356 lines
10 KiB
Modula-2
356 lines
10 KiB
Modula-2
.TH SNMPD 8 "30 Jun 2010" VVERSIONINFO "Net-SNMP"
|
|
.SH NAME
|
|
snmpd - daemon to respond to SNMP request packets.
|
|
.SH SYNOPSIS
|
|
.B snmpd
|
|
[OPTIONS] [LISTENING ADDRESSES]
|
|
.SH DESCRIPTION
|
|
.B snmpd
|
|
is an SNMP agent which binds to a port and awaits requests from
|
|
SNMP management software. Upon receiving a request, it processes the
|
|
request(s), collects the requested information and/or performs the
|
|
requested operation(s) and returns the information to the sender.
|
|
.SH OPTIONS
|
|
.TP 8
|
|
.B \-a
|
|
Log the source addresses of incoming requests.
|
|
.TP
|
|
.B \-A
|
|
Append to the log file rather than truncating it.
|
|
.TP
|
|
.B "\-c" \fIFILE
|
|
Read
|
|
.I FILE
|
|
as a configuration file
|
|
(or a comma-separated list of configuration files). Note that the loaded
|
|
file will only understand snmpd.conf tokens, unless the configuration type
|
|
is specified in the file as described in the snmp_config man page under
|
|
SWITCHING CONFIGURATION TYPES IN MID-FILE.
|
|
.TP
|
|
.B \-C
|
|
Do not read any configuration files except the ones optionally specified by the
|
|
.B \-c
|
|
option.
|
|
Note that this behaviour also covers the persistent configuration files.
|
|
This may result in dynamically-assigned values being reset following an
|
|
agent restart, unless the relevant persistent config files are
|
|
explicitly loaded using the
|
|
.B \-c
|
|
option.
|
|
.TP
|
|
.B \-d
|
|
Dump (in hexadecimal) the sent and received SNMP packets.
|
|
.TP
|
|
.B \-D\fI[TOKEN[,...]]
|
|
Turn on debugging output for the given
|
|
.IR "TOKEN" "(s)."
|
|
Without any tokens specified, it defaults to printing all the tokens
|
|
(which is equivalent to the keyword "ALL").
|
|
You might want to try
|
|
.IR ALL
|
|
for extremely verbose output. Note: You can not put a space between
|
|
the \-D flag and the listed TOKENs.
|
|
.TP
|
|
.B \-f
|
|
Do not fork() from the calling shell.
|
|
.TP
|
|
.B \-g \fIGID
|
|
Change to the numerical group ID
|
|
.I GID
|
|
after opening listening sockets.
|
|
.TP
|
|
.B \-h, \-\-help
|
|
Display a brief usage message and then exit.
|
|
.TP
|
|
.B \-H
|
|
Display a list of configuration file directives understood by the
|
|
agent and then exit.
|
|
.TP
|
|
.B \-I \fI[\-]INITLIST
|
|
Specifies which modules should (or should not) be initialized
|
|
when the agent starts up. If the comma-separated
|
|
.I INITLIST
|
|
is preceded
|
|
with a '\-', it is the list of modules that should \fInot\fR be started.
|
|
Otherwise this is the list of the \fIonly\fR modules that should be started.
|
|
|
|
To get a list of compiled modules, run the agent with the arguments
|
|
.I "\-Dmib_init \-H"
|
|
(assuming debugging support has been compiled in).
|
|
.TP
|
|
.B \-L[eEfFoOsSnN]
|
|
Specify where logging output should be directed (standard error or output,
|
|
to a file or via syslog). See LOGGING OPTIONS in snmpcmd(1) for details.
|
|
.TP
|
|
.BR \-m " \fIMIBLIST"
|
|
Specifies a colon separated list of MIB modules to load for this
|
|
application. This overrides the environment variable MIBS.
|
|
See \fIsnmpcmd(1)\fR for details.
|
|
.TP
|
|
.BR \-M " \fIDIRLIST"
|
|
Specifies a colon separated list of directories to search for MIBs.
|
|
This overrides the environment variable MIBDIRS.
|
|
See \fIsnmpcmd(1)\fR for details.
|
|
.TP
|
|
.B \-n \fINAME
|
|
Set an alternative application name (which will affect the
|
|
configuration files loaded).
|
|
By default this will be \fIsnmpd\fR, regardless of the name
|
|
of the actual binary.
|
|
.TP
|
|
.B \-p \fIFILE
|
|
Save the process ID of the daemon in
|
|
.IR FILE "."
|
|
.TP
|
|
.B \-q
|
|
Print simpler output for easier automated parsing.
|
|
.TP
|
|
.B \-r
|
|
Do not require root access to run the daemon. Specifically, do not exit
|
|
if files only accessible to root (such as /dev/kmem etc.) cannot be
|
|
opened.
|
|
.TP
|
|
.B \-u \fIUID
|
|
Change to the user ID
|
|
.I UID
|
|
(which can be given in numerical or textual form) after opening
|
|
listening sockets.
|
|
.TP
|
|
.B \-U
|
|
Instructs the agent to not remove its pid file (see the
|
|
.B \-p
|
|
option) on shutdown. Overrides the leave_pidfile token in the
|
|
.I snmpd.conf
|
|
file, see
|
|
.I snmpd.conf(5).
|
|
.TP
|
|
.B \-v, \-\-version
|
|
Print version information for the agent and then exit.
|
|
.TP
|
|
.B \-V
|
|
Symbolically dump SNMP transactions.
|
|
.TP
|
|
.B \-x \fIADDRESS
|
|
Listens for AgentX connections on the specified address
|
|
rather than the default AGENTX_SOCKET.
|
|
The address can either be a Unix domain socket path,
|
|
or the address of a network interface. The format is the same as the
|
|
format of listening addresses described below.
|
|
.TP
|
|
.B \-X
|
|
Run as an AgentX subagent rather than as an SNMP master agent.
|
|
.TP
|
|
.BI \-\- "name"="value"
|
|
Allows one to specify any token ("name") supported in the
|
|
.I snmpd.conf
|
|
file and sets its value to "value". Overrides the corresponding token in the
|
|
.I snmpd.conf
|
|
file. See
|
|
.I snmpd.conf(5)
|
|
for the full list of tokens.
|
|
.SH LISTENING ADDRESSES
|
|
By default,
|
|
.B snmpd
|
|
listens for incoming SNMP requests on UDP port 161 on all IPv4 interfaces.
|
|
However, it is possible to modify this behaviour by specifying one or more
|
|
listening addresses as arguments to \fBsnmpd\fR.
|
|
A listening address takes the form:
|
|
.IP
|
|
[<transport-specifier>:]<transport-address>
|
|
.PP
|
|
At its simplest, a listening address may consist only of a port
|
|
number, in which case
|
|
.B snmpd
|
|
listens on that UDP port on all IPv4 interfaces. Otherwise, the
|
|
<transport-address> part of the specification is parsed according to
|
|
the following table:
|
|
.RS 4
|
|
.TP 28
|
|
.BR "<transport-specifier>"
|
|
.BR "<transport-address> format"
|
|
.IP "udp \fI(default)\fR" 28
|
|
hostname[:port]
|
|
.I or
|
|
IPv4-address[:port]
|
|
.IP "tcp" 28
|
|
hostname[:port]
|
|
.I or
|
|
IPv4-address[:port]
|
|
.IP "unix" 28
|
|
pathname
|
|
.IP "ipx" 28
|
|
[network]:node[/port]
|
|
.TP 28
|
|
.IR "" "aal5pvc " or " pvc"
|
|
[interface.][VPI.]VCI
|
|
.TP 28
|
|
.IR "" "udp6 " or " udpv6 " or " udpipv6"
|
|
hostname[:port]
|
|
.I or
|
|
IPv6-address[:port]
|
|
.TP 28
|
|
.IR "" "tcp6 " or " tcpv6 " or " tcpipv6"
|
|
hostname[:port]
|
|
.I or
|
|
IPv6-address[:port]
|
|
.TP 28
|
|
.IR "" "ssh"
|
|
hostname:port
|
|
.TP 28
|
|
.IR "" "dtlsudp"
|
|
hostname:port
|
|
.RE
|
|
.PP
|
|
Note that <transport-specifier> strings are case-insensitive so that,
|
|
for example, "tcp" and "TCP" are equivalent. Here are some examples,
|
|
along with their interpretation:
|
|
.TP 24
|
|
.IR "127.0.0.1:161"
|
|
listen on UDP port 161, but only on the loopback interface. This
|
|
prevents
|
|
.B snmpd
|
|
being queried remotely. The port specification ":161" is
|
|
not strictly necessary since that is the default SNMP port.
|
|
.TP 24
|
|
.IR "TCP:1161"
|
|
listen on TCP port 1161 on all IPv4 interfaces.
|
|
.TP 24
|
|
.IR "ipx:/40000"
|
|
listen on IPX port 40000 on all IPX interfaces.
|
|
.TP 24
|
|
.IR "unix:/tmp/local\-agent"
|
|
listen on the Unix domain socket \fI/tmp/local\-agent\fR.
|
|
.TP 24
|
|
.IR "/tmp/local\-agent"
|
|
is identical to the previous specification, since the Unix domain is
|
|
assumed if the first character of the <transport-address> is '/'.
|
|
.TP 24
|
|
.IR "PVC:161"
|
|
listen on the AAL5 permanent virtual circuit with VPI=0 and VCI=161
|
|
(decimal) on the first ATM adapter in the machine.
|
|
.TP 24
|
|
.IR "udp6:10161"
|
|
listen on port 10161 on all IPv6 interfaces.
|
|
.TP 24
|
|
.IR "ssh:127.0.0.1:22"
|
|
Allows connections from the snmp subsystem on the ssh server on port
|
|
22. The details of using SNMP over SSH are defined below.
|
|
.TP 24
|
|
.IR "dtlsudp:127.0.0.1:9161"
|
|
Listen for connections over DTLS on UDP port 9161. The snmp.conf file
|
|
must have the
|
|
.IR serverCert,
|
|
configuration tokens defined.
|
|
.PP
|
|
Note that not all the transport domains listed above will always be
|
|
available; for instance, hosts with no IPv6 support will not be able
|
|
to use udp6 transport addresses, and attempts to do so will result in
|
|
the error "Error opening specified endpoint". Likewise, since AAL5
|
|
PVC support is only currently available on Linux, it will fail with
|
|
the same error on other platforms.
|
|
.SH Transport Specific Notes
|
|
.RS 0
|
|
.TP 8
|
|
ssh
|
|
The SSH transport, on the server side, is actually just a unix
|
|
named pipe that can be connected to via a ssh subsystem configured in
|
|
the main ssh server. The pipe location (configurable with the
|
|
sshtosnmpsocket token in snmp.conf) is
|
|
.I /var/net\-snmp/sshtosnmp.
|
|
Packets should be submitted to it via the sshtosnmp application, which
|
|
also sends the user ID as well when starting the connection. The TSM
|
|
security model should be used when packets should process it.
|
|
.IP
|
|
The
|
|
.I sshtosnmp
|
|
command knows how to connect to this pipe and talk to
|
|
it. It should be configured in the
|
|
.IR "OpenSSH sshd"
|
|
configuration file (which is normally
|
|
.IR "/etc/ssh/sshd_config"
|
|
using the following configuration line:
|
|
.TP 8
|
|
.IP
|
|
Subsystem snmp /usr/local/bin/sshtosnmp
|
|
.IP
|
|
The
|
|
.I sshtosnmp
|
|
command will need read/write access to the
|
|
.I /var/net\-snmp/sshtosnmp
|
|
pipe. Although it should be fairly safe to grant access to the
|
|
average user since it still requires modifications to the ACM settings
|
|
before the user can perform operations, paranoid administrators may
|
|
want to make the /var/net\-snmp directory accessible only by users in a
|
|
particular group. Use the
|
|
.I sshtosnmpsocketperms
|
|
snmp.conf configure option to set the permissions, owner and group of
|
|
the created socket.
|
|
.IP
|
|
Access control can be granted to the user "foo" using the following
|
|
style of simple snmpd.conf settings:
|
|
.TP 8
|
|
.IP
|
|
rouser \-s tsm foo authpriv
|
|
.IP
|
|
Note that "authpriv" is acceptable assuming as SSH protects everything
|
|
that way (assuming you have a non-insane setup).
|
|
snmpd has no notion of how SSH has actually protected a packet and
|
|
thus the snmp agent assumes all packets passed through the SSH
|
|
transport have been protected at the authpriv level.
|
|
.TP 8
|
|
dtlsudp
|
|
The DTLS protocol, which is based off of TLS, requires both client and
|
|
server certificates to establish the connection and authenticate both
|
|
sides. In order to do this, the client will need to configure the
|
|
snmp.conf file
|
|
with the
|
|
.IR clientCert
|
|
configuration tokens. The server will need to configure the snmp.conf
|
|
file with the
|
|
.IR serverCert
|
|
configuration tokens defined.
|
|
.IP
|
|
Access control setup is similar to the ssh transport as the TSM
|
|
security model should be used to protect the packet.
|
|
.RE
|
|
.SH CONFIGURATION FILES
|
|
.PP
|
|
.B snmpd
|
|
checks for the existence of and parses the following files:
|
|
.TP 6
|
|
.B SYSCONFDIR/snmp/snmp.conf
|
|
Common configuration for the agent and applications. See
|
|
.I snmp.conf(5)
|
|
for details.
|
|
.TP
|
|
.B SYSCONFDIR/snmp/snmpd.conf
|
|
.TP
|
|
.B SYSCONFDIR/snmp/snmpd.local.conf
|
|
Agent-specific configuration. See
|
|
.I snmpd.conf(5)
|
|
for details. These files are optional and may be used to configure
|
|
access control, trap generation, subagent protocols and much else
|
|
besides.
|
|
.IP
|
|
In addition to these two configuration files in SYSCONFDIR/snmp, the
|
|
agent will read any files with the names
|
|
.I snmpd.conf
|
|
and
|
|
.I snmpd.local.conf
|
|
in a colon separated path specified in the
|
|
SNMPCONFPATH environment variable.
|
|
.TP
|
|
.B DATADIR/snmp/mibs/
|
|
The agent will also load all files in this directory as MIBs. It will
|
|
not, however, load any file that begins with a '.' or descend into
|
|
subdirectories.
|
|
.SH SEE ALSO
|
|
(in recommended reading order)
|
|
.PP
|
|
snmp_config(5),
|
|
snmp.conf(5),
|
|
snmpd.conf(5)
|
|
.\" Local Variables:
|
|
.\" mode: nroff
|
|
.\" End:
|