1SNMPD.CONF(5) Net-SNMP SNMPD.CONF(5)
2
6 snmpd.conf - configuration file for the Net-SNMP SNMP agent
7
9 The Net-SNMP agent uses one or more configuration files to control its
10 operation and the management information provided. These files
11 (snmpd.conf and snmpd.local.conf) can be located in one of several
12 locations, as described in the snmp_config(5) manual page.
13 The (perl) application snmpconf can be used to generate configuration
15 files for the most common agent requirements. See the snmpconf(1) man‐
16 ual page for more information, or try running the command:
17 snmpconf -g basic_setup
19 There are a large number of directives that can be specified, but these
21 mostly fall into four distinct categories:
22 · those controlling who can access the agent
24 · those configuring the information that is supplied by the agent
26 · those controlling active monitoring of the local system
28 · those concerned with extending the functionality of the agent.
30 Some directives don't fall naturally into any of these four categories,
32 but this covers the majority of the contents of a typical snmpd.conf
33 file. A full list of recognised directives can be obtained by running
34 the command:
35 snmpd -H
37
39 Although most configuration directives are concerned with the MIB
40 information supplied by the agent, there are a handful of directives
41 that control the behaviour of snmpd considered simply as a daemon pro‐
42 viding a network service.
43 agentaddress [<transport-specifier>:]<transport-address>[,...]
45 defines a list of listening addresses, on which to receive
46 incoming SNMP requests. See the section LISTENING ADDRESSES in
47 the snmpd(8) manual page for more information about the format
48 of listening addresses.
49 The default behaviour is to listen on UDP port 161 on all IPv4
51 interfaces.
52 agentgroup {GROUP|#GID}
54 changes to the specified group after opening the listening
55 port(s). This may refer to a group by name (GROUP), or a
56 numeric group ID starting with '#' (#GID).
57 agentuser {USER|#UID}
59 changes to the specified user after opening the listening
60 port(s). This may refer to a user by name (USER), or a numeric
61 user ID starting with '#' (#UID).
62 leave_pidfile yes
64 instructs the agent to not remove its pid file on shutdown.
65 Equivalent to specifying "-U" on the command line.
66 maxGetbulkRepeats NUM
68 Sets the maximum number of responses allowed for a single vari‐
69 able in a getbulk request. Set to 0 to enable the default and
70 set it to -1 to enable unlimited. Because memory is allocated
71 ahead of time, sitting this to unlimited is not considered safe
72 if your user population can not be trusted. A repeat number
73 greater than this will be truncated to this value.
74 This is set by default to -1.
76 maxGetbulkResponses NUM
78 Sets the maximum number of responses allowed for a getbulk
79 request. This is set by default to 100. Set to 0 to enable the
80 default and set it to -1 to enable unlimited. Because memory is
81 allocated ahead of time, sitting this to unlimited is not con‐
82 sidered safe if your user population can not be trusted.
83 In general, the total number of responses will not be allowed to
85 exceed the maxGetbulkResponses number and the total number
86 returned will be an integer multiple of the number of variables
87 requested times the calculated number of repeats allow to fit
88 below this number.
89 Also not that processing of maxGetbulkRepeats is handled first.
91 SNMPv3 Configuration
93 SNMPv3 requires an SNMP agent to define a unique "engine ID" in order
94 to respond to SNMPv3 requests. This ID will normally be determined
95 automatically, using two reasonably non-predictable values - a
96 (pseudo-)random number and the current time in seconds. This is the
97 recommended approach. However the capacity exists to define the
98 engineID in other ways:
99 engineID STRING
101 specifies that the engineID should be built from the given text
102 STRING.
103 engineIDType 1|2|3
105 specifies that the engineID should be built from the IPv4
106 address (1), IPv6 address (2) or MAC address (3). Note that
107 changing the IP address (or switching the network interface
108 card) may cause problems.
109 engineIDNic INTERFACE
111 defines which interface to use when determining the MAC address.
112 If engineIDType 3 is not specified, then this directive has no
113 effect.
114 The default is to use eth0.
116
118 SNMPv3 was originally defined using the User-Based Security Model
119 (USM), which contains a private list of users and keys specific to the
120 SNMPv3 protocol. The operational community, however, declared it a
121 pain to manipulate yet another database and would prefer to use exist‐
122 ing infrastructure. To that end the IETF created the ISMS working
123 group to battle that problem, and the ISMS working group decided to
124 tunnel SNMP over SSH and DTLS to make use existing user and authentica‐
125 tion infrastructures.
126 SNMPv3 USM Users
128 To use the USM based SNMPv3-specific users, you'll need to create them.
129 It is recommended you use the net-snmp-config command to do this, but
130 you can also do it by directly specifying createUser directives your‐
131 self instead:
132 createUser [-e ENGINEID] username (MD5|SHA) authpassphrase [DES|AES]
134 [privpassphrase]
135 MD5 and SHA are the authentication types to use. DES and AES
137 are the privacy protocols to use. If the privacy passphrase is
138 not specified, it is assumed to be the same as the authentica‐
139 tion passphrase. Note that the users created will be useless
140 unless they are also added to the VACM access control tables
141 described above.
142 SHA authentication and DES/AES privacy require OpenSSL to be
144 installed and the agent to be built with OpenSSL support. MD5
145 authentication may be used without OpenSSL.
146 Warning: the minimum pass phrase length is 8 characters.
148 SNMPv3 users can be created at runtime using the snmpusm(1) com‐
150 mand.
151 Instead of figuring out how to use this directive and where to
153 put it (see below), just run "net-snmp-config --create-
154 snmpv3-user" instead, which will add one of these lines to the
155 right place.
156 This directive should be placed into the /var/lib/net-
158 snmp/snmpd.conf file instead of the other normal locations. The
159 reason is that the information is read from the file and then
160 the line is removed (eliminating the storage of the master pass‐
161 word for that user) and replaced with the key that is derived
162 from it. This key is a localized key, so that if it is stolen
163 it can not be used to access other agents. If the password is
164 stolen, however, it can be.
165 If you need to localize the user to a particular EngineID (this
167 is useful mostly in the similar snmptrapd.conf file), you can
168 use the -e argument to specify an EngineID as a hex value (EG,
169 "0x01020304").
170 If you want to generate either your master or localized keys
172 directly, replace the given password with a hexstring (preceeded
173 by a "0x") and precede the hex string by a -m or -l token
174 (respectively). EGs:
175 [these keys are *not* secure but are easy to visually parse for
177 counting purposes. Please generate random keys instead of using
178 these examples]
179 createUser myuser SHA -l 0x0001020304050607080900010203040506070809 AES -l 0x00010203040506070809000102030405
181 createUser myuser SHA -m 0x0001020304050607080900010203040506070809 AES -m 0x0001020304050607080900010203040506070809
182 Due to the way localization happens, localized privacy keys are
184 expected to be the length needed by the algorithm (128 bits for
185 all supported algorithms). Master encryption keys, though, need
186 to be the length required by the authentication algorithm not
187 the length required by the encrypting algorithm (MD5: 16 bytes,
188 SHA: 20 bytes).
189 SSH Support
191 To use SSH, you'll need to configure sshd to invoke sshtosnmp as well
192 as configure the access control settings to allow access through the
193 tsm security model using the user name provided to snmpd by the ssh
194 transport.
195 DTLS Support
197 For DTLS, snmpd will need to be configured with it's own X.509 certifi‐
198 cate as well as the certificates of the client users to be allowed to
199 connect to the agent. The access control will need to be set up as
200 well to allow access through the tsm security model. The CommonName of
201 the Subject from the X.509 certificate will be passed to snmpd as the
202 SNMPv3 username to use. See the http://www.net-
203 snmp.org/wiki/index.php/Using_DTLS web page for more detailed instruc‐
204 tions for setting up DTLS.
205 defX509ServerPub FILE
207 defX509ServerPriv FILE
209 These two directives specify the public and private key files
210 for the certificate that snmpd should present to incoming con‐
211 nections.
212 defX509ClientCerts FILE
214 This directive specifies a file containing all of the public
215 keys (or CAs of public keys) for clients to connect the server
216 with.
217
219 snmpd supports the View-Based Access Control Model (VACM) as defined in
220 RFC 2575, to control who can retrieve or update information. To this
221 end, it recognizes various directives relating to access control.
222 Traditional Access Control
224 Most simple access control requirements can be specified using the
225 directives rouser/rwuser (for SNMPv3) or rocommunity/rwcommunity (for
226 SNMPv1 or SNMPv2c).
227 rouser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
229 rwuser [-s SECMODEL] USER [noauth|auth|priv [OID | -V VIEW [CONTEXT]]]
231 specify an SNMPv3 user that will be allowed read-only (GET and
232 GETNEXT) or read-write (GET, GETNEXT and SET) access respec‐
233 tively. By default, this will provide access to the full OID
234 tree for authenticated (including encrypted) SNMPv3 requests,
235 using the default context. An alternative minimum security
236 level can be specified using noauth (to allow unauthenticated
237 requests), or priv (to enforce use of encryption). The OID
238 field restricts access for that user to the subtree rooted at
239 the given OID, or the named view. An optional context can also
240 be specified, or "context*" to denote a context prefix. If no
241 context field is specified (or the token "*" is used), the
242 directive will match all possible contexts.
243 If SECMODEL is specified then it will be the security model
245 required for that user (note that identical user names may come
246 in over different security models and will be appropriately sep‐
247 arated via the access control settings). The default security
248 model is "usm" and the other common security models are likely
249 "tsm" when using SSH or DTLS support and "ksm" if the Kerberos
250 support has been compiled in.
251 rocommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
253 rwcommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
255 specify an SNMPv1 or SNMPv2c community that will be allowed
256 read-only (GET and GETNEXT) or read-write (GET, GETNEXT and SET)
257 access respectively. By default, this will provide access to
258 the full OID tree for such requests, regardless of where they
259 were sent from. The SOURCE token can be used to restrict access
260 to requests from the specified system(s) - see com2sec for the
261 full details. The OID field restricts access for that community
262 to the subtree rooted at the given OID, or named view. Contexts
263 are typically less relevant to community-based SNMP versions,
264 but the same behaviour applies here.
265 rocommunity6 COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
267 rwcommunity6 COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
269 are directives relating to requests received using IPv6 (if the
270 agent supports such transport domains). The interpretation of
271 the SOURCE, OID, VIEW and CONTEXT tokens are exactly the same as
272 for the IPv4 versions.
273 In each case, only one directive should be specified for a given SNMPv3
275 user, or community string. It is not appropriate to specify both
276 rouser and rwuser directives referring to the same SNMPv3 user (or
277 equivalent community settings). The rwuser directive provides all the
278 access of rouser (as well as allowing SET support). The same holds
279 true for the community-based directives.
280 More complex access requirements (such as access to two or more dis‐
282 tinct OID subtrees, or different views for GET and SET requests) should
283 use one of the other access control mechanisms. Note that if several
284 distinct communities or SNMPv3 users need to be granted the same level
285 of access, it would also be more efficient to use the main VACM config‐
286 uration directives.
287 VACM Configuration
289 The full flexibility of the VACM is available using four configuration
290 directives - com2sec, group, view and access. These provide direct
291 configuration of the underlying VACM tables.
292 com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
294 com2sec6 [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
296 map an SNMPv1 or SNMPv2c community string to a security name -
297 either from a particular range of source addresses, or globally
298 ("default"). A restricted source can either be a specific host‐
299 name (or address), or a subnet - represented as IP/MASK (e.g.
300 10.10.10.0/255.255.255.0), or IP/BITS (e.g. 10.10.10.0/24), or
301 the IPv6 equivalents.
302 The same community string can be specified in several separate
304 directives (presumably with different source tokens), and the
305 first source/community combination that matches the incoming
306 request will be selected. Various source/community combinations
307 can also map to the same security name.
308 If a CONTEXT is specified (using -Cn), the community string will
310 be mapped to a security name in the named SNMPv3 context. Other‐
311 wise the default context ("") will be used.
312 com2secunix [-Cn CONTEXT] SECNAME SOCKPATH COMMUNITY
314 is the Unix domain sockets version of com2sec.
315 group GROUP {v1|v2c|usm|tsm|ksm} SECNAME
317 maps a security name (in the specified security model) into a
318 named group. Several group directives can specify the same
319 group name, allowing a single access setting to apply to several
320 users and/or community strings.
321 Note that groups must be set up for the two community-based mod‐
323 els separately - a single com2sec (or equivalent) directive will
324 typically be accompanied by two group directives.
325 view VNAME TYPE OID [MASK]
327 defines a named "view" - a subset of the overall OID tree. This
328 is most commonly a single subtree, but several view directives
329 can be given with the same view name (VNAME), to build up a more
330 complex collection of OIDs. TYPE is either included or
331 excluded, which can again define a more complex view (e.g by
332 excluding certain sensitive objects from an otherwise accessible
333 subtree).
334 MASK is a list of hex octets (optionally separated by '.' or
336 ':') with the set bits indicating which subidentifiers in the
337 view OID to match against. If not specified, this defaults to
338 matching the OID exactly (all bits set), thus defining a simple
339 OID subtree. So:
340 view iso1 included .iso 0xf0
341 view iso2 included .iso
342 view iso3 included .iso.org.dod.mgmt 0xf0
343 would all define the same view, covering the whole of the
345 'iso(1)' subtree (with the third example ignoring the subidenti‐
346 fiers not covered by the mask).
347 More usefully, the mask can be used to define a view covering a
349 particular row (or rows) in a table, by matching against the
350 appropriate table index value, but skipping the column subiden‐
351 tifier:
352 view ifRow4 included .1.3.6.1.2.1.2.2.1.0.4 0xff:a0
354 Note that a mask longer than 8 bits must use ':' to separate the
356 individual octets.
357 access GROUP CONTEXT {any|v1|v2c|usm|tsm|ksm} LEVEL PREFX READ WRITE
359 NOTIFY
360 maps from a group of users/communities (with a particular secu‐
361 rity model and minimum security level, and in a specific con‐
362 text) to one of three views, depending on the request being pro‐
363 cessed.
364 LEVEL is one of noauth, auth, or priv. PREFX specifies how CON‐
366 TEXT should be matched against the context of the incoming
367 request, either exact or prefix. READ, WRITE and NOTIFY speci‐
368 fies the view to be used for GET*, SET and TRAP/INFORM requests
369 (althought the NOTIFY view is not currently used). For v1 or
370 v2c access, LEVEL will need to be noauth.
371 Typed-View Configuration
373 The final group of directives extend the VACM approach into a more
374 flexible mechanism, which can be applied to other access control
375 requirements. Rather than the fixed three views of the standard VACM
376 mechanism, this can be used to configure various different view types.
377 As far as the main SNMP agent is concerned, the two main view types are
378 read and write, corresponding to the READ and WRITE views of the main
379 access directive. See the 'snmptrapd.conf(5)' man page for discussion
380 of other view types.
381 authcommunity TYPES COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
383 is an alternative to the rocommunity/rwcommunity directives.
384 TYPES will usually be read or read,write respectively. The view
385 specification can either be an OID subtree (as before), or a
386 named view (defined using the view directive) for greater flexi‐
387 bility. If this is omitted, then access will be allowed to the
388 full OID tree. If CONTEXT is specified, access is configured
389 within this SNMPv3 context. Otherwise the default context ("")
390 is used.
391 authuser TYPES [-s MODEL] USER [LEVEL [OID | -V VIEW [CONTEXT]]]
393 is an alternative to the rouser/rwuser directives. The fields
394 TYPES, OID, VIEW and CONTEXT have the same meaning as for auth‐
395 community.
396 authgroup TYPES [-s MODEL] GROUP [LEVEL [OID | -V VIEW [CONTEXT]]]
398 is a companion to the authuser directive, specifying access for
399 a particular group (defined using the group directive as usual).
400 Both authuser and authgroup default to authenticated requests -
401 LEVEL can also be specified as noauth or priv to allow unauthen‐
402 ticated requests, or require encryption respectively. Both
403 authuser and authgroup directives also default to configuring
404 access for SNMPv3/USM requests - use the '-s' flag to specify an
405 alternative security model (using the same values as for access
406 above).
407 authaccess TYPES [-s MODEL] GROUP VIEW [LEVEL [CONTEXT]]
409 also configures the access for a particular group, specifying
410 the name and type of view to apply. The MODEL and LEVEL fields
411 are interpreted in the same way as for authgroup. If CONTEXT is
412 specified, access is configured within this SNMPv3 context (or
413 contexts with this prefix if the CONTEXT field ends with '*').
414 Otherwise the default context ("") is used.
415 setaccess GROUP CONTEXT MODEL LEVEL PREFIX VIEW TYPES
417 is a direct equivalent to the original access directive, typi‐
418 cally listing the view types as read or read,write as appropri‐
419 ate. (or see 'snmptrapd.conf(5)' for other possibilities). All
420 other fields have the same interpretation as with access.
421
423 Most of the information reported by the Net-SNMP agent is retrieved
424 from the underlying system, or dynamically configured via SNMP SET
425 requests (and retained from one run of the agent to the next). How‐
426 ever, certain MIB objects can be configured or controlled via the
427 snmpd.conf(5) file.
428 System Group
430 Most of the scalar objects in the 'system' group can be configured in
431 this way:
432 sysLocation STRING
434 sysContact STRING
436 sysName STRING
438 set the system location, system contact or system name (sysLoca‐
439 tion.0, sysContact.0 and sysName.0) for the agent respectively.
440 Ordinarily these objects are writeable via suitably authorized
441 SNMP SET requests. However, specifying one of these directives
442 makes the corresponding object read-only, and attempts to SET it
443 will result in a notWritable error response.
444 sysServices NUMBER
446 sets the value of the sysServices.0 object. For a host system,
447 a good value is 72 (application + end-to-end layers). If this
448 directive is not specified, then no value will be reported for
449 the sysServices.0 object.
450 sysDescr STRING
452 sysObjectID OID
454 sets the system description or object ID for the agent.
455 Although these MIB objects are not SNMP-writable, these direc‐
456 tives can be used by a network administrator to configure suit‐
457 able values for them.
458 Interfaces Group
460 interface NAME TYPE SPEED
461 can be used to provide appropriate type and speed settings for
462 interfaces where the agent fails to determine this information
463 correctly. TYPE is a type value as given in the IANAifType-MIB,
464 and can be specified numerically or by name (assuming this MIB
465 is loaded).
466 Host Resources Group
468 This requires that the agent was built with support for the host module
469 (which is now included as part of the default build configuration on
470 the major supported platforms).
471 ignoreDisk STRING
473 controls which disk devices are scanned as part of populating
474 the hrDiskStorageTable (and hrDeviceTable). The HostRes imple‐
475 mentation code includes a list of disk device patterns appropri‐
476 ate for the current operating system, some of which may cause
477 the agent to block when trying to open the corresponding disk
478 devices. This might lead to a timeout when walking these
479 tables, possibly resulting in inconsistent behaviour. This
480 directive can be used to specify particular devices (either
481 individually or wildcarded) that should not be checked.
482 Note: Please consult the source (host/hr_disk.c) and check for
484 the Add_HR_Disk_entry calls relevant for a particular O/S
485 to determine the list of devices that will be scanned.
486 The pattern can include one or more wildcard expressions. See
488 snmpd.examples(5) for illustration of the wildcard syntax.
489 skipNFSInHostResources true
491 controls whether NFS and NFS-like file systems should be omitted
492 from the hrStorageTable (true or 1) or not (false or 0, which is
493 the default). If the Net-SNMP agent gets hung on NFS-mounted
494 filesystems, you can try setting this to '1'.
495 storageUseNFS [1|2]
497 controls how NFS and NFS-like file systems should be reported in
498 the hrStorageTable. as 'Network Disks' (1) or 'Fixed Disks' (2)
499 Historically, the Net-SNMP agent has reported such file systems
500 as 'Fixed Disks', and this is still the default behaviour. Set‐
501 ting this directive to '1' reports such file systems as ´Network
502 Disks', as required by the Host Resources MIB.
503 Process Monitoring
505 The hrSWRun group of the Host Resources MIB provides information about
506 individual processes running on the local system. The prTable of the
507 UCD-SNMP-MIB complements this by reporting on selected services (which
508 may involve multiple processes). This requires that the agent was
509 built with support for the ucd-snmp/proc module (which is included as
510 part of the default build configuration).
511 proc NAME [MAX [MIN]]
513 monitors the number of processes called NAME (as reported by
514 "/bin/ps -e") running on the local system.
515 If the number of NAMEd processes is less than MIN or greater
517 than MAX, then the corresponding prErrorFlag instance will be
518 set to 1, and a suitable description message reported via the
519 prErrMessage instance.
520 Note: This situation will not automatically trigger a trap to
522 report the problem - see the DisMan Event MIB section
523 later.
524 If neither MAX nor MIN are specified (or are both 0), they will
526 default to infinity and 1 respectively ("at least one"). If
527 only MAX is specified, MIN will default to 0 ("no more than
528 MAX").
529 procfix NAME PROG ARGS
531 registers a command that can be run to fix errors with the given
532 process NAME. This will be invoked when the corresponding prE‐
533 rrFix instance is set to 1.
534 Note: This command will not be invoked automatically.
536 The procfix directive must be specified after the matching proc
538 directive, and cannot be used on its own.
539 If no proc directives are defined, then walking the prTable will fail
541 (noSuchObject).
542 Disk Usage Monitoring
544 This requires that the agent was built with support for the ucd-
545 snmp/disk module (which is included as part of the default build con‐
546 figuration).
547 disk PATH [ MINSPACE | MINPERCENT% ]
549 monitors the disk mounted at PATH for available disk space.
550 The minimum threshold can either be specified in kB (MINSPACE)
552 or as a percentage of the total disk (MINPERCENT% with a '%'
553 character), defaulting to 100kB if neither are specified. If
554 the free disk space falls below this threshold, then the corre‐
555 sponding dskErrorFlag instance will be set to 1, and a suitable
556 description message reported via the dskErrorMsg instance.
557 Note: This situation will not automatically trigger a trap to
559 report the problem - see the DisMan Event MIB section
560 later.
561 includeAllDisks MINPERCENT%
563 configures monitoring of all disks found on the system, using
564 the specified (percentage) threshold. The threshold for indi‐
565 vidual disks can be adjusted using suitable disk directives
566 (which can come either before or after the includeAllDisks
567 directive).
568 Note: Whether disk directives appears before or after
570 includeAllDisks may affect the indexing of the dskTable.
571 Only one includeAllDisks directive should be specified - any
573 subsequent copies will be ignored.
574 The list of mounted disks will be determined when the agent
576 starts using the setmntent(3) and getmntent(3), or fopen(3) and
577 getmntent(3), or setfsent(3) and getfsent(3) system calls. If
578 none of the above system calls are available then the root par‐
579 tition "/" (which is assumed to exist on any UNIX based sys‐
580 tem) will be monitored. Disks mounted after the agent has
581 started will not be monitored.
582 If neither any disk directives or includeAllDisks are defined, then
584 walking the dskTable will fail (noSuchObject).
585 System Load Monitoring
587 This requires that the agent was built with support for either the ucd-
588 snmp/loadave module or the ucd-snmp/memory module respectively (both of
589 which are included as part of the default build configuration).
590 load MAX1 [MAX5 [MAX15]]
592 monitors the load average of the local system, specifying
593 thresholds for the 1-minute, 5-minute and 15-minute averages.
594 If any of these loads exceed the associated maximum value, then
595 the corresponding laErrorFlag instance will be set to 1, and a
596 suitable description message reported via the laErrMessage
597 instance.
598 Note: This situation will not automatically trigger a trap to
600 report the problem - see the DisMan Event MIB section
601 later.
602 If the MAX15 threshold is omitted, it will default to the MAX5
604 value. If both MAX5 and MAX15 are omitted, they will default to
605 the MAX1 value. If this directive is not specified, all three
606 thresholds will default to a value of DEFMAXLOADAVE.
607 If a threshold value of 0 is given, the agent will not report
609 errors via the relevant laErrorFlag or laErrMessage instances,
610 regardless of the current load.
611 Unlike the proc and disk directives, walking the walking the laTable
613 will succeed (assuming the ucd-snmp/loadave module was configured into
614 the agent), even if the load directive is not present.
615 swap MIN
617 monitors the amount of swap space available on the local system.
618 If this falls below the specified threshold (MIN kB), then the
619 memErrorSwap object will be set to 1, and a suitable description
620 message reported via memSwapErrorMsg.
621 Note: This situation will not automatically trigger a trap to
623 report the problem - see the DisMan Event MIB section
624 later.
625 If this directive is not specified, the default threshold is 16 MB.
626 Log File Monitoring
628 This requires that the agent was built with support for either the ucd-
629 snmp/file or ucd-snmp/logmatch modules respectively (both of which are
630 included as part of the default build configuration).
631 file FILE [MAXSIZE]
633 monitors the size of the specified file (in kB). If MAXSIZE is
634 specified, and the size of the file exceeds this threshold, then
635 the corresponding fileErrorFlag instance will be set to 1, and a
636 suitable description message reported via the fileErrorMsg
637 instance.
638 Note: This situation will not automatically trigger a trap to
640 report the problem - see the DisMan Event MIB section
641 later.
642 Note: A maximum of 20 files can be monitored.
644 Note: If no file directives are defined, then walking the
646 fileTable will fail (noSuchObject).
647 logmatch NAME FILE CYCLETIME REGEX
649 monitors the specified file for occurances of the specified pat‐
650 tern REGEX. The file position is stored internally so the entire
651 file is only read initially, every subsequent pass will only
652 read the new lines added to the file since the last read.
653 NAME name of the logmatch instance (will appear as logMatch‐
655 Name under logMatch/logMatchTable/logMatchEntry/logMatch‐
656 Name in the ucd-snmp MIB tree)
657 FILE absolute path to the logfile to be monitored. Note that
659 this path can contain date/time directives (like in the
660 UNIX 'date' command). See the manual page for 'strftime'
661 for the various directives accepted.
662 CYCLETIME
664 time interval for each logfile read and internal variable
665 update in seconds. Note: an SNMPGET* operation will also
666 trigger an immediate logfile read and variable update.
667 REGEX the regular expression to be used. Note: DO NOT enclose
669 the regular expression in quotes even if there are spaces
670 in the expression as the quotes will also become part of
671 the pattern to be matched!
672 Example:
674 logmatch apache-GETs
676 /usr/local/apache/logs/access.log-%Y-%m-%d 60 GET.*HTTP.*
677 This logmatch instance is named 'apache-GETs', uses
679 'GET.*HTTP.*' as its regular expression and it will moni‐
680 tor the file named (assuming today is May 6th 2009):
681 '/usr/local/apache/logs/access.log-2009-05-06', tomorrow
682 it will look for 'access.log-2009-05-07'. The logfile is
683 read every 60 seconds.
684 Note: A maximum of 250 logmatch directives can be specified.
686 Note: If no logmatch directives are defined, then walking the
688 logMatchTable will fail (noSuchObject).
689
691 The usual behaviour of an SNMP agent is to wait for incoming SNMP
692 requests and respond to them - if no requests are received, an agent
693 will typically not initiate any actions. This section describes various
694 directives that can configure snmpd to take a more active role.
695 Notification Handling
697 trapcommunity STRING
698 defines the default community string to be used when sending
699 traps. Note that this directive must be used prior to any com‐
700 munity-based trap destination directives that need to use it.
701 trapsink HOST [COMMUNITY [PORT]]
703 trap2sink HOST [COMMUNITY [PORT]]
705 informsink HOST [COMMUNITY [PORT]]
707 define the address of a notification receiver that should be
708 sent SNMPv1 TRAPs, SNMPv2c TRAP2s, or SNMPv2 INFORM notifica‐
709 tions respectively. See the section LISTENING ADDRESSES in the
710 snmpd(8) manual page for more information about the format of
711 listening addresses. If COMMUNITY is not specified, the most
712 recent trapcommunity string will be used.
713 If the transport address does not include an explicit port spec‐
715 ification, then PORT will be used. If this is not specified,
716 the well known SNMP trap port (162) will be used.
717 Note: This mechanism is being deprecated, and the listening
719 port should be specified via the transport specification
720 HOST instead.
721 If several sink directives are specified, multiple copies of
723 each notification (in the appropriate formats) will be gener‐
724 ated.
725 Note: It is not normally appropriate to list two (or all three)
727 sink directives with the same destination.
728 trapsess [SNMPCMD_ARGS] HOST
730 provides a more generic mechanism for defining notification des‐
731 tinations. SNMPCMD_ARGS should be the command-line options
732 required for an equivalent snmptrap (or snmpinform) command to
733 send the desired notification. The option -Ci can be used (with
734 -v2c or -v3) to generate an INFORM notification rather than an
735 unacknowledged TRAP.
736 This is the appropriate directive for defining SNMPv3 trap
738 receivers. See http://www.net-snmp.org/tutorial/tutorial-5/com‐
739 mands/snmptrap-v3.html for more information about SNMPv3 notifi‐
740 cation behaviour.
741 authtrapenable {1|2}
743 determines whether to generate authentication failure traps
744 (enabled(1)) or not (disabled(2) - the default). Ordinarily the
745 corresponding MIB object (snmpEnableAuthenTraps.0) is read-
746 write, but specifying this directive makes this object read-
747 only, and attempts to set the value via SET requests will result
748 in a notWritable error response.
749 v1trapaddress HOST
751 defines the agent address, which is inserted into SNMPv1 TRAPs.
752 Arbitrary local IPv4 address is chosen if this option is
753 ommited. This option is useful mainly when the agent is visible
754 from outside world by specific address only (e.g. because of
755 network address translation or firewall).
756 DisMan Event MIB
758 The previous directives can be used to configure where traps should be
759 sent, but are not concerned with when to send such traps (or what traps
760 should be generated). This is the domain of the Event MIB - developed
761 by the Distributed Management (DisMan) working group of the IETF.
762 This requires that the agent was built with support for the dis‐
764 man/event module (which is now included as part of the default build
765 configuration for the most recent distribution).
766 Note: The behaviour of the latest implementation differs in
768 some minor respects from the previous code - nothing too
769 significant, but existing scripts may possibly need some
770 minor adjustments.
771 iquerySecName NAME
773 agentSecName NAME
775 specifies the default SNMPv3 username, to be used when making
776 internal queries to retrieve any necessary information (either
777 for evaluating the monitored expression, or building a notifica‐
778 tion payload). These internal queries always use SNMPv3, even
779 if normal querying of the agent is done using SNMPv1 or SNMPv2c.
780 Note that this user must also be explicitly created (createUser)
782 and given appropriate access rights (e.g. rouser). This direc‐
783 tive is purely concerned with defining which user should be used
784 - not with actually setting this user up.
785 monitor [OPTIONS] NAME EXPRESSION
787 defines a MIB object to monitor. If the EXPRESSION condition
788 holds (see below), then this will trigger the corresponding
789 event, and either send a notification or apply a SET assignment
790 (or both). Note that the event will only be triggered once,
791 when the expression first matches. This monitor entry will not
792 fire again until the monitored condition first becomes false,
793 and then matches again. NAME is an administrative name for this
794 expression, and is used for indexing the mteTriggerTable (and
795 related tables). Note also that such monitors use an internal
796 SNMPv3 request to retrieve the values being monitored (even if
797 normal agent queries typically use SNMPv1 or SNMPv2c). See the
798 iquerySecName token described above.
799 EXPRESSION
801 There are three types of monitor expression supported by the
802 Event MIB - existence, boolean and threshold tests.
803 OID | ! OID | != OID
805 defines an existence(0) monitor test. A bare OID speci‐
806 fies a present(0) test, which will fire when (an instance
807 of) the monitored OID is created. An expression of the
808 form ! OID specifies an absent(1) test, which will fire
809 when the monitored OID is delected. An expression of the
810 form != OID specifies a changed(2) test, which will fire
811 whenever the monitored value(s) change. Note that there
812 must be whitespace before the OID token.
813 OID OP VALUE
815 defines a boolean(1) monitor test. OP should be one of
816 the defined comparison operators (!=, ==, <, <=, >, >=)
817 and VALUE should be an integer value to compare against.
818 Note that there must be whitespace around the OP token.
819 A comparison such as OID !=0 will not be handled cor‐
820 rectly.
821 OID MIN MAX [DMIN DMAX]
823 defines a threshold(2) monitor test. MIN and MAX are
824 integer values, specifying lower and upper thresholds.
825 If the value of the monitored OID falls below the lower
826 threshold (MIN) or rises above the upper threshold (MAX),
827 then the monitor entry will trigger the corresponding
828 event.
829 Note that the rising threshold event will only be re-
831 armed when the monitored value falls below the lower
832 threshold (MIN). Similarly, the falling threshold event
833 will be re-armed by the upper threshold (MAX).
834 The optional parameters DMIN and DMAX configure a pair of
836 similar threshold tests, but working with the delta dif‐
837 ferences between successive sample values.
838 OPTIONS
840 There are various options to control the behaviour of the moni‐
841 tored expression. These include:
842 -D indicates that the expression should be evaluated using
844 delta differences between sample values (rather than the
845 values themselves).
846 -d OID
848 -di OID
850 specifies a discontinuity marker for validating delta
851 differences. A -di object instance will be used exactly
852 as given. A -d object will have the instance subidenti‐
853 fiers from the corresponding (wildcarded) expression
854 object appended. If the -I flag is specified, then there
855 is no difference between these two options.
856 This option also implies -D.
858 -e EVENT
860 specifies the event to be invoked when this monitor entry
861 is triggered. If this option is not given, the monitor
862 entry will generate one of the standard notifications
863 defined in the DISMAN-EVENT-MIB.
864 -I indicates that the monitored expression should be applied
866 to the specified OID as a single instance. By default,
867 the OID will be treated as a wildcarded object, and the
868 monitor expanded to cover all matching instances.
869 -i OID
871 -o OID define additional varbinds to be added to the notifica‐
873 tion payload when this monitor trigger fires. For a
874 wildcarded expression, the suffix of the matched instance
875 will be added to any OIDs specified using -o, while OIDs
876 specified using -i will be treated as exact instances.
877 If the -I flag is specified, then there is no difference
878 between these two options.
879 See strictDisman for details of the ordering of notifica‐
881 tion payloads.
882 -r FREQUENCY
884 monitors the given expression every FREQUENCY seconds.
885 By default, the expression will be evaluated every 600s
886 (10 minutes).
887 -S indicates that the monitor expression should not be eval‐
889 uated when the agent first starts up. The first evalua‐
890 tion will be done once the first repeat interval has
891 expired.
892 -s indicates that the monitor expression should be evaluated
894 when the agent first starts up. This is the default be‐
895 haviour.
896 Note: Notifications triggered by this initial evaluation
898 will be sent before the coldStart trap.
899 -u SECNAME
901 specifies a security name to use for scanning the local
902 host, instead of the default iquerySecName. Once again,
903 this user must be explicitly created and given suitable
904 access rights.
905 notificationEvent ENAME NOTIFICATION [-m] [-i OID | -o OID ]*
907 defines a notification event named ENAME. This can be triggered
908 from a given monitor entry by specifying the option -e ENAME
909 (see above). NOTIFICATION should be the OID of the NOTIFICA‐
910 TION-TYPE definition for the notification to be generated.
911 If the -m option is given, the notification payload will include
913 the standard varbinds as specified in the OBJECTS clause of the
914 notification MIB definition. This option must come after the
915 NOTIFICATION OID (and the relevant MIB file must be available
916 and loaded by the agent). Otherwise, these varbinds must be
917 listed explicitly (either here or in the corresponding monitor
918 directive).
919 The -i OID and -o OID options specify additional varbinds to be
921 appended to the notification payload, after the standard list.
922 If the monitor entry that triggered this event involved a wild‐
923 carded expression, the suffix of the matched instance will be
924 added to any OIDs specified using -o, while OIDs specified using
925 -i will be treated as exact instances. If the -I flag was spec‐
926 ified to the monitor directive, then there is no difference
927 between these two options.
928 setEvent ENAME [-I] OID = VALUE
930 defines a set event named ENAME, assigning the (integer) VALUE
931 to the specified OID. This can be triggered from a given moni‐
932 tor entry by specifying the option -e ENAME (see above).
933 If the monitor entry that triggered this event involved a wild‐
935 carded expression, the suffix of the matched instance will nor‐
936 mally be added to the OID. If the -I flag was specified to
937 either of the monitor or setEvent directives, the specified OID
938 will be regarded as an exact single instance.
939 strictDisman yes
941 The definition of SNMP notifications states that the varbinds
942 defined in the OBJECT clause should come first (in the order
943 specified), followed by any "extra" varbinds that the notifica‐
944 tion generator feels might be useful. The most natural approach
945 would be to associate these mandatory varbinds with the notifi‐
946 cationEvent entry, and append any varbinds associated with the
947 monitor entry that triggered the notification to the end of this
948 list. This is the default behaviour of the Net-SNMP Event MIB
949 implementation.
950 Unfortunately, the DisMan Event MIB specifications actually
952 state that the trigger-related varbinds should come first, fol‐
953 lowed by the event-related ones. This directive can be used to
954 restore this strictly-correct (but inappropriate) behaviour.
955 Note: Strict DisMan ordering may result in generating invalid
957 notifications payload lists if the notificationEvent -n
958 flag is used together with monitor -o (or -i) varbind
959 options.
960 If no monitor entries specify payload varbinds, then the setting
962 of this directive is irrelevant.
963 linkUpDownNotifications yes
965 will configure the Event MIB tables to monitor the ifTable for
966 network interfaces being taken up or down, and triggering a
967 linkUp or linkDown notification as appropriate.
968 This is exactly equivalent to the configuration:
970 notificationEvent linkUpTrap linkUp ifIndex ifAdminStatus ifOperStatus
972 notificationEvent linkDownTrap linkDown ifIndex ifAdminStatus ifOperStatus
973 monitor -r 60 -e linkUpTrap "Generate linkUp" ifOperStatus != 2
975 monitor -r 60 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
976 defaultMonitors yes
978 will configure the Event MIB tables to monitor the various UCD-
979 SNMP-MIB tables for problems (as indicated by the appropriate
980 xxErrFlag column objects).
981 This is exactly equivalent to the configuration:
983 monitor -o prNames -o prErrMessage "process table" prErrorFlag != 0
985 monitor -o memErrorName -o memSwapErrorMsg "memory" memSwapError != 0
986 monitor -o extNames -o extOutput "extTable" extResult != 0
987 monitor -o dskPath -o dskErrorMsg "dskTable" dskErrorFlag != 0
988 monitor -o laNames -o laErrMessage "laTable" laErrorFlag != 0
989 monitor -o fileName -o fileErrorMsg "fileTable" fileErrorFlag != 0
990 In both these latter cases, the snmpd.conf must also contain a iquery‐
992 SecName directive, together with a corresponding createUser entry and
993 suitable access control configuration.
994 DisMan Schedule MIB
996 The DisMan working group also produced a mechanism for scheduling par‐
997 ticular actions (a specified SET assignment) at given times. This
998 requires that the agent was built with support for the disman/schedule
999 module (which is included as part of the default build configuration
1000 for the most recent distribution).
1001 There are three ways of specifying the scheduled action:
1003 repeat FREQUENCY OID = VALUE
1005 configures a SET assignment of the (integer) VALUE to the MIB
1006 instance OID, to be run every FREQUENCY seconds.
1007 cron MINUTE HOUR DAY MONTH WEEKDAY OID = VALUE
1009 configures a SET assignment of the (integer) VALUE to the MIB
1010 instance OID, to be run at the times specified by the fields
1011 MINUTE to WEEKDAY. These follow the same pattern as the equiva‐
1012 lent crontab(5) fields.
1013 Note: These fields should be specified as a (comma-separated)
1015 list of numeric values. Named values for the MONTH and
1016 WEEKDAY fields are not supported, and neither are value
1017 ranges. A wildcard match can be specified as '*'.
1018 The DAY field can also accept negative values, to indicate days
1020 counting backwards from the end of the month.
1021 at MINUTE HOUR DAY MONTH WEEKDAY OID = VALUE
1023 configures a one-shot SET assignment, to be run at the first
1024 matching time as specified by the fields MINUTE to WEEKDAY. The
1025 interpretation of these fields is exactly the same as for the
1026 cron directive.
1027
1029 One of the first distinguishing features of the original UCD suite was
1030 the ability to extend the functionality of the agent - not just by
1031 recompiling with code for new MIB modules, but also by configuring the
1032 running agent to report additional information. There are a number of
1033 techniques to support this, including:
1034 · running external commands (exec, extend, pass)
1036 · loading new code dynamically (embedded perl, dlmod)
1038 · communicating with other agents (proxy, SMUX, AgentX)
1040 Arbitrary Extension Commands
1042 The earliest extension mechanism was the ability to run arbitrary com‐
1043 mands or shell scripts. Such commands do not need to be aware of SNMP
1044 operations, or conform to any particular behaviour - the MIB structures
1045 are designed to accommodate any form of command output. Use of this
1046 mechanism requires that the agent was built with support for the ucd-
1047 snmp/extensible and/or agent/extend modules (which are both included as
1048 part of the default build configuration).
1049 exec [MIBOID] NAME PROG ARGS
1051 sh [MIBOID] NAME PROG ARGS
1053 invoke the named PROG with arguments of ARGS. By default the
1054 exit status and first line of output from the command will be
1055 reported via the extTable, discarding any additional output.
1056 Note: Entries in this table appear in the order they are read
1058 from the configuration file. This means that adding new
1059 exec (or sh) directives and restarting the agent, may
1060 affect the indexing of other entries.
1061 The PROG argument for exec directives must be a full path to a
1063 real binary, as it is executed via the exec() system call. To
1064 invoke a shell script, use the sh directive instead.
1065 If MIBOID is specified, then the results will be rooted at this
1067 point in the OID tree, returning the exit statement as
1068 MIBOID.100.0 and the entire command output in a pseudo-table
1069 based at MIBNUM.101 - with one 'row' for each line of output.
1070 Note: The layout of this "relocatable" form of exec (or sh)
1072 output does not strictly form a valid MIB structure.
1073 This mechanism is being deprecated - please see the
1074 extend directive (described below) instead.
1075 The agent does not cache the exit status or output of the exe‐
1077 cuted program.
1078 execfix NAME PROG ARGS
1080 registers a command that can be invoked on demand - typically to
1081 respond to or fix errors with the corresponding exec or sh
1082 entry. When the extErrFix instance for a given NAMEd entry is
1083 set to the integer value of 1, this command will be called.
1084 Note: This directive can only be used in combination with a
1086 corresponding exec or sh directive, which must be defined
1087 first. Attempting to define an unaccompanied execfix
1088 directive will fail.
1089 exec and sh extensions can only be configured via the snmpd.conf file.
1091 They cannot be set up via SNMP SET requests.
1092 extend [MIBOID] NAME PROG ARGS
1094 works in a similar manner to the exec directive, but with a num‐
1095 ber of improvements. The MIB tables (nsExtendConfigTable etc)
1096 are indexed by the NAME token, so are unaffected by the order in
1097 which entries are read from the configuration files. There are
1098 two result tables - one (nsExtendOutput1Table) containing the
1099 exit status, the first line and full output (as a single string)
1100 for each extend entry, and the other (nsExtendOutput2Table) con‐
1101 taining the complete output as a series of separate lines.
1102 If MIBOID is specified, then the configuration and result tables
1104 will be rooted at this point in the OID tree, but are otherwise
1105 structured in exactly the same way. This means that several sep‐
1106 arate extend directives can specify the same MIBOID root, with‐
1107 out conflicting.
1108 The exit status and output is cached for each entry individu‐
1110 ally, and can be cleared (and the caching behaviour configured)
1111 using the nsCacheTable.
1112 extendfix NAME PROG ARGS
1114 registers a command that can be invoked on demand, by setting
1115 the appropriate nsExtendRunType instance to the value run-com‐
1116 mand(3). Unlike the equivalent execfix, this directive does not
1117 need to be paired with a corresponding extend entry, and can
1118 appear on its own.
1119 Both extend and extendfix directives can be configured dynamically,
1121 using SNMP SET requests to the NET-SNMP-EXTEND-MIB.
1122 MIB-Specific Extension Commands
1124 The first group of extension directives invoke arbitrary commands, and
1125 rely on the MIB structure (and management applications) having the
1126 flexibility to accommodate and interpret the output. This is a conve‐
1127 nient way to make information available quickly and simply, but is of
1128 no use when implementing specific MIB objects, where the extension must
1129 conform to the structure of the MIB (rather than vice versa). The
1130 remaining extension mechanisms are all concerned with such MIB-specific
1131 situations - starting with "pass-through" scripts. Use of this mecha‐
1132 nism requires that the agent was built with support for the ucd-
1133 snmp/pass and ucd-snmp/pass_persist modules (which are both included as
1134 part of the default build configuration).
1135 pass [-p priority] MIBOID PROG
1137 will pass control of the subtree rooted at MIBOID to the speci‐
1138 fied PROG command. GET and GETNEXT requests for OIDs within
1139 this tree will trigger this command, called as:
1140 PROG -g OID
1142 PROG -n OID
1144 respectively, where OID is the requested OID. The PROG command
1146 should return the response varbind as three separate lines
1147 printed to stdout - the first line should be the OID of the
1148 returned value, the second should be its TYPE (one of the text
1149 strings integer, gauge, counter, timeticks, ipaddress, objectid,
1150 or string ), and the third should be the value itself.
1151 If the command cannot return an appropriate varbind - e.g the
1153 specified OID did not correspond to a valid instance for a GET
1154 request, or there were no following instances for a GETNEXT -
1155 then it should exit without producing any output. This will
1156 result in an SNMP noSuchName error, or a noSuchInstance excep‐
1157 tion.
1158 Note: The SMIv2 type counter64 and SNMPv2 noSuchObject
1160 exception are not supported.
1161 A SET request will result in the command being called as:
1163 PROG -s OID TYPE VALUE
1165 where TYPE is one of the tokens listed above, indicating the
1167 type of the value passed as the third parameter.
1168 If the assignment is successful, the PROG command should exit
1170 without producing any output. Errors should be indicated by
1171 writing one of the strings not-writable, or wrong-type to std‐
1172 out, and the agent will generate the appropriate error response.
1173 Note: The other SNMPv2 errors are not supported.
1175 In either case, the command should exit once it has finished
1177 processing. Each request (and each varbind within a single
1178 request) will trigger a separate invocation of the command.
1179 The default registration priority is 127. This can be changed
1181 by supplying the optional -p flag, with lower priority registra‐
1182 tions being used in preference to higher priority values.
1183 pass_persist [-p priority] MIBOID PROG
1185 will also pass control of the subtree rooted at MIBOID to the
1186 specified PROG command. However this command will continue to
1187 run after the initial request has been answered, so subsequent
1188 requests can be processed without the startup overheads.
1189 Upon initialization, PROG will be passed the string "PING\n" on
1191 stdin, and should respond by printing "PONG\n" to stdout.
1192 For GET and GETNEXT requests, PROG will be passed two lines on
1194 stdin, the command (get or getnext) and the requested OID. It
1195 should respond by printing three lines to stdout - the OID for
1196 the result varbind, the TYPE and the VALUE itself - exactly as
1197 for the pass directive above. If the command cannot return an
1198 appropriate varbind, it should print print "NONE\n" to stdout
1199 (but continue running).
1200 For SET requests, PROG will be passed three lines on stdin, the
1202 command (set) and the requested OID, followed by the type and
1203 value (both on the same line). If the assignment is successful,
1204 the command should print "DONE\n" to stdout. Errors should be
1205 indicated by writing one of the strings not-writable, wrong-
1206 type, wrong-length, wrong-value or inconsistent-value to stdout,
1207 and the agent will generate the appropriate error response. In
1208 either case, the command should continue running.
1209 The registration priority can be changed using the optional -p
1211 flag, just as for the pass directive.
1212 pass and pass_persist extensions can only be configured via the
1214 snmpd.conf file. They cannot be set up via SNMP SET requests.
1215 Embedded Perl Support
1217 Programs using the previous extension mechanisms can be written in any
1218 convenient programming language - including perl, which is a common
1219 choice for pass-through extensions in particular. However the Net-SNMP
1220 agent also includes support for embedded perl technology (similar to
1221 mod_perl for the Apache web server). This allows the agent to inter‐
1222 pret perl scripts directly, thus avoiding the overhead of spawning pro‐
1223 cesses and initializing the perl system when a request is received.
1224 Use of this mechanism requires that the agent was built with support
1226 for the embedded perl mechanism, which is not part of the default build
1227 environment. It must be explicitly included by specifying the
1228 '--enable-embedded-perl' option to the configure script when the pack‐
1229 age is first built.
1230 If enabled, the following directives will be recognised:
1232 disablePerl true
1234 will turn off embedded perl support entirely (e.g. if there are
1235 problems with the perl installation).
1236 perlInitFile FILE
1238 loads the specified initialisation file (if present) immediately
1239 before the first perl directive is parsed. If not explicitly
1240 specified, the agent will look for the default initialisation
1241 file /usr/share/snmp/snmp_perl.pl.
1242 The default initialisation file creates an instance of a Net‐
1244 SNMP::agent object - a variable $agent which can be used to reg‐
1245 ister perl-based MIB handler routines.
1246 perl EXPRESSION
1248 evaluates the given expression. This would typically register a
1249 handler routine to be called when a section of the OID tree was
1250 requested:
1251 perl use Data::Dumper;
1252 perl sub myroutine { print "got called: ",Dumper(@_),"\n"; }
1253 perl $agent->register('mylink', '.1.3.6.1.8765', \&myroutine);
1254 This expression could also source an external file:
1256 perl 'do /path/to/file.pl';
1257 or perform any other perl-based processing that might be
1259 required.
1260 Dynamically Loadable Modules
1262 Most of the MIBs supported by the Net-SNMP agent are implemented as C
1263 code modules, which were compiled and linked into the agent libraries
1264 when the suite was first built. Such implementation modules can also
1265 be compiled independently and loaded into the running agent once it has
1266 started. Use of this mechanism requires that the agent was built with
1267 support for the ucd-snmp/dlmod module (which is included as part of the
1268 default build configuration).
1269 dlmod NAME PATH
1271 will load the shared object module from the file PATH (an abso‐
1272 lute filename), and call the initialisation routine init_NAME.
1273 Note: If the specified PATH is not a fully qualified filename,
1275 it will be interpreted relative to
1276 /usr/lib(64)/snmp/dlmod, and .so will be appended to the
1277 filename.
1278 This functionality can also be configured using SNMP SET requests to
1280 the UCD-DLMOD-MIB.
1281 Proxy Support
1283 Another mechanism for extending the functionality of the agent is to
1284 pass selected requests (or selected varbinds) to another SNMP agent,
1285 which can be running on the same host (presumably listening on a dif‐
1286 ferent port), or on a remote system. This can be viewed either as the
1287 main agent delegating requests to the remote one, or acting as a proxy
1288 for it. Use of this mechanism requires that the agent was built with
1289 support for the ucd-snmp/proxy module (which is included as part of the
1290 default build configuration).
1291 proxy [-Cn CONTEXTNAME] [SNMPCMD_ARGS] HOST OID [REMOTEOID]
1293 will pass any incoming requests under OID to the agent listening
1294 on the port specified by the transport address HOST. See the
1295 section LISTENING ADDRESSES in the snmpd(8) manual page for more
1296 information about the format of listening addresses.
1297 Note: To proxy the entire MIB tree, use the OID .1.3 (not the
1299 top-level .1)
1300 The SNMPCMD_ARGS should provide sufficient version and administrative
1302 information to generate a valid SNMP request (see snmpcmd(1)).
1303 Note: The proxied request will not use the administrative settings
1305 from the original request.
1306 If a CONTEXTNAME is specified, this will register the proxy delegation
1308 within the named context in the local agent. Defining multiple proxy
1309 directives for the same OID but different contexts can be used to query
1310 several remote agents through a single proxy, by specifying the appro‐
1311 priate SNMPv3 context in the incoming request (or using suitable con‐
1312 figured community strings - see the com2sec directive).
1313 Specifying the REMOID parameter will map the local MIB tree rooted at
1315 OID to an equivalent subtree rooted at REMOID on the remote agent.
1316 SMUX Sub-Agents
1318 The Net-SNMP agent supports the SMUX protocol (RFC 1227) to communicate
1319 with SMUX-based subagents (such as gated, zebra or quagga). Use of
1320 this mechanism requires that the agent was built with support for the
1321 smux module, which is not part of the default build environment, and
1322 must be explicitly included by specifying the '--with-mib-modules=smux'
1323 option to the configure script when the package is first built.
1324 Note: This extension protocol has been officially deprecated in
1326 favour of AgentX (see below).
1327 smuxpeer OID PASS
1329 will register a subtree for SMUX-based processing, to be authen‐
1330 ticated using the password PASS. If a subagent (or "peer") con‐
1331 nects to the agent and registers this subtree then requests for
1332 OIDs within it will be passed to that SMUX subagent for process‐
1333 ing.
1334 A suitable entry for an OSPF routing daemon (such as gated,
1336 zebra or quagga) might be something like
1337 smuxpeer .1.3.6.1.2.1.14 ospf_pass
1338 smuxsocket <IPv4-address>
1340 defines the IPv4 address for SMUX peers to communicate with the
1341 Net-SNMP agent. The default is to listen on all IPv4 interfaces
1342 ("0.0.0.0"), unless the package has been configured with
1343 "--enable-local-smux" at build time, which causes it to only
1344 listen on 127.0.0.1 by default. SMUX uses the well-known TCP
1345 port 199.
1346 Note the Net-SNMP agent will only operate as a SMUX master agent. It
1348 does not support acting in a SMUX subagent role.
1349 AgentX Sub-Agents
1351 The Net-SNMP agent supports the AgentX protocol (RFC 2741) in both mas‐
1352 ter and subagent roles. Use of this mechanism requires that the agent
1353 was built with support for the agentx module (which is included as part
1354 of the default build configuration), and also that this support is
1355 explicitly enabled (e.g. via the snmpd.conf file).
1356 There are two directives specifically relevant to running as an AgentX
1358 master agent:
1359 master agentx
1361 will enable the AgentX functionality and cause the agent to
1362 start listening for incoming AgentX registrations. This can
1363 also be activated by specifying the '-x' command-line option (to
1364 specify an alternative listening socket).
1365 agentXPerms SOCKPERMS [DIRPERMS [USER|UID [GROUP|GID]]]
1367 Defines the permissions and ownership of the AgentX Unix Domain
1368 socket, and the parent directories of this socket. SOCKPERMS
1369 and DIRPERMS must be octal digits (see chmod(1) ). By default
1370 this socket will only be accessible to subagents which have the
1371 same userid as the agent.
1372 There is one directive specifically relevant to running as an AgentX
1374 sub-agent:
1375 agentXPingInterval NUM
1377 will make the subagent try and reconnect every NUM seconds to
1378 the master if it ever becomes (or starts) disconnected.
1379 The remaining directives are relevant to both AgentX master and sub-
1381 agents:
1382 agentXSocket [<transport-specifier>:]<transport-address>[,...]
1384 defines the address the master agent listens at, or the subagent
1385 should connect to. The default is the Unix Domain socket
1386 "/var/agentx/master". Another common alternative is tcp:local‐
1387 host:705. See the section LISTENING ADDRESSES in the snmpd(8)
1388 manual page for more information about the format of addresses.
1389 Note: Specifying an AgentX socket does not automatically enable
1391 AgentX functionality (unlike the '-x' command-line
1392 option).
1393 agentXTimeout NUM
1395 defines the timeout period (NUM seconds) for an AgentX request.
1396 Default is 1 second.
1397 agentXRetries NUM
1399 defines the number of retries for an AgentX request. Default is
1400 5 retries.
1401 net-snmp ships with both C and Perl APIs to develop your own AgentX
1403 subagent.
1404
1406 override [-rw] OID TYPE VALUE
1407 This directive allows you to override a particular OID with a
1408 different value (and possibly a different type of value). The
1409 -rw flag will allow snmp SETs to modify it's value as well.
1410 (note that if you're overriding original functionality, that
1411 functionality will be entirely lost. Thus SETS will do nothing
1412 more than modify the internal overridden value and will not per‐
1413 form any of the original functionality intended to be provided
1414 by the MIB object. It's an emulation only.) An example:
1415 override sysDescr.0 octet_str "my own sysDescr"
1417 That line will set the sysDescr.0 value to "my own sysDescr" as
1419 well as make it modifiable with SNMP SETs as well (which is
1420 actually illegal according to the MIB specifications).
1421 Note that care must be taken when using this. For example, if
1423 you try to override a property of the 3rd interface in the
1424 ifTable with a new value and later the numbering within the
1425 ifTable changes it's index ordering you'll end up with problems
1426 and your modified value won't appear in the right place in the
1427 table.
1428 Valid TYPEs are: integer, uinteger, octet_str, object_id,
1430 counter, null (for gauges, use "uinteger"; for bit strings, use
1431 "octet_str"). Note that setting an object to "null" effectively
1432 delete's it as being accessible. No VALUE needs to be given if
1433 the object type is null.
1434 More types should be available in the future.
1436 If you're trying to figure out aspects of the various mib modules (pos‐
1438 sibly some that you've added yourself), the following may help you spit
1439 out some useful debugging information. First off, please read the
1440 snmpd manual page on the -D flag. Then the following configuration
1441 snmpd.conf token, combined with the -D flag, can produce useful output:
1442 injectHandler HANDLER modulename
1444 This will insert new handlers into the section of the mib tree
1445 referenced by "modulename". The types of handlers available for
1446 insertion are:
1447 stash_cache
1449 Caches information returned from the lower level. This
1450 greatly help the performance of the agent, at the cost of
1451 caching the data such that its no longer "live" for 30
1452 seconds (in this future, this will be configurable).
1453 Note that this means snmpd will use more memory as well
1454 while the information is cached. Currently this only
1455 works for handlers registered using the table_iterator
1456 support, which is only a few mib tables. To use it, you
1457 need to make sure to install it before the table_iterator
1458 point in the chain, so to do this:
1459 injectHandler stash_cache NAME ta‐
1461 ble_iterator
1462 If you want a table to play with, try walking the nsMod‐
1464 uleTable with and without this injected.
1465 debug Prints out lots of debugging information when the
1468 -Dhelper:debug flag is passed to the snmpd application.
1469 read_only
1472 Forces turning off write support for the given module.
1473 serialize
1476 If a module is failing to handle multiple requests prop‐
1477 erly (using the new 5.0 module API), this will force the
1478 module to only receive one request at a time.
1479 bulk_to_next
1482 If a module registers to handle getbulk support, but for
1483 some reason is failing to implement it properly, this
1484 module will convert all getbulk requests to getnext
1485 requests before the final module receives it.
1486 dontLogTCPWrappersConnects
1488 If the snmpd was compiled with TCP Wrapper support, it logs
1489 every connection made to the agent. This setting disables the
1490 log messages for accepted connections. Denied connections will
1491 still be logged.
1492 Figuring out module names
1494 To figure out which modules you can inject things into, run snm‐
1495 pwalk on the nsModuleTable which will give a list of all named
1496 modules registered within the agent.
1497 Internal Data tables
1499 table NAME
1500 add_row NAME INDEX(ES) VALUE(S)
1502
1504 o The Net-SNMP agent can be instructed to re-read the various con‐
1505 figuration files, either via an snmpset assignment of integer(1)
1506 to UCD-SNMP-MIB::versionUpdateConfig.0
1507 (.1.3.6.1.4.1.2021.100.11.0), or by sending a kill -HUP signal
1508 to the agent process.
1509 o All directives listed with a value of "yes" actually accept a
1511 range of boolean values. These will accept any of 1, yes or
1512 true to enable the corresponding behaviour, or any of 0, no or
1513 false to disable it. The default in each case is for the fea‐
1514 ture to be turned off, so these directives are typically only
1515 used to enable the appropriate behaviour.
1516
1518 See the EXAMPLE.CONF file in the top level source directory for a more
1519 detailed example of how the above information is used in real examples.
1520
1522 /etc/snmp/snmpd.conf
1523
1525 snmpconf(1), snmpusm(1), snmp.conf(5), snmp_config(5), snmpd(8), EXAM‐
1526 PLE.conf, read_config(3).
15274th Berkeley Distribution 08 Feb 2002 SNMPD.CONF(5)