SNMP
----
SNMP on CentOS 7 :
yum install -y net-snmp
systemctl enable snmpd
systemctl start snmpd
i suggest to use a securised snmp configuration ; restart snmpd.service after any modification
## sec.name source community
com2sec solarwinds1 172.xx.xx.xx/27 public
com2sec solarwinds2 172.yy.yy.yy/27 public
## group.name sec.model sec.name
group MyROGroup v2c solarwinds1
group MyROGroup v2c solarwinds2
## incl/excl subtree mask
view systemview included .1
## context sec.model sec.level prefix read write notif
access MyROGroup "" any noauth exact systemview none none
---------------------------------------------------------------------
Install the SNMP packages:
# yum install -y net-snmp net-snmp-utils
Set up a minimal configuration:
# cd /etc/snmp # cp -p snmpd.conf snmpd.conf.dist # echo "rocommunity public">snmpd.conf # echo "syslocation here" >>snmpd.conf # echo "syscontact root@localhost" >>snmpd.conf
Activate at boot and start the SNMP service:
# systemctl enable snmpd && systemctl start snmpd
Execute a simple test:
# snmpwalk -v 1 -c public -O e 127.0.0.1 SNMPv2-MIB::sysDescr.0 = STRING: Linux rhel7.example.com 3.10.0-54.0.1.el7.x86_64 #1 SMP Tue Nov 26 16:51:22 EST 2013 x86_64 SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10 ...
If you plan to monitor the machine through a remote server like Cacti, update the firewall configuration:
# firewall-cmd --permanent --add-port=161/udp success # firewall-cmd --reload success
Additional Resources
If you want some details about metrics, you can have a look at the net-snmp website.
###############################################################################################
Install SNMP and SNMP Utilities
Installing SNMP and some optional SNMP utilities is as simple as running one command:
yum -y install net-snmp net-snmp-utils
Add a Basic Configuration for SNMP
Now, let’s take the default SNMP configuration file, /etc/snmp/snmpd.conf and move it to an alternate location, /etc/snmp/snmpd.conf.orig.
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig
And now we’ll create a new /etc/snmp/snmpd.conf:
vim /etc/snmp/snmpd.conf
For a refresher on editing files with vim see: New User Tutorial: Overview of the Vim Text Editor
Insert the following text into the new /etc/snmp/snmpd.conf
# Map 'idv90we3rnov90wer' community to the 'ConfigUser'
# Map '209ijvfwer0df92jd' community to the 'AllUser'
# sec.name source community
com2sec ConfigUser default idv90we3rnov90wer
com2sec AllUser default 209ijvfwer0df92jd
# Map 'ConfigUser' to 'ConfigGroup' for SNMP Version 2c
# Map 'AllUser' to 'AllGroup' for SNMP Version 2c
# sec.model sec.name
group ConfigGroup v2c ConfigUser
group AllGroup v2c AllUser
# Define 'SystemView', which includes everything under .1.3.6.1.2.1.1 (or .1.3.6.1.2.1.25.1)
# Define 'AllView', which includes everything under .1
# incl/excl subtree
view SystemView included .1.3.6.1.2.1.1
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1
# Give 'ConfigGroup' read access to objects in the view 'SystemView'
# Give 'AllGroup' read access to objects in the view 'AllView'
# context model level prefix read write notify
access ConfigGroup "" any noauth exact SystemView none none
access AllGroup "" any noauth exact AllView none none
The above text is noted with basic information on the function of each configuration line. In short, we’re creating two scenarios for polling information from SNMP version 2c.
Note: SNMPv2c contains some security enhancements over SNMPv1 but uses the existing SNMPv1 administration structure, which is “community” based. Areas of improvement include: transport mappings, protocol packet types, and MIB structure elements.
In the first scenario: ConfigUser is assigned to ConfigGroup and may only use SNMP security model 2c, ConfigGroup can use the SystemView, SystemView is assigned to two OID sub-trees, and all of this is referenced in an SNMP poll by the secret, and unique community string idv90we3rnov90wer.
In the second scenario: AllUser is assigned to AllGroup and may only use SNMP security model 2c, AllGroup can use the AllView, AllView is assigned to the entire OID tree, and all of this is referenced in an SNMP poll by the secret, and unique community string 209ijvfwer0df92jd.
Important Tip: Be ABSOLUTELY SURE that you choose a unique community string and replace the community strings in the above examples. Keep each secret, and keep each safe.
Exit vim, and restart the SNMP service to reload the new configuration file:
service snmpd restart
Configure SNMP to start when the server boots:
chkconfig snmpd on
Test the SNMP Configuration
Now let’s test the SNMP configuration… try running the following two commands:
snmpwalk -v 2c -c idv90we3rnov90wer -O e 127.0.0.1
snmpwalk -v 2c -c 209ijvfwer0df92jd -O e 127.0.0.1
Note: The default port for SNMP is 161 and 162. If you’re going to connect to SNMP from a remote server, be sure your server’s firewall has the appropriate ports open.
##############################################################################
yum install net-snmp net-snmp-utils -y
Verify Installation
After installing the net-snmp packages verify if the package is installed, to check package installation status, run the command;
rpm -qa | grep net-snmp*
SNMP – Configuration File
Default configuration file that is configured as per the below. To display current configuration without comments and lines non-blank lines, run command;
grep -v "^$" /etc/snmp/snmpd.conf | grep -v '^ *#'
Default Configuration File – Snippet
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
access notConfigGroup "" any noauth exact systemview none none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
dontLogTCPWrappersConnects yes
Firewall Configuration
SNMP protocol works on UDP port “161” and this port needs to be opened in order to listen and scan the report from remote servers and for latest version of snmp service supports running on TCP port which is again on “161”.
Firewall Configuration – Open UDP Port
After installing and checking the default configuration, the next step that needs to be done is to open firewall port, snmp protocol run on UDP port 161.
firewall-cmd --permanent --add-port=161/udp
Firewall Configuration – Reload
Reload the firewall configuration.
firewall-cmd --reload
Firewall Configuration – List
After reloading firewall daemon, list the current rules set.
firewall-cmd --list-alll
snmpwalk – localhost Query
After configuring the firewall, you can go ahead and test the snmp query data on the localhost it should be able to retrieve the OID values when you run. To retrieve the information run the command;
snmpwalk -v 1 -c public -O e 127.0.0.1
snmpwalk – Remote Query
To query from a remote client to retrieve the OID values when you run. To retrieve the information run the command; in this case we are querying from a windows machine.
snmpwalk -r:54.165.245.172 -q -c:public
SNMP Configuration
In order to SNMP to work for any query requests, it should be configured only agentaddress directives is listed and configured, similarly other directives can be configured according to the business needs.
Listening address
This attribute will associate the IP address wherein the snmp service will listen on.
agentaddress 127.0.0.1:161
SNMP Daemon Management
Troubleshooting
Timeout: No Response from 127.0.0.1
Error Message
Timeout: No Response from 127.0.0.1
Cause
One of the cause is the service is not running, start the service.
Another cause is when the remote server doesn’t have port is blocked or not listening default port on the client.
systemctl status snmpd
Resolution
To resolve the issue we will start the daemon and query again for the first cause, for the second cause ensure firewall port is configured such that UDP port 161 is opened and listening, check firewall configuration section.
systemctl start snmpd
SNMP Version Features
SNMP has 3 versions currently, that can be configured based on the business needs. The below table will give insight into different versions and its features that provide device statistics.
------