SNMPD.CONF(5) | File Formats Manual | SNMPD.CONF(5) |
snmpd.conf - Simple Network Management Protocol daemon configuration file
snmpd.conf is the configuration file for the snmpd(8) daemon.
The snmpd.conf file is divided into the following main sections:
The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.
Argument names not beginning with a letter, digit, or underscore must be quoted.
Additional configuration files can be included with the include keyword, for example:
include "/etc/snmpd.conf.local"
Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example, community, system, or oid). Macros are not expanded inside quotes.
For example:
ext_addr="192.168.0.1"
listen on $ext_addr
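The lexical rules above (backslash continuation, '#' comments, macros), modelled in a short preprocessor to show which statements remain in effect. This is an added example, not snmpd(8)'s parser; the function names and the sample file are constructed, and treating '#' inside double quotes as literal text is an assumption.

```python
import re

MACRO_DEF = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(.*)$')
MACRO_REF = re.compile(r'\$([A-Za-z0-9_]+)')

def strip_comment(line):
    """Cut the line at the first '#' found outside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            return line[:i]
    return line

def expand(line, macros):
    """Expand $name outside quotes only; an undefined macro raises KeyError."""
    parts = line.split('"')            # even indexes lie outside quotes
    parts[0::2] = [MACRO_REF.sub(lambda m: macros[m.group(1)], p)
                   for p in parts[0::2]]
    return '"'.join(parts)

def logical_lines(text):
    """Return the statements left after continuation, comments and macros."""
    macros, out = {}, []
    joined = text.replace('\\\n', '')  # continuation is resolved first
    for raw in joined.split('\n'):
        line = strip_comment(raw).strip()
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
        elif line:
            out.append(expand(line, macros))
    return out

# Constructed sample: the commented line ends in a backslash, so the
# comment also covers the "seclevel enc" line that follows it.
SAMPLE = (
    'ext_addr="192.168.0.1"\n'
    'listen on $ext_addr \\\n'
    'snmpv3\n'
    '# seclevel none \\\n'
    'seclevel enc\n'
    'system contact "ops at $ext_addr"  # macro stays literal in quotes\n'
)

if __name__ == '__main__':
    print('\n'.join(logical_lines(SAMPLE)))
```

Only the listen on and system contact statements survive; the seclevel enc line is part of the comment and never takes effect.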
The following options can be set globally:
filter-pf-addresses (yes | no)
yes, snmpd(8) will filter out the OPENBSD-PF-MIB::pfTblAddrTable tree. Addresses stored in PF tables will not be available, but CPU use will be reduced during bulk walks. The default is no.
filter-routes (yes | no)
yes, ask the kernel to filter route update messages on the routing socket. Routing table information will not be available, but CPU use will be reduced during bulk updates. The default is no.
listen on [tcp | udp] address [port port] [flags]
any to listen on all local IPv4 and IPv6 addresses. Multiple listen on statements are supported. If no listen on statement is present, the default is listen on any.
The flags are as follows:
read
write
notify
snmpv1
snmpv2c
snmpv3
The default protocol is udp. The default port is 161, unless notify is the only permission flag, which sets the port to 162. If no permission flags are specified it defaults to “read write”, or notify when port is 162. If no subsystem flags are specified, it defaults to snmpv3.
Having notify set requires at least one trap handle statement.
engineid [pen enterprise] format
user auth and key. enterprise specifies the private enterprise number of the instance and can be either an integer or openbsd (default).
format can be one of the following:
ipv4 address
ipv6 address
mac address
text text
octets octetstring
hosthash [hostname]
openbsd. If used for the local engineID, then hostname defaults to the value of hostname(1). This format is the default.
openbsd.
agentid octetstring
read-only community string
read-write community string
seclevel (none | auth | enc)
none
auth
enc
system contact string
system description string
-a flag:
OpenBSD myhost.example.com 4.2 GENERIC#595 i386
system location string
system name string
system oid oid-string
system services number
trap community string
trap handle oid "command"
command upon receipt of an SNMP trap that begins with a prefix of oid. Alternately, the string "default" may be used, in which case the prefix used is 1.3. The invoked command will receive the following information about the trap on standard input, one per line, in this order: the resolved hostname of the host sending the trap, the IP address of the host sending the trap, and any variable bindings contained in the trap (the OID followed by the value, separated by a single space). This option requires at least one listen on statement with a notify flag set. Traps over SNMPv3 are currently unsupported.
trap receiver address [oid oid-string] snmpv2c [community string] [source-address address]
snmpv2c format. The default community is specified by the global trap community option. The IPv4 or IPv6 source address of the traps can be enforced using
trap receiver address [oid oid-string] [snmpv3] user name [seclevel level] [source-address address]
snmpv3 format. user must point to an existing global user. If seclevel is not defined, it defaults to the global seclevel option. The IPv4 or IPv6 source address of the traps can be enforced using source-address.
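A command run by trap handle reads network-supplied data, so the parser below treats every field as untrusted. It is an added example, not code from snmpd(8), following the stdin layout described for trap handle above (hostname line, address line, then "OID value" lines). The function names, the optional source allowlist and the sample input are constructed; OIDs and values are kept as opaque strings because the page does not specify their textual form.

```python
import ipaddress

def clean(value, limit=256):
    """Neutralise control characters and cap length before logging."""
    return ''.join(c if c.isprintable() else '?' for c in value)[:limit]

def parse_trap(lines, allowed=None):
    """Parse the stdin lines handed to a `trap handle` command.

    allowed: optional list of ipaddress networks the sender must be in
    (a policy added by this example).
    """
    lines = [ln.rstrip('\r\n') for ln in lines]
    if len(lines) < 2:
        raise ValueError('expected hostname and address lines')
    host = clean(lines[0])            # comes from name resolution, untrusted
    addr = ipaddress.ip_address(lines[1].strip())   # ValueError if malformed
    if allowed is not None and not any(addr in net for net in allowed):
        raise PermissionError('sender %s not in allowlist' % addr)
    varbinds = []
    for ln in lines[2:]:
        if not ln:
            continue
        oid, _, value = ln.partition(' ')   # "OID value", single space
        varbinds.append((clean(oid), clean(value)))
    return {'host': host, 'addr': str(addr), 'varbinds': varbinds}

# Constructed sample input, not captured from a real agent. The last
# value carries a terminal escape sequence to show the sanitising step.
SAMPLE = [
    'router1.example.com\n',
    '192.0.2.10\n',
    '1.3.6.1.2.1.1.3.0 12345\n',
    '1.3.6.1.2.1.2.2.1.2.1 em0\x1b[2J injected\n',
]

if __name__ == '__main__':
    trap = parse_trap(SAMPLE)         # a real handler would pass sys.stdin
    print(trap['host'], trap['addr'])
    for oid, value in trap['varbinds']:
        print(' ', oid, '=', value)
```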
Users for the SNMP User-based Security Model (USM, RFC 3414) must be defined in the configuration file:
user name [authkey key auth hmac] [enckey key enc cipher]
authkey keyword is required to specify the digest key used to authenticate messages. If this keyword is omitted then authentication is disabled for this user account. Optionally the HMAC algorithm used for authentication can be specified. hmac must be either hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, or hmac-sha512. If omitted, the default is hmac-sha1.
With enckey the encryption key used to encrypt and decrypt messages for privacy is defined. Without an enckey specification the user account will neither accept encrypted incoming messages nor will it encrypt outgoing messages. The enc algorithm can be either des or aes and defaults to aes.
Any user account that has encryption enabled requires authentication to be enabled too.
It is possible to specify user-defined OIDs in the configuration file:
oid oid-string name name [read-only | read-write] [type] value
read-write option may allow the client to override it, and the type is either string or integer.
The following example will tell snmpd(8) to listen on localhost for SNMPv2c messages only with the community “8LHQtm1QLGzk”, override the default system OID, set the magic services value, and provide some custom OID values:
listen on 127.0.0.1 snmpv2c
read-only community 8LHQtm1QLGzk
system oid 1.3.6.1.4.1.30155.23.2
system services 74
oid 1.3.6.1.4.1.30155.42.1 name myName read-only string "humppa"
oid 1.3.6.1.4.1.30155.42.2 name myStatus read-only integer 1
The next example will enforce SNMPv3 with authenticated and encrypted communication and the user-based security model. The configuration defines several users using varying encryption and authentication algorithms.
seclevel enc
user "mgmt" auth hmac-sha256 authkey "password123" enc aes enckey "321drowssap"
user "hans" auth hmac-sha1 authkey "password456" enc aes enckey "654drowssap"
user "sophie" auth hmac-md5 authkey "password789" enc des enckey "987drowssap"
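A review script for the user and seclevel statements shown above, applying the defaults the page documents (hmac-sha1 and aes when omitted). It is an added example, not part of snmpd(8); the function names and the "probe" user are constructed, and treating hmac-md5 and des as legacy is this example's policy. It assumes one statement per line.

```python
import shlex

LEGACY_AUTH = {"hmac-md5"}   # policy of this example, not of snmpd(8)
LEGACY_ENC = {"des"}

def audit_user(tok):
    """Return findings for one tokenized `user` statement."""
    name, opts = tok[1], dict(zip(tok[2::2], tok[3::2]))
    out = []
    if "authkey" not in opts:
        out.append("authentication disabled (no authkey)")
        if "enckey" in opts:
            out.append("enckey without authkey is not a valid combination")
    elif opts.get("auth", "hmac-sha1") in LEGACY_AUTH:   # page default
        out.append("legacy HMAC " + opts["auth"])
    if "enckey" not in opts:
        out.append("no privacy (no enckey)")
    elif opts.get("enc", "aes") in LEGACY_ENC:           # page default
        out.append("legacy cipher " + opts["enc"])
    return [(name, msg) for msg in out]

def audit(conf):
    """Collect (subject, finding) pairs for seclevel and user statements."""
    findings = []
    for line in conf.splitlines():
        tok = shlex.split(line, comments=True)   # honours quotes and '#'
        if len(tok) >= 2 and tok[0] == "seclevel" and tok[1] != "enc":
            findings.append(
                ("global", "seclevel " + tok[1] + " does not require encryption"))
        elif len(tok) >= 2 and tok[0] == "user":
            findings += audit_user(tok)
    return findings

# The first four lines are the page's example; "probe" is constructed.
SAMPLE = '''
seclevel enc
user "mgmt" auth hmac-sha256 authkey "password123" enc aes enckey "321drowssap"
user "hans" auth hmac-sha1 authkey "password456" enc aes enckey "654drowssap"
user "sophie" auth hmac-md5 authkey "password789" enc des enckey "987drowssap"
user "probe"
'''

if __name__ == "__main__":
    for who, msg in audit(SAMPLE):
        print(who + ": " + msg)
```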
The snmpd.conf file format first appeared in OpenBSD 4.3.
The snmpd(8) program was written by Reyk Floeter <reyk@openbsd.org>.
March 31, 2022 | OpenBSD-current |