+++ /dev/null
-<!-- Copyright (C) 2003 Red Hat, Inc. -->
-<!-- This material may be distributed only subject to the terms -->
-<!-- and conditions set forth in the Open Publication License, v1.0 -->
-<!-- or later (the latest version is presently available at -->
-<!-- http://www.opencontent.org/openpub/). -->
-<!-- Distribution of the work or derivative of the work in any -->
-<!-- standard (paper) book form is prohibited unless prior -->
-<!-- permission is obtained from the copyright holder. -->
-<HTML
-><HEAD
-><TITLE
->snmpd.conf</TITLE
-><meta name="MSSmartTagsPreventParsing" content="TRUE">
-<META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
-"><LINK
-REL="HOME"
-TITLE="eCos Reference Manual"
-HREF="ecos-ref.html"><LINK
-REL="UP"
-TITLE="SNMP for eCos"
-HREF="net-snmp-ecos-port.html"><LINK
-REL="PREVIOUS"
-TITLE="MIB Compiler "
-HREF="net-snmp-mib-compiler.html"><LINK
-REL="NEXT"
-TITLE="Embedded HTTP Server"
-HREF="net-httpd.html"></HEAD
-><BODY
-CLASS="SECT1"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><DIV
-CLASS="NAVHEADER"
-><TABLE
-SUMMARY="Header navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TH
-COLSPAN="3"
-ALIGN="center"
->eCos Reference Manual</TH
-></TR
-><TR
-><TD
-WIDTH="10%"
-ALIGN="left"
-VALIGN="bottom"
-><A
-HREF="net-snmp-mib-compiler.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="80%"
-ALIGN="center"
-VALIGN="bottom"
->Chapter 47. SNMP for <SPAN
-CLASS="emphasis"
-><I
-CLASS="EMPHASIS"
->eCos</I
-></SPAN
-></TD
-><TD
-WIDTH="10%"
-ALIGN="right"
-VALIGN="bottom"
-><A
-HREF="net-httpd.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-></TABLE
-><HR
-ALIGN="LEFT"
-WIDTH="100%"></DIV
-><DIV
-CLASS="SECT1"
-><H1
-CLASS="SECT1"
-><A
-NAME="NET-SNMP-AGENT-MANPAGES-SNMPD.CONF">snmpd.conf</H1
-><TABLE
-BORDER="5"
-BGCOLOR="#E0E0F0"
-WIDTH="70%"
-><TR
-><TD
-><PRE
-CLASS="SCREEN"
->SNMPD.CONF(5) SNMPD.CONF(5)
-
-
-
-NAME
- share/snmp/snmpd.conf - configuration file for the ucd-
- snmp SNMP agent.
-
-DESCRIPTION
- snmpd.conf is the configuration file which defines how the
- ucd-smnp SNMP agent operates. These files may contain any
- of the directives found in the DIRECTIVES section below.
- This file is not required for the agent to operate and
- report mib entries.
-
-PLEASE READ FIRST
- First, make sure you have read the snmp_config(5) manual
- page that describes how the ucd-snmp configuration files
- operate, where they are located and how they all work
- together.
-
-EXTENSIBLE-MIB
- The ucd-snmp SNMP agent reports much of its information
- through queries to the 1.3.6.1.4.1.2021 section of the mib
- tree. Every mib in this section has the following table
- entries in it.
-
- .1 -- index
- This is the table's index numbers for each of the
- DIRECTIVES listed below.
-
- .2 -- name
- The name of the given table entry. This should be
- unique, but is not required to be.
-
- .100 -- errorFlag
- This is a flag returning either the integer value 1
- or 0 if an error is detected for this table entry.
-
- .101 -- errorMsg
- This is a DISPLAY-STRING describing any error trig-
- gering the errorFlag above.
-
- .102 -- errorFix
- If this entry is SNMPset to the integer value of 1
- AND the errorFlag defined above is indeed a 1, a
- program or script will get executed with the table
- entry name from above as the argument. The program
- to be executed is configured in the config.h file
- at compile time.
-
- Directives
- proc NAME
-
- proc NAME MAX
-
- proc NAME MAX MIN
-
- Checks to see if the NAME'd processes are running
- on the agent's machine. An error flag (1) and a
- description message are then passed to the
- 1.3.6.1.4.1.2021.2.100 and 1.3.6.1.4.1.2021.2.101
- mib tables (respectively) if the NAME'd program is
- not found in the process table as reported by
- "/bin/ps -e".
-
- If MAX and MIN are not specified, MAX is assumed to
- be infinity and MIN is assumed to be 1.
-
- If MAX is specified but MIN is not specified, MIN
- is assumed to be 0.
-
- procfix NAME PROG ARGS
- This registers a command that knows how to fix
- errors with the given process NAME. When
- 1.3.6.1.4.1.2021.2.102 for a given NAMEd program is
- set to the integer value of 1, this command will be
- called. It defaults to a compiled value set using
- the PROCFIXCMD definition in the config.h file.
-
- exec NAME PROG ARGS
-
- exec MIBNUM NAME PROG ARGS
-
- If MIBNUM is not specified, the agent executes the
- named PROG with arguments of ARGS and returns the
- exit status and the first line of the STDOUT output
- of the PROG program to queries of the
- 1.3.6.1.4.1.2021.8.100 and 1.3.6.1.4.1.2021.8.101
- mib tables (respectively). All STDOUT output
- beyond the first line is silently truncated.
-
- If MIBNUM is specified, it acts as above but
- returns the exit status to MIBNUM.100.0 and the
- entire STDOUT output to the table MIBNUM.101 in a
- mib table. In this case, the MIBNUM.101 mib con-
- tains the entire STDOUT output, one mib table entry
- per line of output (ie, the first line is output as
- MIBNUM.101.1, the second at MIBNUM.101.2, etc...).
-
- Note: The MIBNUM must be specified in dotted-inte-
- ger notation and can not be specified as
- ".iso.org.dod.internet..." (should instead
- be
-
- Note: The agent caches the exit status and STDOUT
- of the executed program for 30 seconds after
- the initial query. This is to increase
- speed and maintain consistency of informa-
- tion for consecutive table queries. The
- cache can be flushed by a snmp-set request
- of integer(1) to 1.3.6.1.4.1.2021.100.VER-
- CLEARCACHE.
-
- execfix NAME PROG ARGS
- This registers a command that knows how to fix
- errors with the given exec or sh NAME. When
- 1.3.6.1.4.1.2021.8.102 for a given NAMEd entry is
- set to the integer value of 1, this command will be
- called. It defaults to a compiled value set using
- the EXECFIXCMD definition in the config.h file.
-
- disk PATH
-
- disk PATH [ MINSPACE | MINPERCENT% ]
-
- Checks the named disks mounted at PATH for avail-
- able disk space. If the disk space is less than
- MINSPACE (kB) if specified or less than MINPERCENT
- (%) if a % sign is specified, or DEFDISKMINI-
- MUMSPACE (kB) if not specified, the associated
- entry in the 1.3.6.1.4.1.2021.9.100 mib table will
- be set to (1) and a descriptive error message will
- be returned to queries of 1.3.6.1.4.1.2021.9.101.
-
- load MAX1
-
- load MAX1 MAX5
-
- load MAX1 MAX5 MAX15
-
- Checks the load average of the machine and returns
- an error flag (1), and an text-string error message
- to queries of 1.3.6.1.4.1.2021.10.100 and
- 1.3.6.1.4.1.2021.10.101 (respectively) when the
- 1-minute, 5-minute, or 15-minute averages exceed
- the associated maximum values. If any of the MAX1,
- MAX5, or MAX15 values are unspecified, they default
- to a value of DEFMAXLOADAVE.
-
- file FILE [MAXSIZE]
- Monitors file sizes and makes sure they don't grow
- beyond a certain size. MAXSIZE defaults to infi-
- nite if not specified, and only monitors the size
- without reporting errors about it.
-
- Errors
- Any errors in obtaining the above information are reported
- via the 1.3.6.1.4.1.2021.101.100 flag and the
- 1.3.6.1.4.1.2021.101.101 text-string description.
-
-SMUX SUB-AGENTS
- To enable and SMUX based sub-agent, such as gated, use the
- smuxpeer configuration entry
-
- smuxpeer OID PASS
- For gated a sensible entry might be
-
- .1.3.6.1.4.1.4.1.3 secret
-
-ACCESS CONTROL
- snmpd supports the View-Based Access Control Model (vacm)
- as defined in RFC 2275. To this end, it recognizes the
- following keywords in the configuration file: com2sec,
- group, access, and view as well as some easier-to-use
- wrapper directives: rocommunity, rwcommunity, rouser,
- rwuser.
-
- rocommunity COMMUNITY [SOURCE] [OID]
-
- rwcommunity COMMUNITY [SOURCE] [OID]
- These create read-only and read-write communities
- that can be used to access the agent. They are a
- quick method of using the following com2sec, group,
- access, and view directive lines. They are not as
- efficient either, as groups aren't created so the
- tables are possibly larger. In other words: don't
- use these if you have complex situations to set up.
-
- The format of the SOURCE is token is described in
- the com2sec directive section below. The OID token
- restricts access for that community to everything
- below that given OID.
-
- rouser USER [noauth|auth|priv] [OID]
-
- rwuser USER [noauth|auth|priv] [OID]
- Creates a SNMPv3 USM user in the VACM access
- configuration tables. Again, its more efficient
- (and powerful) to use the combined com2sec, group,
- access, and view directives instead.
-
- The minimum level of authentication and privacy the
- user must use is specified by the first token
- (which defaults to "auth"). The OID parameter
- restricts access for that user to everything below
- the given OID.
-
- com2sec NAME SOURCE COMMUNITY
- This directive specifies the mapping from a
- source/community pair to a security name. SOURCE
- can be a hostname, a subnet, or the word "default".
- A subnet can be specified as IP/MASK or IP/BITS.
- The first source/community combination that matches
- the incoming packet is selected.
-
- group NAME MODEL SECURITY
- This directive defines the mapping from security-
- model/securityname to group. MODEL is one of v1,
- v2c, or usm.
-
- access NAME CONTEXT MODEL LEVEL PREFX READ WRITE NOTIFY
- The access directive maps from group/security
- model/security level to a view. MODEL is one of
- any, v1, v2c, or usm. LEVEL is one of noauth,
- auth, or priv. PREFX specifies how CONTEXT should
- be matched against the context of the incoming pdu,
- either exact or prefix. READ, WRITE and NOTIFY
- specifies the view to be used for the corresponding
- access. For v1 or v2c access, LEVEL will be
- noauth, and CONTEXT will be empty.
-
- view NAME TYPE SUBTREE [MASK]
- The defines the named view. TYPE is either included
- or excluded. MASK is a list of hex octets, sepa-
- rated by '.' or ':'. The MASK defaults to "ff" if
- not specified.
-
- The reason for the mask is, that it allows you to
- control access to one row in a table, in a rela-
- tively simple way. As an example, as an ISP you
- might consider giving each customer access to his
- or her own interface:
-
- view cust1 included interfaces.ifTable.ifEntry.ifIndex.1 ff.a0
- view cust2 included interfaces.ifTable.ifEntry.ifIndex.2 ff.a0
-
- (interfaces.ifTable.ifEntry.ifIndex.1 == .1.3.6.1.2.1.2.2.1.1.1,
- ff.a0 == 11111111.10100000. which nicely covers up and including
- the row index, but lets the user vary the field of the row)
-
- VACM Examples:
- # sec.name source community
- com2sec local localhost private
- com2sec mynet 10.10.10.0/24 public
- com2sec public default public
-
- # sec.model sec.name
- group mygroup v1 mynet
- group mygroup v2c mynet
- group mygroup usm mynet
- group local v1 local
- group local v2c local
- group local usm local
- group public v1 public
- group public v2c public
- group public usm public
-
- # incl/excl subtree mask
- view all included .1 80
- view system included system fe
- view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
-
- # context sec.model sec.level prefix read write notify
- access mygroup "" any noauth exact mib2 none none
- access public "" any noauth exact system none none
- access local "" any noauth exact all all all
-
- Default VACM model
- The default configuration of the agent, as shipped, is functionally
- equivalent to the following entries:
- com2sec public default public
- group public v1 public
- group public v2c public
- group public usm public
- view all included .1
- access public "" any noauth exact all none none
-
-SNMPv3 CONFIGURATION
- engineID STRING
- The snmpd agent needs to be configured with an
- engineID to be able to respond to SNMPv3 messages.
- With this configuration file line, the engineID
- will be configured from STRING. The default value
- of the engineID is configured with the first IP
- address found for the hostname of the machine.
-
- createUser username (MD5|SHA) authpassphrase [DES] [priv-
- passphrase]
- This directive should be placed into the "/var/ucd-
- snmp"/snmpd.conf file instead of the other normal
- locations. The reason is that the information is
- read from the file and then the line is removed
- (eliminating the storage of the master password for
- that user) and replaced with the key that is
- derived from it. This key is a localized key, so
- that if it is stolen it can not be used to access
- other agents. If the password is stolen, however,
- it can be.
-
- MD5 and SHA are the authentication types to use,
- but you must have built the package with openssl
- installed in order to use SHA. The only privacy
- protocol currently supported is DES. If the pri-
- vacy passphrase is not specified, it is assumed to
- be the same as the authentication passphrase. Note
- that the users created will be useless unless they
- are also added to the VACM access control tables
- described above.
-
- Warning: the minimum pass phrase length is 8 char-
- acters.
-
- SNMPv3 users can be created at runtime using the
- snmpusm command.
-
-
-SETTING SYSTEM INFORMATION
- syslocation STRING
-
- syscontact STRING
-
- Sets the system location and the system contact for
- the agent. This information is reported by the
- 'system' table in the mibII tree.
-
- authtrapenable NUMBER
- Setting authtrapenable to 1 enables generation of
- authentication failure traps. The default value is
- 2 (disable).
-
- trapcommunity STRING
- This defines the default community string to be
- used when sending traps. Note that this command
- must be used prior to any of the following three
- commands that are intended use this community
- string.
-
- trapsink HOST [COMMUNITY [PORT]]
-
- trap2sink HOST [COMMUNITY [PORT]]
-
- informsink HOST [COMMUNITY [PORT]]
- These commands define the hosts to receive traps
- (and/or inform notifications). The daemon sends a
- Cold Start trap when it starts up. If enabled, it
- also sends traps on authentication failures. Mul-
- tiple trapsink, trap2sink and informsink lines may
- be specified to specify multiple destinations. Use
- trap2sink to send SNMPv2 traps and informsink to
- send inform notifications. If COMMUNITY is not
- specified, the string from a preceding trapcommu-
- nity directive will be used. If PORT is not speci-
- fied, the well known SNMP trap port (162) will be
- used.
-
-PASS-THROUGH CONTROL
- pass MIBOID EXEC
- Passes entire control of MIBOID to the EXEC pro-
- gram. The EXEC program is called in one of the
- following three ways:
-
- EXEC -g MIBOID
-
- EXEC -n MIBOID
-
- These call lines match to SNMP get and get-
- next requests. It is expected that the EXEC
- program will take the arguments passed to it
- and return the appropriate response through
- it's stdout.
-
- The first line of stdout should be the mib
- OID of the returning value. The second line
- should be the TYPE of value returned, where
- TYPE is one of the text strings: string,
- integer, unsigned, objectid, timeticks,
- ipaddress, counter, or gauge. The third
- line of stdout should be the VALUE corre-
- sponding with the returned TYPE.
-
- For instance, if a script was to return the
- value integer value "42" when a request for
- .1.3.6.1.4.100 was requested, the script
- should return the following 3 lines:
- .1.3.6.1.4.100
- integer
- 42
-
- To indicate that the script is unable to
- comply with the request due to an end-of-mib
- condition or an invalid request, simple exit
- and return no output to stdout at all. A
- snmp error will be generated corresponding
- to the SNMP NO-SUCH-NAME response.
-
- EXEC -s MIBOID TYPE VALUE
-
- For SNMP set requests, the above call method
- is used. The TYPE passed to the EXEC pro-
- gram is one of the text strings: integer,
- counter, gauge, timeticks, ipaddress, objid,
- or string, indicating the type of value
- passed in the next argument.
-
- Return nothing to stdout, and the set will
- assumed to have been successful. Otherwise,
- return one of the following error strings to
- signal an error: not-writable, or wrong-type
- and the appropriate error response will be
- generated instead.
-
- Note: By default, the only community
- allowed to write (ie snmpset) to
- your script will be the "private"
- community,or community #2 if defined
- differently by the "community" token
- discussed above. Which communities
- are allowed write access are con-
- trolled by the RWRITE definition in
- the snmplib/snmp_impl.h source file.
-
-EXAMPLE
- See the EXAMPLE.CONF file in the top level source direc-
- tory for a more detailed example of how the above informa-
- tion is used in real examples.
-
-RE-READING snmpd.conf and snmpd.local.conf
- The ucd-snmp agent can be forced to re-read its configura-
- tion files. It can be told to do so by one of two ways:
-
- 1. An snmpset of integer(1) to
- 1.3.6.1.4.1.2021.100.VERUPDATECONFIG.
-
- 2. A "kill -HUP" signal sent to the snmpd agent pro-
- cess.
-
-FILES
- share/snmp/snmpd.conf
-
-SEE ALSO
- snmp_config(5), snmpd(1), EXAMPLE.conf, read_config(3).
-
-
-
- 27 Jan 2000 SNMPD.CONF(5)
- </PRE
-></TD
-></TR
-></TABLE
-></DIV
-><DIV
-CLASS="NAVFOOTER"
-><HR
-ALIGN="LEFT"
-WIDTH="100%"><TABLE
-SUMMARY="Footer navigation table"
-WIDTH="100%"
-BORDER="0"
-CELLPADDING="0"
-CELLSPACING="0"
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
-><A
-HREF="net-snmp-mib-compiler.html"
-ACCESSKEY="P"
->Prev</A
-></TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="ecos-ref.html"
-ACCESSKEY="H"
->Home</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
-><A
-HREF="net-httpd.html"
-ACCESSKEY="N"
->Next</A
-></TD
-></TR
-><TR
-><TD
-WIDTH="33%"
-ALIGN="left"
-VALIGN="top"
->MIB Compiler</TD
-><TD
-WIDTH="34%"
-ALIGN="center"
-VALIGN="top"
-><A
-HREF="net-snmp-ecos-port.html"
-ACCESSKEY="U"
->Up</A
-></TD
-><TD
-WIDTH="33%"
-ALIGN="right"
-VALIGN="top"
->Embedded HTTP Server</TD
-></TR
-></TABLE
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
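Review bot: Deleting this page leaves its neighbours pointing at a missing file. The LINK REL and NAVHEADER/NAVFOOTER entries at the top and bottom of the hunk show it is the NEXT target of net-snmp-mib-compiler.html, the PREVIOUS target of net-httpd.html, and a child of net-snmp-ecos-port.html, so those pages need to be regenerated or relinked in the same change. Separately, if the SNMP agent itself stays in the tree, this removal drops the only visible description of the shipped access defaults: the "Default VACM model" block (`com2sec public default public` with `access public "" any noauth exact all none none`) and the PASS-THROUGH note that the "private" community can write to pass scripts by default. Please confirm that information is kept in whatever replaces this page, or say in the commit message that the agent documentation is being retired along with it. The hunk also has no `---` line naming the deleted path, so the file being removed cannot be confirmed from the patch as shown.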