SNMP

----

SNMP on CentOS 7:

 

yum install -y net-snmp

systemctl enable snmpd

systemctl start snmpd

 

I suggest using a secured SNMP configuration; restart snmpd.service after any modification.

 

 

##       sec.name  source          community

com2sec solarwinds1 172.xx.xx.xx/27 public

com2sec solarwinds2 172.yy.yy.yy/27 public

 

 

##     group.name sec.model  sec.name

group MyROGroup  v2c       solarwinds1

group MyROGroup  v2c       solarwinds2

 

 

##           incl/excl subtree                          mask

view    systemview    included   .1

 

 

##                context sec.model sec.level prefix read   write  notif

access MyROGroup ""      any       noauth    exact      systemview    none   none

---------------------------------------------------------------------

Install the SNMP packages:

# yum install -y net-snmp net-snmp-utils

Set up a minimal configuration:

# cd /etc/snmp
# cp -p snmpd.conf snmpd.conf.dist
# echo "rocommunity public" > snmpd.conf
# echo "syslocation here" >> snmpd.conf
# echo "syscontact root@localhost" >> snmpd.conf

Activate at boot and start the SNMP service:

# systemctl enable snmpd && systemctl start snmpd

Execute a simple test:

# snmpwalk -v 1 -c public -O e 127.0.0.1
SNMPv2-MIB::sysDescr.0 = STRING: Linux rhel7.example.com 3.10.0-54.0.1.el7.x86_64 #1 SMP Tue Nov 26 16:51:22 EST 2013 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
...

If you plan to monitor the machine through a remote server like Cacti, update the firewall configuration:

# firewall-cmd --permanent --add-port=161/udp
success
# firewall-cmd --reload
success

Additional Resources

If you want some details about metrics, you can have a look at the net-snmp website.

      ###############################################################################################

Install SNMP and SNMP Utilities

Installing SNMP and some optional SNMP utilities is as simple as running one command:

yum -y install net-snmp net-snmp-utils

Add a Basic Configuration for SNMP

Now, let’s take the default SNMP configuration file, /etc/snmp/snmpd.conf and move it to an alternate location, /etc/snmp/snmpd.conf.orig.

mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

And now we’ll create a new /etc/snmp/snmpd.conf:

vim /etc/snmp/snmpd.conf

For a refresher on editing files with vim see: New User Tutorial: Overview of the Vim Text Editor

Insert the following text into the new /etc/snmp/snmpd.conf

# Map 'idv90we3rnov90wer' community to the 'ConfigUser'

# Map '209ijvfwer0df92jd' community to the 'AllUser'

#       sec.name        source          community

com2sec ConfigUser      default         idv90we3rnov90wer

com2sec AllUser         default         209ijvfwer0df92jd

# Map 'ConfigUser' to 'ConfigGroup' for SNMP Version 2c

# Map 'AllUser' to 'AllGroup' for SNMP Version 2c

#                       sec.model       sec.name

group   ConfigGroup     v2c             ConfigUser

group   AllGroup        v2c             AllUser

# Define 'SystemView', which includes everything under .1.3.6.1.2.1.1 (or .1.3.6.1.2.1.25.1)

# Define 'AllView', which includes everything under .1

#                       incl/excl       subtree

view    SystemView      included        .1.3.6.1.2.1.1

view    SystemView      included        .1.3.6.1.2.1.25.1.1

view    AllView         included        .1

# Give 'ConfigGroup' read access to objects in the view 'SystemView'

# Give 'AllGroup' read access to objects in the view 'AllView'

#                       context model   level   prefix  read            write   notify

access  ConfigGroup     ""      any     noauth  exact   SystemView      none    none

access  AllGroup        ""      any     noauth  exact   AllView         none    none

The above text is annotated with basic information on the function of each configuration line. In short, we’re creating two scenarios for polling information from SNMP version 2c.

Note: SNMPv2c contains some security enhancements over SNMPv1 but uses the existing SNMPv1 administration structure, which is “community” based. Areas of improvement include: transport mappings, protocol packet types, and MIB structure elements.

In the first scenario: ConfigUser is assigned to ConfigGroup and may only use SNMP security model 2c, ConfigGroup can use the SystemView, SystemView is assigned to two OID sub-trees, and all of this is referenced in an SNMP poll by the secret and unique community string idv90we3rnov90wer.

In the second scenario: AllUser is assigned to AllGroup and may only use SNMP security model 2c, AllGroup can use the AllView, AllView is assigned to the entire OID tree, and all of this is referenced in an SNMP poll by the secret and unique community string 209ijvfwer0df92jd.

Important Tip: Be ABSOLUTELY SURE that you choose a unique community string and replace the community strings in the above examples. Keep each secret, and keep each safe.

Exit vim, and restart the SNMP service to reload the new configuration file:

service snmpd restart

Configure SNMP to start when the server boots:

chkconfig snmpd on

Test the SNMP Configuration

Now let’s test the SNMP configuration… try running the following two commands:

snmpwalk -v 2c -c idv90we3rnov90wer -O e 127.0.0.1

snmpwalk -v 2c -c 209ijvfwer0df92jd -O e 127.0.0.1

Note: The default ports for SNMP are 161 and 162. If you’re going to connect to SNMP from a remote server, be sure your server’s firewall has the appropriate ports open.
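The com2sec, group, view and access lines described in the two scenarios above chain together, and it is easy to lose track of what a given community string can actually read and from where. The following Python is an added example, not part of the original tutorial or of net-snmp: it resolves that chain for the configuration shown above and flags well-known communities, a source of default, views that include .1, and write access. The function name and flag wording are assumptions, and only the plain directive forms used on this page are parsed.

```python
import shlex

# Sample input: the VACM lines of the snmpd.conf shown above (community strings as on the page).
SAMPLE_CONF = '''
com2sec ConfigUser      default         idv90we3rnov90wer
com2sec AllUser         default         209ijvfwer0df92jd
group   ConfigGroup     v2c             ConfigUser
group   AllGroup        v2c             AllUser
view    SystemView      included        .1.3.6.1.2.1.1
view    SystemView      included        .1.3.6.1.2.1.25.1.1
view    AllView         included        .1
access  ConfigGroup     ""      any     noauth  exact   SystemView      none    none
access  AllGroup        ""      any     noauth  exact   AllView         none    none
'''

def effective_access(conf_text):
    """Resolve com2sec -> group -> access -> view into one row per community."""
    com2sec, groups, views, access = [], {}, {}, {}
    for line in conf_text.splitlines():
        words = line.split()
        if not words or words[0] not in ("com2sec", "group", "view", "access"):
            continue                     # comments, blanks, unrelated directives
        tok = shlex.split(line)          # keeps the empty "" context as a token
        if tok[0] == "com2sec" and len(tok) >= 4:
            com2sec.append((tok[1], tok[2], tok[3]))       # sec.name, source, community
        elif tok[0] == "group" and len(tok) >= 4:
            groups.setdefault(tok[3], set()).add(tok[1])   # sec.name -> group names
        elif tok[0] == "view" and len(tok) >= 4 and tok[2] == "included":
            views.setdefault(tok[1], []).append(tok[3])    # view name -> subtrees
        elif tok[0] == "access" and len(tok) >= 9:
            access[tok[1]] = (tok[6], tok[7])              # group -> (read, write) views
    rows = []
    for sec, source, community in com2sec:
        for grp in sorted(groups.get(sec, ())):
            read, write = access.get(grp, ("none", "none"))
            subtrees = views.get(read, [])
            checks = [(community in ("public", "private"), "well-known community"),
                      (source == "default", "any source address"),
                      (any(s.strip(".") == "1" for s in subtrees), "whole OID tree readable"),
                      (write != "none", "write access")]
            rows.append({"community": community, "source": source, "read": subtrees,
                         "flags": [msg for hit, msg in checks if hit]})
    return rows

if __name__ == "__main__":
    for row in effective_access(SAMPLE_CONF):
        print(row)
```

Run against the first configuration on this page, the same function reports the public community and the .1 view, but not the source, since that one is restricted to a /27.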

##############################################################################

yum install net-snmp net-snmp-utils -y

Verify Installation

After installing the net-snmp packages, verify that they are installed. To check the package installation status, run the command:

rpm -qa | grep net-snmp

SNMP – Configuration File

The default configuration file is set up as shown below. To display the current configuration without comments and blank lines, run the command:

grep -v "^$" /etc/snmp/snmpd.conf | grep -v '^ *#'

Default Configuration File – Snippet

com2sec notConfigUser  default       public

group   notConfigGroup v1           notConfigUser

group   notConfigGroup v2c           notConfigUser

view    systemview    included   .1.3.6.1.2.1.1

view    systemview    included   .1.3.6.1.2.1.25.1.1

access  notConfigGroup ""      any       noauth    exact  systemview none none

syslocation Unknown (edit /etc/snmp/snmpd.conf)

syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)

dontLogTCPWrappersConnects yes

Firewall Configuration

The SNMP protocol works on UDP port 161, and this port needs to be open so that the agent can listen for and answer queries from remote servers. The latest versions of the snmp service also support running over TCP, again on port 161.

Firewall Configuration – Open UDP Port

After installing and checking the default configuration, the next step is to open the firewall port; the SNMP protocol runs on UDP port 161.

firewall-cmd --permanent --add-port=161/udp

Firewall Configuration – Reload

Reload the firewall configuration.

firewall-cmd --reload

Firewall Configuration – List

After reloading firewall daemon, list the current rules set.

firewall-cmd --list-all

snmpwalk – localhost Query

After configuring the firewall, you can test an SNMP query on the localhost; it should retrieve the OID values. To retrieve the information, run the command:

snmpwalk -v 1 -c public -O e 127.0.0.1

snmpwalk – Remote Query

To query from a remote client and retrieve the OID values, run the following command; in this case we are querying from a Windows machine.

snmpwalk -r:54.165.245.172 -q -c:public

SNMP Configuration

For SNMP to answer query requests, it must be configured. Only the agentaddress directive is listed and configured here; other directives can be configured similarly according to business needs.

Listening address

This directive sets the IP address on which the snmp service will listen.

agentaddress 127.0.0.1:161

SNMP Daemon Management

Troubleshooting

Timeout: No Response from 127.0.0.1

Error Message

Timeout: No Response from 127.0.0.1

Cause

One cause is that the service is not running; start the service.

Another cause is that the port is blocked on the remote server, or the default port is not being listened on.

systemctl status snmpd

Resolution

To resolve the first cause, start the daemon and query again. For the second cause, ensure the firewall is configured so that UDP port 161 is open and listening; see the firewall configuration section.

systemctl start snmpd

SNMP Version Features

SNMP currently has 3 versions, which can be configured based on business needs. The table below gives insight into the different versions and their features that provide device statistics.

------