'

Very basic net-snmp setup.

February 9th, 2013 by Andrea Matesi 4207 Views

I've used this setup and it just workedTM, but I reckon it's not the best, since it doesn't supports views, groups and other (interesting) features.

You may use it to get an introduction to net-SNMP. I'm also assuming you're willing to configure it on CentOS or Ubuntu (the sudo / apt commands refer to Ubuntu).

Install NET-SNMP.

Follow those steps to install net-snmp on your system (1st command = CentOS/2nd command = Ubuntu):

yum install net-snmp-utils net-snmp-devel
apt-get install snmp libsnmp-base snmpd sysv-rc-conf

Configure NET-SNMP.

My article uses a Read-only snmp user (remove "-ro" for a rw-one). Name:"user"; Password: "p@ssword":

net-snmp-config --create-snmpv3-user -A MD5 -a p@ssword -x DES -X p@ssword -ro user
sudo net-snmp-config --create-snmpv3-user -A MD5 -a p@ssword -x DES -X p@ssword -ro user

The following autostarts snmpd:

chkconfig snmpd on
sudo sysv-rc-conf snmpd on

Make a backup copy of the original snmpd.conf:

sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.ori

Then edit it /etc/snmp/snmpd.conf:

###########################################################################
# SECTION: Access Control Setup
#
# rouser: a SNMPv3 read-only user
# arguments: user [noauth|auth|priv] [restriction_oid]
rouser user authpriv
# rocommunity: a SNMPv1/SNMPv2c read-only access community name
# arguments: community [default|hostname|network/bits] [oid]
# read-only SNMPv2c naw from all IP addresses/networks:
rocommunity public
interface eth0
agentaddress 192.168.2.11:161
interface lo0
agentaddress 127.0.0.1:161
syslocation "hq"
syscontact "andrea@pwrusr.com"

Verify NET-SNMP.

Launch snmpd:

/etc/init.d/snmpd start

Verify it works on your loopback I/F:

snmpwalk -v 3 -a sha -A p@ssword -x des -X p@ssword -u user -l authPriv localhost | less

Verify it works on your physical I/F adapter:

snmpwalk -a MD5 -A p@ssword -x DES -X p@ssword -u user -c public -l authPriv 192.168.2.11 | less

SNMP iptables rules.

# SNMP
iptables -A INPUT -p udp -m udp -s 0/0 --dport 161:162 -j ACCEPT

Verify user is inside /usr/share/snmp/snmpd.conf:

rouser user

Enable net-snmp logging.

[CentOS-only - for Ubuntu adjust accordingly] Enable net-snmp logging to snmpd.log:

sed -i 's|OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"|OPTIONS="-LS0-6d -Lf /var/log/snmpd.log -p /var/run snmpd.pid"|g' /etc/init.d/snmpd

  • Also, put snmpd.log into logrotate.d, for example:

/var/log/snmpd.log {
    notifempty
    missingok
    size 32M
    yearly
    compress
    compresscmd /usr/bin/bzip2
    compressext .bz2
    postrotate
       /sbin/service snmpd condrestart 2> /dev/null > /dev/null || true
    endscript
}

Debug NET-SNMP.

From a terminal, stop the snmpd daemon and start it manually with:

snmpd -f -L -Dread_config

Enable SNMP debug option as a default, edit /etc/init.d/snmpd:

OPTIONS="-Lsd -Lf /var/log/snmpd.log -p /var/run/snmpd.pid -a -Dread_config"

NET-SNMP AES Support.

[Bonus]: Check if your net-snmp instance supports AES (from http://www.zenoss.com/community/docs/zenoss-guide/2.4.2/apbs02.html).

snmpwalk -x AES 2>&1 | head -1

IF "No hostname specified." -> AES Supported.

IF "Invalid privacy protocol specified after -x flag: AES" -> AES NOT supported.

Posted in LINUX, System Administration | Comments Off on Very basic net-snmp setup.

Comments are closed.