<!-- Copyright (C) 2003 Red Hat, Inc. -->
<!-- This material may be distributed only subject to the terms -->
<!-- and conditions set forth in the Open Publication License, v1.0 -->
<!-- or later (the latest version is presently available at -->
<!-- http://www.opencontent.org/openpub/). -->
<!-- Distribution of the work or derivative of the work in any -->
<!-- standard (paper) book form is prohibited unless prior -->
<!-- permission is obtained from the copyright holder. -->
eCos Reference Manual
Chapter 47. SNMP for

snmpd.conf

SNMPD.CONF(5)                                        SNMPD.CONF(5)

share/snmp/snmpd.conf - configuration file for the ucd-

snmpd.conf is the configuration file which defines how the
ucd-snmp SNMP agent operates. These files may contain any
of the directives found in the DIRECTIVES section below.
This file is not required for the agent to operate and

First, make sure you have read the snmp_config(5) manual
page that describes how the ucd-snmp configuration files
operate, where they are located and how they all work

The ucd-snmp SNMP agent reports much of its information
through queries to the 1.3.6.1.4.1.2021 section of the mib
tree. Every mib in this section has the following table

These are the table's index numbers for each of the
DIRECTIVES listed below.

The name of the given table entry. This should be
unique, but is not required to be.

This is a flag returning either the integer value 1
or 0 if an error is detected for this table entry.

This is a DISPLAY-STRING describing any error triggering
the errorFlag above.

If this entry is SNMPset to the integer value of 1
AND the errorFlag defined above is indeed a 1, a
program or script will get executed with the table
entry name from above as the argument. The program
to be executed is configured in the config.h file

Checks to see if the NAME'd processes are running
on the agent's machine. An error flag (1) and a
description message are then passed to the
1.3.6.1.4.1.2021.2.100 and 1.3.6.1.4.1.2021.2.101
mib tables (respectively) if the NAME'd program is
not found in the process table as reported by

If MAX and MIN are not specified, MAX is assumed to
be infinity and MIN is assumed to be 1.

If MAX is specified but MIN is not specified, MIN

procfix NAME PROG ARGS
This registers a command that knows how to fix
errors with the given process NAME. When
1.3.6.1.4.1.2021.2.102 for a given NAMEd program is
set to the integer value of 1, this command will be
called. It defaults to a compiled value set using
the PROCFIXCMD definition in the config.h file.

exec MIBNUM NAME PROG ARGS

If MIBNUM is not specified, the agent executes the
named PROG with arguments of ARGS and returns the
exit status and the first line of the STDOUT output
of the PROG program to queries of the
1.3.6.1.4.1.2021.8.100 and 1.3.6.1.4.1.2021.8.101
mib tables (respectively). All STDOUT output
beyond the first line is silently truncated.

If MIBNUM is specified, it acts as above but
returns the exit status to MIBNUM.100.0 and the
entire STDOUT output to the table MIBNUM.101 in a
mib table. In this case, the MIBNUM.101 mib contains
the entire STDOUT output, one mib table entry
per line of output (ie, the first line is output as
MIBNUM.101.1, the second at MIBNUM.101.2, etc...).

Note: The MIBNUM must be specified in dotted-integer
notation and can not be specified as
".iso.org.dod.internet..." (should instead

Note: The agent caches the exit status and STDOUT
of the executed program for 30 seconds after
the initial query. This is to increase
speed and maintain consistency of information
for consecutive table queries. The
cache can be flushed by a snmp-set request
of integer(1) to 1.3.6.1.4.1.2021.100.VER-

execfix NAME PROG ARGS
This registers a command that knows how to fix
errors with the given exec or sh NAME. When
1.3.6.1.4.1.2021.8.102 for a given NAMEd entry is
set to the integer value of 1, this command will be
called. It defaults to a compiled value set using
the EXECFIXCMD definition in the config.h file.

disk PATH [ MINSPACE | MINPERCENT% ]

Checks the named disks mounted at PATH for available
disk space. If the disk space is less than
MINSPACE (kB) if specified or less than MINPERCENT
(%) if a % sign is specified, or DEFDISKMINIMUMSPACE
(kB) if not specified, the associated
entry in the 1.3.6.1.4.1.2021.9.100 mib table will
be set to (1) and a descriptive error message will
be returned to queries of 1.3.6.1.4.1.2021.9.101.

Checks the load average of the machine and returns
an error flag (1), and a text-string error message
to queries of 1.3.6.1.4.1.2021.10.100 and
1.3.6.1.4.1.2021.10.101 (respectively) when the
1-minute, 5-minute, or 15-minute averages exceed
the associated maximum values. If any of the MAX1,
MAX5, or MAX15 values are unspecified, they default
to a value of DEFMAXLOADAVE.

Monitors file sizes and makes sure they don't grow
beyond a certain size. MAXSIZE defaults to infinite
if not specified, and only monitors the size
without reporting errors about it.

Any errors in obtaining the above information are reported
via the 1.3.6.1.4.1.2021.101.100 flag and the
1.3.6.1.4.1.2021.101.101 text-string description.

To enable an SMUX based sub-agent, such as gated, use the
smuxpeer configuration entry

For gated a sensible entry might be

.1.3.6.1.4.1.4.1.3 secret

snmpd supports the View-Based Access Control Model (vacm)
as defined in RFC 2275. To this end, it recognizes the
following keywords in the configuration file: com2sec,
group, access, and view as well as some easier-to-use
wrapper directives: rocommunity, rwcommunity, rouser,

rocommunity COMMUNITY [SOURCE] [OID]

rwcommunity COMMUNITY [SOURCE] [OID]
These create read-only and read-write communities
that can be used to access the agent. They are a
quick method of using the following com2sec, group,
access, and view directive lines. They are not as
efficient either, as groups aren't created so the
tables are possibly larger. In other words: don't
use these if you have complex situations to set up.

The format of the SOURCE token is described in
the com2sec directive section below. The OID token
restricts access for that community to everything
below that given OID.

rouser USER [noauth|auth|priv] [OID]

rwuser USER [noauth|auth|priv] [OID]
Creates a SNMPv3 USM user in the VACM access
configuration tables. Again, it's more efficient
(and powerful) to use the combined com2sec, group,
access, and view directives instead.

The minimum level of authentication and privacy the
user must use is specified by the first token
(which defaults to "auth"). The OID parameter
restricts access for that user to everything below

com2sec NAME SOURCE COMMUNITY
This directive specifies the mapping from a
source/community pair to a security name. SOURCE
can be a hostname, a subnet, or the word "default".
A subnet can be specified as IP/MASK or IP/BITS.
The first source/community combination that matches
the incoming packet is selected.

group NAME MODEL SECURITY
This directive defines the mapping from
securitymodel/securityname to group. MODEL is one of v1,

access NAME CONTEXT MODEL LEVEL PREFX READ WRITE NOTIFY
The access directive maps from group/security
model/security level to a view. MODEL is one of
any, v1, v2c, or usm. LEVEL is one of noauth,
auth, or priv. PREFX specifies how CONTEXT should
be matched against the context of the incoming pdu,
either exact or prefix. READ, WRITE and NOTIFY
specify the view to be used for the corresponding
access. For v1 or v2c access, LEVEL will be
noauth, and CONTEXT will be empty.

view NAME TYPE SUBTREE [MASK]
This defines the named view. TYPE is either included
or excluded. MASK is a list of hex octets, separated
by '.' or ':'. The MASK defaults to "ff" if

The reason for the mask is that it allows you to
control access to one row in a table, in a relatively
simple way. As an example, as an ISP you
might consider giving each customer access to his
or her own interface:

    view cust1 included interfaces.ifTable.ifEntry.ifIndex.1 ff.a0
    view cust2 included interfaces.ifTable.ifEntry.ifIndex.2 ff.a0

(interfaces.ifTable.ifEntry.ifIndex.1 == .1.3.6.1.2.1.2.2.1.1.1,
ff.a0 == 11111111.10100000, which nicely covers up to and including
the row index, but lets the user vary the field of the row)
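
The mask matching described above, written out as an added example (it is not code from ucd-snmp or from this manual). It assumes the RFC 2275 rule that mask bits beyond the end of the mask count as 1; the function names are hypothetical.

```python
def parse_oid(text):
    """Turn a dotted-integer OID such as '.1.3.6.1' into a tuple of ints."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask, length):
    """Expand a hex-octet mask ('ff.a0' or 'ff:a0') into `length` booleans.

    Bit 1 is the most significant bit of the first octet and applies to the
    first sub-identifier. Positions past the end of the mask are treated as
    1 (must match), following RFC 2275.
    """
    octets = [int(o, 16) for o in mask.replace(":", ".").split(".") if o]
    bits = [bool(octet & (0x80 >> i)) for octet in octets for i in range(8)]
    return (bits + [True] * length)[:length]


def in_view(oid, subtree, mask="ff"):
    """True if `oid` falls in the family defined by `subtree` and `mask`."""
    oid, subtree = parse_oid(oid), parse_oid(subtree)
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask, len(subtree))
    # A 0 bit wildcards that sub-identifier; a 1 bit requires equality.
    return all(not must or o == s for o, s, must in zip(oid, subtree, bits))


# The cust1 and cust2 subtrees from the man page, in dotted-integer form.
CUST1 = ".1.3.6.1.2.1.2.2.1.1.1"
CUST2 = ".1.3.6.1.2.1.2.2.1.1.2"

if __name__ == "__main__":
    # Column 10 of ifEntry (ifInOctets), rows 1 and 2, checked against cust1.
    for oid in (".1.3.6.1.2.1.2.2.1.10.1", ".1.3.6.1.2.1.2.2.1.10.2"):
        print(oid, "cust1:", in_view(oid, CUST1, "ff.a0"))
```

With ff.a0 the tenth sub-identifier (the column) is wildcarded while the eleventh (the row index) must match, so each customer sees every column of their own row only. Without the mask, the same view line would expose just ifIndex for that row.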

    #       sec.name  source          community
    com2sec local     localhost       private
    com2sec mynet     10.10.10.0/24   public
    com2sec public    default         public

    group mygroup v1         mynet
    group mygroup v2c        mynet
    group mygroup usm        mynet

    group local   v2c        local
    group local   usm        local
    group public  v1         public
    group public  v2c        public
    group public  usm        public

    #           incl/excl subtree                          mask
    view all    included  .1                               80
    view system included  system                           fe
    view mib2   included  .iso.org.dod.internet.mgmt.mib-2 fc

    #              context sec.model sec.level prefix read   write notify
    access mygroup ""      any       noauth    exact  mib2   none  none
    access public  ""      any       noauth    exact  system none  none
    access local   ""      any       noauth    exact  all    all   all

The default configuration of the agent, as shipped, is functionally
equivalent to the following entries:

    com2sec public default public
    group public v1 public
    group public v2c public
    group public usm public

    access public "" any noauth exact all none none
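
An added example (not part of the man page or of ucd-snmp): a small audit that reads access-control lines in the formats documented above and reports the ones an administrator would want to tighten. The rule set and the final sample line are constructed for illustration; the other sample lines are the man page's example configuration.

```python
WELL_KNOWN = {"public", "private"}  # communities used in the man page's examples


def audit(conf_text):
    """Return (line_number, message) findings for risky access-control lines."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        directive, args = tok[0], tok[1:]
        if directive == "com2sec" and len(args) == 3:
            _name, source, community = args
            if source == "default":
                findings.append((n, "com2sec matches any source address"))
            if community in WELL_KNOWN:
                findings.append((n, f"well-known community '{community}'"))
        elif directive in ("rocommunity", "rwcommunity") and args:
            if len(args) < 2 or args[1] == "default":
                findings.append((n, f"{directive} without a SOURCE restriction"))
            if args[0] in WELL_KNOWN:
                findings.append((n, f"well-known community '{args[0]}'"))
        elif directive == "access" and len(args) == 8:
            level, write = args[3], args[6]  # NAME CONTEXT MODEL LEVEL PREFX READ WRITE NOTIFY
            if level == "noauth" and write != "none":
                findings.append((n, f"noauth level may write view '{write}'"))
        elif directive in ("rouser", "rwuser") and args[1:2] == ["noauth"]:
            findings.append((n, f"{directive} allows unauthenticated SNMPv3"))
    return findings


# Lines 1-6 are the man page's example; line 7 is constructed.
SAMPLE = """\
com2sec local   localhost      private
com2sec mynet   10.10.10.0/24  public
com2sec public  default        public
access mygroup "" any noauth exact mib2   none none
access public  "" any noauth exact system none none
access local   "" any noauth exact all    all  all
rwcommunity private
"""

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no}: {message}")
```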

The snmpd agent needs to be configured with an
engineID to be able to respond to SNMPv3 messages.
With this configuration file line, the engineID
will be configured from STRING. The default value
of the engineID is configured with the first IP
address found for the hostname of the machine.

createUser username (MD5|SHA) authpassphrase [DES] [priv-

This directive should be placed into the
"/var/ucd-snmp"/snmpd.conf file instead of the other normal
locations. The reason is that the information is
read from the file and then the line is removed
(eliminating the storage of the master password for
that user) and replaced with the key that is
derived from it. This key is a localized key, so
that if it is stolen it can not be used to access
other agents. If the password is stolen, however,

MD5 and SHA are the authentication types to use,
but you must have built the package with openssl
installed in order to use SHA. The only privacy
protocol currently supported is DES. If the privacy
passphrase is not specified, it is assumed to
be the same as the authentication passphrase. Note
that the users created will be useless unless they
are also added to the VACM access control tables

Warning: the minimum pass phrase length is 8 char-

SNMPv3 users can be created at runtime using the

SETTING SYSTEM INFORMATION

Sets the system location and the system contact for
the agent. This information is reported by the
'system' table in the mibII tree.

authtrapenable NUMBER
Setting authtrapenable to 1 enables generation of
authentication failure traps. The default value is

This defines the default community string to be
used when sending traps. Note that this command
must be used prior to any of the following three
commands that are intended to use this community

trapsink HOST [COMMUNITY [PORT]]

trap2sink HOST [COMMUNITY [PORT]]

informsink HOST [COMMUNITY [PORT]]
These commands define the hosts to receive traps
(and/or inform notifications). The daemon sends a
Cold Start trap when it starts up. If enabled, it
also sends traps on authentication failures. Multiple
trapsink, trap2sink and informsink lines may
be specified to specify multiple destinations. Use
trap2sink to send SNMPv2 traps and informsink to
send inform notifications. If COMMUNITY is not
specified, the string from a preceding trapcommunity
directive will be used. If PORT is not specified,
the well known SNMP trap port (162) will be

Passes entire control of MIBOID to the EXEC program.
The EXEC program is called in one of the
following three ways:

These call lines match to SNMP get and getnext
requests. It is expected that the EXEC
program will take the arguments passed to it
and return the appropriate response through

The first line of stdout should be the mib
OID of the returning value. The second line
should be the TYPE of value returned, where
TYPE is one of the text strings: string,
integer, unsigned, objectid, timeticks,
ipaddress, counter, or gauge. The third
line of stdout should be the VALUE corresponding
with the returned TYPE.

For instance, if a script were to return the
integer value "42" when .1.3.6.1.4.100 was
requested, the script
should return the following 3 lines:

To indicate that the script is unable to
comply with the request due to an end-of-mib
condition or an invalid request, simply exit
and return no output to stdout at all. A
snmp error will be generated corresponding
to the SNMP NO-SUCH-NAME response.

EXEC -s MIBOID TYPE VALUE

For SNMP set requests, the above call method
is used. The TYPE passed to the EXEC program
is one of the text strings: integer,
counter, gauge, timeticks, ipaddress, objid,
or string, indicating the type of value
passed in the next argument.

Return nothing to stdout, and the set will be
assumed to have been successful. Otherwise,
return one of the following error strings to
signal an error: not-writable, or wrong-type
and the appropriate error response will be

Note: By default, the only community
allowed to write (ie snmpset) to
your script will be the "private"
community, or community #2 if defined
differently by the "community" token
discussed above. Which communities
are allowed write access are controlled
by the RWRITE definition in
the snmplib/snmp_impl.h source file.
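
An added example (not from the man page or the ucd-snmp sources) of an EXEC program that follows the stdout contract described above. It assumes the -g and -n call forms ucd-snmp uses for get and getnext; the OID table is constructed, with .1.3.6.1.4.100 taken from the man page's own illustration and .1.3.6.1.4.101 a hypothetical writable entry.

```python
import re
import sys

# Constructed sample data: OID -> [TYPE, VALUE].
TABLE = {
    (1, 3, 6, 1, 4, 100): ["integer", "42"],
    (1, 3, 6, 1, 4, 101): ["integer", "5"],
}
WRITABLE = {(1, 3, 6, 1, 4, 101)}
OID_RE = re.compile(r"\.?[0-9]+(\.[0-9]+)*")


def parse_oid(text):
    """Strict dotted-integer parse; anything else yields None."""
    if not OID_RE.fullmatch(text):
        return None
    return tuple(int(p) for p in text.strip(".").split("."))


def fmt(oid):
    return "." + ".".join(str(n) for n in oid)


def handle(args):
    """Return the stdout lines for one call; [] means print nothing."""
    if len(args) == 2 and args[0] in ("-g", "-n"):
        oid = parse_oid(args[1])
        if oid is None:
            return []
        if args[0] == "-n":  # getnext: first table OID after the request
            oid = min((o for o in TABLE if o > oid), default=None)
        if oid not in TABLE:
            return []  # no output: agent answers NO-SUCH-NAME
        return [fmt(oid)] + TABLE[oid]
    if len(args) == 4 and args[0] == "-s":
        oid, typ, value = parse_oid(args[1]), args[2], args[3]
        if oid not in WRITABLE:
            return ["not-writable"]
        if typ != "integer" or not re.fullmatch(r"-?[0-9]+", value):
            return ["wrong-type"]
        # In-memory only; a real handler persists this, since each
        # request starts a new process.
        TABLE[oid][1] = value
        return []
    return []


if __name__ == "__main__":
    for line in handle(sys.argv[1:]):
        print(line)
```

The handler validates every argument and never hands OID or VALUE text to a shell, which matters because set values arrive from whoever holds a write community.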

See the EXAMPLE.CONF file in the top level source directory
for a more detailed example of how the above information
is used in real examples.

RE-READING snmpd.conf and snmpd.local.conf
The ucd-snmp agent can be forced to re-read its configuration
files. It can be told to do so by one of two ways:

1. An snmpset of integer(1) to
   1.3.6.1.4.1.2021.100.VERUPDATECONFIG.

2. A "kill -HUP" signal sent to the snmpd agent pro-

share/snmp/snmpd.conf

snmp_config(5), snmpd(1), EXAMPLE.conf, read_config(3).

27 Jan 2000                                          SNMPD.CONF(5)