Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
centos:cacti_c6:snmp [31.07.2012 10:51. ] – [Manpage snmpd.conf] django | centos:cacti_c6:snmp [31.10.2023 18:53. ] (aktuell) – Externe Bearbeitung 127.0.0.1 | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
+ | ====== SNMP (unter CentOS 6.x)====== | ||
+ | SNMP((**S**imple **N**etwork **M**anagement **P**rotocol, | ||
+ | |||
+ | ===== Installation ===== | ||
+ | Falls noch nicht in unserem System vorhanden, installieren wir folgende Pakete: | ||
+ | # yum install net-snmp net-snmp-utils -y | ||
+ | |||
+ | ==== Paketdetails ==== | ||
+ | Die Softwarekomponenten, | ||
+ | === net-snmp === | ||
+ | # rpm -qil net-snmp | ||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Install Date: Tue 10 Jul 2012 10:37:57 PM CEST Build Host: c6b9.bsys.dev.centos.org | ||
+ | Group : System Environment/ | ||
+ | Size : 835719 | ||
+ | Signature | ||
+ | Packager | ||
+ | URL : https:// | ||
+ | Summary | ||
+ | Description : | ||
+ | SNMP (Simple Network Management Protocol) is a protocol used for | ||
+ | network management. The NET-SNMP project includes various SNMP tools: | ||
+ | an extensible agent, an SNMP library, tools for requesting or setting | ||
+ | information from SNMP agents, tools for generating and handling SNMP | ||
+ | traps and a version of the netstat command which uses SNMP. This | ||
+ | package contains the snmpd and snmptrapd daemons, documentation, | ||
+ | |||
+ | You will probably also want to install the net-snmp-utils package, | ||
+ | which contains NET-SNMP utilities. | ||
+ | / | ||
+ | / | ||
+ | /etc/snmp | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | === net-snmp-utils === | ||
+ | # rpm -qil net-snmp-utils | ||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Install Date: Tue 17 Jul 2012 09:37:47 PM CEST Build Host: c6b9.bsys.dev.centos.org | ||
+ | Group : Applications/ | ||
+ | Size : 370527 | ||
+ | Signature | ||
+ | Packager | ||
+ | URL : https:// | ||
+ | Summary | ||
+ | Description : | ||
+ | The net-snmp-utils package contains various utilities for use with the | ||
+ | NET-SNMP network management project. | ||
+ | |||
+ | Install this package if you need utilities for managing your network | ||
+ | using the SNMP protocol. You will also need to install the net-snmp | ||
+ | package. | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | ===== Konfiguration ===== | ||
+ | ==== erste einfache Konfiguration für SNMP Version V1/V2c ==== | ||
+ | Die Konfiguration des SNMP-Daemons erfolgt über die Konfigurationsdatei // | ||
+ | |||
+ | <file bash / | ||
+ | # | ||
+ | # snmpd.conf: | ||
+ | # An example configuration file for configuring the ucd-snmp snmpd agent. | ||
+ | # | ||
+ | ############################################################################### | ||
+ | # | ||
+ | # This file is intended to only be as a starting point. | ||
+ | # configuration directives exist than are mentioned in this file. For | ||
+ | # full details, see the snmpd.conf(5) manual page. | ||
+ | # | ||
+ | # All lines beginning with a '#' | ||
+ | # to read. All other lines are configuration commands for the agent. | ||
+ | |||
+ | ############################################################################### | ||
+ | # Access Control | ||
+ | ############################################################################### | ||
+ | |||
+ | # As shipped, the snmpd demon will only respond to queries on the | ||
+ | # system mib group until this file is replaced or modified for | ||
+ | # security purposes. | ||
+ | # level of access. | ||
+ | |||
+ | # By far, the most common question I get about the agent is "why won't | ||
+ | # it work?", | ||
+ | # allow me to access it?" | ||
+ | # | ||
+ | # By default, the agent responds to the " | ||
+ | # only access, if run out of the box without any configuration file in | ||
+ | # place. | ||
+ | # the agent so that you can change the community names, and give | ||
+ | # yourself write access to the mib tree as well. | ||
+ | # | ||
+ | # For more information, | ||
+ | # manual page. | ||
+ | |||
+ | #### | ||
+ | # First, map the community name " | ||
+ | |||
+ | # | ||
+ | com2sec notConfigUser | ||
+ | |||
+ | #### | ||
+ | # Second, map the security name into a group name: | ||
+ | |||
+ | # | ||
+ | group | ||
+ | group | ||
+ | |||
+ | #### | ||
+ | # Third, create a view for us to let the group have rights to: | ||
+ | |||
+ | # Make at least snmpwalk -v 1 localhost -c public system fast again. | ||
+ | # | ||
+ | view systemview | ||
+ | view systemview | ||
+ | |||
+ | #### | ||
+ | # Finally, grant the group read-only access to the systemview view. | ||
+ | |||
+ | # | ||
+ | access | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | # Here is a commented out example configuration that allows less | ||
+ | # restrictive access. | ||
+ | |||
+ | # YOU SHOULD CHANGE THE " | ||
+ | # KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO | ||
+ | # SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE. | ||
+ | |||
+ | ## | ||
+ | #com2sec local | ||
+ | #com2sec mynetwork NETWORK/ | ||
+ | |||
+ | ## | ||
+ | #group MyRWGroup | ||
+ | #group MyROGroup | ||
+ | # | ||
+ | #group MyRWGroup | ||
+ | #... | ||
+ | |||
+ | ## | ||
+ | #view all included | ||
+ | |||
+ | ## -or just the mib2 tree- | ||
+ | |||
+ | #view mib2 | ||
+ | |||
+ | |||
+ | ## context sec.model sec.level prefix read | ||
+ | #access MyROGroup "" | ||
+ | #access MyRWGroup "" | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Sample configuration to make net-snmpd RFC 1213. | ||
+ | # Unfortunately v1 and v2c don't allow any user based authentification, | ||
+ | # opening up the default config is not an option from a security point. | ||
+ | # | ||
+ | # WARNING: If you uncomment the following lines you allow write access to your | ||
+ | # snmpd daemon from any source! To avoid this use different names for your | ||
+ | # community or split out the write access to a different community and | ||
+ | # restrict it to your local network. | ||
+ | # Also remember to comment the syslocation and syscontact parameters later as | ||
+ | # otherwise they are still read only (see FAQ for net-snmp). | ||
+ | # | ||
+ | |||
+ | # First, map the community name " | ||
+ | # | ||
+ | #com2sec notConfigUser | ||
+ | |||
+ | # Second, map the security name into a group name: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Third, create a view for us to let the group have rights to: | ||
+ | # Open up the whole tree for ro, make the RFC 1213 required ones rw. | ||
+ | # | ||
+ | #view roview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | |||
+ | # Finally, grant the group read-only access to the systemview view. | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # System contact information | ||
+ | # | ||
+ | |||
+ | # It is also possible to set the sysContact and sysLocation system | ||
+ | # variables through the snmpd.conf file: | ||
+ | |||
+ | syslocation Unknown (edit / | ||
+ | syscontact Root < | ||
+ | |||
+ | # Example output of snmpwalk: | ||
+ | # % snmpwalk -v 1 localhost -c public system | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Logging | ||
+ | # | ||
+ | |||
+ | # We do not want annoying " | ||
+ | # If the following option is commented out, snmpd will print each incoming | ||
+ | # connection, which can be useful for debugging. | ||
+ | |||
+ | dontLogTCPWrappersConnects yes | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Process checks. | ||
+ | # | ||
+ | # The following are examples of how to use the agent to check for | ||
+ | # processes running on the host. The syntax looks something like: | ||
+ | # | ||
+ | # proc NAME [MAX=0] [MIN=0] | ||
+ | # | ||
+ | # NAME: the name of the process to check for. It must match | ||
+ | # | ||
+ | # MAX: the maximum number allowed to be running. | ||
+ | # MIN: the minimum number to be running. | ||
+ | |||
+ | # | ||
+ | # Examples (commented out by default): | ||
+ | # | ||
+ | |||
+ | # Make sure mountd is running | ||
+ | #proc mountd | ||
+ | |||
+ | # Make sure there are no more than 4 ntalkds running, but 0 is ok too. | ||
+ | #proc ntalkd 4 | ||
+ | |||
+ | # Make sure at least one sendmail, but less than or equal to 10 are running. | ||
+ | #proc sendmail 10 1 | ||
+ | |||
+ | # A snmpwalk of the process mib tree would look something like this: | ||
+ | # | ||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.1 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.2 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.3 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 | ||
+ | # | ||
+ | # Note that the errorFlag for mountd is set to 1 because one is not | ||
+ | # running (in this case an rpc.mountd is, but thats not good enough), | ||
+ | # and the ErrMessage tells you what's wrong. | ||
+ | # imposed in the snmpd.conf file is also shown. | ||
+ | # | ||
+ | # Special Case: When the min and max numbers are both 0, it assumes | ||
+ | # you want a max of infinity and a min of 1. | ||
+ | # | ||
+ | |||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Executables/ | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # You can also have programs run by the agent that return a single | ||
+ | # line of output and an exit code. Here are two examples. | ||
+ | # | ||
+ | # exec NAME PROGRAM [ARGS ...] | ||
+ | # | ||
+ | # NAME: A generic name. The name must be unique for each exec statement. | ||
+ | # PROGRAM: | ||
+ | # ARGS: | ||
+ | |||
+ | # a simple hello world | ||
+ | |||
+ | #exec echotest /bin/echo hello world | ||
+ | |||
+ | # Run a shell script containing: | ||
+ | # | ||
+ | # #!/bin/sh | ||
+ | # echo hello world | ||
+ | # echo hi there | ||
+ | # exit 35 | ||
+ | # | ||
+ | # Note: this has been specifically commented out to prevent | ||
+ | # accidental security holes due to someone else on your system writing | ||
+ | # a /tmp/shtest before you do. Uncomment to use it. | ||
+ | # | ||
+ | #exec shelltest /bin/sh /tmp/shtest | ||
+ | |||
+ | # Then, | ||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extNames.1 = " | ||
+ | # enterprises.ucdavis.extTable.extEntry.extNames.2 = " | ||
+ | # enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/ | ||
+ | # enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/ | ||
+ | # enterprises.ucdavis.extTable.extEntry.extResult.1 = 0 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extResult.2 = 35 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world." | ||
+ | # enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world." | ||
+ | # enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0 | ||
+ | |||
+ | # Note that the second line of the /tmp/shtest shell script is cut | ||
+ | # off. Also note that the exit status of 35 was returned. | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # disk checks | ||
+ | # | ||
+ | |||
+ | # The agent can check the amount of available disk space, and make | ||
+ | # sure it is above a set limit. | ||
+ | |||
+ | # disk PATH [MIN=100000] | ||
+ | # | ||
+ | # PATH: mount path to the disk in question. | ||
+ | # MIN: Disks with space below this value will have the Mib's errorFlag set. | ||
+ | # Default value = 100000. | ||
+ | |||
+ | # Check the / partition and make sure it contains at least 10 megs. | ||
+ | |||
+ | #disk / 10000 | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/ | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = "" | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # load average checks | ||
+ | # | ||
+ | |||
+ | # load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0] | ||
+ | # | ||
+ | # 1MAX: If the 1 minute load average is above this limit at query | ||
+ | # time, the errorFlag will be set. | ||
+ | # 5MAX: | ||
+ | # 15MAX: | ||
+ | |||
+ | # Check for loads: | ||
+ | #load 12 14 14 | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = "" | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = "" | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = "" | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Extensible sections. | ||
+ | # | ||
+ | |||
+ | # This alleviates the multiple line output problem found in the | ||
+ | # previous executable mib by placing each mib in its own mib table: | ||
+ | |||
+ | # Run a shell script containing: | ||
+ | # | ||
+ | # #!/bin/sh | ||
+ | # echo hello world | ||
+ | # echo hi there | ||
+ | # exit 35 | ||
+ | # | ||
+ | # Note: this has been specifically commented out to prevent | ||
+ | # accidental security holes due to someone else on your system writing | ||
+ | # a /tmp/shtest before you do. Uncomment to use it. | ||
+ | # | ||
+ | # exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50 | ||
+ | # enterprises.ucdavis.50.1.1 = 1 | ||
+ | # enterprises.ucdavis.50.2.1 = " | ||
+ | # enterprises.ucdavis.50.3.1 = "/ | ||
+ | # enterprises.ucdavis.50.100.1 = 35 | ||
+ | # enterprises.ucdavis.50.101.1 = "hello world." | ||
+ | # enterprises.ucdavis.50.101.2 = "hi there." | ||
+ | # enterprises.ucdavis.50.102.1 = 0 | ||
+ | |||
+ | # Now the Output has grown to two lines, and we can see the 'hi | ||
+ | # there.' | ||
+ | # | ||
+ | # Note that you must alter the mib.txt file to be correct if you want | ||
+ | # the .50.* outputs above to change to reasonable text descriptions. | ||
+ | |||
+ | # Other ideas: | ||
+ | # | ||
+ | # exec .1.3.6.1.4.1.2021.51 ps / | ||
+ | # exec .1.3.6.1.4.1.2021.52 top / | ||
+ | # exec .1.3.6.1.4.1.2021.53 mailq / | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Pass through control. | ||
+ | # | ||
+ | |||
+ | # Usage: | ||
+ | # pass MIBOID EXEC-COMMAND | ||
+ | # | ||
+ | # This will pass total control of the mib underneath the MIBOID | ||
+ | # portion of the mib to the EXEC-COMMAND. | ||
+ | # | ||
+ | # Note: You'll have to change the path of the passtest script to your | ||
+ | # source directory or install it in the given location. | ||
+ | # | ||
+ | # Example: | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # pass .1.3.6.1.4.1.2021.255 /bin/sh / | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255 | ||
+ | # enterprises.ucdavis.255.1 = "life the universe and everything" | ||
+ | # enterprises.ucdavis.255.2.1 = 42 | ||
+ | # enterprises.ucdavis.255.2.2 = OID: 42.42.42 | ||
+ | # enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 | ||
+ | # enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 | ||
+ | # enterprises.ucdavis.255.5 = 42 | ||
+ | # enterprises.ucdavis.255.6 = Gauge: 42 | ||
+ | # | ||
+ | # % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5 | ||
+ | # enterprises.ucdavis.255.5 = 42 | ||
+ | # | ||
+ | # % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string" | ||
+ | # enterprises.ucdavis.255.1 = "New string" | ||
+ | # | ||
+ | |||
+ | # For specific usage information, | ||
+ | # as well as the local/ | ||
+ | |||
+ | ############################################################################### | ||
+ | # Further Information | ||
+ | # | ||
+ | # See the snmpd.conf manual page, and the output of "snmpd -H". | ||
+ | |||
+ | </ | ||
+ | |||
+ | Im ersten Step wollen wir mal erreichen, dass mit einem gesonderten Passwort der Zugriff von der lokalen Maschine via **localhost** und aus dem eignenen Netzsegment nur noch antwortet. | ||
+ | Die Vorgabemusterdatei passen wir nun für unseren ersten Test wie nachfolgend an. | ||
+ | # vim / | ||
+ | |||
+ | <file bash / | ||
+ | # | ||
+ | # snmpd.conf: | ||
+ | # An example configuration file for configuring the ucd-snmp snmpd agent. | ||
+ | # | ||
+ | ############################################################################### | ||
+ | # | ||
+ | # This file is intended to only be as a starting point. | ||
+ | # configuration directives exist than are mentioned in this file. For | ||
+ | # full details, see the snmpd.conf(5) manual page. | ||
+ | # | ||
+ | # All lines beginning with a '#' | ||
+ | # to read. All other lines are configuration commands for the agent. | ||
+ | |||
+ | ############################################################################### | ||
+ | # Access Control | ||
+ | ############################################################################### | ||
+ | |||
+ | # As shipped, the snmpd demon will only respond to queries on the | ||
+ | # system mib group until this file is replaced or modified for | ||
+ | # security purposes. | ||
+ | # level of access. | ||
+ | |||
+ | # By far, the most common question I get about the agent is "why won't | ||
+ | # it work?", | ||
+ | # allow me to access it?" | ||
+ | # | ||
+ | # By default, the agent responds to the " | ||
+ | # only access, if run out of the box without any configuration file in | ||
+ | # place. | ||
+ | # the agent so that you can change the community names, and give | ||
+ | # yourself write access to the mib tree as well. | ||
+ | # | ||
+ | # For more information, | ||
+ | # manual page. | ||
+ | |||
+ | #### | ||
+ | # First, map the community name " | ||
+ | |||
+ | # | ||
+ | # Django : 2012-07-17 | ||
+ | # default: com2sec notConfigUser | ||
+ | com2sec local | ||
+ | com2sec mynetwork | ||
+ | |||
+ | #### | ||
+ | # Second, map the security name into a group name: | ||
+ | |||
+ | # | ||
+ | # Django : 2012-07-17 | ||
+ | # default: group | ||
+ | # group | ||
+ | group | ||
+ | group | ||
+ | group | ||
+ | group | ||
+ | |||
+ | #### | ||
+ | # Third, create a view for us to let the group have rights to: | ||
+ | |||
+ | # Make at least snmpwalk -v 1 localhost -c public system fast again. | ||
+ | # | ||
+ | # Django : 2012-07-17 | ||
+ | # default: view systemview | ||
+ | # view systemview | ||
+ | view all | ||
+ | |||
+ | #### | ||
+ | # Finally, grant the group read-only access to the systemview view. | ||
+ | |||
+ | # | ||
+ | # Django : 2012-07-17 | ||
+ | # default: access | ||
+ | access | ||
+ | access | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | # Here is a commented out example configuration that allows less | ||
+ | # restrictive access. | ||
+ | |||
+ | # YOU SHOULD CHANGE THE " | ||
+ | # KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO | ||
+ | # SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE. | ||
+ | |||
+ | ## | ||
+ | #com2sec local | ||
+ | #com2sec mynetwork NETWORK/ | ||
+ | |||
+ | ## | ||
+ | #group MyRWGroup | ||
+ | #group MyROGroup | ||
+ | # | ||
+ | #group MyRWGroup | ||
+ | #... | ||
+ | |||
+ | ## | ||
+ | #view all included | ||
+ | |||
+ | ## -or just the mib2 tree- | ||
+ | |||
+ | #view mib2 | ||
+ | |||
+ | |||
+ | ## context sec.model sec.level prefix read | ||
+ | #access MyROGroup "" | ||
+ | #access MyRWGroup "" | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Sample configuration to make net-snmpd RFC 1213. | ||
+ | # Unfortunately v1 and v2c don't allow any user based authentification, | ||
+ | # opening up the default config is not an option from a security point. | ||
+ | # | ||
+ | # WARNING: If you uncomment the following lines you allow write access to your | ||
+ | # snmpd daemon from any source! To avoid this use different names for your | ||
+ | # community or split out the write access to a different community and | ||
+ | # restrict it to your local network. | ||
+ | # Also remember to comment the syslocation and syscontact parameters later as | ||
+ | # otherwise they are still read only (see FAQ for net-snmp). | ||
+ | # | ||
+ | |||
+ | # First, map the community name " | ||
+ | # | ||
+ | #com2sec notConfigUser | ||
+ | |||
+ | # Second, map the security name into a group name: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Third, create a view for us to let the group have rights to: | ||
+ | # Open up the whole tree for ro, make the RFC 1213 required ones rw. | ||
+ | # | ||
+ | #view roview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | |||
+ | # Finally, grant the group read-only access to the systemview view. | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # System contact information | ||
+ | # | ||
+ | |||
+ | # It is also possible to set the sysContact and sysLocation system | ||
+ | # variables through the snmpd.conf file: | ||
+ | |||
+ | # Django : 2012-07-17 | ||
+ | # default: syslocation Unknown (edit / | ||
+ | # syscontact Root < | ||
+ | syslocation " | ||
+ | syscontact django@nausch.org | ||
+ | |||
+ | # Example output of snmpwalk: | ||
+ | # % snmpwalk -v 1 localhost -c public system | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Logging | ||
+ | # | ||
+ | |||
+ | # We do not want annoying " | ||
+ | # If the following option is commented out, snmpd will print each incoming | ||
+ | # connection, which can be useful for debugging. | ||
+ | |||
+ | dontLogTCPWrappersConnects yes | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Process checks. | ||
+ | # | ||
+ | # The following are examples of how to use the agent to check for | ||
+ | # processes running on the host. The syntax looks something like: | ||
+ | # | ||
+ | # proc NAME [MAX=0] [MIN=0] | ||
+ | # | ||
+ | # NAME: the name of the process to check for. It must match | ||
+ | # | ||
+ | # MAX: the maximum number allowed to be running. | ||
+ | # MIN: the minimum number to be running. | ||
+ | |||
+ | # | ||
+ | # Examples (commented out by default): | ||
+ | # | ||
+ | |||
+ | # Make sure mountd is running | ||
+ | #proc mountd | ||
+ | |||
+ | # Make sure there are no more than 4 ntalkds running, but 0 is ok too. | ||
+ | #proc ntalkd 4 | ||
+ | |||
+ | # Make sure at least one sendmail, but less than or equal to 10 are running. | ||
+ | #proc sendmail 10 1 | ||
+ | |||
+ | # A snmpwalk of the process mib tree would look something like this: | ||
+ | # | ||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.1 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.2 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.3 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 | ||
+ | # | ||
+ | # Note that the errorFlag for mountd is set to 1 because one is not | ||
+ | # running (in this case an rpc.mountd is, but thats not good enough), | ||
+ | # and the ErrMessage tells you what's wrong. | ||
+ | # imposed in the snmpd.conf file is also shown. | ||
+ | # | ||
+ | # Special Case: When the min and max numbers are both 0, it assumes | ||
+ | # you want a max of infinity and a min of 1. | ||
+ | # | ||
+ | |||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Executables/ | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # You can also have programs run by the agent that return a single | ||
+ | # line of output and an exit code. Here are two examples. | ||
+ | # | ||
+ | # exec NAME PROGRAM [ARGS ...] | ||
+ | # | ||
+ | # NAME: A generic name. The name must be unique for each exec statement. | ||
+ | # PROGRAM: | ||
+ | # ARGS: | ||
+ | |||
+ | # a simple hello world | ||
+ | |||
+ | #exec echotest /bin/echo hello world | ||
+ | |||
+ | # Run a shell script containing: | ||
+ | # | ||
+ | # #!/bin/sh | ||
+ | # echo hello world | ||
+ | # echo hi there | ||
+ | # exit 35 | ||
+ | # | ||
+ | # Note: this has been specifically commented out to prevent | ||
+ | # accidental security holes due to someone else on your system writing | ||
+ | # a /tmp/shtest before you do. Uncomment to use it. | ||
+ | # | ||
+ | #exec shelltest /bin/sh /tmp/shtest | ||
+ | |||
+ | # Then, | ||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extNames.1 = " | ||
+ | # enterprises.ucdavis.extTable.extEntry.extNames.2 = " | ||
+ | # enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/ | ||
+ | # enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/ | ||
+ | # enterprises.ucdavis.extTable.extEntry.extResult.1 = 0 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extResult.2 = 35 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world." | ||
+ | # enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world." | ||
+ | # enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0 | ||
+ | |||
+ | # Note that the second line of the /tmp/shtest shell script is cut | ||
+ | # off. Also note that the exit status of 35 was returned. | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # disk checks | ||
+ | # | ||
+ | |||
+ | # The agent can check the amount of available disk space, and make | ||
+ | # sure it is above a set limit. | ||
+ | |||
+ | # disk PATH [MIN=100000] | ||
+ | # | ||
+ | # PATH: mount path to the disk in question. | ||
+ | # MIN: Disks with space below this value will have the Mib's errorFlag set. | ||
+ | # Default value = 100000. | ||
+ | |||
+ | # Check the / partition and make sure it contains at least 10 megs. | ||
+ | |||
+ | #disk / 10000 | ||
+ | |||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/ | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = "" | ||
+ | |||
+ | # Django : 2012-07-31 | ||
+ | # folgende Partitionen definiert | ||
+ | disk / | ||
+ | disk /boot | ||
+ | disk /var/log | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # load average checks | ||
+ | # | ||
+ | |||
+ | # load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0] | ||
+ | # | ||
+ | # 1MAX: If the 1 minute load average is above this limit at query | ||
+ | # time, the errorFlag will be set. | ||
+ | # 5MAX: | ||
+ | # 15MAX: | ||
+ | |||
+ | # Check for loads: | ||
+ | load 12 14 14 | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = "" | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = "" | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = "" | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Extensible sections. | ||
+ | # | ||
+ | |||
+ | # This alleviates the multiple line output problem found in the | ||
+ | # previous executable mib by placing each mib in its own mib table: | ||
+ | |||
+ | # Run a shell script containing: | ||
+ | # | ||
+ | # #!/bin/sh | ||
+ | # echo hello world | ||
+ | # echo hi there | ||
+ | # exit 35 | ||
+ | # | ||
+ | # Note: this has been specifically commented out to prevent | ||
+ | # accidental security holes due to someone else on your system writing | ||
+ | # a /tmp/shtest before you do. Uncomment to use it. | ||
+ | # | ||
+ | # exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50 | ||
+ | # enterprises.ucdavis.50.1.1 = 1 | ||
+ | # enterprises.ucdavis.50.2.1 = " | ||
+ | # enterprises.ucdavis.50.3.1 = "/ | ||
+ | # enterprises.ucdavis.50.100.1 = 35 | ||
+ | # enterprises.ucdavis.50.101.1 = "hello world." | ||
+ | # enterprises.ucdavis.50.101.2 = "hi there." | ||
+ | # enterprises.ucdavis.50.102.1 = 0 | ||
+ | |||
+ | # Now the Output has grown to two lines, and we can see the 'hi | ||
+ | # there.' | ||
+ | # | ||
+ | # Note that you must alter the mib.txt file to be correct if you want | ||
+ | # the .50.* outputs above to change to reasonable text descriptions. | ||
+ | |||
+ | # Other ideas: | ||
+ | # | ||
+ | # exec .1.3.6.1.4.1.2021.51 ps / | ||
+ | # exec .1.3.6.1.4.1.2021.52 top / | ||
+ | # exec .1.3.6.1.4.1.2021.53 mailq / | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Pass through control. | ||
+ | # | ||
+ | |||
+ | # Usage: | ||
+ | # pass MIBOID EXEC-COMMAND | ||
+ | # | ||
+ | # This will pass total control of the mib underneath the MIBOID | ||
+ | # portion of the mib to the EXEC-COMMAND. | ||
+ | # | ||
+ | # Note: You'll have to change the path of the passtest script to your | ||
+ | # source directory or install it in the given location. | ||
+ | # | ||
+ | # Example: | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # pass .1.3.6.1.4.1.2021.255 /bin/sh / | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255 | ||
+ | # enterprises.ucdavis.255.1 = "life the universe and everything" | ||
+ | # enterprises.ucdavis.255.2.1 = 42 | ||
+ | # enterprises.ucdavis.255.2.2 = OID: 42.42.42 | ||
+ | # enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 | ||
+ | # enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 | ||
+ | # enterprises.ucdavis.255.5 = 42 | ||
+ | # enterprises.ucdavis.255.6 = Gauge: 42 | ||
+ | # | ||
+ | # % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5 | ||
+ | # enterprises.ucdavis.255.5 = 42 | ||
+ | # | ||
+ | # % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string" | ||
+ | # enterprises.ucdavis.255.1 = "New string" | ||
+ | # | ||
+ | |||
+ | # For specific usage information, | ||
+ | # as well as the local/ | ||
+ | |||
+ | ############################################################################### | ||
+ | # Further Information | ||
+ | # | ||
+ | # See the snmpd.conf manual page, and the output of "snmpd -H". | ||
+ | </ | ||
+ | Nachdem die Konfigurationsdatei mit jeder Menge Kommentare bestückt ist, sehen wir uns erst einmal an, was dort aktuell aktiviert wurde. | ||
+ | |||
+ | # egrep -v ' | ||
+ | |||
+ | < | ||
+ | com2sec mynetwork | ||
+ | group | ||
+ | group | ||
+ | group | ||
+ | group | ||
+ | view all | ||
+ | access | ||
+ | access | ||
+ | syslocation " | ||
+ | syscontact django@nausch.org | ||
+ | dontLogTCPWrappersConnects yes | ||
+ | disk / | ||
+ | disk /boot | ||
+ | disk /var/log | ||
+ | load 12 14 14 | ||
+ | </ | ||
+ | |||
+ | Mit dieser minimalen Konfiguration des SNMP-Daemon können folgende Parameter abgefragt werden: | ||
+ | * CPU Auslastung und durchschnittliche Belastung (load) | ||
+ | * Anzahl der Prozesse | ||
+ | * Speicher und SWAP-Nutzung | ||
+ | * Laufwerksauslastung | ||
+ | * eingeloggte User | ||
+ | * Netzwerk-Schnittstellen | ||
+ | |||
+ | |||
+ | ==== Manpage snmpd.conf ==== | ||
+ | Genauere Hinweise zur Konfiguration findet man übrigends in der Manpage von **snmp.conf**. | ||
+ | # man snmp.conf | ||
+ | |||
+ | < | ||
+ | |||
+ | NAME | ||
+ | | ||
+ | |||
+ | DESCRIPTION | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | a personal file, with the settings specific to a particular user. | ||
+ | |||
+ | IMPORTANT NOTE | ||
+ | | ||
+ | | ||
+ | |||
+ | As well as application-specific configuration tokens, there are several directives that relate to standard library behaviour, relevant | ||
+ | to most Net-SNMP applications. | ||
+ | ual page. | ||
+ | |||
+ | These directives can be divided into several distinct groups. | ||
+ | |||
+ | CLIENT BEHAVIOUR | ||
+ | | ||
+ | The transport domain that should be used for a certain application type unless something else is specified. | ||
+ | |||
+ | | ||
+ | The target that should be used for connections to a certain application if the connection should be in a specific domain. | ||
+ | |||
+ | | ||
+ | defines | ||
+ | including a port number in the AGENT specification. | ||
+ | |||
+ | If not specified, the default value for this token is 161. | ||
+ | |||
+ | | ||
+ | defines the default version of SNMP to use. This can be overridden using the -v option. | ||
+ | |||
+ | | ||
+ | defines the default community to use for SNMPv1 and SNMPv2c requests. | ||
+ | |||
+ | alias NAME DEFINITION | ||
+ | Creates an aliased tied to NAME for a given transport definition. | ||
+ | Eg, a line of " | ||
+ | " | ||
+ | |||
+ | | ||
+ | defines whether to display a hexadecimal dump of the raw SNMP requests sent and received by the application. | ||
+ | lent to the -d option. | ||
+ | | ||
+ | turns on debugging for all applications run if set to 1. | ||
+ | |||
+ | | ||
+ | defines the debugging tokens that should be turned on when doDebugging is set. This is equivalent to the -D option. | ||
+ | |||
+ | | ||
+ | restricts requestIDs, etc to 16-bit values. | ||
+ | |||
+ | The SNMP specifications | ||
+ | random values for security. | ||
+ | interoperability with such agents. | ||
+ | |||
+ | | ||
+ | specifies the source address to be used by command-line applications when sending SNMP requests. See snmpcmd(1) for more infor- | ||
+ | mation about the format of addresses. | ||
+ | |||
+ | This value is also used by snmpd when generating notifications. | ||
+ | |||
+ | | ||
+ | specifies the desired size of the buffer to be used when receiving responses to SNMP requests. | ||
+ | than the clientRecvBuf | ||
+ | actually used for internal housekeeping. | ||
+ | |||
+ | This directive will be ignored if the platforms does not support setsockopt(). | ||
+ | |||
+ | | ||
+ | is similar to clientRecvBuf, | ||
+ | |||
+ | | ||
+ | disables the validation of varbind values against the MIB definition for the relevant OID. | ||
+ | option. | ||
+ | |||
+ | This directive | ||
+ | with a non-NULL value. | ||
+ | |||
+ | | ||
+ | disables warnings about unknown config file tokens. | ||
+ | |||
+ | | ||
+ | controls how the encoding of SNMP requests is handled. | ||
+ | |||
+ | The default behaviour is to encode packets starting from the end of the PDU and working backwards. | ||
+ | to disable this behaviour, and build the encoded request in the (more obvious) forward direction. | ||
+ | |||
+ | It should not normally be necessary to change this setting, as the encoding is basically the same in either case - but working | ||
+ | backwards typically produces a slightly more efficient encoding, and hence a smaller network datagram. | ||
+ | |||
+ | SNMPv3 SETTINGS | ||
+ | | ||
+ | defines the default security name to use for SNMPv3 requests. | ||
+ | |||
+ | | ||
+ | defines the default security level to use for SNMPv3 requests. | ||
+ | |||
+ | If not specified, the default value for this token is noAuthNoPriv. | ||
+ | |||
+ | Note: authPriv is only available if the software has been compiled to use the OpenSSL libraries. | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | define the default authentication and privacy pass phrases to use for SNMPv3 requests. | ||
+ | and -X options respectively. | ||
+ | |||
+ | The defPassphrase | ||
+ | not specified. | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | define the default authentication and privacy protocols to use for SNMPv3 requests. | ||
+ | -x options respectively. | ||
+ | |||
+ | If not specified, SNMPv3 requests will default to MD5 authentication and DES encryption. | ||
+ | |||
+ | Note: If the software has not been compiled to use the OpenSSL libraries, then only MD5 authentication is supported. | ||
+ | SHA authentication nor any form of encryption will be available. | ||
+ | |||
+ | | ||
+ | defines the default context to use for SNMPv3 requests. | ||
+ | |||
+ | If not specified, the default value for this token is the default context (i.e. the empty string "" | ||
+ | |||
+ | | ||
+ | defines the security model to use for SNMPv3 requests. | ||
+ | for SNMPv3. | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | define | ||
+ | passphrase, as discussed in the defPassphrase section above. However for improved security a truely random key can be generated | ||
+ | and used instead | ||
+ | equivalent to the short-form command line options -3m, -3M, -3k, and -3K. | ||
+ | |||
+ | Localized keys are master keys which have been converted to a unique key which is only suitable for on particular | ||
+ | (agent). | ||
+ | bytes, SHA1=20 bytes; priv keys: DES=16 bytes (8 bytes of which is used as an IV and not a key), and AES=16 bytes). | ||
+ | |||
+ | | ||
+ | Sets the path of the sshtosnmp socket created by an application (e.g. snmpd) listening for incoming ssh connections through the | ||
+ | sshtosnmp unix socket. | ||
+ | |||
+ | | ||
+ | Sets the mode, owner and group of the sshtosnmp socket created by an application (e.g. snmpd) listening for incoming ssh con- | ||
+ | nections through the sshtosnmp unix socket. | ||
+ | connect to the SNMP service (VACM access still needs to be granted as well, most likely through the TSM security model). | ||
+ | |||
+ | SERVER BEHAVIOUR | ||
+ | | ||
+ | defines the directory where snmpd and snmptrapd store persistent configuration settings. | ||
+ | |||
+ | If not specified, the persistent directory defaults to / | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | disable the loading and saving of persistent configuration information. | ||
+ | |||
+ | Note: This will break SNMPv3 operations (and other behaviour that relies on changes persisting across application restart). | ||
+ | Use With Care. | ||
+ | |||
+ | | ||
+ | defines a filename template for creating temporary files, for handling input to and output from external shell commands. | ||
+ | by the mkstemp() and mktemp() functions. | ||
+ | |||
+ | If not specified, the default pattern is "/ | ||
+ | |||
+ | | ||
+ | specifies | ||
+ | the serverRecvBuf value, then this will be used instead. | ||
+ | used for internal housekeeping. | ||
+ | |||
+ | This directive will be ignored if the platforms does not support setsockopt(). | ||
+ | |||
+ | | ||
+ | is similar to serverRecvBuf, | ||
+ | |||
+ | MIB HANDLING | ||
+ | | ||
+ | specifies | ||
+ | details. | ||
+ | |||
+ | mibs MIBLIST | ||
+ | specifies a list of MIB modules (not files) that should be loaded. | ||
+ | pcmd(1) for details. | ||
+ | |||
+ | | ||
+ | specifies | ||
+ | that this value can be overridden by the MIBFILES environment variable. | ||
+ | |||
+ | | ||
+ | whether to display MIB parsing errors. | ||
+ | |||
+ | | ||
+ | whether MIB parsing should be strict about comment termination. | ||
+ | of the text line, rather than being terminated by the next " | ||
+ | rect) MIBs. | ||
+ | Note that this directive was previous (mis-)named strictCommentTerm, | ||
+ | name. This earlier token is still accepted for backwards compatibility. | ||
+ | |||
+ | | ||
+ | whether | ||
+ | (strictly incorrect) MIBs. | ||
+ | |||
+ | | ||
+ | the minimum warning level of the warnings printed by the MIB parser. | ||
+ | |||
+ | OUTPUT CONFIGURATION | ||
+ | | ||
+ | Whether the commands should log timestamps with their error/ | ||
+ | with timestamps | ||
+ | before being passed to the logging routines. | ||
+ | |||
+ | | ||
+ | Equivalent to -Oe. | ||
+ | |||
+ | | ||
+ | Equivalent to -On. | ||
+ | |||
+ | | ||
+ | Equivalent to -Ob. | ||
+ | |||
+ | | ||
+ | Equivalent to -OE. | ||
+ | |||
+ | | ||
+ | Equivalent to -Oq. | ||
+ | |||
+ | | ||
+ | Equivalent to -Ov. | ||
+ | |||
+ | | ||
+ | Equivalent to -OU. | ||
+ | |||
+ | | ||
+ | Equivalent to -Ot. | ||
+ | |||
+ | | ||
+ | Equivalent to -OT. | ||
+ | |||
+ | | ||
+ | Specifies where to break up the output of hexadecimal strings. | ||
+ | |||
+ | | ||
+ | The value 1 is equivalent to -Os and the value 2 is equivalent to -OS. | ||
+ | |||
+ | | ||
+ | Maps -O options as follow: -Os=1, -OS=2, -Of=3, -On=4, -Ou=5. | ||
+ | |||
+ | | ||
+ | Equivalent to -OX. | ||
+ | |||
+ | | ||
+ | Disables the use of DISPLAY-HINT information when parsing indices and values to set. Equivalent to -Ih. | ||
+ | |||
+ | FILES | ||
+ | / | ||
+ | | ||
+ | |||
+ | SEE ALSO | ||
+ | | ||
+ | |||
+ | 4th Berkeley Distribution | ||
+ | </ | ||
+ | |||
+ | ==== iptables-Paketfilterregeln ==== | ||
+ | Nach dem Starten unseres **snmp** Daemon können wir mit Hilfe von netstat überprüfen, | ||
+ | # netstat -tulpen | grep 161 | ||
+ | |||
+ | | ||
+ | |||
+ | Steht unser server hinter einer Firewall, so müssen wir unter Umständen eine geeignete Firewallregel in der zentralen Konfigurationsdatei von **iptables** nachtragen, damit der Zugriff auf den Port 161 (UDP) auch erfolgen kann. | ||
+ | Wir tragen in der Konfigurationsdatei / | ||
+ | # vim / | ||
+ | |||
+ | < | ||
+ | |||
+ | # Django 2012-07-17 SNMP freigeschaltet für CACTI-Überwachung | ||
+ | -A INPUT -i eth0 -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT | ||
+ | # Django : end | ||
+ | |||
+ | ... | ||
+ | </ | ||
+ | |||
+ | Anschließend aktivieren wir die Änderungen an unserem Paketfilter, | ||
+ | # service iptables restart | ||
+ | < | ||
+ | iptables: Setting chains to policy ACCEPT: filter nat [ OK ] | ||
+ | iptables: Unloading modules: | ||
+ | iptables: Applying firewall rules: | ||
+ | </ | ||
+ | ===== Serverstart ===== | ||
+ | Der erste Start unseres Daemons erfolgt dem gewohnten Syntaxschema: | ||
+ | # service snmpd start | ||
+ | snmpd starten: | ||
+ | Im syslog wird der erfolgreiche Start entsprechend quittiert: | ||
+ | Jan 10 14:12:38 nss snmpd[27826]: | ||
+ | Jan 10 14:12:38 nss snmpd[27826]: | ||
+ | Damit der snmp-Daemon **snmpd** automatisch bei jedem Systemstart startet, kann die Einrichtung eines Start-Scriptes über folgenden Befehl erreicht werden: | ||
+ | # chkconfig snmpd on | ||
+ | Ein Überprüfung ob der Dienst (Daemon) sshd wirklich bei jedem Systemstart automatisch mit gestartet wird, kann durch folgenden Befehl erreicht werden: | ||
+ | # chkconfig --list | grep snmpd | ||
+ | | ||
+ | |||
+ | |||
+ | |||
+ | ===== erster Test der Minimalkonfiguration ===== | ||
+ | Bei unserer ersten Konfiguration haben wir angegeben, dass sowohl für **localhost** als auch **mynetwork** unterschiedliche Passworte zur Anwendung kommen sollen. Dies wollen wir nun im ersten Test ausprobieren. Zum testen verwenden wir das Programm **snmpwalk** aus dem **RPM**-Paket **net-snmp-utils**. | ||
+ | |||
+ | Eine geneu Beschreibung der Optionen entnehmen wir bei Bedarf der //Manpage// von **snmpwalk**. | ||
+ | # man snmpwalk | ||
+ | |||
+ | < | ||
+ | |||
+ | NAME | ||
+ | | ||
+ | |||
+ | SYNOPSIS | ||
+ | | ||
+ | |||
+ | DESCRIPTION | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | Each variable name is given in the format specified in variables(5). | ||
+ | |||
+ | | ||
+ | other MIB modules, that are defined as lying within this subtree). | ||
+ | an error packet will be returned and a message will be shown, helping to pinpoint why the request was malformed. | ||
+ | |||
+ | If the tree search causes attempts to search beyond the end of the MIB, the message "End of MIB" will be displayed. | ||
+ | |||
+ | OPTIONS | ||
+ | | ||
+ | can complete the walk anyway. | ||
+ | | ||
+ | this check. | ||
+ | |||
+ | -CE {OID} | ||
+ | End the walk at the specified OID, rather than a simple subtree. | ||
+ | of a table, or even two or more tables within a single command. | ||
+ | |||
+ | | ||
+ | | ||
+ | mand line in the printed results if it is a valid OID in the tree itself. | ||
+ | |||
+ | | ||
+ | of a single instance to behave as generally expected, and return the specified instance value. | ||
+ | final GET request, so a walk of a single instance will return nothing. | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | that it does not include snmp library initialization, | ||
+ | |||
+ | In addition to these options, snmpwalk takes the common options described in the snmpcmd(1) manual page. | ||
+ | |||
+ | EXAMPLES | ||
+ | The command: | ||
+ | |||
+ | | ||
+ | |||
+ | will retrieve all of the variables under system: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | (plus the contents of the sysORTable). | ||
+ | |||
+ | The command: | ||
+ | |||
+ | | ||
+ | |||
+ | will retrieve the scalar values, but omit the sysORTable. | ||
+ | |||
+ | SEE ALSO | ||
+ | | ||
+ | |||
+ | 4th Berkeley Distribution | ||
+ | </ | ||
+ | ==== vollständige Abfrage des SNMP-Baums ==== | ||
+ | Mit folgendem Aufruf kann der vollständige SNMP-Baum von localhost aus abgefragt werden. | ||
+ | # snmpwalk -v 2c -c private -O e 127.0.0.1 | ||
+ | < | ||
+ | SNMPv2-MIB:: | ||
+ | DISMAN-EVENT-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | SNMPv2-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | IF-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | RFC1213-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | IP-FORWARD-MIB:: | ||
+ | </ | ||
+ | |||
+ | ==== Abfrage der Systemnamen ==== | ||
+ | Möchten wir lediglich nur den Systemnamen (**sysName.0**) abfragen, so geben wir einfach die Option **sysName.0** bei der Abfrage mit an. | ||
+ | # snmpwalk -v 2c -c private -O e 127.0.0.1 sysName.0 | ||
+ | |||
+ | | ||
+ | |||
+ | |||
+ | ==== Abfrage der definierten Laufwerke ==== | ||
+ | Möchten wir lediglich nur die freigegebenen Laufwerke abfragen (**dskPath**) abfragen, so geben wir einfach die Option **.1.3.6.1.4.1.2021.9.1.2** bei der Abfrage mit an. | ||
+ | # snmpwalk -v 2c -c private -O e localhost .1.3.6.1.4.1.2021.9.1.2 | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | |||
+ | ==== Abfragen aus dem eigenen Netzwerk ==== | ||
+ | === Abfrage mit richtigem Passwort === | ||
+ | Bei der Konfiguration unseres SNMP-Daemon hatten wir angegeben, dass für Anfragen aus dem eigenen Netzwerk ein gesondertes Passwort zu verwenden ist. | ||
+ | # snmpwalk -v 2c -c public -O e 10.0.0.10 sysName.0 | ||
+ | |||
+ | | ||
+ | |||
+ | === Abfrage mit falschem Passwort === | ||
+ | Versuchen wir hingegen mit dem Passwort, welches wir für **localhost** definiert haben, die Anfrage von einem Host aus dem eigenen Netzwerk, so klappt dies erwartungsgemäß nicht. | ||
+ | # snmpwalk -v 2c -c private -O e 10.0.0.10 sysName.0 | ||
+ | |||
+ | | ||
+ | |||
+ | |||
+ | ===== erweiterte Konfiguration (SNMP V3) ===== | ||
+ | ==== Zugriffbeschränkung ==== | ||
+ | Da die beiden SNMP-Versionen 1 und 2c fast keine Sicherheitsmechanismen bieten, wollen wir in unserem Netzwerk nunmehr ausschließlich in der aktuellen Version 3, in der die Sicherheitsmechanismen deutlich ausgebaut wurden einsetzen. | ||
+ | |||
+ | Hierzu bearbeiten wir nun die Konfigurationsdatei unseres // | ||
+ | |||
+ | # vim / | ||
+ | |||
+ | < | ||
+ | # | ||
+ | # snmpd.conf: | ||
+ | # An example configuration file for configuring the ucd-snmp snmpd agent. | ||
+ | # | ||
+ | ############################################################################### | ||
+ | # | ||
+ | # This file is intended to only be as a starting point. | ||
+ | # configuration directives exist than are mentioned in this file. For | ||
+ | # full details, see the snmpd.conf(5) manual page. | ||
+ | # | ||
+ | # All lines beginning with a '#' | ||
+ | # to read. All other lines are configuration commands for the agent. | ||
+ | |||
+ | ############################################################################### | ||
+ | # Access Control | ||
+ | ############################################################################### | ||
+ | |||
+ | # As shipped, the snmpd demon will only respond to queries on the | ||
+ | # system mib group until this file is replaced or modified for | ||
+ | # security purposes. | ||
+ | # level of access. | ||
+ | |||
+ | # By far, the most common question I get about the agent is "why won't | ||
+ | # it work?", | ||
+ | # allow me to access it?" | ||
+ | # | ||
+ | # By default, the agent responds to the " | ||
+ | # only access, if run out of the box without any configuration file in | ||
+ | # place. | ||
+ | # the agent so that you can change the community names, and give | ||
+ | # yourself write access to the mib tree as well. | ||
+ | # | ||
+ | # For more information, | ||
+ | # manual page. | ||
+ | |||
+ | #### | ||
+ | # First, map the community name " | ||
+ | |||
+ | # | ||
+ | # Django : 2012-07-17 | ||
+ | # default: com2sec notConfigUser | ||
+ | #com2sec local | ||
+ | #com2sec mynetwork | ||
+ | |||
+ | |||
+ | # Django : 2012-07-31 | ||
+ | # default: unset | ||
+ | createUser django MD5 Der_Admin_mit_den_dicksten_Eiern! DES | ||
+ | |||
+ | #### | ||
+ | # Second, map the security name into a group name: | ||
+ | |||
+ | # | ||
+ | # Django : 2012-07-17 | ||
+ | # default: group | ||
+ | # group | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | group | ||
+ | |||
+ | |||
+ | #### | ||
+ | # Third, create a view for us to let the group have rights to: | ||
+ | |||
+ | # Make at least snmpwalk -v 1 localhost -c public system fast again. | ||
+ | # | ||
+ | # Django : 2012-07-17 | ||
+ | # default: view systemview | ||
+ | # view systemview | ||
+ | view all | ||
+ | |||
+ | #### | ||
+ | # Finally, grant the group read-only access to the systemview view. | ||
+ | |||
+ | # | ||
+ | # Django : 2012-07-17 | ||
+ | # default: access | ||
+ | # | ||
+ | # | ||
+ | # Django : 2012-07-31 | ||
+ | access | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | # Here is a commented out example configuration that allows less | ||
+ | # restrictive access. | ||
+ | |||
+ | # YOU SHOULD CHANGE THE " | ||
+ | # KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO | ||
+ | # SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE. | ||
+ | |||
+ | ## | ||
+ | #com2sec local | ||
+ | #com2sec mynetwork NETWORK/ | ||
+ | |||
+ | ## | ||
+ | #group MyRWGroup | ||
+ | #group MyROGroup | ||
+ | # | ||
+ | #group MyRWGroup | ||
+ | #... | ||
+ | |||
+ | ## | ||
+ | #view all included | ||
+ | |||
+ | ## -or just the mib2 tree- | ||
+ | |||
+ | #view mib2 | ||
+ | |||
+ | |||
+ | ## context sec.model sec.level prefix read | ||
+ | #access MyROGroup "" | ||
+ | #access MyRWGroup "" | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Sample configuration to make net-snmpd RFC 1213. | ||
+ | # Unfortunately v1 and v2c don't allow any user based authentification, | ||
+ | # opening up the default config is not an option from a security point. | ||
+ | # | ||
+ | # WARNING: If you uncomment the following lines you allow write access to your | ||
+ | # snmpd daemon from any source! To avoid this use different names for your | ||
+ | # community or split out the write access to a different community and | ||
+ | # restrict it to your local network. | ||
+ | # Also remember to comment the syslocation and syscontact parameters later as | ||
+ | # otherwise they are still read only (see FAQ for net-snmp). | ||
+ | # | ||
+ | |||
+ | # First, map the community name " | ||
+ | # | ||
+ | #com2sec notConfigUser | ||
+ | |||
+ | # Second, map the security name into a group name: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # Third, create a view for us to let the group have rights to: | ||
+ | # Open up the whole tree for ro, make the RFC 1213 required ones rw. | ||
+ | # | ||
+ | #view roview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | #view rwview | ||
+ | |||
+ | # Finally, grant the group read-only access to the systemview view. | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # System contact information | ||
+ | # | ||
+ | |||
+ | # It is also possible to set the sysContact and sysLocation system | ||
+ | # variables through the snmpd.conf file: | ||
+ | |||
+ | # Django : 2012-07-17 | ||
+ | # default: syslocation Unknown (edit / | ||
+ | # syscontact Root < | ||
+ | syslocation " | ||
+ | syscontact django@nausch.org | ||
+ | |||
+ | # Example output of snmpwalk: | ||
+ | # % snmpwalk -v 1 localhost -c public system | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Logging | ||
+ | # | ||
+ | |||
+ | # We do not want annoying " | ||
+ | # If the following option is commented out, snmpd will print each incoming | ||
+ | # connection, which can be useful for debugging. | ||
+ | |||
+ | dontLogTCPWrappersConnects yes | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Process checks. | ||
+ | # | ||
+ | # The following are examples of how to use the agent to check for | ||
+ | # processes running on the host. The syntax looks something like: | ||
+ | # | ||
+ | # proc NAME [MAX=0] [MIN=0] | ||
+ | # | ||
+ | # NAME: the name of the process to check for. It must match | ||
+ | # | ||
+ | # MAX: the maximum number allowed to be running. | ||
+ | # MIN: the minimum number to be running. | ||
+ | |||
+ | # | ||
+ | # Examples (commented out by default): | ||
+ | # | ||
+ | |||
+ | # Make sure mountd is running | ||
+ | #proc mountd | ||
+ | |||
+ | # Make sure there are no more than 4 ntalkds running, but 0 is ok too. | ||
+ | #proc ntalkd 4 | ||
+ | |||
+ | # Make sure at least one sendmail, but less than or equal to 10 are running. | ||
+ | #proc sendmail 10 1 | ||
+ | |||
+ | # A snmpwalk of the process mib tree would look something like this: | ||
+ | # | ||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.1 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.2 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prNames.3 = " | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 | ||
+ | # enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 | ||
+ | # | ||
+ | # Note that the errorFlag for mountd is set to 1 because one is not | ||
+ | # running (in this case an rpc.mountd is, but thats not good enough), | ||
+ | # and the ErrMessage tells you what's wrong. | ||
+ | # imposed in the snmpd.conf file is also shown. | ||
+ | # | ||
+ | # Special Case: When the min and max numbers are both 0, it assumes | ||
+ | # you want a max of infinity and a min of 1. | ||
+ | # | ||
+ | |||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Executables/ | ||
+ | # | ||
+ | |||
+ | # | ||
+ | # You can also have programs run by the agent that return a single | ||
+ | # line of output and an exit code. Here are two examples. | ||
+ | # | ||
+ | # exec NAME PROGRAM [ARGS ...] | ||
+ | # | ||
+ | # NAME: A generic name. The name must be unique for each exec statement. | ||
+ | # PROGRAM: | ||
+ | # ARGS: | ||
+ | |||
+ | # a simple hello world | ||
+ | |||
+ | #exec echotest /bin/echo hello world | ||
+ | |||
+ | # Run a shell script containing: | ||
+ | # | ||
+ | # #!/bin/sh | ||
+ | # echo hello world | ||
+ | # echo hi there | ||
+ | # exit 35 | ||
+ | # | ||
+ | # Note: this has been specifically commented out to prevent | ||
+ | # accidental security holes due to someone else on your system writing | ||
+ | # a /tmp/shtest before you do. Uncomment to use it. | ||
+ | # | ||
+ | #exec shelltest /bin/sh /tmp/shtest | ||
+ | |||
+ | # Then, | ||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extNames.1 = " | ||
+ | # enterprises.ucdavis.extTable.extEntry.extNames.2 = " | ||
+ | # enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/ | ||
+ | # enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/ | ||
+ | # enterprises.ucdavis.extTable.extEntry.extResult.1 = 0 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extResult.2 = 35 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world." | ||
+ | # enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world." | ||
+ | # enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0 | ||
+ | # enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0 | ||
+ | |||
+ | # Note that the second line of the /tmp/shtest shell script is cut | ||
+ | # off. Also note that the exit status of 35 was returned. | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # disk checks | ||
+ | # | ||
+ | |||
+ | # The agent can check the amount of available disk space, and make | ||
+ | # sure it is above a set limit. | ||
+ | |||
+ | # disk PATH [MIN=100000] | ||
+ | # | ||
+ | # PATH: mount path to the disk in question. | ||
+ | # MIN: Disks with space below this value will have the Mib's errorFlag set. | ||
+ | # Default value = 100000. | ||
+ | |||
+ | # Check the / partition and make sure it contains at least 10 megs. | ||
+ | |||
+ | #disk / 10000 | ||
+ | |||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/ | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0 | ||
+ | # enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = "" | ||
+ | |||
+ | # Django : 2012-07-31 | ||
+ | # folgende Partitionen definiert | ||
+ | disk / | ||
+ | disk /boot | ||
+ | disk /var/log | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # load average checks | ||
+ | # | ||
+ | |||
+ | # load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0] | ||
+ | # | ||
+ | # 1MAX: If the 1 minute load average is above this limit at query | ||
+ | # time, the errorFlag will be set. | ||
+ | # 5MAX: | ||
+ | # 15MAX: | ||
+ | |||
+ | # Check for loads: | ||
+ | load 12 14 14 | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = " | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0 | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = "" | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = "" | ||
+ | # enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = "" | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Extensible sections. | ||
+ | # | ||
+ | |||
+ | # This alleviates the multiple line output problem found in the | ||
+ | # previous executable mib by placing each mib in its own mib table: | ||
+ | |||
+ | # Run a shell script containing: | ||
+ | # | ||
+ | # #!/bin/sh | ||
+ | # echo hello world | ||
+ | # echo hi there | ||
+ | # exit 35 | ||
+ | # | ||
+ | # Note: this has been specifically commented out to prevent | ||
+ | # accidental security holes due to someone else on your system writing | ||
+ | # a /tmp/shtest before you do. Uncomment to use it. | ||
+ | # | ||
+ | # exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50 | ||
+ | # enterprises.ucdavis.50.1.1 = 1 | ||
+ | # enterprises.ucdavis.50.2.1 = " | ||
+ | # enterprises.ucdavis.50.3.1 = "/ | ||
+ | # enterprises.ucdavis.50.100.1 = 35 | ||
+ | # enterprises.ucdavis.50.101.1 = "hello world." | ||
+ | # enterprises.ucdavis.50.101.2 = "hi there." | ||
+ | # enterprises.ucdavis.50.102.1 = 0 | ||
+ | |||
+ | # Now the Output has grown to two lines, and we can see the 'hi | ||
+ | # there.' | ||
+ | # | ||
+ | # Note that you must alter the mib.txt file to be correct if you want | ||
+ | # the .50.* outputs above to change to reasonable text descriptions. | ||
+ | |||
+ | # Other ideas: | ||
+ | # | ||
+ | # exec .1.3.6.1.4.1.2021.51 ps / | ||
+ | # exec .1.3.6.1.4.1.2021.52 top / | ||
+ | # exec .1.3.6.1.4.1.2021.53 mailq / | ||
+ | |||
+ | # ----------------------------------------------------------------------------- | ||
+ | |||
+ | |||
+ | ############################################################################### | ||
+ | # Pass through control. | ||
+ | # | ||
+ | |||
+ | # Usage: | ||
+ | # pass MIBOID EXEC-COMMAND | ||
+ | # | ||
+ | # This will pass total control of the mib underneath the MIBOID | ||
+ | # portion of the mib to the EXEC-COMMAND. | ||
+ | # | ||
+ | # Note: You'll have to change the path of the passtest script to your | ||
+ | # source directory or install it in the given location. | ||
+ | # | ||
+ | # Example: | ||
+ | # | ||
+ | # | ||
+ | |||
+ | # pass .1.3.6.1.4.1.2021.255 /bin/sh / | ||
+ | |||
+ | # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255 | ||
+ | # enterprises.ucdavis.255.1 = "life the universe and everything" | ||
+ | # enterprises.ucdavis.255.2.1 = 42 | ||
+ | # enterprises.ucdavis.255.2.2 = OID: 42.42.42 | ||
+ | # enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 | ||
+ | # enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 | ||
+ | # enterprises.ucdavis.255.5 = 42 | ||
+ | # enterprises.ucdavis.255.6 = Gauge: 42 | ||
+ | # | ||
+ | # % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5 | ||
+ | # enterprises.ucdavis.255.5 = 42 | ||
+ | # | ||
+ | # % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string" | ||
+ | # enterprises.ucdavis.255.1 = "New string" | ||
+ | # | ||
+ | |||
+ | # For specific usage information, | ||
+ | # as well as the local/ | ||
+ | |||
+ | ############################################################################### | ||
+ | # Further Information | ||
+ | # | ||
+ | # See the snmpd.conf manual page, and the output of "snmpd -H". | ||
+ | </ | ||
+ | |||
+ | In der gewohnten Kurzform sehen wir nun folgende aktive Zeilen: | ||
+ | # egrep -v ' | ||
+ | |||
+ | < | ||
+ | group | ||
+ | view all | ||
+ | access | ||
+ | syslocation " | ||
+ | syscontact django@nausch.org | ||
+ | dontLogTCPWrappersConnects yes | ||
+ | disk / | ||
+ | disk /boot | ||
+ | disk /var/log | ||
+ | load 12 14 14 | ||
+ | </ | ||
+ | |||
+ | ==== Änderungen aktivieren ==== | ||
+ | Zum Aktivieren starten wir nun den Daemon einmal durch. | ||
+ | # service snmpd restart | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | ==== Änderungen testen ==== | ||
+ | Der Zugriff mit dem Passwort // | ||
+ | # snmpwalk -v 1 localhost -c private .1.3.6.1.4.1.2021.9 | ||
+ | |||
+ | | ||
+ | |||
+ | Genauso wenig scheitert der Verbindungsaufbau von einem entfernten Host aus dem eigenen Netz mit dem Passwort // | ||
+ | # snmpwalk -v 1 10.0.0.10 -c public .1.3.6.1.4.1.2021.9 | ||
+ | |||
+ | | ||
+ | |||
+ | Geben wir aber nun bei der Abfrage den richtigen Usernamen //django// mit dem zugehörigen Passwort // | ||
+ | * Von **localhost** aus: < | ||
+ | * Von **vml000030** aus: < | ||
+ | |||
+ | Passen Usernamen und/oder Passwort nicht, wird natürlich eine Fehlermeldung ausgegeben. | ||
+ | # snmpwalk -v 3 -l AuthNoPriv -u django -A Der_User_ohne_Rechte 10.0.0.10 sysDescr.0 | ||
+ | |||
+ | No log handling enabled - turning on stderr logging | ||
+ | | ||
+ | |||
+ | |||
+ | ===== SNMP Logging anpassen ===== | ||
+ | Im Normalfall wird uns im syslog der SNMP-Zugriff dokumentiert. Mit unter können diese zu Teil doch sehr vielen Logeinträgen unerwünscht erscheinen. | ||
+ | Dec 20 09:51:08 pml010010 snmpd[22654]: | ||
+ | Dec 20 09:51:08 pml010010 snmpd[22654]: | ||
+ | |||
+ | Das Logging generell abzustellen, | ||
+ | |||
+ | Folgende Loglevel sind unter CentOS 6.x wählbar: | ||
+ | ^ Log-Level ^ Beschreibung | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | |||
+ | Als Standard ist unter CentOS 6.x der Lglevel **0 - 6** aktiviert. Die Zugriffe auf den Deamon werden im Loglevel **6** protokolliert. | ||
+ | |||
+ | Wir werden also nun nachfolgend den Loglevel **0 - 5** definieren. Hierzu passen wir die Konfigurationsdatei // | ||
+ | # vim / | ||
+ | <file bash / | ||
+ | # Django : 2012-12-20 Loglevel 0-5 zum Unterdrücken der Zugriffe im syslog | ||
+ | # default: OPTIONS=" | ||
+ | OPTIONS=" | ||
+ | </ | ||
+ | |||
+ | Zum Aktivieren unserer Änderung starten wir den Daemon 1x durch. | ||
+ | # service snmpd restart | ||
+ | |||
+ | |||
+ | |||
+ | ====== Links ====== | ||
+ | * **[[centos: | ||
+ | * **[[wiki: | ||
+ | * **[[https:// | ||
+ | |||