARGS"
-
extend [MIBOID] NAME PROG ARGS" extendfix [MIBOID] NAME PROG ARGS"
MIB-Specific Extension Commands
One-Shot- "pass [-p priority] MIBOID PROG"
-
Persistent
- "pass_persist [-p priority] MIBOID PROG"
Embedded Perl Support
If embedded perl support is enabled in the agent, the default initialisation is equivalent to the directives:-
disablePerl false perlInitFile /usr/share/snmp/snmp_perl.pl
-
perl use Data::Dumper; perl sub myroutine { print "got called: ",Dumper(@_),"\n"; } perl $agent->register('mylink', '.1.3.6.1.8765', \&myroutine);
This relies on the $agent object, defined in the example snmp_perl.pl file.
A more realistic MIB handler might be:
-
XXX - WHAT ???
- perl 'do /usr/share/snmp/perl_example.pl';
Dynamically Loadable Modules
TODO- dlmod NAME PATH"
Proxy Support
A configuration for acting as a simple proxy for two other SNMP agents (running on remote systems) might be:-
com2sec -Cn rem1context rem1user default remotehost1 com2sec -Cn rem2context rem2user default remotehost2 proxy -Cn rem1context -v 1 -c public remotehost1 .1.3 proxy -Cn rem2context -v 1 -c public remotehost2 .1.3
The same proxy directives would also work with (incoming) SNMPv3 requests, which can specify a context directly. It would probably be more sensible to use contexts of remotehost1 and remotehost2 - the names above were chosen to indicate how these directives work together.
Note that the administrative settings for the proxied request are specified explicitly, and are independent of the settings from the incoming request.
An alternative use for the proxy directive is to pass part of the OID tree to another agent (either on a remote host or listening on a different port on the same system), while handling the rest internally:
- proxy -v 1 -c public localhost:6161 .1.3.6.1.4.1.99
A less usual approach is to map one subtree into a different area of the overall MIB tree (either locally or on a remote system):
-
# uses SNMPv3 to access the MIB tree .1.3.6.1.2.1.1 on 'remotehost' # and maps this to the local tree .1.3.6.1.3.10 proxy -v 3 -l noAuthNoPriv -u user remotehost .1.3.6.1.3.10 .1.3.6.1.2.1.1
SMUX Sub-Agents
-
smuxsocket 127.0.0.1 smuxpeer .1.3.6.1.2.1.14 ospf_pass
AgentX Sub-Agents
The Net-SNMP agent could be configured to operate as an AgentX master agent (listening on a non-standard named socket, and running using the access privileges defined earlier), using:-
master agentx agentXSocket /tmp/agentx/master agentXPerms 0660 0550 nobody snmp
-
netsnmp_ds_set_string(NETSNMP_DS_APPLICATION_ID, NETSNMP_DS_AGENT_X_SOCKET, "/tmp/agentx/master");
A loopback networked AgentX configuration could be set up using:
-
agentXSocket tcp:localhost:705 agentXTimeout 5 agentXRetries 2
-
agentXSocket tcp:localhost:705 agentXTimeout 10 agentXRetries 1 agentXPingInterval 600
Note that the timeout and retry settings can be asymmetric for the two directions, and the sub-agent can poll the master agent at regular intervals (600s = every 10 minutes), to ensure the connection is still working.
OTHER CONFIGURATION
- override sysDescr.0 octet_str "my own sysDescr"
- injectHandler stash_cache NAME table_iterator
FILES
/etc/snmp/snmpd.confSEE ALSO
snmpconf(1), snmpd.conf(5), snmp.conf(5), snmp_config(5), snmpd(8), EXAMPLE.conf, netsnmp_config_api(3).
Index
- NAME
- DESCRIPTION
- AGENT BEHAVIOUR
- ACCESS CONTROL
- SYSTEM INFORMATION
- ACTIVE MONITORING
- EXTENDING AGENT FUNCTIONALITY
- OTHER CONFIGURATION
- FILES
- SEE ALSO
This document was created by man2html, using the manual pages.
Time: 04:45:56 GMT, September 16, 2022
0 댓글