solaris 10 constant activity

Posted on 2013-05-18
Medium Priority
Last Modified: 2013-05-22
I have a Sun Blade 2500 machine running Solaris 10. Recently I have noticed that there is always about 25 to 30% of CPU activity and disk access. This was not the case before for sure for years.

I ran top and see that the snmpd process is always using about 25-30% of CPU and its status changes between sleep/run/cpu1.

The change that I did recently (and I noticed this issue after) was changing a hard drive on the machine. The hard drive had data only and the OS hard drive did not change.

Everything seems to be working fine; however, this change bothers me and I don't know if some setup went wrong, since I did not use to see this before.

What is the use of snmpd? What happens if I become root and kill this process?

This constant activity on machine is becoming annoying. Any idea how to stop this activity as I am sure it was not there before.
Question by:faridsaleh
LVL 40

Expert Comment

ID: 39178644
If you aren't using SNMP, killing the process should not have a harmful effect. But, the extra activity of snmpd could be a sign of some underlying problem. Determining why snmpd is doing this would be the best approach.

Author Comment

ID: 39179311
Could you please describe to me what SNMP is? I read about it on the web, but all the descriptions were not clear to me. I felt I need more background to understand this. I am just an application user of the Unix environment with limited sysadmin knowledge, enough to just get my machines running at minimum requirement.
LVL 40

Expert Comment

ID: 39179365
SNMP is a monitoring and reporting system for the hardware and OS. Excessive cpu use by snmpd could be a sign that it is seeing aberrant behavior of something. The first action should be to look through the system logs for warnings or odd behavior/activity.
Author Comment

ID: 39179426
Thanks; I looked at the latest syslog (file attached) and see these strange email attempts. There are other syslog.# files with similar entries and previous dates, almost from the time I noticed the constant activity.

I have no idea where they are coming from. Could this be the reason for the activity? Note that this machine has a static IP on the net so I can log in to it remotely.

Any suggestion as to how to stop these activities? I have not yet killed the snmpd process. If I kill this process, does it interfere with my network connection?
LVL 40

Expert Comment

ID: 39179440
Sendmail is running, though it looks like it might be misconfigured. Those log entries are spammers trying to use this system as a relay. You could disable sendmail, but the OS uses it for internal messages. The better approach would be to install a firewall and block inbound traffic on port 25. And since there could be other ports open to the Internet above and beyond what the server requires, the firewall should be configured to only allow network traffic on the necessary ports.

Oh yeah, if only a few individuals ssh into the system, move ssh to some non-standard port to discourage ssh probes.

Author Comment

ID: 39179995

While I generally understand your directions, I don't know how to do this. Would installing a firewall mean activating ipf? If yes, I looked at the ipf.conf file and it is empty. Can you send me an example of the ipf.conf file that blocks inbound traffic? Does that prevent other network activities? This server needs to do the following on the network:
- For some applications, check a license on a PC. The PC is the license server.
- Need to see the other machines' file systems.
- Need to share some of its file systems with other machines.
- Should be able to communicate with ExpanDrive running on a PC to see its file system, and I guess ExpanDrive uses ssh.

LVL 62

Expert Comment

ID: 39180678
Do you use some enterprise monitoring software? That might query e.g. Oracle status via SNMP...
LVL 22

Expert Comment

by:Brian Utterback
ID: 39180823
The proper way to disable snmp is to run this command:

svcadm disable svc:/application/management/snmpdx:default

What do the email messages in the syslog say? Maybe snmp is just trying to send you an alert about something and can't do it.

Author Comment

ID: 39186545
Thanks for the comments. Sorry I was busy at work and did not get to this.

In response to gheist: No, I don't use any monitoring software, unless something started on the machine that I don't know about. This machine is at my home office and is not part of a large network. I ran engineering applications on it.

In response to blu: I ran the command, but it does not seem to stop snmpd. It is still running. I have a copy of the syslog file attached to my previous comments if you would like to look at it. Based on the syslog, it seems that the machine is trying to relay some emails for which I do not know the sender or receiver.
LVL 22

Accepted Solution

Brian Utterback earned 2000 total points
ID: 39186653
I missed one service. Run this command:

svcadm disable svc:/application/management/sma:default
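
The situation in this thread, where one service was disabled but snmpd kept running, can be checked by asking SMF which service instance owns the process. The following is an added example, not part of the original posts: a shell function that parses output in the layout of `svcs -a -p`; the sample listing, PIDs, dates and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): map a running process name to the SMF
# service instance that owns it, by parsing `svcs -p` style output.

# Constructed sample in the layout of `svcs -a -p`. On a real Solaris 10
# host, pipe the live command instead:  svcs -a -p | owning_service snmpd
sample_svcs_p() {
cat <<'EOF'
STATE          STIME    FMRI
disabled       May_22   svc:/application/management/snmpdx:default
online         May_18   svc:/network/smtp:sendmail
               May_18        655 sendmail
online         May_18   svc:/application/management/sma:default
               May_18        593 snmpd
online         May_18   svc:/network/ssh:default
               May_18        324 sshd
EOF
}

# owning_service NAME: read the listing on stdin and print
# "<state> <fmri> <pid>" for every process called NAME.
owning_service() {
    awk -v want="$1" '
        # Service line: STATE STIME FMRI. Remember it for the lines below.
        $3 ~ /^(svc|lrc):\// { state = $1; fmri = $3; next }
        # Process line under a service: STIME PID COMMAND.
        $2 ~ /^[0-9]+$/ && $3 == want { print state, fmri, $2 }
    '
}

# disable_hint NAME: print one svcadm command per online service owning NAME.
disable_hint() {
    owning_service "$1" |
        awk '$1 == "online" && !seen[$2]++ { print "svcadm disable " $2 }'
}

sample_svcs_p | owning_service snmpd
sample_svcs_p | disable_hint snmpd
```

In the constructed listing snmpdx is already disabled and has no processes, while snmpd is listed under the sma instance, which is the instance the accepted answer disables.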
LVL 27

Expert Comment

ID: 39187711
Can you send me an example of the ipf.conf file that blocks inbound traffic.

# ipf sample dummy conf
# note: ipf applies the LAST matching rule unless a rule is marked "quick"

# allow outgoing traffic from the machine
pass out all

# allow incoming ssh from everywhere, log first packet of each session
pass in log first quick from any to 0/32 port = 22 keep state

# allow network traffic from lan 10
# ("quick" so the final "block in all" does not override this rule)
pass in quick from 10/8 to 0/32 keep state

# explicitly forbid email traffic from the WAN
# useless but i add it so you have the syntax for interface matching
# this is more secure than using ip addresses
# the interface name is the same as in ifconfig (replace WANIFACE with it)
block in on WANIFACE from any to any port = 25

# block everything else
block in all


But then such a volume of email is by no way what makes snmpd run wild.

If you block the snmp port in the firewall without stopping the process, you'll be able to determine if some external devices are polling snmp info or if snmp is going wild by itself.

It would be very interesting to run a trace on the snmp process to know what is wrong, but if you do not need it (which I assume if you do not know about it), you can safely kill and disable it. Whether you use it or not, the network will most definitely not die if you kill it.

Author Comment

ID: 39189783
Thanks blu, the command worked and stopped the activity. How it was enabled I have no idea.

Thanks skullnobrains too. I will keep the copy of the ipf.conf. It may come in handy sometime.
