24.6.3. Configuring Net-SNMP
To change the Net-SNMP Agent Daemon configuration, edit the
/etc/snmp/snmpd.conf
configuration file. The default snmpd.conf
file shipped with Red Hat Enterprise Linux 6 is heavily commented and serves as a good starting point for agent configuration.
This section focuses on two common tasks: setting system information and configuring authentication. For more information about available configuration directives, see the snmpd.conf(5) manual page. Additionally, there is a utility in the net-snmp package named
snmpconf
which can be used to interactively generate a valid agent configuration.
Note that the net-snmp-utils package must be installed in order to use the
snmpwalk
utility described in this section.
Note
For any changes to the configuration file to take effect, force the
snmpd
service to re-read the configuration by running the following command as root
:
service
snmpd
reload
24.6.3.1. Setting System Information
Net-SNMP provides some rudimentary system information via the
system
tree. For example, the following snmpwalk
command shows the system
tree with a default agent configuration.
~]# snmpwalk -v2c -c public localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (99554) 0:16:35.54
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: localhost.localdomain
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
By default, the
sysName
object is set to the host name. The sysLocation
and sysContact
objects can be configured in the /etc/snmp/snmpd.conf
file by changing the value of the syslocation
and syscontact
directives, for example:
syslocation Datacenter, Row 3, Rack 2 syscontact UNIX Admin <admin@example.com>
After making changes to the configuration file, reload the configuration and test it by running the
snmpwalk
command again:
~]#service snmpd reload
Reloading snmpd: [ OK ] ~]#snmpwalk -v2c -c public localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64 SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (158357) 0:26:23.57 SNMPv2-MIB::sysContact.0 = STRING: UNIX Admin <admin@example.com> SNMPv2-MIB::sysName.0 = STRING: localhost.localdomain SNMPv2-MIB::sysLocation.0 = STRING: Datacenter, Row 3, Rack 2
24.6.3.2. Configuring Authentication
The Net-SNMP Agent Daemon supports all three versions of the SNMP protocol. The first two versions (1 and 2c) provide for simple authentication using a community string. This string is a shared secret between the agent and any client utilities. The string is passed in clear text over the network however and is not considered secure. Version 3 of the SNMP protocol supports user authentication and message encryption using a variety of protocols. The Net-SNMP agent also supports tunneling over SSH, TLS authentication with X.509 certificates, and Kerberos authentication.
Configuring SNMP Version 2c Community
To configure an SNMP version 2c community, use either the
rocommunity
or rwcommunity
directive in the /etc/snmp/snmpd.conf
configuration file. The format of the directives is the following:
directive community [source [OID]]
where community is the community string to use, source is an IP address or subnet, and OID is the SNMP tree to provide access to. For example, the following directive provides read-only access to the
system
tree to a client using the community string “redhat” on the local machine:
rocommunity redhat 127.0.0.1 .1.3.6.1.2.1.1
To test the configuration, use the
snmpwalk
command with the -v
and -c
options.
~]# snmpwalk -v2c -c redhat localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (158357) 0:26:23.57
SNMPv2-MIB::sysContact.0 = STRING: UNIX Admin <admin@example.com>
SNMPv2-MIB::sysName.0 = STRING: localhost.localdomain
SNMPv2-MIB::sysLocation.0 = STRING: Datacenter, Row 3, Rack 2
Configuring SNMP Version 3 User
To configure an SNMP version 3 user, use the
net-snmp-create-v3-user
command. This command adds entries to the /var/lib/net-snmp/snmpd.conf
and /etc/snmp/snmpd.conf
files which create the user and grant access to the user. Note that the net-snmp-create-v3-user
command may only be run when the agent is not running. The following example creates the “admin” user with the password “redhatsnmp”:
~]#service snmpd stop
Stopping snmpd: [ OK ] ~]#net-snmp-create-v3-user
Enter a SNMPv3 user name to create: admin Enter authentication pass-phrase: redhatsnmp Enter encryption pass-phrase: [press return to reuse the authentication pass-phrase] adding the following line to /var/lib/net-snmp/snmpd.conf: createUser admin MD5 "redhatsnmp" DES adding the following line to /etc/snmp/snmpd.conf: rwuser admin ~]#service snmpd start
Starting snmpd: [ OK ]
The
rwuser
directive (or rouser
when the -ro
command-line option is supplied) that net-snmp-create-v3-user
adds to /etc/snmp/snmpd.conf
has a similar format to the rwcommunity
and rocommunity
directives:
directive user [noauth
|auth
|priv
] [OID]
where user is a user name and OID is the SNMP tree to provide access to. By default, the Net-SNMP Agent Daemon allows only authenticated requests (the
auth
option). The noauth
option allows you to permit unauthenticated requests, and the priv
option enforces the use of encryption. The authpriv
option specifies that requests must be authenticated and replies should be encrypted.
For example, the following line grants the user “admin” read-write access to the entire tree:
rwuser admin authpriv .1
To test the configuration, create a
.snmp
directory in your user's home directory and a configuration file named snmp.conf
in that directory (~/.snmp/snmp.conf
) with the following lines:
defVersion 3 defSecurityLevel authPriv defSecurityName admin defPassphrase redhatsnmp
The
snmpwalk
command will now use these authentication settings when querying the agent:
~]$ snmpwalk -v3 localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux localhost.localdomain 2.6.32-122.el6.x86_64 #1 SMP Wed Mar 9 23:54:34 EST 2011 x86_64
[output truncated]