Monitoring Using SNMP

Stewart -

PROBLEM
I want to monitor my Atmail installation with SNMP.

ENVIRONMENT

  • On-Premise Server + WebMail Installations: Version 6.0 > Current Version

CAUSE

  • Requirement for monitoring Atmail with SNMP

RESOLUTION

Using SNMP (Simple Network Management Protocol)

Most servers keep their operational stats that you can remotely retrieve via the Simple Network Management Protocol - known as SNMP. Using SNMP, you can use a variety of clients and services to fetch operational data from remote servers.

This document covers the Linux operating system - CentOS and Fedora, specifically.

Installing SNMP

SNMP packages are available for Fedora, CentOS and Ubuntu/Debian operating systems via the following names:

  • net-snmp
  • net-snmp-devel
  • net-snmp-utils

In CentOS or Fedora, you can install the packages via this command:

yum install net-snmp net-snmp-devel net-snmp-utils

Activate, and restart the services:

chkconfig snmpd on
/etc/init.d/snmpd restart

Configuring SNMPD - Simple (V1)

This portion of the document deals with configuring the SNMPD service as read-only. It does not ask for passwords, and is only recommended for secure services where SNMP connections are only available via the LAN.

You will need to reconfigure the snmpd service.

cd /etc/snmp/
mv snmpd.conf snmpd.conf.old
touch snmpd.conf
chmod 600 snmpd.conf

In the snmpd.conf file, add a single line that sets the read-only community string. For this example, we will use johnny:

rocommunity johnny

Restart the SNMP service afterwards:

/etc/init.d/snmpd restart

You can now test out basic SNMP access via this command:

snmpwalk -v 1 -c johnny localhost system

Configuring SNMPD with Network restrictions (V2)

There is an issue with SNMP V1 - mainly that it allows access from anyone who has the community string, without restrictions. This SNMP method allows for finer restrictions that should allow you to define the access level of users.

This portion of the document uses 'johnny' as the community string, and has different definitions for each IP block. You will need to reconfigure the snmpd service.

cd /etc/snmp/
mv snmpd.conf snmpd.conf.old
touch snmpd.conf
chmod 600 snmpd.conf

In the snmpd.conf file, add a single line that sets the read-only community string. For this example, we will use johnny:

rocommunity johnny

Above this line, add the following line block:

com2sec local localhost johnny
com2sec lan_eth1 172.16.1.0/24 johnny
com2sec lan_eth2 192.168.2.0/24 johnny

group readonlygroup_local v1 local
group readonlygroup_LAN v1 lan_eth1
group readonlygroup_WAN v2c lan_eth2

view all-mibs included .1 80

access readonlygroup_local "" v1 noauth exact all-mibs none none
access readonlygroup_LAN "" v1 noauth exact all-mibs none none

Each block defines a separate treatment/permissions profile. This part of the configuration file lists the community strings to use - and in this case, we will use the community string johnny .

com2sec local localhost johnny
com2sec lan_eth2 192.168.2.0/24 johnny

johnny will be connecting from multiple networks, and is defined as such. We will define different rules for communities accessing via localhost, and communities accessing from the LAN. WAN IPs are not listed, but can be added accordingly.

Next, we will define the group names and access models for each subnet:

group readonlygroup_local v1 local
group readonlygroup_LAN v1 lan_eth1

You can use any groupnames, but they have been set to 'readonlygroup_local' and 'readonlygroup_LAN' for simplicity. Different groups are set for different security contexts - different treatments for wherever the johnny community string will be.

This is then followed by the access clause, which defines the scope of access that will be afforded to the community string:

access readonlygroup_local "" v1 noauth exact all-mibs none none
access readonlygroup_LAN "" v1 noauth exact all-mibs none none

Save changes, then restart snmpd.

/etc/init.d/snmpd restart

You can test this by querying the server with different community strings through different IPs:

snmpwalk -v 1 -c johnny 192.168.0.1 system

This assumes that you are on another server in the LAN, with 192.168.0.1 being the address of your SNMP server.

snmpwalk -v 1 -c johnny localhost system

The above assumes testing from the same server where SNMPD is installed. A successful connection will have an output similar to below:

SNMPv2-MIB::sysDescr.0 = STRING: Linux suzumiya 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (39828) 0:06:38.28
SNMPv2-MIB::sysContact.0 = STRING: root@localhost
SNMPv2-MIB::sysName.0 = STRING: churuya
SNMPv2-MIB::sysLocation.0 = STRING: Unknown
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.3 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.4 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.7 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.8 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.3 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (2) 0:00:00.02

Whereas a failed login will have the following output:

Timeout: No Response from 192.168.0.1

Congratulations! Now, you can access your appliance statistics via SNMP.

Configuring SNMPv3

SNMP v3 allows for passwords to be set with usernames, in place of community strings which did not require authentication. Compared to the above, configuration of SNMP V3 is easy, and can be done by a single command:

net-snmp-config --create-snmpv3-user -ro -a MD5 -A changeme johnny

This adds the user johnny to your SNMP configuration, with the password changeme. Upon executing the command, you will see the following output:

adding the following line to /var/net-snmp/snmpd.conf:

createUser johnny MD5 "changeme" MD5

adding the following line to /etc/snmp/snmpd.conf:

rouser johnny

If you check the last line of your /etc/snmp/snmpd.conf file, you should see this:

rouser johnny

This can then be tested by authenticating against the SNMP server:

snmpget -v 3 -u johnny -l authNoPriv -a MD5 -A changeme 192.168.0.1 SNMPv2-MIB::sysORDescr.5

This returns the following output:

SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.

Displaying more details can be done via this command:

snmpwalk -v 3 -u johnny -l authNoPriv -a MD5 -A changeme 192.168.0.1 system

The output should be similar to:

SNMPv2-MIB::sysDescr.0 = STRING: Linux suzumiya 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (195232) 0:32:32.32
SNMPv2-MIB::sysContact.0 = STRING: root@localhost
SNMPv2-MIB::sysName.0 = STRING: churuya
SNMPv2-MIB::sysLocation.0 = STRING: Unknown
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.3 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.4 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.7 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.8 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.3 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (2) 0:00:00.02
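
The following audit of the snmpd.conf built in the V2 and SNMPv3 sections above is an added example, not code from atmail or the net-snmp project. It flags a rocommunity line with no source (accepted from any address, whatever the com2sec lines say), a group with no access line, and a rouser line that does not require encryption. The function name, the sample text and the wording of the findings are assumptions of this example.

```python
import shlex

# Constructed sample: the snmpd.conf this page ends up with (V2 block,
# the rocommunity line kept below it, and rouser from the SNMPv3 section).
SAMPLE_CONF = '''\
com2sec local     localhost       johnny
com2sec lan_eth1  172.16.1.0/24   johnny
com2sec lan_eth2  192.168.2.0/24  johnny
group readonlygroup_local v1  local
group readonlygroup_LAN   v1  lan_eth1
group readonlygroup_WAN   v2c lan_eth2
view all-mibs included .1 80
access readonlygroup_local "" v1 noauth exact all-mibs none none
access readonlygroup_LAN   "" v1 noauth exact all-mibs none none
rocommunity johnny
rouser johnny
'''

def audit_snmpd_conf(text):
    """Return sorted (line_no, finding) pairs for risky snmpd.conf directives."""
    findings, groups, with_access = [], {}, set()
    for no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)   # drops '#' comments, keeps ""
        if len(tok) < 2:
            continue
        name, args = tok[0].lower(), tok[1:]
        if name in ("rocommunity", "rwcommunity"):
            # Syntax: rocommunity COMMUNITY [SOURCE ...]; no SOURCE = any host,
            # regardless of com2sec lines elsewhere in the file.
            if len(args) < 2 or args[1] == "default":
                findings.append((no, f"{name} {args[0]}: accepted from any source address"))
        elif name in ("rouser", "rwuser"):
            if args[0] == "-s":                  # optional "-s SECMODEL" prefix
                args = args[2:]
            # Syntax: rouser USER [noauth|auth|priv ...]; default level is auth.
            if args and (len(args) < 2 or args[1] != "priv"):
                findings.append((no, f"{name} {args[0]}: encryption (priv) not required"))
        elif name == "group":
            groups.setdefault(args[0], no)       # remember first defining line
        elif name == "access":
            with_access.add(args[0])
    for group, no in groups.items():
        if group not in with_access:
            findings.append((no, f"group {group}: no access line, so it grants nothing"))
    return sorted(findings)

if __name__ == "__main__":
    for no, finding in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {no}: {finding}")
```
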
