{{tag>Brouillon Réseau SNMP}} = Notes SNMP Voir : * [[Notes SNMPv3]] * https://wiki.deimos.fr/SNMP_:_Le_protocole_de_gestion_r%C3%A9seaux.html * https://makina-corpus.com/python/initiation-snmp-avec-python-pysnmp-partie-1-le-protocole-et-les-commandes * http://www.sugarbug.web4me.fr/atelier/techniques/monitoring_lan/snmp/ * https://support.zoho.com/portal/manageengine/kb/articles/configuring-snmp-on-redhat-linux-server * [Configuration avancée de SNMP sur Linux : redémarrer un service à distance en utilisant le protocole SNMP](https://blog.cedrictemple.net/362-configuration-avancee-de-snmp-sur-linux-redemarrer-un-service-a-distance-en-utilisant-le-protocole-snmp/) * https://docs.redhat.com/fr/documentation/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-system_monitoring_tools-net-snmp#sect-System_Monitoring_Tools-Net-SNMP-Retrieving * https://blog.cedrictemple.net/290-configuration-avancee-de-snmp-sur-linux-les-informations-systemes/ Voir les traps SNMP : * [Les traps SNMP](https://documentation-fr.centreon.com/docs/centreon/en/2.8.x/configuration_guide/advanced_configuration/traps.html) * [snmptt](https://servicenav.coservit.com/documentations/2-creer-un-fichier-de-definition-trap/) * [How to define trapsess for snmpv3 without plain passwords in Red Hat Enterprise Linux 6](https://access.redhat.com/solutions/969183) * https://docs.centreon.com/fr/docs/monitoring/passive-monitoring/enable-snmp-traps/ Exemple de conf : * https://github.com/opencomputeproject/OpenNetworkLinux/blob/master/builds/any/rootfs/wheezy/common/overlay/etc/snmp/snmpd.conf ## Serveur ### RedHat ~~~bash yum install net-snmp ~~~ ### Debian ~~~bash apt-get install snmpd snmptrapd snmp-mibs-downloader ~~~ ~~~bash ln -s /usr/share/mibs/ /usr/share/snmp/mibs ~~~ ''/etc/default/snmptrapd'' ~~~bash #export MIBS= export MIBS=ALL export MIBDIRS=/usr/share/mibs #TRAPDRUN=no TRAPDRUN=yes #TRAPDOPTS='-Lsd -p /run/snmptrapd.pid' TRAPDOPTS='-On -Lsd -p /run/snmptrapd.pid' ~~~ ''/etc/snmp/snmp.conf'' ~~~ #mibs : ~~~ ~~~bash service snmpd restart service snmptrapd restart ~~~ ### Conf ''/etc/snmp/snmpd.conf'' ~~~ #rocommunity public localhost rocommunity public 0.0.0.0/0 #agentAddress udp:127.0.0.1:161 #agentAddress udp:161,udp6:[::1]:161 agentAddress udp:161 #includeAllDisks 1 skipNFSInHostResources 1 ~~~ #### Exemple conf ##### Exemple 1 - Conf Debian ''/etc/snmp/snmpd.conf'' ~~~ agentAddress udp:161,udp6:[::1]:161 view systemonly included .1.3.6.1.2.1.1 view systemonly included .1.3.6.1.2.1.25.1 rocommunity public rouser authOnlyUser sysLocation Sitting on the Dock of the Bay sysContact Me sysServices 72 proc mountd proc ntalkd 4 proc sendmail 10 1 disk / 10000 disk /var 5% includeAllDisks 10% load 12 10 5 trapsink localhost public iquerySecName internalUser rouser internalUser defaultMonitors yes linkUpDownNotifications yes extend test1 /bin/echo Hello, world! extend-sh test2 echo Hello, world! ; echo Hi there ; exit 35 master agentx smuxpeer .1.3.6.1.4.1.674.10892.1 ~~~ ##### Exemple 2 - Conf RedHat ''/etc/snmp/snmpd.conf'' ~~~ #com2sec notConfigUser default public com2sec mynetwork 192.168.0.0/24 public group notConfigGroup v1 notConfigUser group notConfigGroup v2c notConfigUser view centreon included .1.3.6.1 view systemview included .1.3.6.1.2.1.1 view systemview included .1.3.6.1.2.1.25.1.1 access notConfigGroup "" any noauth exact centreon none none access notConfigGroup "" any noauth exact systemview none none syslocation Unknown (edit /etc/snmp/snmpd.conf) syscontact Root (configure /etc/snmp/snmp.local.conf) dontLogTCPWrappersConnects yes ~~~ ~~~bash cat >> /etc/snmp/snmpd.conf <> /etc/snmp/snmpd.conf echo "smuxpeer .1.3.6.1.4.1.674.10892.1" >> /etc/snmp/snmpd.conf systemctl restart snmpd ~~~ Solution 2 ''/etc/sysconfig/snmpd'' ~~~bash # snmpd command line options # '-f' is implicitly added by snmpd systemd unit file # OPTIONS="-LS0-6d" OPTIONS="-I -smux" ~~~ ~~~bash systemctl restart snmpd ~~~ ### Pleins de message "Connection from UDP" dans les logs ''/var/log/syslog'' ~~~ Jul 18 01:08:07 plop snmpd[3232]: Connection from UDP: [192.168.15.27]:52799->[192.168.15.32] Jul 18 01:08:34 plop snmpd[3232]: Connection from UDP: [192.168.15.22]:53386->[192.168.15.32] ~~~ #### Solution Remplacer ''-Lsd'' par ''-LSwd'' ''/etc/default/snmpd'' ~~~ini #SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid' SNMPDOPTS='-LSwd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid' ~~~ Ou ''/etc/sysconfig/snmpd'' ~~~bash #OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid" OPTIONS="-LSwd -Lf /dev/null -p /var/run/snmpd.pid" ~~~ ou ''/etc/snmp/snmpd.conf'' ~~~ dontLogTCPWrappersConnects yes ~~~ puis restart du service ### Autres ''usmUser'' a été créer après le redémarrage de SNMPd suite à la commande ''createUser'' (SNMPv3) Voir la commande ''snmpusm'' #### snmptranslate ~~~ $ snmptranslate -M+. -m +ALL -On HOST-RESOURCES-MIB::hrProcessorTable .1.3.6.1.2.1.25.3.3 $ snmptranslate -Td .1.3.6.1.4.1.2021.11.52 UCD-SNMP-MIB::ssCpuRawSystem ... This object may sometimes be implemented as the combination of the 'ssCpuRawWait(54)' and 'ssCpuRawKernel(55)' counters, so care must be taken when summing the overall raw counters." ~~~ #### HP Ajoutez la ligne suivante dans /etc/snmp/snmpd.conf : ''/etc/snmp/snmpd.conf'' ~~~ dlmod cmaX /usr/lib64/libcmaX64.so ~~~ Redémarrez les services suivants : ~~~bash systemctl restart hp-snmp-agents systemctl restart snmpd ~~~ ## Client Voir : * https://blog.cedrictemple.net/239-faire-des-requetes-snmp-en-ligne-de-commande-sous-linux * https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-an-snmp-daemon-and-client-on-ubuntu-18-04-fr Use the ''-On'' option, according to ''man snmpcmd'' ~~~bash #snmpwalk -v2c -c public localhost snmpwalk -v2c -On -c public localhost ~~~ ### snmpwalk Voir aussi : * snmpgetnext Exemples : ~~~bash snmpwalk -v2c -c public localhost system #snmpwalk -v -c snmpwalk -v 2c -c public 192.168.1.13 1.3.6.1.2.1.2.2.1.10 snmpwalk -v 3 -u usersnmp -a SHA -A 'MonMot2Passe!!' -x AES -X '!!MaPhrase2PasseAE' -l authPriv localhost ~~~ ATTENTION : ne faites JAMAIS une requête snmpwalk sur la racine de l’arbre SNMP ou sur un noeud de haut niveau. Si vous faites cela, vous allez saturer l’agent SNMP interrogé, le réseau et votre poste. Dans le passé, vous pouviez saturer certains agents SNMP et il était nécessaire de les redémarrer voire de redémarrer l’équipement. Ce pourrait être très gênant si vous deviez demander à l’équipe réseau de redémarrer un routeur. ~~~bash # snmpwalk -v2c -c public 192.168.1.13 ~~~ ### snmpget ~~~bash #snmpget -v -c snmpget -v 2c -c public 192.168.1.13 1.3.6.1.2.1.2.2.1.10.1 OID_STORAGE_DESC=.1.3.6.1.2.1.25.2.3.1.3 OID_STORAGE_SIZE=.1.3.6.1.2.1.25.2.3.1.5 OID_STORAGE_USED=.1.3.6.1.2.1.25.2.3.1.6 snmpget -r 2 -v 3 -a MD5 -A "$PASSWD" -l authNoPriv -u nagios -Oqv localhost $OID_STORAGE_DESC.${indice} snmpget -r 2 -v 3 -a MD5 -A "$PASSWD" -l authNoPriv -u nagios -Oqv localhost $OID_STORAGE_SIZE.${indice} snmpget -r 2 -v 3 -a MD5 -A "$PASSWD" -l authNoPriv -u nagios -Oqv localhost $OID_STORAGE_USED.${indice} ~~~ ### Nagios check_snmp Exemple de supervision de ports sur un switch ''/usr/local/nagios/etc/objects/commands.cfg'' ~~~c define command{ command_name check_port_com command_line $USER1$/check_snmp -H $HOSTADDRESS$ -P3 -L authNoPriv -a MD5 -U $USER3$ -A "$USER4$" -c 1,1 -o IF-MIB::ifOperStatus.$ARG1$ } ~~~ ''switch.cfg'' ~~~c define service{ use generic-service ; Inherit values from a template host_name linksys-srw224p service_description Port 1 Link Status check_command check_snmp!-C public -o ifOperStatus.1 -r 1 -m RFC1213-MIB } ~~~ ''/usr/local/nagios/etc/objects/switch.cfg'' ~~~c define service{ use EtatPortCom hostgroup_name RouteurSwitchs service_description EtatPortCom1 check_command check_port_com!1 #event_handler trigger_etatport!1 } ~~~ ### Lister les utilisateurs SNMPv3 ~~~bash snmpwalk .1.3.6.1.6.3.15.1.2.2.1.3 ~~~ ### Ajout d'une MIB Voir : https://github.com/simonjj/SnmpMibs Logs Zabbix ~~~ MIB search path: /root/.snmp/mibs:/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/mibs/site:/usr/share/snmp/mibs:/usr/share/mibs/iana:/usr/share/mibs/ietf:/usr/share/mibs/netsnmp Cannot find module (DISMAN-EVENT-MIB): At line 1 in (none) ~~~ ~~~bash apt-get install snmp-mibs-downloader ~~~ La MIB sera installée ici : ''/var/lib/snmp/mibs/ietf/DISMAN-EVENT-MIB'' Commenter **mibs :** ''/etc/snmp/snmp.conf'' ~~~ #mibs : ~~~ ~~~bash snmptranslate -Tp ~~~ Pour **DISMAN-EVENT-MIB** le pb est résolu Mais il reste **CPQRACK-MIB** et **CPQIDA-MIB** ~~~ Cannot find module (CPQRACK-MIB): At line 1 in (none) Cannot find module (CPQIDA-MIB): At line 1 in (none) ~~~ ~~~bash git clone https://github.com/simonjj/SnmpMibs cd SnmpMibs cp CPQ* /usr/share/snmp/mibs/ chmod a+r /usr/share/snmp/mibs/CPQ* ~~~ #### Notes ~~~ snmpget -t 1 -r 5 -M /usr/local/share/snmp/mibs -v 1 -c public 159.217.18.10:161 cpqRackCommonEnclosureTemp tcpdump -i any -s 0 host hp-array-1.0 and port 161 -n ~~~ ### snmpcheck Il existe l'ancienne version écrit en Perl et une plus récente écrit en Ruby Il ne faut pas confondre la commande snmpcheck de Debian (paquet **[[http://net-snmp.sourceforge.net/|snmp]]**) avec la snmpcheck de http://www.nothink.org/codes/snmpcheck Debian ~~~bash apt-get install ruby-snmp ~~~ RedHat ~~~bash yum install ruby gem install snmp ~~~ ~~~bash wget http://www.nothink.org/codes/snmpcheck/snmpcheck-1.9.rb chmod +x snmpcheck-1.9.rb ./snmpcheck.rb ~~~ ~~~bash nmap -sS 192.168.56.21 snmpcheck -h snmpcheck -t 192.168.56.21 ~~~ ### qtmib GUI SNMP MIB Browser for Linux platforms Liens : https://sourceforge.net/projects/qtmib/ The program comes with a large number of MIBs pre-installed, anything from Cisco’s and Juniper’s to HP’s and Dell’s. You can also install your own MIBs by copying them into ~/.config/qtmib/mibs directory.