Monitoring of servers is very important in any IT environment. It’s important to know when a device is down before people start calling you or that a hard drive is full before the operating system stops responding. It allows you as a system admin to be proactive about the state of your network. Cacti needs SNMP to be up and running to be able to monitor a server.
The following describes the steps needed to get SNMP running in CentOS 7.
Install SNMP daemon
# Perform a general update of the system (optional)
sudo yum update
# Actually install the SNMP daemon
sudo yum install net-snmp
# Install the net-snmp-utils package, which includes the snmpwalk utility
sudo yum install net-snmp-utils
Modify the configuration files
Modify the following file
sudo nano /etc/snmp/snmpd.conf
with the following information (Customize for your environment)
Modify the agentAddress
# Listen for connections from the local system only
#agentAddress udp:127.0.0.1:161
# Listen for connections on all interfaces (both IPv4 *and* IPv6)
#agentAddress udp:161,udp6:[::1]:161
agentAddress 161
rocommunity public
syslocation "Boyds, MD"
syscontact info@example.net
#.....
#.....
# Comment out the following
#syslocation Unknown (edit /etc/snmp/snmpd.conf)
#.....
#.....
# disk checks
#
# The agent can check the amount of available disk space, and make
# sure it is above a set limit.
# disk PATH [MIN=100000]
#
# PATH: mount path to the disk in question.
# MIN: Disks with space below this value will have the Mib's errorFlag set.
# Default value = 100000.
# Check the / partition and make sure it contains at least 10 megs.
disk / 10000
includeAllDisks 10%
#syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
Modify the following file
sudo nano /etc/default/snmpd
# Don't load any MIBs by default.
# You might comment these lines once you have the MIBs downloaded.
export MIBS=/usr/share/snmp/mibs
Restart the SNMP daemon
# Ensure that the snmpd daemon will start up on boot
sudo systemctl enable snmpd
# Manually start up the snmpd daemon
sudo service snmpd restart
To check that things are working you can ‘walk’ the MIB tree by doing the following
snmpwalk -v2c -c public localhost system
You’ll see a lot of output scroll by; this is the information that Cacti uses.
Notes on SNMP security
SNMP is widely known to be insecure. In SNMP versions 1, 2, and 2c the community strings used for authentication are communicated in cleartext over the network and can potentially be captured, then used to conduct subsequent attacks against other internal network infrastructure.
SNMPv3 improved the situation by essentially using the community string as a password for the device. However, successfully implementing SNMPv3 is not for the faint of heart.
Our recommendations are
- Have your community string set to read-only (as above) so that no one can change the settings on your infrastructure.
- Use your EC2 security group settings to block access to port 161.
- Don’t have monitoring set up across the open internet. Set up a VPN to monitor hosts/devices outside AWS.
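To check an snmpd.conf against these recommendations before restarting the daemon, the following added example (not part of the original post or of net-snmp) flags read-write communities, the default community strings, communities with no source restriction, and listeners that are not bound to loopback. The function name, finding labels, sample configurations and the 127.0.0.1 poller address are assumptions made for illustration.

```python
# Added example: audit snmpd.conf directives against the recommendations above.
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
LOOPBACK_MARKERS = ("127.0.0.1", "localhost", "[::1]")  # heuristic match

# Constructed sample: the active directives from the configuration shown earlier.
WEAK_CONF = """\
#agentAddress udp:127.0.0.1:161
agentAddress 161
rocommunity public
syslocation "Boyds, MD"
disk / 10000
"""

# Constructed variant for a poller on the same host (placeholder community string).
HARDENED_CONF = """\
agentAddress udp:127.0.0.1:161
rocommunity example-long-random-string 127.0.0.1
"""

def audit_snmpd_conf(text):
    """Return (line_number, finding) tuples for risky snmpd.conf directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            if directive.startswith("rw"):
                findings.append((lineno, "rw-community"))
            if args[0].lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community"))
            # With no SOURCE argument (or "default"), any host may use the string.
            if len(args) < 2 or args[1] == "default":
                findings.append((lineno, "no-source-restriction"))
        elif directive == "agentaddress":
            # Several listening addresses may be given as a comma-separated list.
            for addr in ",".join(args).split(","):
                if addr and not any(m in addr for m in LOOPBACK_MARKERS):
                    findings.append((lineno, "non-loopback-listener"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf))
```

A "non-loopback-listener" finding is expected when Cacti polls from another host; in that case it is a reminder that the security group rule for port 161 is what limits who can reach the agent.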