.TH SNMPD 8 "30 Jun 2010" VVERSIONINFO "Net-SNMP"
.SH NAME
snmpd - daemon to respond to SNMP request packets.
.SH SYNOPSIS
.B snmpd
[OPTIONS] [LISTENING ADDRESSES]
.SH DESCRIPTION
.B snmpd
is an SNMP agent which binds to a port and awaits requests from
SNMP management software. Upon receiving a request, it processes the
request(s), collects the requested information and/or performs the
requested operation(s) and returns the information to the sender.
.SH OPTIONS
.TP 8
.B \-a
Log the source addresses of incoming requests.
.TP
.B \-A
Append to the log file rather than truncating it.
.TP
.B "\-c" \fIFILE
Read
.I FILE
as a configuration file
(or a comma-separated list of configuration files). Note that the loaded
file will only understand snmpd.conf tokens, unless the configuration type
is specified in the file as described in the snmp_config man page under
SWITCHING CONFIGURATION TYPES IN MID-FILE.
.TP
.B \-C
Do not read any configuration files except the ones optionally specified by the
.B \-c
option.
Note that this behaviour also covers the persistent configuration files.
This may result in dynamically-assigned values being reset following an
agent restart, unless the relevant persistent config files are
explicitly loaded using the
.B \-c
option.
.TP
.B \-d
Dump (in hexadecimal) the sent and received SNMP packets.
.TP
.B \-D\fI[TOKEN[,...]]
Turn on debugging output for the given
.IR "TOKEN" "(s)."
Without any tokens specified, it defaults to printing all the tokens
(which is equivalent to the keyword "ALL").
You might want to try
.IR ALL
for extremely verbose output. Note: You cannot put a space between
the \-D flag and the listed TOKENs.
.TP
.B \-f
Do not fork() from the calling shell.
.TP
.B \-g \fIGID
Change to the numerical group ID
.I GID
after opening listening sockets.
.TP
.B \-h, \-\-help
Display a brief usage message and then exit.
.TP
.B \-H
Display a list of configuration file directives understood by the
agent and then exit.
.TP
.B \-I \fI[\-]INITLIST
Specifies which modules should (or should not) be initialized
when the agent starts up. If the comma-separated
.I INITLIST
is preceded
with a '\-', it is the list of modules that should \fInot\fR be started.
Otherwise this is the list of the \fIonly\fR modules that should be started.

To get a list of compiled modules, run the agent with the arguments
.I "\-Dmib_init \-H"
(assuming debugging support has been compiled in).
.TP
.B \-L[eEfFoOsSnN]
Specify where logging output should be directed (standard error or output,
to a file or via syslog). See LOGGING OPTIONS in snmpcmd(1) for details.
.TP
.BR \-m " \fIMIBLIST"
Specifies a colon separated list of MIB modules to load for this
application. This overrides the environment variable MIBS.
See \fIsnmpcmd(1)\fR for details.
.TP
.BR \-M " \fIDIRLIST"
Specifies a colon separated list of directories to search for MIBs.
This overrides the environment variable MIBDIRS.
See \fIsnmpcmd(1)\fR for details.
.TP
.B \-n \fINAME
Set an alternative application name (which will affect the
configuration files loaded).
By default this will be \fIsnmpd\fR, regardless of the name
of the actual binary.
.TP
.B \-p \fIFILE
Save the process ID of the daemon in
.IR FILE "."
.TP
.B \-q
Print simpler output for easier automated parsing.
.TP
.B \-r
Do not require root access to run the daemon. Specifically, do not exit
if files only accessible to root (such as /dev/kmem etc.) cannot be
opened.
.TP
.B \-u \fIUID
Change to the user ID
.I UID
(which can be given in numerical or textual form) after opening
listening sockets.
.TP
.B \-U
Instructs the agent to not remove its pid file (see the
.B \-p
option) on shutdown. Overrides the leave_pidfile token in the
.I snmpd.conf
file, see
.I snmpd.conf(5).
.TP
.B \-v, \-\-version
Print version information for the agent and then exit.
.TP
.B \-V
Symbolically dump SNMP transactions.
.TP
.B \-x \fIADDRESS
Listens for AgentX connections on the specified address
rather than the default AGENTX_SOCKET.
The address can either be a Unix domain socket path,
or the address of a network interface. The format is the same as the
format of listening addresses described below.
.TP
.B \-X
Run as an AgentX subagent rather than as an SNMP master agent.
.TP
.BI \-\- "name"="value"
Allows one to specify any token ("name") supported in the
.I snmpd.conf
file and sets its value to "value". Overrides the corresponding token in the
.I snmpd.conf
file. See
.I snmpd.conf(5)
for the full list of tokens.
.SH LISTENING ADDRESSES
By default,
.B snmpd
listens for incoming SNMP requests on UDP port 161 on all IPv4 interfaces.
However, it is possible to modify this behaviour by specifying one or more
listening addresses as arguments to \fBsnmpd\fR.
A listening address takes the form:
.IP
[<transport-specifier>:]<transport-address>
.PP
At its simplest, a listening address may consist only of a port
number, in which case
.B snmpd
listens on that UDP port on all IPv4 interfaces. Otherwise, the
<transport-address> part of the specification is parsed according to
the following table:
.RS 4
.TP 28
.BR "<transport-specifier>"
.BR "<transport-address> format"
.IP "udp \fI(default)\fR" 28
hostname[:port]
.I or
IPv4-address[:port]
.IP "tcp" 28
hostname[:port]
.I or
IPv4-address[:port]
.IP "unix" 28
pathname
.IP "ipx" 28
[network]:node[/port]
.TP 28
.IR "" "aal5pvc " or " pvc"
[interface.][VPI.]VCI
.TP 28
.IR "" "udp6 " or " udpv6 " or " udpipv6"
hostname[:port]
.I or
IPv6-address[:port]
.TP 28
.IR "" "tcp6 " or " tcpv6 " or " tcpipv6"
hostname[:port]
.I or
IPv6-address[:port]
.TP 28
.IR "" "ssh"
hostname:port
.TP 28
.IR "" "dtlsudp"
hostname:port
.RE
.PP
Note that <transport-specifier> strings are case-insensitive so that,
for example, "tcp" and "TCP" are equivalent. Here are some examples,
along with their interpretation:
.TP 24
.IR "127.0.0.1:161"
listen on UDP port 161, but only on the loopback interface. This
prevents
.B snmpd
being queried remotely. The port specification ":161" is
not strictly necessary since that is the default SNMP port.
.TP 24
.IR "TCP:1161"
listen on TCP port 1161 on all IPv4 interfaces.
.TP 24
.IR "ipx:/40000"
listen on IPX port 40000 on all IPX interfaces.
.TP 24
.IR "unix:/tmp/local\-agent"
listen on the Unix domain socket \fI/tmp/local\-agent\fR.
.TP 24
.IR "/tmp/local\-agent"
is identical to the previous specification, since the Unix domain is
assumed if the first character of the <transport-address> is '/'.
.TP 24
.IR "PVC:161"
listen on the AAL5 permanent virtual circuit with VPI=0 and VCI=161
(decimal) on the first ATM adapter in the machine.
.TP 24
.IR "udp6:10161"
listen on port 10161 on all IPv6 interfaces.
.TP 24
.IR "ssh:127.0.0.1:22"
Allows connections from the snmp subsystem on the ssh server on port
22. The details of using SNMP over SSH are defined below.
.TP 24
.IR "dtlsudp:127.0.0.1:9161"
Listen for connections over DTLS on UDP port 9161. The snmp.conf file
must have the
.IR serverCert
configuration tokens defined.
.PP
Note that not all the transport domains listed above will always be
available; for instance, hosts with no IPv6 support will not be able
to use udp6 transport addresses, and attempts to do so will result in
the error "Error opening specified endpoint". Likewise, since AAL5
PVC support is only currently available on Linux, it will fail with
the same error on other platforms.
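.PP
The parsing rules above decide whether the agent is reachable from the network, so they are worth checking mechanically when reviewing a start-up command line. The following is an added example, not code from Net-SNMP: the function names and exposure categories are hypothetical, the bracketed IPv6 form is an assumption, and hostnames are not resolved.

```python
import ipaddress

# Specifier aliases from the transport table, mapped to one canonical name.
SPECIFIERS = {
    "udp": "udp", "tcp": "tcp", "unix": "unix", "ipx": "ipx",
    "aal5pvc": "pvc", "pvc": "pvc", "ssh": "ssh", "dtlsudp": "dtlsudp",
    "udp6": "udp6", "udpv6": "udp6", "udpipv6": "udp6",
    "tcp6": "tcp6", "tcpv6": "tcp6", "tcpipv6": "tcp6",
}
IP_TRANSPORTS = {"udp", "tcp", "udp6", "tcp6", "dtlsudp"}

def parse_listening_address(spec):
    """Split one listening address into (transport, transport-address)."""
    if spec.startswith("/"):                # leading '/' implies the Unix domain
        return "unix", spec
    head, sep, rest = spec.partition(":")
    if sep and head.lower() in SPECIFIERS:  # specifiers are case-insensitive
        return SPECIFIERS[head.lower()], rest
    return "udp", spec                      # no specifier: udp is the default

def exposure(spec):
    """Return local-socket, loopback, all-interfaces, specific-host or non-ip."""
    transport, addr = parse_listening_address(spec)
    if transport in ("unix", "ssh"):        # ssh is a unix named pipe server-side
        return "local-socket"
    if transport not in IP_TRANSPORTS:      # ipx and pvc are not analysed here
        return "non-ip"
    if addr.isdigit():                      # bare port: every interface
        return "all-interfaces"
    if addr.startswith("["):                # assumption: bracketed IPv6 literal
        host = addr[1:].partition("]")[0]
    else:
        host, sep, port = addr.rpartition(":")
        if not (sep and port.isdigit()):
            host = addr                     # no ":port" suffix present
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "specific-host"              # hostnames are not resolved here
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific-host"

def network_reachable(specs):
    """Return the addresses that are not confined to the local machine.
    An empty list stands for the default, UDP port 161 on all IPv4 interfaces."""
    return [s for s in (specs or ["161"])
            if exposure(s) not in ("local-socket", "loopback")]

# The man page's own example addresses, collected here as sample input.
PAGE_EXAMPLES = ["127.0.0.1:161", "TCP:1161", "ipx:/40000",
                 "unix:/tmp/local-agent", "/tmp/local-agent", "PVC:161",
                 "udp6:10161", "ssh:127.0.0.1:22", "dtlsudp:127.0.0.1:9161"]
```

Every address returned by network_reachable() should be matched by firewall rules and snmpd.conf access control; an empty argument list is reported as the default port 161 on all IPv4 interfaces.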
.SH TRANSPORT SPECIFIC NOTES
.RS 0
.TP 8
ssh
The SSH transport, on the server side, is actually just a unix
named pipe that can be connected to via an ssh subsystem configured in
the main ssh server. The pipe location (configurable with the
sshtosnmpsocket token in snmp.conf) is
.I /var/net\-snmp/sshtosnmp.
Packets should be submitted to it via the sshtosnmp application, which
also sends the user ID when starting the connection. The TSM
security model should be used to process packets received through it.
.IP
The
.I sshtosnmp
command knows how to connect to this pipe and talk to
it. It should be configured in the
.IR "OpenSSH sshd"
configuration file (which is normally
.IR "/etc/ssh/sshd_config" )
using the following configuration line:
.TP 8
.IP
Subsystem snmp /usr/local/bin/sshtosnmp
.IP
The
.I sshtosnmp
command will need read/write access to the
.I /var/net\-snmp/sshtosnmp
pipe. Although it should be fairly safe to grant access to the
average user since it still requires modifications to the ACM settings
before the user can perform operations, paranoid administrators may
want to make the /var/net\-snmp directory accessible only by users in a
particular group. Use the
.I sshtosnmpsocketperms
snmp.conf configuration option to set the permissions, owner and group of
the created socket.
.IP
Access control can be granted to the user "foo" using the following
style of simple snmpd.conf settings:
.TP 8
.IP
rouser \-s tsm foo authpriv
.IP
Note that "authpriv" is acceptable, as SSH protects everything
that way (assuming you have a non-insane setup).
snmpd has no notion of how SSH has actually protected a packet and
thus the snmp agent assumes all packets passed through the SSH
transport have been protected at the authpriv level.
.TP 8
dtlsudp
The DTLS protocol, which is based on TLS, requires both client and
server certificates to establish the connection and authenticate both
sides. In order to do this, the client will need to configure the
snmp.conf file
with the
.IR clientCert
configuration tokens. The server will need to configure the snmp.conf
file with the
.IR serverCert
configuration tokens defined.
.IP
Access control setup is similar to the ssh transport as the TSM
security model should be used to protect the packet.
.RE
.SH CONFIGURATION FILES
.PP
.B snmpd
checks for the existence of and parses the following files:
.TP 6
.B SYSCONFDIR/snmp/snmp.conf
Common configuration for the agent and applications. See
.I snmp.conf(5)
for details.
.TP
.B SYSCONFDIR/snmp/snmpd.conf
.TP
.B SYSCONFDIR/snmp/snmpd.local.conf
Agent-specific configuration. See
.I snmpd.conf(5)
for details. These files are optional and may be used to configure
access control, trap generation, subagent protocols and much else
besides.
.IP
In addition to these two configuration files in SYSCONFDIR/snmp, the
agent will read any files with the names
.I snmpd.conf
and
.I snmpd.local.conf
in a colon separated path specified in the
SNMPCONFPATH environment variable.
.TP
.B DATADIR/snmp/mibs/
The agent will also load all files in this directory as MIBs. It will
not, however, load any file that begins with a '.' or descend into
subdirectories.
.SH SEE ALSO
(in recommended reading order)
.PP
snmp_config(5),
snmp.conf(5),
snmpd.conf(5)
.\" Local Variables:
.\" mode: nroff
.\" End: