]> git.ipfire.org Git - people/ms/ipfire-3.x.git/blob - net-snmp/snmpd.conf
projects / people / ms / ipfire-3.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
libnl3: New package.
[people/ms/ipfire-3.x.git] / net-snmp / snmpd.conf
1 ###############################################################################
2 #
3 # snmpd.conf:
4 # An example configuration file for configuring the ucd-snmp snmpd agent.
5 #
6 ###############################################################################
7 #
8 # This file is intended to only be as a starting point. Many more
9 # configuration directives exist than are mentioned in this file. For
10 # full details, see the snmpd.conf(5) manual page.
11 #
12 # All lines beginning with a '#' are comments and are intended for you
13 # to read. All other lines are configuration commands for the agent.
14
15 ###############################################################################
16 # Access Control
17 ###############################################################################
18
19 # As shipped, the snmpd demon will only respond to queries on the
20 # system mib group until this file is replaced or modified for
21 # security purposes. Examples are shown below about how to increase the
22 # level of access.
23
24 # By far, the most common question I get about the agent is "why won't
25 # it work?", when really it should be "how do I configure the agent to
26 # allow me to access it?"
27 #
28 # By default, the agent responds to the "public" community for read
29 # only access, if run out of the box without any configuration file in
30 # place. The following examples show you other ways of configuring
31 # the agent so that you can change the community names, and give
32 # yourself write access to the mib tree as well.
33 #
34 # For more information, read the FAQ as well as the snmpd.conf(5)
35 # manual page.
36
37 ####
38 # First, map the community name "public" into a "security name"
39
40 # sec.name source community
41 com2sec notConfigUser default public
42
43 ####
44 # Second, map the security name into a group name:
45
46 # groupName securityModel securityName
47 group notConfigGroup v1 notConfigUser
48 group notConfigGroup v2c notConfigUser
49
50 ####
51 # Third, create a view for us to let the group have rights to:
52
53 # Make at least snmpwalk -v 1 localhost -c public system fast again.
54 # name incl/excl subtree mask(optional)
55 view systemview included .1.3.6.1.2.1.1
56 view systemview included .1.3.6.1.2.1.25.1.1
57
58 ####
59 # Finally, grant the group read-only access to the systemview view.
60
61 # group context sec.model sec.level prefix read write notif
62 access notConfigGroup "" any noauth exact systemview none none
63
64 # -----------------------------------------------------------------------------
65
66 # Here is a commented out example configuration that allows less
67 # restrictive access.
68
69 # YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY
70 # KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO
71 # SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.
72
73 ## sec.name source community
74 #com2sec local localhost COMMUNITY
75 #com2sec mynetwork NETWORK/24 COMMUNITY
76
77 ## group.name sec.model sec.name
78 #group MyRWGroup any local
79 #group MyROGroup any mynetwork
80 #
81 #group MyRWGroup any otherv3user
82 #...
83
84 ## incl/excl subtree mask
85 #view all included .1 80
86
87 ## -or just the mib2 tree-
88
89 #view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
90
91
92 ## context sec.model sec.level prefix read write notif
93 #access MyROGroup "" any noauth 0 all none none
94 #access MyRWGroup "" any noauth 0 all all all
95
96
97 ###############################################################################
98 # Sample configuration to make net-snmpd RFC 1213.
99 # Unfortunately v1 and v2c don't allow any user based authentification, so
100 # opening up the default config is not an option from a security point.
101 #
102 # WARNING: If you uncomment the following lines you allow write access to your
103 # snmpd daemon from any source! To avoid this use different names for your
104 # community or split out the write access to a different community and
105 # restrict it to your local network.
106 # Also remember to comment the syslocation and syscontact parameters later as
107 # otherwise they are still read only (see FAQ for net-snmp).
108 #
109
110 # First, map the community name "public" into a "security name"
111 # sec.name source community
112 #com2sec notConfigUser default public
113
114 # Second, map the security name into a group name:
115 # groupName securityModel securityName
116 #group notConfigGroup v1 notConfigUser
117 #group notConfigGroup v2c notConfigUser
118
119 # Third, create a view for us to let the group have rights to:
120 # Open up the whole tree for ro, make the RFC 1213 required ones rw.
121 # name incl/excl subtree mask(optional)
122 #view roview included .1
123 #view rwview included system.sysContact
124 #view rwview included system.sysName
125 #view rwview included system.sysLocation
126 #view rwview included interfaces.ifTable.ifEntry.ifAdminStatus
127 #view rwview included at.atTable.atEntry.atPhysAddress
128 #view rwview included at.atTable.atEntry.atNetAddress
129 #view rwview included ip.ipForwarding
130 #view rwview included ip.ipDefaultTTL
131 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest
132 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
133 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
134 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
135 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
136 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
137 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType
138 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge
139 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask
140 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
141 #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
142 #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
143 #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
144 #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
145 #view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState
146 #view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
147 #view rwview included snmp.snmpEnableAuthenTraps
148
149 # Finally, grant the group read-only access to the systemview view.
150 # group context sec.model sec.level prefix read write notif
151 #access notConfigGroup "" any noauth exact roview rwview none
152
153
154
155 ###############################################################################
156 # System contact information
157 #
158
159 # It is also possible to set the sysContact and sysLocation system
160 # variables through the snmpd.conf file:
161
162 syslocation Unknown (edit /etc/snmp/snmpd.conf)
163 syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
164
165 # Example output of snmpwalk:
166 # % snmpwalk -v 1 localhost -c public system
167 # system.sysDescr.0 = "SunOS name sun4c"
168 # system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4
169 # system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55
170 # system.sysContact.0 = "Me <me@somewhere.org>"
171 # system.sysName.0 = "name"
172 # system.sysLocation.0 = "Right here, right now."
173 # system.sysServices.0 = 72
174
175
176 ###############################################################################
177 # Logging
178 #
179
180 # We do not want annoying "Connection from UDP: " messages in syslog.
181 # If the following option is commented out, snmpd will print each incoming
182 # connection, which can be useful for debugging.
183
184 dontLogTCPWrappersConnects yes
185
186 # -----------------------------------------------------------------------------
187
188
189 ###############################################################################
190 # Process checks.
191 #
192 # The following are examples of how to use the agent to check for
193 # processes running on the host. The syntax looks something like:
194 #
195 # proc NAME [MAX=0] [MIN=0]
196 #
197 # NAME: the name of the process to check for. It must match
198 # exactly (ie, http will not find httpd processes).
199 # MAX: the maximum number allowed to be running. Defaults to 0.
200 # MIN: the minimum number to be running. Defaults to 0.
201
202 #
203 # Examples (commented out by default):
204 #
205
206 # Make sure mountd is running
207 #proc mountd
208
209 # Make sure there are no more than 4 ntalkds running, but 0 is ok too.
210 #proc ntalkd 4
211
212 # Make sure at least one sendmail, but less than or equal to 10 are running.
213 #proc sendmail 10 1
214
215 # A snmpwalk of the process mib tree would look something like this:
216 #
217 # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2
218 # enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1
219 # enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2
220 # enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3
221 # enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd"
222 # enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd"
223 # enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail"
224 # enterprises.ucdavis.procTable.prEntry.prMin.1 = 0
225 # enterprises.ucdavis.procTable.prEntry.prMin.2 = 0
226 # enterprises.ucdavis.procTable.prEntry.prMin.3 = 1
227 # enterprises.ucdavis.procTable.prEntry.prMax.1 = 0
228 # enterprises.ucdavis.procTable.prEntry.prMax.2 = 4
229 # enterprises.ucdavis.procTable.prEntry.prMax.3 = 10
230 # enterprises.ucdavis.procTable.prEntry.prCount.1 = 0
231 # enterprises.ucdavis.procTable.prEntry.prCount.2 = 0
232 # enterprises.ucdavis.procTable.prEntry.prCount.3 = 1
233 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1
234 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0
235 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0
236 # enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running."
237 # enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = ""
238 # enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = ""
239 # enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0
240 # enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0
241 # enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0
242 #
243 # Note that the errorFlag for mountd is set to 1 because one is not
244 # running (in this case an rpc.mountd is, but thats not good enough),
245 # and the ErrMessage tells you what's wrong. The configuration
246 # imposed in the snmpd.conf file is also shown.
247 #
248 # Special Case: When the min and max numbers are both 0, it assumes
249 # you want a max of infinity and a min of 1.
250 #
251
252
253 # -----------------------------------------------------------------------------
254
255
256 ###############################################################################
257 # Executables/scripts
258 #
259
260 #
261 # You can also have programs run by the agent that return a single
262 # line of output and an exit code. Here are two examples.
263 #
264 # exec NAME PROGRAM [ARGS ...]
265 #
266 # NAME: A generic name. The name must be unique for each exec statement.
267 # PROGRAM: The program to run. Include the path!
268 # ARGS: optional arguments to be passed to the program
269
270 # a simple hello world
271
272 #exec echotest /bin/echo hello world
273
274 # Run a shell script containing:
275 #
276 # #!/bin/sh
277 # echo hello world
278 # echo hi there
279 # exit 35
280 #
281 # Note: this has been specifically commented out to prevent
282 # accidental security holes due to someone else on your system writing
283 # a /tmp/shtest before you do. Uncomment to use it.
284 #
285 #exec shelltest /bin/sh /tmp/shtest
286
287 # Then,
288 # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8
289 # enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1
290 # enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2
291 # enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest"
292 # enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest"
293 # enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world"
294 # enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest"
295 # enterprises.ucdavis.extTable.extEntry.extResult.1 = 0
296 # enterprises.ucdavis.extTable.extEntry.extResult.2 = 35
297 # enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world."
298 # enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world."
299 # enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0
300 # enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0
301
302 # Note that the second line of the /tmp/shtest shell script is cut
303 # off. Also note that the exit status of 35 was returned.
304
305 # -----------------------------------------------------------------------------
306
307
308 ###############################################################################
309 # disk checks
310 #
311
312 # The agent can check the amount of available disk space, and make
313 # sure it is above a set limit.
314
315 # disk PATH [MIN=100000]
316 #
317 # PATH: mount path to the disk in question.
318 # MIN: Disks with space below this value will have the Mib's errorFlag set.
319 # Default value = 100000.
320
321 # Check the / partition and make sure it contains at least 10 megs.
322
323 #disk / 10000
324
325 # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9
326 # enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0
327 # enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F
328 # enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0"
329 # enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000
330 # enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130
331 # enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325
332 # enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092
333 # enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58
334 # enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0
335 # enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = ""
336
337 # -----------------------------------------------------------------------------
338
339
340 ###############################################################################
341 # load average checks
342 #
343
344 # load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
345 #
346 # 1MAX: If the 1 minute load average is above this limit at query
347 # time, the errorFlag will be set.
348 # 5MAX: Similar, but for 5 min average.
349 # 15MAX: Similar, but for 15 min average.
350
351 # Check for loads:
352 #load 12 14 14
353
354 # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10
355 # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1
356 # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2
357 # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3
358 # enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1"
359 # enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5"
360 # enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15"
361 # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39
362 # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31
363 # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36
364 # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00"
365 # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00"
366 # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00"
367 # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0
368 # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0
369 # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0
370 # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = ""
371 # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = ""
372 # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = ""
373
374 # -----------------------------------------------------------------------------
375
376
377 ###############################################################################
378 # Extensible sections.
379 #
380
381 # This alleviates the multiple line output problem found in the
382 # previous executable mib by placing each mib in its own mib table:
383
384 # Run a shell script containing:
385 #
386 # #!/bin/sh
387 # echo hello world
388 # echo hi there
389 # exit 35
390 #
391 # Note: this has been specifically commented out to prevent
392 # accidental security holes due to someone else on your system writing
393 # a /tmp/shtest before you do. Uncomment to use it.
394 #
395 # exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest
396
397 # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50
398 # enterprises.ucdavis.50.1.1 = 1
399 # enterprises.ucdavis.50.2.1 = "shelltest"
400 # enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest"
401 # enterprises.ucdavis.50.100.1 = 35
402 # enterprises.ucdavis.50.101.1 = "hello world."
403 # enterprises.ucdavis.50.101.2 = "hi there."
404 # enterprises.ucdavis.50.102.1 = 0
405
406 # Now the Output has grown to two lines, and we can see the 'hi
407 # there.' output as the second line from our shell script.
408 #
409 # Note that you must alter the mib.txt file to be correct if you want
410 # the .50.* outputs above to change to reasonable text descriptions.
411
412 # Other ideas:
413 #
414 # exec .1.3.6.1.4.1.2021.51 ps /bin/ps
415 # exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top
416 # exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq
417
418 # -----------------------------------------------------------------------------
419
420
421 ###############################################################################
422 # Pass through control.
423 #
424
425 # Usage:
426 # pass MIBOID EXEC-COMMAND
427 #
428 # This will pass total control of the mib underneath the MIBOID
429 # portion of the mib to the EXEC-COMMAND.
430 #
431 # Note: You'll have to change the path of the passtest script to your
432 # source directory or install it in the given location.
433 #
434 # Example: (see the script for details)
435 # (commented out here since it requires that you place the
436 # script in the right location. (its not installed by default))
437
438 # pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest
439
440 # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255
441 # enterprises.ucdavis.255.1 = "life the universe and everything"
442 # enterprises.ucdavis.255.2.1 = 42
443 # enterprises.ucdavis.255.2.2 = OID: 42.42.42
444 # enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42
445 # enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1
446 # enterprises.ucdavis.255.5 = 42
447 # enterprises.ucdavis.255.6 = Gauge: 42
448 #
449 # % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5
450 # enterprises.ucdavis.255.5 = 42
451 #
452 # % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string"
453 # enterprises.ucdavis.255.1 = "New string"
454 #
455
456 # For specific usage information, see the man/snmpd.conf.5 manual page
457 # as well as the local/passtest script used in the above example.
458
459 ###############################################################################
460 # Further Information
461 #
462 # See the snmpd.conf manual page, and the output of "snmpd -H".
Michael's tree of IPFire 3.x.