This article is part of the Net-SNMP series:
- Beginners Guide to Installing, Using, and Configuring Net-SNMP – Part 1
- Beginners Guide to Installing, Using, and Configuring Net-SNMP – Part 2
In the first part of this series, we discussed the steps you need to follow in order to download, install, and get the Net-SNMP tool running.
In this part, we will focus on the configuration aspect, explaining how you can configure the Net-SNMP agent, as well as set up authentication and encryption for the messages transmitted between it and the client.
Configuring the Net-SNMP Agent – snmpd
Assuming that the Net-SNMP package is installed on your system and is up and running, run the following command:
snmpwalk -v2c -c public localhost system
On my system, the following output was produced:
SNMPv2-MIB::sysDescr.0 = STRING: Linux himanshu-desktop 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (6481067) 18:00:10.67
SNMPv2-MIB::sysContact.0 = STRING: Me <email@example.com>
SNMPv2-MIB::sysName.0 = STRING: himanshu-desktop
SNMPv2-MIB::sysLocation.0 = STRING: Sitting on the Dock of the Bay
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (22) 0:00:00.22
...
...
...
If you observe, this output contains values corresponding to system-specific variables present under the “.iso.org.dod.internet.mgmt.mib-2.system” MIB tree.
Now, suppose you want to tweak information such as “sysLocation” and “sysContact”. You can do this by editing the corresponding values in /etc/snmp/snmpd.conf, a file which you can use for configuring the Net-SNMP agent (“snmpd”).
As you can see in the screenshot above, the file contains many entries, some of which are deliberately commented out and need to be explicitly activated. In this file, I changed the value of the “sysLocation” parameter from “Sitting on the Dock of the Bay” to “Datacenter, Row 2, Rack 1.”
For the change to come into effect, just restart the Net-SNMP daemon with the following command:
and then run the snmpwalk command again:
$ snmpwalk -v2c -c public localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux himanshu-desktop 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (470) 0:00:04.70
SNMPv2-MIB::sysContact.0 = STRING: Me <firstname.lastname@example.org>
SNMPv2-MIB::sysName.0 = STRING: himanshu-desktop
SNMPv2-MIB::sysLocation.0 = STRING: Datacenter, Row 2, Rack 1
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
So, as you can see, the value of the “sysLocation” parameter was successfully changed. Similarly, you can tweak the values of other parameters present in this file, as well as add parameters which aren’t already there.
Note: You can also use Net-SNMP’s snmpconf utility for creating and modifying SNMP configuration files. To know more about the command, read its Manpage here.
Set Up Authentication and Encryption
The Net-SNMP client utilities such as snmpwalk, and more, as well as the daemon (snmpd), support all three versions of the SNMP protocol: v1, v2c, and v3. While the first two support only authentication, v3 also supports encryption. So, in this section, we will discuss how to set up SNMPv3.
As a first step, stop the snmpd daemon service using the following command:
then open the /var/lib/snmp/snmpd.conf file and add the following line at the bottom:
createUser USERNAME SHA "AUTHENTICATION-PASSWORD" AES "ENCRYPTION-PASSWORD"
The createUser command creates an SNMPv3-specific user for the purpose of authentication and encryption of SNMPv3 messages.
In the command above, replace “AUTHENTICATION-PASSWORD” and “ENCRYPTION-PASSWORD” with actual passwords that you want to keep. Also, it’s worth noting that if you do not mention “ENCRYPTION-PASSWORD” at all, Net-SNMP will use “AUTHENTICATION-PASSWORD” as the “ENCRYPTION-PASSWORD”.
Next, open /etc/snmp/snmpd.conf and add the following line at the bottom:
rouser USERNAME priv
This line makes sure that the user we created earlier has read-only permissions and can only access the agent using authPriv, the SNMPv3 security level that provides both authentication and privacy (encryption). If you want the user to have write permissions, too, just use rwuser (instead of rouser) in that case.
Now, start the Net-SNMP daemon service again using the following command:
and then run the following command to test SNMPv3:
snmpwalk -v 3 -l authPriv -a sha -A [AUTHENTICATION-PASSWORD] -x AES -X [ENCRYPTION-PASSWORD] -u [USERNAME] localhost system
If SNMPv3 is set up successfully, the output should be the same as the one listed at the beginning of this article.
1. Make sure to replace [AUTHENTICATION-PASSWORD], [ENCRYPTION-PASSWORD], and [USERNAME] with appropriate values.
2. SHA authentication and DES/AES encryption support is only available if you have OpenSSL installed or if you’ve compiled using
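Once the SNMPv3 user works, it is worth checking that nothing in the configuration still allows weaker access, such as the “public” community used earlier or a user line without “priv”. The script below is an added example, not part of the original article or of Net-SNMP; the function name audit_snmpd_conf is hypothetical, the sample input is constructed, and it assumes passphrases contain no spaces.

```shell
#!/bin/sh
# Added example, not from the article: lint snmpd.conf-style files for settings
# that weaken the authPriv setup. Assumes passphrases contain no spaces.
audit_snmpd_conf() {
    awk '
    function flag(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    function unq(s)    { gsub(/"/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    { d = tolower($1); a = 2 }
    d ~ /^r[ow]community6?$/ {                   # v1/v2c access
        flag("community " $2 " is sent in clear text; use an SNMPv3 user")
    }
    d == "rouser" || d == "rwuser" {
        if ($a == "-s") a += 2                   # optional -s SECMODEL
        lvl = tolower($(a + 1))
        shown = (lvl == "" ? "auth, the default" : lvl)
        if (lvl != "priv")
            flag("user " $a " accepted without encryption (level " shown ")")
    }
    d == "createuser" {
        if ($a == "-e") a += 2                   # optional -e ENGINEID
        auth = toupper($(a + 1)); apass = unq($(a + 2))
        priv = toupper($(a + 3)); ppass = unq($(a + 4))
        if (auth == "MD5") flag("MD5 authentication; the article uses SHA")
        if (priv == "DES") flag("DES encryption; the article uses AES")
        if (length(apass) < 8) flag("authentication passphrase under 8 characters")
        if (ppass == "" || ppass == apass)
            flag("encryption passphrase is the same as the authentication one")
        if (apass == "AUTHENTICATION-PASSWORD" || ppass == "ENCRYPTION-PASSWORD")
            flag("tutorial placeholder passphrase left in place")
    }
    END { exit bad }                             # non-zero when anything was flagged
    ' "$@"
}

# Constructed sample input (not a real configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
rocommunity public
createUser USERNAME SHA "AUTHENTICATION-PASSWORD" AES
rouser USERNAME auth
EOF
audit_snmpd_conf "$sample" || echo "review the findings above"
rm -f "$sample"
```

To check a real system, pass both files edited in this article: audit_snmpd_conf /etc/snmp/snmpd.conf /var/lib/snmp/snmpd.conf.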
Net-SNMP provides a lot of configuration options, and what we’ve discussed here are just the basics, although it should be enough to get you started. For more information, go through the Manpage of snmpd.conf.