SNMP is a protocol for monitoring and managing devices or components within a network. SNMP supports three primary monitoring methods: getting, walking, and trapping.
This article will focus on configuring the Gateway appliance to allow remote monitors to be queried via getting and walking.
By default the gateway has SNMP installed AND enabled but it only listens on 127.0.0.1 (lo0) so to poll it, you need to open up SNMP to the outside world.
Run this command to validate that SNMP is listening to localhost:
# snmpwalk -v 1 -Ou 127.0.0.1 -c layer7 1
Component: APIGTW
Version Gateway 10.x
Implementation
Leveraging SNMP requires the following changes:
1) Configuring the Firewall
# cd /etc/sysconfig/
# vi iptables
** In VI search for 161
/161
** You will see 2 rules you need to uncomment as below remove the #
[0:0] -A INPUT -i ssg_eth0 -p tcp -m tcp --dport 161 -j ACCEPT
[0:0] -A INPUT -i ssg_eth0 -p udp -m udp --dport 161 -j ACCEPT
** Save the file
2) Setting the initialization parameters
A configuration file prevents the SNMP daemon from listening on any interface besides the loopback interface via UDP. Execute the following procedure to bind the daemon to all interfaces over UDP:
An example configuration file is illustrated as follows:
# snmpd command line options
OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"
3) Host configuration
Allowing external requestors to access the SNMP daemon
Access to the SNMP daemon is restricted by an access control list. This list must be modified to allow external hosts access to this daemon.
An abridged configuration file is illustrated as follows:
snmpd: ALL
sshd: ALL
4) Setting desired configuration options
NOTE: Only 4a OR 4b is required and it's strongly suggested just to use method 4a.
4a) Simple setup
# vi /etc/snmp/snmpd.conf
** search for ro
/rocom
*** Remove 127.0.0.1 from the rocommunity as below as it's an acl that only allows localhost to authenticate.
rocommunity layer7
*** Note this community as it is the password in the SNMP walk command.
**** Reboot for all changes to take effect.
# reboot -n
**** After reboot validate you can snmpwalk using eth0
# snmpwalk -v 1 -Ou <YourHostnameHere> -c layer7 1
4b) Complex setup with privileged separation
Several configuration options should be set to secure the SNMP implementation on the Gateway appliance. It consists of the following goals:
To make these changes, open up the SNMP daemon configuration file (located at /etc/snmp/snmpd.conf) in a text editor. The applicable portions of an example configuration file are displayed below with the applicable changes in boldface.
Specifying an acceptable IP address or range
SNMP requires specifying an IP address or IP range (in CIDR notation) and assigning it to a community. The values of sec.name, source, and community can be modified. An example is as follows:
# First, map the community name "public" into a "security name"
# sec.name source community
#com2sec notConfigUser default public
com2sec myNetwork 172.16/12 ca
Attaching the address or range to a security group
A named security group must be created that specifies the SNMP security version to use and assign a named IP address or range to the group. The values of groupName and securityModel can be modified. The value of securityName should reflect the value of sec.name set previously. An example is as follows:
# Second, map the security name into a group name:
# groupName securityModel securityName
#group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
group myGroup v1 myNetwork
group myGroup v2c myNetwork
Allowing the security group to access a particular view
A view specifies a container restricting what system information can be accessed. This section permits a group to access a specific view. The values of the name and subtree mask can be modified but should be set as follows. An example is as follows:
# Third, create a view for us to let the group have rights to:
# Open up the whole tree for ro, make the RFC 1213 required ones rw.
# name incl/excl subtree mask(optional)
#view roview included .1
#view rwview included system.sysContact
#view rwview included system.sysName
#view rwview included system.sysLocation
view systemview included system
view systemview included .1.3.6.1.4.1.17304
Note that in this step you should add to the view the root nodes for the MIBs you want to be able to view. In the above example, the CA APIM MIB is added to the view in the second uncommented line. If you also want to see the subtree containing system information (CPU, Memory, disk usage) add the following subtree mask to the view: .1.3.6.1.4.1.2021.
Permitting read-only access to that view
A relationship must be configured between a security group and a view. This relationship controls what information is accessible by which entities. The value of the group should reflect the value of the groupName set previously. The value of read should reflect the value of the name set in the previous step. An example is as follows:
# Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif
#access notConfigGroup "" any noauth exact roview rwview none
access myGroup "" any noauth exact systemview none none
Completing the configuration
All configuration files that have been modified should be saved after they are edited. The Gateway appliance should be restarted after saving. The changes will manifest after the restart completes and the SNMP daemon initializes.
For Gateway 11, please use this KB
Regarding Memory usage this is not part of our MIB this is 3rd party agent for UCD-SNMP-MIB
Link to additional OID related to third party MIB
http://www.linux-admins.net/2012/02/linux-snmp-oids-for-cpumemory-and-disk.html
Example of all available memory regarding memory
# snmpwalk -v 2c -c layer7 <gatewayHostName.DomainName> .1.3.6.1.4.1.2021.4
UCD-SNMP-MIB::memIndex.0 = INTEGER: 0
UCD-SNMP-MIB::memErrorName.0 = STRING: swap
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 2097148 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 1525544 kB
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 6109244 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 405276 kB
UCD-SNMP-MIB::memTotalFree.0 = INTEGER: 1930820 kB
UCD-SNMP-MIB::memMinimumSwap.0 = INTEGER: 16000 kB
UCD-SNMP-MIB::memShared.0 = INTEGER: 7448 kB
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 192968 kB
UCD-SNMP-MIB::memCached.0 = INTEGER: 755160 kB
UCD-SNMP-MIB::memTotalSwapX.0 = Counter64: 2097148 kB
UCD-SNMP-MIB::memAvailSwapX.0 = Counter64: 1525544 kB
UCD-SNMP-MIB::memTotalRealX.0 = Counter64: 6109244 kB
UCD-SNMP-MIB::memAvailRealX.0 = Counter64: 405276 kB
UCD-SNMP-MIB::memTotalFreeX.0 = Counter64: 1930820 kB
UCD-SNMP-MIB::memMinimumSwapX.0 = Counter64: 16000 kB
UCD-SNMP-MIB::memSharedX.0 = Counter64: 7448 kB
UCD-SNMP-MIB::memBufferX.0 = Counter64: 192968 kB
UCD-SNMP-MIB::memCachedX.0 = Counter64: 755160 kB
UCD-SNMP-MIB::memSwapError.0 = INTEGER: noError(0)
UCD-SNMP-MIB::memSwapErrorMsg.0 = STRING: