Using static context engine ID with SNMP Exporter (Prometheus) - snmp

I'm tring to run snmp-exporter (Prometheus) with static context-engine-id (SNMP v3 option).
But I cannot find that setting in "SNMP Exporter Config Generator".
(https://github.com/prometheus/snmp_exporter/tree/master/generator)
How to configure context-engine-id in snmp-exporter/snmp-exporter-config-gen ?
(Or not supported yet ?)
I found -E option in snmpwalk -h.
That is what I seek in snmp-exporter (config-gen).
$ snmpwalk -h
USAGE: snmpwalk [OPTIONS] AGENT [OID]
Version: 5.6.2.1
<snip>
SNMP Version 3 specific
-a PROTOCOL set authentication protocol (MD5|SHA)
-A PASSPHRASE set authentication protocol pass phrase
-e ENGINE-ID set security engine ID (e.g. 800000020109840301)
-E ENGINE-ID set context engine ID (e.g. 800000020109840301)

This is not presently supported. If you send a PR, it can be added.

Related

SNMP (Ubuntu 18.04) on AudioCodes M500L not working

i try to monitor values with nagios over snmp from my two audiocodes SBCs (M500L).
For these i download two MIBs "AC-ALARM-MIB" + "IP-MIB_rfc4293" from https://github.com/librenms/librenms/tree/master/mibs/audiocodes rename it to .txt at the end and upload it to my ubuntu server in path /usr/share/snmp/mibs/.
Then i try to use the following command in command line.
snmpget -v3 -l authPriv -u xxxxxx -a SHA -A xxxxx -x AES -X xxxxx 123.456.789.100 AcAlarm:acActiveAlarmName
and i get the following output
AcAlarm::acActiveAlarmName = No Such Instance currently exists at this OID
I try to find out the OID from these in MIB Browser - seems like it is " .1.3.6.1.4.1.5003.11.1.1.1.1.5". When i use these OID i get same output.
Anyone has an idea?
SNMP treats all values as being entries in some database. OIDs are used to identify entries in this conceptual database. MIB files allow an SNMP manager to translate OIDs into a human-readable string, with an accompanying textual description.
The issue here is not that the MIB files are bad, or the OIDs are wrong, the problem is that, either the devices that hold this (imaginary) database do not support the entries you are trying to access, or that your user is not authorized to access those entries. A simple way to find out what OIDs are supported would be to do a full walk of the database, using something like snmpwalk <hostname> 1.3.6.1

SNMP trap message shows source and destination as unknown

I am trying to send snmp traps using TLS/DTLS with net-snmp 5.7.2 package. I am unable to see the source and destination address in my trap message. It is showing 'unknown' instead of the address.
I used the below command to send the trap.
snmptrap -Ci -v 3 -T our_identity=snmpd -T their_identity=manager tlstcp:{destination_ip}:10162 "" UCD-SNMP-MIB::ucdStart
The trap I received was
2021-01-09 19:11:30 TLSTCP: unknown [TLSTCP: unknown]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (37091491) 4 days, 7:01:54.91 SNMPv2-MIB::snmpTrapOID.0 = OID: UCD-SNMP-MIB::ucdStart
This is my snmptrapd configuration file.
[snmp] localCert manager
certSecName 20 snmpd --sn joecool
authUser log -s tsm joecool
I have tried using '-n' flag in the snmptrapd server to use numeric address instead of attempting hostname lookups but it didn't help.
I faced no such issue while using snmp v2 or snmp v3 (usm) for sending traps.

snmpd.conf clientaddr not working for sending trap /inform with given IP source address

Given the following sample/simple snmpd.conf (Net-SNMP 5.7.2 on RHEL 7.4)
rwcommunity private 192.168.56.101
trapsess -Ci --clientaddr=192.168.56.128 -v 2c -c private 192.168.56.101:162
when starting a SNMP Daemon
snmpd -f -Lo -D -C -c data/snmpd_test.conf udp:192.168.56.128:161
We obtain ''Start Up'' InformRequest with IP source 192.56.168.1 instead of ...128 (WireShark snapshot below)
It is not surprising as the -D option allows us to output the debug information saying that
trace: netsnmp_config_process_memory_list(): read_config.c, 696:
read_config:mem: processing memory: clientaddr 192.168.56.128
trace: run_config_handler(): read_config.c, 562:
9:read_config:parser: clientaddr handler not registered for this time
Web sources however say:
snmp.conf
...This value is also used by snmpd when generating notifications.
snmpd.conf
trapsess [SNMPCMD_ARGS] HOST
provides a more generic mechanism for defining notification destinations.
SNMPCMD_ARGS should be the command-line options required for an equivalent
snmptrap (or snmpinform) command to send the desired notification
I read also some old threads like this one
However this option is working well with snmptrap
snmptrap -D -Lo -Ci --clientaddr=192.168.56.128 -M+path_to_my_mibs -v 2c -c private 192.168.56.101:162 "" .1.3.6.1.4.1.a.b.c.d.e.f.0 i 0
This option is also working when placed in snmp.conf ( mind there is no 'd' here ) and then it applies to snmpset and snmpget (and maybe other)
So my question is: Is it a documentation error, a bug, a misuse of the Net-SNMP stack ?
After a long struggle I may have an answer and I write a short note as I just found a trick
It seems that clientaddr is not parsed correctly wherever in the snmpd.conf
(I tried not also inside the trapsess line)
But it seems to be a valid option in the command line of snmpd
like it was a valid option in the snmptrap command line. So I assumed it could be the same parsing mechanism for both.
a condition also is that the IP addres must be valid one
which means that
snmpd -f -Lo -D -C -c data/snmpd_test.conf --clientaddr=192.168.56.128 udp:192.168.56.128:161
seems to fully solve my problem.
I will perform more tests and if accurate format this answer a little bit better but it seems a good hint.

SNMP giving authorization issues: Error in packet

I have started jboss EAP 6.4 server with following parameter:
JAVA_OPTS: -server -XX:+UseCompressedOops -verbose:gc -Xloggc:"/home/sshekhar/EAP-6.4.0/test02/standalone/log/gc.log"
-XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5
-XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Djava.awt.headless=true -XX:MaxPermSize=512m
-XX:-UseGCOverheadLimit -Dcom.propFile=local_jboss -Dfile.encoding=UTF-8 -Dcom.sun.management.snmp.port=1610
-Dcom.sun.management.snmp.acl.file=/home/sshekhar/.snmp/mibs/snmp.acl
-Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager -Djava.awt.headless=true -Djava.util.logging.manager=org.jboss.logmanager.LogManager
-Xbootclasspath/p:/home/sshekhar/EAP-6.4.0/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-1.5.4.Final-redhat-1.jar
Server starts successfully.
I am running command: snmpwalk -c public -v 2c 127.0.0.1:1610
It gives
Error in packet.
Reason: authorizationError (access denied to that object)
File: /home/sshekhar/.snmp/mibs/snmp.acl has 700 access set to it.
I am new to SNMP and all I am looking forward is to configure JBoss 6.4 to use SNMP for monitoring.
Also, there is no data written in file: /home/sshekhar/.snmp/mibs/snmp.acl
Also, I created a user using
net-snmp-create-v3-user -ro -A password -X password -a MD5 -x DES myUser
Now, when I am trying to run the command snmpwalk -c public -v3 -u myUser -a MD5 -x DES -X password -A password localhost:1610
it gives me error saying snmpwalk: Unknown user name
snmpwalk -v1 -c public localhost:1610 gives no result
snmpwalk -v1 -c groupv3 localhost:1610 gives End of MIB
Can anyone please help me in understanding what might be the error and what should be my next steps to debug/resolve the issue?
I'm afraid I don't have an exact answer for you, but I can give you a little context about the SNMP versions-
SNMPv1 and SNMPv2c only use community string for authentication
An example SNMPv1 walk is as follows (community string is "public):
snmpwalk -v1 -c public 192.168.1.1
And an example SNMPv2c walk:
snmpwalk -v2c -c public 192.168.1.1
SNMPv3 has quite configurable authentication, using up to:
Security name (aka username)
Security level (noAuthNoPriv, authNoPriv, noAuthPriv, authPriv)
Auth protocol (e.g. SHA, AES)
Auth key (string)
Privacy protocol (e.g. MD5, DES)
Privacy key (string)
(optional) Context name
(optional Engine ID
As you can see, it can be quite complex- the "security level" is a setting that sometimes needs to be specified, it defines how much of the SNMPv3 security model you're using- if you're using an auth protocol and key and a privacy protocol and key, you'll need to use authPriv; if you're using none of those, you'll need to use noAuthNoPriv (just the security name).
An example SNMPv3 walk is as follows:
snmpwalk -v3 -u some_username -a SHA -A 'some_auth_key' -l authPriv -x AES -X 'some_privacy_key' 192.168.1.1
Basically, I'd recommend trying to setup SNMPv1 or SNMPv2c until you can get everything working nicely- I can't speak for JBoss, but on most networking devices this is simply a matter of picking an SNMP version (e.g. v2c) and specifying the read only community string (e.g. "public").
When/if you get to configuring SNMPv3, you might just have to be flexible with some of the different settings I find (again, in the context of network devices) that you won't find one setting that'll work on lots of different vendors of devices, you'll have to try some different auth protocols, different privacy protocols etc.
Best of luck!

Convert SNMP traps from v1 to v3

I'm trying to convert snmp v1 traps to v3. I've followed this discussion but it's vague.
I've also looked here but without success.
To be more clear: I have a Centos 6 station, with net-snmp 5.5 on it. I need to generate v1 traps, receive them, convert them to v3, then forward them.
Regarding the first guide, this is what I managed so far:
Master:
snmpd -Lo --master=agentx --agentXSocket=tcp:192.168.58.64:42000 udp:1161
Listen:
snmpwalk -v3 -u snmpv3user -A snmpv3pass -a MD5 -l authnoPriv 192.168.58.64:1161
Later edit:
I have made some progress, I was able to run snmpd as master, connect snmptrapd as agent to it, then have v1 traps mechanism functional.
I did the following:
In order to get snmptrapd connected as a subagent to snmpd you need to do the following:
###1 EDIT /etc/hosts.allow and add
snmpd: $(your_ip)
smptrapd: $(your_ip)
this is important because snmptrapd fails silently if rejected
by tcp wrap.
###2 EDIT /etc/snmp/snmpd.conf and add at the bottom of the other
com2sec directives.
com2sec infwnet $(your_ip) YOUR-COMMUNITY
add these lines
group MyROGroup v1 infwnet
group MyROGroup v2c infwnet
group MyROGroup usm infwnet
under
"# Second, map the security names into group names:"
add this view at the bottom of the other views
view all included .1 80
add this group acces at the bottom of other group access directives
access MyROGroup "" any noauth exact all none none
add this line as well:
master agentx
###3 TEST it with this:
snmpwalk -v1 -c YOUR_COMMUNITY $(your_ip) .
###4 CREATE THE FOLLOWING TRAP TEST EXAMPLE:
touch /usr/share/snmp/mibs/UCD-TRAP-TEST-MIB.txt
###5 COPY PASTE THE TEXT BELOW INTO IT:
UCD-TRAP-TEST-MIB DEFINITIONS ::= BEGIN
IMPORTS ucdExperimental FROM UCD-SNMP-MIB;
demotraps OBJECT IDENTIFIER ::= { ucdExperimental 990 }
demoTrap TRAP-TYPE
ENTERPRISE demotraps
VARIABLES { sysLocation }
DESCRIPTION "An example of an SMIv1 trap"
::= 17
END
###6 EDIT /etc/sysconfig/snmptrapd (not /etc/default/snmptrapd !!)
replace OPTIONS with this:
OPTIONS="-Lsd -m ALL -M /usr/share/snmp/mibs -p /var/run/snmptrapd.pid"
###7 TEST IT WITH
snmptrap -v 1 -c public $(your_ip) UCD-TRAP-TEST-MIB::demotraps "" 6 17 "" SNMPv2-MIB::sysLocation.0 s "Just here"
Now I just need to find a way to convert them to v3 and read/receive them from a remote snmpd

Resources