Enabling the preconfigured SNMP
To start the snmpd daemon, execute from the console:

    # chkconfig snmpd on
    # service snmpd start
    Starting snmpd: [ OK ]
You also need to enable the snmpd port in the firewall: run system-config-securitylevel-tui and enable snmpd:udp in the "Customize" screen.
You can then query the SNMP status of this server by running snmpwalk:

    # snmpwalk -v 1 -c public myserver.mydomain.de
    SNMPv2-MIB::sysDescr.0 = STRING: Linux server15 2.6.32.12-0.7.1.xs5.6.100.307.170586xen #1 SMP Tue Nov 30 09:55:20 EST 2010 i686
    SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (330504) 0:55:05.04
    SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (edit /etc/snmp/snmpd.conf)
    SNMPv2-MIB::sysName.0 = STRING: server15
    SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
    SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
    SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB
    SNMPv2-MIB::sysORID.3 = OID: IP-MIB::ip
    SNMPv2-MIB::sysORID.4 = OID: UDP-MIB::udpMIB
    SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
    SNMPv2-MIB::sysORID.6 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
    SNMPv2-MIB::sysORID.7 = OID: SNMP-MPD-MIB::snmpMPDCompliance
    SNMPv2-MIB::sysORID.8 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
    ....
After SNMP has been enabled, you can query this server from Cacti, for example, to get fancy network and CPU load diagrams.
Disabling public access
The default SNMP configuration allows the server to be queried without a password: the "public" community string used in the snmpwalk call above is the well-known default. Anybody who can reach the server can therefore run the snmpwalk command and retrieve your server status. If you do not want this, you have to disable the default configuration and add a new configuration that grants access only to hosts identified by user name and password.
To remove public access to the SNMP data, comment out all lines starting with "view systemview included" in /etc/snmp/snmpd.conf and restart snmpd.

    # Third, create a view for us to let the group have rights to:
    #       name           incl/excl     subtree         mask(optional)
    #view   systemview     included      system
    #view   systemview     included      interfaces
    #view   systemview     included      at
    #view   systemview     included      ip
    #view   systemview     included      icmp
    #view   systemview     included      tcp
    #view   systemview     included      udp
    #view   systemview     included      snmp
Enabling SNMPv3
The easiest way of adding password protection is to use the net-snmp-config command. Unfortunately, the binary is not available on Citrix XenServer, so it must be installed first. Since it is also not available in the Citrix package repository, we need to retrieve it from some other place. As Citrix XenServer is based on CentOS 5.4, make sure you download the 5.4 release of the package.
The net-snmp-devel package has lots of dependencies which we don't need, so we force installation of this package only with the --nodeps flag.
Finally, we create a user name and password for SNMP with the net-snmp-config command.
    # wget http://vault.centos.org/5.4/os/i386/CentOS/net-snmp-devel-5.3.2.2-7.el5.i386.rpm
    --2011-07-17 18:26:45-- http://vault.centos.org/5.4/os/i386/CentOS/net-snmp-devel-5.3.2.2-7.el5.i386.rpm
    Resolving vault.centos.org... 95.211.98.141
    Connecting to vault.centos.org|95.211.98.141|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1995703 (1.9M) [application/x-rpm]
    Saving to: `net-snmp-devel-5.3.2.2-7.el5.i386.rpm.1'
    100%[======================================================================================================================>] 1,995,703 6.51M/s in 0.3s
    2011-07-17 18:26:45 (6.51 MB/s) - `net-snmp-devel-5.3.2.2-7.el5.i386.rpm' saved [1995703/1995703]
    # rpm -hiv --nodeps net-snmp-devel-5.3.2.2-7.el5.i386.rpm
    warning: net-snmp-devel-5.3.2.2-7.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
    Preparing... ########################################### [100%]
    1:net-snmp-devel ########################################### [100%]
    # service snmpd stop
    # net-snmp-config --create-snmpv3-user -a mytopsecredpassword monitor
    adding the following line to /var/net-snmp/snmpd.conf:
    createUser monitor MD5 "mytopsecredpassword" DES
    adding the following line to /etc/snmp/snmpd.conf:
    rwuser monitor
    # service snmpd start
    Starting snmpd: [ OK ]
    #
The SNMP information can now be retrieved only by supplying the user name and password. The AuthNoPriv level used here authenticates the request but does not encrypt the traffic:
    # snmpwalk -v 3 -c public myserver.mydomain.de -u monitor -A mytopsecredpassword -l AuthNoPriv
    SNMPv2-MIB::sysDescr.0 = STRING: Linux server00 2.6.32.12-0.7.1.xs5.6.100.323.170596xen #1 SMP Fri Apr 8 07:25:07 EDT 2011 i686
    SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
    DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (35243502) 4 days, 1:53:55.02
    SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (edit /etc/snmp/snmpd.conf)
    SNMPv2-MIB::sysName.0 = STRING: server15
    SNMPv2-MIB::sysLocation.0 = STRING: Unknown
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
    SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
    SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB
    SNMPv2-MIB::sysORID.3 = OID: IP-MIB::ip
    SNMPv2-MIB::sysORID.4 = OID: UDP-MIB::udpMIB
    SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
    SNMPv2-MIB::sysORID.6 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
    SNMPv2-MIB::sysORID.7 = OID: SNMP-MPD-MIB::snmpMPDCompliance
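
One way to check a configuration against the steps above, as an added example that is not part of the original guide: the function flags view lines that are still active, and SNMPv3 users that have write access or do not require encryption. The function names and the sample configuration are constructed for illustration, and the user check assumes the plain "rwuser NAME [LEVEL]" form that net-snmp-config writes.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# audit_snmpd_conf FILE: print one finding per line for active directives in
# an snmpd.conf; return 1 if anything was found, 0 if the file is clean.
# Assumes the plain "rwuser NAME [LEVEL]" form that net-snmp-config writes.
audit_snmpd_conf() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }   # skip comments and blank lines
        # An active view line is still readable through the default setup.
        $1 == "view" && $3 == "included" {
            printf "%d: view %s still includes %s\n", NR, $2, $4; found = 1
        }
        # rwuser permits SNMP SET; a monitoring account only needs rouser.
        $1 == "rwuser" {
            printf "%d: user %s has write access (rwuser)\n", NR, $2; found = 1
        }
        # Field 3 is the minimum security level. It defaults to auth, which
        # authenticates requests but does not encrypt them.
        ($1 == "rwuser" || $1 == "rouser") && $3 != "priv" {
            printf "%d: user %s does not require priv\n", NR, $2; found = 1
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample: one view line left active, plus the user line that
# net-snmp-config adds in this guide.
sample_conf() {
    cat <<'EOF'
#       name           incl/excl     subtree         mask(optional)
#view   systemview     included      system
view    systemview     included      interfaces
rwuser monitor
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_snmpd_conf "$tmp" || echo "findings above: edit the file and restart snmpd"
rm -f "$tmp"
```

On the server itself, call audit_snmpd_conf /etc/snmp/snmpd.conf after each change and before restarting snmpd.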