NAME
snmpd.conf
—
Simple Network Management Protocol
daemon configuration file
DESCRIPTION
snmpd.conf
is the configuration file for
the snmpd(8) daemon.
The snmpd.conf
file is divided into the
following main sections:
- Macros
- User-defined variables may be defined and used later, simplifying the configuration file.
- Global Configuration
- Global runtime settings for snmpd(8).
- User Configuration
- USM user definitions.
- OID Configuration
- Custom configuration of SNMP object identifiers and values.
The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.
Argument names not beginning with a letter, digit, or underscore must be quoted.
Additional configuration files can be included with the
include
keyword, for example:
include "/etc/snmpd.conf.local"
MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, digit, or underscore, and may contain
any of those characters. Macro names may not be reserved words (for example,
community
, system
, or
oid
). Macros are not expanded inside quotes.
For example:
ext_addr="192.168.0.1" listen on $ext_addr
GLOBAL CONFIGURATION
The following options can be set globally:
filter-pf-addresses
(yes
|no
)- If set to
yes
, snmpd(8) will filter out the OPENBSD-PF-MIB::pfTblAddrTable tree. Addresses stored in PF tables will not be available, but CPU use will be reduced during bulk walks. The default isno
. filter-routes
(yes
|no
)- If set to
yes
, ask the kernel to filter route update messages on the routing socket. Routing table information will not be available, but CPU use will be reduced during bulk updates. The default isno
. listen on
address [tcp
|udp
]- Specify the local address
snmpd(8) should listen on for incoming SNMP messages. Multiple
listen on
statements are supported, the default is UDP. read-only community
string- Specify the name of the read-only community. The default value is public.
read-write
(community
string |disabled
)- Specify the name of the read-write community, or disallow writes completely. The default value is private.
seclevel
(none
|auth
|enc
)- Specify the lowest security level that
snmpd(8) accepts:
none
- Both authentication and encryption of messages is optional. This is the default value.
auth
- Authentication of messages is mandatory. snmpd(8) will discard any messages that don't have a valid digest. Encryption of messages is optional.
enc
- Messages must be encrypted and must have a valid digest for authentication. Otherwise they will be discarded.
If the chosen value is different from
none
snmpd(8) will accept only SNMPv3 requests since older versions neither support authentication nor encryption. socket
"path" [restricted
|agentx
]- Create a control socket at path. If
restricted
is specified, a restricted control socket will be created. Ifagentx
is specified, a socket which speaks the AgentX protocol will be created. Multiplerestricted
andagentx
sockets may be created. By default /var/run/snmpd.sock is created and no other sockets are created. system contact
string- Specify the name or description of the system contact, typically a name or an email address. The default value is root@hostname using the hostname of the local machine.
system description
string- Specify a description of the local system. The default value is the
operating system identification as printed by the
uname(1) command using the
-a
flag:OpenBSD myhost.example.com 4.2 GENERIC#595 i386
system location
string- Specify the string describing the location of the local system, typically a physical location. The default value is an empty string.
system name
string- Specify the name of the local system, typically a fully-qualified domain name. The default value is the hostname of the local system.
system oid
oid-string- Specify the authoritative identification of the local system. The default value is 1.3.6.1.4.1.30155.23.1 (iso.org.dod.internet.private.enterprises.openbsd.23.1) identifying a common OpenBSD system.
system services
number- Specify a magic value which indicates the set of services that the local system may provide. Refer to the sysServices description in the SNMP MIB for details.
trap community
string- Specify the name of the trap community. The default value is public.
trap handle
oid "command"- Execute
command
upon receipt of an SNMP trap that begins with a prefix ofoid
. Alternately, the string "default
" may be used, in which case the prefix used is1.3
. The invoked command will receive the following information about the trap on standard input, one per line, in this order: the resolved hostname of the host sending the trap, the IP address of the host sending the trap, and any variable bindings contained in the trap (the OID followed by the value, separated by a single space). Traps will will be accepted on alllisten on
UDP addresses. trap receiver
string [oid
oid-string] [community
string] [source-address
address]- Specify the address or FQDN of a remote trap receiver for outgoing traps
sent by snmpd(8). This option may be specified multiple times. The
daemon will send outgoing traps using the revised SNMPv2 format and the
configured trap community. The default community is specified by the
global
trap community
option. The IPv4 or IPv6 source address of the traps can be enforced usingsource-address
.
USER CONFIGURATION
Users for the SNMP User-based Security Model (USM, RFC 3414) must be defined in the configuration file:
user
name [authkey
keyauth
hmac] [enckey
keyenc
cipher]- Defines a known user. The
authkey
keyword is required to specify the digest key used to authenticate messages. If this keyword is omitted then authentication is disabled for this user account. Optionally the HMAC algorithm used for authentication can be specified. hmac must be eitherhmac-md5
,hmac-sha1
,hmac-sha224
,hmac-sha256
,hmac-sha384
, orhmac-sha512
. If omitted the default ishmac-sha1
.With
enckey
the encryption key used to encrypt and decrypt messages for privacy is defined. Without anenckey
specification the user account will neither accept encrypted incoming messages nor will it encrypt outgoing messages. The enc algorithm can be eitherdes
oraes
and defaults todes
.Any user account that has encryption enabled requires authentication to be enabled too.
OID CONFIGURATION
It is possible to specify user-defined OIDs in the configuration file:
oid
oid-stringname
name [read-only
|read-write
] [type] value- Return the specified value to the client for this OID. The
read-write
option may allow the client to override it, and the type is eitherstring
orinteger
.
FILES
- /etc/snmpd.conf
- Default location of the configuration file.
- /etc/examples/snmpd.conf
- Example configuration file.
EXAMPLES
The following example will tell snmpd(8) to listen on localhost, override the default system OID, set the magic services value and provides some custom OID values:
listen on 127.0.0.1 system oid 1.3.6.1.4.1.30155.23.2 system services 74 oid 1.3.6.1.4.1.30155.42.1 name myName read-only string "humppa" oid 1.3.6.1.4.1.30155.42.2 name myStatus read-only integer 1
The next example will enforce SNMPv3 with authenticated and
encrypted communication and the user-based security model. The configuration
defines two users, the first one is using the aes
encryption algorithm and the second one the default
des
algorithm.
seclevel enc user "hans" authkey "password123" enc aes enckey "321drowssap" user "sophie" authkey "password456" enckey "654drowssap"
SEE ALSO
HISTORY
The snmpd.conf
file format first appeared
in OpenBSD 4.3.
AUTHORS
The snmpd(8) program was written by Reyk Floeter <reyk@openbsd.org>.