Install and Configure SNMP on CentOS 8

2
3495

Welcome to our guide on how to install and configure SNMP on CentOS 8. SNMP stands for Simple Network Management Protocol. It is an Internet Standard protocol that provides an agentless method of managing and monitoring of network devices and servers for health information, system metrics such as CPU load, Physical Memory usage, number of running processes, service states or any other metric that support polling over the SNMP protocol.

Install and Configure SNMP on CentOS 8

Installing Net-SNMP on CentOS 8

The Net-SNMP is a suite of applications which provides an agent and utilities that enables retrieval of data from systems using the SNMP protocol.

Before you can install Net-SNMP, ensure your system packages are up-to-date.

dnf update

To install Net-SNMP (SNMP agent, SNMP daemon and other SNMP utilities) on CentOS 8, simply execute the command below;

dnf install net-snmp net-snmp-libs net-snmp-utils

Running SNMP Daemon on CentOS 8

When installed, Net-SNMP creates a SystemD service called snmpd. The service can be managed using the systemctl command.

For example, to start and enable it to run on system boot;

systemctl enable --now snmpd

To check the status;

systemctl status snmpd
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-03-04 20:36:52 EAT; 2s ago
 Main PID: 3017 (snmpd)
    Tasks: 1 (limit: 11500)
   Memory: 4.8M
   CGroup: /system.slice/snmpd.service
           └─3017 /usr/sbin/snmpd -LS0-6d -f

Mar 04 20:36:52 centos8.kifarunix-demo.com systemd[1]: Stopped Simple Network Management Protocol (SNMP) Daemon..
Mar 04 20:36:52 centos8.kifarunix-demo.com systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Mar 04 20:36:52 centos8.kifarunix-demo.com snmpd[3017]: NET-SNMP version 5.8
Mar 04 20:36:52 centos8.kifarunix-demo.com systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..

To restart SNMP daemon;

systemctl restart snmpd

Configure SNMP on CentOS 8

Once the installation of Net-SNMP is done, proceed to configure it to enable you to remotely poll your system metrics.

The default configuration file of the Net-SNMP agent daemon is is /etc/snmp/snmpd.conf. The file is highly commented and thus, we will only make a few changes. As a result, make a copy of the original file before you can proceed.

cp /etc/snmp/snmpd.{conf,orig}

Configure System Information

By default, Net-SNMP provides basic information such the hostname, the location, the administrator contact information about the system. This information is provided by the values of the objects sysName, sysLocation and sysContact respectively.

To list the default system information using SNMP, simply use snmpwalk command with the default version 2 community string, public. Ensure that SNMP daemon is running before you can run the command below;

snmpwalk -v2c -c public localhost system

You can even try using the server IP;

snmpwalk -v2c -c public 192.168.58.9 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux centos8.kifarunix-demo.com 4.18.0-147.5.1.el8_1.x86_64 #1 SMP Wed Feb 5 02:00:39 UTC 2020 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (7884) 0:01:18.84
SNMPv2-MIB::sysContact.0 = STRING: Root <[email protected]> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: centos8.kifarunix-demo.com
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
...

To update this information, simply open the SNMPD configuration file, /etc/snmp/snmpd.conf and adjust the values of the above objects;

vim /etc/snmp/snmpd.conf

Note that the value of the sysName object is set to system hostname by default. Hence, sysLocation and sysContact can be set in the configuration file under System contact information section.

###############################################################################
# System contact information
#

# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:

# Comment the default lines below
#syslocation Unknown (edit /etc/snmp/snmpd.conf)
#syscontact Root <[email protected]> (configure /etc/snmp/snmp.local.conf)
syslocation Serverfarm, DC2, Rack 3
syscontact Kifarunix-Admin <[email protected]>

Save the configuration file and reload SNMPD to effect the changes.

systemctl reload snmpd

Verify the changes;

snmpwalk -v2c -c public localhost system
SNMPv2-MIB::sysDescr.0 = STRING: Linux centos8.kifarunix-demo.com 4.18.0-147.5.1.el8_1.x86_64 #1 SMP Wed Feb 5 02:00:39 UTC 2020 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (138942) 0:23:09.42
SNMPv2-MIB::sysContact.0 = STRING: Kifarunix-Admin <[email protected]>
SNMPv2-MIB::sysName.0 = STRING: centos8.kifarunix-demo.com
SNMPv2-MIB::sysLocation.0 = STRING: Serverfarm, DC2, Rack 3
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

Configuring SNMP Authentication

SNMP supports three versions of SNMP protocol; version 1, 2c and 3.

  • Both version 1 and 2c provides authentication using community string, a shared secret between the agent and the client that is passed in clear text over the network.
  • Version 3 supports user authentication and message encryption using a variety of protocols and is thus a bit more secure.

Configuring SNMP Version 2c Community on CentOS 8

As stated above, SNMP v2 provides access using a permission directive, a community string and the source Address. The source address can be IP of the Nagios Server (SNMP server). This directive should be set in the format;

directive community [source [OID]]

where directive can be rocommunity (provides read-only access) or rwcommunity (provides read-write access), OID is the optional SNMP tree to provide access to.

To configure SNMP v2c, for example, to allow a read-only access from a specific source host, like the monitoring servers such as Nagios, to system objects using the community string, monsvronly, simply enter the line below in the snmpd config file.

rocommunity monsvronly 192.168.58.8

You can use the command below;

echo -e "# SNMP version 2c community\nrocommunity monsvronly 192.168.58.8" >> /etc/snmp/snmpd.conf

Where 192.168.58.8 is the IP of the remote server allowed access.

To allow from localhost, add the line;

rocommunity monsvronly 127.0.0.1

Configure SNMP Daemon Connection Port

By default, SNMP daemon agent receives requests on UDP port 161. SNMPd however does not open this port by default.

To configure SNMPd to listen on a loopback and an IP interface over UDP port 161, you need to edit the snmpd systemd start-up script, /lib/systemd/system/snmpd.service as shown below;

vim /lib/systemd/system/snmpd.service

Replace the line:

ExecStart=/usr/sbin/snmpd $OPTIONS -f

With;

ExecStart=/usr/sbin/snmpd $OPTIONS -f udp:127.0.0.1:161 udp:192.168.56.9:161

Where 192.168.58.9 is the server interface IP.

Such that you configuration looks like;

[Unit]
Description=Simple Network Management Protocol (SNMP) Daemon.
After=syslog.target network.target

[Service]
Type=notify
Environment=OPTIONS="-LS0-6d"
EnvironmentFile=-/etc/sysconfig/snmpd
#ExecStart=/usr/sbin/snmpd $OPTIONS -f
ExecStart=/usr/sbin/snmpd $OPTIONS -f udp:127.0.0.1:161 udp:192.168.58.9:161
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

Save the configuration file and reload systemd units;

systemctl daemon-reload

Restart SNMP daemon.

systemctl restart snmpd

Verify that the UDP port 161 is open.

netstat -alun | grep 161
udp        0      0 192.168.58.9:161      0.0.0.0:*                          
udp        0      0 127.0.0.1:161           0.0.0.0:*

Open SNMP Port on FirewallD

If firewalld is running, run the commands below to open SNMPd port

firewall-cmd --add-port=161/udp --permanent
firewall-cmd --reload

Verify Connectivity

Test connectivity from the allowed remote host.

Check if the UDP port is reachable on the server.

nc -uvz 192.168.58.9 161
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.58.9:161.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.03 seconds.

Test that you can query the SNMP objects on the server using the snmpwalk and read the first 10 lines of the output.

snmpwalk -v2c -c monsvronly 192.168.58.9 | head -10
SNMPv2-MIB::sysDescr.0 = STRING: Linux centos8.kifarunix-demo.com 4.18.0-147.3.1.el8_1.x86_64 #1 SMP Fri Jan 3 23:55:26 UTC 2020 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (732) 0:00:07.32
SNMPv2-MIB::sysContact.0 = STRING: Kifarunix-Admin <[email protected]>
SNMPv2-MIB::sysName.0 = STRING: centos8.kifarunix-demo.com
SNMPv2-MIB::sysLocation.0 = STRING: Serverfarm, DC2, Rack 3
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
...

Configuring SNMP Version 3 on CentOS 8

SNMP v3 uses a username, permission, security level, authentication and privacy passphrases to allow access.

As a result, you need to create user for authenticating. When created, the user is added to the following configuration files; /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf.

Before you can proceed, make a copy of the original configuration file just like we did above.

cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak

Comment the snmp V2 configuration lines added above;

# rocommunity monsvronly 127.0.0.1
# rocommunity monsvronly 192.168.58.8

Stop SNMP daemon

systemctl stop snmpd

Create a read-only authentication user using the net-snmp-create-v3-user command. The command syntax is;

net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass][-x DES|AES] [username]

For example;

net-snmp-create-v3-user -ro -A [email protected] -a SHA -X [email protected] -x AES snmpadmin
adding the following line to /var/lib/net-snmp/snmpd.conf:
   createUser snmpadmin SHA "[email protected]" AES "[email protected]"
adding the following line to /etc/snmp/snmpd.conf:
   rouser snmpadmin

Start SNMP daemon

systemctl start snmpd

Enable SNMP daemon to run on system reboot.

systemctl enable snmpd

Configure inbound Firewall rules to UDP port 161 as we did above.

Test to verify that everything is working as expected.

snmpwalk -v3 -a SHA -A [email protected] -x AES -X [email protected] -l authPriv -u snmpadmin localhost | head
SNMPv2-MIB::sysDescr.0 = STRING: Linux centos8.kifarunix-demo.com 4.18.0-147.3.1.el8_1.x86_64 #1 SMP Fri Jan 3 23:55:26 UTC 2020 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (5705) 0:00:57.05
SNMPv2-MIB::sysContact.0 = STRING: Kifarunix-Admin <[email protected]>
SNMPv2-MIB::sysName.0 = STRING: centos8.kifarunix-demo.com
SNMPv2-MIB::sysLocation.0 = STRING: Serverfarm, DC2, Rack 3
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance

Verify from remote host;

snmpwalk -v3 -a SHA -A [email protected] -x AES -X [email protected] -l authPriv -u snmpadmin 192.168.58.9 | head
SNMPv2-MIB::sysDescr.0 = STRING: Linux centos8.kifarunix-demo.com 4.18.0-147.3.1.el8_1.x86_64 #1 SMP Fri Jan 3 23:55:26 UTC 2020 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (22366) 0:03:43.66
SNMPv2-MIB::sysContact.0 = STRING: Kifarunix-Admin <[email protected]>
SNMPv2-MIB::sysName.0 = STRING: centos8.kifarunix-demo.com
SNMPv2-MIB::sysLocation.0 = STRING: Serverfarm, DC2, Rack 3
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance

Magnificent!!! You have successfully installed and configured SNMP on CentOS 8. You can now poll your system metrics from your remote monitoring server.

Related Tutorials:

 Nagios SNMP Monitoring of Linux Hosts on AlienVault USM/OSSIM.

Install and Configure SNMP on Debian 10 Buster

How to Configure SNMP version 3 on Debian 9

How to Configure SNMP Version 2c on Debian 9

Install and Configure SNMP on Ubuntu 18.04 and CentOS 7

2 COMMENTS

  1. This is excellent, very helpful. Can you please explain the use of nrocommunity in:

    echo -e “# SNMP version 2c community\nrocommunity monsvronly 192.168.58.8” >> /etc/snmp/snmpd.conf

    I understand it to be either ro or rwcommunity and I am confused. Additional research on my part hasn’t provided an answer. Thank you

    • Thank you for the feedback Micheal. in regards to \n basically tells echo to write the statement, rocommunity monsvronly 192.168.58.8, on the next line as per the echo -e option.
      Hope that helps.

LEAVE A REPLY

Please enter your comment!
Please enter your name here