OpenCores
URL https://opencores.org/ocsvn/openrisc/openrisc/trunk

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [rtos/] [ecos-2.0/] [packages/] [net/] [snmp/] [agent/] [v2_0/] [doc/] [manpages/] [snmpd.conf.5] - Blame information for rev 174

Details | Compare with Previous | View Log

Line No. Rev Author Line
1 27 unneback
.TH SNMPD.CONF 5 "27 Jan 2000"
2
.ds )H U.C. Davis, ECE Dept.
3
.ds ]W V4.1.2
4
.UC 4
5
.SH NAME
6
share/snmp/snmpd.conf - configuration file for the ucd-snmp SNMP agent.
7
.SH DESCRIPTION
8
.B snmpd.conf
9
is the configuration file which defines how the ucd-smnp SNMP agent
10
operates.  These files may contain any of the directives found in the
11
DIRECTIVES section below.  This file is not required for the agent to
12
operate and report mib entries.
13
.SH PLEASE READ FIRST
14
First, make sure you have read the snmp_config(5) manual page that
15
describes how the ucd-snmp configuration files operate, where they
16
are located and how they all work together.
17
.SH EXTENSIBLE-MIB
18
.PP
19
The ucd-snmp SNMP agent reports much of its information through
20
queries to the 1.3.6.1.4.1.2021 section of the mib tree.  Every mib in
21
this section has the following table entries in it.
22
.IP ".1 -- index"
23
This is the table's index numbers for each of the DIRECTIVES listed below.
24
.IP ".2 -- name"
25
The name of the given table entry.  This should be unique, but is not
26
required to be.
27
.IP ".100 -- errorFlag"
28
This is a flag returning either the integer value 1 or 0 if an error
29
is detected for this table entry.
30
.IP ".101 -- errorMsg"
31
This is a DISPLAY-STRING describing any error triggering the errorFlag above.
32
.IP ".102 -- errorFix"
33
If this entry is SNMPset to the integer value of 1 AND the errorFlag
34
defined above is indeed a 1, a program or script will get executed
35
with the table entry name from above as the argument.  The program to
36
be executed is configured in the config.h file at compile time.
37
.SS Directives
38
.IP "proc NAME"
39
.IP "proc NAME MAX"
40
.IP "proc NAME MAX MIN"
41
.IP
42
Checks to see if the NAME'd processes are running on the agent's
43
machine.  An error flag (1) and a description message are then passed
44
to the 1.3.6.1.4.1.2021.2.100 and
45
1.3.6.1.4.1.2021.2.101 mib tables (respectively) if the
46
NAME'd program is not found in the process table as reported by "/bin/ps -e".
47
.IP
48
If MAX and MIN are not specified, MAX is assumed to be
49
.B infinity
50
and MIN is assumed to be 1.
51
.IP
52
If MAX is specified but MIN is not specified, MIN is assumed to be 0.
53
.IP "procfix NAME PROG ARGS"
54
This registers a command that knows how to fix errors with the given
55
process NAME.  When 1.3.6.1.4.1.2021.2.102 for a given
56
NAMEd program is set to the integer value of 1, this command will be
57
called.  It defaults to a compiled value set using the PROCFIXCMD
58
definition in the config.h file.
59
.IP "exec NAME PROG ARGS"
60
.IP "exec MIBNUM NAME PROG ARGS"
61
.IP
62
If MIBNUM is not specified, the agent executes the named PROG with
63
arguments of ARGS and returns the exit status and the first line of
64
the STDOUT output of the PROG program to queries of the
65
1.3.6.1.4.1.2021.8.100 and
66
1.3.6.1.4.1.2021.8.101 mib tables (respectively).  All
67
STDOUT output beyond the first line is silently truncated.
68
.IP
69
If MIBNUM is specified, it acts as above but returns the exit status
70
to MIBNUM.100.0 and the entire STDOUT output to the table
71
MIBNUM.101 in a mib table.  In this case, the MIBNUM.101 mib
72
contains the entire STDOUT output, one mib table entry per line of
73
output (ie, the first line is output as MIBNUM.101.1, the second
74
at MIBNUM.101.2, etc...).
75
.RS
76
.IP Note:
77
The MIBNUM must be specified in dotted-integer notation and can
78
not be specified as ".iso.org.dod.internet..." (should instead be
79
.1.3.6.1...).
80
.IP Note:
81
The agent caches the exit status and STDOUT of the executed program
82
for 30 seconds after the initial query.  This is to increase speed and
83
maintain consistency of information for consecutive table queries.
84
The cache can be flushed by a snmp-set request of integer(1) to
85
1.3.6.1.4.1.2021.100.VERCLEARCACHE.
86
.RE
87
.IP "execfix NAME PROG ARGS"
88
This registers a command that knows how to fix errors with the given
89
exec or sh NAME.  When 1.3.6.1.4.1.2021.8.102 for a
90
given NAMEd entry is set to the integer value of 1, this command will
91
be called.  It defaults to a compiled value set using the EXECFIXCMD
92
definition in the config.h file.
93
.IP "disk PATH"
94
.IP "disk PATH [ MINSPACE | MINPERCENT% ]"
95
.IP
96
Checks the named disks mounted at PATH for available disk space.  If
97
the disk space is less than MINSPACE (kB) if specified or less than
98
MINPERCENT (%) if a % sign is specified, or DEFDISKMINIMUMSPACE (kB)
99
if not specified, the associated entry in the
100
1.3.6.1.4.1.2021.9.100 mib table will be set to (1) and
101
a descriptive error message will be returned to queries of
102
1.3.6.1.4.1.2021.9.101.
103
.IP "load MAX1"
104
.IP "load MAX1 MAX5"
105
.IP "load MAX1 MAX5 MAX15"
106
.IP
107
Checks the load average of the machine and returns an error flag (1),
108
and an text-string error message
109
to queries of 1.3.6.1.4.1.2021.10.100 and
110
1.3.6.1.4.1.2021.10.101 (respectively) when the
111
1-minute, 5-minute, or 15-minute averages exceed the associated
112
maximum values.  If any of the MAX1, MAX5, or MAX15 values are
113
unspecified, they default to a value of DEFMAXLOADAVE.
114
.IP "file FILE [MAXSIZE]"
115
Monitors file sizes and makes sure they don't grow beyond a certain
116
size.  MAXSIZE defaults to infinite if not specified, and only
117
monitors the size without reporting errors about it.
118
.SS "Errors"
119
.PP
120
Any errors in obtaining the above information are reported via the
121
1.3.6.1.4.1.2021.101.100 flag and the
122
1.3.6.1.4.1.2021.101.101 text-string description.
123
.SH SMUX SUB-AGENTS
124
To enable and SMUX based sub-agent, such as
125
.IR gated ,
126
use the
127
.I smuxpeer
128
configuration entry
129
.IP "smuxpeer OID PASS"
130
For
131
.I gated
132
a sensible entry might be
133
.IP ".1.3.6.1.4.1.4.1.3 secret"
134
.SH ACCESS CONTROL
135
snmpd supports the View-Based Access Control Model (vacm)
136
as defined in RFC 2275.
137
To this end, it recognizes the following keywords in the configuration
138
file: \fIcom2sec\fR, \fIgroup\fR, \fIaccess\fR, and \fIview\fR as well
139
as some easier-to-use wrapper directives: \fIrocommunity\fR,
140
\fIrwcommunity\fR, \fIrouser\fR, \fIrwuser\fR.
141
.IP "rocommunity COMMUNITY [SOURCE] [OID]"
142
.IP "rwcommunity COMMUNITY [SOURCE] [OID]"
143
These create read-only and read-write communities that can be used to
144
access the agent.  They are a quick method of using the following
145
\fIcom2sec\fR, \fIgroup\fR, \fIaccess\fR, and \fIview\fR directive lines.  They are
146
not as efficient either, as groups aren't created so the tables are
147
possibly larger.  In other words: don't use these if you have complex
148
situations to set up.
149
.IP
150
The format of the SOURCE is token is described in the \fIcom2sec\fR
151
directive section below.  The OID token restricts access for that
152
community to everything below that given OID.
153
.IP "rouser USER [noauth|auth|priv] [OID]"
154
.IP "rwuser USER [noauth|auth|priv] [OID]"
155
Creates a SNMPv3 USM user in the VACM access configuration tables.
156
Again, its more efficient (and powerful) to use the combined
157
\fIcom2sec\fR, \fIgroup\fR, \fIaccess\fR, and \fIview\fR directives instead.
158
.IP
159
The minimum level of authentication and privacy the user must use is
160
specified by the first token (which defaults to "auth").  The OID
161
parameter restricts access for that user to everything below the given
162
OID.
163
.IP "com2sec NAME SOURCE COMMUNITY"
164
This directive specifies the mapping from a source/community pair to
165
a security name. SOURCE can be a hostname, a subnet, or the word
166
\fI"default"\fR.
167
A subnet can be specified as IP/MASK or IP/BITS.
168
The first source/community combination that matches the incoming packet
169
is selected.
170
.IP "group NAME MODEL SECURITY"
171
This directive defines the mapping from securitymodel/securityname to group.
172
MODEL is one of \fIv1\fR, \fIv2c\fR, or \fIusm\fR.
173
.IP "access NAME CONTEXT MODEL LEVEL PREFX READ WRITE NOTIFY"
174
The access directive maps from group/security model/security level to
175
a view.
176
MODEL is one of \fIany\fR, \fIv1\fR, \fIv2c\fR, or \fIusm\fR.
177
LEVEL is one of \fInoauth\fR, \fIauth\fR, or \fIpriv\fR.
178
PREFX specifies how CONTEXT should be matched against the context of
179
the incoming pdu, either \fIexact\fR or \fIprefix\fR.
180
READ, WRITE and NOTIFY specifies the view to be used for the corresponding
181
access.
182
For v1 or v2c access, LEVEL will be noauth, and CONTEXT will be empty.
183
.IP "view NAME TYPE SUBTREE [MASK]"
184
The defines the named view. TYPE is either \fIincluded\fR or \fIexcluded\fR.
185
MASK is a list of hex octets, separated by '.' or ':'.  The MASK
186
defaults to "ff" if not specified.
187
.IP
188
The reason for the mask is, that it allows you to control access to
189
one row in a table, in a relatively simple way. As an example, as an ISP
190
you might consider giving each customer access to his or her own interface:
191
.IP
192
.nf
193
view cust1 included interfaces.ifTable.ifEntry.ifIndex.1 ff.a0
194
view cust2 included interfaces.ifTable.ifEntry.ifIndex.2 ff.a0
195
.IP
196
(interfaces.ifTable.ifEntry.ifIndex.1 == .1.3.6.1.2.1.2.2.1.1.1,
197
ff.a0 == 11111111.10100000. which nicely covers up and including
198
the row index, but lets the user vary the field of the row)
199
.IP "VACM Examples:"
200
.nf
201
#       sec.name  source          community
202
com2sec local     localhost       private
203
com2sec mynet     10.10.10.0/24   public
204
com2sec public    default         public
205
 
206
#             sec.model  sec.name
207
group mygroup v1         mynet
208
group mygroup v2c        mynet
209
group mygroup usm        mynet
210
group local   v1         local
211
group local   v2c        local
212
group local   usm        local
213
group public  v1         public
214
group public  v2c        public
215
group public  usm        public
216
 
217
#           incl/excl subtree                          mask
218
view all    included  .1                               80
219
view system included  system                           fe
220
view mib2   included  .iso.org.dod.internet.mgmt.mib-2 fc
221
 
222
#              context sec.model sec.level prefix read   write notify
223
access mygroup ""      any       noauth    exact  mib2   none  none
224
access public  ""      any       noauth    exact  system none  none
225
access local   ""      any       noauth    exact  all    all   all
226
.IP "Default VACM model"
227
The default configuration of the agent, as shipped, is functionally
228
equivalent to the following entries:
229
.nf
230
com2sec public  default public
231
group   public  v1      public
232
group   public  v2c     public
233
group   public  usm     public
234
view    all     included        .1
235
access  public  ""      any     noauth  exact   all     none    none
236
.SH SNMPv3 CONFIGURATION
237
.PP
238
.IP "engineID STRING"
239
The snmpd agent needs to be configured with an engineID to be able to
240
respond to SNMPv3 messages.  With this configuration file line, the
241
engineID will be configured from STRING.  The default value of the
242
engineID is configured with the first IP address found for the
243
hostname of the machine.
244
.IP "createUser username (MD5|SHA) authpassphrase [DES] [privpassphrase]"
245
This directive should be placed into the
246
"/var/ucd-snmp"/snmpd.conf file instead of the other normal
247
locations.  The reason is that the information is read from the file
248
and then the line is removed (eliminating the storage of the master
249
password for that user) and replaced with the key that is derived from
250
it.  This key is a localized key, so that if it is stolen it can not
251
be used to access other agents.  If the password is stolen, however,
252
it can be.
253
.IP
254
MD5 and SHA are the authentication types to use, but you must have
255
built the package with openssl installed in order to use SHA.  The
256
only privacy protocol currently supported is DES.  If the privacy
257
passphrase is not specified, it is assumed to be the same as the
258
authentication passphrase.  Note that the users created will be
259
useless unless they are also added to the VACM access control tables
260
described above.
261
.IP
262
Warning: the minimum pass phrase length is 8 characters.
263
.IP
264
SNMPv3 users can be created at runtime using the
265
.I snmpusm
266
command.
267
.IP
268
.SH SETTING SYSTEM INFORMATION
269
.IP "syslocation STRING"
270
.IP "syscontact STRING"
271
.IP
272
Sets the system location and the system contact for the agent.  This
273
information is reported by the 'system' table in the mibII tree.
274
.IP "authtrapenable NUMBER"
275
Setting authtrapenable to 1 enables generation of authentication failure
276
traps. The default value is 2 (disable).
277
.IP "trapcommunity STRING"
278
This defines the default community string to be used when sending traps.
279
Note that this command must be used prior to any of the following three
280
commands that are intended use this community string.
281
.IP "trapsink HOST [COMMUNITY [PORT]]"
282
.IP "trap2sink HOST [COMMUNITY [PORT]]"
283
.IP "informsink HOST [COMMUNITY [PORT]]"
284
These commands define
285
the hosts to receive traps (and/or inform notifications). The
286
daemon sends a Cold Start trap when it starts up. If enabled, it also sends
287
traps on authentication failures.  Multiple \fItrapsink\fR, \fItrap2sink\fR
288
and \fIinformsink\fR lines may be specified to specify multiple destinations.
289
Use \fItrap2sink\fR to send SNMPv2 traps and \fIinformsink\fR to send
290
inform notifications.
291
If COMMUNITY is not specified, the string from a preceding \fItrapcommunity\fR
292
directive will be used. If PORT is not specified, the well known SNMP trap
293
port (162) will be used.
294
.SH "PASS-THROUGH CONTROL"
295
.IP "pass MIBOID EXEC"
296
Passes entire control of MIBOID to the EXEC program.  The EXEC program
297
is called in one of the following three ways:
298
.RS
299
.IP "EXEC -g MIBOID"
300
.IP "EXEC -n MIBOID"
301
.IP
302
These call lines match to SNMP get and getnext requests.  It is
303
expected that the EXEC program will take the arguments passed to it
304
and return the appropriate response through it's stdout.
305
.IP
306
The first line of stdout should be the mib OID of the returning value.
307
The second line should be the TYPE of value returned, where TYPE is
308
one of the text strings:
309
.B string, integer, unsigned, objectid, timeticks, ipaddress, counter,
310
or
311
.B gauge.
312
The third line of stdout should be the VALUE corresponding with the
313
returned TYPE.
314
.IP
315
For instance, if a script was to return the value integer value "42"
316
when a request for .1.3.6.1.4.100 was requested, the script should
317
return the following 3 lines:
318
.br
319
.RS
320
  .1.3.6.1.4.100
321
.br
322
  integer
323
.br
324
  42
325
.RE
326
.IP
327
To indicate that the script is unable to comply with the request due
328
to an end-of-mib condition or an invalid request, simple exit and
329
return no output to stdout at all.  A snmp error will be generated
330
corresponding to the SNMP NO-SUCH-NAME response.
331
.IP "EXEC -s MIBOID TYPE VALUE"
332
.IP
333
For SNMP set requests, the above call method is used.  The TYPE passed
334
to the EXEC program is one of the text strings:
335
.B integer, counter, gauge, timeticks, ipaddress, objid,
336
or
337
.B string,
338
indicating the type of value passed in the next argument.
339
.IP
340
Return nothing to stdout, and the set will assumed to have been
341
successful.  Otherwise, return one of the following error strings to
342
signal an error:
343
.B not-writable,
344
or
345
.B wrong-type
346
and the appropriate error response will be generated instead.
347
.RS
348
.IP Note:
349
By default, the only community allowed to write (ie snmpset) to your
350
script will be the "private" community,or community #2 if defined
351
differently by the "community" token discussed above.  Which
352
communities are allowed write access are controlled by the RWRITE
353
definition in the snmplib/snmp_impl.h source file.
354
.RE
355
.RE
356
.SH "EXAMPLE"
357
See the EXAMPLE.CONF file in the top level source directory for a more
358
detailed example of how the above information is used in real
359
examples.
360
.SH "RE-READING snmpd.conf and snmpd.local.conf"
361
The ucd-snmp agent can be forced to re-read its configuration files.
362
It can be told to do so by one of two ways:
363
.IP 1.
364
An snmpset of integer(1) to 1.3.6.1.4.1.2021.100.VERUPDATECONFIG.
365
.IP 2.
366
A "kill -HUP" signal sent to the snmpd agent process.
367
.SH "FILES"
368
share/snmp/snmpd.conf
369
.SH "SEE ALSO"
370
snmp_config(5), snmpd(1), EXAMPLE.conf, read_config(3).
371
.\" Local Variables:
372
.\"  mode: nroff
373
.\" End:

powered by: WebSVN 2.1.0

© copyright 1999-2024 OpenCores.org, equivalent to Oliscience, all rights reserved. OpenCores®, registered trademark.