Provided by: snmpd_5.9.3+dfsg-1ubuntu1_amd64 
NAME
snmpd.conf - configuration file for the Net-SNMP SNMP agent
DESCRIPTION
The Net-SNMP agent uses one or more configuration files to control its operation and the
management information provided. These files (snmpd.conf and snmpd.local.conf) can be
located in one of several locations, as described in the snmp_config(5) manual page.
The (perl) application snmpconf can be used to generate configuration files for the most
common agent requirements. See the snmpconf(1) manual page for more information, or try
running the command:
snmpconf -g basic_setup
There are a large number of directives that can be specified, but these mostly fall into
four distinct categories:
• those controlling who can access the agent
• those configuring the information that is supplied by the agent
• those controlling active monitoring of the local system
• those concerned with extending the functionality of the agent.
Some directives don't fall naturally into any of these four categories, but this covers
the majority of the contents of a typical snmpd.conf file. A full list of recognised
directives can be obtained by running the command:
snmpd -H
AGENT BEHAVIOUR
Although most configuration directives are concerned with the MIB information supplied by
the agent, there are a handful of directives that control the behaviour of snmpd
considered simply as a daemon providing a network service.
agentaddress [<transport-specifier>:]<transport-address>[,...]
defines a list of listening addresses, on which to receive incoming SNMP requests.
See the section LISTENING ADDRESSES in the snmpd(8) manual page for more
information about the format of listening addresses.
The default behaviour is to listen on UDP port 161 on all IPv4 interfaces.
agentgroup {GROUP|#GID}
changes to the specified group after opening the listening port(s). This may refer
to a group by name (GROUP), or a numeric group ID starting with '#' (#GID).
agentuser {USER|#UID}
changes to the specified user after opening the listening port(s). This may refer
to a user by name (USER), or a numeric user ID starting with '#' (#UID).
leave_pidfile yes
instructs the agent to not remove its pid file on shutdown. Equivalent to
specifying "-U" on the command line.
maxGetbulkRepeats NUM
Sets the maximum number of responses allowed for a single variable in a getbulk
request. Set to 0 to enable the default and set it to -1 to enable unlimited.
Because memory is allocated ahead of time, setting this to unlimited is not
considered safe if your user population can not be trusted. A repeat number
greater than this will be truncated to this value.
This is set by default to -1.
maxGetbulkResponses NUM
Sets the maximum number of responses allowed for a getbulk request. This is set by
default to 100. Set to 0 to enable the default and set it to -1 to enable
unlimited. Because memory is allocated ahead of time, setting this to unlimited is
not considered safe if your user population can not be trusted.
In general, the total number of responses will not be allowed to exceed the
maxGetbulkResponses number, and the total number returned will be an integer
multiple of the number of variables requested times the calculated number of
repeats allow to fit below this number.
Also note that processing of maxGetbulkRepeats is handled first.
ifmib_max_num_ifaces NUM
Sets the maximum number of interfaces included in IF-MIB data collection. For
servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB
processing will take a large chunk of CPU for ioctl calls (on Linux). Setting a
reasonable maximum for the CPU used will reduce the CPU load for IF-MIB processing.
For example, configuring "ifmib_max_num_ifaces 500" will include only the first 500
interfaces based on ifindex and ignore all others for IF-MIB processing.
The default (without this configured) is to include all interfaces.
include_ifmib_iface_prefix PREFIX1 PREFIX2 ...
Sets the interface name prefixes to include in the IF-MIB data collection. For
servers with a large number of interfaces (ppp, dummy, bridge, etc) the IF-MIB
processing will take a large chunk of CPU for ioctl calls (on Linux). A set of
space separated interface name prefixes will reduce the CPU load for IF-MIB
processing. For example, configuring "include_ifmib_iface_prefix eth dummy lo"
will include only interfaces with these prefixes and ignore all others for IF-MIB
processing. If regex support is compiled in, each of the prefixes is a regular
expression (which is not permitted to contain a space or tab character).
The default (without this configured) is to include all interfaces.
SNMPv3 Configuration - Real Security
SNMPv3 is added flexible security models to the SNMP packet structure so that multiple
security solutions could be used. SNMPv3 was original defined with a "User-based Security
Model" (USM) [RFC3414] that required maintaining a SNMP-specific user database. This was
later determined to be troublesome to maintain and had some minor security issues. The
IETF has since added additional security models to tunnel SNMP over SSH [RFC5592] and
DTLS/TLS [RFC-to-be]. Net-SNMP contains robust support for SNMPv3/USM, SNMPv3/TLS, and
SNMPv3/DTLS. It contains partial support for SNMPv3/SSH as well but has not been as
extensively tested. It also contains code for support for an experimental Kerberos based
SNMPv3 that never got standardized.
Hopefully more SNMP software and devices will eventually support SNMP over (D)TLS or SSH,
but it is likely that devices with original support for SNMP will only contain support for
USM users. If your network manager supports SNMP over (D)TLS or SNMP over SSH we suggest
you use one of these mechanisms instead of using USM, but as always with Net-SNMP we give
you the options to pick from so you can make the choice that is best for you.
SNMPv3 generic parameters
These parameters are generic to all the forms of SNMPv3. The SNMPv3 protocol defines
"engineIDs" that uniquely identify an agent. The string must be consistent through time
and should not change or conflict with another agent's engineID. Ever. Internally, Net-
SNMP by default creates a unique engineID that is based off of the current system time and
a random number. This should be sufficient for most users unless you're embedding our
agent in a device where these numbers won't vary between boxes on the devices initial
boot.
EngineIDs are used both as a "context" for selecting information from the device
and SNMPv3 with USM uses it to create unique entries for users in its user table.
The Net-SNMP agent offers the following mechanisms for setting the engineID, but
again you should only use them if you know what you're doing:
engineID STRING
specifies that the engineID should be built from the given text STRING.
engineIDType 1|2|3
specifies that the engineID should be built from the IPv4 address (1), IPv6 address
(2) or MAC address (3). Note that changing the IP address (or switching the
network interface card) may cause problems.
engineIDNic INTERFACE
defines which interface to use when determining the MAC address. If engineIDType 3
is not specified, then this directive has no effect.
The default is to use eth0.
SNMPv3 over TLS
SNMPv3 may be tunneled over TLS and DTLS. TLS runs over TCP and DTLS is the UDP
equivalent. Wes Hardaker (the founder of Net-SNMP) performed a study and presented it at
an IETF meeting that showed that TCP based protocols are sufficient for stable networks
but quickly becomes a problem in unstable networks with even moderate levels of packet
loss (~ 20-30%). If you are going to use TLS or DTLS, you should use the one appropriate
for your networking environment. You should potentially turn them both on so your
management system can access either the UDP or the TCP port as needed.
Many of the configuration tokens described below are prefixed with a '[snmp]' tag. If you
place these tokens in your snmpd.conf file, this take is required. See the snmp_config(5)
manual page for the meaning of this context switch.
[snmp] localCert <specifier>
This token defines the default X.509 public key to use as the server's identity.
It should either be a fingerprint or a filename. To create a public key for use,
please run the "net-snmp-cert" utility which will help you create the required
certificate.
The default value for this is the certificate in the "snmpd" named certificate
file.
[snmp] tlsAlgorithms <algorithms>
This string will select the algorithms to use when negotiating security during
(D)TLS session establishment. See the openssl manual page ciphers(1) for details
on the format. Examples strings include:
DEFAULT
ALL
HIGH
HIGH:!AES128-SHA
The default value is whatever openssl itself was configured with.
[snmp] x509CRLFile
If you are using a Certificate Authority (CA) that publishes a Certificate
Revocation List (CRL) then this token can be used to specify the location in the
filesystem of a copy of the CRL file. Note that Net-SNMP will not pull a CRL over
http and this must be a file, not a URL. Additionally, OpenSSL does not reload a
CRL file when it has changed so modifications or updates to the file will only be
noticed upon a restart of the snmpd agent.
certSecName PRIORITY FINGERPRINT OPTIONS
OPTIONS can be one of <--sn SECNAME | --rfc822 | --dns | --ip | --cn | --any>.
The certSecName token will specify how to map a certificate field from the client's
X.509 certificate to a SNMPv3 username. Use the --sn SECNAME flag to directly
specify a securityName for a given certificate. The other flags extract a
particular component of the certificate for use as a snmpv3 securityName. These
fields are one of: A SubjectAltName containing an rfc822 value (eg
hardaker@net-snmp.org), A SubjectAltName containing a dns name value (eg
foo.net-snmp.org), an IP address (eg 192.0.2.1) or a common name "Wes Hardaker".
The --any flag specifies that any of the subjecAltName fields may be used. Make
sure once a securityName has been selected that it is given authorization via the
VACM controls discussed later in this manual page.
See the http://www.net-snmp.org/wiki/index.php/Using_DTLS web page for more
detailed instructions for setting up (D)TLS.
trustCert <specifier>
For X509 to properly verify a certificate, it should be verifiable up until a trust
anchor for it. This trust anchor is typically a CA certificate but it could also
be a self-signed certificate. The "trustCert" token should be used to load
specific trust anchors into the verification engine.
SNMP over (D)TLS requires the use of the Transport Security Model (TSM), so read the
section on the usage of the Transport Security Model as well. Make sure when you
configure the VACM to accept connections from (D)TLS that you use the "tsm" security
model. E.G.:
rwuser -s tsm hardaker@net-snmp.org
SNMPv3 over SSH Support
To use SSH, you'll need to configure sshd to invoke the sshtosnmp program as well as
configure the access control settings to allow access through the tsm security model using
the user name provided to snmpd by the ssh transport.
SNMPv3 with the Transport Security Model (TSM)
The Transport Security Model [RFC5591] defines a SNMPv3 security system for use with
"tunneled" security protocols like TLS, DTLS and SSH. It is a very simple security model
that simply lets properly protected packets to pass through into the snmp application.
The transport is required to pass a securityName to use to the TSM and the TSM may
optionally prefix this with a transport string (see below).
tsmUseTransportPrefix (1|yes|true|0|no|false)
If set to true, the TSM module will take every securityName passed to it from the
transports underneath and prefix it with a string that specifically identities the
transport it came from. This is useful to avoid securityName clashes with
transports that generate identical security names. For example, if the ssh
security transport delivered the security name of "hardaker" for a SSH connection
and the TLS security transport also delivered the security name of "hardaker" for a
TLS connection then it would be impossible to separate out these two users to
provide separate access control rights. With the tsmUseTransportPrefix set to
true, however, the securityNames would be prefixed appropriately with one of:
"tls:", "dtls:" or "ssh:".
SNMPv3 with the User-based Security Model (USM)
SNMPv3 was originally defined using the User-Based Security Model (USM), which contains a
private list of users and keys specific to the SNMPv3 protocol. The operational
community, however, declared it a pain to manipulate yet another database and would prefer
to use existing infrastructure. To that end the IETF created the ISMS working group to
battle that problem, and the ISMS working group decided to tunnel SNMP over SSH and DTLS
to make use existing user and authentication infrastructures.
SNMPv3 USM Users
To use the USM based SNMPv3-specific users, you'll need to create them. It is recommended
you use the net-snmp-config command to do this, but you can also do it by directly
specifying createUser directives yourself instead:
createUser [-e ENGINEID] username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase
[DES|AES] [privpassphrase]
MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224 are the authentication types to use. DES
and AES are the privacy protocols to use. If the privacy passphrase is not
specified, it is assumed to be the same as the authentication passphrase. Note
that the users created will be useless unless they are also added to the VACM
access control tables described above.
SHA|SHA-512|SHA-384|SHA-256|SHA-224 authentication and DES/AES privacy require
OpenSSL to be installed and the agent to be built with OpenSSL support. MD5
authentication may be used without OpenSSL.
Warning: the minimum pass phrase length is 8 characters.
SNMPv3 users can be created at runtime using the snmpusm(1) command.
Instead of figuring out how to use this directive and where to put it (see below),
just run "net-snmp-config --create-snmpv3-user" instead, which will add one of
these lines to the right place.
This directive should be placed into the /var/lib/snmp/snmpd.conf file instead of
the other normal locations. The reason is that the information is read from the
file and then the line is removed (eliminating the storage of the master password
for that user) and replaced with the key that is derived from it. This key is a
localized key, so that if it is stolen it can not be used to access other agents.
If the password is stolen, however, it can be.
If you need to localize the user to a particular EngineID (this is useful mostly in
the similar snmptrapd.conf file), you can use the -e argument to specify an
EngineID as a hex value (EG, "0x01020304").
If you want to generate either your master or localized keys directly, replace the
given password with a hexstring (preceded by a "0x") and precede the hex string by
a -m or -l token (respectively). EGs:
[these keys are *not* secure but are easy to visually parse for
counting purposes. Please generate random keys instead of using
these examples]
createUser myuser SHA -l 0x0001020304050607080900010203040506070809 AES -l 0x00010203040506070809000102030405
createUser myuser SHA -m 0x0001020304050607080900010203040506070809 AES -m 0x0001020304050607080900010203040506070809
Due to the way localization happens, localized privacy keys are expected to be the
length needed by the algorithm (128 bits for all supported algorithms). Master
encryption keys, though, need to be the length required by the authentication
algorithm not the length required by the encrypting algorithm (MD5: 16 bytes, SHA:
20 bytes).
ACCESS CONTROL
snmpd supports the View-Based Access Control Model (VACM) as defined in RFC 2575, to
control who can retrieve or update information. To this end, it recognizes various
directives relating to access control.
Traditional Access Control
Most simple access control requirements can be specified using the directives
rouser/rwuser (for SNMPv3) or rocommunity/rwcommunity (for SNMPv1 or SNMPv2c).
rouser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
rwuser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
specify an SNMPv3 user that will be allowed read-only (GET and GETNEXT) or read-
write (GET, GETNEXT and SET) access respectively. By default, this will provide
access to the full OID tree for authenticated (including encrypted) SNMPv3
requests, using the default context. An alternative minimum security level can be
specified using noauth (to allow unauthenticated requests), or priv (to enforce use
of encryption). The OID field restricts access for that user to the subtree rooted
at the given OID, or the named view. An optional context can also be specified, or
"context*" to denote a context prefix. If no context field is specified (or the
token "*" is used), the directive will match all possible contexts.
If SECMODEL is specified then it will be the security model required for that user
(note that identical user names may come in over different security models and will
be appropriately separated via the access control settings). The default security
model is "usm" and the other common security models are likely "tsm" when using
(D)TLS or SSH support and "ksm" if the Kerberos support has been compiled in.
rocommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
rwcommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
specify an SNMPv1 or SNMPv2c community that will be allowed read-only (GET and
GETNEXT) or read-write (GET, GETNEXT and SET) access respectively. By default,
this will provide access to the full OID tree for such requests, regardless of
where they were sent from. The SOURCE token can be used to restrict access to
requests from the specified system(s) - see com2sec for the full details. The OID
field restricts access for that community to the subtree rooted at the given OID,
or named view. Contexts are typically less relevant to community-based SNMP
versions, but the same behaviour applies here.
rocommunity6 COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
rwcommunity6 COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
are directives relating to requests received using IPv6 (if the agent supports such
transport domains). The interpretation of the SOURCE, OID, VIEW and CONTEXT tokens
are exactly the same as for the IPv4 versions.
In each case, only one directive should be specified for a given SNMPv3 user, or community
string. It is not appropriate to specify both rouser and rwuser directives referring to
the same SNMPv3 user (or equivalent community settings). The rwuser directive provides all
the access of rouser (as well as allowing SET support). The same holds true for the
community-based directives.
More complex access requirements (such as access to two or more distinct OID subtrees, or
different views for GET and SET requests) should use one of the other access control
mechanisms. Note that if several distinct communities or SNMPv3 users need to be granted
the same level of access, it would also be more efficient to use the main VACM
configuration directives.
VACM Configuration
The full flexibility of the VACM is available using four configuration directives -
com2sec, group, view and access. These provide direct configuration of the underlying
VACM tables.
com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
com2sec6 [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
map an SNMPv1 or SNMPv2c community string to a security name - either from a
particular range of source addresses, or globally ("default"). A restricted source
can either be a specific hostname (or address), or a subnet - represented as
IP/MASK (e.g. 10.10.10.0/255.255.255.0), or IP/BITS (e.g. 10.10.10.0/24), or the
IPv6 equivalents. A restriction preceded by an exclamation mark (!) denies access
from that address or subnet, e.g., !10.10.10.0/24 denies requests from that sources
in that subnet. Deny restrictions must be before permit. E.g., the following
example permits access from all of 10.0.0.0/8 except for 10.10.10.0/24:
com2sec sec1 !10.10.10.0/24 public
com2sec sec1 10.0.0.0/8 public
Access from outside of 10.0.0.0/8 would still be denied.
The same community string can be specified in several separate directives
(presumably with different source tokens), and the first source/community
combination that matches the incoming request will be selected. Various
source/community combinations can also map to the same security name.
If a CONTEXT is specified (using -Cn), the community string will be mapped to a
security name in the named SNMPv3 context. Otherwise the default context ("") will
be used.
com2secunix [-Cn CONTEXT] SECNAME SOCKPATH COMMUNITY
is the Unix domain sockets version of com2sec.
group GROUP {v1|v2c|usm|tsm|ksm} SECNAME
maps a security name (in the specified security model) into a named group. Several
group directives can specify the same group name, allowing a single access setting
to apply to several users and/or community strings.
Note that groups must be set up for the two community-based models separately - a
single com2sec (or equivalent) directive will typically be accompanied by two group
directives.
view VNAME TYPE OID [MASK]
defines a named "view" - a subset of the overall OID tree. This is most commonly a
single subtree, but several view directives can be given with the same view name
(VNAME), to build up a more complex collection of OIDs. TYPE is either included or
excluded, which can again define a more complex view (e.g by excluding certain
sensitive objects from an otherwise accessible subtree).
MASK is a list of hex octets (optionally separated by '.' or ':') with the set bits
indicating which subidentifiers in the view OID to match against. If not
specified, this defaults to matching the OID exactly (all bits set), thus defining
a simple OID subtree. So:
view iso1 included .iso 0xf0
view iso2 included .iso
view iso3 included .iso.org.dod.mgmt 0xf0
would all define the same view, covering the whole of the 'iso(1)' subtree (with
the third example ignoring the subidentifiers not covered by the mask).
More usefully, the mask can be used to define a view covering a particular row (or
rows) in a table, by matching against the appropriate table index value, but
skipping the column subidentifier:
view ifRow4 included .1.3.6.1.2.1.2.2.1.0.4 0xff:a0
Note that a mask longer than 8 bits must use ':' to separate the individual octets.
access GROUP CONTEXT {any|v1|v2c|usm|tsm|ksm} LEVEL PREFX READ WRITE NOTIFY
maps from a group of users/communities (with a particular security model and
minimum security level, and in a specific context) to one of three views, depending
on the request being processed.
LEVEL is one of noauth, auth, or priv. PREFX specifies how CONTEXT should be
matched against the context of the incoming request, either exact or prefix. READ,
WRITE and NOTIFY specifies the view to be used for GET*, SET and TRAP/INFORM
requests (althought the NOTIFY view is not currently used). For v1 or v2c access,
LEVEL will need to be noauth.
Typed-View Configuration
The final group of directives extend the VACM approach into a more flexible mechanism,
which can be applied to other access control requirements. Rather than the fixed three
views of the standard VACM mechanism, this can be used to configure various different view
types. As far as the main SNMP agent is concerned, the two main view types are read and
write, corresponding to the READ and WRITE views of the main access directive. See the
'snmptrapd.conf(5)' man page for discussion of other view types.
authcommunity TYPES COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
is an alternative to the rocommunity/rwcommunity directives. TYPES will usually be
read or read,write respectively. The view specification can either be an OID
subtree (as before), or a named view (defined using the view directive) for greater
flexibility. If this is omitted, then access will be allowed to the full OID tree.
If CONTEXT is specified, access is configured within this SNMPv3 context.
Otherwise the default context ("") is used.
authuser TYPES [-s MODEL] USER [LEVEL [OID | -V VIEW [CONTEXT]]]
is an alternative to the rouser/rwuser directives. The fields TYPES, OID, VIEW and
CONTEXT have the same meaning as for authcommunity.
authgroup TYPES [-s MODEL] GROUP [LEVEL [OID | -V VIEW [CONTEXT]]]
is a companion to the authuser directive, specifying access for a particular group
(defined using the group directive as usual). Both authuser and authgroup default
to authenticated requests - LEVEL can also be specified as noauth or priv to allow
unauthenticated requests, or require encryption respectively. Both authuser and
authgroup directives also default to configuring access for SNMPv3/USM requests -
use the '-s' flag to specify an alternative security model (using the same values
as for access above).
authaccess TYPES [-s MODEL] GROUP VIEW [LEVEL [CONTEXT]]
also configures the access for a particular group, specifying the name and type of
view to apply. The MODEL and LEVEL fields are interpreted in the same way as for
authgroup. If CONTEXT is specified, access is configured within this SNMPv3
context (or contexts with this prefix if the CONTEXT field ends with '*').
Otherwise the default context ("") is used.
setaccess GROUP CONTEXT MODEL LEVEL PREFIX VIEW TYPES
is a direct equivalent to the original access directive, typically listing the view
types as read or read,write as appropriate. (or see 'snmptrapd.conf(5)' for other
possibilities). All other fields have the same interpretation as with access.
SYSTEM INFORMATION
Most of the information reported by the Net-SNMP agent is retrieved from the underlying
system, or dynamically configured via SNMP SET requests (and retained from one run of the
agent to the next). However, certain MIB objects can be configured or controlled via the
snmpd.conf(5) file.
System Group
Most of the scalar objects in the 'system' group can be configured in this way:
sysLocation STRING
sysContact STRING
sysName STRING
set the system location, system contact or system name (sysLocation.0, sysContact.0
and sysName.0) for the agent respectively. Ordinarily these objects are writable
via suitably authorized SNMP SET requests. However, specifying one of these
directives makes the corresponding object read-only, and attempts to SET it will
result in a notWritable error response.
sysServices NUMBER
sets the value of the sysServices.0 object. For a host system, a good value is 72
(application + end-to-end layers). If this directive is not specified, then no
value will be reported for the sysServices.0 object.
sysDescr STRING
sysObjectID OID
sets the system description or object ID for the agent. Although these MIB objects
are not SNMP-writable, these directives can be used by a network administrator to
configure suitable values for them.
Interfaces Group
interface NAME TYPE SPEED
can be used to provide appropriate type and speed settings for interfaces where the
agent fails to determine this information correctly. TYPE is a type value as given
in the IANAifType-MIB, and can be specified numerically or by name (assuming this
MIB is loaded).
interface_fadeout TIMEOUT
specifies, for how long the agent keeps entries in ifTable after appropriate
interfaces have been removed from system (typically various ppp, tap or tun
interfaces). Timeout value is in seconds. Default value is 300 (=5 minutes).
interface_replace_old yes
can be used to remove already existing entries in ifTable when an interface with
the same name appears on the system. E.g. when ppp0 interface is removed, it is
still listed in the table for interface_fadeout seconds. This option ensures, that
the old ppp0 interface is removed even before the interface_fadeout timeour when
new ppp0 (with different ifIndex) shows up.
Host Resources Group
This requires that the agent was built with support for the host module (which is now
included as part of the default build configuration on the major supported platforms).
ignoreDisk STRING
controls which disk devices are scanned as part of populating the
hrDiskStorageTable (and hrDeviceTable). The HostRes implementation code includes a
list of disk device patterns appropriate for the current operating system, some of
which may cause the agent to block when trying to open the corresponding disk
devices. This might lead to a timeout when walking these tables, possibly
resulting in inconsistent behaviour. This directive can be used to specify
particular devices (either individually or wildcarded) that should not be checked.
Note: Please consult the source (host/hr_disk.c) and check for the
Add_HR_Disk_entry calls relevant for a particular O/S to determine the list
of devices that will be scanned.
The pattern can include one or more wildcard expressions. See snmpd.examples(5)
for illustration of the wildcard syntax.
skipNFSInHostResources true
controls whether NFS and NFS-like file systems should be omitted from the
hrStorageTable (true or 1) or not (false or 0, which is the default). If the Net-
SNMP agent gets hung on NFS-mounted filesystems, you can try setting this to '1'.
storageUseNFS [1|2]
controls how NFS and NFS-like file systems should be reported in the
hrStorageTable. as 'Network Disks' (1) or 'Fixed Disks' (2) Historically, the Net-
SNMP agent has reported such file systems as 'Fixed Disks', and this is still the
default behaviour. Setting this directive to '1' reports such file systems as
´Network Disks', as required by the Host Resources MIB.
realStorageUnits
controlls how the agent reports hrStorageAllocationUnits, hrStorageSize and
hrStorageUsed in hrStorageTable. For big storage drives with small allocation
units the agent re-calculates these values so they all fit Integer32 and
hrStorageAllocationUnits x hrStorageSize gives real size of the storage.
Example:
Linux xfs 16TB filesystem with 4096 bytes large blocks will be reported as
hrStorageAllocationUnits = 8192 and hrStorageSize = 2147483647, so 8192 x
2147483647 gives real size of the filesystem (=16 TB).
Setting this directive to '1' turns off this calculation and the agent reports real
hrStorageAllocationUnits, but it might report wrong hrStorageSize for big drives
because the value won't fit into Integer32. In this case, hrStorageAllocationUnits
x hrStorageSize won't give real size of the storage.
Process Monitoring
The hrSWRun group of the Host Resources MIB provides information about individual
processes running on the local system. The prTable of the UCD-SNMP-MIB complements this
by reporting on selected services (which may involve multiple processes). This requires
that the agent was built with support for the ucd-snmp/proc module (which is included as
part of the default build configuration).
proc NAME [MAX [MIN]]
monitors the number of processes called NAME (as reported by "/bin/ps -e") running
on the local system.
If the number of NAMEd processes is less than MIN or greater than MAX, then the
corresponding prErrorFlag instance will be set to 1, and a suitable description
message reported via the prErrMessage instance.
Note: This situation will not automatically trigger a trap to report the problem -
see the DisMan Event MIB section later.
If neither MAX nor MIN are specified, they will default to infinity and 1
respectively ("at least one"). If only MAX is specified, MIN will default to 0
("no more than MAX"). If MAX is 0 (and MIN is not), this indicates infinity ("at
least MIN"). If both MAX and MIN are 0, this indicates a process that should not
be running.
procfix NAME PROG ARGS
registers a command that can be run to fix errors with the given process NAME.
This will be invoked when the corresponding prErrFix instance is set to 1.
Note: This command will not be invoked automatically.
The procfix directive must be specified after the matching proc directive, and
cannot be used on its own.
If no proc directives are defined, then walking the prTable will fail (noSuchObject).
Disk Usage Monitoring
This requires that the agent was built with support for the ucd-snmp/disk module (which is
included as part of the default build configuration).
disk PATH [ MINSPACE | MINPERCENT% ]
monitors the disk mounted at PATH for available disk space. Disks mounted after
the agent has started will not be monitored, unless includeAllDisks option is
specified.
The minimum threshold can either be specified in kB (MINSPACE) or as a percentage
of the total disk (MINPERCENT% with a '%' character), defaulting to 100kB if
neither are specified. If the free disk space falls below this threshold, then the
corresponding dskErrorFlag instance will be set to 1, and a suitable description
message reported via the dskErrorMsg instance.
Note: This situation will not automatically trigger a trap to report the problem -
see the DisMan Event MIB section later.
includeAllDisks MINPERCENT%
configures monitoring of all disks found on the system, using the specified
(percentage) threshold. The dskTable is dynamically updated, unmounted disks
disappear from the table and newly mounted disks are added to the table. The
threshold for individual disks can be adjusted using suitable disk directives
(which can come either before or after the includeAllDisks directive).
Note: Whether disk directives appears before or after includeAllDisks may affect
the indexing of the dskTable.
Only one includeAllDisks directive should be specified - any subsequent copies will
be ignored.
The list of mounted disks will be determined from HOST-RESOURCES-MIB::hrFSTable.
If neither any disk directives or includeAllDisks are defined, then walking the dskTable
will fail (noSuchObject).
Disk I/O Monitoring
This requires that the agent was built with support for the ucd-snmp/diskio module (which
is not included as part of the default build configuration).
By default, all block devices known to the operating system are included in the
diskIOTable. On platforms other than Linux, this module has no configuration directives.
On Linux systems, it is possible to exclude several classes of block devices from the
diskIOTable in order to avoid cluttering the table with useless zero statistics for
pseudo-devices that often are not in use but are configured by default to exist in most
recent Linux distributions.
diskio_exclude_fd yes
Excludes all Linux floppy disk block devices, whose names start with "fd", e.g.
"fd0"
diskio_exclude_loop yes
Excludes all Linux loopback block devices, whose names start with "loop", e.g.
"loop0"
diskio_exclude_ram yes
Excludes all LInux ramdisk block devices, whose names start with "ram", e.g.
"ram0"
On Linux systems, it is also possible to report only explicitly accepted devices. It may
take significant amount of time to process diskIOTable data on systems with tens of
thousands of block devices and accept only the important ones avoids large CPU
consumption.
diskio <device>
Enables acceptlist of devices and adds the device to the acceptlist. Only
explicitly acceptlisted devices will be reported. This option may be used multiple
times.
System Load Monitoring
This requires that the agent was built with support for either the ucd-snmp/loadave module
or the ucd-snmp/memory module respectively (both of which are included as part of the
default build configuration).
load MAX1 [MAX5 [MAX15]]
monitors the load average of the local system, specifying thresholds for the
1-minute, 5-minute and 15-minute averages. If any of these loads exceed the
associated maximum value, then the corresponding laErrorFlag instance will be set
to 1, and a suitable description message reported via the laErrMessage instance.
Note: This situation will not automatically trigger a trap to report the problem -
see the DisMan Event MIB section later.
If the MAX15 threshold is omitted, it will default to the MAX5 value. If both MAX5
and MAX15 are omitted, they will default to the MAX1 value. If this directive is
not specified, all three thresholds will default to a value of DEFMAXLOADAVE.
If a threshold value of 0 is given, the agent will not report errors via the
relevant laErrorFlag or laErrMessage instances, regardless of the current load.
Unlike the proc and disk directives, walking the walking the laTable will succeed
(assuming the ucd-snmp/loadave module was configured into the agent), even if the load
directive is not present.
swap MIN
monitors the amount of swap space available on the local system. If this falls
below the specified threshold (MIN kB), then the memErrorSwap object will be set to
1, and a suitable description message reported via memSwapErrorMsg.
Note: This situation will not automatically trigger a trap to report the problem -
see the DisMan Event MIB section later.
If this directive is not specified, the default threshold is 16 MB.
Log File Monitoring
This requires that the agent was built with support for either the ucd-snmp/file or
ucd-snmp/logmatch modules respectively (both of which are included as part of the default
build configuration).
file FILE [MAXSIZE]
monitors the size of the specified file (in kB). If MAXSIZE is specified, and the
size of the file exceeds this threshold, then the corresponding fileErrorFlag
instance will be set to 1, and a suitable description message reported via the
fileErrorMsg instance.
Note: This situation will not automatically trigger a trap to report the problem -
see the DisMan Event MIB section later.
Note: A maximum of 20 files can be monitored.
Note: If no file directives are defined, then walking the fileTable will fail
(noSuchObject).
logmatch NAME FILE CYCLETIME REGEX
monitors the specified file for occurances of the specified pattern REGEX. The file
position is stored internally so the entire file is only read initially, every
subsequent pass will only read the new lines added to the file since the last read.
NAME name of the logmatch instance (will appear as logMatchName under
logMatch/logMatchTable/logMatchEntry/logMatchName in the ucd-snmp MIB tree)
FILE absolute path to the logfile to be monitored. Note that this path can
contain date/time directives (like in the UNIX 'date' command). See the
manual page for 'strftime' for the various directives accepted.
CYCLETIME
time interval for each logfile read and internal variable update in seconds.
Note: an SNMPGET* operation will also trigger an immediate logfile read and
variable update.
REGEX the regular expression to be used. Note: DO NOT enclose the regular
expression in quotes even if there are spaces in the expression as the
quotes will also become part of the pattern to be matched!
Example:
logmatch apache-GETs /usr/local/apache/logs/access.log-%Y-%m-%d 60
GET.*HTTP.*
This logmatch instance is named 'apache-GETs', uses 'GET.*HTTP.*' as its
regular expression and it will monitor the file named (assuming today is May
6th 2009): '/usr/local/apache/logs/access.log-2009-05-06', tomorrow it will
look for 'access.log-2009-05-07'. The logfile is read every 60 seconds.
Note: A maximum of 250 logmatch directives can be specified.
Note: If no logmatch directives are defined, then walking the logMatchTable will
fail (noSuchObject).
ACTIVE MONITORING
The usual behaviour of an SNMP agent is to wait for incoming SNMP requests and respond to
them - if no requests are received, an agent will typically not initiate any actions. This
section describes various directives that can configure snmpd to take a more active role.
Notification Handling
trapcommunity STRING
defines the default community string to be used when sending traps. Note that this
directive must be used prior to any community-based trap destination directives
that need to use it.
trapsink [-profile p] [-name n] [-tag t] [-s src] HOST [COMMUNITY [PORT]]
trap2sink [-profile p] [-name n] [-tag t] [-s src] HOST [COMMUNITY [PORT]]
informsink [-profile p] [-name n] [-tag t] [-s src] HOST [COMMUNITY [PORT]]
define the address of a notification receiver that should be sent SNMPv1 TRAPs,
SNMPv2c TRAP2s, or SNMPv2 INFORM notifications respectively. See the section
LISTENING ADDRESSES in the snmpd(8) manual page for more information about the
format of listening addresses. If COMMUNITY is not specified, the most recent
trapcommunity string will be used.
If the transport address does not include an explicit port specification, then PORT
will be used. If this is not specified, the well known SNMP trap port (162) will
be used.
Note: This mechanism is being deprecated, and the listening port should be
specified via the transport specification HOST instead.
The optional name and tag parameters specifies the name or tag that will be used
for SNMP-NOTIFICATION-MIB table entries. The profile specifies which notification
filter profile entry will be used for filtering outgoing notifications. (See
notificationFilter)
The optional src parameter specifies the source address that will be used when
sending the trap packet to this sink. It is specified as a <transport-address>,
using the same <transport-specifier> as the destination HOST. See the section
LISTENING ADDRESSES in the snmpd(8) manual page for more information about the
format.
If several sink directives are specified, multiple copies of each notification (in
the appropriate formats) will be generated.
Note: It is not normally appropriate to list two (or all three) sink directives
with the same destination.
trapsess [-profile p] [-name n] [-tag t] [-s src] [SNMPCMD_ARGS] HOST
provides a more generic mechanism for defining notification destinations.
SNMPCMD_ARGS should be the command-line options required for an equivalent snmptrap
(or snmpinform) command to send the desired notification. The option -Ci can be
used (with -v2c or -v3) to generate an INFORM notification rather than an
unacknowledged TRAP.
The optional name and tag parameters specifies the name or tag that will be used
for SNMP-NOTIFICATION-MIB table entries. The profile specifies which notification
filter profile entry will be used for filtering outgoing notifications. (See
notificationFilter)
This is the appropriate directive for defining SNMPv3 trap receivers. See
http://www.net-snmp.org/tutorial/tutorial-5/commands/snmptrap-v3.html for more
information about SNMPv3 notification behaviour.
notificationFilter NAME OID MASK TYPE
specifies a SNMP-NOTIFICATION-MIB notification filter profile, which may be used to
filter traps. TYPE must be included or excluded, Some examples:
notificationFilter all_ok .1.3 0x00 included
notificationFilter no_coldstart .1.3 0x00 included
notificationFilter no_coldstart .1.3.6.1.6.3.1.1.5.1 0x00 excluded
trapsink -profile no_coldstart 192.168.1.3:3162 secret3
authtrapenable {1|2}
determines whether to generate authentication failure traps (enabled(1)) or not
(disabled(2) - the default). Ordinarily the corresponding MIB object
(snmpEnableAuthenTraps.0) is read-write, but specifying this directive makes this
object read-only, and attempts to set the value via SET requests will result in a
notWritable error response.
v1trapaddress HOST
defines the agent address, which is inserted into SNMPv1 TRAPs. Arbitrary local
IPv4 address is chosen if this option is ommited. This option is useful mainly when
the agent is visible from outside world by specific address only (e.g. because of
network address translation or firewall).
DisMan Event MIB
The previous directives can be used to configure where traps should be sent, but are not
concerned with when to send such traps (or what traps should be generated). This is the
domain of the Event MIB - developed by the Distributed Management (DisMan) working group
of the IETF.
This requires that the agent was built with support for the disman/event module (which is
now included as part of the default build configuration for the most recent distribution).
Note: The behaviour of the latest implementation differs in some minor respects
from the previous code - nothing too significant, but existing scripts may
possibly need some minor adjustments.
iquerySecName NAME
agentSecName NAME
specifies the default SNMPv3 username, to be used when making internal queries to
retrieve any necessary information (either for evaluating the monitored expression,
or building a notification payload). These internal queries always use SNMPv3,
even if normal querying of the agent is done using SNMPv1 or SNMPv2c.
Note that this user must also be explicitly created (createUser) and given
appropriate access rights (e.g. rouser). This directive is purely concerned with
defining which user should be used - not with actually setting this user up.
monitor [OPTIONS] NAME EXPRESSION
defines a MIB object to monitor. If the EXPRESSION condition holds (see below),
then this will trigger the corresponding event, and either send a notification or
apply a SET assignment (or both). Note that the event will only be triggered once,
when the expression first matches. This monitor entry will not fire again until
the monitored condition first becomes false, and then matches again. NAME is an
administrative name for this expression, and is used for indexing the
mteTriggerTable (and related tables). Each monitor line must have a unique NAME.
Monitor lines with a duplicate name are discarded and cause snmpd to log a
duplicate index complaint. Note also that such monitors use an internal SNMPv3
request to retrieve the values being monitored (even if normal agent queries
typically use SNMPv1 or SNMPv2c). See the iquerySecName token described above.
EXPRESSION
There are three types of monitor expression supported by the Event MIB - existence,
boolean and threshold tests.
OID | ! OID | != OID
defines an existence(0) monitor test. A bare OID specifies a present(0)
test, which will fire when (an instance of) the monitored OID is created.
An expression of the form ! OID specifies an absent(1) test, which will fire
when the monitored OID is delected. An expression of the form != OID
specifies a changed(2) test, which will fire whenever the monitored value(s)
change. Note that there must be whitespace before the OID token.
OID OP VALUE
defines a boolean(1) monitor test. OP should be one of the defined
comparison operators (!=, ==, <, <=, >, >=) and VALUE should be an integer
value to compare against. Note that there must be whitespace around the OP
token. A comparison such as OID !=0 will not be handled correctly.
OID MIN MAX [DMIN DMAX]
defines a threshold(2) monitor test. MIN and MAX are integer values,
specifying lower and upper thresholds. If the value of the monitored OID
falls below the lower threshold (MIN) or rises above the upper threshold
(MAX), then the monitor entry will trigger the corresponding event.
Note that the rising threshold event will only be re-armed when the
monitored value falls below the lower threshold (MIN). Similarly, the
falling threshold event will be re-armed by the upper threshold (MAX).
The optional parameters DMIN and DMAX configure a pair of similar threshold
tests, but working with the delta differences between successive sample
values.
OPTIONS
There are various options to control the behaviour of the monitored expression.
These include:
-D indicates that the expression should be evaluated using delta differences
between sample values (rather than the values themselves).
-d OID
-di OID
specifies a discontinuity marker for validating delta differences. A -di
object instance will be used exactly as given. A -d object will have the
instance subidentifiers from the corresponding (wildcarded) expression
object appended. If the -I flag is specified, then there is no difference
between these two options.
This option also implies -D.
-e EVENT
specifies the event to be invoked when this monitor entry is triggered. If
this option is not given, the monitor entry will generate one of the
standard notifications defined in the DISMAN-EVENT-MIB.
-I indicates that the monitored expression should be applied to the specified
OID as a single instance. By default, the OID will be treated as a
wildcarded object, and the monitor expanded to cover all matching instances.
-i OID
-o OID define additional varbinds to be added to the notification payload when this
monitor trigger fires. For a wildcarded expression, the suffix of the
matched instance will be added to any OIDs specified using -o, while OIDs
specified using -i will be treated as exact instances. If the -I flag is
specified, then there is no difference between these two options.
See strictDisman for details of the ordering of notification payloads.
-r FREQUENCY
monitors the given expression every FREQUENCY, where FREQUENCY is in seconds
or optionally suffixed by one of s (for seconds), m (for minutes), h (for
hours), d (for days), or w (for weeks). By default, the expression will be
evaluated every 600s (10 minutes).
-S indicates that the monitor expression should not be evaluated when the agent
first starts up. The first evaluation will be done once the first repeat
interval has expired.
-s indicates that the monitor expression should be evaluated when the agent
first starts up. This is the default behaviour.
Note: Notifications triggered by this initial evaluation will be sent
before the coldStart trap.
-u SECNAME
specifies a security name to use for scanning the local host, instead of the
default iquerySecName. Once again, this user must be explicitly created and
given suitable access rights.
notificationEvent ENAME NOTIFICATION [-m] [-i OID | -o OID ]*
defines a notification event named ENAME. This can be triggered from a given
monitor entry by specifying the option -e ENAME (see above). NOTIFICATION should
be the OID of the NOTIFICATION-TYPE definition for the notification to be
generated.
If the -m option is given, the notification payload will include the standard
varbinds as specified in the OBJECTS clause of the notification MIB definition.
This option must come after the NOTIFICATION OID (and the relevant MIB file must be
available and loaded by the agent). Otherwise, these varbinds must be listed
explicitly (either here or in the corresponding monitor directive).
The -i OID and -o OID options specify additional varbinds to be appended to the
notification payload, after the standard list. If the monitor entry that triggered
this event involved a wildcarded expression, the suffix of the matched instance
will be added to any OIDs specified using -o, while OIDs specified using -i will be
treated as exact instances. If the -I flag was specified to the monitor directive,
then there is no difference between these two options.
setEvent ENAME [-I] OID = VALUE
defines a set event named ENAME, assigning the (integer) VALUE to the specified
OID. This can be triggered from a given monitor entry by specifying the option -e
ENAME (see above).
If the monitor entry that triggered this event involved a wildcarded expression,
the suffix of the matched instance will normally be added to the OID. If the -I
flag was specified to either of the monitor or setEvent directives, the specified
OID will be regarded as an exact single instance.
strictDisman yes
The definition of SNMP notifications states that the varbinds defined in the OBJECT
clause should come first (in the order specified), followed by any "extra" varbinds
that the notification generator feels might be useful. The most natural approach
would be to associate these mandatory varbinds with the notificationEvent entry,
and append any varbinds associated with the monitor entry that triggered the
notification to the end of this list. This is the default behaviour of the Net-
SNMP Event MIB implementation.
Unfortunately, the DisMan Event MIB specifications actually state that the trigger-
related varbinds should come first, followed by the event-related ones. This
directive can be used to restore this strictly-correct (but inappropriate)
behaviour.
Note: Strict DisMan ordering may result in generating invalid notifications
payload lists if the notificationEvent -n flag is used together with monitor
-o (or -i) varbind options.
If no monitor entries specify payload varbinds, then the setting of this directive
is irrelevant.
linkUpDownNotifications yes
will configure the Event MIB tables to monitor the ifTable for network interfaces
being taken up or down, and triggering a linkUp or linkDown notification as
appropriate.
This is exactly equivalent to the configuration:
notificationEvent linkUpTrap linkUp ifIndex ifAdminStatus ifOperStatus
notificationEvent linkDownTrap linkDown ifIndex ifAdminStatus ifOperStatus
monitor -r 60 -e linkUpTrap "Generate linkUp" ifOperStatus != 2
monitor -r 60 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
defaultMonitors yes
will configure the Event MIB tables to monitor the various UCD-SNMP-MIB tables for
problems (as indicated by the appropriate xxErrFlag column objects).
This is exactly equivalent to the configuration:
monitor -o prNames -o prErrMessage "process table" prErrorFlag != 0
monitor -o memErrorName -o memSwapErrorMsg "memory" memSwapError != 0
monitor -o extNames -o extOutput "extTable" extResult != 0
monitor -o dskPath -o dskErrorMsg "dskTable" dskErrorFlag != 0
monitor -o laNames -o laErrMessage "laTable" laErrorFlag != 0
monitor -o fileName -o fileErrorMsg "fileTable" fileErrorFlag != 0
In both these latter cases, the snmpd.conf must also contain a iquerySecName directive,
together with a corresponding createUser entry and suitable access control configuration.
DisMan Schedule MIB
The DisMan working group also produced a mechanism for scheduling particular actions (a
specified SET assignment) at given times. This requires that the agent was built with
support for the disman/schedule module (which is included as part of the default build
configuration for the most recent distribution).
There are three ways of specifying the scheduled action:
repeat FREQUENCY OID = VALUE
configures a SET assignment of the (integer) VALUE to the MIB instance OID, to be
run every FREQUENCY seconds, where FREQUENCY is in seconds or optionally suffixed
by one of s (for seconds), m (for minutes), h (for hours), d (for days), or w (for
weeks).
cron MINUTE HOUR DAY MONTH WEEKDAY OID = VALUE
configures a SET assignment of the (integer) VALUE to the MIB instance OID, to be
run at the times specified by the fields MINUTE to WEEKDAY. These follow the same
pattern as the equivalent crontab(5) fields.
Note: These fields should be specified as a (comma-separated) list of numeric
values. Named values for the MONTH and WEEKDAY fields are not supported,
and neither are value ranges. A wildcard match can be specified as '*'.
The DAY field can also accept negative values, to indicate days counting backwards
from the end of the month.
at MINUTE HOUR DAY MONTH WEEKDAY OID = VALUE
configures a one-shot SET assignment, to be run at the first matching time as
specified by the fields MINUTE to WEEKDAY. The interpretation of these fields is
exactly the same as for the cron directive.
Data Delivery via Notfiications
Note: this functionality is only available if the deliver/deliverByNotify mib module was
complied in to the agent
In some situations it may be advantageous to deliver SNMP data over SNMP Notifications
(TRAPs and INFORMs) rather than the typical process of having the manager issue requests
for the data (via GETs and GETNEXTs). Reasons for doing this are numerous, but frequently
corner cases. The most common reason for wanting this behaviour might be to monitor
devices that reside behind NATs or Firewalls that prevent incoming SNMP traffic.
It should be noted that although most management software is capable of logging
notifications, very little (if any) management software will updated their "knowledge
database" based on the contents of SNMP notifications. IE, it won't (for example) update
the interface traffic counter history that is used to produce graphs. Most larger network
management packages have a separate database for storing data received via SNMP requests
(GETs and GETNEXTs) vs those received from notifications. Researching the capabilities of
your management station software is required before assuming this functionality will solve
your data delivery requirements.
Notifications generated via this mechanism will be sent to the standard set of configured
notification targets. See the "Notification Handling" section of this document for
further information.
deliverByNotify [-p] [-m] [-s MAXSIZE] FREQUENCY OID
This directive tells the SNMP agent to self-walk the OID, collect all the data and
send it out every FREQUENCY seconds, where FREQUENCY is in seconds or optionally
suffixed by one of s (for seconds), m (for minutes), h (for hours), d (for days),
or w (for weeks). By default scalars are included in the notification that specify
the how often the notification will be sent (unless the -p option is specified) and
which message number of how many messages a particular notification is (unless -m
is specified). To break the notifications into manageable packet sizes, use the -s
flag to specify the approximate maximum number of bytes that a notification message
should be limited to. If more than MAXSIZE of bytes is needed then multiple
notifications will be sent to deliver the data. Note that the calculations for
ensuring the maximum size is met are approximations and thus it can be absolutely
guaranteed they'll be under that size, so leave a padding buffer if it is critical
that you avoid fragmentation. A value of -1 indicates force everything into a
single message no matter how big it is.
Example usage: the following will deliver the contents of the ifTable once an hour
and the contents of the system group once every 2 hours:
deliverByNotify 3600 ifTable
deliverByNotify 7200 system
deliverByNotifyMaxPacketSize SIZEINBYTES
Sets the default notification size limit (see the -s flag above).
deliverByNotifyOid OID
deliverByNotifyFrequencyOid OID
deliverByNotifyMessageNumberOid OID
deliverByNotifyMaxMessageNumberOid OID
These set the data OID that the notification will be sent under, the scalar OID,
the message number OID, and the maximum message number OID. These default to
objects in the NET-SNMP-PERIODIC-NOTIFY-MIB.
EXTENDING AGENT FUNCTIONALITY
One of the first distinguishing features of the original UCD suite was the ability to
extend the functionality of the agent - not just by recompiling with code for new MIB
modules, but also by configuring the running agent to report additional information. There
are a number of techniques to support this, including:
• running external commands (exec, extend, pass)
• loading new code dynamically (embedded perl, dlmod)
• communicating with other agents (proxy, SMUX, AgentX)
Arbitrary Extension Commands
The earliest extension mechanism was the ability to run arbitrary commands or shell
scripts. Such commands do not need to be aware of SNMP operations, or conform to any
particular behaviour - the MIB structures are designed to accommodate any form of command
output. Use of this mechanism requires that the agent was built with support for the
ucd-snmp/extensible and/or agent/extend modules (which are both included as part of the
default build configuration).
exec [MIBOID] NAME PROG ARGS
sh [MIBOID] NAME PROG ARGS
invoke the named PROG with arguments of ARGS. By default the exit status and first
line of output from the command will be reported via the extTable, discarding any
additional output.
Note: Entries in this table appear in the order they are read from the
configuration file. This means that adding new exec (or sh) directives and
restarting the agent, may affect the indexing of other entries.
The PROG argument for exec directives must be a full path to a real binary, as it
is executed via the exec() system call. To invoke a shell script, use the sh
directive instead.
If MIBOID is specified, then the results will be rooted at this point in the OID
tree, returning the exit statement as MIBOID.100.0 and the entire command output in
a pseudo-table based at MIBNUM.101 - with one 'row' for each line of output.
Note: The layout of this "relocatable" form of exec (or sh) output does not
strictly form a valid MIB structure. This mechanism is being deprecated -
please see the extend directive (described below) instead.
The agent does not cache the exit status or output of the executed program.
execfix NAME PROG ARGS
registers a command that can be invoked on demand - typically to respond to or fix
errors with the corresponding exec or sh entry. When the extErrFix instance for a
given NAMEd entry is set to the integer value of 1, this command will be called.
Note: This directive can only be used in combination with a corresponding exec or
sh directive, which must be defined first. Attempting to define an
unaccompanied execfix directive will fail.
exec and sh extensions can only be configured via the snmpd.conf file. They cannot be set
up via SNMP SET requests.
extend [-cacheTime TIME] [-execType TYPE] [MIBOID] NAME PROG ARGS
works in a similar manner to the exec directive, but with a number of improvements.
The MIB tables (nsExtendConfigTable etc) are indexed by the NAME token, so are
unaffected by the order in which entries are read from the configuration files.
There are two result tables - one (nsExtendOutput1Table) containing the exit
status, the first line and full output (as a single string) for each extend entry,
and the other (nsExtendOutput2Table) containing the complete output as a series of
separate lines.
If -cacheTime is specified, then its argument is used as the cache timeout (in
whole seconds) for this extend entry. This mechanism provides a non-volatile way to
specify the cache timeout.
If -execType is specified and has a value of sh, then this extend entry will be run
in a shell. Otherwise it will be run in the default exec fashion. This mechanism
provides a non-volatile way to specify the exec type.
If MIBOID is specified, then the configuration and result tables will be rooted at
this point in the OID tree, but are otherwise structured in exactly the same way.
This means that several separate extend directives can specify the same MIBOID
root, without conflicting.
The exit status and output is cached for each entry individually, and can be
cleared (and the caching behaviour configured) using the nsCacheTable.
extendfix NAME PROG ARGS
registers a command that can be invoked on demand, by setting the appropriate
nsExtendRunType instance to the value run-command(3). Unlike the equivalent
execfix, this directive does not need to be paired with a corresponding extend
entry, and can appear on its own.
MIB-Specific Extension Commands
The first group of extension directives invoke arbitrary commands, and rely on the MIB
structure (and management applications) having the flexibility to accommodate and
interpret the output. This is a convenient way to make information available quickly and
simply, but is of no use when implementing specific MIB objects, where the extension must
conform to the structure of the MIB (rather than vice versa). The remaining extension
mechanisms are all concerned with such MIB-specific situations - starting with "pass-
through" scripts. Use of this mechanism requires that the agent was built with support
for the ucd-snmp/pass and ucd-snmp/pass_persist modules (which are both included as part
of the default build configuration).
pass [-p priority] MIBOID PROG
will pass control of the subtree rooted at MIBOID to the specified PROG command.
GET and GETNEXT requests for OIDs within this tree will trigger this command,
called as:
PROG -g OID
PROG -n OID
respectively, where OID is the requested OID. The PROG command should return the
response varbind as three separate lines printed to stdout - the first line should
be the OID of the returned value, the second should be its TYPE (one of the text
strings integer, gauge, counter, timeticks, ipaddress, objectid, octet, or string
), and the third should be the value itself. (Note: octets are sent as ASCII,
space-separated hex strings, e.g. "00 3f dd 00 c6 be".)
If the command cannot return an appropriate varbind - e.g the specified OID did not
correspond to a valid instance for a GET request, or there were no following
instances for a GETNEXT - then it should exit without producing any output. This
will result in an SNMP noSuchName error, or a noSuchInstance exception.
Note: The SMIv2 type counter64 and SNMPv2 noSuchObject exception are not
supported.
A SET request will result in the command being called as:
PROG -s OID TYPE VALUE
where TYPE is one of the tokens listed above, indicating the type of the value
passed as the third parameter.
If the assignment is successful, the PROG command should exit without producing any
output. Errors should be indicated by writing one of the strings not-writable, or
wrong-type to stdout, and the agent will generate the appropriate error response.
Note: The other SNMPv2 errors are not supported.
In either case, the command should exit once it has finished processing. Each
request (and each varbind within a single request) will trigger a separate
invocation of the command.
The default registration priority is 127. This can be changed by supplying the
optional -p flag, with lower priority registrations being used in preference to
higher priority values.
pass_persist [-p priority] MIBOID PROG
will also pass control of the subtree rooted at MIBOID to the specified PROG
command. However this command will continue to run after the initial request has
been answered, so subsequent requests can be processed without the startup
overheads.
Upon initialization, PROG will be passed the string "PING\n" on stdin, and should
respond by printing "PONG\n" to stdout.
For GET and GETNEXT requests, PROG will be passed two lines on stdin, the command
(get or getnext) and the requested OID. It should respond by printing three lines
to stdout - the OID for the result varbind, the TYPE and the VALUE itself - exactly
as for the pass directive above. If the command cannot return an appropriate
varbind, it should print print "NONE\n" to stdout (but continue running).
For SET requests, PROG will be passed three lines on stdin, the command (set) and
the requested OID, followed by the type and value (both on the same line). If the
assignment is successful, the command should print "DONE\n" to stdout. Errors
should be indicated by writing one of the strings not-writable, wrong-type,
wrong-length, wrong-value or inconsistent-value to stdout, and the agent will
generate the appropriate error response. In either case, the command should
continue running.
The registration priority can be changed using the optional -p flag, just as for
the pass directive.
pass and pass_persist extensions can only be configured via the snmpd.conf file. They
cannot be set up via SNMP SET requests.
Embedded Perl Support
Programs using the previous extension mechanisms can be written in any convenient
programming language - including perl, which is a common choice for pass-through
extensions in particular. However the Net-SNMP agent also includes support for embedded
perl technology (similar to mod_perl for the Apache web server). This allows the agent to
interpret perl scripts directly, thus avoiding the overhead of spawning processes and
initializing the perl system when a request is received.
Use of this mechanism requires that the agent was built with support for the embedded perl
mechanism, which is not part of the default build environment. It must be explicitly
included by specifying the '--enable-embedded-perl' option to the configure script when
the package is first built.
If enabled, the following directives will be recognised:
disablePerl true
will turn off embedded perl support entirely (e.g. if there are problems with the
perl installation).
perlInitFile FILE
loads the specified initialisation file (if present) immediately before the first
perl directive is parsed. If not explicitly specified, the agent will look for the
default initialisation file /usr/share/snmp/snmp_perl.pl.
The default initialisation file creates an instance of a NetSNMP::agent object - a
variable $agent which can be used to register perl-based MIB handler routines.
perl EXPRESSION
evaluates the given expression. This would typically register a handler routine to
be called when a section of the OID tree was requested:
perl use Data::Dumper;
perl sub myroutine { print "got called: ",Dumper(@_),"\n"; }
perl $agent->register('mylink', '.1.3.6.1.8765', \&myroutine);
This expression could also source an external file:
perl 'do /path/to/file.pl';
or perform any other perl-based processing that might be required.
Dynamically Loadable Modules
Most of the MIBs supported by the Net-SNMP agent are implemented as C code modules, which
were compiled and linked into the agent libraries when the suite was first built. Such
implementation modules can also be compiled independently and loaded into the running
agent once it has started. Use of this mechanism requires that the agent was built with
support for the ucd-snmp/dlmod module (which is included as part of the default build
configuration).
dlmod NAME PATH
will load the shared object module from the file PATH (an absolute filename), and
call the initialisation routine init_NAME.
Note: If the specified PATH is not a fully qualified filename, it will be
interpreted relative to /usr/lib/x86_64-linux-gnu/snmp/dlmod, and .so will
be appended to the filename.
This functionality can also be configured using SNMP SET requests to the UCD-DLMOD-MIB.
Proxy Support
Another mechanism for extending the functionality of the agent is to pass selected
requests (or selected varbinds) to another SNMP agent, which can be running on the same
host (presumably listening on a different port), or on a remote system. This can be
viewed either as the main agent delegating requests to the remote one, or acting as a
proxy for it. Use of this mechanism requires that the agent was built with support for
the ucd-snmp/proxy module (which is included as part of the default build configuration).
proxy [-Cn CONTEXTNAME] [SNMPCMD_ARGS] HOST OID [REMOTEOID]
will pass any incoming requests under OID to the agent listening on the port
specified by the transport address HOST. See the section LISTENING ADDRESSES in
the snmpd(8) manual page for more information about the format of listening
addresses.
Note: To proxy the entire MIB tree, use the OID .1.3 (not the top-level .1)
The SNMPCMD_ARGS should provide sufficient version and administrative information to
generate a valid SNMP request (see snmpcmd(1)).
Note: The proxied request will not use the administrative settings from the original
request.
If a CONTEXTNAME is specified, this will register the proxy delegation within the named
context in the local agent. Defining multiple proxy directives for the same OID but
different contexts can be used to query several remote agents through a single proxy, by
specifying the appropriate SNMPv3 context in the incoming request (or using suitable
configured community strings - see the com2sec directive).
Specifying the REMOID parameter will map the local MIB tree rooted at OID to an equivalent
subtree rooted at REMOID on the remote agent.
SMUX Sub-Agents
The Net-SNMP agent supports the SMUX protocol (RFC 1227) to communicate with SMUX-based
subagents (such as gated, zebra or quagga). Use of this mechanism requires that the agent
was built with support for the smux module, which is not part of the default build
environment, and must be explicitly included by specifying the '--with-mib-modules=smux'
option to the configure script when the package is first built.
Note: This extension protocol has been officially deprecated in favour of AgentX
(see below).
smuxpeer OID PASS
will register a subtree for SMUX-based processing, to be authenticated using the
password PASS. If a subagent (or "peer") connects to the agent and registers this
subtree then requests for OIDs within it will be passed to that SMUX subagent for
processing.
A suitable entry for an OSPF routing daemon (such as gated, zebra or quagga) might
be something like
smuxpeer .1.3.6.1.2.1.14 ospf_pass
smuxsocket <IPv4-address>
defines the IPv4 address for SMUX peers to communicate with the Net-SNMP agent.
The default is to listen on all IPv4 interfaces ("0.0.0.0"), unless the package has
been configured with "--enable-local-smux" at build time, which causes it to only
listen on 127.0.0.1 by default. SMUX uses the well-known TCP port 199.
Note the Net-SNMP agent will only operate as a SMUX master agent. It does not support
acting in a SMUX subagent role.
AgentX Sub-Agents
The Net-SNMP agent supports the AgentX protocol (RFC 2741) in both master and subagent
roles. Use of this mechanism requires that the agent was built with support for the
agentx module (which is included as part of the default build configuration), and also
that this support is explicitly enabled (e.g. via the snmpd.conf file).
There are two directives specifically relevant to running as an AgentX master agent:
master agentx
will enable the AgentX functionality and cause the agent to start listening for
incoming AgentX registrations. This can also be activated by specifying the '-x'
command-line option (to specify an alternative listening socket).
agentXPerms SOCKPERMS [DIRPERMS [USER|UID [GROUP|GID]]]
Defines the permissions and ownership of the AgentX Unix Domain socket, and the
parent directories of this socket. SOCKPERMS and DIRPERMS must be octal digits
(see chmod(1) ). By default this socket will only be accessible to subagents which
have the same userid as the agent.
There is one directive specifically relevant to running as an AgentX sub-agent:
agentXPingInterval NUM
will make the subagent try and reconnect every NUM seconds to the master if it ever
becomes (or starts) disconnected.
The remaining directives are relevant to both AgentX master and sub-agents:
agentXSocket [<transport-specifier>:]<transport-address>[,...]
defines the address the master agent listens at, or the subagent should connect to.
The default is the Unix Domain socket "/var/agentx/master". Another common
alternative is tcp:localhost:705. See the section LISTENING ADDRESSES in the
snmpd(8) manual page for more information about the format of addresses.
Note: Specifying an AgentX socket does not automatically enable AgentX
functionality (unlike the '-x' command-line option).
agentXTimeout NUM
defines the timeout period (NUM seconds) for an AgentX request. Default is 1
second. NUM also be specified with a suffix of one of s (for seconds), m (for
minutes), h (for hours), d (for days), or w (for weeks).
agentXRetries NUM
defines the number of retries for an AgentX request. Default is 5 retries.
net-snmp ships with both C and Perl APIs to develop your own AgentX subagent.
OTHER CONFIGURATION
override [-rw] OID TYPE VALUE
This directive allows you to override a particular OID with a different value (and
possibly a different type of value). The -rw flag will allow snmp SETs to modify
it's value as well. (note that if you're overriding original functionality, that
functionality will be entirely lost. Thus SETS will do nothing more than modify
the internal overridden value and will not perform any of the original
functionality intended to be provided by the MIB object. It's an emulation only.)
An example:
override sysDescr.0 octet_str "my own sysDescr"
That line will set the sysDescr.0 value to "my own sysDescr" as well as make it
modifiable with SNMP SETs as well (which is actually illegal according to the MIB
specifications).
Note that care must be taken when using this. For example, if you try to override
a property of the 3rd interface in the ifTable with a new value and later the
numbering within the ifTable changes it's index ordering you'll end up with
problems and your modified value won't appear in the right place in the table.
Valid TYPEs are: integer, uinteger, octet_str, object_id, counter, null (for
gauges, use "uinteger"; for bit strings, use "octet_str"). Note that setting an
object to "null" effectively delete's it as being accessible. No VALUE needs to be
given if the object type is null.
More types should be available in the future.
If you're trying to figure out aspects of the various mib modules (possibly some that
you've added yourself), the following may help you spit out some useful debugging
information. First off, please read the snmpd manual page on the -D flag. Then the
following configuration snmpd.conf token, combined with the -D flag, can produce useful
output:
injectHandler HANDLER modulename [beforeThis]
This will insert new handlers into the section of the mib tree referenced by
"modulename". If "beforeThis" is specified then the module will be injected before
the named module. This is useful for getting a handler into the exact right
position in the chain.
The types of handlers available for insertion are:
stash_cache
Caches information returned from the lower level. This greatly help the
performance of the agent, at the cost of caching the data such that its no
longer "live" for 30 seconds (in this future, this will be configurable).
Note that this means snmpd will use more memory as well while the
information is cached. Currently this only works for handlers registered
using the table_iterator support, which is only a few mib tables. To use
it, you need to make sure to install it before the table_iterator point in
the chain, so to do this:
injectHandler stash_cache NAME table_iterator
If you want a table to play with, try walking the nsModuleTable with and
without this injected.
debug Prints out lots of debugging information when the -Dhelper:debug flag is
passed to the snmpd application.
read_only
Forces turning off write support for the given module.
serialize
If a module is failing to handle multiple requests properly (using the new
5.0 module API), this will force the module to only receive one request at a
time.
bulk_to_next
If a module registers to handle getbulk support, but for some reason is
failing to implement it properly, this module will convert all getbulk
requests to getnext requests before the final module receives it.
dontLogTCPWrappersConnects
If the snmpd was compiled with TCP Wrapper support, it logs every connection made
to the agent. This setting disables the log messages for accepted connections.
Denied connections will still be logged.
Figuring out module names
To figure out which modules you can inject things into, run snmpwalk on the
nsModuleTable which will give a list of all named modules registered within the
agent.
Internal Data tables
table NAME
add_row NAME INDEX(ES) VALUE(S)
NOTES
o The Net-SNMP agent can be instructed to re-read the various configuration files,
either via an snmpset assignment of integer(1) to
UCD-SNMP-MIB::versionUpdateConfig.0 (.1.3.6.1.4.1.2021.100.11.0), or by sending a
kill -HUP signal to the agent process.
o All directives listed with a value of "yes" actually accept a range of boolean
values. These will accept any of 1, yes or true to enable the corresponding
behaviour, or any of 0, no or false to disable it. The default in each case is for
the feature to be turned off, so these directives are typically only used to enable
the appropriate behaviour.
EXAMPLE CONFIGURATION FILE
See the EXAMPLE.CONF file in the top level source directory for a more detailed example of
how the above information is used in real examples.
FILES
/etc/snmp/snmpd.conf
SEE ALSO
snmpconf(1), snmpusm(1), snmp.conf(5), snmp_config(5), snmpd(8), EXAMPLE.conf,
netsnmp_config_api(3).