snmpwalk on vacm tables returns error after agent restart due to sighup
Hi,

I am running net-snmp 5.3.0.1 on Redhat Linux. I've created a few user and vacm directives in the snmpd.conf file. After starting the agent I executed a couple of snmpwalks on SNMP-VIEW-BASED-ACM-MIB::vacmSecurityToGroupTable and SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable to see the vacm configurations in the mib tables. I was able to see the corresponding entries.

When I restart the agent by sending the HUP signal as: kill -s HUP , snmpwalk on the same tables returns an error, but the access control still works, denying/allowing access to the mibs as configured in the snmpd.conf file. The message I get is:

    SNMP-VIEW-BASED-ACM-MIB::vacmSecurityToGroupTable = No more variables left in this MIB View (It is past the end of the MIB tree)

I need to stop and start the agent again for it to work. What am I doing wrong?

Yogeeta
books, info requested
I'm very new to SNMP. Can anyone suggest good books or links that give a good idea of SNMP for a beginner? Your inputs are highly appreciated.
Re: snmptrap - I don't understand how SNMPv3 traps are sent by the snmptrap utility.
On Mon, 2006-02-06 at 21:57 -0800, Wes Hardaker wrote:
> > On Wed, 11 Jan 2006 12:19:27 +, Dave Shield <[EMAIL PROTECTED]>
> > said:
>
> >> (which clearly shows that VACM Authorization is required for
> >> applications generating notification)
>
> Dave> You are quite correct - the agent doesn't not conform to this
> Dave> particular aspect of RFC 3415.
>
> Hmm... thought 3.5 did... Robert?

I would be *very* surprised if 3.5 supported any such filtering :-)

Release 5.3 seems to include support for the snmpNotifyFilterTable, but that's not quite the same thing. A strict application of RFC 3415 should check all outgoing traps against vacmAccessNotifyViewName - as well as any additional (optional) filtering.

Now I haven't examined the new code in great detail, but it doesn't seem to do this. Robert?

Dave
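The notify-view check discussed in the message above, as an added example that is not part of the original mail and is not Net-SNMP code: every OID a trap carries is tested against the view-tree families of the notify view, using the RFC 3415 rule that the longest matching subtree decides. The struct layout, function names, simplified mask encoding and sample view are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* One vacmViewTreeFamilyTable row. Simplification: mask bit i (LSB first) set means
 * sub-identifier i must match exactly; subtrees are limited to 32 sub-identifiers. */
typedef struct { const unsigned long *subtree; size_t len; unsigned long mask; int included; } view_family;
typedef struct { const unsigned long *ids; size_t len; } oid_ref;

static int family_matches(const view_family *f, oid_ref o) {
    if (o.len < f->len) return 0;
    for (size_t i = 0; i < f->len; i++)
        if (((f->mask >> i) & 1UL) && o.ids[i] != f->subtree[i]) return 0;
    return 1;
}

/* Nonzero if a beats b: longer subtree first, then lexicographically greater. */
static int preferred(const view_family *a, const view_family *b) {
    if (a->len != b->len) return a->len > b->len;
    for (size_t i = 0; i < a->len; i++)
        if (a->subtree[i] != b->subtree[i]) return a->subtree[i] > b->subtree[i];
    return 0;
}

/* RFC 3415 view test: the preferred matching family decides; no match means not in view. */
int oid_in_view(const view_family *v, size_t n, oid_ref o) {
    const view_family *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (family_matches(&v[i], o) && (!best || preferred(&v[i], best))) best = &v[i];
    return best != NULL && best->included;
}

/* A trap passes only if every OID it carries (trap OID, varbind names) is in the view. */
int trap_allowed(const view_family *v, size_t n, const oid_ref *oids, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (!oid_in_view(v, n, oids[i])) return 0;
    return 1;
}

/* Constructed notify view: snmpTraps and system included, sysContact excluded. */
static const unsigned long V_TRAPS[] = {1,3,6,1,6,3,1,1,5}, V_SYS[] = {1,3,6,1,2,1,1}, V_CONTACT[] = {1,3,6,1,2,1,1,4};
static const view_family NOTIFY_VIEW[] = {{V_TRAPS, 9, ~0UL, 1}, {V_SYS, 7, ~0UL, 1}, {V_CONTACT, 8, ~0UL, 0}};
/* Constructed trap contents: authenticationFailure, sysDescr.0, sysContact.0. */
static const unsigned long O_AUTHFAIL[] = {1,3,6,1,6,3,1,1,5,5}, O_DESCR[] = {1,3,6,1,2,1,1,1,0}, O_CONTACT[] = {1,3,6,1,2,1,1,4,0};

int main(void) {
    const oid_ref ok[] = {{O_AUTHFAIL, 10}, {O_DESCR, 9}}, leaky[] = {{O_AUTHFAIL, 10}, {O_CONTACT, 9}};
    printf("trap with sysDescr.0:   %s\n", trap_allowed(NOTIFY_VIEW, 3, ok, 2) ? "send" : "drop");
    printf("trap with sysContact.0: %s\n", trap_allowed(NOTIFY_VIEW, 3, leaky, 2) ? "send" : "drop");
    return 0;
}
```

A trap carrying sysContact.0 is dropped because the excluded, longer sysContact family overrides the included system subtree, which is the filtering a notification originator skips when it never consults the notify view.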
Re: trapsess SNMPv3, authoritative engine, wrong engineId
Hi Wes,

Thanks for your quick reply.

I beg to differ that the missing data is not useful. It might not matter so much with the lowest security level (-l noAuthNoPriv), but I've moved on to authenticated traps, and it fails.

There is a profound difference in SNMPv3 between sending a trap to (!) a user (what net-snmp is doing) and as (!) a user (what it should do). I hope the following makes sense:

I added a new user 'authUser' via 'createUser' to /var/net-snmp/snmpd.conf:

    createUser authUser MD5 AuthPassword

Sending a Get Request works fine:

    snmpget -v 3 -u authUser -l authNoPriv -a MD5 -A AuthPassword udp:.westhawk.co.uk:161 sysContact.0
    SNMPv2-MIB::sysContact.0 = STRING: Tim Panton, [EMAIL PROTECTED]

However, net-snmp (on ) isn't able to send an authentication failure trap to as user 'authUser', because it cannot find the user's usm details.

/etc/snmp/snmpd.conf:

    authtrapenable 1
    trapsess -v 3 -l authNoPriv -u authUser -a MD5 -A AuthPassword :162

/var/log/net-snmpd.log:

    usm: USM processing has begun (offset 89)
    trace: usm_get_user(): snmpusm.c, 2982: usm: getting user authUser
    trace: usm_get_user_from_list(): snmpusm.c, 2998: usm: match on user authUser
    trace: usm_get_user_from_list(): snmpusm.c, 3004: usm: no match on engineID ()
    trace: usm_rgenerate_out_msg(): snmpusm.c, 1403: usm: Unknown User
    trace: _sess_async_send(): snmp_api.c, 4816: sess_async_send: encoding failure
    snmpd: send_trap: USM unknown security name (no such user exists)

I assume that is because it tries to find the details of 'authUser' on instead of its own local 'authUser'.

It might seem I should be able to work around this problem by configuring (using snmpusm) the details of 'authUser' on . However, net-snmp would then send the authentication and timeliness parameters of and not . Therefore the PDU would be discarded by as not being authentic.

Thanks, Birgit

On Mon, Feb 06, 2006 at 09:16:08PM -0800, Wes Hardaker wrote:
> > On Mon, 6 Feb 2006 18:22:23 +, Birgit Arkesteijn <[EMAIL
> > PROTECTED]> said:
>
> Birgit> trapsess -v 3 -l noAuthNoPriv -u noAuthUser :162
>
> Birgit> I receive the PDU fine, but I noticed that the trap doesn't have the
> Birgit> correct authoritative engine ID, engine boots and engine time;
>
> Birgit> However, (as far as my knowledge goes for SNMPv3) when sending
> Birgit> traps in SNMPv3, the engine acts as an authoritative engine
> Birgit> and should therefore send its own (!) authoritative engine ID,
> Birgit> engine boots and engine time, and not the synchronisation
> Birgit> parameters of the other party.
>
> That's true, the agent should be sending its own engineid, boots and
> time assuming you're sending a trap and not an inform.
>
> Birgit> Unless my understanding and assumptions are incorrect, it seems that
> Birgit> the net-snmp behaviour is incorrect.
>
> Yes, I'd agree. Though the usefulness of the missing data is pretty
> much 0, but that doesn't excuse that it should be filling it in
> anyway.
>
> --
> Wes Hardaker
> Sparta, Inc.

--
-- Birgit Arkesteijn, [EMAIL PROTECTED],
-- Westhawk Ltd, Albion Wharf, 19 Albion Street, Manchester M1 5LN, UK
-- tel.: +44 (0)161 237 0660
-- http://www.westhawk.co.uk
Re: i need a help and thanks for advanced
> On Wed, 1 Feb 2006 04:58:04 -0800 (PST), elias bourahal <[EMAIL
> PROTECTED]> said:

elias> I extended the snmp agent and i used the simple table in my mib and i
elias> get a correct results for snmpbulkwalk and the other.

This is the fairly old way of doing things and it's strongly suggested that you consider upgrading to the Net-SNMP ways of doing things instead of using the older ones. See the tutorial for the newer ones at http://www.net-snmp.org/tutorial-5/toolkit/

--
Wes Hardaker
Sparta, Inc.
Re: "something horrible happened" when running snmpdemoapp
On Mon, 2006-02-06 at 14:38 -0800, Li Juen Hwang wrote:
> What's wrong with shutting down agent with "kill -9"?

You should *NEVER* terminate *ANY* application with "kill -9", unless you've tried to shut it down cleanly first. Blindly using "kill -9" is a sign of a slapdash and unprofessional administrator.

A well-written application will typically catch the standard "TERM" signal, and perform any processing necessary to shut down cleanly. (Flushing persistent data to file, unlinking named sockets, informing other applications that it's shutting down). If you use "kill -9", you're preventing this from happening.

"kill -9" is very much a last resort, when you need to shut the application down *NOW* (regardless of any mess or inconsistencies that might result), or when shutting it down cleanly has failed. You'll then need to check what inconsistencies might have resulted, and be prepared to tidy things up.

It should *NOT* be used as a matter of course. Escalating straight to "kill -9" is laziness, pure and simple.

Dave
CPU Alarm
Hi,

Whenever CPU usage crosses some configured threshold I want to generate an alarm to the SNMP Manager. Does net-snmp have some generic mibs which I can directly use to send alarms, or do I need to write/create new mibs?

Suresh
make install gives the error when configured with --disable-snmptrapd-subagent option.
Hi,

We are using Net-snmp-5.2.2 in our subagent. Earlier, we reported to this list that snmptrapd of Net-snmp-5.2.2 has a memory leak for every trap it receives. We have gone through the previous mails in the archive and observed that if the "snmptrapd_agentx" flag is disabled, there will be no leak. So, we have configured Net-snmp-5.2.2 with the following options.

    ./configure --prefix=/usr --without-openssl --with-logfile="/var/log/snmpd.log" --with-persistent-directory="/var/net-snmp --disable-snmptrapd-subagent"

After this we did make and make install. We observed that there is no memory leak in snmptrapd when configured with this --disable-snmptrapd-subagent option.

However, following are the observations about make install when configured with the --disable-snmptrapd-subagent option.

    make[1]: Leaving directory `/home/g20238/net-snmp/net-snmp-5.2.2/mibs'
    /bin/sh: line 1: test: too many arguments

Even if make install ended in this way, we were able to test all snmp operations, snmpd and snmptrapd.

If the disable-snmptrapd-subagent option is not given in the configure command, make install successfully ended with the last line in the output as

    make[1]: Leaving directory `/home/g20238/net-snmp/net-snmp-5.2.2/mibs'

Will "disable-snmptrapd-subagent" affect Agentx communication between subagent and snmpd?

If anyone faced this problem and had a workaround for this, please help us.

Thanks, Suresh.