IBM AIX: How To Configure Community based SNMP And SNMP Traps

How To


Summary

How to assign a different community name to SNMP.
How to configure and test SNMP Traps. (Optional)

Objective

AIX ships with SNMP v3 as the default. The SNMP v3 configuration file is /etc/snmpdv3.conf and it's configured to use community name public. In virtually all cases users want to change to a different community name for security reasons.
The community name public is easily guessed, so you should use a community name other than public. This document provides the steps to change the SNMP community name and to configure SNMP to forward trap messages and alerts.

Environment

SNMP on AIX 6.1, 7.1 and 7.2

Steps

PART I
Configure SNMP to use a community name other than the default public.
SNMP on AIX by default ships with community name public.
In this example we are changing the default community name from public to community name foo1234.
By default the SNMP daemon snmpd is linked to snmpdv3ne which is for SNMP v3.
# ls -l /usr/sbin/snmpd
lrwxrwxrwx    1 root     system           19 Jul 13 2017  /usr/sbin/snmpd -> /usr/sbin/snmpdv3ne
The /etc/snmpdv3.conf  file is the configuration file for the SNMP version 3 agent.
The /etc/snmpd.conf file is the configuration file for the SNMP version 1 agent.
SNMP version 3 agent can also handle all SNMP v1 requests.
To configure SNMP to use a community name other than public, the following lines must be changed in /etc/snmpdv3.conf.
Each occurrence of public must be changed to the new community name, and the comment character (#), if it exists, must be removed from the internet line and the COMMUNITY line.
VACM_GROUP group1 SNMPv1  public  -
TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  public  noAuthNoPriv -
#COMMUNITY public    public     noAuthNoPriv 0.0.0.0    0.0.0.0         -
In this example the new community name is foo1234. Each occurrence of public has been changed to foo1234.
VACM_GROUP group1 SNMPv1  foo1234  -
TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  foo1234  noAuthNoPriv -
Remove the # from the internet line.
VACM_VIEW defaultView       internet                   - included -
Removed the # from the COMMUNITY line and changed public to the new name.
COMMUNITY foo1234    foo1234     noAuthNoPriv 0.0.0.0    0.0.0.0         -
It is also recommended to include the MIBs provided by DPI2 subagent aixmibd.
Change this line from:
VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191        - excluded -
Change to:
VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191        - included -
Since we are now using a different community name we must assign the new community name to DPI2 subagents aixmibd, hostmibd and snmpmibd.
Use the chssys command to add the new community name to the ODM so that whenever the DPI2 subagents are started they will automatically be assigned the new community name.
# chssys -s aixmibd -a "-c foo1234"
# chssys -s hostmibd -a "-c foo1234"
# chssys -s snmpmibd -a "-c foo1234"
Stop and restart the 3 DPI2 subagents and snmpd to pick up the changes.
STOP
# stopsrc -s aixmibd;stopsrc -s hostmibd;stopsrc -s snmpmibd
# stopsrc -s snmpd
START
# startsrc -s snmpd
# startsrc -s aixmibd;startsrc -s hostmibd; startsrc -s snmpmibd
Check the process table and you should see the new community name assigned to the 3 DPI2 subagents
# ps -ef |grep mibd
/usr/sbin/hostmibd -c foo1234
/usr/sbin/aixmibd -c foo1234
/usr/sbin/snmpmibd -c foo1234
Use the odmget command to check the new community name. The community name will be assigned to the cmdargs value.
# odmget -q subsysname=aixmibd SRCsubsys
SRCsubsys:
        subsysname = "aixmibd"
        synonym = ""
        cmdargs = "-c foo1234"
        path = "/usr/sbin/aixmibd"
        .... 
        ....
        grpname = "tcpip"
 
You can also query the ODM using the lssrc command for each subagent.
# lssrc -Ss aixmibd
#subsysname:synonym:cmdargs:path:uid:auditid:standin:standout:standerr:action:multi:contact:svrkey:svrmtype:priority:signorm:sigforce:display:waittime:grpname:
aixmibd::-c foo1234:/usr/sbin/aixmibd:0:0:/dev/console:/dev/console:/dev/console:-O:-Q:-K:0:0:20:0:0:-d:20:tcpip:
To null out (undo) the community name change in the ODM use the chssys command.
# chssys -s aixmibd -a ""
Make the same change to hostmibd and snmpmibd and restart the daemons as demonstrated in Part I of this document. When the cmdargs value is blank the community name public is used.
To test SNMP, use the snmpinfo or the clsnmp command. In this example the server sends an SNMP query to itself.
# snmpinfo -md -v -c foo1234 system
sysDescr.0 = "IBM PowerPC CHRP Computer
Machine Type: 0x0800004c Processor id: 00F8A0A14C00
Base Operating System Runtime AIX version: 06.01.0009.0100
.....
# snmpinfo -md -v -c foo1234 aixpagingspace
aixPageThreshold.0 = 95
aixPageName.1 = "hd6"
aixPageNameVG.1 = "rootvg"
aixPageNamePV.1 = "hdisk0"
aixPageSize.1 = 1536
.....
# snmpinfo -md -c foo1234 aixpagingspace
1.3.6.1.4.1.2.6.191.2.4.1.0 = 95
1.3.6.1.4.1.2.6.191.2.4.2.1.1.1 = "hd6"
1.3.6.1.4.1.2.6.191.2.4.2.1.2.1 = "rootvg"
1.3.6.1.4.1.2.6.191.2.4.2.1.3.1 = "hdisk0"
1.3.6.1.4.1.2.6.191.2.4.2.1.4.1 = 1536
.....
# clsnmp -v -c foo1234 walk aixpagingspace
aixPageThreshold.0 = 95
aixPageName.1 = hd6
aixPageNameVG.1 = rootvg
aixPageNamePV.1 = hdisk0
aixPageSize.1 = 1536
.....
# clsnmp -c foo1234 walk aixpagingspace
1.3.6.1.4.1.2.6.191.2.4.1.0 = 95
1.3.6.1.4.1.2.6.191.2.4.2.1.1.1 = hd6
1.3.6.1.4.1.2.6.191.2.4.2.1.2.1 = rootvg
1.3.6.1.4.1.2.6.191.2.4.2.1.3.1 = hdisk0
1.3.6.1.4.1.2.6.191.2.4.2.1.4.1 = 1536
.....
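The Part I checks above can be scripted. The following is an added example, not IBM-supplied code: it reads a copy of /etc/snmpdv3.conf and saved lssrc -Ss output for the subagents, then reports active lines that still use public and subagents whose -c value is not defined by a COMMUNITY line. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): post-change audit for Part I.
# Prints one finding per line; no output means every check passed.

audit_snmp_community() {
    conf=$1       # copy of /etc/snmpdv3.conf
    lssrc_out=$2  # saved `lssrc -Ss` output for aixmibd, hostmibd, snmpmibd

    # Names defined on active (uncommented) COMMUNITY lines.
    communities=$(awk '$1 == "COMMUNITY" { print $2 }' "$conf" | tr '\n' ' ')
    [ -n "$communities" ] || echo "conf: no active COMMUNITY line"

    # Active lines that still carry the shipped default name.
    awk '$1 ~ /^(VACM_GROUP|TARGET_PARAMETERS|COMMUNITY)$/ {
             for (i = 2; i <= NF; i++) if ($i == "public") {
                 print "conf: line " NR " (" $1 ") still uses public"; break }
         }' "$conf"

    # lssrc -Ss records are colon-separated: field 1 subsysname, field 3 cmdargs.
    awk -F: -v ok="$communities" '
        BEGIN { n = split(ok, c, " "); for (i = 1; i <= n; i++) known[c[i]] = 1 }
        /^#/ || NF < 3 { next }
        {
            name = "public"   # blank cmdargs: the subagent falls back to public
            m = split($3, a, " ")
            for (i = 1; i < m; i++) if (a[i] == "-c") name = a[i + 1]
            if (!(name in known))
                print "odm: " $1 " uses " name ", which the conf does not define"
        }' "$lssrc_out"
}

# Constructed sample: one stale TARGET_PARAMETERS line, hostmibd never updated.
sample_run() {
    d=$(mktemp -d)
    cat > "$d/conf" <<'EOF'
VACM_GROUP group1 SNMPv1  foo1234  -
TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  public  noAuthNoPriv -
COMMUNITY foo1234    foo1234     noAuthNoPriv 0.0.0.0    0.0.0.0         -
EOF
    cat > "$d/lssrc" <<'EOF'
#subsysname:synonym:cmdargs:path:uid:
aixmibd::-c foo1234:/usr/sbin/aixmibd:0:
hostmibd:::/usr/sbin/hostmibd:0:
EOF
    audit_snmp_community "$d/conf" "$d/lssrc"
    rm -rf "$d"
}
```

On a live system, save the output of lssrc -Ss for aixmibd, hostmibd and snmpmibd into one file and pass it as the second argument.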
PART II  (Optional)
Configure and Test SNMP Traps
An SNMP trap message is an alert that informs the remote end (the SNMP manager) that a previously set condition has been met, for example that a filesystem has reached a certain threshold.
It can also be a message that was sent manually by an administrator.
There should be an SNMP manager to receive the trap messages sent by the SNMP agent.
To test receiving trap messages use the clsnmp trap utility on AIX to receive traps.
The clsnmp command supports both sending of SNMP requests and receiving SNMP traps.
Here is an example of an /etc/snmpdv3.conf file that has been configured for community based SNMP with community name foo1234. It has also been configured to forward SNMP trap messages.
Community public has been replaced with community foo1234.
<begin>
VACM_GROUP group1 SNMPv1  foo1234  -
VACM_VIEW defaultView       internet            - included -
VACM_VIEW defaultView        1.3.6.1.4.1.2.2.1.1.1.0    - included -
VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191.1.6    - included -
# exclude snmpv3 related MIBs from the default view
VACM_VIEW defaultView        snmpModules                - excluded -
VACM_VIEW defaultView        1.3.6.1.6.3.1.1.4          - included -
VACM_VIEW defaultView        1.3.6.1.6.3.1.1.5          - included -
# exclude aixmibd managed MIBs from the default view
VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191        - included -
VACM_ACCESS  group1 - - noAuthNoPriv SNMPv1  defaultView - defaultView -
NOTIFY notify1 traptag trap -
TARGET_ADDRESS Target1 UDP 127.0.0.1    traptag trapparms1 - - -
TARGET_ADDRESS Target2 UDP 9.40.205.179 traptag trapparms2 - - -
TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  foo1234  noAuthNoPriv -
TARGET_PARAMETERS trapparms2 SNMPv1  SNMPv1   foo1234  noAuthNoPriv -
COMMUNITY foo1234    foo1234     noAuthNoPriv 0.0.0.0   0.0.0.0         -
DEFAULT_SECURITY no-access - -
logging         file=/usr/tmp/snmpdv3.log       enabled
logging         size=100000                     level=0
smux            1.3.6.1.4.1.2.3.1.2.1.2         gated_password  # gated
<end>
The receiving server for the trap messages is 9.40.205.179. It's the AIX server that is running the clsnmp trap utility.
# clsnmp trap
The command will just hang waiting on input.
To exit, press Ctrl-C.
Test SNMP Traps
In this example I have configured the /etc/aixmibd.conf file on the SNMP Agent to send an alert message when a filesystem is more than 95% used.
Default /etc/aixmibd.conf
fsPollInterval=0
vgPollInterval=0
cpuPollInterval=0
pagePollInterval=0
lfPollInterval=0
CPUThreshold=95
VgThreshold=95
FsThreshold=95
PageThreshold=95
LoginFailedThreshold=20
LoginFailedTimePeriod=300
Below is a modified /etc/aixmibd.conf file. Set pollInterval, fsPollInterval and vgPollInterval. FsThreshold was set to 95% by default.
agentAccess=0
pollInterval=120
fsPollInterval=120
vgPollInterval=60

cpuPollInterval=0
pagePollInterval=0
lfPollInterval=0
CPUThreshold=95
VgThreshold=95
FsThreshold=95
PageThreshold=95
LoginFailedThreshold=20
LoginFailedTimePeriod=300
Started clsnmp utility on target server defined in /etc/snmpdv3.conf.
Target server:
# clsnmp trap
The command will hang waiting on an alert or message.
Note: The snmpd daemon doesn't have to be running in order to use clsnmp trap.
On AIX SNMP Agent:
# pwd
/tmp
# df -k /tmp
Filesystem    1024-blocks      Free %Used    Iused %Iused Mounted on
/dev/hd3          4063232   1163332   72%     2044     1% /tmp
Increased /tmp %Used to be greater than 95%.
# lmktemp junk 1000M ; df -k /tmp
# df -k /tmp
Filesystem    1024-blocks      Free %Used    Iused %Iused Mounted on
/dev/hd3          4063232    139264   97%     2044     5% /tmp
The /tmp filesystem is now 97% used.
In ~2 minutes the clsnmp trap utility which is running on the target host received an alert message that /tmp was more than 95% used.
Here is the data received by the clsnmp trap utility.
Display of SNMPv1 trap:
community:       foo1234
enterprise oid:  1.3.6.1.4.1.2.6.191
        .....    ibmProd.191
agentAddress:    9.40.205.172
generic-trap:    enterpriseSpecific ('00000006'h)
specific-trap:   1 ('00000001'h)
time-stamp:      13400 - 2 minutes, 14.00 seconds
varBind oid:     OBJECT_IDENTIFIER 1.3.6.1.4.1.2.6.191.1.4.2.0
        name:    ibmProd.191.1.4.2.0
        value:   OCTET_STRING The current used percentage 96 of the file system /tmp is above the threshold 95
Notice that it detected that /tmp was more than 95% used.
An SNMP trap message can also be sent from the command line using the snmptrap command on the SNMP agent.
# snmptrap -c foo1234 -m "Hello, trap sent from  9.40.205.172"
The /etc/snmpdv3.conf file is checked to determine where to send the message.
Here is the data received by the clsnmp trap utility.
Display of SNMPv1 trap:
community:       foo1234
enterprise oid:  1.3.6.1.4.1.2.6.191
        .....    ibmProd.191
agentAddress:    9.40.205.172
generic-trap:    enterpriseSpecific ('00000006'h)
specific-trap:   1 ('00000001'h)
time-stamp:      443181900 - 51 days, 7 hours, 3 minutes, 39.00 seconds
varBind oid:     OBJECT_IDENTIFIER 1.3.6.1.4.1.2.6.191.1.6.1.0
        name:    ibmProd.191.1.6.1.0
        value:   OCTET_STRING Hello, trap sent from 9.40.205.172
Here you can see the message 'Hello, trap sent from 9.40.205.172'. The message was sent from the SNMP Agent.
Another method for testing if a trap message has been sent by the SNMP Agent is to start snmpd.  The snmpd daemon will send a coldStart trap to the Target host defined in /etc/snmpdv3.conf whenever snmpd is started.
# startsrc -s snmpd
Here is the coldStart trap received by the clsnmp trap utility running on the target server.
Display of SNMPv1 trap:
community:       foo1234
enterprise oid:  1.3.6.1.4.1.2.3.1.2.1.1.3
        .....    aix.2.1.1.3
agentAddress:    9.40.205.172
generic-trap:    coldStart ('00000000'h)
specific-trap:   0 ('00000000'h)
time-stamp:      200 - 2.00 seconds
The fact that the clsnmp trap utility running on the target server received the coldStart trap indicates that SNMP traps are configured correctly on the SNMP agent.
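An added example (not part of the original technote or IBM tooling) that condenses the clsnmp trap display shown above into one line per trap and marks traps that arrive with a community name other than the expected one. The function names, the second sample trap and its address 192.0.2.10 are constructed; the parser assumes the field labels exactly as displayed above.

```shell
#!/bin/sh
# Added example: summarize saved `clsnmp trap` output read from stdin.
# Output format: agentAddress|generic-trap|community check|message

summarize_traps() {
    expected=$1   # community name the agents were configured with
    awk -v want="$expected" '
        function emit() {
            if (!seen) return
            status = (comm == want) ? "ok" : "UNEXPECTED-COMMUNITY"
            printf "%s|%s|%s|%s\n", agent, generic, status, msg
            seen = 0; comm = agent = generic = msg = ""
        }
        # Each trap starts with this banner line.
        /^Display of SNMPv1 trap:/ { emit(); seen = 1; next }
        $1 == "community:"    { comm = $2 }
        $1 == "agentAddress:" { agent = $2 }
        $1 == "generic-trap:" { generic = $2 }
        # Keep only the text of the varBind value.
        $1 == "value:" {
            sub(/^[ \t]*value:[ \t]+OCTET_STRING[ \t]+/, "")
            msg = $0
        }
        END { emit() }
    '
}

# Constructed input: the threshold trap in the format shown above, followed by
# a coldStart trap that arrives with the default community from another host.
sample_traps() {
    cat <<'EOF'
Display of SNMPv1 trap:
community:       foo1234
enterprise oid:  1.3.6.1.4.1.2.6.191
agentAddress:    9.40.205.172
generic-trap:    enterpriseSpecific ('00000006'h)
specific-trap:   1 ('00000001'h)
varBind oid:     OBJECT_IDENTIFIER 1.3.6.1.4.1.2.6.191.1.4.2.0
        value:   OCTET_STRING The current used percentage 96 of the file system /tmp is above the threshold 95
Display of SNMPv1 trap:
community:       public
agentAddress:    192.0.2.10
generic-trap:    coldStart ('00000000'h)
specific-trap:   0 ('00000000'h)
EOF
}
```

Run it as sample_traps | summarize_traps foo1234, or feed it a file captured from clsnmp trap.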

Additional Information

How to debug SNMP problems.
LogFiles
By default the SNMP log file is defined in /etc/snmpdv3.conf
The file name is /usr/tmp/snmpdv3.log
The current file is /usr/tmp/snmpdv3.log and there could also be a maximum of 3 additional log files depending on how many times the current log file has rotated.
To increase the level of debug, change the log level from 0 to 4 (level=0 on the logging line becomes level=4).
Stop and restart snmpd.
SNMP Packet Tracing
Use tcpdump or iptrace to trace SNMP data. The tcpdump and iptrace output files are pcap type files and can be analyzed using Wireshark.
To start iptrace:
# startsrc -s iptrace -a "-L 200000000 -p 53,161,162 /tmp/iptrace.bin"
Send a query from the SNMP monitoring station to SNMP on AIX.
For non-AIX servers you can use the snmpwalk command to send the request.
Alternatively, send an SNMP query from the AIX server to itself using the snmpinfo or the clsnmp command.
To stop iptrace
# stopsrc -s iptrace
In the above iptrace example we are tracing DNS port 53, SNMP port 161 and SNMP Trap port 162.
Provide a snap, the iptrace output file(s) and snmpdv3.log file(s) if further assistance is required.

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your case will confirm that you have completed these steps.

1.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred. 

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, please visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, please visit the web page:
      https://www.ibm.com/planetwide/

4.  Provide a good description of your issue, and reference this Technote, and any issues you had with the instructions.

5.  Collect the system snap and upload all of the details and data for your case.

To collect a complete snap of your system information:

5.1) Remove previously gathered data

   # snap -r 

5.2) Copy related files from #1 and #2 to the snap data directory

   # mkdir -p /tmp/ibmsupt/testcase
   # cp <logs, screenshots, etc> /tmp/ibmsupt/testcase

5.3) Run the snap command with one of the following options to collect all info.

     * If you have already engaged with a support engineer, use the flags specified by your support team.
   # snap -aZc (Omits system dump data)   
     OR 
   # snap -ac (Use if system dump data is needed)

5.4) Rename the testcase to include your case number to ensure it is properly attached to your case

  # mv /tmp/ibmsupt/snap.pax.Z  /tmp/ibmsupt/yourcase#[.optional_description].snap.pax.Z

5.5) Upload the file by one of the following options (a, b, or c)

     a) Attach to your case 
     https://www.ibm.com/mysupport/s/my-cases

     b) Upload to the Enhanced Customer Data Repository(ECuRep) 
     https://www.secure.ecurep.ibm.com/app/upload_sf

     c) Upload to the Blue Diamond FTP server (Blue Diamond Customers Only)
     https://msciportal.im-ies.ibm.com

* Note: For information about blue diamond upload see:

     http://www.ibm.com/support/docview.wss?uid=nas8N1020947

Document Location

Worldwide

Document Information

Modified date:
12 February 2020

UID

ibm10884646