HowTo: install and configure the Net-SNMP agent－藍色情懷

HowTo: install and configure the Net-SNMP agent

HOWTO IN PROGRESS

Version 0.6 (11/02/2006) : added the "dontPrintUnits" keyword
Version 0.5 (09/22/2006) : graph processes
Version 0.4 (08/30/2006) : make Net-SNMP listens on TCP, and bind to a specific IP address
Version 0.3 (08/14/2006) : build from sources instructions
Version 0.2 (08/11/2006) : added SNMP version 3, "exec" and "proxy" directives
Version 0.1 (08/10/2006) : intial release

This HowTo will explain how to install and configure the Net-SNMP agent. As the time of writing, the latest version available is 5.4 (published on 12/06/2006).

Chapter I: Getting Net-SNMP binaries

Depending on your operating system, you'll find packages or tarballs to install Net-SNMP :

Linux
Usually every Linux distribution comes with Net-SNMP packages :
- RedHat / Fedora : install the net-snmp, net-snmp-libs and net-snmp-utils packages
- Debian / Ubuntu: install the libsnmp-base, libsnmp5, snmp and snmpd packages
- SuSE : install the net-snmp package
- Gentoo : simply emerge the net-snmp ebuild
- Mandriva : install the libnet-snmp5, net-snmp and net-snmp-utils packages.
AIX
Packages are available in the University of California repository:
Solaris
Packages are available in the Sunfreeware repository :
For these packages to work, OpenSSL and GCC libraries need to be installed also.

Tarballs are also available from the Net-SNMP main site :
These tarballs have to be extracted from / has they contain absolute paths.
Files are copied to /usr/local/share/snmp, /usr/local/libs, /usr/local/include/net-snmp, /usr/local/man, /usr/local/bin and /usr/local/sbin
HP-UX
Tarballs are available from the Net-SNMP main site :
These tarballs have to be extracted from / has they contain absolute paths. Beware that these are not stripped in these tarballs, this waste a lot space.
Files are copied to /usr/local/share/snmp, /usr/local/libs, /usr/local/include/net-snmp, /usr/local/man, /usr/local/bin and /usr/local/sbin
FreeBSD
Net-SNMP is available through the ports

Chapter II: Building the Net-SNMP agent from sources

If you can't find binaries for your architecture, you can build the Net-SNMP agent from sources. Latest sources are available here.

Here's how to get the configure options of an already running Net-SNMP agent :

Code:

$ snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.100.6.0
UCD-SNMP-MIB::versionConfigureOptions.0 = STRING: "'-disable-shared' '--with-mib-modules=host/hr_system'"

Some useful mib modules are :

mibII/mta_sendmail, to graph MTA (Sendmail, Postfix, etc.) statistics
diskio, to enable to graph I/O statistics
ucd-snmp/lmSensors, for hardware monitoring (Linux and Solaris only)

Mib modules can be added like this :

Code:

$ ./configure --with-mib-modules="module1 module2"

To compile Net-SNMP and build a compressed archive, follow these steps :

Code:

$ ./configure --with-your-options
$ make
# mkdir /usr/local/dist
# make install prefix=/usr/local/dist/usr/local exec_prefix=/usr/local/dist/usr/local
# cd /usr/local/dist
# tar cvf /tmp/net-snmp-5.3.1-dist.tar usr
# gzip /tmp/net-snmp-5.3.1-dist.tar
# rm -rf /usr/local/dist

You can then copy the /tmp/net-snmp-5.3.1-dist.tar.gz file to other servers, and uncompress it from the root directory (everything will get extracted to /usr/local).

Chapter III: Configuring the Net-SNMP agent

Depending on how you've installed Net-SNMP, the main configuration file (snmpd.conf) is located in /etc/snmp (installation from package) or /usr/local/share/snmp (installation from tarball).

Please note that you need to restart (or send the HUP signal) the snmpd daemon whenever you modify snmpd.conf !

The minimum configuration is this one :

Code:

rocommunity public

This will enable SNMP version 1/2 read-only requests from any host, with the community name public.
With this minimal configuration, you'll be able to graph CPU usage, load average, network interfaces, memory / swap usage, logged in users and number of processes.

You can restrict from which hosts SNMP queries are allowed :

Code:

rocommunity public 127.0.0.1
rocommunity test 87.65.43.21

By default Net-SNMP listens on UDP port 161 on all IPv4 interfaces.
With the following example, Net-SNMP will listen on UDP port 10000 on 10.20.30.40 IP address :

Code:

agentaddress 10.20.30.40:10000

You can also make it listens on TCP, which is supported by Cacti :

Code:

agentaddress tcp:161

The "tcp" keyword can then be used in Cacti :

For those who want some more security, you can use the SNMP version 3 protocol, with MD5 or SHA hashing :

Code:

createUser frederic MD5 mypassphrase DES
group groupv3 usm frederic
view all included .iso 80
access groupv3 "" any auth exact all all all

This creates a user "frederic" whose password is "mypassphrase". To test it :

Code:

# snmpget -v 3 -l AuthNoPriv -u frederic -A mypassphrase 10.50.80.45 sysName.0
SNMPv2-MIB::sysName.0 = STRING: cyclopes

In Cacti, add your device, choose SNMP version 3, and fill the username and password fields :

Now that you're done with access control, add these 2 lines in snmpd.conf to indicate the location and contact name of your device :

Code:

syslocation Bat. C2
syscontact someone@somewhere.org

They will then appear in Cacti management interface :

Some OIDs return a unit, eg "-153 0.1 dBm".
It's a safe idea to turn this off, by adding this to snmpd.conf :

Code:

dontPrintUnits true

Next step is to graph filesystems in Cacti; the easyest way is to add this line in snmpd.conf :

Code:

includeAllDisks

When you'll run the "ucd/net - Get Monitored Partitions" Data Query, all the mounted filesystems will show up :

If you want a filesystem not to be listed here, add this line to snmpd.conf :

Code:

ignoredisk /dev/rdsk/c0t2d0

Unfortunatly, some older versions of Net-SNMP do not fully work with the includeAllDisks keyword

You'll then have to list explicitly all filesystems you want to graph :

Code:

disk /
disk /usr
disk /var
disk /oracle

You can also specify NFS mount points.

Please note that the Net-SNMP agent can only report filesystems which where mounted before its start.
If you manually mount filesystems later, you'll have to reload the Net-SNMP agent (send the HUP signal).

You can also graph processes, by adding this to snmpd.conf :

Code:

proc httpd

The result will be accessible under the ucdavis.prTable.prEntry tree :

prCount, number of current processes running with the name in question
prNames, the process name you're counting.

In our example, the number of Apache processes will be available under the .1.3.6.1.4.1.2021.2.1.5 OID

Chapter IV: Test your configuration

Once Net-SNMP is configured and started, here's how to test it :

Code:

$ snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux cronos 2.4.28 #2 SMP ven jan 14 14:12:01 CET 2005 i686

This basic query shows that your Net-SNMP agent is reachable.

You can even query which Net-SNMP version is running on a host :

Code:

$ snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.100.2.0
UCD-SNMP-MIB::versionTag.0 = STRING: 5.2.1.2

An answer like that one

Code:

$ snmpwalk -v 1 -c foo localhost .1.3.6.1.2.1.1.1.0
Timeout: No Response from localhost

indicates that either the agent is not started, or that the community string is incorrect, or that this device is unreachable.
Check your community string, add firewall rules if necessary, etc.

If using SNMP version 3, specifying an unknown user will result in this error message :

Code:

$ snmpget -v 3 -l AuthNoPriv -u john -A mypassphrase 10.50.80.45 sysName.0
snmpget: Unknown user name

An incorrect passphrase will result in this error message :

Code:

$ snmpget -v 3 -l AuthNoPriv -u frederic -A badpassphrase 10.50.80.45 sysName.0
snmpget: Authentication failure (incorrect password, community or key)

This query will show you what filesystems are mounted :

Code:

$ snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.9.1.2
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /BB
UCD-SNMP-MIB::dskPath.3 = STRING: /dev/shm

If the answer is empty, usually it means the includeAllDisks is not supported by your Net-SNMP agent (you'll have to list each filesystem you want to graph as explained in previous chapter).

Finally, this query will you display your network interfaces :

Code:

$ snmpwalk -v 1 -c public localhost .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1

Chapter V: Extending the Net-SNMP agent

A great functionnality of Net-SNMP is that you can "extend" it.

Let's run the /tmp/foo.sh script :

Code:

$ /tmp/foo.sh -arg1
123

Now put this in snmpd.conf :

Code:

exec foo /bin/sh /tmp/foo.sh -arg1

The result of your script will be accessible under the ucdavis.extTable.extEntry tree :

output of the script : ucdavis.extTable.extEntry.extOutput
exit status : ucdavis.extTable.extEntry.extResult
command : ucdavis.extTable.extEntry.extCommand

You can check the result with this SNMP query :

Code:

$ snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.8.1
UCD-SNMP-MIB::extIndex.1 = INTEGER: 1
UCD-SNMP-MIB::extNames.1 = STRING: foo
UCD-SNMP-MIB::extCommand.1 = STRING: /bin/sh /tmp/foo.sh -arg1
UCD-SNMP-MIB::extResult.1 = INTEGER: 0
UCD-SNMP-MIB::extOutput.1 = STRING: 123
UCD-SNMP-MIB::extErrFix.1 = INTEGER: 0
UCD-SNMP-MIB::extErrFixCmd.1 = STRING:

extOutput translates to .1.3.6.1.4.1.2021.8.1.101
As "foo" is our first exec directive, add ".1" at the end of the OID.

In Cacti, use the "SNMP - Generic OID Template" like this :

Voila ! Result of the /tmp/foo.sh script is now graphed in Cacti.

Now let's run this second script, which returns more than one result :

Code:

$ /tmp/bar.sh
456
789

It returns two values, one per line (this is important).

Another way to call scripts from snmpd.conf is by specifying an OID, like this :

Code:

exec .1.3.6.1.4.1.2021.555 /bin/sh /tmp/bar.sh

Run this query :

Code:

$ snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.555
UCD-SNMP-MIB::ucdavis.555.1.1 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.555.2.1 = STRING: "/bin/sh"
UCD-SNMP-MIB::ucdavis.555.3.1 = STRING: "/tmp/bar.sh"
UCD-SNMP-MIB::ucdavis.555.100.1 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.555.101.1 = STRING: "456"
UCD-SNMP-MIB::ucdavis.555.101.2 = STRING: "789"
UCD-SNMP-MIB::ucdavis.555.102.1 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.555.103.1 = ""

First line returned by the script will be available at .1.3.6.1.4.1.2021.555.101.1, second one at .1.3.6.1.4.1.2021.555.101.2, and so on.

You can then use the "SNMP - Generic OID Template" in Cacti (one Data Source per OID).

We'll then use another interesting directive, the "proxy" one.
Let's take for example the Squid proxy : when enabled, its SNMP agent listen to UDP 3401 port.
If you want to have system graphs and Squid graphs without declaring 2 devices in Cacti, add this in snmpd.conf :

Code:

proxy -v 1 -c public localhost:3401 .1.3.6.1.4.1.3495.1

The Squid SNMP tree will be available under the .1.3.6.1.4.1.3495.1 branch.

Let's query this host :

Code:

$ snmpwalk -v 1 -c public 10.151.33.3 sysdescr
SNMPv2-MIB::sysDescr.0 = STRING: Linux srv1.foo.com 2.6.8.1-12mdk #1 Fri Oct 1 12:53:41 CEST 2004 i686

And here's the Squid part (this specific OID returns the Squid version) :

Code:

$ snmpwalk -v 1 -c public 10.151.33.3 .1.3.6.1.4.1.3495.1.2.3.0
SNMPv2-SMI::enterprises.3495.1.2.3.0 = STRING: "2.5.STABLE6"

You'll find how to enable the Squid SNMP agent here.