Install and set up Net-SNMP for basic SNMP monitoring on Linux. This guide configures snmpd.conf on Linux, Unix and HPUX systems, whether 64-bit, 32-bit, or an ARM-based system like the Raspberry Pi.
PURPOSE: Set up Net-SNMP with SNMPv3 credentials with minimal effort to get system monitoring and process details.
Reference: SNMPv3
With this Guide, you can Monitor:
- Status
- CPU
- Memory
- Topology
- Interface Status/Utilization
- Asset Inventory
- Volumes such as /, /etc/ and other directories.
- Running Processes
Tested on: Ubuntu, Debian, CentOS.
This is a basic configuration for either SNMPv2 or SNMPv3.
- Start by updating the system, then installing snmpd
apt-get update
apt-get install snmpd
Modify the snmpd.conf file to set up the configuration to monitor your system from across the network. The configuration below allows anyone to read the SNMP data, so you may want a more secure configuration. These are the bare bones needed to start monitoring right away via SNMPv2:
- Open the snmpd.conf in your favorite editor
nano /etc/snmp/snmpd.conf
- Change IP Binding from local to All IPs or selected Interfaces
- Note: Comment out the start of a line with #
- Example output:
# Listen for connections from the local system only
# agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
# (udp6:[::1]:161 binds only the IPv6 loopback; use udp6:161 for all IPv6 addresses)
agentAddress udp:161,udp6:[::1]:161
Note: this is where you can limit which interfaces snmpd is bound to.
Choose either SNMPv2, or SNMPv3 (encrypted traffic, more secure)
SNMPv2
- Scroll down the page and un-comment the Community String:
#rocommunity public localhost
rocommunity public
#rocommunity secret 10.0.0.0/16
Note the example: you can use rocommunity public together with the allowed IP addresses, as commented out on line 4.
To make it work, it basically needs to look like:
- rocommunity <snmpcommunity>
- Limit to endpoint IP: rocommunity <snmpcommunity> 10.1.1.10
- limit to IP Range: rocommunity <snmpcommunity> 10.0.0.0/16
- ipv6only: rocommunity6 <snmpcommunity>
- Restart the SNMP daemon:
service snmpd restart
- When Adding the Device for monitoring, select SNMPv2, use the Community string, enter ONLY into Read Only, then select Test.
SNMPv3
This is where I break from a lot of guides, probably because no one referenced the source material. We are editing the snmpd.conf file directly, so you are not dependent on net-snmp-utils.
WARNING: SNMPv3 pass phrases must be at least 8 characters long!
- Create the User (usually do not see the user in Show Run/Show Start configurations)
- Example Command: CreateUser TestSNMPv3User SHA P@$$w0rd AES P@$$w0rd
- Note: If the privacy passphrase is not specified, it is assumed to be the same as the authentication passphrase.
- MD5: Use HMAC MD5 algorithm for authentication
- SHA: Use HMAC SHA1 algorithm for authentication
- AES: Use AES 128 bit algorithm for encryption
- DES: Use 56 bit DES algorithm for encryption
What it would look like in the configuration
###############################################################################
#
# SNMPv3 AUTHENTICATION
#
# I add the SNMPv3 Users in this area
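# Example (the user name must match the rouser line further down;
# the passphrases on this line are stored in plaintext in this file)
CreateUser SNMPv3User SHA SNMPv3SHAPass AES SNMPv3AESPass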
- Access Control
- Example Command: rouser SNMPv3User Priv .1
- It is not appropriate to specify both rouser and rwuser directives referring to the same SNMPv3 user
- rouser: Read only user
- rwuser: Read/write User (should not use unless you have a reason to do so)
- Auth: Group using the authNoPriv Security Model
- Noauth: Group using the noAuthNoPriv Security Model
- Priv: Group using the authPriv Security Model
Scroll down and set to allow the User and Privacy Type
rouser SNMPv3User priv .1
Why .1? .1 is the beginning of the SNMP OID tree. You can limit it further, but .1 or 1.3.6 always works.
- Restart the SNMP daemon:
service snmpd restart
When adding this device as a Node, it should look like the following. Notice that Read/Write must be blank.
Restart Services with new configuration
- Restart the SNMP daemon:
service snmpd restart
- The device will show as Vendor Net-SNMP; changing the SystemObjectID will change the Vendor on rediscovery.
apt-get install snmp
snmpwalk -v 3 -l authPriv -u SNMPv3User -a sha -A SNMPv3SHAPass -x aes -X SNMPv3AESPass localhost
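To check a finished snmpd.conf against the choices described above (open community strings, MD5/DES, passphrases under 8 characters, users not held to authPriv, read/write access), here is an added example that is not part of the original guide. The function names and the sample configuration are constructed for illustration, and it assumes the simple directive forms shown on this page.

```shell
#!/bin/sh
# Added example: flag the weaker snmpd.conf settings described in this guide.
# Reads the named file(s), or stdin; prints one finding per line, nothing if clean.
# Assumes the simple directive forms shown on this page (no -e / -s options).
audit_snmpd_conf() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }    # skip comments and blank lines
    { d = tolower($1) }               # the page writes CreateUser, so ignore case
    d ~ /^r[ow]community6?$/ {
      if ($2 == "public")
        print "line " NR ": default community string " $2
      if (NF < 3) print "line " NR ": community accepted from any source address"
      if (d ~ /^rw/) print "line " NR ": read/write community"
    }
    d == "createuser" {
      if (toupper($3) == "MD5") print "line " NR ": user " $2 " uses HMAC-MD5 authentication"
      if (toupper($5) == "DES") print "line " NR ": user " $2 " uses 56-bit DES encryption"
      if (length($4) < 8 || (NF >= 6 && length($6) < 8))
        print "line " NR ": user " $2 " has a passphrase shorter than 8 characters"
    }
    d == "rouser" || d == "rwuser" {
      if (tolower($3) != "priv") print "line " NR ": user " $2 " is not held to authPriv"
      if (d == "rwuser") print "line " NR ": user " $2 " has read/write access"
    }
  ' "$@"
}

# Constructed sample configuration (not from a real host).
sample_weak_conf() {
  cat <<'EOF'
rocommunity public
rocommunity secret 10.0.0.0/16
createUser olduser MD5 short DES short
createUser SNMPv3User SHA SNMPv3SHAPass AES SNMPv3AESPass
rouser olduser auth .1
rouser SNMPv3User priv .1
EOF
}

sample_weak_conf | audit_snmpd_conf
```

Run it against the live file with audit_snmpd_conf /etc/snmp/snmpd.conf; no output means none of these settings were found.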