Articles‎ > ‎

SNMP - More than checking the box

posted Dec 18, 2008, 9:25 AM by Philip Rinehart   [ updated Dec 18, 2008, 9:25 AM by Greg Neagle ]
Written by Andrina Kelly   
Wednesday, 23 May 2007

SNMP, simple network management protocol, is a way to monitor your network-attached devices.  In a typical setup an agent will run on each system and report information to the managing system. Some examples of a managing system could be Intermapper, MRTG, RRDTool or Lithium.

 In this article we're going to go through how to configure snmp on OS X Server. 

OS X Server comes with the snmpd already installed, and a simple check-box in Server Admin to enable the daemon, however, simply enabling the process isn't enough, and some configuration is going to be required before you can get any information out of your server. (As an aside, if you wish to test this on a client OS instead, you can install Net-SNMP and see the same results - http://net-snmp.sourceforge.net/)

While configuring your SNMP service, you're going to want the daemon disabled, so ensure the check-box in Server Admin is unchecked first.

In terminal on the machine you're looking to monitor, in this case our OS X Server, we're going to first want to backup the default configuration file.  This file can be found at /etc/snmpd.conf - I like to back these up in the same directory so I can easily find them in the future.

The tool we're going to use is going to recreate the snmpd.conf file for us, so in this cape I'm going to move the original file instead of copying it. You can simply do a move i.e.:

mv /etc/snmpd.conf /etc/snmpd.conf.bak 

N.B. I like to date/time my backup files as I'm working so I can see a bit more clearly what's going on, and so I don't end up with files like file.bak, file.bak1 etc.  A simple way of doing this is to employ the "date" comand into your mv command like this:
mv /etc/snmpd.conf /etc/snmpd.conf.`date +%Y%m%d`
This moves the file to /etc/snmpd.conf.20070523
If you wanted to add in time, 'man date' will show you all the available formats

 We can now move on to configuring snmp, we'll be doing this with an interactive command-line tool.  Still in terminal, we're going to use the snmpconf tool:

sudo snmpconf -i


This will present you with an interactive process, with the first screen looking like this:

I can create the following types of configuration files for you.
Select the file type you wish to create:
(you can create more than one as you run this program)

   1:  snmpd.conf
   2:  snmptrapd.conf
   3:  snmp.conf

Other options: quit

Select File:

We're going to be creating the snmpd.conf file, so select 1 and enter. After doing this you'll be presented with the following screen, we're looking to set up access, so we're again interested in the first option of Access Control:

The configuration information which can be put into snmpd.conf is divided
into sections.  Select a configuration section for snmpd.conf
that you wish to create:

   1:  Access Control Setup
   2:  Extending the Agent
   3:  Monitor Various Aspects of the Running Host
   4:  Agent Operating Mode
   5:  System Information Setup
   6:  Trap Destinations

Other options: finished

Select section:

Now we're in the Access Control Setup area, we're going to set up our community name.  This community is what your monitoring application is gong to use to authenticate itself to your agent.  The default setting for a community name is generally "public" however, as this is a default it's akin to leaving the password on your wireless router as "admin".

We're going to set up selection 3 from the Access Control Setup, and I'm going to call my community macenterprise for this configuration.

Select section: 3

Configuring: rocommunity
Description:
  a SNMPv1/SNMPv2c read-only access community name
    arguments:  community [default|hostname|network/bits] [oid]

The community name to add read-only access for: macenterprise
The hostname or network address to accept this community name from [RETURN for all]: 
The OID that this community should be restricted to [RETURN for no-restriction]: 

Finished Output: rocommunity  macenterprise

Other than being asked for my community name, I could have also restricted what host or IP would be able to access my machine, or the OID that my community should be restricted to - this is further in depth than we're going to get in this overview, but an OID is an object identifier, so with this you can identify distinct results from within the hierarchy of results that this community would only have access to.  I've left both of these at their default values, and my result is a read-only community called macenterprise.

We're finished with the Access Control setup, so you can type in "finished" here, and it will bring you back to the previous menu.

Select section: finished

The configuration information which can be put into snmpd.conf is divided
into sections.  Select a configuration section for snmpd.conf
that you wish to create:

   1:  Access Control Setup
   2:  Extending the Agent
   3:  Monitor Various Aspects of the Running Host
   4:  Agent Operating Mode
   5:  System Information Setup
   6:  Trap Destinations

Other options: finished

Select section:

 It's good to have some information about the general system setup in your configuration, like where the machine is physically located, and who the primary contact for the machine is, we can do this from within selection 5, the System Information Setup menu.

Section: System Information Setup
Description:
  This section defines some of the information reported in
  the "system" mib group in the mibII tree.

Select from:

   1:  The [typically physical] location of the system.
   2:  The contact information for the administrator
   3:  The proper value for the sysServices object.

Other options: finished, list

Select section: 

Select 1 and enter the physical location of your machine - this can include more than just the room, but also what rack, and even where in the rack. After that you can select number 2 and enter in contact information for the administrator.

Select section: 1

Configuring: syslocation
Description:
  The [typically physical] location of the system.
    Note that setting this value here means that when trying to
    perform an snmp SET operation to the sysLocation.0 variable will make
    the agent return the "notWritable" error code.  IE, including
    this token in the snmpd.conf file will disable write access to
    the variable.
    arguments:  location_string

The location of the system: Computer Center Server Room, Rack 24, U 14

Finished Output: syslocation  "Computer Center Server Room, Rack 24, U 14"

Select section: 2

Configuring: syscontact
Description:
  The contact information for the administrator
    Note that setting this value here means that when trying to
    perform an snmp SET operation to the sysContact.0 variable will make
    the agent return the "notWritable" error code.  IE, including
    this token in the snmpd.conf file will disable write access to
    the variable.
    arguments:  contact_string

The contact information: Andrina Kelly, 555-123-4567 andrina@nojunkemailforme.com

Finished Output: syscontact  "Andrina Kelly, 555-123-4567 andrina@nojunkemailforme.com"

Option 3 is for configuring the sysServices object, you will be asked a number of Yes/No questions to determine what the proper value for the sysServices object. This is used to determine what services your machine offers. Reply with a 1 for yes or a 0 for no:

Select section: 3

Configuring: sysservices
Description:
  The proper value for the sysServices object.
    arguments:  sysservices_number

does this host offer physical services (eg, like a repeater) [answer 0 or 1]: 0
does this host offer datalink/subnetwork services (eg, like a bridge): 0
does this host offer internet services (eg, supports IP): 1
does this host offer end-to-end services (eg, supports TCP): 1
does this host offer application services (eg, supports SMTP): 1

Finished Output: sysservices 76

That's our snmpd.conf file configured.  From here type finished twice to return back to the menu that allows us to configure our snmp.conf file.

Select section: finished

I can create the following types of configuration files for you.
Select the file type you wish to create:
(you can create more than one as you run this program)

   1:  snmpd.conf
   2:  snmptrapd.conf
   3:  snmp.conf

Other options: quit

Select File: 3

The configuration information which can be put into snmp.conf is divided
into sections.  Select a configuration section for snmp.conf
that you wish to create:

   1:  Default Authentication Options
   2:  Debugging output options
   3:  Textual mib parsing
   4:  Output style options

Other options: finished

Select section: 

We'll be configuring the Default Authentication Options in our snmp.conf file, so select option 1 for this, and then in the resulting menu, we're going to chosing option 3 and entering in our community name that we set earlier.

Select section: 1

Section: Default Authentication Options
Description:
  This section defines the default authentication
  information.  Setting these up properly in your
  ~/.snmp/snmp.conf file will greatly reduce the amount of
  command line arguments you need to type (especially for snmpv3).

Select from:

   1:  The default port number to use
   2:  The default snmp version number to use.
   3:  The default snmpv1 and snmpv2c community name to use when needed.
   4:  The default snmpv3 security name to use when using snmpv3
   5:  The default snmpv3 context name to use
   6:  The default snmpv3 security level to use
   7:  The default snmpv3 authentication type name to use
   8:  The default snmpv3 authentication pass phrase to use
   9:  The default snmpv3 privacy (encryption) type name to use
  10:  The default snmpv3 privacy pass phrase to use

Other options: finished, list

Select section: 3

Configuring: defcommunity
Description:
  The default snmpv1 and snmpv2c community name to use when needed.
    If this is specified, you don't need to include the community
    name as an argument to the snmp applications.  
    override: with -c on the command line.
    arguments: communityname

Enter the default community name to use: macenterprise

Finished Output: defcommunity  macenterprise

After doing this get back to the main menu using "finished" a couple more times, and you can now quit, and your files will be created for you.

Select section: finished

I can create the following types of configuration files for you.
Select the file type you wish to create:
(you can create more than one as you run this program)

   1:  snmpd.conf
   2:  snmptrapd.conf
   3:  snmp.conf

Other options: quit

Select File: quit


The following files were created:

  snmpd.conf installed in /usr/share/snmp
  snmp.conf installed in /usr/share/snmp

Now this is done we can enable snmp again in Server Admin, and test the service.  We can use snmpwalk to do a simply querry of our local network entity.

server:/etc dri$ snmpwalk -v 1 -c macenterprise localhost
SNMPv2-MIB::sysDescr.0 = STRING: Darwin server.example.com 8.6.0 Darwin Kernel Version 8.6.0: Tue Mar  7 16:58:48 PST 2006; root:xnu-792.6.70.obj~1/RELEASE_PPC Power Macintosh
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.255
SNMPv2-MIB::sysUpTime.0 = Timeticks: (2098) 0:00:20.98
SNMPv2-MIB::sysContact.0 = STRING: "Andrina Kelly, 555-123-4567 andrina@nojunkemailforme.com"
SNMPv2-MIB::sysName.0 = STRING: server.example.com
SNMPv2-MIB::sysLocation.0 = STRING: "Computer Center Server Room, Rack 24, U 14"
SNMPv2-MIB::sysServices.0 = INTEGER: 76
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (67) 0:00:00.67
SNMPv2-MIB::sysORID.1 = OID: IF-MIB::ifMIB
SNMPv2-MIB::sysORID.2 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.3 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.4 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.5 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.6 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.7 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.8 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.9 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance

So with this we're using the SNMPv1 to search the macenterprise community on our localhost - the list that came back was miles longer, and assuming you get an equally long list of information, you've configured everything correctly.  If you forgot something (like checking the SNMP box in Server Admin) after a few seconds you'll get a timeout message.

With this you're now ready to add your newly configured machine into your monitoring application of choice and start gathering statistics. Once configured and set up the whole process is rather self-sustaining, but great for refering back to and help you see trends in your infrastructure. 

Last Updated ( Thursday, 03 January 2008 )
Comments