SNMP – snmpwalk

1. Set Up SNMP

First, you need an SNMP server on your Linux machine. Install the packet snmpd to query network components, and the packet snmp to request values (for example walk or get). Use the following commands:sudo apt-get install snmpdsudo apt-get install snmpAfter having installed these packets, you must follow the configuration steps below.

Basic Configuration: SNMP v1 and v2

The configuration file snmpd.conf is located in the /etc/snmp directory. Please make a backup of the original file before editing it.

You have to set up the SNMP server in order to allow read access from other machines. Open the configuration file with an editor. # sec.name source community com2sec paranoid default public Change the entry paranoid to readonly or readwrite. You can define sources as you want (for example 127.0.0.1 to only allow access from the local machine), and you can modify the community string as well. Save the changes to the configuration and restart the SNMP daemon: sudo service snmpd restart

Basic Configuration: SNMP v3

If you want to use SNMP v3, you need the packet openssl in addition. Stop the SNMP daemon and create an SNMP v3 user: sudo service snmpd stop

sudo net-snmp-config --create-snmpv3-user -ro -X DES -A MD5 -a "SNMP_PWD" -x "SNMP_PWD" username

After that, force encryption in the file /usr/share/snmp/snmpd.conf by adding AuthPriv:rouser username AuthPriv

Furthermore, delete the file /etc/snmp/snmpd.conf, and create a new one with the following content:

group groupv3 usm username view all included .iso 80

Note: Ubuntu 18.04 implements stronger security mechanisms, so you have to provide a wider path in /etc/snmp/snmpd.conf: view systemonly included .1.3.6.1

# context sec.model sec.level match read write notif access groupv3 "" any auth exact all all all syslocation Unknown syscontact Root <root@localhost>

Then start the daemon again:sudo service snmpd start

2. Set Up Access

By default, only requests on localhost are allowed. In order to allow access for other IPs on the monitored computer, modify the start options in the file /etc/default/snmpd. There you will find the following line: SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1' You have two options now:

  • In order to allow requests for all network interfaces, delete 127.0.0.1 from the line.
  • To allow requests only for specific devices, add the corresponding IPs after 127.0.0.1, separated by spaces. Then restart snmpd. You can also allow access only for specific computers by modifying /etc/snmp/snmpd.conf accordingly. Just specify the sources there with the IP addresses that should get access.

# com2sec paranoid default public# com2sec readonly default public com2sec readonly xxx.xxx.xxx.xxx/32 public com2sec readonly yyy.yyy.yyy.yyy/32 public

Note: If you have a firewall, you need to open the UDP port 161 to get access from other computers. For example, use the following commands to open access:

iptables -A OUTPUT -p udp -m udp --sport 161 -j ACCEPT iptables -A ufw-user-input -p udp -m udp --dport 161 -j ACCEPT

3. Test the Configuration with an SNMP Walk

You can test your configuration with an SNMP walk. A walk shows you lists of return values requested from a specific device. Use the following command to show a list of available data on your Linux machine:snmpwalk –v1 –c public localhostWith the following command, a list of memory values on a specific device (indicated with <IP>) is returned:snmpwalk v1 –c –private <IP> memory

Note: Do not only use 127.0.0.1 for testing, but also external IPs.

4. Test the Configuration with the SNMP Tester

Use the SNMP Tester to run test queries against your Linux device. This tool enables you to debug SNMP activities in order to find problems in your SNMP configuration. For more information, the download, and the manual, please refer to Paessler SNMP Tester.

5. Create Sensors in PRTG

PRTG already provides several SNMP sensors for Linux monitoring out of the box. You can natively monitor for example free disk spaceload averagememory usage, and I/O on physical disks via SNMP.

Of course, you can also use the SNMP Library sensor to adjust monitoring to your needs. PRTG already includes a basic Linux OID library (ucd-snmp-mib).

  1. Create a device for the Linux machine you want to monitor (enter this computer’s IP address or DNS name)
  2. On this device, create an SNMP Library sensor or one of the natively available ones.
    1. For the SNMP Library sensor: From the appearing list, select the basic linux library (ucd-snmp-mib).oidlib file.
    2. In the next step, you will see a list of library OIDs that indicate the available sensors. Select the sensors you want to monitor by marking the corresponding checkboxes.
  3. Click Continue.

PRTG will start to monitor your Linux device immediately.

###############################################################################
#
# EXAMPLE.conf:
#   An example configuration file for configuring the Net-SNMP agent ('snmpd')
#   See the 'snmpd.conf(5)' man page for details
#
#  Some entries are deliberately commented out, and will need to be explicitly activated
#
###############################################################################
#
#  AGENT BEHAVIOUR
#

#  Listen for connections from the local system only
#agentAddress  udp:127.0.0.1:161
#  Listen for connections on all interfaces (both IPv4 *and* IPv6)
#agentAddress udp:161,udp6:[::1]:161
agentAddress udp:161



###############################################################################
#
#  SNMPv3 AUTHENTICATION
#
#  Note that these particular settings don't actually belong here.
#  They should be copied to the file /var/lib/snmp/snmpd.conf
#     and the passwords changed, before being uncommented in that file *only*.
#  Then restart the agent

#  createUser authOnlyUser  MD5 "remember to change this password"
#  createUser authPrivUser  SHA "remember to change this one too"  DES
#  createUser internalUser  MD5 "this is only ever used internally, but still change the password"

#  If you also change the usernames (which might be sensible),
#  then remember to update the other occurances in this example config file to match.



###############################################################################
#
#  ACCESS CONTROL
#

                                                 #  system + hrSystem groups only
view   systemonly  included   .1.3.6.1.2.1.1
view   systemonly  included   .1.3.6.1.2.1.25.1

                                                 #  Full access from the local host
#rocommunity public  localhost
                                                 #  Default access to basic system info
 rocommunity bnet  default
                                                 #  rocommunity6 is for IPv6
#rocommunity6 bnet  default   -V systemonly

                                                 #  Full access from an example network
                                                 #     Adjust this network address to match your local
                                                 #     settings, change the community string,
                                                 #     and check the 'agentAddress' setting above
#rocommunity secret  10.0.0.0/16

                                                 #  Full read-only access for SNMPv3
 rouser   authOnlyUser
                                                 #  Full write access for encrypted requests
                                                 #     Remember to activate the 'createUser' lines above
#rwuser   authPrivUser   priv

#  It's no longer typically necessary to use the full 'com2sec/group/access' configuration
#  r[ow]user and r[ow]community, together with suitable views, should cover most requirements



###############################################################################
#
#  SYSTEM INFORMATION
#

#  Note that setting these values here, results in the corresponding MIB objects being 'read-only'
#  See snmpd.conf(5) for more details
sysLocation    Sitting on the Dock of the Bay
sysContact     Me 
                                                 # Application + End-to-End layers
sysServices    72


#
#  Process Monitoring
#
                               # At least one  'mountd' process
proc  mountd
                               # No more than 4 'ntalkd' processes - 0 is OK
proc  ntalkd    4
                               # At least one 'sendmail' process, but no more than 10
proc  sendmail 10 1

#  Walk the UCD-SNMP-MIB::prTable to see the resulting output
#  Note that this table will be empty if there are no "proc" entries in the snmpd.conf file


#
#  Disk Monitoring
#
                               # 10MBs required on root disk, 5% free on /var, 10% free on all other disks
disk       /     10000
disk       /var  5%
includeAllDisks  10%

#  Walk the UCD-SNMP-MIB::dskTable to see the resulting output
#  Note that this table will be empty if there are no "disk" entries in the snmpd.conf file


#
#  System Load
#
                               # Unacceptable 1-, 5-, and 15-minute load averages
load   12 10 5

#  Walk the UCD-SNMP-MIB::laTable to see the resulting output
#  Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file



###############################################################################
#
#  ACTIVE MONITORING
#

                                    #   send SNMPv1  traps
 trapsink     localhost public
                                    #   send SNMPv2c traps
#trap2sink    localhost public
                                    #   send SNMPv2c INFORMs
#informsink   localhost public

#  Note that you typically only want *one* of these three lines
#  Uncommenting two (or all three) will result in multiple copies of each notification.


#
#  Event MIB - automatically generate alerts
#
                                   # Remember to activate the 'createUser' lines above
iquerySecName   internalUser       
rouser          internalUser
                                   # generate traps on UCD error conditions
defaultMonitors          yes
                                   # generate traps on linkUp/Down
linkUpDownNotifications  yes



###############################################################################
#
#  EXTENDING THE AGENT
#

#
#  Arbitrary extension commands
#
 extend    test1   /bin/echo  Hello, world!
 extend-sh test2   echo Hello, world! ; echo Hi there ; exit 35
#extend-sh test3   /bin/sh /tmp/shtest

#  Note that this last entry requires the script '/tmp/shtest' to be created first,
#    containing the same three shell commands, before the line is uncommented

#  Walk the NET-SNMP-EXTEND-MIB tables (nsExtendConfigTable, nsExtendOutput1Table
#     and nsExtendOutput2Table) to see the resulting output

#  Note that the "extend" directive supercedes the previous "exec" and "sh" directives
#  However, walking the UCD-SNMP-MIB::extTable should still returns the same output,
#     as well as the fuller results in the above tables.


#
#  "Pass-through" MIB extension command
#
#pass .1.3.6.1.4.1.8072.2.255  /bin/sh       PREFIX/local/passtest
#pass .1.3.6.1.4.1.8072.2.255  /usr/bin/perl PREFIX/local/passtest.pl

# Note that this requires one of the two 'passtest' scripts to be installed first,
#    before the appropriate line is uncommented.
# These scripts can be found in the 'local' directory of the source distribution,
#     and are not installed automatically.

#  Walk the NET-SNMP-PASS-MIB::netSnmpPassExamples subtree to see the resulting output


#
#  AgentX Sub-agents
#
                                           #  Run as an AgentX master agent
 master          agentx
                                           #  Listen for network connections (from localhost)
                                           #    rather than the default named socket /var/agentx/master
#agentXSocket    tcp:localhost:705

Napsat komentář

Vaše emailová adresa nebude zveřejněna. Vyžadované informace jsou označeny *