Beginners Guide to Installing, Using, and Configuring Net-SNMP – Part 2

In the first part of this series, we discussed the steps you need to follow in order to download, install, and get the Net-SNMP tool running.

In this part, we will focus on the configuration aspect, explaining how you can configure the Net-SNMP agent, as well as set up authentication and encryption for the messages transmitted between it and the client.

Assuming that the Net-SNMP package is installed on your system and is up and running, run the following snmpwalk command:

snmpwalk -v2c -c public localhost system

On my system, the following output was produced:

SNMPv2-MIB::sysDescr.0 = STRING: Linux himanshu-desktop 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (6481067) 18:00:10.67
SNMPv2-MIB::sysContact.0 = STRING: Me <me@example.org>
SNMPv2-MIB::sysName.0 = STRING: himanshu-desktop
SNMPv2-MIB::sysLocation.0 = STRING: Sitting on the Dock of the Bay
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (22) 0:00:00.22
...
...
...

This output contains the values of the system-specific variables under the “.iso.org.dod.internet.mgmt.mib-2.system” MIB tree.

Now, suppose you want to change information such as “sysLocation” and “sysContact”. You can do this by editing the corresponding values in /etc/snmp/snmpd.conf, the file used to configure the Net-SNMP agent (“snmpd”).

The /etc/snmp/snmpd.conf file.

As you can see in the screenshot above, the file contains many entries, some of which are deliberately commented out and need to be explicitly activated. In this file, I changed the value of the “sysLocation” parameter from “Sitting on the Dock of the Bay” to “Datacenter, Row 2, Rack 1.”

For the change to come into effect, just restart the Net-SNMP daemon with the following command:

/etc/init.d/snmpd restart

and then run the snmpwalk command again:

$ snmpwalk -v2c -c public localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux himanshu-desktop 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (470) 0:00:04.70
SNMPv2-MIB::sysContact.0 = STRING: Me <me@example.org>
SNMPv2-MIB::sysName.0 = STRING: himanshu-desktop
SNMPv2-MIB::sysLocation.0 = STRING: Datacenter, Row 2, Rack 1
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

So, as you can see, the value of the “sysLocation” parameter was successfully changed. Similarly, you can tweak the values of other parameters present in this file, as well as add parameters which aren’t already there.

Note: You can also use Net-SNMP’s snmpconf utility to create and modify SNMP configuration files. To learn more about the command, read its man page.

The Net-SNMP client utilities such as snmpget, snmpwalk, and more, as well as the daemon (snmpd) support all three versions of the SNMP protocol: v1, v2c, and v3. While the first two support only authentication, v3 also supports encryption. So, in this section, we will discuss how to set up SNMPv3.

As a first step, stop the snmpd daemon service using the following command:

/etc/init.d/snmpd stop

then open the /var/lib/snmp/snmpd.conf file and add the following line at the bottom:

createUser USERNAME SHA "AUTHENTICATION-PASSWORD" AES "ENCRYPTION-PASSWORD"

The createUser command creates an SNMPv3-specific user for the purpose of authentication and encryption of SNMPv3 messages.

In the command above, replace “AUTHENTICATION-PASSWORD” and “ENCRYPTION-PASSWORD” with actual passwords that you want to keep. Also, it’s worth noting that if you do not mention “ENCRYPTION-PASSWORD” at all, Net-SNMP will use “AUTHENTICATION-PASSWORD” as the “ENCRYPTION-PASSWORD”.

Now, open /etc/snmp/snmpd.conf and add the following line at the bottom:

rouser USERNAME priv

This line gives the user we created earlier read-only access and requires authPriv, the SNMPv3 security level in which messages are both authenticated and encrypted (privacy). If you want the user to have write access as well, use rwuser instead of rouser.

Now, start the Net-SNMP daemon service again using the following command:

/etc/init.d/snmpd start

and then run the following command to test SNMPv3:

snmpwalk -v 3 -l authPriv -a sha -A [AUTHENTICATION-PASSWORD] -x AES -X [ENCRYPTION-PASSWORD] -u [USERNAME] localhost system

If SNMPv3 is set up successfully, the output should be the same as the one listed at the beginning of this article.

Note:
1. Make sure to replace [AUTHENTICATION-PASSWORD], [ENCRYPTION-PASSWORD], and [USERNAME] with appropriate values.

2. SHA authentication and DES/AES encryption support is only available if you have OpenSSL installed or if you’ve compiled using --with-openssl=internal.
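
The access-control lines in /etc/snmp/snmpd.conf can be checked mechanically after a change like the one above. The following is an added example, not part of the original article or of Net-SNMP: a shell function that flags directives weaker than authPriv (v1/v2c community lines, and rouser/rwuser entries without priv, which default to auth when no level is given) and notes any rwuser. The names audit_snmpd_conf and sample_conf and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# audit_snmpd_conf [FILE...]: read snmpd.conf text (files or stdin) and print
# one finding per line, prefixed with the line number of the directive.
audit_snmpd_conf() {
    awk '
    # Skip blank lines and comments.
    NF == 0 || $1 ~ /^#/ { next }
    # v1/v2c directives: the community string is sent unencrypted.
    $1 ~ /^(rocommunity6?|rwcommunity6?|com2sec6?)$/ {
        printf "%d: COMMUNITY %s\n", NR, $1
        next
    }
    # SNMPv3 users: rouser|rwuser [-s SECMODEL] USER [noauth|auth|priv ...]
    $1 == "rouser" || $1 == "rwuser" {
        i = 2
        if ($i == "-s") i += 2             # skip optional "-s SECMODEL"
        user = $i
        level = $(i + 1)
        if (level == "") level = "auth"    # level applied when none is given
        if (level != "priv")
            printf "%d: WEAK-LEVEL %s %s (%s)\n", NR, $1, user, level
        else if ($1 == "rwuser")
            printf "%d: WRITE-ACCESS %s\n", NR, user
    }
    ' "$@"
}

# Constructed sample input: a community line, the rouser line from this
# article, a user with no level, and a read-write user.
sample_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
sysLocation    Datacenter, Row 2, Rack 1
rocommunity    public  default  -V systemonly
rouser         USERNAME priv
rouser         authOnlyUser
rwuser         -s usm adminuser priv
EOF
}

# Demo run on the constructed sample.
sample_conf | audit_snmpd_conf
```

To audit a live agent, run audit_snmpd_conf /etc/snmp/snmpd.conf; no output means every access directive in the file requires authPriv and grants read-only access.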

Net-SNMP provides a lot of configuration options, and what we’ve discussed here are just the basics, although it should be enough to get you started. For more information, go through the man page of snmpd.conf.