SNMPv3 configuration *NIX
Hello
Trying to configure SNMP on my *NIX servers, never done this before so have looked at some documentation to get going, the requirement is to not use SNMPv1 or v2.
On our SLES boxes we have Net-SNMP 5.3, seem to be ok. I have a rough config after running the 'snmpconf -g basic_setup' command.
I have also created a user and credentials to successfully run 'snmpwalk' from a remote machine with the same user/credentials. Now I need to tell SNMP to send traps to a specific IP address (somewhere other than where the servers are physically).
I am sure I need to configure addtional settings in snmpd.conf but do not really understand what .
Here is my /etc/snmp/snmpd.conf;
##########################
#
# snmpd.conf
#
# - created by the snmpconf configuration program
#
##########################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.
# rwuser: a SNMPv3 read-write user
# arguments: user [noauth|auth|priv] [restriction_oid]
rwuser auser auth system
rwuser buser
# rouser: a SNMPv3 read-only user
# arguments: user [noauth|auth|priv] [restriction_oid]
rouser auserro
##########################
# SECTION: Monitor Various Aspects of the Running Host
#
# The following check up on various aspects of a host.
# proc: Check for processes that should be running.
# proc NAME [MAX=0] [MIN=0]
#
# NAME: the name of the process to check for. It must match
# exactly (ie, http will not find httpd processes).
# MAX: the maximum number allowed to be running. Defaults to 0.
# MIN: the minimum number to be running. Defaults to 0.
#
# The results are reported in the prTable section of the UCD-SNMP-MIB tree
# Special Case: When the min and max numbers are both 0, it assumes
# you want a max of infinity and a min of 1.
proc sshd 1 1
procfix service sshd start
# disk: Check for disk space usage of a partition.
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
#
# disk PATH [MIN=100000]
#
# PATH: mount path to the disk in question.
# MIN: Disks with space below this value will have the Mib's errorFlag set.
# Can be a raw byte value or a percentage followed by the %
# symbol. Default value = 100000.
#
# The results are reported in the dskTable section of the UCD-SNMP-MIB tree
disk / 10%
# load: Check for unreasonable load average values.
# Watch the load average levels on the machine.
#
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
#
# 1MAX: If the 1 minute load average is above this limit at query
# time, the errorFlag will be set.
# 5MAX: Similar, but for 5 min average.
# 15MAX: Similar, but for 15 min average.
#
# The results are reported in the laTable section of the UCD-SNMP-MIB tree
load 60 60 60
# file: Check on the size of a file.
# Display a files size statistics.
# If it grows to be too large, report an error about it.
#
# file /path/to/file [maxsize_in_bytes]
#
# if maxsize is not specified, assume only size reporting is needed.
#
# The results are reported in the fileTable section of the UCD-SNMP-MIB tree
file /var/log/messages 20000000
##########################
# SECTION: Trap Destinations
#
# Here we define who the agent will send traps to.
# trapsink: A SNMPv1 trap receiver
# arguments: host [community] [portnum]
trapsink x.x.x.x
# trap2sink: A SNMPv2c trap receiver
# arguments: host [community] [portnum]
trap2sink x.x.x.x
# informsink: A SNMPv2c inform (acknowledged trap) receiver
# arguments: host [community] [portnum]
informsink x.x.x.x
# trapcommunity: Default trap sink community to use
# arguments: community-string
trapcommunity mycommunitystring
# authtrapenable: Should we send traps when authentication failures occur
# arguments: 1 | 2 (1 = yes, 2 = no)
authtrapenable 1
##########################
# SECTION: System Information Setup
#
# This section defines some of the information reported in
# the "system" mib group in the mibII tree.
# syslocation: The [typically physical] location of the system.
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysLocation.0 variable will make
# the agent return the "notWritable" error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: location_string
syslocation "Server room"
# syscontact: The contact information for the administrator
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysContact.0 variable will make
# the agent return the "notWritable" error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: contact_string
syscontact admin@serverroom.com
# sysservices: The proper value for the sysServices object.
# arguments: sysservices_number
sysservices 64
#END OF FILE
******************
As you can see I have trapsinks in, but I am not sure if SNMPv3 traps will forward to these.
Thanks
P
Trying to configure SNMP on my *NIX servers, never done this before so have looked at some documentation to get going, the requirement is to not use SNMPv1 or v2.
On our SLES boxes we have Net-SNMP 5.3, seem to be ok. I have a rough config after running the 'snmpconf -g basic_setup' command.
I have also created a user and credentials to successfully run 'snmpwalk' from a remote machine with the same user/credentials. Now I need to tell SNMP to send traps to a specific IP address (somewhere other than where the servers are physically).
I am sure I need to configure addtional settings in snmpd.conf but do not really understand what .
Here is my /etc/snmp/snmpd.conf;
##########################
#
# snmpd.conf
#
# - created by the snmpconf configuration program
#
##########################
# SECTION: Access Control Setup
#
# This section defines who is allowed to talk to your running
# snmp agent.
# rwuser: a SNMPv3 read-write user
# arguments: user [noauth|auth|priv] [restriction_oid]
rwuser auser auth system
rwuser buser
# rouser: a SNMPv3 read-only user
# arguments: user [noauth|auth|priv] [restriction_oid]
rouser auserro
##########################
# SECTION: Monitor Various Aspects of the Running Host
#
# The following check up on various aspects of a host.
# proc: Check for processes that should be running.
# proc NAME [MAX=0] [MIN=0]
#
# NAME: the name of the process to check for. It must match
# exactly (ie, http will not find httpd processes).
# MAX: the maximum number allowed to be running. Defaults to 0.
# MIN: the minimum number to be running. Defaults to 0.
#
# The results are reported in the prTable section of the UCD-SNMP-MIB tree
# Special Case: When the min and max numbers are both 0, it assumes
# you want a max of infinity and a min of 1.
proc sshd 1 1
procfix service sshd start
# disk: Check for disk space usage of a partition.
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
#
# disk PATH [MIN=100000]
#
# PATH: mount path to the disk in question.
# MIN: Disks with space below this value will have the Mib's errorFlag set.
# Can be a raw byte value or a percentage followed by the %
# symbol. Default value = 100000.
#
# The results are reported in the dskTable section of the UCD-SNMP-MIB tree
disk / 10%
# load: Check for unreasonable load average values.
# Watch the load average levels on the machine.
#
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
#
# 1MAX: If the 1 minute load average is above this limit at query
# time, the errorFlag will be set.
# 5MAX: Similar, but for 5 min average.
# 15MAX: Similar, but for 15 min average.
#
# The results are reported in the laTable section of the UCD-SNMP-MIB tree
load 60 60 60
# file: Check on the size of a file.
# Display a files size statistics.
# If it grows to be too large, report an error about it.
#
# file /path/to/file [maxsize_in_bytes]
#
# if maxsize is not specified, assume only size reporting is needed.
#
# The results are reported in the fileTable section of the UCD-SNMP-MIB tree
file /var/log/messages 20000000
##########################
# SECTION: Trap Destinations
#
# Here we define who the agent will send traps to.
# trapsink: A SNMPv1 trap receiver
# arguments: host [community] [portnum]
trapsink x.x.x.x
# trap2sink: A SNMPv2c trap receiver
# arguments: host [community] [portnum]
trap2sink x.x.x.x
# informsink: A SNMPv2c inform (acknowledged trap) receiver
# arguments: host [community] [portnum]
informsink x.x.x.x
# trapcommunity: Default trap sink community to use
# arguments: community-string
trapcommunity mycommunitystring
# authtrapenable: Should we send traps when authentication failures occur
# arguments: 1 | 2 (1 = yes, 2 = no)
authtrapenable 1
##########################
# SECTION: System Information Setup
#
# This section defines some of the information reported in
# the "system" mib group in the mibII tree.
# syslocation: The [typically physical] location of the system.
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysLocation.0 variable will make
# the agent return the "notWritable" error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: location_string
syslocation "Server room"
# syscontact: The contact information for the administrator
# Note that setting this value here means that when trying to
# perform an snmp SET operation to the sysContact.0 variable will make
# the agent return the "notWritable" error code. IE, including
# this token in the snmpd.conf file will disable write access to
# the variable.
# arguments: contact_string
syscontact admin@serverroom.com
# sysservices: The proper value for the sysServices object.
# arguments: sysservices_number
sysservices 64
#END OF FILE
******************
As you can see I have trapsinks in, but I am not sure if SNMPv3 traps will forward to these.
Thanks
P
You need a monitor statement to watch the prTable and issue the trap. This page has a good example of setting this up with v3 traps:
http://www.adventuresinoss.com/?p=1220
Although I'm not sure whether the trap would get issued considering you have a procfix command, so prErrorFlag might never get set.
http://www.adventuresinoss.com/?p=1220
Although I'm not sure whether the trap would get issued considering you have a procfix command, so prErrorFlag might never get set.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Found own solution
ASKER
Just need to figure out why traps are not being sent when I stop the process I have set up to be monitored (sshd in configuration above).
Any thoughts about this would be welcome.
Cheers. P.