Convert SNMP traps from v1 to v3 - snmp

I'm trying to convert snmp v1 traps to v3. I've followed this discussion but it's vague.
I've also looked here but without success.
To be more clear: I have a CentOS 6 station, with net-snmp 5.5 on it. I need to generate v1 traps, receive them, convert them to v3, then forward them.
Regarding the first guide, this is what I managed so far:
Master:
snmpd -Lo --master=agentx --agentXSocket=tcp:192.168.58.64:42000 udp:1161
Listen:
snmpwalk -v3 -u snmpv3user -A snmpv3pass -a MD5 -l authnoPriv 192.168.58.64:1161
Later edit:
I have made some progress: I was able to run snmpd as master, connect snmptrapd as an agent to it, and get the v1 trap mechanism working.
I did the following:
In order to get snmptrapd connected as a subagent to snmpd you need to do the following:
###1 EDIT /etc/hosts.allow and add
snmpd: $(your_ip)
snmptrapd: $(your_ip)
this is important because snmptrapd fails silently if rejected by tcp wrap.
###2 EDIT /etc/snmp/snmpd.conf and add at the bottom of the other
com2sec directives.
com2sec infwnet $(your_ip) YOUR-COMMUNITY
add these lines
group MyROGroup v1 infwnet
group MyROGroup v2c infwnet
group MyROGroup usm infwnet
under
"# Second, map the security names into group names:"
add this view at the bottom of the other views
view all included .1 80
add this group access at the bottom of other group access directives
access MyROGroup "" any noauth exact all none none
add this line as well:
master agentx
###3 TEST it with this:
snmpwalk -v1 -c YOUR_COMMUNITY $(your_ip) .
###4 CREATE THE FOLLOWING TRAP TEST EXAMPLE:
touch /usr/share/snmp/mibs/UCD-TRAP-TEST-MIB.txt
###5 COPY PASTE THE TEXT BELOW INTO IT:
UCD-TRAP-TEST-MIB DEFINITIONS ::= BEGIN
IMPORTS ucdExperimental FROM UCD-SNMP-MIB;
demotraps OBJECT IDENTIFIER ::= { ucdExperimental 990 }
demoTrap TRAP-TYPE
ENTERPRISE demotraps
VARIABLES { sysLocation }
DESCRIPTION "An example of an SMIv1 trap"
::= 17
END
###6 EDIT /etc/sysconfig/snmptrapd (not /etc/default/snmptrapd !!)
replace OPTIONS with this:
OPTIONS="-Lsd -m ALL -M /usr/share/snmp/mibs -p /var/run/snmptrapd.pid"
###7 TEST IT WITH
snmptrap -v 1 -c public $(your_ip) UCD-TRAP-TEST-MIB::demotraps "" 6 17 "" SNMPv2-MIB::sysLocation.0 s "Just here"
Now I just need to find a way to convert them to v3 and read/receive them from a remote snmpd

Related

snmpd.conf clientaddr not working for sending trap /inform with given IP source address

Given the following sample/simple snmpd.conf (Net-SNMP 5.7.2 on RHEL 7.4)
rwcommunity private 192.168.56.101
trapsess -Ci --clientaddr=192.168.56.128 -v 2c -c private 192.168.56.101:162
when starting a SNMP Daemon
snmpd -f -Lo -D -C -c data/snmpd_test.conf udp:192.168.56.128:161
We obtain ''Start Up'' InformRequest with IP source 192.56.168.1 instead of ...128 (WireShark snapshot below)
It is not surprising as the -D option allows us to output the debug information saying that
trace: netsnmp_config_process_memory_list(): read_config.c, 696:
read_config:mem: processing memory: clientaddr 192.168.56.128
trace: run_config_handler(): read_config.c, 562:
9:read_config:parser: clientaddr handler not registered for this time
Web sources however say:
snmp.conf
...This value is also used by snmpd when generating notifications.
snmpd.conf
trapsess [SNMPCMD_ARGS] HOST
provides a more generic mechanism for defining notification destinations.
SNMPCMD_ARGS should be the command-line options required for an equivalent
snmptrap (or snmpinform) command to send the desired notification
I read also some old threads like this one
However this option is working well with snmptrap
snmptrap -D -Lo -Ci --clientaddr=192.168.56.128 -M+path_to_my_mibs -v 2c -c private 192.168.56.101:162 "" .1.3.6.1.4.1.a.b.c.d.e.f.0 i 0
This option is also working when placed in snmp.conf (mind there is no 'd' here) and then it applies to snmpset and snmpget (and maybe others)
So my question is: Is it a documentation error, a bug, a misuse of the Net-SNMP stack?
After a long struggle I may have an answer and I write a short note as I just found a trick
It seems that clientaddr is not parsed correctly wherever in the snmpd.conf
(I tried not also inside the trapsess line)
But it seems to be a valid option in the command line of snmpd
like it was a valid option in the snmptrap command line. So I assumed it could be the same parsing mechanism for both.
a condition also is that the IP address must be a valid one
which means that
snmpd -f -Lo -D -C -c data/snmpd_test.conf --clientaddr=192.168.56.128 udp:192.168.56.128:161
seems to fully solve my problem.
I will perform more tests and if accurate format this answer a little bit better but it seems a good hint.

SNMP giving authorization issues: Error in packet

I have started jboss EAP 6.4 server with following parameter:
JAVA_OPTS: -server -XX:+UseCompressedOops -verbose:gc -Xloggc:"/home/sshekhar/EAP-6.4.0/test02/standalone/log/gc.log"
-XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5
-XX:GCLogFileSize=3M -XX:-TraceClassUnloading -Djava.awt.headless=true -XX:MaxPermSize=512m
-XX:-UseGCOverheadLimit -Dcom.propFile=local_jboss -Dfile.encoding=UTF-8 -Dcom.sun.management.snmp.port=1610
-Dcom.sun.management.snmp.acl.file=/home/sshekhar/.snmp/mibs/snmp.acl
-Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager -Djava.awt.headless=true -Djava.util.logging.manager=org.jboss.logmanager.LogManager
-Xbootclasspath/p:/home/sshekhar/EAP-6.4.0/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-1.5.4.Final-redhat-1.jar
Server starts successfully.
I am running command: snmpwalk -c public -v 2c 127.0.0.1:1610
It gives
Error in packet.
Reason: authorizationError (access denied to that object)
File: /home/sshekhar/.snmp/mibs/snmp.acl has 700 access set to it.
I am new to SNMP and all I am looking forward is to configure JBoss 6.4 to use SNMP for monitoring.
Also, there is no data written in file: /home/sshekhar/.snmp/mibs/snmp.acl
Also, I created a user using
net-snmp-create-v3-user -ro -A password -X password -a MD5 -x DES myUser
Now, when I am trying to run the command snmpwalk -c public -v3 -u myUser -a MD5 -x DES -X password -A password localhost:1610
it gives me error saying snmpwalk: Unknown user name
snmpwalk -v1 -c public localhost:1610 gives no result
snmpwalk -v1 -c groupv3 localhost:1610 gives End of MIB
Can anyone please help me in understanding what might be the error and what should be my next steps to debug/resolve the issue?
I'm afraid I don't have an exact answer for you, but I can give you a little context about the SNMP versions-
SNMPv1 and SNMPv2c only use community string for authentication
An example SNMPv1 walk is as follows (community string is "public"):
snmpwalk -v1 -c public 192.168.1.1
And an example SNMPv2c walk:
snmpwalk -v2c -c public 192.168.1.1
SNMPv3 has quite configurable authentication, using up to:
Security name (aka username)
Security level (noAuthNoPriv, authNoPriv, noAuthPriv, authPriv)
Auth protocol (e.g. SHA, AES)
Auth key (string)
Privacy protocol (e.g. MD5, DES)
Privacy key (string)
(optional) Context name
(optional) Engine ID
As you can see, it can be quite complex- the "security level" is a setting that sometimes needs to be specified, it defines how much of the SNMPv3 security model you're using- if you're using an auth protocol and key and a privacy protocol and key, you'll need to use authPriv; if you're using none of those, you'll need to use noAuthNoPriv (just the security name).
An example SNMPv3 walk is as follows:
snmpwalk -v3 -u some_username -a SHA -A 'some_auth_key' -l authPriv -x AES -X 'some_privacy_key' 192.168.1.1
Basically, I'd recommend trying to setup SNMPv1 or SNMPv2c until you can get everything working nicely- I can't speak for JBoss, but on most networking devices this is simply a matter of picking an SNMP version (e.g. v2c) and specifying the read only community string (e.g. "public").
When/if you get to configuring SNMPv3, you might just have to be flexible with some of the different settings. I find (again, in the context of network devices) that you won't find one setting that'll work on lots of different vendors of devices; you'll have to try some different auth protocols, different privacy protocols etc.
Best of luck!

set additional folder for snmp MIBs

I am rebuilding an Icinga server that has been left behind by a previous employee. I have everything up and running, except for a bunch of MIB files for 3com switches that I cannot get to work.
The server is a CentOS 6 OpenVZ container.
In the original server there is a bunch of mib files in the default location at /usr/share/snmp/mibs/ and the 3com ones at /usr/share/snmp/mibs/3Com_4500/MIBs. The 3Com mibs work fine:
/usr/lib/nagios/plugins/check_snmp -H 10.10.111.11 -P 2c -C public -o hwDevMFanStatus.65536 -s "active(1)" -m A3COM-HUAWEI-LswDEVM-MIB
SNMP OK - active(1) |
In the new server, the MIBs in the 3com folder do not get acknowledged and I get errors like the following:
/usr/lib/nagios/plugins/check_snmp -H 10.10.111.11 -P2c -C someuser -o hwDevMFanStatus.65536 -s "active(1)" -m A3COM-HUAWEI-LswDEVM-MIB
External command error: No log handling enabled - turning on stderr logging
Cannot find module (A3COM-HUAWEI-LswDEVM-MIB): At line 0 in (none)
hwDevMFanStatus.65536: Unknown Object Identifier (Sub-id not found: (top) -> hwDevMFanStatus)
/etc/snmp/snmpd.conf is identical for both servers and so is /etc/sysconfig/snmp.
set does not show any ENV variable related to snmp or mib.
Thanks
You are confusing snmpd.conf and snmp.conf, the former being the configuration file for the SNMP daemon whereas Net-SNMP applications use snmp.conf.
The mibs/mibdirs directives you are interested in would be specified in snmp.conf (see also man snmp.conf).

I am trying to send a snmp message via snmptrap

I am trying to send an snmp message with snmptrap from the commandline, and the manual isn't super clear.
I have managed to send the example message successfully (10.0.0.1 == where I'm sending the messages to)
snmptrap -v 1 -c private 10.0.0.1 NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification "" 6 17 "" netSnmpExampleHeartbeatRate i 13546
But when I want to send a resynchronisation message such as:
snmptrap -v 1 -c private 10.0.0.1 HW-IMAPV1NORTHBOUND-TRAP-MIB::hwNmNorthboundEventSynchronizationCommandStart
I need to add a few more arguments. I've tried adding myip:myport:date:date or just myip:myport, but no success. I'm not too clear on what the following arguments should be. The man page:
snmptrap -v 1 [COMMON OPTIONS] [-Ci] enterprise-oid agent generic-trap specific-trap uptime [OID TYPE VALUE]
What should be the generic-trap, specific-trap etc?
From the MIB files:
: 1.3.6.1.4.1.2011.2.15.1.7.7.4
hwNmNorthboundEventSynchronizationCommandStart OBJECT-TYPE
SYNTAX OCTET STRING
ACCESS read-write
STATUS mandatory
DESCRIPTION
Format to omit dst flag:- IP:port:start time:end time:timezone, will consider the dstflag to be 0
Does someone have a bit more experience than me with SNMP to understand what I need to put in the command line arguments?
thanks!
I don't know if I should delete this question or leave it, but my problem was partly because somehow the MIB file was not read, and I had to use the OID directly. Otherwise the "arguments" depend on the MIB file: the 6 is always 6; the 17, on the other hand, should correspond to the last number in the OID of the MIB.
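How the enterprise-oid, generic-trap and specific-trap arguments of an SNMPv1 trap become the snmpTrapOID.0 and varbinds of a v2c/v3 notification under RFC 3584 section 3.1, which is the mapping a v1-to-v3 forwarder has to apply. This is an added example, not code from any of the posts; it goes beyond the enterprise-specific case discussed above by also covering the standard generic traps, and the sample trap (agent address, uptime, numeric enterprise OID) is constructed.

```python
# OIDs fixed by SNMPv2-MIB and SNMP-COMMUNITY-MIB (RFC 3584 section 3.1).
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"
SNMP_TRAPS = "1.3.6.1.6.3.1.1.5"            # coldStart = .1 ... egpNeighborLoss = .6
SNMP_TRAP_ADDRESS = "1.3.6.1.6.3.18.1.3.0"
SNMP_TRAP_COMMUNITY = "1.3.6.1.6.3.18.1.4.0"
SNMP_TRAP_ENTERPRISE = "1.3.6.1.6.3.1.1.4.3.0"
ENTERPRISE_SPECIFIC = 6


def v1_trap_oid(enterprise, generic, specific):
    """Return the snmpTrapOID.0 value for an SNMPv1 trap."""
    if not 0 <= generic <= ENTERPRISE_SPECIFIC:
        raise ValueError(f"generic-trap must be 0..6, got {generic}")
    if generic == ENTERPRISE_SPECIFIC:
        # enterprise + a zero sub-identifier + specific-trap
        return f"{enterprise.strip('.')}.0.{specific}"
    # Standard traps ignore specific-trap: generic 0..5 -> snmpTraps.1..6
    return f"{SNMP_TRAPS}.{generic + 1}"


def v1_to_v2_varbinds(trap):
    """Build the varbind list of the forwarded v2c/v3 notification."""
    out = [
        (SYS_UPTIME, trap["uptime"]),
        (SNMP_TRAP_OID, v1_trap_oid(trap["enterprise"], trap["generic"], trap["specific"])),
    ]
    out += trap["varbinds"]
    # A forwarder appends these three unless the v1 trap already carried them.
    present = {oid for oid, _ in trap["varbinds"]}
    for oid, key in ((SNMP_TRAP_ADDRESS, "agent_addr"),
                     (SNMP_TRAP_COMMUNITY, "community"),
                     (SNMP_TRAP_ENTERPRISE, "enterprise")):
        if oid not in present:
            out.append((oid, trap[key]))
    return out


# Constructed sample modelled on the demoTrap test (generic 6, specific 17, sysLocation.0).
# Numeric enterprise assumes ucdExperimental = 1.3.6.1.4.1.2021.13 (UCD-SNMP-MIB).
DEMO_TRAP = {
    "enterprise": "1.3.6.1.4.1.2021.13.990", "agent_addr": "192.0.2.10",
    "community": "public", "generic": 6, "specific": 17, "uptime": 0,
    "varbinds": [("1.3.6.1.2.1.1.6.0", "Just here")],
}

if __name__ == "__main__":
    for oid, value in v1_to_v2_varbinds(DEMO_TRAP):
        print(oid, "=", value)
```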

NoAccess error in snmpset

I have a MIB object with read-write permission. MIB section looks like this:
EnableHalt OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-write
STATUS current
DESCRIPTION "implemented in NetSnmpcodsMr.c file."
DEFVAL { 0 }
::= { Scalars 4 }
When I do a set on this object I get:
$ sudo snmpset -v 2c -c public localhost 1.3.6.1.4.1.8072.2.2.4.0 i 1
Error in packet.
Reason: noAccess
Failed object: NET-SNMP-MIB::netSnmp.2.2.4.0
When I do a get:
$ snmpget -v 2c -c public localhost 1.3.6.1.4.1.8072.2.2.4.0
NET-SNMP-MIB::netSnmp.2.2.4.0 = INTEGER: 1
All is fine!
In snmpd.conf I added the line:
rwcommunity public localhost
Still noAccess issue. I'm using net snmp 5.4.2.1 on Ubuntu
What am I doing wrong? Please advise. Thanks, Gil
It's nine months since you asked this but in case it's helpful...
Is your community string correct? You specified it as "public", which is the default read-only community string. Perhaps it should be "private" instead, which is the default read-write community string.
try:
snmpget -v 2c -c public localhost 1.3.6.1.4.1.8072.2.2.4.0 NET-SNMP-MIB::netSnmp.2.2.4.0
Gil,
If that object is read-only, then you probably will receive notWritable instead of noAccess.
http://www.tcpipguide.com/free/t_SNMPVersion2SNMPv2MessageFormats-5.htm
So I think it is still a Net-SNMP configuration issue and you can post to Net-SNMP mail list or check out the archive,
http://www.net-snmp.org/support/contacts.html
Modify the snmpd.conf file and add the line below at the end of the file to provide write permission.
rwcommunity public
noAccess (as opposed to notWritable) could be caused by your VACM view configuration in snmpd.conf. Look to the com2sec, group, view, and access directives. Respectively, these map a community string and source address/subnet to a security name; add a security name as a member of a VACM group; define an OID subtree as a named view; and finally indicate the access level for a given set of those other parameters along with security model and security level. If gets return noError but sets return noAccess, chances are good that one of these directives has configured your community string or your IP address for read-only access for what would otherwise be a read-write variable.
I have edited the access control section in snmpd.conf and it is working perfectly fine for me:
###############################################################################
# Access Control
#######################################################################
# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY
# KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO
# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.
# By far, the most common question I get about the agent is "why won't
# it work?", when really it should be "how do I configure the agent to
# allow me to access it?"
#
# By default, the agent responds to the "public" community for read
# only access, if run out of the box without any configuration file in
# place. The following examples show you other ways of configuring
# the agent so that you can change the community names, and give
# yourself write access as well.
#
# The following lines change the access permissions of the agent so
# that the COMMUNITY string provides read-only access to your entire
# NETWORK (EG: 10.10.10.0/24), and read/write access to only the
# localhost (127.0.0.1, not its real ipaddress).
#
# For more information, read the FAQ as well as the snmpd.conf(5)
# manual page.
####
# First, map the community name (COMMUNITY) into a security name
# (local and mynetwork, depending on where the request is coming
# from):
# sec.name source community
#com2sec paranoid default public
#com2sec readonly default public
com2sec readwrite default private
####
# Second, map the security names into group names:
# sec.model sec.name
#group MyROSystem v1 paranoid
#group MyROSystem v2c paranoid
#group MyROSystem usm paranoid
#group MyROGroup v1 readonly
#group MyROGroup v2c readonly
#group MyROGroup usm readonly
group MyRWGroup v1 readwrite
group MyRWGroup v2c readwrite
group MyRWGroup usm readwrite
####
# Third, create a view for us to let the groups have rights to:
# incl/excl subtree mask
view all included .1 80
view system included .iso.org.dod.internet.mgmt.mib-2.system
####
# Finally, grant the 2 groups access to the 1 view with different
# write permissions:
# context sec.model sec.level match read write notif
#access MyROSystem "" any noauth exact system none none
#access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
# ------------------------------------------------------------------
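The com2sec, group, view and access chain described in the answers above can be evaluated offline to see why a get succeeds while a set on the same OID returns noAccess. This is an added example, not code from any of the posts or from Net-SNMP; it assumes numeric OIDs and numeric source addresses, ignores view masks and contexts, and runs against a constructed configuration fragment.

```python
import ipaddress

def parse_vacm(text):
    """Collect the com2sec, group, view and access directives, in file order."""
    cfg = {"com2sec": [], "group": [], "view": [], "access": []}
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok and tok[0] in cfg:
            cfg[tok[0]].append(tok[1:])
    return cfg

def oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))

def in_view(cfg, view, target):
    """Longest matching subtree decides; view masks are ignored here."""
    best = ((), "excluded")
    for name, mode, subtree, *_mask in cfg["view"]:
        sub = oid(subtree)
        if name == view and target[:len(sub)] == sub and len(sub) >= len(best[0]):
            best = (sub, mode)
    return best[1] == "included"

def allowed(cfg, community, addr, model, target, write=False):
    """True if a v1/v2c request passes com2sec -> group -> access -> view."""
    for sec, src, comm in cfg["com2sec"]:          # first matching line wins
        if comm == community and (src == "default" or ipaddress.ip_address(addr)
                                  in ipaddress.ip_network(src, strict=False)):
            break
    else:
        return False                               # unknown community or source
    groups = {g for g, m, s in cfg["group"] if m == model and s == sec}
    for grp, _ctx, amodel, level, _match, rview, wview, _notif in cfg["access"]:
        if grp in groups and amodel in ("any", model) and level == "noauth":
            if in_view(cfg, wview if write else rview, oid(target)):
                return True
    return False

# Constructed snmpd.conf fragment: "public" is read-only from anywhere,
# "private" may write, but only from 127.0.0.1.
SAMPLE_CONF = '''
com2sec readonly  default    public
com2sec readwrite 127.0.0.1  private
group MyROGroup v2c readonly
group MyRWGroup v2c readwrite
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all  none
'''
```

With this fragment, `allowed(parse_vacm(SAMPLE_CONF), "public", "127.0.0.1", "v2c", "1.3.6.1.4.1.8072.2.2.4.0", write=True)` is False while the same call without `write=True` is True, which matches the get-works, set-fails symptom in the question.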
