OpenBSD manual page server

Manual Page Search Parameters
SNMPD.CONF(5) File Formats Manual SNMPD.CONF(5)

snmpd.confSNMP daemon configuration file

snmpd.conf is the configuration file for the snmpd(8) daemon.

The snmpd.conf file is divided into the following main sections:

User-defined variables may be defined and used later, simplifying the configuration file.
Global runtime settings for snmpd(8).
USM user definitions.
Custom configuration of SNMP object identifiers and values.

The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Argument names not beginning with a letter, digit, or underscore must be quoted.

Additional configuration files can be included with the include keyword, for example:

include "/etc/snmpd.conf.local"

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example, community, system, or oid). Macros are not expanded inside quotes.

For example:

ext_addr="192.168.0.1"
listen on $ext_addr

The following options can be set globally:

oid
Remove the oid subtree from view. Multiple blocklist statements are supported.
(yes | no)
If set to yes, ask the kernel to filter route update messages on the routing socket. Routing table information will not be available, but CPU use will be reduced during bulk updates. The default is no.
[tcp | udp] address [port port] [flags]
Specify the local address snmpd(8) should listen on for incoming SNMP messages, or any to listen on all local IPv4 and IPv6 addresses. Multiple listen on statements are supported. If no listen on statement is present, the default is listen on any.

The flags are as follows:

Accept get, getnext and bulkget requests.
Accepts set requests.
Accepts trapv1 and trapv2 requests.
Enable SNMPv1 subsystem on the listen address.
Enable SNMPv2c subsystem on the listen address.
Enable SNMPv3 subsystem on the listen address.

The default protocol is udp. The default port is 161, unless notify is the only permission flag; which sets the port to 162. If no permission flags are specified it defaults to “read write”, or notify when port is 162. If no subsystem flags are specified, it defaults to snmpv3.

Having notify set requires at least one trap handle statement.

[path path] [owner owner] [group group] [mode mode]
Set up an agentx master socket at path and defaults to /var/agentx/master. Socket owner, group, and permissions can be set with owner, group, and mode respectively and defaults to root, _agentx, and 660. Multiple agentx statements are supported. Only unix sockets are supported.
[pen enterprise] format
Set the snmp engineid, used for instance identification and key generation for the user auth and key. enterprise specifies the private enterprise number of the instance and can be either an integer or openbsd (default).

format can be one of the following:

address
The engineID's format identifier is set to 1 and the ipv4 address is used in the format.
address
The engineID's format identifier is set to 2 and the ipv6 address is used in the format.
address
The engineID's format identifier is set to 3 and the mac address is used in the format.
text
The engineID's format identifier is set to 4 and the ASCII text is used in the format.
octetstring
The engineID's format identifier is set to 5 and the octetstring in hexadecimal is used in the format.
[hostname]
The engineID's format identifier is set to 129 and the first 27 bytes of the sha256 hash of the hostname are used in the format. This option is only valid for enterprise openbsd. If used for the local engineID, then hostname defaults to the value of hostname(1). This format is the default.
number octetstring
The engineID's format identifier is set to number and the octetstring in hexadecimal is used in the format. This format is only available if enterprise is not openbsd.
octetstring
RFC1910 legacy format. octetstring must be 8 bytes (or 16 characters in hexadecimal format).
string
Specify the name of the read-only community. There is no default value.
community string
Specify the name of the read-write community. There is no default value.
(none | auth | enc)
Specify the lowest security level that snmpd(8) accepts on SNMPv3:
Both authentication and encryption of messages is optional.
Authentication of messages is mandatory. snmpd(8) will discard any messages that don't have a valid digest. Encryption of messages is optional.
Messages must be encrypted and must have a valid digest for authentication. Otherwise they will be discarded. This is the default value.
string
Specify the name or description of the system contact, typically a name or an email address. The default value is root@hostname using the hostname of the local machine.
string
Specify a description of the local system. The default value is the operating system identification as printed by the uname(1) command using the -a flag: 
OpenBSD myhost.example.com 4.2 GENERIC#595 i386
string
Specify the string describing the location of the local system, typically a physical location. The default value is an empty string.
string
Specify the name of the local system, typically a fully-qualified domain name. The default value is the hostname of the local system.
oid-string
Specify the authoritative identification of the local system. The default value is 1.3.6.1.4.1.30155.23.1 (iso.org.dod.internet.private.enterprises.openbsd.23.1) identifying a common OpenBSD system.
number
Specify a magic value which indicates the set of services that the local system may provide. Refer to the sysServices description in the SNMP MIB for details. The value is given in decimal.
string
Specify the name of the trap community. There is no default value.
oid "command"
Execute command upon receipt of an SNMP trap that begins with a prefix of oid. Alternately, the string "default" may be used, in which case the prefix used is 1.3. The invoked command will receive the following information about the trap on standard input, one per line, in this order: the resolved hostname of the host sending the trap, the IP address of the host sending the trap, and any variable bindings contained in the trap (the OID followed by the value, separated by a single space). This option requires at least one listen on statement with a notify flag set. Traps over SNMPv3 are currently unsupported.
address [oid oid-string] snmpv2c [community string] [source-address address]
Specify the address or FQDN of a remote trap receiver for outgoing traps sent by snmpd(8). This option may be specified multiple times. The daemon will send outgoing traps in snmpv2c format. The default community is specified by the global trap community option. The IPv4 or IPv6 source address of the traps can be enforced using
address [oid oid-string] [snmpv3] user name [seclevel level] [source-address address]
Specify the address or FQDN of a remote trap receiver for outgoing traps sent by snmpd(8). This option may be specified multiple times. The daemon will send outgoing traps in snmpv3 format. user must point to an existing global user. If seclevel is not defined, it defaults to the global seclevel option. The IPv4 or IPv6 source address of the traps can be enforced using source-address.

Users for the SNMP User-based Security Model (USM, RFC 3414) must be defined in the configuration file:

name [authkey key auth hmac] [enckey key enc cipher]
Defines a known user. The authkey keyword is required to specify the digest key used to authenticate messages. If this keyword is omitted then authentication is disabled for this user account. Optionally the HMAC algorithm used for authentication can be specified. hmac must be either hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, or hmac-sha512. If omitted, the default is hmac-sha1.

With enckey the encryption key used to encrypt and decrypt messages for privacy is defined. Without an enckey specification the user account will neither accept encrypted incoming messages nor will it encrypt outgoing messages. The enc algorithm can be either des or aes and defaults to aes.

Any user account that has encryption enabled requires authentication to be enabled too.

It is possible to specify user-defined OIDs in the configuration file:

oid-string name name [read-only | read-write] [type] value
Return the specified value to the client for this OID. The read-write option may allow the client to override it, and the type is either string or integer.

/etc/snmpd.conf
Default location of the configuration file.
/etc/examples/snmpd.conf
Example configuration file.

The following example will tell snmpd(8) to listen on localhost for SNMPv2c messages only with the community “8LHQtm1QLGzk”, override the default system OID, set the magic services value, and provide some custom OID values:

listen on 127.0.0.1 snmpv2c
read-only community 8LHQtm1QLGzk

system oid 1.3.6.1.4.1.30155.23.2
system services 74

oid 1.3.6.1.4.1.30155.42.1 name myName read-only string "humppa"
oid 1.3.6.1.4.1.30155.42.2 name myStatus read-only integer 1

The next example will enforce SNMPv3 with authenticated and encrypted communication and the user-based security model. The configuration defines several users using varying encryption and authentication algorithms.

seclevel enc

user "mgmt" auth hmac-sha256 authkey "password123" enc aes enckey "321drowssap"
user "hans" auth hmac-sha1 authkey "password456" enc aes enckey "654drowssap"
user "sophie" auth hmac-md5 authkey "password789" enc des enckey "987drowssap"

snmp(1), snmpd(8)

The snmpd.conf file format first appeared in OpenBSD 4.3.

The snmpd(8) program was written by Reyk Floeter <reyk@openbsd.org>.

March 2, 2023 OpenBSD-current