SNMP and RRDtool


Introduction

Having a server, I like to know a little about how it is doing when it comes to CPU load and network usage, both of which we can get information about using SNMP. Then we can use RRDtool to create various graphs of these, showing any changes over time.

There are lots of good tutorials on digitalocean.com, including one for this: how-to-install-and-configure-an-snmp-daemon-and-client, which can be followed mostly to the letter. I’m running everything on my server instead of having a client query the server for the data and then create the graphs on the client, so there are some minor changes. In addition, there are some newer algorithms available.

SNMP

Since I run everything on the server, I install everything there. In other words, there is no need to run snmp in one place and then snmpd on another. Also we add rrdtool at the same time:

$ sudo apt install snmp snmp-mibs-downloader snmpd rrdtool

Edit /etc/snmp/snmp.conf as specified, and comment out the “mibs :” line so it looks like this:

# mibs :

For snmpd, there is no need to have it listen on anything but localhost so don’t change the agentaddress line but make sure it stays like this:

agentaddress  127.0.0.1,[::1]

That is probably also safer, as a misconfigured snmpd could give bad actors access to a lot of information about your server.

Do add the createuser line at the end of snmpd.conf, but change MD5 to SHA and DES to AES. SHA and AES are newer algorithms, which are faster and/or safer than the old ones. The article is a little old and, for SHA, states that it is the only option, but you can select between the various lengths: SHA-512, SHA-384, SHA-256, SHA-224. I just use SHA and let the system decide the length; it is probably fine for this setup.

createUser bootstrap SHA temp_password AES

There are two more lines to add to snmpd.conf for the user that will be created later.

rwuser bootstrap priv
rwuser snmprwuser priv

The first word on the line, rwuser, specifies that this will be a user with read-write access. It should be possible to create a read-only user, but I haven’t quite figured out how to do that yet.

snmprwuser is the username that will be created; you can set this to anything you want.

Then restart snmpd for the changes to take effect:

$ sudo systemctl restart snmpd

Since this is all running on the same machine, there is no need to configure the firewall.
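
A check for the snmpd.conf settings described above, as an added example that is not part of the original post: the hypothetical helper audit_snmpd_conf flags agentaddress entries that are not loopback, MD5 or DES in createUser lines, and rwuser/rouser lines that do not require priv. It assumes the simple directive forms used here and runs against a constructed sample file.

```shell
#!/bin/sh
# Added example (not from the original post). audit_snmpd_conf is a
# hypothetical helper: it prints one line per finding and returns the count.
# Assumes the simple directive forms used above (no -e / -s options).
audit_snmpd_conf() {
    awk '
    function finding(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    { directive = tolower($1) }
    directive == "agentaddress" {
        seen_addr = 1
        # Entries are comma- or space-separated, each with an optional
        # transport prefix (udp:, udp6:, tcp:) and an optional :port suffix.
        line = $0; sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", line)
        m = split(line, addrs, /[ \t,]+/)
        for (i = 1; i <= m; i++) {
            a = tolower(addrs[i]); if (a == "") continue
            sub(/^(udp6?|tcp6?):/, "", a)
            if (a !~ /^(127\.[0-9.]+|localhost|\[::1\])(:[0-9]+)?$/)
                finding("agentaddress " addrs[i] " is not loopback-only")
        }
    }
    directive == "createuser" {
        for (i = 3; i <= NF; i++) {
            if (toupper($i) == "MD5") finding("createUser uses MD5 authentication")
            if (toupper($i) == "DES") finding("createUser uses DES privacy")
        }
    }
    (directive == "rwuser" || directive == "rouser") && tolower($3) != "priv" {
        finding($1 " " $2 " does not require the priv security level")
    }
    END {
        # With no agentaddress line snmpd listens on all IPv4 interfaces.
        if (!seen_addr) { print FILENAME ": no agentaddress line"; n++ }
        exit (n > 255 ? 255 : n + 0)
    }' "$1"
}

# Constructed sample: the weak counterparts of the settings in this post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
agentaddress udp:161
createUser bootstrap MD5 temp_password DES
rwuser bootstrap auth
EOF
audit_snmpd_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

On the server, call audit_snmpd_conf /etc/snmp/snmpd.conf; a return value of 0 means none of the three checks fired.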

Now comes the time to test if this works:

$ snmpget -u bootstrap -l authPriv -a SHA -x AES -A temp_password -X temp_password localhost 1.3.6.1.2.1.1.1.0

This should return the same as uname -a.

If all is good, we can create the actual user we will be using with better passwords:

$ snmpusm -u bootstrap -l authPriv -a SHA -x AES -A temp_password -X temp_password localhost create snmprwuser bootstrap

This has copied the bootstrap user and created snmprwuser with the same credentials. Let’s change that. The command will have to be run twice: first to change the authentication key (the key related to the -a and -A parameters) and then again to change the private key (the key related to the -x and -X parameters).

$ snmpusm -Ca -u snmprwuser -l authPriv -a SHA -x AES -A temp_password -X temp_password localhost passwd temp_password new_secret_auth_key
$ snmpusm -Cx -u snmprwuser -l authPriv -a SHA -x AES -A new_secret_auth_key -X temp_password localhost passwd temp_password new_secret_private_key

Now it’s a little tedious to type all those parameters (-l, -a, -x, -A, -X …) each time we make a request, but fortunately they can be stored in a configuration file: either in /etc/snmp/snmp.conf or, if you want to store the credentials for only a given user, in a new .snmp directory in that user’s home directory with snmp.conf in it: ~/.snmp/snmp.conf

$ umask 077
$ mkdir ~/.snmp
$ vi ~/.snmp/snmp.conf

The contents of the file should look like this:

defSecurityName snmprwuser
defSecurityLevel authPriv
defAuthType SHA
defPrivType AES
defAuthPassphrase new_secret_auth_key
defPrivPassphrase new_secret_private_key

Now we can shorten the command to this:

$ snmpget localhost 1.3.6.1.2.1.1.1.0

Nice!

Now on to RRDtool.

RRDtool

RRDtool is a time series database. Another description, and perhaps the full name for it, is round robin database tool. This means that we will create a database that holds a given number of elements, and that when we add a new element, the oldest one is deleted. “Time series” hints that this is related to time, so we will add an element every X amount of time.

This should maybe be its own post as it is quite an extensive subject to explore.

To be continued.