SNMPD.CONF(5) Net-SNMP SNMPD.CONF(5)
NAME
/snmp/snmpd.conf - configuration file for the Net-SNMP SNMP agent.
# 注释 :/etc/snmp/snmpd.conf 文件是 Net-SNMP 代理的配置文件
DESCRIPTION
snmpd.conf is the configuration file which defines how the Net-SNMP
SNMP agent operates. These files may contain any of the directives
found in the DIRECTIVES section below. This file is not required for
the agent to operate and respond to requests.
# 注释 :snmpd.conf 是定义 Net-SNMP 代理如何运作的配置文件。
# 这些文件可能包含了下面 DIRECTIVES 一节中的任何命令。
# 注释 :不过该文件并不是 agent 所必须的
PLEASE READ FIRST
First, make sure you have read the snmp_config(5) manual page that
describes how the Net-SNMP configuration files operate, where they are
located and how they all work together.
Also, you might consider looking into the snmpconf application (perl
script) which can help you build an snmpd.conf file by prompting you
for information. You should try it. Really. Go ahead. Right now.
Run:
snmpconf -g basic_setup
to get you started. See the snmpconf(1) manual page for more informa-
tion.
EXTENSIBLE-MIB
The Net-SNMP SNMP agent reports much of its information through queries
to the 1.3.6.1.4.1.2021 section of the MIB tree. Every MIB in this
section has the following table entries in it.
# 注释 :Net-SNMP 比较常用的 MIB 有 .1.3.6.1.4.2021 。 也就是 UCD-SNMP-MIB
# 这个 MIB 下面定义了很多关于系统方面的很多对象,例如磁盘、内存、系统负荷、进程等等。
# 对于磁盘、进程 等这些 non-scalar 对象,它们的定义都依照如下方式 :
# -)1.3.6.1.4.2021.<oid>.1 :该记录的 index
# -)1.3.6.1.4.2021.<oid>.2 :该记录所指向的对象的名称
# -)1.3.6.1.4.2021.<oid>.100 :该记录所指向的对象目前的状态是否正确。0表示正确,1表示有错误
# -)1.3.6.1.4.2021.<oid>.101 :错误消息
# -)1.3.6.1.4.2021.<oid>.102 :如果有专门的程序来处理 .101 中给出的错误,则设置为1,否则为0
# 注释 :同时有些还有如下定义 :
# -)1.3.6.1.4.2021.<oid>.3 :该记录所指向的对象所允许的最少数量
# -)1.3.6.1.4.2021.<oid>.4 :该记录所指向的对象所允许的最大数量
# -)1.3.6.1.4.2021.<oid>.5 :该记录所指向的对象在当期系统中存在的数量
.1 -- index
This is the table's index numbers for each of the DIRECTIVES
listed below.
.2 -- name
The name of the given table entry. This should be unique, but
is not required to be.
.100 -- errorFlag
This is a flag returning either the integer value 1 or 0 if an
error is detected for this table entry.
.101 -- errorMsg
This is a DISPLAY-STRING describing any error triggering the
errorFlag above.
.102 -- errorFix
If this entry is set to the integer value of 1 AND the errorFlag
defined above is indeed a 1, a program or script will get exe-
cuted with the table entry name from above as the argument. The
program to be executed is configured in the config.h file at
compile time.
Directives
proc NAME
proc NAME MAX
proc NAME MAX MIN
Checks to see if processes called NAME are running on the agent
machine. An error flag (1) and a description message are then
passed to the 1.3.6.1.4.1.2021.2.1.100 and
1.3.6.1.4.1.2021.2.1.101 MIB columns (respectively) if the
NAME'd program is not found in the process table as reported by
"/bin/ps -e".
# 注释 :proc 指令表示让 Net-SNMP 监测指定名称的进程。oid 为 1.3.6.1.4.1.2021.1
# 格式为 proc <name> [max] [min]
# 要注意,<name> 必须和真正的进程的名称完全匹配(不含参数部分),所以 http 和 httpd 是不一样的。
# 如果 [max] 和 [min] 都没有指定,则默认为最小为1,最大不限制
# 如果 [min] 没有指定,则默认为0
# 如果 [max] 和 [min] 都为0,则解释为最大不限制,最小为0
If MAX and MIN are not specified, MAX is assumed to be infinity
and MIN is assumed to be 1.
If MAX is specified but MIN is not specified, MIN is assumed to
be 0.
procfix NAME PROG ARGS
This registers a command that knows how to fix errors with the
given process NAME. When 1.3.6.1.4.1.2021.2.1.102 for a given
NAMEd program is set to the integer value of 1, this command
will be called. It defaults to a compiled value set using the
PROCFIXCMD definition in the config.h file.
# 注释 :procfix 指令和上面的 .102 相关。如果 1.3.6.1.4.2021.<oid>.102 =1 。oId 为 1.3.6.1.4.1.2021.2 。 则当 1.3.6.1.4.2021.<oid>.100 = 1 时,将调用指定名称的程序
# 注释 :如果有多个 proc 指令,则 .1.3.6.1.4.1.2021.2 下有多个实例,每个实例的 index 等于它们在 snmpd.conf 中的 proc 指令中的位置
exec NAME PROG ARGS
exec MIBNUM NAME PROG ARGS
If MIBNUM is not specified, the agent executes the named PROG
with arguments of ARGS and returns the exit status and the first
line of the STDOUT output of the PROG program to queries of the
1.3.6.1.4.1.2021.8.1.100 and 1.3.6.1.4.1.2021.8.1.101 mib
columns (respectively). All STDOUT output beyond the first line
is silently truncated.
# 注释 :exec 指令用于执行某个命令,并返回退出状态和该程序的标准输出结果中的第一行。oid 为 1.3.6.1.4.1.2021.8
# 格式为 exec [MIBNUM] <name> <prog> [args]
# 其中状态码放在 1.3.6.1.4.1.2021.8.1.100.<index> ,而输出信息放在 1.3.6.1.4.1.2021.8.1.101.<index>
# 至于第一行后面的其他输出信息就被忽略了。
If MIBNUM is specified, it acts as above but returns the exit
status to MIBNUM.100.0 and the entire STDOUT output to the table
MIBNUM.101 in a MIB table. In this case, the MIBNUM.101 mib
contains the entire STDOUT output, one MIB table entry per line
of output (ie, the first line is output as MIBNUM.101.1, the
second at MIBNUM.101.2, etc...).
# 注释 :如果指定了 MIBNUM ,则状态码被送入 [MIBNUM].100.0 ,
# 所有的输出信息(不仅仅第一行)被送入 [MIBNUM].101 表。
# 该表有多行,用于存储多行输出信息
Note: The MIBNUM must be specified in dotted-integer notation
and can not be specified as ".iso.org.dod.internet..."
(should instead be .1.3.6.1...).
# 注释 :不过 [MIBNUM] 必须是数字格式,不能是名称格式
Note: The agent caches the exit status and STDOUT of the exe-
cuted program for 30 seconds after the initial query.
This is to increase speed and maintain consistency of
information for consecutive table queries. The cache can
be flushed by a snmp-set request of integer(1) to
1.3.6.1.4.1.2021.100.VERCLEARCACHE.
execfix NAME PROG ARGS
This registers a command that knows how to fix errors with the
given exec or sh NAME. When 1.3.6.1.4.1.2021.8.1.102 for a
given NAMEd entry is set to the integer value of 1, this command
will be called. It defaults to a compiled value set using the
EXECFIXCMD definition in the config.h file.
# 注释 :execfix 指令和 exec 指令相关,表示当 exec 程序出错时,使用指定的程序来修复
disk PATH
disk PATH [ MINSPACE | MINPERCENT% ]
Checks the named disks mounted at PATH for available disk space.
If the disk space is less than MINSPACE (kB) if specified or
less than MINPERCENT (%) if a % sign is specified, or
DEFDISKMINIMUMSPACE (kB) if not specified, the associated entry
in the 1.3.6.1.4.1.2021.9.1.100 MIB table will be set to (1) and
a descriptive error message will be returned to queries of
1.3.6.1.4.1.2021.9.1.101.
# 注释 :disk 指令用于检查指定的磁盘系统信息。oid 是 1.3.6.1.4.1.2021.9
# 格式为 disk </path> [ minspace (单位 kb) | minpercent % ]
# 注释 :minspace 是用于指定最小的空闲空间,minpercent 是用于指定最小的空闲百分比。
# 如果是以 % 结尾,则表示是 minpercent ,否则为 minspace
# 注释 :由于 disk 可以有多个记录,所以需要使用 1.3.6.1.4.1.2021.9.<index> 的格式来访问单个磁盘的信息
load MAX1
load MAX1 MAX5
load MAX1 MAX5 MAX15
Checks the load average of the machine and returns an error flag
(1), and an text-string error message to queries of
1.3.6.1.4.1.2021.10.1.100 and 1.3.6.1.4.1.2021.10.1.101 (respec-
tively) when the 1-minute, 5-minute, or 15-minute averages
exceed the associated maximum values. If any of the MAX1, MAX5,
or MAX15 values are unspecified, they default to a value of DEF-
MAXLOADAVE.
# 注释 :load 指令是用于监测系统的负载。oid 是 1.3.6.1.4.1.2021.10
# 格式为 load <max_1> [max_5] [max_15]
# 分别表示 1分钟,5分钟,15分钟之前的最高负载
file FILE [MAXSIZE]
Monitors file sizes and makes sure they don't grow beyond a cer-
tain size (in kilobytes). MAXSIZE defaults to infinite if not
specified, and only monitors the size without reporting errors
about it. A maximum of 20 files can be monitored.
# 注释 :file 指令用于监视某个文件的大小情况。oid 是 1.3.6.1.4.1.2021.15
# 格式为 file <file> [maxsize]
# 注释 :file 也是一个表的格式,有 fileIndex ,fileName ,fileSize,fileMax, fileErrorFlag,fileErrorMsg 这几个字段
# 其中 [maxsize] 的单位是 kB (1KB=1000B 而不是 1024B )
Errors
Any errors in obtaining the above information are reported via the
1.3.6.1.4.1.2021.101.1.100 flag and the 1.3.6.1.4.1.2021.101.1.101
text-string description.
# 补充 :ucd-snmp-mib 一共定义了下面这些 oid
-- Current UCD core mib table entries:
-- prTable OBJECT IDENTIFIER ::= { ucdavis 2 }
-- memory OBJECT IDENTIFIER ::= { ucdavis 4 }
-- extTable OBJECT IDENTIFIER ::= { ucdavis 8 }
-- diskTable OBJECT IDENTIFIER ::= { ucdavis 9 }
-- loadTable OBJECT IDENTIFIER ::= { ucdavis 10 }
-- systemStats OBJECT IDENTIFIER ::= { ucdavis 11 }
-- ucdDemoMIB OBJECT IDENTIFIER ::= { ucdavis 14 } - UCD-DEMO-MIB
-- fileTable OBJECT IDENTIFIER ::= { ucdavis 15 }
-- logMatch OBJECT IDENTIFIER ::= { ucdavis 16 }
-- version OBJECT IDENTIFIER ::= { ucdavis 100 }
-- snmperrs OBJECT IDENTIFIER ::= { ucdavis 101 }
-- mibRegistryTable OBJECT IDENTIFIER ::= { ucdavis 102 }
AGENTX SUB-AGENTS
To enable AgentX support in the SNMP master agent, put the following
line in your snmpd.conf file:
master agentx
See README.agentx for further details.
AgentXSocket addr
This defines the address the master agent listens at. The
default is /var/agentx/master. Another possibility is local-
host:705
AgentXTimeout addr
Defines the timeout period for an AgentX request. Default is 1
second.
AgentXRetries addr
Defines the number of retries for an AgentX request. Default is
5 retries.
You can also put the following in your subagent.conf file (where "sub-
agent" is the name you used in your init_snmp("subagent") api call:
agentPingInterval NUM
This makes the subagent try and reconnect every NUM seconds to
the master if it ever becomes (or starts) disconnected. >>>>>>>
5.4.2.3
SMUX SUB-AGENTS
To enable and SMUX based sub-agent, such as gated, use the smuxpeer
configuration entry
smuxpeer OID PASS
For gated a sensible entry might be smuxpeer .1.3.6.1.4.1.4.1.3
secret
DYNAMICALLY LOADABLE MODULES
If the agent is built with support for the UCD-DLMOD-MIB it is capable
of loading agent MIB modules dynamically at startup through the dlmod
directive and during runtime through use of the UCD-DLMOD-MIB. The
following directive loads the shared object module file PATH which uses
the module name prefix NAME.
dlmod NAME PATH
ACCESS CONTROL
snmpd supports the View-Based Access Control Model (VACM) as defined in
RFC 2575. To this end, it recognizes the following keywords in the
configuration file: com2sec, group, access, and view as well as some
easier-to-use wrapper directives: rocommunity, rwcommunity, rouser,
rwuser. If IPv6 support has been enabled, the rocommunity6 and rwcom-
munity6 tokens will also be available. This section defines how to
configure the snmpd program to accept various types and levels of
access.
rouser USER [noauth|auth|priv] [OID]
rwuser USER [noauth|auth|priv] [OID]
Creates a SNMPv3 USM user in the VACM access configuration
tables. It is more efficient (and powerful) to use the combined
group, access, and view directives instead, but these wrapper
directives are much simpler.
The minimum level of authentication and privacy the user must
use is specified by the first token (which defaults to "auth").
The OID parameter restricts access for that user to everything
below the given OID.
rocommunity COMMUNITY [SOURCE] [OID]
rwcommunity COMMUNITY [SOURCE] [OID]
These create read-only and read-write communities that can be
used to access the agent. They are a quick wrapper around the
more complex and powerful com2sec, group, access, and view
directive lines. They are not as efficient either, as groups
aren't created so the tables are possibly larger. In other
words: don't use these if you have complex situations to set up.
If your setup is simple or you don't mind a small performance
hit, use these directives.
# 注释 :rocommunity 指令用于建立只读/读写的 communities 。
# 格式为 rocommunity|rwcommunity <community string> [source] [oid]
# 其中 [source] 可以为 ip/mask 或者 ip/bits 的格式,或者主机名,或者是 "default" (注意区分大小写,Default ≠ default)
# 而 [oid] 表示带该 <community string> 的请求只能访问该 [oid] 以及其下的 subtree
# 注释 :不过如果不需要复杂的控制,可以使用该指令。
The format of the SOURCE is token is described in the com2sec
directive section below. The OID token restricts access for
that community to everything below that given OID.
rocommunity6 COMMUNITY [SOURCE] [OID]
rwcommunity6 COMMUNITY [SOURCE] [OID]
They are the alternative directives to the rocommunity, rwcommu-
nity for the transport domain UDPIPv6. They are only valid in
specifing UDPIPv6 as transport domain.
The format of the SOURCE is token is described in the com2sec6
directive section below. The OID token restricts access for
that community to everything below that given OID.
com2sec NAME SOURCE COMMUNITY
This directive specifies the mapping from a source/community
pair to a security name. SOURCE can be a hostname, a subnet, or
the word "default". A subnet can be specified as IP/MASK or
IP/BITS. The first source/community combination that matches
the incoming packet is selected.
# 注释 :com2sec 指令表示将 source/community string 映射为 security name
# 格式为 : com2sec <security_name> <source> <community string>
# 注意!!由于一个地址可能匹配多个 source ,snmp 将只使用第一个匹配的那个 com2sec 指令,这点类似于 bind 9 中的 match-clients {} 语句
com2sec6 NAME SOURCE COMMUNITY
This directive is the IPv6 version of com2sec. A subnet can be
specified as IPv6/IPv6MASK or IPv6/BITS. It is only valid in
specifing UDPIPv6 as transport domain.
group NAME MODEL SECURITY
This directive defines the mapping from securitymodel/security-
name to group. MODEL is one of v1, v2c, or usm.
# 注释 :group 指令将 security mode /security name 的组合映射到某个 group
# 注释 :model 可以是 v1,v2c,usm
# 格式为 : group <gruop_name> <model> <security_name>
view NAME TYPE SUBTREE [MASK]
This defines the named view. TYPE is either included or
excluded. MASK is a list of hex octets, separated by '.' or
':'. The MASK defaults to "ff" if not specified.
# 注释 :接下来就是用 view 指令建立视图了。视图就是从整个 mib tree 中把某个部分(subtee)独立出来分配一个名称。
# view 命令的格式为 :view <view_name> <type> <subtree> [mask]
# type 有 included 和 excluded 两种,subtree 就是视图的来源
The reason for the mask is, that it allows you to control access
to one row in a table, in a relatively simple way. As an exam-
ple, as an ISP you might consider giving each customer access to
his or her own interface:
# 注释 :[mask] 用于允许控制到某个表的某行的访问
view cust1 included interfaces.ifTable.ifEntry.ifIndex.1 ff.a0
view cust2 included interfaces.ifTable.ifEntry.ifIndex.2 ff.a0
(interfaces.ifTable.ifEntry.ifIndex.1 == .1.3.6.1.2.1.2.2.1.1.1,
ff.a0 == 11111111.10100000. which nicely covers up and including
the row index, but lets the user vary the field of the row)
access NAME CONTEXT MODEL LEVEL PREFX READ WRITE NOTIFY
The access directive maps from group/security model/security
level to a view. MODEL is one of any, v1, v2c, or usm. LEVEL
is one of noauth, auth, or priv. PREFX specifies how CONTEXT
should be matched against the context of the incoming pdu,
either exact or prefix. READ, WRITE and NOTIFY specifies the
view to be used for the corresponding access. For v1 or v2c
access, LEVEL will be noauth, and CONTEXT will be empty.
# 注释 :access 指令用于分配 group 对各个 view 的访问权限。
# 格式为 : access <group_name> <context> <Model> <level> <prefx> <read> <write> <notify>
# context 在 v1 和 v2 中固定为 "" ,model 就是 v1 ,v2c ,usm 三种。
# <prefx> 一般为 exact 和 prefix ,对于 v1 ,v2c 来说,固定为 exact
# 下面就是一个完整的例子 :
VACM Examples:
# sec.name source community
com2sec local localhost private [ 来自localhost,community string 为 private 的映射 local 用户 ]
com2sec mynet 10.10.10.0/24 public [ 来自 10.10.10.0/24 ,community string 为 public 的映射为 mynet 用户 ]
com2sec public default public [ 来自 default ,community string 为 public 的映射到 public 用户 ]
com2sec6 mynet fec0::/64 public
# name sec.model sec.name
group mygroup v1 mynet [ 将 v1 和 v2c ,usm 格式的 mynet 用户分配到 mygroup 组]
group mygroup v2c mynet
group mygroup usm mynet
group local v1 local [ 将 v1 和 v2c,usm 格式的 local 用户分配到 local 组 ]
group local v2c local
group local usm local
group public v1 public [ 将 v1 和 v2c,usm 格式的 public 用户分配到 public 组 ]
group public v2c public
group public usm public
# name incl/excl subtree mask
view all included .1 80 [ 建立一个 view 名称为 all ,包括 .1 下的所有子树 ,mask 为 80 ]
view system included system fe [ 建立一个 view 名称为 system ,包括 system 组和其下的内容,mask为 fe ]
view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc [ 建立一个 view 名称为 mib2 ,包括整个 mib-2 子树,mask 为 fc ]
# group context sec.model sec.level prefix read write notify
access mygroup "" any noauth exact mib2 none none [ mygroup 组可以读取 mib2 视图,不能写和发送 trap 消息给任何视图]
access public "" any noauth exact system none none [ public 组可以读取 system 视图,不能写和发送 trap 消息给任何视图]
access local "" any noauth exact all all all [ local 组可以读取 all 视图,可以写和发送 trap 视图给任何视图]
Default VACM model
The default configuration of the agent, as shipped, is functionally
equivalent to the following entries:
com2sec public default public
group public v1 public
group public v2c public
group public usm public
view all included .1
access public "" any noauth exact all none none
SNMPv3 CONFIGURATION
engineID STRING
The snmpd agent needs to be configured with an engineID to be
able to respond to SNMPv3 messages. With this configuration
file line, the engineID will be configured from STRING. The
default value of the engineID is configured with the first IP
address found for the hostname of the machine.
createUser username (MD5|SHA) authpassphrase [DES] [privpassphrase]
MD5 and SHA are the authentication types to use, but you must
have built the package with openssl installed in order to use
SHA. The only privacy protocol currently supported is DES. If
the privacy passphrase is not specified, it is assumed to be the
same as the authentication passphrase. Note that the users cre-
ated will be useless unless they are also added to the VACM
access control tables described above.
Warning: the minimum pass phrase length is 8 characters.
SNMPv3 users can be created at runtime using the snmpusm(1) com-
mand.
Instead of figuring out how to use this directive and where to
put it (see below), just run "net-snmp-config --create-
snmpv3-user" instead, which will add one of these lines to the
right place.
This directive should be placed into the /var/net-
snmp/snmpd.conf file instead of the other normal locations. The
reason is that the information is read from the file and then
the line is removed (eliminating the storage of the master pass-
word for that user) and replaced with the key that is derived
from it. This key is a localized key, so that if it is stolen
it can not be used to access other agents. If the password is
stolen, however, it can be.
SETTING SYSTEM INFORMATION
syslocation STRING
syscontact STRING
sysname STRING
Sets the system location, system contact or system name for the
agent. This information is reported in the 'system' group the
mibII tree. Ordinarily these objects (sysLocation.0, sysCon-
tact.0 and sysName.0) are read-write. However, specifying the
value for one of these objects by giving the appropriate token
makes the corresponding object read-only, and attempts to set
the value of the object will result in a notWritable error
response.
# 注释 :系统信息包括 syslocation 、syscontact、sysname 三个对象。
# 本来这几个对象是 read-write 的,但如果在 snmpd.conf 中设置了,则变成 read-only 的状态了。
# 如果试图用 set 设置将会返回一个 notWritable 的错误
# 问题 :在 snmpd.conf 中设置 syslocation home ,并用 snmpwalk 查询,然后用 snmpset -c public -v2c localhost sysLocation.0 s home02 结果如何?
sysservices NUMBER
Sets the value of the system.sysServices.0 object. For a host,
a good value is 72.
sysdescr STRING
sysobjectid OID
Sets the system description or object ID for the agent.
Although these values are not SNMP-writable, it is conceivable
that a network administrator may wish to configure them to some-
thing other than the default values.
# 注释 :sysdescr 和 sysobjectid 用于设置系统的描述信息和 agent 的 oid
agentaddress [<transport-specifier>:]<transport-address>[,...]
Makes the agent list on the specified comma-separated list of
listening addresses instead of the default behaviour, which is
to listen on UDP port 161 on all IPv4 interfaces. See the sec-
tion LISTENING ADDRESSES in the snmpd(8) manual page for more
information about the format of listening addresses. For exam-
ple, specifying agentaddress 161,tcp:161,localhost:9161 will
make the agent listen on UDP port 161 on all IPv4 interfaces,
TCP port 161 on all IPv4 interfaces and UDP port 9161 only on
the interface associated with the localhost address.
# 注释 :在 snmpd 命令行可以指定监听地址,在 snmpd.conf 也可以。
# 使用的就是 agetnaddress 指令。
# 格式为 agentaddress [udp|tcp|unix]:[hostname|ip]:[port]
agentgroup groupid
Change to this gid after opening port. The groupid may refer to
a group by name or a number if the group number starts with '#'.
For example, specifying agentgroup snmp will cause the agent to
run as the snmp group or agentgroup #10 will cause the agent to
run as the group with groupid 10.
# 注释 :agentgroup <group_id> 等于 snmpd 命令的 -g 选项,如果是 gid ,前面加一个 #
agentuser uid
Change to this uid after opening port. The userid may refer to a
user by name or a number if the user number starts with '#'. For
example, specifying agentuser snmp will cause the agent to run
as the snmp user or agentuser #10 will cause the agent to run as
the user with userid 10.
# 注释 :agentuser <group_id> 等于 snmpd 命令的 -u 选项,如果是 uid ,前面加一个 #
interface NAME TYPE SPEED
For interfaces where the agent fails to guess correctly on the
type and speed, this directive can supply additional informa-
tion. TYPE is a type value as given in the IANAifType-MIB.
# 注释 :如果有 snmpd 无法正确识别的接口,可以用 interface 指令来定义
# interface 给处理 接口名称,类型,速率
ignoredisk STRING
When scanning for available disk devices the agent might block
in trying to open all possible disk devices. This might lead to
a timeout when walking the device tree. Sometimes the next walk
will run without timeout, sometimes it will timeout every time
you try it.
# 注释 :ignoredisk 指令用于忽略某些磁盘。当扫描磁盘时可能会卡在某些设备上
If you experience such behaviour you might add this directive
and give all device names not to be checked (i.e. opened). You
might have more than one such directive in your configuration
file stating all devices not to be opened. You might also spec-
ify those devices using wildcards similar to the syntax you can
use in a bourne shell (see examples below).
Note: For a list of devices scanned for every system please con-
sult the sources (host/hr_disk.c) and check for the
Add_HR_Disk_entry() calls relevant for your type of OS.
# 注释 :ignoredisk 指令的格式如下
Examples:
ignoredisk /dev/rdsk/c0t2d0
This directive prevents the device /dev/rdsk/c0t2d0 from being
scanned.
ignoredisk /dev/rdsk/c0t[!6]d0
This directive prevents all devices /dev/rdsk/c0tXd0 except
.../c0t6d0 from being scanned. For most systems similar is the
following directive:
ignoredisk /dev/rdsk/c0t[0-57-9a-f]d0
ignoredisk /dev/rdsk/c1*
This directive prevents all devices whose device names start
with /dev/rdsk/c1 from being scanned.
ignoredisk /dev/rdsk/c?t0d0
This directive prevents all devices /dev/rdsk/cXt0d0 ('X' might
be any char) from being scanned.
You might use more than one such wildcard expression in any such
directive.
storageUseNFS NUMBER
Setting storageUseNFS to 1 causes all NFS and NFS-like file sys-
tems to be marked as 'Network Disks' in the hrStorageTable. This
is according to RFC 2790. Not setting storageUseNFS or setting
it to 2 causes NFS and NFS-like file systems to be marked as
'Fixed Disks' as it has been in previous versions of the ucd-
snmp SNMP agent.
# 注释 :storeageUserNFS <number> 指令将把 hrStorageTable 表中的所有 NFS
# 和 NFS-类似的文件系统标识为 "Network Disks"。如果设置为2或者不设置,
# 将把 NFS 文件系统标识为 "Fixed Disks" 。
# 补充 :host Resource MIB 定以了如下对象:
host OBJECT IDENTIFIER ::= { mib-2 25 }
hrSystem OBJECT IDENTIFIER ::= { host 1 }
hrStorage OBJECT IDENTIFIER ::= { host 2 }
hrDevice OBJECT IDENTIFIER ::= { host 3 }
hrSWRun OBJECT IDENTIFIER ::= { host 4 }
hrSWRunPerf OBJECT IDENTIFIER ::= { host 5 }
hrSWInstalled OBJECT IDENTIFIER ::= { host 6 }
hrMIBAdminInfo OBJECT IDENTIFIER ::= { host 7 }
authtrapenable NUMBER
Setting authtrapenable to 1 enables generation of authentication
failure traps. The default value is disabled(2). Ordinarily
the corresponding object (snmpEnableAuthenTraps.0) is read-
write, but setting its value via this token makes the object
read-only, and attempts to set the value of the object will
result in a notWritable error response.
# 注释 :authtrapenable 表示是否启用 authentication trap 。默认是不启用。
# 该对象是 read-write 的,但如果在 snmpd.conf 中定义,则变成 read-only
# 默认是2(不启用),1表示启用
override OID TYPE VALUE
This directive allows you to override a particular OID with a
different value (and possibly a different type of value). An
example:
override sysDescr.0 octet_str "my own sysDescr"
That line will set the sysDescr.0 value to "my own sysDescr" as
well as make it modifiable with SNMP SETs as well (which is
actually illegal according to the MIB specifications).
Note that care must be taken when using this. For example, if
you try to override a property of the 3rd interface in the
ifTable with a new value and later the numbering within the
ifTable changes it's index ordering you'll end up with problems
and your modified value won't appear in the right place in the
table.
Valid TYPEs are: integer, uinteger, octet_str, bit_str,
object_id, counter, gauge, null. Note that setting an object to
"null" effectively delete's it as being accessible. No VALUE
needs to be given if the object type is null.
More types should be available in the future, as well as
writable object support.
SETTING UP TRAP AND/OR INFORM DESTINATIONS
trapcommunity STRING
This defines the default community string to be used when send-
ing traps. Note that this command must be used prior to any of
the following three commands that are intended use this commu-
nity string.
# 注释 :trapcommunity <string> 设置发送 trap 消息时默认使用的 community string
# 注意,该命令必须在下面三个命令之前
trapsink HOST [COMMUNITY [PORT]]
trap2sink HOST [COMMUNITY [PORT]]
informsink HOST [COMMUNITY [PORT]]
These commands define the hosts to receive traps (and/or inform
notifications). The daemon sends a Cold Start trap when it
starts up. If enabled, it also sends traps on authentication
failures. Multiple trapsink, trap2sink and informsink lines may
be specified to specify multiple destinations. Use trap2sink to
send SNMPv2 traps and informsink to send inform notifications.
If COMMUNITY is not specified, the string from a preceding trap-
community directive will be used. If PORT is not specified, the
well known SNMP trap port (162) will be used.
# 注释 :trapsink <host> ,trap2sink <host> ,informsink <host> 是用于设置 trap 消息的目标位置。
# trap2sink 用于发送 snmp v2c 的 trap 消息;inforsink 用于发送 notification 消息
# 注意 :如果没有指定 community string ,则使用上一个 trapcommunity 指令 给出的 community string
# 同时 每个指令还可以带不同的 community string
# 注释 :至于 port ,则默认为 162
trapsess [SNMPCMD_ARGS] HOST
This is a more generic trap configuration token that allows any
type of trap destination to be specified with any version of
SNMP. See the snmpcmd(1) manual page for further details on the
arguments that can be passed as SNMPCMD ARGS . In addition to
the arguments listed there, the special argument -Ci specifies
that you want inform notifications to be used instead of unac-
knowledged traps (this requires that you also specify a version
number of v2c or v3 as well).
PROXY SUPPORT
proxy [-Cn CONTEXTNAME] [SNMPCMD ARGS] HOST OID [REMOTEOID]
This token specifies that any incoming requests under OID should
be proxied on to another HOST instead. If a CONTEXTNAME is
specified, it assigns the proxied tree to a particular context
name within the local agent. This is the proper way to query
multiple agents through a single proxy. Assign each remote
agent to a different context name. Then you can use "snmpwalk
-n contextname1" to walk one remote proxied agent and "snmpwalk
-n contextname2" to walk another, assuming you are using SNMPv3
to talk to the proxy (snmpv1 and snmpv2c context mappings aren't
currently supported but might be in the future). Optionally,
relocate the local OID tree to the new location at the REMO-
TEOID. To authenticate to HOST you should use the appropriate
set of SNMPCMD ARGS. See the snmpcmd(1) manual page for
details.
Examples:
# assigns the entire mib tree on remotehost1 to the context of the
# same name:
proxy -Cn remotehost1 -v 1 -c public remotehost1 .1.3
# ditto, but for remotehost 2
proxy -Cn remotehost2 -v 1 -c public remotehost2 .1.3
# proxies only the ucdavis enterprises tree to the remote host using snmpv1
proxy -v 1 -c public remotehost .1.3.6.1.4.1.2021
# uses v3 to access remotehost and converts the remote .1.3.6.1.2.1.1
# oid to local .1.3.6.1.3.10 oid (another way to access mulitple hosts
# without using contexts)
proxy -v 3 -l noAuthNoPriv -u user remotehost .1.3.6.1.3.10 .1.3.6.1.2.1.1
PASS-THROUGH CONTROL
pass MIBOID EXEC
(If you're writing perl scripts, please see the embedded perl
support information later in this manual page). Passes entire
control of MIBOID to the EXEC program. The EXEC program is
called in one of the following three ways:
EXEC -g MIBOID
EXEC -n MIBOID
These call lines match to SNMP get and getnext requests.
It is expected that the EXEC program will take the argu-
ments passed to it and return the appropriate response
through it's stdout.
The first line of stdout should be the MIB OID of the
returning value. The second line should be the TYPE of
value returned, where TYPE is one of the text strings:
string, integer, unsigned, objectid, timeticks, ipad-
dress, counter, or gauge. The third line of stdout
should be the VALUE corresponding with the returned TYPE.
For instance, if a script was to return the value integer
value "42" when a request for .1.3.6.1.4.100 was
requested, the script should return the following 3
lines:
.1.3.6.1.4.100
integer
42
To indicate that the script is unable to comply with the
request due to an end-of-mib condition or an invalid
request, simple exit and return no output to stdout at
all. An SNMP error will be generated corresponding to
the SNMP noSuchName response.
EXEC -s MIBOID TYPE VALUE
For SNMP set requests, the above call method is used.
The TYPE passed to the EXEC program is one of the text
strings: integer, counter, gauge, timeticks, ipaddress,
objid, or string, indicating the type of value passed in
the next argument.
Return nothing to stdout, and the set will assumed to
have been successful. Otherwise, return one of the fol-
lowing error strings to signal an error: not-writable, or
wrong-type and the appropriate error response will be
generated instead.
Note: By default, the only community allowed to write
(ie snmpset) to your script will be the "private"
community,or community #2 if defined differently
by the "community" token discussed above. Which
communities are allowed write access are con-
trolled by the RWRITE definition in the snm-
plib/snmp_impl.h source file.
Example (in snmpd.conf):
pass .1.3.6.1.4.1.2021.255 /path/to/local/passtest
pass_persist MIBOID EXEC
Passes entire control of MIBOID to the EXEC program. Similar to
pass, but the EXEC program continues to run after the initial
request is answered.
Upon initialization, EXEC is passed the string "PING/n" in
stdin, and it should respond by printing "PONG/n" to stdout.
For get and getnext requests, EXEC program is passed two lines,
the command (get or getnext) and the MIB OID. It should return
three lines, the MIB OID, the TYPE of value returned, the VALUE
corresponding with the returned TYPE.
For example, if the value for .1.3.6.1.4.100 was requested, the
following 2 lines would be passed in to stdin:
get
.1.3.6.1.4.100
To return the value, say, 42, the script would write to stdout:
.1.3.6.1.4.100
integer
42
To indicate that the script is unable to comply with the request
due to an end-of-mib condition or an invalid request, print
"NONE/n" to stdout.
Example (in snmpd.conf):
pass_persist .1.3.6.1.4.1.2021.255 /path/to/local/pass_per-
sisttest
EMBEDDED PERL SUPPORT
Warning: though embedded perl is working, not much functionality has
been implemented yet and thus writing mib module pieces for the agent
within perl is not trivial at this point. It should get better in
future releases.
The net-snmp package has ability to call perl scripts directly inside
the agent through embedded perl technology (similar to mod_perl for the
apache web server). This must be turned on at compile time by passing
--enable-embedded-perl to the configure script when the package is
built. To see if your package was built with embedded perl, run "net-
snmp-config --configure-options" and see if that flag was used.
If compiled in, it defines the following snmpd.conf configuration
directives:
disablePerl true
This will turn off perl support entirely. If the embedded perl
support stops working due to a change in perl, etc, this will
stop any calls to the perl core.
perlInitFile FILE
Use FILE as the initialization file. This file is normally
/usr/share/snmp/snmp_perl.pl but this token can override that
default. This file performs any in-perl initialization that is
needed before the rest of the perl directives (below) are
called. It is sourced once just before the first perl directive
is parsed. See the default file for an example of the initial-
ization it performs.
perl EXPRESSION
Calls perl to evaluate an expression. Normally you'd want to do
something like register a function to call when an OID is
requested, but you can really do anything perl related you want.
For example:
perl print "hello world/n";
is the most basic hello world example.
The init script by default initializes a $agent variable which
is a pointer to a NetSnmp::agent object through which you can
register callbacks when a section of the OID tree is hit:
perl use Data::Dumper;
perl sub myroutine { print "got called: ",Dumper(@_),"/n"; }
perl $agent->register('mylink', '.1.3.6.1.8765', /&myroutine);
Sourcing an external file:
perl 'do /path/to/file.pl';
No better examples exist at the moment, unfortunately. Look for
improved support in future releases. Comments on how this looks
as an architecture are certainly appreciated now.
DISMAN-EVENT-MIB SUPPORT (READ: SENDING TRAPS ON ERRORS)
Warning: this implementation has not been extensively tested and is
additionally not known to be entirely complete. The concepts defined
here should function appropriately, however, but no promises are made
at this time.
If your agent was compiled with support for the DISMAN-EVENT-MIB (you
can enable this by running the net-snmp configure script with the
--with-mib-modules=disman/event-mib argument) you have support for hav-
ing the agent check its own data at regular intervals and to send out
traps when certain conditions occur. Traps are sent when expressions
are first noticed, not once per evaluation. Once a test expression
fires a trap, the test will have to fail again before a new trap is
sent. See the DISMAN-EVENT-MIB documentation for more details. This
can be configured either using the MIB tables themselves or by using
these special key words:
agentSecName NAME
The DISMAN-EVENT-MIB support requires a valid user name for
which to scan your agent with. This can either be specified
using the agentSecName token or by explicitly list one on the
"monitor" lines described below using the -u switch. Either
way, a "rouser" line (or equivalent access control settings)
must also be specified with the same security name name. If you
need an example, just do something like this:
agentSecName internal
rouser internal
And everything below should work just fine.
monitor [OPTIONS] NAME EXPRESSION
This token tells the agent to monitor itself for problems based
on EXPRESSION. Expression is a simple expression based on an
oid, a comparison operator (!=, ==, <, <=, >, >=) and an integer
value (see the examples below). NAME is merely an arbitrary
name of your choosing for administrative purposes only. OPTIONS
include the following possibilities:
-r FREQUENCY
Monitors the given expression every FREQUENCY seconds.
The default is 600 (10 minutes).
-u SECNAME
Use the SECNAME security name for scanning the local
host. Specifically, this SECNAME must then be given
access control rights via something like the "rouser"
snmpd.conf token for this expression to be valid at all.
If not specified, it uses the default security name spec-
ified by the agentsecname snmpd.conf token. Either the
-u flag or a valid agentsecname token must be specified
(and that name must be given proper access control rights
via a "rouser" token).
-o OID Specifies additional object values to be delivered with
in the resulting trap in addition to the normal trap
objects. This is useful for obtaining other columns in
the table for the row that triggered the expression. See
the examples below for more details.
The following example configuration checks the hrSWRunPerfTable
table (listing running processes) for any process which is con-
suming > 10Mb of memory. It performs this check every 600 sec-
onds (the default). For every process it finds exceeding the
limit, it will end out exactly one notification. In addition to
the normal hrSWRunPerfMem oid and value sent in the trap, the
hrSWRunName object will also be sent. Note that the hrSWRunName
object actually occurs in a different table, but since the
indexes to the two tables are the same this works out alright.
rouser me
monitor -u me -o sysUpTime.0 -o hrSWRunName "high process memory" hrSWRunPerfMem > 10000
The above line would produce a trap which, when formated by
snmptrapd, would look like:
2002-04-05 13:33:53 localhost.localdomain [udp:127.0.0.1:32931]:
sysUpTimeInstance = Timeticks: (1629) 0:00:16.29 snmpTrapOID.0 = OID: mteTriggerFired mteHotTrigger = high process memory mteHotTargetName = mteHotContextName = mteHotOID = OID: hrSWRunPerfMem.1968 mteHotValue = 28564 hrSWRunName.1968 = "xemacs"
This shows my xemacs process using 28Mb of resident memory.
Which, considering it's xemacs, is not that surprising.
defaultMonitors yes
By default, the agent and the DISMAN-EVENT-MIB support do noth-
ing until configured. Typically people wish to watch a bunch of
tables within the UCD-SNMP-MIB which are designed specifically
for reporting problems. If the "defaultMonitors yes" line is
put into the snmpd.conf file (which must be accompanied by an
appropriate agentSecName line and a rouser line), the following
monitoring conditions will be installed:
monitor -o prNames -o prErrMessage "process table" prErrorFlag != 0
monitor -o memErrorName -o memSwapErrorMsg "memory" memSwapError != 0
monitor -o extNames -o extOutput "extTable" extResult != 0
monitor -o dskPath -o dskErrorMsg "dskTable" dskErrorFlag != 0
monitor -o laNames -o laErrMessage "laTable" laErrorFlag != 0
monitor -o fileName -o fileErrorMsg "fileTable" fileErrorFlag != 0
DEBUGGING AND OTHER EXTENSIBILITY NOTES
If you're trying to figure out aspects of the various mib modules (pos-
sibly some that you've added yourself), the following may help you spit
out some useful debugging information. First off, please read the
snmpd manual page on the -D flag. Then the following configuration
snmpd.conf token, combined with the -D flag, can produce useful output:
injectHandler HANDLER modulename
This will insert new handlers into the section of the mib tree
referenced by "modulename". The types of handlers available for
insertion are:
debug - Prints out lots of debugging information when -Dhelper:debug
is passed to the snmpd application.
read_only - Forces turning off write support for the given module.
serialize - If a module is failing to handle multiple requests
properly (using the new 5.0 module API), this will force
the module to only receive one request at a time.
bulk_to_next - If a module registers to handle getbulk support, but
for some reason is failing to implement it properly,
this module will convert all getbulk requests to
getnext requests before the final module receives it.
Figuring out module names
To figure out which modules you can inject things into, snmpwalk
the nsModuleTable which will give you a list of all named mod-
ules registered within the agent.
EXAMPLE CONFIGURATION FILE
See the EXAMPLE.CONF file in the top level source directory for a more
detailed example of how the above information is used in real examples.
RE-READING snmpd.conf AND snmpd.local.conf
The Net-SNMP agent can be forced to re-read its configuration files.
It can be told to do so by one of two ways:
1. An snmpset of integer(1) to UCD-SNMP-MIB::versionUpdateConfig.0
(.1.3.6.1.4.1.2021.100.11.0)
2. A "kill -HUP" signal sent to the snmpd agent process.
# 注释 :要使 snmpd 重新读取配置有两种方法 :
# -)snmpset -c <string> -v 2c <host> UCD-SNMP-MIB::versionUpdateConfig.0 i 1
# -)发送一个 HUP 信号给 snmpd 进程,
# -)执行 service snmpd restart
FILES
/snmp/snmpd.conf
SEE ALSO
snmpconf(1), snmpusm(1), snmp.conf(5), snmp_config(5), snmpd(8), EXAM-
PLE.conf, read_config(3).
4th Berkeley Distribution 28 Feb 2003 SNMPD.CONF(5)