SNMPD(8)                           Net-SNMP                           SNMPD(8)

snmpd - daemon to respond to SNMP request packets.

snmpd [OPTIONS] [LISTENING ADDRESSES]

snmpd is an SNMP agent which binds to a port and awaits requests from
SNMP management software. Upon receiving a request, it processes the
request(s), collects the requested information and/or performs the
requested operation(s) and returns the information to the sender.
16
-a      Log the source addresses of incoming requests.

-A      Append to the log file rather than truncating it.

-c FILE Read FILE as a configuration file (or a comma-separated list of
        configuration files). Note that the loaded file will only
        understand snmpd.conf tokens, unless the configuration type is
        specified in the file as described in the snmp_config man page
        under SWITCHING CONFIGURATION TYPES IN MID-FILE.

-C      Do not read any configuration files except the ones optionally
        specified by the -c option. Note that this behaviour also
        covers the persistent configuration files. This may result in
        dynamically-assigned values being reset following an agent
        restart, unless the relevant persistent config files are
        explicitly loaded using the -c option.

-d      Dump (in hexadecimal) the sent and received SNMP packets.

-D[TOKEN[,...]]
        Turn on debugging output for the given TOKEN(s). Without any
        tokens specified, it defaults to printing all the tokens (which
        is equivalent to the keyword "ALL"). You might want to try ALL
        for extremely verbose output. Note: You cannot put a space
        between the -D flag and the listed TOKENs.

-f      Do not fork() from the calling shell.

-g GID  Change to the numerical group ID GID after opening listening
        sockets.

-h, --help
        Display a brief usage message and then exit.

-H      Display a list of configuration file directives understood by
        the agent and then exit.

-I [-]INITLIST
        Specifies which modules should (or should not) be initialized
        when the agent starts up. If the comma-separated INITLIST is
        preceded with a '-', it is the list of modules that should not
        be started. Otherwise this is the list of the only modules
        that should be started.

        To get a list of compiled modules, run the agent with the
        arguments -Dmib_init -H (assuming debugging support has been
        compiled in).
65
-L[eEfFoOsSnN]
        Specify where logging output should be directed (standard error
        or output, to a file or via syslog). See LOGGING OPTIONS in
        snmpcmd(1) for details.

-m MIBLIST
        Specifies a colon separated list of MIB modules to load for
        this application. This overrides the environment variable
        MIBS. See snmpcmd(1) for details.

-M DIRLIST
        Specifies a colon separated list of directories to search for
        MIBs. This overrides the environment variable MIBDIRS. See
        snmpcmd(1) for details.

-n NAME Set an alternative application name (which will affect the
        configuration files loaded). By default this will be snmpd,
        regardless of the name of the actual binary.

-p FILE Save the process ID of the daemon in FILE.

-q      Print simpler output for easier automated parsing.

-r      Do not require root access to run the daemon. Specifically, do
        not exit if files only accessible to root (such as /dev/kmem
        etc.) cannot be opened.

-u UID  Change to the user ID UID (which can be given in numerical or
        textual form) after opening listening sockets.

-U      Instructs the agent to not remove its pid file (see the -p
        option) on shutdown. Overrides the leave_pidfile token in the
        snmpd.conf file, see snmpd.conf(5).

-v, --version
        Print version information for the agent and then exit.

-V      Symbolically dump SNMP transactions.

-x ADDRESS
        Listens for AgentX connections on the specified address rather
        than the default "/var/agentx/master". The address can either
        be a Unix domain socket path, or the address of a network
        interface. The format is the same as the format of listening
        addresses described below.

-X      Run as an AgentX subagent rather than as an SNMP master agent.

--name="value"
        Allows one to specify any token ("name") supported in the
        snmpd.conf file and sets its value to "value". Overrides the
        corresponding token in the snmpd.conf file. See snmpd.conf(5)
        for the full list of tokens.
119
By default, snmpd listens for incoming SNMP requests on UDP port 161 on
all IPv4 interfaces. However, it is possible to modify this behaviour
by specifying one or more listening addresses as arguments to snmpd. A
listening address takes the form:

        [<transport-specifier>:]<transport-address>

At its simplest, a listening address may consist only of a port number,
in which case snmpd listens on that UDP port on all IPv4 interfaces.
Otherwise, the <transport-address> part of the specification is parsed
according to the following table:

        <transport-specifier>       <transport-address> format

        udp (default)               hostname[:port] or IPv4-address[:port]

        tcp                         hostname[:port] or IPv4-address[:port]

        unix                        pathname

        ipx                         [network]:node[/port]

        aal5pvc or pvc              [interface.][VPI.]VCI

        udp6 or udpv6 or udpipv6    hostname[:port] or IPv6-address[:port]

        tcp6 or tcpv6 or tcpipv6    hostname[:port] or IPv6-address[:port]

        ssh                         hostname:port

        dtlsudp                     hostname:port
152
Note that <transport-specifier> strings are case-insensitive so that,
for example, "tcp" and "TCP" are equivalent. Here are some examples,
along with their interpretation:

        127.0.0.1:161           listen on UDP port 161, but only on the
                                loopback interface. This prevents snmpd
                                being queried remotely. The port
                                specification ":161" is not strictly
                                necessary since that is the default SNMP
                                port.

        TCP:1161                listen on TCP port 1161 on all IPv4
                                interfaces.

        ipx:/40000              listen on IPX port 40000 on all IPX
                                interfaces.

        unix:/tmp/local-agent   listen on the Unix domain socket
                                /tmp/local-agent.

        /tmp/local-agent        is identical to the previous
                                specification, since the Unix domain is
                                assumed if the first character of the
                                <transport-address> is '/'.

        PVC:161                 listen on the AAL5 permanent virtual
                                circuit with VPI=0 and VCI=161 (decimal)
                                on the first ATM adapter in the machine.

        udp6:10161              listen on port 10161 on all IPv6
                                interfaces.

        ssh:127.0.0.1:22        Allows connections from the snmp
                                subsystem on the ssh server on port 22.
                                The details of using SNMP over SSH are
                                defined below.

        dtlsudp:127.0.0.1:9161  Listen for connections over DTLS on UDP
                                port 9161. The snmp.conf file must have
                                the serverCert configuration tokens
                                defined.

Note that not all the transport domains listed above will always be
available; for instance, hosts with no IPv6 support will not be able to
use udp6 transport addresses, and attempts to do so will result in the
error "Error opening specified endpoint". Likewise, since AAL5 PVC
support is only currently available on Linux, it will fail with the
same error on other platforms.
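
The parsing rules and examples above, as an added example (not Net-SNMP's own parser): a simplified Python classifier that reports the transport and scope of each listening address and lists the plain UDP/TCP listeners that other hosts can query. The bracketed "[IPv6]:port" form, the treatment of "localhost" as loopback, and all function names are assumptions.

```python
import ipaddress

# Transport specifiers from the table above, mapped to one canonical name.
SPECIFIERS = {
    "udp": "udp", "tcp": "tcp", "unix": "unix", "ipx": "ipx",
    "aal5pvc": "pvc", "pvc": "pvc", "ssh": "ssh", "dtlsudp": "dtlsudp",
    "udp6": "udp6", "udpv6": "udp6", "udpipv6": "udp6",
    "tcp6": "tcp6", "tcpv6": "tcp6", "tcpipv6": "tcp6",
}
PLAIN = {"udp", "tcp", "udp6", "tcp6"}       # not wrapped in SSH or DTLS

def _host(addr):
    if addr.startswith("["):                 # assumed "[IPv6]:port" form
        return addr[1:].partition("]")[0]
    try:
        ipaddress.ip_address(addr)           # bare IP literal without a port
        return addr
    except ValueError:
        return addr.rpartition(":")[0] or addr   # host:port or bare hostname

def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"   # assumption: resolves to loopback

def classify(spec):
    """Return (transport, scope) for one listening address argument."""
    if spec.startswith("/"):                 # leading '/' implies Unix domain
        return "unix", "local-socket"
    head, sep, rest = spec.partition(":")
    if sep and head.lower() in SPECIFIERS:   # specifiers are case-insensitive
        transport, addr = SPECIFIERS[head.lower()], rest
    else:
        transport, addr = "udp", spec        # udp is the default transport
    if transport == "unix":
        return transport, "local-socket"
    if transport in ("ipx", "pvc"):
        return transport, "non-ip"           # not analysed further here
    if addr.isdigit():                       # bare port: all interfaces
        return transport, "all-interfaces"
    return transport, "loopback" if _is_loopback(_host(addr)) else "specific-address"

def remotely_reachable(listen_args):
    """List plain UDP/TCP listeners that other hosts can query."""
    specs = listen_args or ["161"]           # no arguments: UDP 161, all IPv4
    return [s for s in specs
            if classify(s)[0] in PLAIN and classify(s)[1] != "loopback"]
```

An empty argument list is reported as "161", which makes the default exposure (UDP port 161 on all IPv4 interfaces) visible in a review.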
194
ssh     The SSH transport, on the server side, is actually just a unix
        named pipe that can be connected to via an ssh subsystem
        configured in the main ssh server. The pipe location
        (configurable with the sshtosnmpsocket token in snmp.conf) is
        /var/net-snmp/sshtosnmp. Packets should be submitted to it via
        the sshtosnmp application, which also sends the user ID when
        starting the connection. The TSM security model should be used
        to process these packets.

        The sshtosnmp command knows how to connect to this pipe and
        talk to it. It should be configured in the OpenSSH sshd
        configuration file (which is normally /etc/ssh/sshd_config)
        using the following configuration line:

                Subsystem snmp /usr/local/bin/sshtosnmp

        The sshtosnmp command will need read/write access to the
        /var/net-snmp/sshtosnmp pipe. Although it should be fairly
        safe to grant access to the average user since it still
        requires modifications to the ACM settings before the user can
        perform operations, paranoid administrators may want to make
        the /var/net-snmp directory accessible only by users in a
        particular group. Use the sshtosnmpsocketperms snmp.conf
        configuration option to set the permissions, owner and group of
        the created socket.

        Access control can be granted to the user "foo" using the
        following style of simple snmpd.conf settings:

                rouser -s tsm foo authpriv

        Note that "authpriv" is acceptable, since SSH protects
        everything that way (assuming you have a non-insane setup).
        snmpd has no notion of how SSH has actually protected a packet
        and thus the snmp agent assumes all packets passed through the
        SSH transport have been protected at the authpriv level.

dtlsudp The DTLS protocol, which is based on TLS, requires both
        client and server certificates to establish the connection and
        authenticate both sides. In order to do this, the client will
        need to configure the snmp.conf file with the clientCert
        configuration tokens. The server will need to configure the
        snmp.conf file with the serverCert configuration tokens
        defined.

        Access control setup is similar to the ssh transport as the TSM
        security model should be used to protect the packet.
245
snmpd checks for the existence of and parses the following files:

/etc/snmp/snmp.conf
        Common configuration for the agent and applications. See
        snmp.conf(5) for details.

/etc/snmp/snmpd.conf
/etc/snmp/snmpd.local.conf
        Agent-specific configuration. See snmpd.conf(5) for details.
        These files are optional and may be used to configure access
        control, trap generation, subagent protocols and much else
        besides.

        In addition to these two configuration files in /etc/snmp, the
        agent will read any files with the names snmpd.conf and
        snmpd.local.conf in a colon separated path specified in the
        SNMPCONFPATH environment variable.

/usr/share/snmp/mibs/
        The agent will also load all files in this directory as MIBs. It
        will not, however, load any file that begins with a '.' or
        descend into subdirectories.
269
(in recommended reading order)

snmp_config(5), snmp.conf(5), snmpd.conf(5)

V5.8                              30 Jun 2010                         SNMPD(8)