]>
Commit | Line | Data |
---|---|---|
0302c83d MT |
1 | ############################################################################### |
2 | # | |
3 | # snmpd.conf: | |
4 | # An example configuration file for configuring the ucd-snmp snmpd agent. | |
5 | # | |
6 | ############################################################################### | |
7 | # | |
8 | # This file is intended to only be as a starting point. Many more | |
9 | # configuration directives exist than are mentioned in this file. For | |
10 | # full details, see the snmpd.conf(5) manual page. | |
11 | # | |
12 | # All lines beginning with a '#' are comments and are intended for you | |
13 | # to read. All other lines are configuration commands for the agent. | |
14 | ||
15 | ############################################################################### | |
16 | # Access Control | |
17 | ############################################################################### | |
18 | ||
19 | # As shipped, the snmpd demon will only respond to queries on the | |
20 | # system mib group until this file is replaced or modified for | |
21 | # security purposes. Examples are shown below about how to increase the | |
22 | # level of access. | |
23 | ||
24 | # By far, the most common question I get about the agent is "why won't | |
25 | # it work?", when really it should be "how do I configure the agent to | |
26 | # allow me to access it?" | |
27 | # | |
28 | # By default, the agent responds to the "public" community for read | |
29 | # only access, if run out of the box without any configuration file in | |
30 | # place. The following examples show you other ways of configuring | |
31 | # the agent so that you can change the community names, and give | |
32 | # yourself write access to the mib tree as well. | |
33 | # | |
34 | # For more information, read the FAQ as well as the snmpd.conf(5) | |
35 | # manual page. | |
36 | ||
37 | #### | |
38 | # First, map the community name "public" into a "security name" | |
39 | ||
40 | # sec.name source community | |
41 | com2sec notConfigUser default public | |
42 | ||
43 | #### | |
44 | # Second, map the security name into a group name: | |
45 | ||
46 | # groupName securityModel securityName | |
47 | group notConfigGroup v1 notConfigUser | |
48 | group notConfigGroup v2c notConfigUser | |
49 | ||
50 | #### | |
51 | # Third, create a view for us to let the group have rights to: | |
52 | ||
53 | # Make at least snmpwalk -v 1 localhost -c public system fast again. | |
54 | # name incl/excl subtree mask(optional) | |
55 | view systemview included .1.3.6.1.2.1.1 | |
56 | view systemview included .1.3.6.1.2.1.25.1.1 | |
57 | ||
58 | #### | |
59 | # Finally, grant the group read-only access to the systemview view. | |
60 | ||
61 | # group context sec.model sec.level prefix read write notif | |
62 | access notConfigGroup "" any noauth exact systemview none none | |
63 | ||
64 | # ----------------------------------------------------------------------------- | |
65 | ||
66 | # Here is a commented out example configuration that allows less | |
67 | # restrictive access. | |
68 | ||
69 | # YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY | |
70 | # KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO | |
71 | # SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE. | |
72 | ||
73 | ## sec.name source community | |
74 | #com2sec local localhost COMMUNITY | |
75 | #com2sec mynetwork NETWORK/24 COMMUNITY | |
76 | ||
77 | ## group.name sec.model sec.name | |
78 | #group MyRWGroup any local | |
79 | #group MyROGroup any mynetwork | |
80 | # | |
81 | #group MyRWGroup any otherv3user | |
82 | #... | |
83 | ||
84 | ## incl/excl subtree mask | |
85 | #view all included .1 80 | |
86 | ||
87 | ## -or just the mib2 tree- | |
88 | ||
89 | #view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc | |
90 | ||
91 | ||
92 | ## context sec.model sec.level prefix read write notif | |
93 | #access MyROGroup "" any noauth 0 all none none | |
94 | #access MyRWGroup "" any noauth 0 all all all | |
95 | ||
96 | ||
97 | ############################################################################### | |
98 | # Sample configuration to make net-snmpd RFC 1213. | |
99 | # Unfortunately v1 and v2c don't allow any user based authentification, so | |
100 | # opening up the default config is not an option from a security point. | |
101 | # | |
102 | # WARNING: If you uncomment the following lines you allow write access to your | |
103 | # snmpd daemon from any source! To avoid this use different names for your | |
104 | # community or split out the write access to a different community and | |
105 | # restrict it to your local network. | |
106 | # Also remember to comment the syslocation and syscontact parameters later as | |
107 | # otherwise they are still read only (see FAQ for net-snmp). | |
108 | # | |
109 | ||
110 | # First, map the community name "public" into a "security name" | |
111 | # sec.name source community | |
112 | #com2sec notConfigUser default public | |
113 | ||
114 | # Second, map the security name into a group name: | |
115 | # groupName securityModel securityName | |
116 | #group notConfigGroup v1 notConfigUser | |
117 | #group notConfigGroup v2c notConfigUser | |
118 | ||
119 | # Third, create a view for us to let the group have rights to: | |
120 | # Open up the whole tree for ro, make the RFC 1213 required ones rw. | |
121 | # name incl/excl subtree mask(optional) | |
122 | #view roview included .1 | |
123 | #view rwview included system.sysContact | |
124 | #view rwview included system.sysName | |
125 | #view rwview included system.sysLocation | |
126 | #view rwview included interfaces.ifTable.ifEntry.ifAdminStatus | |
127 | #view rwview included at.atTable.atEntry.atPhysAddress | |
128 | #view rwview included at.atTable.atEntry.atNetAddress | |
129 | #view rwview included ip.ipForwarding | |
130 | #view rwview included ip.ipDefaultTTL | |
131 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest | |
132 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex | |
133 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1 | |
134 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2 | |
135 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3 | |
136 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4 | |
137 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType | |
138 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge | |
139 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask | |
140 | #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5 | |
141 | #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex | |
142 | #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress | |
143 | #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress | |
144 | #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType | |
145 | #view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState | |
146 | #view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger | |
147 | #view rwview included snmp.snmpEnableAuthenTraps | |
148 | ||
149 | # Finally, grant the group read-only access to the systemview view. | |
150 | # group context sec.model sec.level prefix read write notif | |
151 | #access notConfigGroup "" any noauth exact roview rwview none | |
152 | ||
153 | ||
154 | ||
155 | ############################################################################### | |
156 | # System contact information | |
157 | # | |
158 | ||
159 | # It is also possible to set the sysContact and sysLocation system | |
160 | # variables through the snmpd.conf file: | |
161 | ||
162 | syslocation Unknown (edit /etc/snmp/snmpd.conf) | |
163 | syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf) | |
164 | ||
165 | # Example output of snmpwalk: | |
166 | # % snmpwalk -v 1 localhost -c public system | |
167 | # system.sysDescr.0 = "SunOS name sun4c" | |
168 | # system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4 | |
169 | # system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55 | |
170 | # system.sysContact.0 = "Me <me@somewhere.org>" | |
171 | # system.sysName.0 = "name" | |
172 | # system.sysLocation.0 = "Right here, right now." | |
173 | # system.sysServices.0 = 72 | |
174 | ||
175 | ||
176 | ############################################################################### | |
177 | # Logging | |
178 | # | |
179 | ||
180 | # We do not want annoying "Connection from UDP: " messages in syslog. | |
181 | # If the following option is commented out, snmpd will print each incoming | |
182 | # connection, which can be useful for debugging. | |
183 | ||
184 | dontLogTCPWrappersConnects yes | |
185 | ||
186 | # ----------------------------------------------------------------------------- | |
187 | ||
188 | ||
189 | ############################################################################### | |
190 | # Process checks. | |
191 | # | |
192 | # The following are examples of how to use the agent to check for | |
193 | # processes running on the host. The syntax looks something like: | |
194 | # | |
195 | # proc NAME [MAX=0] [MIN=0] | |
196 | # | |
197 | # NAME: the name of the process to check for. It must match | |
198 | # exactly (ie, http will not find httpd processes). | |
199 | # MAX: the maximum number allowed to be running. Defaults to 0. | |
200 | # MIN: the minimum number to be running. Defaults to 0. | |
201 | ||
202 | # | |
203 | # Examples (commented out by default): | |
204 | # | |
205 | ||
206 | # Make sure mountd is running | |
207 | #proc mountd | |
208 | ||
209 | # Make sure there are no more than 4 ntalkds running, but 0 is ok too. | |
210 | #proc ntalkd 4 | |
211 | ||
212 | # Make sure at least one sendmail, but less than or equal to 10 are running. | |
213 | #proc sendmail 10 1 | |
214 | ||
215 | # A snmpwalk of the process mib tree would look something like this: | |
216 | # | |
217 | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2 | |
218 | # enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 | |
219 | # enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 | |
220 | # enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 | |
221 | # enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd" | |
222 | # enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd" | |
223 | # enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail" | |
224 | # enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 | |
225 | # enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 | |
226 | # enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 | |
227 | # enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 | |
228 | # enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 | |
229 | # enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 | |
230 | # enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 | |
231 | # enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 | |
232 | # enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 | |
233 | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 | |
234 | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 | |
235 | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 | |
236 | # enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." | |
237 | # enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" | |
238 | # enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" | |
239 | # enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 | |
240 | # enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 | |
241 | # enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 | |
242 | # | |
243 | # Note that the errorFlag for mountd is set to 1 because one is not | |
244 | # running (in this case an rpc.mountd is, but thats not good enough), | |
245 | # and the ErrMessage tells you what's wrong. The configuration | |
246 | # imposed in the snmpd.conf file is also shown. | |
247 | # | |
248 | # Special Case: When the min and max numbers are both 0, it assumes | |
249 | # you want a max of infinity and a min of 1. | |
250 | # | |
251 | ||
252 | ||
253 | # ----------------------------------------------------------------------------- | |
254 | ||
255 | ||
256 | ############################################################################### | |
257 | # Executables/scripts | |
258 | # | |
259 | ||
260 | # | |
261 | # You can also have programs run by the agent that return a single | |
262 | # line of output and an exit code. Here are two examples. | |
263 | # | |
264 | # exec NAME PROGRAM [ARGS ...] | |
265 | # | |
266 | # NAME: A generic name. The name must be unique for each exec statement. | |
267 | # PROGRAM: The program to run. Include the path! | |
268 | # ARGS: optional arguments to be passed to the program | |
269 | ||
270 | # a simple hello world | |
271 | ||
272 | #exec echotest /bin/echo hello world | |
273 | ||
274 | # Run a shell script containing: | |
275 | # | |
276 | # #!/bin/sh | |
277 | # echo hello world | |
278 | # echo hi there | |
279 | # exit 35 | |
280 | # | |
281 | # Note: this has been specifically commented out to prevent | |
282 | # accidental security holes due to someone else on your system writing | |
283 | # a /tmp/shtest before you do. Uncomment to use it. | |
284 | # | |
285 | #exec shelltest /bin/sh /tmp/shtest | |
286 | ||
287 | # Then, | |
288 | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8 | |
289 | # enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1 | |
290 | # enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2 | |
291 | # enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest" | |
292 | # enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest" | |
293 | # enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world" | |
294 | # enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest" | |
295 | # enterprises.ucdavis.extTable.extEntry.extResult.1 = 0 | |
296 | # enterprises.ucdavis.extTable.extEntry.extResult.2 = 35 | |
297 | # enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world." | |
298 | # enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world." | |
299 | # enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0 | |
300 | # enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0 | |
301 | ||
302 | # Note that the second line of the /tmp/shtest shell script is cut | |
303 | # off. Also note that the exit status of 35 was returned. | |
304 | ||
305 | # ----------------------------------------------------------------------------- | |
306 | ||
307 | ||
308 | ############################################################################### | |
309 | # disk checks | |
310 | # | |
311 | ||
312 | # The agent can check the amount of available disk space, and make | |
313 | # sure it is above a set limit. | |
314 | ||
315 | # disk PATH [MIN=100000] | |
316 | # | |
317 | # PATH: mount path to the disk in question. | |
318 | # MIN: Disks with space below this value will have the Mib's errorFlag set. | |
319 | # Default value = 100000. | |
320 | ||
321 | # Check the / partition and make sure it contains at least 10 megs. | |
322 | ||
323 | #disk / 10000 | |
324 | ||
325 | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9 | |
326 | # enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0 | |
327 | # enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F | |
328 | # enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0" | |
329 | # enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000 | |
330 | # enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130 | |
331 | # enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325 | |
332 | # enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092 | |
333 | # enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58 | |
334 | # enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0 | |
335 | # enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = "" | |
336 | ||
337 | # ----------------------------------------------------------------------------- | |
338 | ||
339 | ||
340 | ############################################################################### | |
341 | # load average checks | |
342 | # | |
343 | ||
344 | # load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0] | |
345 | # | |
346 | # 1MAX: If the 1 minute load average is above this limit at query | |
347 | # time, the errorFlag will be set. | |
348 | # 5MAX: Similar, but for 5 min average. | |
349 | # 15MAX: Similar, but for 15 min average. | |
350 | ||
351 | # Check for loads: | |
352 | #load 12 14 14 | |
353 | ||
354 | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10 | |
355 | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1 | |
356 | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2 | |
357 | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3 | |
358 | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1" | |
359 | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5" | |
360 | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15" | |
361 | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39 | |
362 | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31 | |
363 | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36 | |
364 | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00" | |
365 | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00" | |
366 | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00" | |
367 | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0 | |
368 | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0 | |
369 | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0 | |
370 | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = "" | |
371 | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = "" | |
372 | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = "" | |
373 | ||
374 | # ----------------------------------------------------------------------------- | |
375 | ||
376 | ||
377 | ############################################################################### | |
378 | # Extensible sections. | |
379 | # | |
380 | ||
381 | # This alleviates the multiple line output problem found in the | |
382 | # previous executable mib by placing each mib in its own mib table: | |
383 | ||
384 | # Run a shell script containing: | |
385 | # | |
386 | # #!/bin/sh | |
387 | # echo hello world | |
388 | # echo hi there | |
389 | # exit 35 | |
390 | # | |
391 | # Note: this has been specifically commented out to prevent | |
392 | # accidental security holes due to someone else on your system writing | |
393 | # a /tmp/shtest before you do. Uncomment to use it. | |
394 | # | |
395 | # exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest | |
396 | ||
397 | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50 | |
398 | # enterprises.ucdavis.50.1.1 = 1 | |
399 | # enterprises.ucdavis.50.2.1 = "shelltest" | |
400 | # enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest" | |
401 | # enterprises.ucdavis.50.100.1 = 35 | |
402 | # enterprises.ucdavis.50.101.1 = "hello world." | |
403 | # enterprises.ucdavis.50.101.2 = "hi there." | |
404 | # enterprises.ucdavis.50.102.1 = 0 | |
405 | ||
406 | # Now the Output has grown to two lines, and we can see the 'hi | |
407 | # there.' output as the second line from our shell script. | |
408 | # | |
409 | # Note that you must alter the mib.txt file to be correct if you want | |
410 | # the .50.* outputs above to change to reasonable text descriptions. | |
411 | ||
412 | # Other ideas: | |
413 | # | |
414 | # exec .1.3.6.1.4.1.2021.51 ps /bin/ps | |
415 | # exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top | |
416 | # exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq | |
417 | ||
418 | # ----------------------------------------------------------------------------- | |
419 | ||
420 | ||
421 | ############################################################################### | |
422 | # Pass through control. | |
423 | # | |
424 | ||
425 | # Usage: | |
426 | # pass MIBOID EXEC-COMMAND | |
427 | # | |
428 | # This will pass total control of the mib underneath the MIBOID | |
429 | # portion of the mib to the EXEC-COMMAND. | |
430 | # | |
431 | # Note: You'll have to change the path of the passtest script to your | |
432 | # source directory or install it in the given location. | |
433 | # | |
434 | # Example: (see the script for details) | |
435 | # (commented out here since it requires that you place the | |
436 | # script in the right location. (its not installed by default)) | |
437 | ||
438 | # pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest | |
439 | ||
440 | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255 | |
441 | # enterprises.ucdavis.255.1 = "life the universe and everything" | |
442 | # enterprises.ucdavis.255.2.1 = 42 | |
443 | # enterprises.ucdavis.255.2.2 = OID: 42.42.42 | |
444 | # enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 | |
445 | # enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 | |
446 | # enterprises.ucdavis.255.5 = 42 | |
447 | # enterprises.ucdavis.255.6 = Gauge: 42 | |
448 | # | |
449 | # % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5 | |
450 | # enterprises.ucdavis.255.5 = 42 | |
451 | # | |
452 | # % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string" | |
453 | # enterprises.ucdavis.255.1 = "New string" | |
454 | # | |
455 | ||
456 | # For specific usage information, see the man/snmpd.conf.5 manual page | |
457 | # as well as the local/passtest script used in the above example. | |
458 | ||
459 | ############################################################################### | |
460 | # Further Information | |
461 | # | |
462 | # See the snmpd.conf manual page, and the output of "snmpd -H". |