|
snmpdをMRTGの為に設定する
snmpdをMRTGの為に設定する
0.改訂履歴
- 2005.11.02 新規作成
- 2006.07.18 SNMPデーモンの自動起動設定方法を追加
- 2006.12.12 おまけの追加
1.はじめに
このドキュメントでは,MRTGを使ってサーバリソースを監視するために,SNMPデーモンを設定する手順を説明する. snmpd.confファイルにて,com2secを初めとする設定を行い,snmpdを起動させてsnmpwalkコマンドによって動作確認を行う.
なお,使用しているSNMPデーモンは,RedHat Linux ES3.0上で稼働しているNetSNMP5.0である.
2.現状の確認
[shinnai@uranos shinnai]$ ps -ef | grep snmpd
shinnai 16505 16465 0 20:40 pts/0 00:00:00 grep snmpd
[shinnai@uranos shinnai]$
|
- 現在動作していないことが確認できた.
- パッケージがインストールされているか確認する.
[shinnai@uranos shinnai]$ rpm -qa | grep snmp
net-snmp-5.0.9-2.30E.15
net-snmp-utils-5.0.9-2.30E.15
net-snmp-libs-5.0.9-2.30E.15
net-snmp-perl-5.0.9-2.30E.15
net-snmp-devel-5.0.9-2.30E.15
[shinnai@uranos shinnai]$
|
- RedHatをインストールするときに全部入りにしてあるので,これがフルセットだと思われる.
- snmpd.confファイルの位置を確認する.
[shinnai@uranos shinnai]$ locate snmpd.conf
/etc/snmp/snmpd.conf
/usr/share/man/man5/snmpd.conf.5.gz
/usr/share/man/ja/man5/snmpd.conf.5.gz
[shinnai@uranos shinnai]$
|
3.設定ファイルを確認する
- まだ何も設定を変更していないsnmpd.confを確認する.
設定前のsnmpd.confの中身
[root@uranos mrtg-2]# cat /etc/snmp/snmpd.conf
###############################################################################
#
# snmpd.conf:
# An example configuration file for configuring the ucd-snmp snmpd agent.
#
###############################################################################
#
# This file is intended to only be as a starting point. Many more
# configuration directives exist than are mentioned in this file. For
# full details, see the snmpd.conf(5) manual page.
#
# All lines beginning with a '#' are comments and are intended for you
# to read. All other lines are configuration commands for the agent.
###############################################################################
# Access Control
###############################################################################
# As shipped, the snmpd demon will only respond to queries on the
# system mib group until this file is replaced or modified for
# security purposes. Examples are shown below about how to increase the
# level of access.
# By far, the most common question I get about the agent is "why won't
# it work?", when really it should be "how do I configure the agent to
# allow me to access it?"
#
# By default, the agent responds to the "public" community for read
# only access, if run out of the box without any configuration file in
# place. The following examples show you other ways of configuring
# the agent so that you can change the community names, and give
# yourself write access to the mib tree as well.
#
# For more information, read the FAQ as well as the snmpd.conf(5)
# manual page.
####
# First, map the community name "public" into a "security name"
# sec.name source community
com2sec notConfigUser default public
####
# Second, map the security name into a group name:
# groupName securityModel securityName
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
####
# Third, create a view for us to let the group have rights to:
# Make at least snmpwalk -v 1 localhost -c public system fast again.
# name incl/excl subtree mask(optional)
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
####
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
access notConfigGroup "" any noauth exact systemview none none
# -----------------------------------------------------------------------------
# Here is a commented out example configuration that allows less
# restrictive access.
# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY
# KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO
# SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.
## sec.name source community
#com2sec local localhost COMMUNITY
#com2sec mynetwork NETWORK/24 COMMUNITY
## group.name sec.model sec.name
#group MyRWGroup any local
#group MyROGroup any mynetwork
#
#group MyRWGroup any otherv3user
#...
## incl/excl subtree mask
#view all included .1 80
## -or just the mib2 tree-
#view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
## context sec.model sec.level prefix read write notif
#access MyROGroup "" any noauth 0 all none none
#access MyRWGroup "" any noauth 0 all all all
###############################################################################
# Sample configuration to make net-snmpd RFC 1213.
# Unfortunately v1 and v2c don't allow any user based authentification, so
# opening up the default config is not an option from a security point.
#
# WARNING: If you uncomment the following lines you allow write access to your
# snmpd daemon from any source! To avoid this use different names for your
# community or split out the write access to a different community and
# restrict it to your local network.
# Also remember to comment the syslocation and syscontact parameters later as
# otherwise they are still read only (see FAQ for net-snmp).
#
# First, map the community name "public" into a "security name"
# sec.name source community
#com2sec notConfigUser default public
# Second, map the security name into a group name:
# groupName securityModel securityName
#group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
# Third, create a view for us to let the group have rights to:
# Open up the whole tree for ro, make the RFC 1213 required ones rw.
# name incl/excl subtree mask(optional)
#view roview included .1
#view rwview included system.sysContact
#view rwview included system.sysName
#view rwview included system.sysLocation
#view rwview included interfaces.ifTable.ifEntry.ifAdminStatus
#view rwview included at.atTable.atEntry.atPhysAddress
#view rwview included at.atTable.atEntry.atNetAddress
#view rwview included ip.ipForwarding
#view rwview included ip.ipDefaultTTL
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex
#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress
#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress
#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
#view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState
#view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
#view rwview included snmp.snmpEnableAuthenTraps
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
#access notConfigGroup "" any noauth exact roview rwview none
###############################################################################
# System contact information
#
# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
# Example output of snmpwalk:
# % snmpwalk -v 1 localhost -c public system
# system.sysDescr.0 = "SunOS name sun4c"
# system.sysObjectID.0 = OID: enterprises.ucdavis.ucdSnmpAgent.sunos4
# system.sysUpTime.0 = Timeticks: (595637548) 68 days, 22:32:55
# system.sysContact.0 = "Me <me@somewhere.org>"
# system.sysName.0 = "name"
# system.sysLocation.0 = "Right here, right now."
# system.sysServices.0 = 72
# -----------------------------------------------------------------------------
###############################################################################
# Process checks.
#
# The following are examples of how to use the agent to check for
# processes running on the host. The syntax looks something like:
#
# proc NAME [MAX=0] [MIN=0]
#
# NAME: the name of the process to check for. It must match
# exactly (ie, http will not find httpd processes).
# MAX: the maximum number allowed to be running. Defaults to 0.
# MIN: the minimum number to be running. Defaults to 0.
#
# Examples (commented out by default):
#
# Make sure mountd is running
#proc mountd
# Make sure there are no more than 4 ntalkds running, but 0 is ok too.
#proc ntalkd 4
# Make sure at least one sendmail, but less than or equal to 10 are running.
#proc sendmail 10 1
# A snmpwalk of the process mib tree would look something like this:
#
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2
# enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1
# enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2
# enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3
# enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd"
# enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd"
# enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail"
# enterprises.ucdavis.procTable.prEntry.prMin.1 = 0
# enterprises.ucdavis.procTable.prEntry.prMin.2 = 0
# enterprises.ucdavis.procTable.prEntry.prMin.3 = 1
# enterprises.ucdavis.procTable.prEntry.prMax.1 = 0
# enterprises.ucdavis.procTable.prEntry.prMax.2 = 4
# enterprises.ucdavis.procTable.prEntry.prMax.3 = 10
# enterprises.ucdavis.procTable.prEntry.prCount.1 = 0
# enterprises.ucdavis.procTable.prEntry.prCount.2 = 0
# enterprises.ucdavis.procTable.prEntry.prCount.3 = 1
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0
# enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0
# enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running."
# enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = ""
# enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = ""
# enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0
# enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0
# enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0
#
# Note that the errorFlag for mountd is set to 1 because one is not
# running (in this case an rpc.mountd is, but thats not good enough),
# and the ErrMessage tells you what's wrong. The configuration
# imposed in the snmpd.conf file is also shown.
#
# Special Case: When the min and max numbers are both 0, it assumes
# you want a max of infinity and a min of 1.
#
# -----------------------------------------------------------------------------
###############################################################################
# Executables/scripts
#
#
# You can also have programs run by the agent that return a single
# line of output and an exit code. Here are two examples.
#
# exec NAME PROGRAM [ARGS ...]
#
# NAME: A generic name.
# PROGRAM: The program to run. Include the path!
# ARGS: optional arguments to be passed to the program
# a simple hello world
#exec echotest /bin/echo hello world
# Run a shell script containing:
#
# #!/bin/sh
# echo hello world
# echo hi there
# exit 35
#
# Note: this has been specifically commented out to prevent
# accidental security holes due to someone else on your system writing
# a /tmp/shtest before you do. Uncomment to use it.
#
#exec shelltest /bin/sh /tmp/shtest
# Then,
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.8
# enterprises.ucdavis.extTable.extEntry.extIndex.1 = 1
# enterprises.ucdavis.extTable.extEntry.extIndex.2 = 2
# enterprises.ucdavis.extTable.extEntry.extNames.1 = "echotest"
# enterprises.ucdavis.extTable.extEntry.extNames.2 = "shelltest"
# enterprises.ucdavis.extTable.extEntry.extCommand.1 = "/bin/echo hello world"
# enterprises.ucdavis.extTable.extEntry.extCommand.2 = "/bin/sh /tmp/shtest"
# enterprises.ucdavis.extTable.extEntry.extResult.1 = 0
# enterprises.ucdavis.extTable.extEntry.extResult.2 = 35
# enterprises.ucdavis.extTable.extEntry.extOutput.1 = "hello world."
# enterprises.ucdavis.extTable.extEntry.extOutput.2 = "hello world."
# enterprises.ucdavis.extTable.extEntry.extErrFix.1 = 0
# enterprises.ucdavis.extTable.extEntry.extErrFix.2 = 0
# Note that the second line of the /tmp/shtest shell script is cut
# off. Also note that the exit status of 35 was returned.
# -----------------------------------------------------------------------------
###############################################################################
# disk checks
#
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
# disk PATH [MIN=100000]
#
# PATH: mount path to the disk in question.
# MIN: Disks with space below this value will have the Mib's errorFlag set.
# Default value = 100000.
# Check the / partition and make sure it contains at least 10 megs.
#disk / 10000
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.9
# enterprises.ucdavis.diskTable.dskEntry.diskIndex.1 = 0
# enterprises.ucdavis.diskTable.dskEntry.diskPath.1 = "/" Hex: 2F
# enterprises.ucdavis.diskTable.dskEntry.diskDevice.1 = "/dev/dsk/c201d6s0"
# enterprises.ucdavis.diskTable.dskEntry.diskMinimum.1 = 10000
# enterprises.ucdavis.diskTable.dskEntry.diskTotal.1 = 837130
# enterprises.ucdavis.diskTable.dskEntry.diskAvail.1 = 316325
# enterprises.ucdavis.diskTable.dskEntry.diskUsed.1 = 437092
# enterprises.ucdavis.diskTable.dskEntry.diskPercent.1 = 58
# enterprises.ucdavis.diskTable.dskEntry.diskErrorFlag.1 = 0
# enterprises.ucdavis.diskTable.dskEntry.diskErrorMsg.1 = ""
# -----------------------------------------------------------------------------
###############################################################################
# load average checks
#
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
#
# 1MAX: If the 1 minute load average is above this limit at query
# time, the errorFlag will be set.
# 5MAX: Similar, but for 5 min average.
# 15MAX: Similar, but for 15 min average.
# Check for loads:
#load 12 14 14
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.10
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.1 = 1
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.2 = 2
# enterprises.ucdavis.loadTable.laEntry.loadaveIndex.3 = 3
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.1 = "Load-1"
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.2 = "Load-5"
# enterprises.ucdavis.loadTable.laEntry.loadaveNames.3 = "Load-15"
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.1 = "0.49" Hex: 30 2E 34 39
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.2 = "0.31" Hex: 30 2E 33 31
# enterprises.ucdavis.loadTable.laEntry.loadaveLoad.3 = "0.26" Hex: 30 2E 32 36
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.1 = "12.00"
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.2 = "14.00"
# enterprises.ucdavis.loadTable.laEntry.loadaveConfig.3 = "14.00"
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.1 = 0
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.2 = 0
# enterprises.ucdavis.loadTable.laEntry.loadaveErrorFlag.3 = 0
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.1 = ""
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.2 = ""
# enterprises.ucdavis.loadTable.laEntry.loadaveErrMessage.3 = ""
# -----------------------------------------------------------------------------
###############################################################################
# Extensible sections.
#
# This alleviates the multiple line output problem found in the
# previous executable mib by placing each mib in its own mib table:
# Run a shell script containing:
#
# #!/bin/sh
# echo hello world
# echo hi there
# exit 35
#
# Note: this has been specifically commented out to prevent
# accidental security holes due to someone else on your system writing
# a /tmp/shtest before you do. Uncomment to use it.
#
# exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.50
# enterprises.ucdavis.50.1.1 = 1
# enterprises.ucdavis.50.2.1 = "shelltest"
# enterprises.ucdavis.50.3.1 = "/bin/sh /tmp/shtest"
# enterprises.ucdavis.50.100.1 = 35
# enterprises.ucdavis.50.101.1 = "hello world."
# enterprises.ucdavis.50.101.2 = "hi there."
# enterprises.ucdavis.50.102.1 = 0
# Now the Output has grown to two lines, and we can see the 'hi
# there.' output as the second line from our shell script.
#
# Note that you must alter the mib.txt file to be correct if you want
# the .50.* outputs above to change to reasonable text descriptions.
# Other ideas:
#
# exec .1.3.6.1.4.1.2021.51 ps /bin/ps
# exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top
# exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq
# -----------------------------------------------------------------------------
###############################################################################
# Pass through control.
#
# Usage:
# pass MIBOID EXEC-COMMAND
#
# This will pass total control of the mib underneath the MIBOID
# portion of the mib to the EXEC-COMMAND.
#
# Note: You'll have to change the path of the passtest script to your
# source directory or install it in the given location.
#
# Example: (see the script for details)
# (commented out here since it requires that you place the
# script in the right location. (its not installed by default))
# pass .1.3.6.1.4.1.2021.255 /bin/sh /usr/local/local/passtest
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255
# enterprises.ucdavis.255.1 = "life the universe and everything"
# enterprises.ucdavis.255.2.1 = 42
# enterprises.ucdavis.255.2.2 = OID: 42.42.42
# enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42
# enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1
# enterprises.ucdavis.255.5 = 42
# enterprises.ucdavis.255.6 = Gauge: 42
#
# % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5
# enterprises.ucdavis.255.5 = 42
#
# % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string"
# enterprises.ucdavis.255.1 = "New string"
#
# For specific usage information, see the man/snmpd.conf.5 manual page
# as well as the local/passtest script used in the above example.
# Added for support of bcm5820 cards.
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
###############################################################################
# Further Information
#
# See the snmpd.conf manual page, and the output of "snmpd -H".
[root@uranos mrtg-2]#
|
4.snmpd.confの基本設定を行う
- まずは,コミュニティ名とセキュリティ名とネットワークを設定する.
変更前
|
####
# First, map the community name "public" into a "security name"
# sec.name source community
com2sec notConfigUser default public
|
| 変更後 |
# First, map the community name "public" into a "security name"
# sec.name source community
#com2sec notConfigUser default public
com2sec local localhost local_community
com2sec secret_net 127.0.0.1 secret_community
|
- まずは,デフォルトの設定をコメントアウトしている.
- ここでは,IPアドレスを指定して,secret_netにアクセスできる接続できるホストを設定している.
- snmpでデータを収集しようとするマシンのIPアドレスを設定しておく.
- そのマシンは,secret_communityというコミュニティ名でアクセスをしてくる.
- 定義したセキュリティ名とSNMPのセキュリティモデルの組み合わせを使って,グループ名を定義する.
- SNMPのセキュリティモデルでは,プロトコルがv1,v2,v3があり,それぞれをv1,v2c,usmと記述する.
変更前
|
# Second, map the security name into a group name:
# groupName securityModel securityName
#group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
|
| 変更後 |
# Second, map the security name into a group name:
# groupName securityModel securityName
#group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
group local_group v1 local
group local_group v2c local
group local_group usm local
group secure_group v1 secret_net
group secure_group v2c secret_net
group securel_group usm secret_net
|
- 最初のcom2seで,セキュリティ名をlocalとsecret_netの2つを定義している.
- その2つのセキュリティ名を,それぞれプロトコル毎に記述して,グルーピングしている.
- 3番目に設定するのは,MIBツリーの範囲を指定する.
変更前
|
# Third, create a view for us to let the group have rights to:
# Open up the whole tree for ro, make the RFC 1213 required ones rw.
# name incl/excl subtree mask(optional)
#view roview included .1
#view rwview included system.sysContact
#view rwview included system.sysName
#view rwview included system.sysLocation
#view rwview included interfaces.ifTable.ifEntry.ifAdminStatus
#view rwview included at.atTable.atEntry.atPhysAddress
#view rwview included at.atTable.atEntry.atNetAddress
#view rwview included ip.ipForwarding
#view rwview included ip.ipDefaultTTL
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask
#view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5
#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMedia
IfIndex
#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMedia
PhysAddress
#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMedia
NetAddress
#view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType
#view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState
#view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger
#view rwview included snmp.snmpEnableAuthenTraps
|
| 変更後 |
#view rwview included snmp.snmpEnableAuthenTraps
view view_all included .1
view view_mib2 included .1.3.6.1.2.1
view view_ucdavis included .1.3.6.1.4.1.2021
|
- 最初はすべてコメントアウトされている.
- よって,3行追加している.
- ここでは,次の3つのMIBツリーを指定している.
| 名前 |
取得範囲 |
| view_all |
iso(1)以下の全情報 |
| view_mib2 |
.iso(1).org(3).dod(6).internet(1).mgmt(2).mib2(1)以下の全情報 |
| view_ucdavis |
iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).ucdavis(2021)以下の全情報 |
- 最後に,これまで定義した情報を元に,アクセス範囲を設定する.
変更前
|
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
#access notConfigGroup "" any noauth exact roview rwview none
|
| 変更後 |
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
#access notConfigGroup "" any noauth exact roview rwview none
access local_group "" any noauth exact view_all none none
access secure_group "" any noauth exact view_mib2 none none
|
- この例では,local_group(次ホスト)に対しては,view_allで取得できるデータへアクセスを可能とし,secure_groupではview_mib2で指定した範囲のデータにアクセスできることを示している.
- 次に,管理者への情報として連絡先を設定しておく.
変更前
|
###############################################################################
# System contact information
#
# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
|
| 変更後 |
###############################################################################
# System contact information
#
# It is also possible to set the sysContact and sysLocation system
# variables through the snmpd.conf file:
syslocation UJP Office Japan (edit /etc/snmp/snmpd.conf)
syscontact Root <no_spam@ujp.jp> (configure /etc/snmp/snmp.local.conf)
|
5.その他監視項目のしきい値設定を行う
- 基本的な定義を終えたら,引き続きsnmpd.confにて,プロセスやディスク容量などの監視を行う.
- ここで設定した閾値などを超えた場合にアラートがOpenView等のSNMPマネージャに通知される.
- そういうSNMPマネージャを持っていない組織の場合は設定不要.
変更前
|
###############################################################################
# Process checks.
#
# The following are examples of how to use the agent to check for
# processes running on the host. The syntax looks something like:
#
# proc NAME [MAX=0] [MIN=0]
#
# NAME: the name of the process to check for. It must match
# exactly (ie, http will not find httpd processes).
# MAX: the maximum number allowed to be running. Defaults to 0.
# MIN: the minimum number to be running. Defaults to 0.
#
# Examples (commented out by default):
#
# Make sure mountd is running
#proc mountd
# Make sure there are no more than 4 ntalkds running, but 0 is ok too.
#proc ntalkd 4
# Make sure at least one sendmail, but less than or equal to 10 are running.
#proc sendmail 10 1
|
| 変更後 |
###############################################################################
# Process checks.
#
# The following are examples of how to use the agent to check for
# processes running on the host. The syntax looks something like:
#
# proc NAME [MAX=0] [MIN=0]
#
# NAME: the name of the process to check for. It must match
# exactly (ie, http will not find httpd processes).
# MAX: the maximum number allowed to be running. Defaults to 0.
# MIN: the minimum number to be running. Defaults to 0.
#
# Examples (commented out by default):
#
# Make sure mountd is running
#proc mountd
# Make sure there are no more than 4 ntalkds running, but 0 is ok too.
#proc ntalkd 4
# Make sure at least one sendmail, but less than or equal to 10 are running.
#proc sendmail 10 1
proc httpd 10 1
|
- ここでは,httpdプロセスの監視を行い,最大10,最小1として設定している.
- 次にハードディスクの情報を確認する.
- 今回設定しているマシンは,次の通り.
[root@uranos shinnai]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hdc2 36G 5.0G 29G 15% /
/dev/hdc1 99M 9.1M 85M 10% /boot
/dev/hdc5 487M 8.2M 453M 2% /home
none 250M 0 250M 0% /dev/shm
[root@uranos shinnai]#
|
- ここでは,ルートパーティションと/homeパーティションを監視することとする.
変更前
|
###############################################################################
# disk checks
#
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
# disk PATH [MIN=100000]
#
# PATH: mount path to the disk in question.
# MIN: Disks with space below this value will have the Mib's errorFlag set.
# Default value = 100000.
# Check the / partition and make sure it contains at least 10 megs.
#disk / 10000
|
| 変更後 |
# Check the / partition and make sure it contains at least 10 megs.
#disk / 10000
disk / 10%
disk /home 10%
|
- サンプルに記述されている数値は,KB単位で指定している.
- ここでは,空き容量が10%以下になったらアラートとして設定しておく.
- CPUのロードアベレージについて設定を有効にする.
変更前
|
###############################################################################
# load average checks
#
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
#
# 1MAX: If the 1 minute load average is above this limit at query
# time, the errorFlag will be set.
# 5MAX: Similar, but for 5 min average.
# 15MAX: Similar, but for 15 min average.
# Check for loads:
#load 12 14 14
|
| 変更後 |
###############################################################################
# load average checks
#
# load [1MAX=12.0] [5MAX=12.0] [15MAX=12.0]
#
# 1MAX: If the 1 minute load average is above this limit at query
# time, the errorFlag will be set.
# 5MAX: Similar, but for 5 min average.
# 15MAX: Similar, but for 15 min average.
# Check for loads:
load 12 14 14
|
- これは,このままコメントをはずしてONにしておく.
- デフォルトでこの数値を超えるような場合には,異常だといえる.
6.SNMPデーモンの設定確認
- snmpd.confの設定を終えたので,SNMPデーモンを起動して,各種ステータスが取得できるかチェックする.
- snmpデーモンを起動する.
[root@uranos shinnai]# /etc/rc.d/init.d/snmpd start
Starting snmpd: [ OK ]
[root@uranos shinnai]# /etc/rc.d/init.d/snmpd status
snmpd (pid 16680) is running...
[root@uranos shinnai]#
|
[root@uranos shinnai]# snmpwalk -v 2c localhost -c local_community .1.3.6.1.2.1.2
IF-MIB::ifNumber.0 = INTEGER: 3
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.2 = INTEGER: 2
IF-MIB::ifIndex.3 = INTEGER: 3
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifMtu.1 = INTEGER: 16436
IF-MIB::ifMtu.2 = INTEGER: 1500
IF-MIB::ifMtu.3 = INTEGER: 1500
IF-MIB::ifSpeed.1 = Gauge32: 10000000
IF-MIB::ifSpeed.2 = Gauge32: 100000000
IF-MIB::ifSpeed.3 = Gauge32: 10000000
IF-MIB::ifPhysAddress.1 = STRING:
IF-MIB::ifPhysAddress.2 = STRING: 0:90:fc:20:ab:23
IF-MIB::ifPhysAddress.3 = STRING: 0:50:fc:b7:3c:8f
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
IF-MIB::ifAdminStatus.3 = INTEGER: down(2)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.2 = INTEGER: up(1)
IF-MIB::ifOperStatus.3 = INTEGER: down(2)
IF-MIB::ifInOctets.1 = Counter32: 9003870
IF-MIB::ifInOctets.2 = Counter32: 7955733
IF-MIB::ifInOctets.3 = Counter32: 0
IF-MIB::ifInUcastPkts.1 = Counter32: 84443
IF-MIB::ifInUcastPkts.2 = Counter32: 45484
IF-MIB::ifInUcastPkts.3 = Counter32: 0
IF-MIB::ifInDiscards.1 = Counter32: 0
IF-MIB::ifInDiscards.2 = Counter32: 0
IF-MIB::ifInDiscards.3 = Counter32: 0
IF-MIB::ifInErrors.1 = Counter32: 0
IF-MIB::ifInErrors.2 = Counter32: 0
IF-MIB::ifInErrors.3 = Counter32: 0
IF-MIB::ifOutOctets.1 = Counter32: 9005859
IF-MIB::ifOutOctets.2 = Counter32: 5881658
IF-MIB::ifOutOctets.3 = Counter32: 0
IF-MIB::ifOutUcastPkts.1 = Counter32: 84467
IF-MIB::ifOutUcastPkts.2 = Counter32: 31053
IF-MIB::ifOutUcastPkts.3 = Counter32: 0
IF-MIB::ifOutDiscards.1 = Counter32: 0
IF-MIB::ifOutDiscards.2 = Counter32: 0
IF-MIB::ifOutDiscards.3 = Counter32: 0
IF-MIB::ifOutErrors.1 = Counter32: 0
IF-MIB::ifOutErrors.2 = Counter32: 0
IF-MIB::ifOutErrors.3 = Counter32: 0
IF-MIB::ifOutQLen.1 = Gauge32: 0
IF-MIB::ifOutQLen.2 = Gauge32: 0
IF-MIB::ifOutQLen.3 = Gauge32: 0
IF-MIB::ifSpecific.1 = OID: SNMPv2-SMI::zeroDotZero
IF-MIB::ifSpecific.2 = OID: SNMPv2-SMI::zeroDotZero
IF-MIB::ifSpecific.3 = OID: SNMPv2-SMI::zeroDotZero
[root@uranos shinnai]#
|
- このマシンの場合,ネットワークインタフェイスが2つあるのでいっぱい出ている...
- CPUのステータスを確認する.
[root@uranos shinnai]# snmpwalk -v 2c localhost -c local_community .1.3.6.1.4.1.2021.10.1.5
UCD-SNMP-MIB::laLoadInt.1 = INTEGER: 0
UCD-SNMP-MIB::laLoadInt.2 = INTEGER: 0
UCD-SNMP-MIB::laLoadInt.3 = INTEGER: 0
[root@uranos shinnai]#
|
- ここでは1分,5分,15分平均のロード値がでている.
- メモリについて確認する.
[root@uranos shinnai]# snmpwalk -v 2c localhost -c local_community .1.3.6.1.4.1.2021.4
UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
UCD-SNMP-MIB::memErrorName.0 = STRING: swap
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 1044216
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 1037084
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 511928
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 16056
UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 1053140
UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000
UCD-SNMP-MIB::memShared.0 = INTEGER: 0
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 131416
UCD-SNMP-MIB::memCached.0 = INTEGER: 186816
UCD-SNMP-MIB::memSwapError.0 = INTEGER: 0
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING:
[root@uranos shinnai]#
|
- この数値はバイト単位で表示されている.
- Disk使用率について調べる.
[root@uranos shinnai]# snmpwalk -v 2c localhost -c local_community .1.3.6.1.4.1.2021.9
UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskIndex.2 = INTEGER: 2
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /home
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/hdc2
UCD-SNMP-MIB::dskDevice.2 = STRING: /dev/hdc5
UCD-SNMP-MIB::dskMinimum.1 = INTEGER: -1
UCD-SNMP-MIB::dskMinimum.2 = INTEGER: -1
UCD-SNMP-MIB::dskMinPercent.1 = INTEGER: 10
UCD-SNMP-MIB::dskMinPercent.2 = INTEGER: 10
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 36827176
UCD-SNMP-MIB::dskTotal.2 = INTEGER: 497829
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 29802100
UCD-SNMP-MIB::dskAvail.2 = INTEGER: 463795
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 5154308
UCD-SNMP-MIB::dskUsed.2 = INTEGER: 8332
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 15
UCD-SNMP-MIB::dskPercent.2 = INTEGER: 2
UCD-SNMP-MIB::dskPercentNode.1 = INTEGER: 6
UCD-SNMP-MIB::dskPercentNode.2 = INTEGER: 0
UCD-SNMP-MIB::dskErrorFlag.1 = INTEGER: 0
UCD-SNMP-MIB::dskErrorFlag.2 = INTEGER: 0
UCD-SNMP-MIB::dskErrorMsg.1 = STRING:
UCD-SNMP-MIB::dskErrorMsg.2 = STRING:
[root@uranos shinnai]#
|
- ディスクのI/Oについては,別の方法になるので今回は割愛する.
- サービスの自動起動設定を行う.
[root@uranos shinnai]# /sbin/chkconfig --list | grep snmp
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@uranos shinnai]# /sbin/chkconfig --level 345 snmpd on
[root@uranos shinnai]#
|
7.おまけ
snmpd.confコピペ用
com2sec local localhost local_community
com2sec secret_net 127.0.0.1 secret_community
group local_group v1 local
group local_group v2c local
group local_group usm local
group secure_group v1 secret_net
group secure_group v2c secret_net
group securel_group usm secret_net
view view_all included .1
view view_mib2 included .1.3.6.1.2.1
view view_ucdavis included .1.3.6.1.4.1.2021
access local_group "" any noauth exact view_all none none
access secure_group "" any noauth exact view_mib2 none none
|
|
|
