Configuring the snmpd service in the operating system

3 July 2024

ID 222969

Interaction with KSMG over SNMP is achieved using the 'snmpd' service of the operating system. The snmpd service acts as a master agent, receiving and processing requests from monitoring systems and other external consumers over SNMP. KSMG connects to the snmpd service as a subagent over the AgentX protocol through a UNIX socket.

Installing the snmpd service

Make sure the snmpd service is installed in your operating system. If the service is not installed, install the appropriate packages.

To install the snmpd service and auxiliary utilities, enter the following command:

  • On Red Hat Enterprise Linux, Rocky Linux:

    yum install net-snmp net-snmp-utils

  • On Ubuntu:

    apt install snmp snmpd

Creating a user account for access to the data

Before creating the account, stop the snmpd service.

To ensure the security of access to the data over SNMPv3 with authentication and encryption, you need to create a user account on the snmpd service side with the following information:

  • User name (case sensitive)
  • Authentication algorithm (MD5 or SHA; SHA is recommended)
  • Authentication password
  • Encryption algorithm (only AES supported)
  • Encryption password

For security purposes, we recommend using an independent user account on each node of the KSMG cluster.

You can create a user account in the following ways:

  • Using the net-snmp-create-v3-user utility, if available in the operating system.
  • Manually by adding the appropriate directive to the configuration file of the snmpd service.

To create a user account using the net-snmp-create-v3-user utility:

net-snmp-create-v3-user -ro -a <authentication algorithm> -x <encryption algorithm> <user name>

Authentication and encryption passwords are requested interactively.

Example:

net-snmp-create-v3-user -ro -a SHA -x AES MonitoringUser

To create a user account without the utility:

  1. Create the /var/lib/snmp/snmpd.conf configuration file:

    touch /var/lib/snmp/snmpd.conf

  2. Add the following line to the configuration file:

    createUser <user name> <authentication algorithm> "<authentication password>" <encryption algorithm> "<encryption password>"

    Example:

    createUser MonitoringUser SHA "MonitoringAuthSecret" AES "MonitoringPrivSecret"

Creating a user account for receiving SNMP traps

To receive SNMP traps over SNMPv3 with authentication and encryption, you need to create an account on the side of the monitoring system in the context of the corresponding service (usually the snmptrapd service).

The account must contain the following information:

  • User name
  • Authentication algorithm
  • Authentication password
  • Encryption algorithm
  • Encryption password

For security purposes, you must use separate user accounts for access to data and for receiving SNMP traps.
We recommend creating independent user accounts for receiving SNMP traps from each node of the KSMG cluster.

For instructions on creating a user account for receiving SNMP traps, refer to the documentation of your monitoring system.

Configuring the snmpd service

The configuration of the snmpd service is stored in the /etc/snmp/snmpd.conf file. You can add the necessary information to an existing configuration file or create a new configuration file and add the lines listed below, in the given order.

To configure the snmpd service:

  1. If you chose to create a new configuration file, make sure that only the superuser has access to it. If necessary, set permissions:

    chown root:root /etc/snmp/snmpd.conf
    chmod 600 /etc/snmp/snmpd.conf

  2. Specify the protocol, network interface address, and port number on which the snmpd service must listen for incoming requests.
    • If you want to listen for requests on all network interfaces, add the following lines to the configuration file:

      # Listen for incoming SNMP requests via UDP
      agentAddress udp:161

    • If you want to listen for requests only on the local network interface, for example, if the monitoring system is installed on the same machine, add the following lines:

      # Listen for incoming SNMP requests via UDP
      agentAddress udp:127.0.0.1:161

  3. Specify the path and permissions for the UNIX socket on which the snmpd service must listen for subagent connections over the AgentX protocol. To do so, add the following lines to the configuration file:

    # Listen for subagent connections via UNIX socket
    master agentx
    agentXSocket unix:/var/run/agentx-master.socket
    agentXPerms 770 770 kluser klusers

  4. If necessary, you can provide a system description, location of the system, and the contact address of the administrator. To do so, add the following lines to the configuration file:

    # Basic system information
    sysDescr <system description>
    sysLocation <system location>
    sysContact <contact address of the administrator>
    sysServices 72

  5. Specify the scope of the OID tree that you want to be available to your monitoring system via the SNMP protocol. To have access to KSMG data, add the following lines to the configuration file:

    # Kaspersky Secure Mail Gateway SNMP statistics
    view monitoring included .1.3.6.1.4.1.23668.1735

  6. If necessary, you can additionally specify the scope of the OID tree containing information about the operating system that is stored by the snmpd service. This scope will be available to your monitoring system.

    Information about the operating system includes, for example, CPU and RAM usage, free space on disk partitions, load of network interfaces, a list of installed software, a list of open network connections, and a list of running processes. Part of this information may be confidential.

    • If you want to allow access only to general system information and information about the usage of RAM, CPU, and disk devices, add the following lines to the configuration file:

      # SNMPv2-MIB - Basic system information
      view monitoring included .1.3.6.1.2.1.1

      # HOST-RESOURCES-MIB - CPU, Memory, Filesystems
      view monitoring included .1.3.6.1.2.1.25.1
      view monitoring included .1.3.6.1.2.1.25.2
      view monitoring included .1.3.6.1.2.1.25.3
      view monitoring included .1.3.6.1.2.1.25.5

      # UCD-SNMP-MIB - Memory and CPU usage
      view monitoring included .1.3.6.1.4.1.2021.4
      view monitoring included .1.3.6.1.4.1.2021.10
      view monitoring included .1.3.6.1.4.1.2021.11

      # UCD-SNMP-DISKIO-MIB - Block devices I/O statistics
      view monitoring included .1.3.6.1.4.1.2021.13

      # IF-MIB - Network interfaces I/O statistics
      view monitoring included .1.3.6.1.2.1.2
      view monitoring included .1.3.6.1.2.1.31

    • If you want to allow access to all system information, add the following lines to the configuration file:

      # Allow access to the whole OID tree
      view monitoring included .1

  7. Specify the access mode and scope of information for the created user account. To do so, add the following lines to the configuration file:

    # Access control for SNMPv3 monitoring system user
    rouser <user name> priv -V monitoring

  8. To send SNMP traps, specify the IP address of the monitoring system and user credentials for receiving traps. To do so, add the following lines to the configuration file:

    # Send SNMPv3 traps to the monitoring system
    trapsess -Ci -v3 -t0.1 -r1 -l authPriv -u <user name for receiving traps> -a <authentication algorithm> -A "<user password for receiving traps>" -x <encryption algorithm> -X "<encryption password>" udp:<IP address>:162

The snmpd service will be configured.

To integrate with multiple monitoring systems, create a separate user account for each system, specify the scope of available information for each user account (the 'view' and 'rouser' directives) and configure the sending of SNMP traps (the 'trapsess' directive).
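
A check for the finished file, as an added example that is not part of the original page or of KSMG: it reads an snmpd.conf and reports where the directives from steps 3 to 8 fall short of what this page requires (priv-level access restricted to a view that contains the KSMG subtree, authPriv traps, separate accounts for data access and traps). It assumes the directive forms shown on this page; the function names, the sample configuration, its passwords and the 192.0.2.10 address are constructed for illustration.

```sh
# Reads an snmpd.conf on stdin; prints one finding per line (added example).
audit_snmpd_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    $1 == "master" && $2 == "agentx" { master = 1 }
    $1 == "agentXSocket" { sock = 1 }
    $1 == "agentXPerms"  { perms = 1 }
    $1 == "view" && $3 == "included" {
        views[$2] = 1
        # The view covers KSMG data if its OID is a prefix of the KSMG subtree
        if (index(".1.3.6.1.4.1.23668.1735.", $4 ".") == 1) ksmg[$2] = 1
        if ($4 == ".1") print "REVIEW: view " $2 " exposes the whole OID tree"
    }
    $1 == "rouser" {
        ro[$2] = 1
        if ($3 != "priv") print "FAIL: rouser " $2 " does not require priv"
        if ($4 == "-V") rov[$2] = $5
        else print "FAIL: rouser " $2 " is not restricted to a view"
    }
    $1 == "trapsess" {
        lvl = ""; tu = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-l") lvl = $(i + 1)
            if ($i == "-u") tu = $(i + 1)
        }
        if (lvl != "authPriv") print "FAIL: trapsess does not use -l authPriv"
        trapuser[tu] = 1
    }
    END {
        if (!master || !sock || !perms) print "FAIL: AgentX master, socket or agentXPerms missing"
        for (u in rov) {
            if (!(rov[u] in views)) print "FAIL: view " rov[u] " is not defined"
            else if (!(rov[u] in ksmg)) print "FAIL: view " rov[u] " lacks KSMG data"
        }
        for (u in trapuser) if (u in ro) print "FAIL: " u " used for both data access and traps"
    }'
}
# Constructed sample: auth-only rouser, whole-tree view, one account for both roles.
sample_bad_conf() {
cat <<'EOF'
master agentx
agentXSocket unix:/var/run/agentx-master.socket
agentXPerms 770 770 kluser klusers
view monitoring included .1
rouser MonitoringUser auth -V monitoring
trapsess -Ci -v3 -t0.1 -r1 -l authPriv -u MonitoringUser -a SHA -A "x" -x AES -X "y" udp:192.0.2.10:162
EOF
}
sample_bad_conf | audit_snmpd_conf
```

To check a real file, run `audit_snmpd_conf < /etc/snmp/snmpd.conf` as the superuser; no output means none of the checked conditions was violated.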

Example of an snmpd service configuration file

Starting the snmpd service with the new configuration

To apply the new configuration:

  1. Restart the snmpd service:

    systemctl restart snmpd

  2. Check the status of the snmpd service:

    systemctl status snmpd

    The status must be running.

  3. Allow the service to start automatically at operating system startup:

    systemctl enable snmpd

  4. If you are using a firewall in your operating system or network equipment, add rules to let SNMP packets through.

The snmpd service is configured.

Checking the health of the snmpd service

To test the snmpd service, configure the use of SNMP in the KSMG web interface and request SNMP data using the 'snmpwalk' utility.

To get the scopes of SNMP data provided by KSMG:

snmpwalk -v3 -l authPriv -u <user name> -a <authentication algorithm> -A "<authentication password>" -x <encryption algorithm> -X "<encryption password>" <IP address> .1.3.6.1.4.1.23668.1735

Example:

snmpwalk -v3 -l authPriv -u MonitoringUser -a SHA -A "MonitoringAuthSecret" -x AES -X "MonitoringPrivSecret" 127.0.0.1 .1.3.6.1.4.1.23668.1735
