Notes to self.
Environment: CentOS 7.3
★Contents of snmpd.conf
rocommunity hogehoge
trapCommunity hogehoge
trap2sink localhost hogehoge
#First, map the community name "public" into a "security name"
#sec.name source community
com2sec notConfigUser default public
com2sec omnet 192.168.1.0/24 hogehoge
com2sec omnet 192.168.13.0/24 hogehoge
####
# Second, map the security name into a group name:
# groupName securityModel securityName
group omnet_group v1 omnet
group omnet_group v2c omnet
group omnet_group usm omnet
####
# Third, create a view for us to let the group have rights to:
# Make at least snmpwalk -v 1 localhost -c public system fast again.
# name incl/excl subtree mask(optional)
#view systemview included .1.3.6.1.2.1.1
#view systemview included .1.3.6.1.2.1.25.1.1
view view_all included .1
####
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
#access notConfigGroup "" any noauth exact systemview none none
access omnet_group "" any noauth exact view_all none none
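The four steps commented in the snmpd.conf above (com2sec, group, view, access) form a chain. The Python sketch below is an added example, not part of the original memo; it resolves that chain for the active lines to show which community string from which source can read what. The function names are made up here, and view masks, excluded subtrees and contexts are ignored.

```python
import shlex
# Active VACM lines from the snmpd.conf in this memo (comment lines dropped).
SAMPLE_CONF = '''
com2sec notConfigUser default public
com2sec omnet 192.168.1.0/24 hogehoge
com2sec omnet 192.168.13.0/24 hogehoge
group omnet_group v1 omnet
group omnet_group v2c omnet
group omnet_group usm omnet
view view_all included .1
access omnet_group "" any noauth exact view_all none none
'''

def resolve_vacm(conf_text):
    """List the (model, subtree) pairs each com2sec line can read (simplified)."""
    com2sec, groups, views, access = [], {}, {}, {}
    for raw in conf_text.splitlines():
        tok = shlex.split(raw, comments=True)   # '#' comments skipped, "" kept as a token
        if len(tok) < 4:
            continue
        if tok[0] == "com2sec":                 # com2sec SECNAME SOURCE COMMUNITY
            com2sec.append((tok[1], tok[2], tok[3]))
        elif tok[0] == "group":                 # group GROUP MODEL SECNAME
            groups.setdefault(tok[3], []).append((tok[1], tok[2]))
        elif tok[0] == "view" and tok[2] == "included":   # view NAME included SUBTREE
            views.setdefault(tok[1], []).append(tok[3])
        elif tok[0] == "access" and len(tok) >= 7:  # access GROUP CTX MODEL LEVEL PREFIX READ ...
            access.setdefault(tok[1], []).append((tok[3], tok[4], tok[6]))
    results = []
    for secname, source, community in com2sec:
        reads = set()
        for group, model in groups.get(secname, []):
            if model not in ("v1", "v2c"):      # communities only exist in v1/v2c
                continue
            for acc_model, level, read_view in access.get(group, []):
                # v1/v2c requests are always noAuthNoPriv, so only noauth lines match
                if acc_model in ("any", model) and level == "noauth":
                    reads.update((model, sub) for sub in views.get(read_view, []))
        results.append({"community": community, "source": source, "reads": sorted(reads)})
    return results

def whole_tree_readers(results):
    """(community, source) pairs that can read the entire OID tree (.1)."""
    return [(r["community"], r["source"]) for r in results
            if any(sub.lstrip(".") == "1" for _, sub in r["reads"])]

if __name__ == "__main__":
    for r in resolve_vacm(SAMPLE_CONF):
        print(r)
```

For this config, `public` maps to a security name that belongs to no group and so gets no access, while `hogehoge` from both subnets can read the whole tree over v1 and v2c.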
★Contents of snmptrapd.conf
Note: traps you want to exclude are specified with traphandle.
authCommunity log,execute,net aphrodite2
### Add
#createUser user SHA password AES password
traphandle .1.3.6.1.4.1.6876.4.1.0.* /bin/true
traphandle .1.3.6.1.4.1.6876.4.90.0.401 /bin/true
traphandle .1.3.6.1.4.1.3183.1.1.0.* /bin/true
traphandle default /usr/bin/traptoemail -f <fromadd> -s <smtpserver> alert@hoge.local
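Note: traptoemail requires the net-snmp-perl package to be installed separately.
Also note that unless LANG is set to en_US, the mail's time header goes wrong and ends up as 1970/1/1.
Startup options
Note: for the case where logs are output to facility 5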
■snmpd
# cat /etc/sysconfig/snmpd
# snmpd command line options
# '-f' is implicitly added by snmpd systemd unit file
# OPTIONS="-LS0-6d"
OPTIONS="-Ls5 -Lf /dev/null -p /var/run/snmpd.pid -a"
■snmptrapd
# cat /etc/sysconfig/snmptrapd
# snmptrapd command line options
# '-f' is implicitly added by snmptrapd systemd unit file
# OPTIONS="-Lsd"
OPTIONS="-Ls5 -Lf /dev/null -p /var/run/snmptrapd.pid -a"
★Placement of vendor MIBs (/etc/snmp/snmp.conf)
mibdirs /usr/share/snmp/mibs:/usr/share/snmp/mibs/vendormibs
★SNMP v3 support
# service snmpd stop
# net-snmp-create-v3-user -ro -A password -a SHA -X password -x AES username
adding the following line to /var/lib/net-snmp/snmpd.conf:
createUser snmpv3user SHA "snmpv3authPass" AES snmpv3encPass
adding the following line to /etc/snmp/snmpd.conf:
rouser snmpv3user
Start snmpd at this point.
As a result of the above, the following changes are made when the user is added:
1./var/lib/net-snmp/snmpd.conf
usmUser XXXXXXXXXXXXXXXXXX snmpadmin XXXXXXXXXXXXXXXXXX
The line above is appended.
2./etc/snmp/snmpd.conf
rouser snmpadmin
The line above is appended.
★Contents of rsyslog.conf
#kern.* /dev/console
#SNMP Log section
local5.* /var/log/snmp/snmplog
& ~
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
★How to check traps
snmptrap -v 2c -c hogehoge <device_ip> '' .1.3.6.1.4.1.8072.100 .1.3.6.1.4.1.8072.100.1 s "hogehoge"
snmpwalk -v 2c -c hogehoge <device_ip>
snmpwalk -v 2c -c hogehoge <device_ip> CISCO-PROCESS-MIB::cpmCPUTotal5minRev
snmpwalk -v3 -u user -l authPriv -a SHA -A password -x AES -X password <device_ip> system