SNMPD(8)                           Net-SNMP                           SNMPD(8)

NAME

       snmpd - daemon to respond to SNMP request packets.

SYNOPSIS

       snmpd [OPTIONS] [LISTENING ADDRESSES]

DESCRIPTION

       snmpd is an SNMP agent which binds to a port and awaits requests from
       SNMP management software. Upon receiving a request, it processes the
       request(s), collects the requested information and/or performs the
       requested operation(s) and returns the information to the sender.

OPTIONS

       -a      Log the source addresses of incoming requests.

       -A      Append to the log file rather than truncating it.

       -c FILE Read FILE as a configuration file (or a comma-separated list of
               configuration files). Note that the loaded file will only
               understand snmpd.conf tokens, unless the configuration type is
               specified in the file as described in the snmp_config man page
               under SWITCHING CONFIGURATION TYPES IN MID-FILE.

       -C      Do not read any configuration files except the ones optionally
               specified by the -c option. Note that this behaviour also
               covers the persistent configuration files. This may result in
               dynamically-assigned values being reset following an agent
               restart, unless the relevant persistent config files are
               explicitly loaded using the -c option.

       -d      Dump (in hexadecimal) the sent and received SNMP packets.

       -D[TOKEN[,...]]
               Turn on debugging output for the given TOKEN(s). Without any
               tokens specified, it defaults to printing all the tokens (which
               is equivalent to the keyword "ALL"). You might want to try ALL
               for extremely verbose output. Note: You cannot put a space
               between the -D flag and the listed TOKENs.

       -f      Do not fork() from the calling shell.

       -g GID  Change the group ID of the snmpd process to GID after opening
               listening sockets. This overrides the agentgroup configuration
               file parameter.

       -h, --help
               Display a brief usage message and then exit.

       -H      Display a list of configuration file directives understood by
               the agent and then exit.

       -I [-]INITLIST
               Specifies which modules should (or should not) be initialized
               when the agent starts up. If the comma-separated INITLIST is
               preceded with a '-', it is the list of modules that should not
               be started. Otherwise this is the list of the only modules
               that should be started.

               To get a list of compiled modules, run the agent with the
               arguments -Dmib_init -H (assuming debugging support has been
               compiled in).

       -L[eEfFoOsSnN]
               Specify where logging output should be directed (standard error
               or output, to a file or via syslog). See LOGGING OPTIONS in
               snmpcmd(1) for details.

       -m MIBLIST
               Specifies a colon separated list of MIB modules to load for
               this application. This overrides the environment variable
               MIBS. See snmpcmd(1) for details.

       -M DIRLIST
               Specifies a colon separated list of directories to search for
               MIBs. This overrides the environment variable MIBDIRS. See
               snmpcmd(1) for details.

       -n NAME Set an alternative application name (which will affect the
               configuration files loaded). By default this will be snmpd,
               regardless of the name of the actual binary.

       -p FILE Save the process ID of the daemon in FILE.

       -q      Print simpler output for easier automated parsing.

       -r      Do not require root access to run the daemon. Specifically, do
               not exit if files only accessible to root (such as /dev/kmem
               etc.) cannot be opened.

       -u UID  Change the user ID of the snmpd process to UID (which can be
               given in numerical or textual form) after opening listening
               sockets. This overrides the agentuser configuration file
               parameter.

       -U      Instructs the agent to not remove its pid file (see the -p
               option) on shutdown. Overrides the leave_pidfile token in the
               snmpd.conf file, see snmpd.conf(5).

       -v, --version
               Print version information for the agent and then exit.

       -V      Symbolically dump SNMP transactions.

       -x ADDRESS
               Listens for AgentX connections on the specified address rather
               than the default "/var/agentx/master". The address can either
               be a Unix domain socket path, or the address of a network
               interface. The format is the same as the format of listening
               addresses described below.

       -X      Run as an AgentX subagent rather than as an SNMP master agent.

       --name="value"
               Allows one to specify any token ("name") supported in the
               snmpd.conf file and sets its value to "value". Overrides the
               corresponding token in the snmpd.conf file. See snmpd.conf(5)
               for the full list of tokens.

LISTENING ADDRESSES

       By default, snmpd listens for incoming SNMP requests on UDP port 161 on
       all IPv4 interfaces. However, it is possible to modify this behaviour
       by specifying one or more listening addresses as arguments to snmpd. A
       listening address takes the form:

              [<transport-specifier>:]<transport-address>

       At its simplest, a listening address may consist only of a port number,
       in which case snmpd listens on that UDP port on all IPv4 interfaces.
       Otherwise, the <transport-address> part of the specification is parsed
       according to the following table:

           <transport-specifier>       <transport-address> format

           udp (default)               hostname[:port] or IPv4-address[:port]

           tcp                         hostname[:port] or IPv4-address[:port]

           unix                        pathname

           ipx                         [network]:node[/port]

           aal5pvc or pvc              [interface.][VPI.]VCI

           udp6 or udpv6 or udpipv6    hostname[:port] or IPv6-address[:port]

           tcp6 or tcpv6 or tcpipv6    hostname[:port] or IPv6-address[:port]

           ssh                         hostname:port

           dtlsudp                     hostname:port

       Note that <transport-specifier> strings are case-insensitive so that,
       for example, "tcp" and "TCP" are equivalent. Here are some examples,
       along with their interpretation:

       127.0.0.1:161           Listen on UDP port 161, but only on the
                               loopback interface. This prevents snmpd being
                               queried remotely. The port specification
                               ":161" is not strictly necessary since that is
                               the default SNMP port.

       TCP:1161                Listen on TCP port 1161 on all IPv4 interfaces.

       ipx:/40000              Listen on IPX port 40000 on all IPX interfaces.

       unix:/tmp/local-agent   Listen on the Unix domain socket
                               /tmp/local-agent.

       /tmp/local-agent        Identical to the previous specification,
                               since the Unix domain is assumed if the first
                               character of the <transport-address> is '/'.

       PVC:161                 Listen on the AAL5 permanent virtual circuit
                               with VPI=0 and VCI=161 (decimal) on the first
                               ATM adapter in the machine.

       udp6:10161              Listen on port 10161 on all IPv6 interfaces.

       ssh:127.0.0.1:22        Allows connections from the snmp subsystem on
                               the ssh server on port 22. The details of
                               using SNMP over SSH are defined below.

       dtlsudp:127.0.0.1:9161  Listen for connections over DTLS on UDP port
                               9161. The snmp.conf file must have the
                               serverCert configuration tokens defined.
       Note that not all the transport domains listed above will always be
       available; for instance, hosts with no IPv6 support will not be able to
       use udp6 transport addresses, and attempts to do so will result in the
       error "Error opening specified endpoint". Likewise, since AAL5 PVC
       support is only currently available on Linux, it will fail with the
       same error on other platforms.
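
       The parsing rules above, written out as an added Python example (not
       Net-SNMP's own parser) that classifies each listening address by who
       can reach it. The scope labels, the bracketed IPv6 form and treating
       "localhost" as loopback are assumptions of this example.

```python
import ipaddress

# Transport specifiers from the table above, mapped to one canonical name.
ALIASES = {
    "udp": "udp", "tcp": "tcp", "unix": "unix", "ipx": "ipx",
    "aal5pvc": "pvc", "pvc": "pvc",
    "udp6": "udp6", "udpv6": "udp6", "udpipv6": "udp6",
    "tcp6": "tcp6", "tcpv6": "tcp6", "tcpipv6": "tcp6",
    "ssh": "ssh", "dtlsudp": "dtlsudp",
}
IP_TRANSPORTS = {"udp", "tcp", "udp6", "tcp6", "dtlsudp"}
REMOTE_SCOPES = {"all-interfaces", "specific-address"}


def parse_listen(spec):
    """Return (transport, host, port, scope) for one listening address."""
    head, sep, rest = spec.partition(":")
    if sep and head.lower() in ALIASES:      # specifier is case-insensitive
        transport, addr = ALIASES[head.lower()], rest
    elif spec.startswith("/"):               # leading '/' implies unix
        transport, addr = "unix", spec
    else:                                    # udp is the default transport
        transport, addr = "udp", spec
    if transport == "unix":
        return (transport, addr, None, "local")
    if transport not in IP_TRANSPORTS:       # ipx, pvc, ssh: not modelled here
        return (transport, addr, None, "transport-specific")
    if addr.isdigit():                       # bare port: every interface
        return (transport, None, int(addr), "all-interfaces")
    if addr.startswith("["):                 # assumption: bracketed IPv6 literal
        host, _, tail = addr[1:].partition("]")
        port = tail.lstrip(":") or "161"
    else:
        host, sep, port = addr.rpartition(":")
        if not sep:                          # no port given: default is 161
            host, port = addr, "161"
    try:
        ip = ipaddress.ip_address(host)
        scope = ("loopback" if ip.is_loopback else
                 "all-interfaces" if ip.is_unspecified else "specific-address")
    except ValueError:                       # hostname; assume localhost is loopback
        scope = "loopback" if host.lower() == "localhost" else "specific-address"
    return (transport, host, int(port), scope)


def remotely_reachable(specs):
    """Listening addresses that accept requests from other hosts."""
    return [s for s in specs if parse_listen(s)[3] in REMOTE_SCOPES]


# Constructed sample: listening arguments of a hypothetical snmpd command line.
SAMPLE = ["127.0.0.1:161", "TCP:1161", "/tmp/local-agent", "udp6:10161",
          "dtlsudp:127.0.0.1:9161"]
```

       Running remotely_reachable(SAMPLE) leaves only the two bare-port
       entries, which are the ones to pair with access control in snmpd.conf.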

Transport Specific Notes

       ssh     The SSH transport, on the server side, is actually just a unix
               named pipe that can be connected to via a ssh subsystem
               configured in the main ssh server. The pipe location
               (configurable with the sshtosnmpsocket token in snmp.conf) is
               /var/net-snmp/sshtosnmp. Packets should be submitted to it via
               the sshtosnmp application, which also sends the user ID when
               starting the connection. The TSM security model should be
               used to process packets received over this transport.

               The sshtosnmp command knows how to connect to this pipe and
               talk to it. It should be configured in the OpenSSH sshd
               configuration file (which is normally /etc/ssh/sshd_config)
               using the following configuration line:

                      Subsystem snmp /usr/local/bin/sshtosnmp

               The sshtosnmp command will need read/write access to the
               /var/net-snmp/sshtosnmp pipe. Although it should be fairly
               safe to grant access to the average user since it still
               requires modifications to the ACM settings before the user can
               perform operations, paranoid administrators may want to make
               the /var/net-snmp directory accessible only by users in a
               particular group. Use the sshtosnmpsocketperms snmp.conf
               configure option to set the permissions, owner and group of
               the created socket.

               Access control can be granted to the user "foo" using the
               following style of simple snmpd.conf settings:

                      rouser -s tsm foo authpriv

               Note that "authpriv" is acceptable, as SSH protects
               everything that way (assuming you have a non-insane setup).
               snmpd has no notion of how SSH has actually protected a packet
               and thus the snmp agent assumes all packets passed through the
               SSH transport have been protected at the authpriv level.

       dtlsudp The DTLS protocol, which is based on TLS, requires both
               client and server certificates to establish the connection and
               authenticate both sides. In order to do this, the client will
               need to configure the snmp.conf file with the clientCert
               configuration tokens. The server will need to configure the
               snmp.conf file with the serverCert configuration tokens.

               Access control setup is similar to the ssh transport as the TSM
               security model should be used to protect the packet.

CONFIGURATION FILES

       snmpd checks for the existence of and parses the following files:

       /etc/snmp/snmp.conf
             Common configuration for the agent and applications. See
             snmp.conf(5) for details.

       /etc/snmp/snmpd.conf

       /etc/snmp/snmpd.local.conf
             Agent-specific configuration. See snmpd.conf(5) for details.
             These files are optional and may be used to configure access
             control, trap generation, subagent protocols and much else
             besides.

             In addition to these two configuration files in /etc/snmp, the
             agent will read any files with the names snmpd.conf and
             snmpd.local.conf in a colon separated path specified in the
             SNMPCONFPATH environment variable.

       /usr/share/snmp/mibs/
             The agent will also load all files in this directory as MIBs. It
             will not, however, load any file that begins with a '.' or
             descend into subdirectories.

SEE ALSO

       (in recommended reading order)

       snmp_config(5), snmp.conf(5), snmpd.conf(5)

V5.9                              30 Jun 2010                         SNMPD(8)