1SNMPD.CONF(5)                      Net-SNMP                      SNMPD.CONF(5)
2
3
4

NAME

6       snmpd.conf - configuration file for the Net-SNMP SNMP agent
7

DESCRIPTION

9       The  Net-SNMP agent uses one or more configuration files to control its
10       operation  and  the  management  information  provided.   These   files
11       (snmpd.conf  and  snmpd.local.conf)  can  be  located in one of several
12       locations, as described in the snmp_config(5) manual page.
13
14       The (perl) application snmpconf can be used to  generate  configuration
15       files for the most common agent requirements.  See the snmpconf(1) man‐
16       ual page for more information, or try running the command:
17
18              snmpconf -g basic_setup
19
20       There are a large number of directives that can be specified, but these
21       mostly fall into four distinct categories:
22
23       ·      those controlling who can access the agent
24
25       ·      those configuring the information that is supplied by the agent
26
27       ·      those controlling active monitoring of the local system
28
29       ·      those concerned with extending the functionality of the agent.
30
31       Some directives don't fall naturally into any of these four categories,
32       but this covers the majority of the contents of  a  typical  snmpd.conf
33       file.   A full list of recognised directives can be obtained by running
34       the command:
35
36              snmpd -H
37

AGENT BEHAVIOUR

39       Although most configuration  directives  are  concerned  with  the  MIB
40       information  supplied  by  the agent, there are a handful of directives
41       that control the behaviour of snmpd considered simply as a daemon  pro‐
42       viding a network service.
43
44       agentaddress [<transport-specifier>:]<transport-address>[,...]
45              defines  a  list  of  listening  addresses,  on which to receive
46              incoming SNMP requests.  See the section LISTENING ADDRESSES  in
47              the  snmpd(8)  manual page for more information about the format
48              of listening addresses.
49
50              The default behaviour is to listen on UDP port 161 on  all  IPv4
51              interfaces.
52
53       agentgroup {GROUP|#GID}
54              changes  to  the  specified  group  after  opening the listening
55              port(s).  This may refer to  a  group  by  name  (GROUP),  or  a
56              numeric group ID starting with '#' (#GID).
57
58       agentuser {USER|#UID}
59              changes  to  the  specified  user  after  opening  the listening
60              port(s).  This may refer to a user by name (USER), or a  numeric
61              user ID starting with '#' (#UID).
62
63       leave_pidfile yes
64              instructs  the  agent  to  not  remove its pid file on shutdown.
65              Equivalent to specifying "-U" on the command line.
66
67       maxGetbulkRepeats NUM
68              Sets the maximum number of responses allowed for a single  vari‐
69              able  in  a getbulk request.  Set to 0 to enable the default and
70              set it to -1 to enable unlimited.  Because memory  is  allocated
71              ahead  of time, sitting this to unlimited is not considered safe
72              if your user population can not be  trusted.   A  repeat  number
73              greater than this will be truncated to this value.
74
75              This is set by default to -1.
76
77       maxGetbulkResponses NUM
78              Sets  the  maximum  number  of  responses  allowed for a getbulk
79              request.  This is set by default to 100.  Set to 0 to enable the
80              default and set it to -1 to enable unlimited.  Because memory is
81              allocated ahead of time, sitting this to unlimited is  not  con‐
82              sidered safe if your user population can not be trusted.
83
84              In general, the total number of responses will not be allowed to
85              exceed the  maxGetbulkResponses  number  and  the  total  number
86              returned  will be an integer multiple of the number of variables
87              requested times the calculated number of repeats  allow  to  fit
88              below this number.
89
90              Also not that processing of maxGetbulkRepeats is handled first.
91
92   SNMPv3 Configuration
93       SNMPv3  requires  an SNMP agent to define a unique "engine ID" in order
94       to respond to SNMPv3 requests.  This ID  will  normally  be  determined
95       automatically,   using   two  reasonably  non-predictable  values  -  a
96       (pseudo-)random number and the current time in  seconds.  This  is  the
97       recommended  approach.  However  the  capacity  exists  to  define  the
98       engineID in other ways:
99
100       engineID STRING
101              specifies that the engineID should be built from the given  text
102              STRING.
103
104       engineIDType 1|2|3
105              specifies  that  the  engineID  should  be  built  from the IPv4
106              address (1), IPv6 address (2) or MAC  address  (3).   Note  that
107              changing  the  IP  address  (or  switching the network interface
108              card) may cause problems.
109
110       engineIDNic INTERFACE
111              defines which interface to use when determining the MAC address.
112              If  engineIDType  3 is not specified, then this directive has no
113              effect.
114
115              The default is to use eth0.
116

SNMPv3 AUTHENTICATION

118       SNMPv3 was originally  defined  using  the  User-Based  Security  Model
119       (USM),  which contains a private list of users and keys specific to the
120       SNMPv3 protocol.  The operational community,  however,  declared  it  a
121       pain  to manipulate yet another database and would prefer to use exist‐
122       ing infrastructure.  To that end the  IETF  created  the  ISMS  working
123       group  to  battle  that  problem, and the ISMS working group decided to
124       tunnel SNMP over SSH and DTLS to make use existing user and authentica‐
125       tion infrastructures.
126
127   SNMPv3 USM Users
128       To use the USM based SNMPv3-specific users, you'll need to create them.
129       It is recommended you use the net-snmp-config command to do  this,  but
130       you  can  also do it by directly specifying createUser directives your‐
131       self instead:
132
133       createUser [-e ENGINEID] username  (MD5|SHA)  authpassphrase  [DES|AES]
134       [privpassphrase]
135
136              MD5  and  SHA  are the authentication types to use.  DES and AES
137              are the privacy protocols to use.  If the privacy passphrase  is
138              not  specified,  it is assumed to be the same as the authentica‐
139              tion passphrase.  Note that the users created  will  be  useless
140              unless  they  are  also  added to the VACM access control tables
141              described above.
142
143              SHA authentication and DES/AES privacy  require  OpenSSL  to  be
144              installed  and  the agent to be built with OpenSSL support.  MD5
145              authentication may be used without OpenSSL.
146
147              Warning: the minimum pass phrase length is 8 characters.
148
149              SNMPv3 users can be created at runtime using the snmpusm(1) com‐
150              mand.
151
152              Instead  of  figuring out how to use this directive and where to
153              put  it  (see  below),  just  run   "net-snmp-config   --create-
154              snmpv3-user"  instead,  which will add one of these lines to the
155              right place.
156
157              This  directive  should  be  placed   into   the   /var/lib/net-
158              snmp/snmpd.conf file instead of the other normal locations.  The
159              reason is that the information is read from the  file  and  then
160              the line is removed (eliminating the storage of the master pass‐
161              word for that user) and replaced with the key  that  is  derived
162              from  it.   This key is a localized key, so that if it is stolen
163              it can not be used to access other agents.  If the  password  is
164              stolen, however, it can be.
165
166              If  you need to localize the user to a particular EngineID (this
167              is useful mostly in the similar snmptrapd.conf  file),  you  can
168              use  the  -e argument to specify an EngineID as a hex value (EG,
169              "0x01020304").
170
171              If you want to generate either your  master  or  localized  keys
172              directly, replace the given password with a hexstring (preceeded
173              by a "0x") and precede the hex  string  by  a  -m  or  -l  token
174              (respectively).  EGs:
175
176              [these keys are *not* secure but are easy to visually parse for
177              counting purposes.  Please generate random keys instead of using
178              these examples]
179
180              createUser myuser SHA -l 0x0001020304050607080900010203040506070809 AES -l 0x00010203040506070809000102030405
181              createUser myuser SHA -m 0x0001020304050607080900010203040506070809 AES -m 0x0001020304050607080900010203040506070809
182
183              Due  to the way localization happens, localized privacy keys are
184              expected to be the length needed by the algorithm (128 bits  for
185              all supported algorithms).  Master encryption keys, though, need
186              to be the length required by the  authentication  algorithm  not
187              the  length required by the encrypting algorithm (MD5: 16 bytes,
188              SHA: 20 bytes).
189
190   SSH Support
191       To use SSH, you'll need to configure sshd to invoke sshtosnmp  as  well
192       as  configure  the  access control settings to allow access through the
193       tsm security model using the user name provided to  snmpd  by  the  ssh
194       transport.
195
196   DTLS Support
197       For DTLS, snmpd will need to be configured with it's own X.509 certifi‐
198       cate as well as the certificates of the client users to be  allowed  to
199       connect  to  the  agent.   The access control will need to be set up as
200       well to allow access through the tsm security model.  The CommonName of
201       the  Subject  from the X.509 certificate will be passed to snmpd as the
202       SNMPv3    username     to     use.      See     the     http://www.net-
203       snmp.org/wiki/index.php/Using_DTLS  web page for more detailed instruc‐
204       tions for setting up DTLS.
205
206       defX509ServerPub FILE
207
208       defX509ServerPriv FILE
209              These two directives specify the public and  private  key  files
210              for  the  certificate that snmpd should present to incoming con‐
211              nections.
212
213       defX509ClientCerts FILE
214              This directive specifies a file containing  all  of  the  public
215              keys  (or  CAs of public keys) for clients to connect the server
216              with.
217

ACCESS CONTROL

219       snmpd supports the View-Based Access Control Model (VACM) as defined in
220       RFC  2575,  to control who can retrieve or update information.  To this
221       end, it recognizes various directives relating to access control.
222
223   Traditional Access Control
224       Most simple access control requirements  can  be  specified  using  the
225       directives  rouser/rwuser  (for SNMPv3) or rocommunity/rwcommunity (for
226       SNMPv1 or SNMPv2c).
227
228       rouser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
229
230       rwuser [-s SECMODEL]  USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
231              specify an SNMPv3 user that will be allowed read-only  (GET  and
232              GETNEXT)  or  read-write  (GET,  GETNEXT and SET) access respec‐
233              tively.  By default, this will provide access to  the  full  OID
234              tree  for  authenticated  (including encrypted) SNMPv3 requests,
235              using the default  context.   An  alternative  minimum  security
236              level  can  be  specified using noauth (to allow unauthenticated
237              requests), or priv (to enforce  use  of  encryption).   The  OID
238              field  restricts  access  for that user to the subtree rooted at
239              the given OID, or the named view.  An optional context can  also
240              be  specified,  or "context*" to denote a context prefix.  If no
241              context field is specified (or  the  token  "*"  is  used),  the
242              directive will match all possible contexts.
243
244              If  SECMODEL  is  specified  then  it will be the security model
245              required for that user (note that identical user names may  come
246              in over different security models and will be appropriately sep‐
247              arated via the access control settings).  The  default  security
248              model  is  "usm" and the other common security models are likely
249              "tsm" when using SSH or DTLS support and "ksm" if  the  Kerberos
250              support has been compiled in.
251
252       rocommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
253
254       rwcommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
255              specify  an  SNMPv1  or  SNMPv2c  community that will be allowed
256              read-only (GET and GETNEXT) or read-write (GET, GETNEXT and SET)
257              access  respectively.   By  default, this will provide access to
258              the full OID tree for such requests, regardless  of  where  they
259              were  sent from. The SOURCE token can be used to restrict access
260              to requests from the specified system(s) - see com2sec  for  the
261              full details.  The OID field restricts access for that community
262              to the subtree rooted at the given OID, or named view.  Contexts
263              are  typically  less  relevant to community-based SNMP versions,
264              but the same behaviour applies here.
265
266       rocommunity6 COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
267
268       rwcommunity6 COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
269              are directives relating to requests received using IPv6 (if  the
270              agent  supports  such transport domains).  The interpretation of
271              the SOURCE, OID, VIEW and CONTEXT tokens are exactly the same as
272              for the IPv4 versions.
273
274       In each case, only one directive should be specified for a given SNMPv3
275       user, or community string.  It  is  not  appropriate  to  specify  both
276       rouser  and  rwuser  directives  referring  to the same SNMPv3 user (or
277       equivalent community settings). The rwuser directive provides  all  the
278       access  of  rouser  (as  well as allowing SET support).  The same holds
279       true for the community-based directives.
280
281       More complex access requirements (such as access to two  or  more  dis‐
282       tinct OID subtrees, or different views for GET and SET requests) should
283       use one of the other access control mechanisms.  Note that  if  several
284       distinct  communities or SNMPv3 users need to be granted the same level
285       of access, it would also be more efficient to use the main VACM config‐
286       uration directives.
287
288   VACM Configuration
289       The  full flexibility of the VACM is available using four configuration
290       directives - com2sec, group, view and  access.   These  provide  direct
291       configuration of the underlying VACM tables.
292
293       com2sec  [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
294
295       com2sec6 [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
296              map  an  SNMPv1 or SNMPv2c community string to a security name -
297              either from a particular range of source addresses, or  globally
298              ("default").  A restricted source can either be a specific host‐
299              name (or address), or a subnet - represented  as  IP/MASK  (e.g.
300              10.10.10.0/255.255.255.0),  or  IP/BITS (e.g. 10.10.10.0/24), or
301              the IPv6 equivalents.
302
303              The same community string can be specified in  several  separate
304              directives  (presumably  with  different source tokens), and the
305              first source/community combination  that  matches  the  incoming
306              request will be selected.  Various source/community combinations
307              can also map to the same security name.
308
309              If a CONTEXT is specified (using -Cn), the community string will
310              be mapped to a security name in the named SNMPv3 context. Other‐
311              wise the default context ("") will be used.
312
313       com2secunix [-Cn CONTEXT] SECNAME SOCKPATH COMMUNITY
314              is the Unix domain sockets version of com2sec.
315
316       group GROUP {v1|v2c|usm|tsm|ksm} SECNAME
317              maps a security name (in the specified security  model)  into  a
318              named  group.   Several  group  directives  can specify the same
319              group name, allowing a single access setting to apply to several
320              users and/or community strings.
321
322              Note that groups must be set up for the two community-based mod‐
323              els separately - a single com2sec (or equivalent) directive will
324              typically be accompanied by two group directives.
325
326       view VNAME TYPE OID [MASK]
327              defines  a named "view" - a subset of the overall OID tree. This
328              is most commonly a single subtree, but several  view  directives
329              can be given with the same view name (VNAME), to build up a more
330              complex  collection  of  OIDs.   TYPE  is  either  included   or
331              excluded,  which  can  again  define a more complex view (e.g by
332              excluding certain sensitive objects from an otherwise accessible
333              subtree).
334
335              MASK  is  a  list  of hex octets (optionally separated by '.' or
336              ':') with the set bits indicating which  subidentifiers  in  the
337              view  OID  to match against.  If not specified, this defaults to
338              matching the OID exactly (all bits set), thus defining a  simple
339              OID subtree.  So:
340                     view iso1 included .iso  0xf0
341                     view iso2 included .iso
342                     view iso3 included .iso.org.dod.mgmt  0xf0
343
344              would  all  define  the  same  view,  covering  the whole of the
345              'iso(1)' subtree (with the third example ignoring the subidenti‐
346              fiers not covered by the mask).
347
348              More  usefully, the mask can be used to define a view covering a
349              particular row (or rows) in a table,  by  matching  against  the
350              appropriate  table index value, but skipping the column subiden‐
351              tifier:
352
353                     view ifRow4 included .1.3.6.1.2.1.2.2.1.0.4  0xff:a0
354
355              Note that a mask longer than 8 bits must use ':' to separate the
356              individual octets.
357
358       access  GROUP  CONTEXT  {any|v1|v2c|usm|tsm|ksm} LEVEL PREFX READ WRITE
359       NOTIFY
360              maps from a group of users/communities (with a particular  secu‐
361              rity  model  and  minimum security level, and in a specific con‐
362              text) to one of three views, depending on the request being pro‐
363              cessed.
364
365              LEVEL is one of noauth, auth, or priv.  PREFX specifies how CON‐
366              TEXT should be matched  against  the  context  of  the  incoming
367              request,  either exact or prefix.  READ, WRITE and NOTIFY speci‐
368              fies the view to be used for GET*, SET and TRAP/INFORM  requests
369              (althought  the  NOTIFY  view is not currently used).  For v1 or
370              v2c access, LEVEL will need to be noauth.
371
372   Typed-View Configuration
373       The final group of directives extend the  VACM  approach  into  a  more
374       flexible  mechanism,  which  can  be  applied  to  other access control
375       requirements. Rather than the fixed three views of  the  standard  VACM
376       mechanism,  this can be used to configure various different view types.
377       As far as the main SNMP agent is concerned, the two main view types are
378       read  and  write, corresponding to the READ and WRITE views of the main
379       access directive.  See the 'snmptrapd.conf(5)' man page for  discussion
380       of other view types.
381
382       authcommunity TYPES  COMMUNITY   [SOURCE [OID | -V VIEW [CONTEXT]]]
383              is  an  alternative  to  the rocommunity/rwcommunity directives.
384              TYPES will usually be read or read,write respectively.  The view
385              specification  can  either  be  an OID subtree (as before), or a
386              named view (defined using the view directive) for greater flexi‐
387              bility.   If this is omitted, then access will be allowed to the
388              full OID tree.  If CONTEXT is specified,  access  is  configured
389              within  this SNMPv3 context.  Otherwise the default context ("")
390              is used.
391
392       authuser   TYPES [-s MODEL] USER  [LEVEL [OID | -V VIEW [CONTEXT]]]
393              is an alternative to the rouser/rwuser directives.   The  fields
394              TYPES,  OID, VIEW and CONTEXT have the same meaning as for auth‐
395              community.
396
397       authgroup  TYPES [-s MODEL] GROUP [LEVEL [OID | -V VIEW [CONTEXT]]]
398              is a companion to the authuser directive, specifying access  for
399              a particular group (defined using the group directive as usual).
400              Both authuser and authgroup default to authenticated requests  -
401              LEVEL can also be specified as noauth or priv to allow unauthen‐
402              ticated requests,  or  require  encryption  respectively.   Both
403              authuser  and  authgroup  directives also default to configuring
404              access for SNMPv3/USM requests - use the '-s' flag to specify an
405              alternative  security model (using the same values as for access
406              above).
407
408       authaccess TYPES [-s MODEL] GROUP VIEW [LEVEL [CONTEXT]]
409              also configures the access for a  particular  group,  specifying
410              the  name  and type of view to apply. The MODEL and LEVEL fields
411              are interpreted in the same way as for authgroup.  If CONTEXT is
412              specified,  access  is configured within this SNMPv3 context (or
413              contexts with this prefix if the CONTEXT field ends  with  '*').
414              Otherwise the default context ("") is used.
415
416       setaccess GROUP CONTEXT MODEL LEVEL PREFIX VIEW TYPES
417              is  a  direct equivalent to the original access directive, typi‐
418              cally listing the view types as read or read,write as  appropri‐
419              ate.  (or see 'snmptrapd.conf(5)' for other possibilities).  All
420              other fields have the same interpretation as with access.
421

SYSTEM INFORMATION

423       Most of the information reported by the  Net-SNMP  agent  is  retrieved
424       from  the  underlying  system,  or  dynamically configured via SNMP SET
425       requests (and retained from one run of the agent to  the  next).   How‐
426       ever,  certain  MIB  objects  can  be  configured or controlled via the
427       snmpd.conf(5) file.
428
429   System Group
430       Most of the scalar objects in the 'system' group can be  configured  in
431       this way:
432
433       sysLocation STRING
434
435       sysContact STRING
436
437       sysName STRING
438              set the system location, system contact or system name (sysLoca‐
439              tion.0, sysContact.0 and sysName.0) for the agent  respectively.
440              Ordinarily  these  objects are writeable via suitably authorized
441              SNMP SET requests.  However, specifying one of these  directives
442              makes the corresponding object read-only, and attempts to SET it
443              will result in a notWritable error response.
444
445       sysServices NUMBER
446              sets the value of the sysServices.0 object.  For a host  system,
447              a  good  value is 72 (application + end-to-end layers).  If this
448              directive is not specified, then no value will be  reported  for
449              the sysServices.0 object.
450
451       sysDescr STRING
452
453       sysObjectID OID
454              sets  the  system  description  or  object  ID  for  the  agent.
455              Although these MIB objects are not SNMP-writable,  these  direc‐
456              tives  can be used by a network administrator to configure suit‐
457              able values for them.
458
459   Interfaces Group
460       interface NAME TYPE SPEED
461              can be used to provide appropriate type and speed  settings  for
462              interfaces  where  the agent fails to determine this information
463              correctly.  TYPE is a type value as given in the IANAifType-MIB,
464              and  can  be specified numerically or by name (assuming this MIB
465              is loaded).
466
467   Host Resources Group
468       This requires that the agent was built with support for the host module
469       (which  is  now  included as part of the default build configuration on
470       the major supported platforms).
471
472       ignoreDisk STRING
473              controls which disk devices are scanned as  part  of  populating
474              the  hrDiskStorageTable (and hrDeviceTable).  The HostRes imple‐
475              mentation code includes a list of disk device patterns appropri‐
476              ate  for  the  current operating system, some of which may cause
477              the agent to block when trying to open  the  corresponding  disk
478              devices.   This  might  lead  to  a  timeout  when walking these
479              tables, possibly  resulting  in  inconsistent  behaviour.   This
480              directive  can  be  used  to  specify particular devices (either
481              individually or wildcarded) that should not be checked.
482
483              Note:  Please consult the source (host/hr_disk.c) and check  for
484                     the Add_HR_Disk_entry calls relevant for a particular O/S
485                     to determine the list of devices that will be scanned.
486
487              The pattern can include one or more wildcard  expressions.   See
488              snmpd.examples(5) for illustration of the wildcard syntax.
489
490       skipNFSInHostResources true
491              controls whether NFS and NFS-like file systems should be omitted
492              from the hrStorageTable (true or 1) or not (false or 0, which is
493              the  default).   If  the Net-SNMP agent gets hung on NFS-mounted
494              filesystems, you can try setting this to '1'.
495
496       storageUseNFS [1|2]
497              controls how NFS and NFS-like file systems should be reported in
498              the hrStorageTable.  as 'Network Disks' (1) or 'Fixed Disks' (2)
499              Historically, the Net-SNMP agent has reported such file  systems
500              as 'Fixed Disks', and this is still the default behaviour.  Set‐
501              ting this directive to '1' reports such file systems as ´Network
502              Disks', as required by the Host Resources MIB.
503
504   Process Monitoring
505       The  hrSWRun group of the Host Resources MIB provides information about
506       individual processes running on the local system.  The prTable  of  the
507       UCD-SNMP-MIB  complements this by reporting on selected services (which
508       may involve multiple processes).  This  requires  that  the  agent  was
509       built  with  support for the ucd-snmp/proc module (which is included as
510       part of the default build configuration).
511
512       proc NAME [MAX [MIN]]
513              monitors the number of processes called  NAME  (as  reported  by
514              "/bin/ps -e") running on the local system.
515
516              If  the  number  of  NAMEd processes is less than MIN or greater
517              than MAX, then the corresponding prErrorFlag  instance  will  be
518              set  to  1,  and a suitable description message reported via the
519              prErrMessage instance.
520
521              Note:  This situation will not automatically trigger a  trap  to
522                     report  the  problem  -  see the DisMan Event MIB section
523                     later.
524
525              If neither MAX nor MIN are specified (or are both 0), they  will
526              default  to  infinity  and  1 respectively ("at least one").  If
527              only MAX is specified, MIN will default  to  0  ("no  more  than
528              MAX").
529
530       procfix NAME PROG ARGS
531              registers a command that can be run to fix errors with the given
532              process NAME.  This will be invoked when the corresponding  prE‐
533              rrFix instance is set to 1.
534
535              Note:  This command will not be invoked automatically.
536
537              The  procfix directive must be specified after the matching proc
538              directive, and cannot be used on its own.
539
540       If no proc directives are defined, then walking the prTable  will  fail
541       (noSuchObject).
542
543   Disk Usage Monitoring
544       This  requires  that  the  agent  was  built  with support for the ucd-
545       snmp/disk module (which is included as part of the default  build  con‐
546       figuration).
547
548       disk PATH [ MINSPACE | MINPERCENT% ]
549              monitors the disk mounted at PATH for available disk space.
550
551              The  minimum  threshold can either be specified in kB (MINSPACE)
552              or as a percentage of the total disk  (MINPERCENT%  with  a  '%'
553              character),  defaulting  to  100kB if neither are specified.  If
554              the free disk space falls below this threshold, then the  corre‐
555              sponding  dskErrorFlag instance will be set to 1, and a suitable
556              description message reported via the dskErrorMsg instance.
557
558              Note:  This situation will not automatically trigger a  trap  to
559                     report  the  problem  -  see the DisMan Event MIB section
560                     later.
561
562       includeAllDisks MINPERCENT%
563              configures monitoring of all disks found on  the  system,  using
564              the  specified  (percentage) threshold.  The threshold for indi‐
565              vidual disks can be  adjusted  using  suitable  disk  directives
566              (which  can  come  either  before  or  after the includeAllDisks
567              directive).
568
569              Note:  Whether  disk  directives   appears   before   or   after
570                     includeAllDisks may affect the indexing of the dskTable.
571
572              Only  one  includeAllDisks  directive  should be specified - any
573              subsequent copies will be ignored.
574
575              The list of mounted disks will  be  determined  when  the  agent
576              starts  using the setmntent(3) and getmntent(3), or fopen(3) and
577              getmntent(3),  or setfsent(3)  and  getfsent(3) system calls. If
578              none  of the above system calls are available then the root par‐
579              tition  "/" (which  is  assumed to exist on any UNIX based  sys‐
580              tem)  will  be  monitored.   Disks  mounted  after the agent has
581              started will not be monitored.
582
583       If neither any disk directives or  includeAllDisks  are  defined,  then
584       walking the dskTable will fail (noSuchObject).
585
586   System Load Monitoring
587       This requires that the agent was built with support for either the ucd-
588       snmp/loadave module or the ucd-snmp/memory module respectively (both of
589       which are included as part of the default build configuration).
590
591       load MAX1 [MAX5 [MAX15]]
592              monitors  the  load  average  of  the  local  system, specifying
593              thresholds for the 1-minute, 5-minute  and  15-minute  averages.
594              If  any of these loads exceed the associated maximum value, then
595              the corresponding laErrorFlag instance will be set to 1,  and  a
596              suitable  description  message  reported  via  the  laErrMessage
597              instance.
598
599              Note:  This situation will not automatically trigger a  trap  to
600                     report  the  problem  -  see the DisMan Event MIB section
601                     later.
602
603              If the MAX15 threshold is omitted, it will default to  the  MAX5
604              value.  If both MAX5 and MAX15 are omitted, they will default to
605              the MAX1 value.  If this directive is not specified,  all  three
606              thresholds will default to a value of DEFMAXLOADAVE.
607
608              If  a  threshold  value of 0 is given, the agent will not report
609              errors via the relevant laErrorFlag or  laErrMessage  instances,
610              regardless of the current load.
611
612       Unlike  the  proc  and disk directives, walking the walking the laTable
613       will succeed (assuming the ucd-snmp/loadave module was configured  into
614       the agent), even if the load directive is not present.
615
616       swap MIN
617              monitors the amount of swap space available on the local system.
618              If this falls below the specified threshold (MIN kB),  then  the
619              memErrorSwap object will be set to 1, and a suitable description
620              message reported via memSwapErrorMsg.
621
622              Note:  This situation will not automatically trigger a  trap  to
623                     report  the  problem  -  see the DisMan Event MIB section
624                     later.
625       If this directive is not specified, the default threshold is 16 MB.
626
627   Log File Monitoring
628       This requires that the agent was built with support for either the ucd-
629       snmp/file  or ucd-snmp/logmatch modules respectively (both of which are
630       included as part of the default build configuration).
631
632       file FILE [MAXSIZE]
633              monitors the size of the specified file (in kB).  If MAXSIZE  is
634              specified, and the size of the file exceeds this threshold, then
635              the corresponding fileErrorFlag instance will be set to 1, and a
636              suitable  description  message  reported  via  the  fileErrorMsg
637              instance.
638
639              Note:  This situation will not automatically trigger a  trap  to
640                     report  the  problem  -  see the DisMan Event MIB section
641                     later.
642
643              Note: A maximum of 20 files can be monitored.
644
645              Note: If no  file  directives  are  defined,  then  walking  the
646              fileTable will fail (noSuchObject).
647
648       logmatch NAME FILE CYCLETIME REGEX
649              monitors the specified file for occurances of the specified pat‐
650              tern REGEX. The file position is stored internally so the entire
651              file  is  only  read  initially, every subsequent pass will only
652              read the new lines added to the file since the last read.
653
654              NAME   name of the logmatch instance (will appear  as  logMatch‐
655                     Name under logMatch/logMatchTable/logMatchEntry/logMatch‐
656                     Name in the ucd-snmp MIB tree)
657
658              FILE   absolute path to the logfile to be monitored.  Note  that
659                     this  path  can contain date/time directives (like in the
660                     UNIX 'date' command). See the manual page for  'strftime'
661                     for the various directives accepted.
662
663              CYCLETIME
664                     time interval for each logfile read and internal variable
665                     update in seconds.  Note: an SNMPGET* operation will also
666                     trigger an immediate logfile read and variable update.
667
668              REGEX  the  regular  expression to be used. Note: DO NOT enclose
669                     the regular expression in quotes even if there are spaces
670                     in  the expression as the quotes will also become part of
671                     the pattern to be matched!
672
673              Example:
674
675                     logmatch                                      apache-GETs
676                     /usr/local/apache/logs/access.log-%Y-%m-%d 60 GET.*HTTP.*
677
678                     This  logmatch  instance  is  named  'apache-GETs',  uses
679                     'GET.*HTTP.*' as its regular expression and it will moni‐
680                     tor  the  file  named  (assuming  today is May 6th 2009):
681                     '/usr/local/apache/logs/access.log-2009-05-06',  tomorrow
682                     it  will look for 'access.log-2009-05-07'. The logfile is
683                     read every 60 seconds.
684
685              Note: A maximum of 250 logmatch directives can be specified.
686
687              Note: If no logmatch directives are defined,  then  walking  the
688              logMatchTable will fail (noSuchObject).
689

ACTIVE MONITORING

691       The  usual  behaviour  of  an  SNMP  agent is to wait for incoming SNMP
692       requests and respond to them - if no requests are  received,  an  agent
693       will typically not initiate any actions. This section describes various
694       directives that can configure snmpd to take a more active role.
695
696   Notification Handling
697       trapcommunity STRING
698              defines the default community string to  be  used  when  sending
699              traps.   Note that this directive must be used prior to any com‐
700              munity-based trap destination directives that need to use it.
701
702       trapsink HOST [COMMUNITY [PORT]]
703
704       trap2sink HOST [COMMUNITY [PORT]]
705
706       informsink HOST [COMMUNITY [PORT]]
707              define the address of a notification  receiver  that  should  be
708              sent  SNMPv1  TRAPs,  SNMPv2c TRAP2s, or SNMPv2 INFORM notifica‐
709              tions respectively.  See the section LISTENING ADDRESSES in  the
710              snmpd(8)  manual  page  for more information about the format of
711              listening addresses.  If COMMUNITY is not  specified,  the  most
712              recent trapcommunity string will be used.
713
714              If the transport address does not include an explicit port spec‐
715              ification, then PORT will be used.  If this  is  not  specified,
716              the well known SNMP trap port (162) will be used.
717
718              Note:  This  mechanism  is  being  deprecated, and the listening
719                     port should be specified via the transport  specification
720                     HOST instead.
721
722              If  several  sink  directives  are specified, multiple copies of
723              each notification (in the appropriate formats)  will  be  gener‐
724              ated.
725
726              Note:  It is not normally appropriate to list two (or all three)
727                     sink directives with the same destination.
728
729       trapsess [SNMPCMD_ARGS] HOST
730              provides a more generic mechanism for defining notification des‐
731              tinations.   SNMPCMD_ARGS  should  be  the  command-line options
732              required for an equivalent snmptrap (or snmpinform)  command  to
733              send the desired notification.  The option -Ci can be used (with
734              -v2c or -v3) to generate an INFORM notification rather  than  an
735              unacknowledged TRAP.
736
737              This  is  the  appropriate  directive  for  defining SNMPv3 trap
738              receivers.  See http://www.net-snmp.org/tutorial/tutorial-5/com
739              mands/snmptrap-v3.html for more information about SNMPv3 notifi‐
740              cation behaviour.
741
742       authtrapenable {1|2}
743              determines whether  to  generate  authentication  failure  traps
744              (enabled(1)) or not (disabled(2) - the default).  Ordinarily the
745              corresponding  MIB  object  (snmpEnableAuthenTraps.0)  is  read-
746              write,  but  specifying  this  directive makes this object read-
747              only, and attempts to set the value via SET requests will result
748              in a notWritable error response.
749
750       v1trapaddress HOST
751              defines  the agent address, which is inserted into SNMPv1 TRAPs.
752              Arbitrary local  IPv4  address  is  chosen  if  this  option  is
753              ommited.  This option is useful mainly when the agent is visible
754              from outside world by specific address only  (e.g.   because  of
755              network address translation or firewall).
756
757   DisMan Event MIB
758       The  previous directives can be used to configure where traps should be
759       sent, but are not concerned with when to send such traps (or what traps
760       should  be generated).  This is the domain of the Event MIB - developed
761       by the Distributed Management (DisMan) working group of the IETF.
762
763       This requires that the agent  was  built  with  support  for  the  dis‐
764       man/event  module  (which  is now included as part of the default build
765       configuration for the most recent distribution).
766
767              Note:  The behaviour of the  latest  implementation  differs  in
768                     some  minor respects from the previous code - nothing too
769                     significant, but existing scripts may possibly need  some
770                     minor adjustments.
771
772       iquerySecName NAME
773
774       agentSecName NAME
775              specifies  the  default  SNMPv3 username, to be used when making
776              internal queries to retrieve any necessary  information  (either
777              for evaluating the monitored expression, or building a notifica‐
778              tion payload).  These internal queries always use  SNMPv3,  even
779              if normal querying of the agent is done using SNMPv1 or SNMPv2c.
780
781              Note that this user must also be explicitly created (createUser)
782              and given appropriate access rights (e.g. rouser).  This  direc‐
783              tive is purely concerned with defining which user should be used
784              - not with actually setting this user up.
785
786       monitor [OPTIONS] NAME EXPRESSION
787              defines a MIB object to monitor.  If  the  EXPRESSION  condition
788              holds  (see  below),  then  this  will trigger the corresponding
789              event, and either send a notification or apply a SET  assignment
790              (or  both).   Note  that  the event will only be triggered once,
791              when the expression first matches.  This monitor entry will  not
792              fire  again  until  the monitored condition first becomes false,
793              and then matches again.  NAME is an administrative name for this
794              expression,  and  is  used for indexing the mteTriggerTable (and
795              related tables).  Note also that such monitors use  an  internal
796              SNMPv3  request  to retrieve the values being monitored (even if
797              normal agent queries typically use SNMPv1 or SNMPv2c).  See  the
798              iquerySecName token described above.
799
800       EXPRESSION
801              There  are  three  types  of monitor expression supported by the
802              Event MIB - existence, boolean and threshold tests.
803
804              OID | ! OID | != OID
805                     defines an existence(0) monitor test.  A bare OID  speci‐
806                     fies a present(0) test, which will fire when (an instance
807                     of) the monitored OID is created.  An expression  of  the
808                     form  !  OID specifies an absent(1) test, which will fire
809                     when the monitored OID is delected.  An expression of the
810                     form  != OID specifies a changed(2) test, which will fire
811                     whenever the monitored value(s) change.  Note that  there
812                     must be whitespace before the OID token.
813
814              OID OP VALUE
815                     defines  a  boolean(1) monitor test.  OP should be one of
816                     the defined comparison operators (!=, ==, <, <=,  >,  >=)
817                     and  VALUE should be an integer value to compare against.
818                     Note that there must be whitespace around the  OP  token.
819                     A  comparison  such  as  OID !=0 will not be handled cor‐
820                     rectly.
821
822              OID MIN MAX [DMIN DMAX]
823                     defines a threshold(2) monitor test.   MIN  and  MAX  are
824                     integer  values,  specifying  lower and upper thresholds.
825                     If the value of the monitored OID falls below  the  lower
826                     threshold (MIN) or rises above the upper threshold (MAX),
827                     then the monitor entry  will  trigger  the  corresponding
828                     event.
829
830                     Note  that  the  rising  threshold event will only be re-
831                     armed when the monitored  value  falls  below  the  lower
832                     threshold  (MIN).  Similarly, the falling threshold event
833                     will be re-armed by the upper threshold (MAX).
834
835                     The optional parameters DMIN and DMAX configure a pair of
836                     similar  threshold tests, but working with the delta dif‐
837                     ferences between successive sample values.
838
839       OPTIONS
840              There are various options to control the behaviour of the  moni‐
841              tored expression.  These include:
842
843              -D     indicates  that  the expression should be evaluated using
844                     delta differences between sample values (rather than  the
845                     values themselves).
846
847              -d OID
848
849              -di OID
850                     specifies  a  discontinuity  marker  for validating delta
851                     differences.  A -di object instance will be used  exactly
852                     as  given.  A -d object will have the instance subidenti‐
853                     fiers  from  the  corresponding  (wildcarded)  expression
854                     object appended.  If the -I flag is specified, then there
855                     is no difference between these two options.
856
857                     This option also implies -D.
858
859              -e EVENT
860                     specifies the event to be invoked when this monitor entry
861                     is  triggered.   If this option is not given, the monitor
862                     entry will generate one  of  the  standard  notifications
863                     defined in the DISMAN-EVENT-MIB.
864
865              -I     indicates that the monitored expression should be applied
866                     to the specified OID as a single instance.   By  default,
867                     the  OID  will be treated as a wildcarded object, and the
868                     monitor expanded to cover all matching instances.
869
870              -i OID
871
872              -o OID define additional varbinds to be added to  the  notifica‐
873                     tion  payload  when  this  monitor  trigger fires.  For a
874                     wildcarded expression, the suffix of the matched instance
875                     will  be added to any OIDs specified using -o, while OIDs
876                     specified using -i will be treated  as  exact  instances.
877                     If  the -I flag is specified, then there is no difference
878                     between these two options.
879
880                     See strictDisman for details of the ordering of notifica‐
881                     tion payloads.
882
883              -r FREQUENCY
884                     monitors  the  given  expression every FREQUENCY seconds.
885                     By default, the expression will be evaluated  every  600s
886                     (10 minutes).
887
888              -S     indicates that the monitor expression should not be eval‐
889                     uated when the agent first starts up.  The first  evalua‐
890                     tion  will  be  done  once  the first repeat interval has
891                     expired.
892
893              -s     indicates that the monitor expression should be evaluated
894                     when  the agent first starts up.  This is the default be‐
895                     haviour.
896
897                     Note:  Notifications triggered by this initial evaluation
898                            will be sent before the coldStart trap.
899
900              -u SECNAME
901                     specifies  a  security name to use for scanning the local
902                     host, instead of the default iquerySecName.  Once  again,
903                     this  user  must be explicitly created and given suitable
904                     access rights.
905
906       notificationEvent ENAME NOTIFICATION [-m] [-i OID | -o OID ]*
907              defines a notification event named ENAME.  This can be triggered
908              from  a  given  monitor  entry by specifying the option -e ENAME
909              (see above).  NOTIFICATION should be the OID  of  the  NOTIFICA‐
910              TION-TYPE definition for the notification to be generated.
911
912              If the -m option is given, the notification payload will include
913              the standard varbinds as specified in the OBJECTS clause of  the
914              notification  MIB  definition.   This option must come after the
915              NOTIFICATION OID (and the relevant MIB file  must  be  available
916              and  loaded  by  the  agent).  Otherwise, these varbinds must be
917              listed explicitly (either here or in the  corresponding  monitor
918              directive).
919
920              The  -i OID and -o OID options specify additional varbinds to be
921              appended to the notification payload, after the  standard  list.
922              If  the monitor entry that triggered this event involved a wild‐
923              carded expression, the suffix of the matched  instance  will  be
924              added to any OIDs specified using -o, while OIDs specified using
925              -i will be treated as exact instances.  If the -I flag was spec‐
926              ified  to  the  monitor  directive,  then there is no difference
927              between these two options.
928
929       setEvent ENAME [-I] OID = VALUE
930              defines a set event named ENAME, assigning the  (integer)  VALUE
931              to  the specified OID.  This can be triggered from a given moni‐
932              tor entry by specifying the option -e ENAME (see above).
933
934              If the monitor entry that triggered this event involved a  wild‐
935              carded  expression, the suffix of the matched instance will nor‐
936              mally be added to the OID.  If the  -I  flag  was  specified  to
937              either  of the monitor or setEvent directives, the specified OID
938              will be regarded as an exact single instance.
939
940       strictDisman yes
941              The definition of SNMP notifications states  that  the  varbinds
942              defined  in  the  OBJECT  clause should come first (in the order
943              specified), followed by any "extra" varbinds that the  notifica‐
944              tion generator feels might be useful.  The most natural approach
945              would be to associate these mandatory varbinds with the  notifi‐
946              cationEvent  entry,  and append any varbinds associated with the
947              monitor entry that triggered the notification to the end of this
948              list.   This  is the default behaviour of the Net-SNMP Event MIB
949              implementation.
950
951              Unfortunately, the  DisMan  Event  MIB  specifications  actually
952              state  that the trigger-related varbinds should come first, fol‐
953              lowed by the event-related ones.  This directive can be used  to
954              restore this strictly-correct (but inappropriate) behaviour.
955
956              Note:  Strict  DisMan  ordering may result in generating invalid
957                     notifications payload lists if the  notificationEvent  -n
958                     flag  is  used  together  with monitor -o (or -i) varbind
959                     options.
960
961              If no monitor entries specify payload varbinds, then the setting
962              of this directive is irrelevant.
963
964       linkUpDownNotifications yes
965              will  configure  the Event MIB tables to monitor the ifTable for
966              network interfaces being taken up  or  down,  and  triggering  a
967              linkUp or linkDown notification as appropriate.
968
969              This is exactly equivalent to the configuration:
970
971                     notificationEvent  linkUpTrap    linkUp   ifIndex ifAdminStatus ifOperStatus
972                     notificationEvent  linkDownTrap  linkDown ifIndex ifAdminStatus ifOperStatus
973
974                     monitor  -r 60 -e linkUpTrap   "Generate linkUp" ifOperStatus != 2
975                     monitor  -r 60 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
976
977       defaultMonitors yes
978              will  configure the Event MIB tables to monitor the various UCD-
979              SNMP-MIB tables for problems (as indicated  by  the  appropriate
980              xxErrFlag column objects).
981
982              This is exactly equivalent to the configuration:
983
984                     monitor   -o prNames -o prErrMessage "process table" prErrorFlag != 0
985                     monitor   -o memErrorName -o memSwapErrorMsg "memory" memSwapError != 0
986                     monitor   -o extNames -o extOutput "extTable" extResult != 0
987                     monitor   -o dskPath -o dskErrorMsg "dskTable" dskErrorFlag != 0
988                     monitor   -o laNames -o laErrMessage  "laTable" laErrorFlag != 0
989                     monitor   -o fileName -o fileErrorMsg  "fileTable" fileErrorFlag != 0
990
991       In  both these latter cases, the snmpd.conf must also contain a iquery‐
992       SecName directive, together with a corresponding createUser  entry  and
993       suitable access control configuration.
994
995   DisMan Schedule MIB
996       The  DisMan working group also produced a mechanism for scheduling par‐
997       ticular actions (a specified SET  assignment)  at  given  times.   This
998       requires  that the agent was built with support for the disman/schedule
999       module (which is included as part of the  default  build  configuration
1000       for the most recent distribution).
1001
1002       There are three ways of specifying the scheduled action:
1003
1004       repeat FREQUENCY OID = VALUE
1005              configures  a  SET  assignment of the (integer) VALUE to the MIB
1006              instance OID, to be run every FREQUENCY seconds.
1007
1008       cron MINUTE HOUR DAY MONTH WEEKDAY  OID = VALUE
1009              configures a SET assignment of the (integer) VALUE  to  the  MIB
1010              instance  OID,  to  be  run at the times specified by the fields
1011              MINUTE to WEEKDAY.  These follow the same pattern as the equiva‐
1012              lent crontab(5) fields.
1013
1014              Note:  These  fields  should be specified as a (comma-separated)
1015                     list of numeric values.  Named values for the  MONTH  and
1016                     WEEKDAY  fields  are not supported, and neither are value
1017                     ranges. A wildcard match can be specified as '*'.
1018
1019              The DAY field can also accept negative values, to indicate  days
1020              counting backwards from the end of the month.
1021
1022       at MINUTE HOUR DAY MONTH WEEKDAY  OID = VALUE
1023              configures  a  one-shot  SET  assignment, to be run at the first
1024              matching time as specified by the fields MINUTE to WEEKDAY.  The
1025              interpretation  of  these  fields is exactly the same as for the
1026              cron directive.
1027

EXTENDING AGENT FUNCTIONALITY

1029       One of the first distinguishing features of the original UCD suite  was
1030       the  ability  to  extend  the  functionality of the agent - not just by
1031       recompiling with code for new MIB modules, but also by configuring  the
1032       running  agent  to report additional information. There are a number of
1033       techniques to support this, including:
1034
1035       ·      running external commands (exec, extend, pass)
1036
1037       ·      loading new code dynamically (embedded perl, dlmod)
1038
1039       ·      communicating with other agents (proxy, SMUX, AgentX)
1040
1041   Arbitrary Extension Commands
1042       The earliest extension mechanism was the ability to run arbitrary  com‐
1043       mands  or  shell scripts. Such commands do not need to be aware of SNMP
1044       operations, or conform to any particular behaviour - the MIB structures
1045       are  designed  to  accommodate any form of command output.  Use of this
1046       mechanism requires that the agent was built with support for  the  ucd-
1047       snmp/extensible and/or agent/extend modules (which are both included as
1048       part of the default build configuration).
1049
1050       exec [MIBOID] NAME PROG ARGS
1051
1052       sh [MIBOID] NAME PROG ARGS
1053              invoke the named PROG with arguments of ARGS.   By  default  the
1054              exit  status  and  first line of output from the command will be
1055              reported via the extTable, discarding any additional output.
1056
1057              Note:  Entries in this table appear in the order they  are  read
1058                     from  the configuration file.  This means that adding new
1059                     exec (or sh) directives and  restarting  the  agent,  may
1060                     affect the indexing of other entries.
1061
1062              The  PROG  argument for exec directives must be a full path to a
1063              real binary, as it is executed via the exec() system  call.   To
1064              invoke a shell script, use the sh directive instead.
1065
1066              If  MIBOID is specified, then the results will be rooted at this
1067              point  in  the  OID  tree,  returning  the  exit  statement   as
1068              MIBOID.100.0  and  the  entire  command output in a pseudo-table
1069              based at MIBNUM.101 - with one 'row' for each line of output.
1070
1071              Note:  The layout of this "relocatable" form  of  exec  (or  sh)
1072                     output  does  not  strictly  form  a valid MIB structure.
1073                     This mechanism is  being  deprecated  -  please  see  the
1074                     extend directive (described below) instead.
1075
1076              The  agent  does not cache the exit status or output of the exe‐
1077              cuted program.
1078
1079       execfix NAME PROG ARGS
1080              registers a command that can be invoked on demand - typically to
1081              respond  to  or  fix  errors  with  the corresponding exec or sh
1082              entry.  When the extErrFix instance for a given NAMEd  entry  is
1083              set to the integer value of 1, this command will be called.
1084
1085              Note:  This  directive  can  only  be used in combination with a
1086                     corresponding exec or sh directive, which must be defined
1087                     first.   Attempting  to  define  an unaccompanied execfix
1088                     directive will fail.
1089
1090       exec and sh extensions can only be configured via the snmpd.conf  file.
1091       They cannot be set up via SNMP SET requests.
1092
1093       extend [MIBOID] NAME PROG ARGS
1094              works in a similar manner to the exec directive, but with a num‐
1095              ber of improvements.  The MIB tables  (nsExtendConfigTable  etc)
1096              are indexed by the NAME token, so are unaffected by the order in
1097              which entries are read from the configuration files.  There  are
1098              two  result  tables  - one (nsExtendOutput1Table) containing the
1099              exit status, the first line and full output (as a single string)
1100              for each extend entry, and the other (nsExtendOutput2Table) con‐
1101              taining the complete output as a series of separate lines.
1102
1103              If MIBOID is specified, then the configuration and result tables
1104              will  be rooted at this point in the OID tree, but are otherwise
1105              structured in exactly the same way. This means that several sep‐
1106              arate  extend directives can specify the same MIBOID root, with‐
1107              out conflicting.
1108
1109              The exit status and output is cached for  each  entry  individu‐
1110              ally,  and can be cleared (and the caching behaviour configured)
1111              using the nsCacheTable.
1112
1113       extendfix NAME PROG ARGS
1114              registers a command that can be invoked on  demand,  by  setting
1115              the  appropriate  nsExtendRunType instance to the value run-com‐
1116              mand(3).  Unlike the equivalent execfix, this directive does not
1117              need  to  be  paired  with a corresponding extend entry, and can
1118              appear on its own.
1119
1120       Both extend and extendfix directives  can  be  configured  dynamically,
1121       using SNMP SET requests to the NET-SNMP-EXTEND-MIB.
1122
1123   MIB-Specific Extension Commands
1124       The  first group of extension directives invoke arbitrary commands, and
1125       rely on the MIB structure  (and  management  applications)  having  the
1126       flexibility  to accommodate and interpret the output.  This is a conve‐
1127       nient way to make information available quickly and simply, but  is  of
1128       no use when implementing specific MIB objects, where the extension must
1129       conform to the structure of the MIB  (rather  than  vice  versa).   The
1130       remaining extension mechanisms are all concerned with such MIB-specific
1131       situations - starting with "pass-through" scripts.  Use of this  mecha‐
1132       nism  requires  that  the  agent  was  built  with support for the ucd-
1133       snmp/pass and ucd-snmp/pass_persist modules (which are both included as
1134       part of the default build configuration).
1135
1136       pass [-p priority] MIBOID PROG
1137              will  pass control of the subtree rooted at MIBOID to the speci‐
1138              fied PROG command.  GET and GETNEXT  requests  for  OIDs  within
1139              this tree will trigger this command, called as:
1140
1141                     PROG -g OID
1142
1143                     PROG -n OID
1144
1145              respectively,  where OID is the requested OID.  The PROG command
1146              should return the  response  varbind  as  three  separate  lines
1147              printed  to  stdout  -  the  first line should be the OID of the
1148              returned value, the second should be its TYPE (one of  the  text
1149              strings integer, gauge, counter, timeticks, ipaddress, objectid,
1150              or string ), and the third should be the value itself.
1151
1152              If the command cannot return an appropriate varbind  -  e.g  the
1153              specified  OID  did not correspond to a valid instance for a GET
1154              request, or there were no following instances for  a  GETNEXT  -
1155              then  it  should  exit  without producing any output.  This will
1156              result in an SNMP noSuchName error, or a  noSuchInstance  excep‐
1157              tion.
1158
1159                     Note:  The  SMIv2  type counter64 and SNMPv2 noSuchObject
1160                            exception are not supported.
1161
1162              A SET request will result in the command being called as:
1163
1164                     PROG -s OID TYPE VALUE
1165
1166              where TYPE is one of the tokens  listed  above,  indicating  the
1167              type of the value passed as the third parameter.
1168
1169              If  the  assignment  is successful, the PROG command should exit
1170              without producing any output.  Errors  should  be  indicated  by
1171              writing  one  of the strings not-writable, or wrong-type to std‐
1172              out, and the agent will generate the appropriate error response.
1173
1174                     Note:  The other SNMPv2 errors are not supported.
1175
1176              In either case, the command should exit  once  it  has  finished
1177              processing.   Each  request  (and  each  varbind within a single
1178              request) will trigger a separate invocation of the command.
1179
1180              The default registration priority is 127.  This can  be  changed
1181              by supplying the optional -p flag, with lower priority registra‐
1182              tions being used in preference to higher priority values.
1183
1184       pass_persist [-p priority] MIBOID PROG
1185              will also pass control of the subtree rooted at  MIBOID  to  the
1186              specified  PROG  command.  However this command will continue to
1187              run after the initial request has been answered,  so  subsequent
1188              requests can be processed without the startup overheads.
1189
1190              Upon  initialization, PROG will be passed the string "PING\n" on
1191              stdin, and should respond by printing "PONG\n" to stdout.
1192
1193              For GET and GETNEXT requests, PROG will be passed two  lines  on
1194              stdin,  the  command (get or getnext) and the requested OID.  It
1195              should respond by printing three lines to stdout - the  OID  for
1196              the  result  varbind, the TYPE and the VALUE itself - exactly as
1197              for the pass directive above.  If the command cannot  return  an
1198              appropriate  varbind,  it  should print print "NONE\n" to stdout
1199              (but continue running).
1200
1201              For SET requests, PROG will be passed three lines on stdin,  the
1202              command  (set)  and  the requested OID, followed by the type and
1203              value (both on the same line).  If the assignment is successful,
1204              the  command  should print "DONE\n" to stdout.  Errors should be
1205              indicated by writing one of  the  strings  not-writable,  wrong-
1206              type, wrong-length, wrong-value or inconsistent-value to stdout,
1207              and the agent will generate the appropriate error response.   In
1208              either case, the command should continue running.
1209
1210              The  registration  priority can be changed using the optional -p
1211              flag, just as for the pass directive.
1212
1213       pass and  pass_persist  extensions  can  only  be  configured  via  the
1214       snmpd.conf file.  They cannot be set up via SNMP SET requests.
1215
1216   Embedded Perl Support
1217       Programs  using the previous extension mechanisms can be written in any
1218       convenient programming language - including perl,  which  is  a  common
1219       choice for pass-through extensions in particular.  However the Net-SNMP
1220       agent also includes support for embedded perl  technology  (similar  to
1221       mod_perl  for  the Apache web server).  This allows the agent to inter‐
1222       pret perl scripts directly, thus avoiding the overhead of spawning pro‐
1223       cesses and initializing the perl system when a request is received.
1224
1225       Use  of  this  mechanism requires that the agent was built with support
1226       for the embedded perl mechanism, which is not part of the default build
1227       environment.   It   must  be  explicitly  included  by  specifying  the
1228       '--enable-embedded-perl' option to the configure script when the  pack‐
1229       age is first built.
1230
1231       If enabled, the following directives will be recognised:
1232
1233       disablePerl true
1234              will  turn off embedded perl support entirely (e.g. if there are
1235              problems with the perl installation).
1236
1237       perlInitFile FILE
1238              loads the specified initialisation file (if present) immediately
1239              before  the  first  perl directive is parsed.  If not explicitly
1240              specified, the agent will look for  the  default  initialisation
1241              file /usr/share/snmp/snmp_perl.pl.
1242
1243              The  default  initialisation  file creates an instance of a Net‐
1244              SNMP::agent object - a variable $agent which can be used to reg‐
1245              ister perl-based MIB handler routines.
1246
1247       perl EXPRESSION
1248              evaluates the given expression.  This would typically register a
1249              handler routine to be called when a section of the OID tree  was
1250              requested:
1251                     perl use Data::Dumper;
1252                     perl sub myroutine  { print "got called: ",Dumper(@_),"\n"; }
1253                     perl $agent->register('mylink', '.1.3.6.1.8765', \&myroutine);
1254
1255              This expression could also source an external file:
1256                     perl 'do /path/to/file.pl';
1257
1258              or  perform  any  other  perl-based  processing  that  might  be
1259              required.
1260
1261   Dynamically Loadable Modules
1262       Most of the MIBs supported by the Net-SNMP agent are implemented  as  C
1263       code  modules,  which were compiled and linked into the agent libraries
1264       when the suite was first built.  Such implementation modules  can  also
1265       be compiled independently and loaded into the running agent once it has
1266       started.  Use of this mechanism requires that the agent was built  with
1267       support for the ucd-snmp/dlmod module (which is included as part of the
1268       default build configuration).
1269
1270       dlmod NAME PATH
1271              will load the shared object module from the file PATH (an  abso‐
1272              lute filename), and call the initialisation routine init_NAME.
1273
1274              Note:  If  the specified PATH is not a fully qualified filename,
1275                     it     will     be      interpreted      relative      to
1276                     /usr/lib(64)/snmp/dlmod,  and .so will be appended to the
1277                     filename.
1278
1279       This functionality can also be configured using SNMP  SET  requests  to
1280       the UCD-DLMOD-MIB.
1281
1282   Proxy Support
1283       Another  mechanism  for  extending the functionality of the agent is to
1284       pass selected requests (or selected varbinds) to  another  SNMP  agent,
1285       which  can  be running on the same host (presumably listening on a dif‐
1286       ferent port), or on a remote system.  This can be viewed either as  the
1287       main  agent delegating requests to the remote one, or acting as a proxy
1288       for it.  Use of this mechanism requires that the agent was  built  with
1289       support for the ucd-snmp/proxy module (which is included as part of the
1290       default build configuration).
1291
1292       proxy [-Cn CONTEXTNAME] [SNMPCMD_ARGS] HOST OID [REMOTEOID]
1293              will pass any incoming requests under OID to the agent listening
1294              on  the  port  specified by the transport address HOST.  See the
1295              section LISTENING ADDRESSES in the snmpd(8) manual page for more
1296              information about the format of listening addresses.
1297
1298              Note:  To  proxy  the entire MIB tree, use the OID .1.3 (not the
1299                     top-level .1)
1300
1301       The SNMPCMD_ARGS should provide sufficient version  and  administrative
1302       information to generate a valid SNMP request (see snmpcmd(1)).
1303
1304       Note:  The  proxied  request  will  not use the administrative settings
1305              from the original request.
1306
1307       If a CONTEXTNAME is specified, this will register the proxy  delegation
1308       within  the  named context in the local agent.  Defining multiple proxy
1309       directives for the same OID but different contexts can be used to query
1310       several  remote agents through a single proxy, by specifying the appro‐
1311       priate SNMPv3 context in the incoming request (or using  suitable  con‐
1312       figured community strings - see the com2sec directive).
1313
1314       Specifying  the  REMOID parameter will map the local MIB tree rooted at
1315       OID to an equivalent subtree rooted at REMOID on the remote agent.
1316
1317   SMUX Sub-Agents
1318       The Net-SNMP agent supports the SMUX protocol (RFC 1227) to communicate
1319       with  SMUX-based  subagents  (such  as gated, zebra or quagga).  Use of
1320       this mechanism requires that the agent was built with support  for  the
1321       smux  module,  which  is not part of the default build environment, and
1322       must be explicitly included by specifying the '--with-mib-modules=smux'
1323       option to the configure script when the package is first built.
1324
1325              Note:  This extension protocol has been officially deprecated in
1326                     favour of AgentX (see below).
1327
1328       smuxpeer OID PASS
1329              will register a subtree for SMUX-based processing, to be authen‐
1330              ticated using the password PASS.  If a subagent (or "peer") con‐
1331              nects to the agent and registers this subtree then requests  for
1332              OIDs within it will be passed to that SMUX subagent for process‐
1333              ing.
1334
1335              A suitable entry for an OSPF  routing  daemon  (such  as  gated,
1336              zebra or quagga) might be something like
1337                     smuxpeer .1.3.6.1.2.1.14 ospf_pass
1338
1339       smuxsocket <IPv4-address>
1340              defines  the IPv4 address for SMUX peers to communicate with the
1341              Net-SNMP agent.  The default is to listen on all IPv4 interfaces
1342              ("0.0.0.0"),   unless  the  package  has  been  configured  with
1343              "--enable-local-smux" at build time, which  causes  it  to  only
1344              listen  on  127.0.0.1  by  default. SMUX uses the well-known TCP
1345              port 199.
1346
1347       Note the Net-SNMP agent will only operate as a SMUX  master  agent.  It
1348       does not support acting in a SMUX subagent role.
1349
1350   AgentX Sub-Agents
1351       The Net-SNMP agent supports the AgentX protocol (RFC 2741) in both mas‐
1352       ter and subagent roles.  Use of this mechanism requires that the  agent
1353       was built with support for the agentx module (which is included as part
1354       of the default build configuration), and  also  that  this  support  is
1355       explicitly enabled (e.g. via the snmpd.conf file).
1356
1357       There  are two directives specifically relevant to running as an AgentX
1358       master agent:
1359
1360       master agentx
1361              will enable the AgentX functionality  and  cause  the  agent  to
1362              start  listening  for  incoming  AgentX registrations.  This can
1363              also be activated by specifying the '-x' command-line option (to
1364              specify an alternative listening socket).
1365
1366       agentXPerms SOCKPERMS [DIRPERMS [USER|UID [GROUP|GID]]]
1367              Defines  the permissions and ownership of the AgentX Unix Domain
1368              socket, and the parent directories of  this  socket.   SOCKPERMS
1369              and  DIRPERMS  must  be octal digits (see chmod(1) ). By default
1370              this socket will only be accessible to subagents which have  the
1371              same userid as the agent.
1372
1373       There  is  one  directive specifically relevant to running as an AgentX
1374       sub-agent:
1375
1376       agentXPingInterval NUM
1377              will make the subagent try and reconnect every  NUM  seconds  to
1378              the master if it ever becomes (or starts) disconnected.
1379
1380       The  remaining  directives  are relevant to both AgentX master and sub-
1381       agents:
1382
1383       agentXSocket [<transport-specifier>:]<transport-address>[,...]
1384              defines the address the master agent listens at, or the subagent
1385              should  connect  to.   The  default  is  the  Unix Domain socket
1386              "/var/agentx/master".  Another common alternative is  tcp:local‐
1387              host:705.   See  the section LISTENING ADDRESSES in the snmpd(8)
1388              manual page for more information about the format of addresses.
1389
1390              Note:  Specifying an AgentX socket does not automatically enable
1391                     AgentX   functionality   (unlike  the  '-x'  command-line
1392                     option).
1393
1394       agentXTimeout NUM
1395              defines the timeout period (NUM seconds) for an AgentX  request.
1396              Default is 1 second.
1397
1398       agentXRetries NUM
1399              defines the number of retries for an AgentX request.  Default is
1400              5 retries.
1401
1402       net-snmp ships with both C and Perl APIs to  develop  your  own  AgentX
1403       subagent.
1404

OTHER CONFIGURATION

1406       override [-rw] OID TYPE VALUE
1407              This  directive  allows  you to override a particular OID with a
1408              different value (and possibly a different type of  value).   The
1409              -rw  flag  will  allow  snmp  SETs to modify it's value as well.
1410              (note that if you're  overriding  original  functionality,  that
1411              functionality  will be entirely lost.  Thus SETS will do nothing
1412              more than modify the internal overridden value and will not per‐
1413              form  any  of the original functionality intended to be provided
1414              by the MIB object.  It's an emulation only.)  An example:
1415
1416                     override sysDescr.0 octet_str "my own sysDescr"
1417
1418              That line will set the sysDescr.0 value to "my own sysDescr"  as
1419              well  as  make  it  modifiable  with SNMP SETs as well (which is
1420              actually illegal according to the MIB specifications).
1421
1422              Note that care must be taken when using this.  For  example,  if
1423              you  try  to  override  a  property  of the 3rd interface in the
1424              ifTable with a new value and  later  the  numbering  within  the
1425              ifTable  changes it's index ordering you'll end up with problems
1426              and your modified value won't appear in the right place  in  the
1427              table.
1428
1429              Valid   TYPEs  are:  integer,  uinteger,  octet_str,  object_id,
1430              counter, null (for gauges, use "uinteger"; for bit strings,  use
1431              "octet_str").  Note that setting an object to "null" effectively
1432              delete's it as being accessible.  No VALUE needs to be given  if
1433              the object type is null.
1434
1435              More types should be available in the future.
1436
1437       If you're trying to figure out aspects of the various mib modules (pos‐
1438       sibly some that you've added yourself), the following may help you spit
1439       out  some  useful  debugging  information.   First off, please read the
1440       snmpd manual page on the -D flag.   Then  the  following  configuration
1441       snmpd.conf token, combined with the -D flag, can produce useful output:
1442
1443       injectHandler HANDLER modulename
1444              This  will  insert new handlers into the section of the mib tree
1445              referenced by "modulename".  The types of handlers available for
1446              insertion are:
1447
1448              stash_cache
1449                     Caches  information  returned from the lower level.  This
1450                     greatly help the performance of the agent, at the cost of
1451                     caching  the  data  such that its no longer "live" for 30
1452                     seconds (in this  future,  this  will  be  configurable).
1453                     Note  that  this means snmpd will use more memory as well
1454                     while the information is  cached.   Currently  this  only
1455                     works  for  handlers  registered using the table_iterator
1456                     support, which is only a few mib tables.  To use it,  you
1457                     need to make sure to install it before the table_iterator
1458                     point in the chain, so to do this:
1459
1460                                       injectHandler  stash_cache   NAME   ta‐
1461                     ble_iterator
1462
1463                     If  you want a table to play with, try walking the nsMod‐
1464                     uleTable with and without this injected.
1465
1466
1467              debug  Prints  out  lots  of  debugging  information  when   the
1468                     -Dhelper:debug flag is passed to the snmpd application.
1469
1470
1471              read_only
1472                     Forces turning off write support for the given module.
1473
1474
1475              serialize
1476                     If  a module is failing to handle multiple requests prop‐
1477                     erly (using the new 5.0 module API), this will force  the
1478                     module to only receive one request at a time.
1479
1480
1481              bulk_to_next
1482                     If  a module registers to handle getbulk support, but for
1483                     some reason is failing to  implement  it  properly,  this
1484                     module  will  convert  all  getbulk  requests  to getnext
1485                     requests before the final module receives it.
1486
1487       dontLogTCPWrappersConnects
1488              If the snmpd was compiled with  TCP  Wrapper  support,  it  logs
1489              every  connection  made  to the agent. This setting disables the
1490              log messages for accepted connections. Denied  connections  will
1491              still be logged.
1492
1493       Figuring out module names
1494              To figure out which modules you can inject things into, run snm‐
1495              pwalk on the nsModuleTable which will give a list of  all  named
1496              modules registered within the agent.
1497
1498   Internal Data tables
1499       table NAME
1500
1501       add_row NAME INDEX(ES) VALUE(S)
1502

NOTES

1504       o      The Net-SNMP agent can be instructed to re-read the various con‐
1505              figuration files, either via an snmpset assignment of integer(1)
1506              to                           UCD-SNMP-MIB::versionUpdateConfig.0
1507              (.1.3.6.1.4.1.2021.100.11.0), or by sending a kill  -HUP  signal
1508              to the agent process.
1509
1510       o      All  directives  listed  with a value of "yes" actually accept a
1511              range of boolean values.  These will accept any  of  1,  yes  or
1512              true  to  enable the corresponding behaviour, or any of 0, no or
1513              false to disable it.  The default in each case is for  the  fea‐
1514              ture  to  be  turned off, so these directives are typically only
1515              used to enable the appropriate behaviour.
1516

EXAMPLE CONFIGURATION FILE

1518       See the EXAMPLE.CONF file in the top level source directory for a  more
1519       detailed example of how the above information is used in real examples.
1520

FILES

1522       /etc/snmp/snmpd.conf
1523

SEE ALSO

1525       snmpconf(1),  snmpusm(1), snmp.conf(5), snmp_config(5), snmpd(8), EXAM‐
1526       PLE.conf, read_config(3).
1527
1528
1529
15304th Berkeley Distribution         08 Feb 2002                    SNMPD.CONF(5)
Impressum