labunix's blog

labunix's Lab Unix

Trying out SNMP/SNMPTrapd configuration on RHEL7.

■Trying out SNMP/SNMPTrapd configuration on RHEL7.

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.1 (Maipo)

■Check the default SNMP configuration.

$ sudo awk '!/^#|^$/' /etc/snmp/snmpd.conf 
com2sec notConfigUser  default       public
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
view    systemview    included   .1.3.6.1.2.1.1
view    systemview    included   .1.3.6.1.2.1.25.1.1
access  notConfigGroup ""      any       noauth    exact  systemview none none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
dontLogTCPWrappersConnects yes

■Add access rights for the community name myhome.

$ sudo grep myhome /etc/snmp/snmpd.conf || \
    echo 'rocommunity myhome  172.31.31.0/24 .1.3.6.1.2.1.1' | \
      sudo tee -a /etc/snmp/snmpd.conf; \
    sudo systemctl reload snmpd; \
    sudo grep  $(date '+%H:%M:%S') /var/log/messages
rocommunity myhome  172.31.31.0/24 .1.3.6.1.2.1.1
Apr 23 22:50:53 localhost systemd: Reloading Simple Network Management Protocol (SNMP) Daemon..
Apr 23 22:50:53 localhost snmpd[26139]: Reconfiguring daemon
Apr 23 22:50:53 localhost snmpd[26139]: NET-SNMP version 5.7.2 restarted
Apr 23 22:50:53 localhost systemd: Reloaded Simple Network Management Protocol (SNMP) Daemon..

$ netstat -an | grep :16[12]
udp        0      0 0.0.0.0:161             0.0.0.0:*

$ snmpwalk -c myhome -v1 172.31.31.54 | awk '/SNMP/{sum+=1}END{print sum}'
36

$ snmpwalk -c myhome -v2c 172.31.31.54 | awk '/SNMP/{sum+=1}END{print sum}'
37

■Check the firewall-cmd default configuration

$ firewall-cmd --get-active-zones
public
  interfaces: eno16780032
$ firewall-cmd --list-all --zone=public
public (default, active)
  interfaces: eno16780032
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

■[dhcpv6-client] is registered as a service, but it will not be used even after a reboot, so remove it with [--permanent].

$ firewall-cmd --get-services | tr ' ' '\n' | awk '/dhcpv6-client/'
dhcpv6-client
$ sudo firewall-cmd --remove-service=dhcpv6-client --zone=public --permanent; \
  sudo firewall-cmd --reload;firewall-cmd --list-all --zone=public
success
public (default, active)
  interfaces: eno16780032
  sources: 
  services: ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

■SNMP is not registered as a service, so add it as port [161/udp] with [--permanent] since it will still be used after a reboot.

$ firewall-cmd --get-services | tr ' ' '\n' | awk '/snmp/'
$ sudo firewall-cmd --list-all-zones  | awk '/^[a-z]/'
block
dmz
drop
external
home
internal
public (default, active)
trusted
work

$ sudo firewall-cmd --add-port=161/udp --zone=public --permanent; \
  sudo firewall-cmd --reload;firewall-cmd --list-all --zone=public
success
public (default, active)
  interfaces: eno16780032
  sources: 
  services: ssh
  ports: 161/udp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

■Even though the zone is [public], it is only used from the internal network, so restrict [sources].

$ sudo firewall-cmd --add-source=172.31.31.0/24 --zone=public --permanent; \
  sudo firewall-cmd --reload;firewall-cmd --list-all --zone=public
success
public (default, active)
  interfaces: eno16780032
  sources: 172.31.31.0/24
  services: ssh
  ports: 161/udp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

■Configure SNMPTrapd

$ systemctl status snmptrapd
snmptrapd.service - Simple Network Management Protocol (SNMP) Trap Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmptrapd.service; disabled)
   Active: inactive (dead)
$ sudo systemctl enable snmptrapd.service 

$ sudo grep "disableauthorization yes" /etc/snmp/snmptrapd.conf || \
    echo "disableauthorization yes" | sudo tee -a /etc/snmp/snmptrapd.conf; \
  sudo grep "^auth.*public" /etc/snmp/snmptrapd.conf || \
    echo "authCommunity log,execute,net public" | sudo tee -a /etc/snmp/snmptrapd.conf; \
  sudo grep "^auth.*myhome" /etc/snmp/snmptrapd.conf || \
    echo "authCommunity log,execute,net myhome" | sudo tee -a /etc/snmp/snmptrapd.conf; \
  sudo systemctl restart snmptrapd;sudo grep $(date '+%H:%M:%S') /var/log/messages
disableauthorization yes
authCommunity log,execute,net public
authCommunity log,execute,net myhome
Apr 23 23:53:07 localhost systemd: Stopping Simple Network Management Protocol (SNMP) Trap Daemon....
Apr 23 23:53:07 localhost snmptrapd[32630]: 2016-04-23 23:53:07 NET-SNMP version 5.7.2 Stopped.
Apr 23 23:53:07 localhost snmptrapd[32630]: Stopping snmptrapd
Apr 23 23:53:07 localhost systemd: Starting Simple Network Management Protocol (SNMP) Trap Daemon....
Apr 23 23:53:07 localhost snmptrapd[32755]: NET-SNMP version 5.7.2
Apr 23 23:53:07 localhost systemd: Started Simple Network Management Protocol (SNMP) Trap Daemon..

$ sudo snmptrap -v 2c -c public localhost '' .1.3.6.1.4.1.8072.100 .1.3.6.1.4.1.8072.100.1 s "hogehoge"; \
    sudo grep snmptrapd /var/log/messages | grep $(date '+%H:%M:%S')
Apr 23 23:36:01 localhost snmptrapd[31762]: 2016-04-23 23:36:01 localhost [UDP: [127.0.0.1]:44171->[127.0.0.1]:162]:
$ sudo snmptrap -v 2c -c myhome localhost '' .1.3.6.1.4.1.8072.100 .1.3.6.1.4.1.8072.100.1 s "hogehoge"; \
    sudo grep snmptrapd /var/log/messages | grep $(date '+%H:%M:%S')
Apr 23 23:36:31 localhost snmptrapd[31762]: 2016-04-23 23:36:31 localhost [UDP: [127.0.0.1]:35168->[127.0.0.1]:162]:

■Open the SNMPTrapd port

$ sudo firewall-cmd --add-port=162/udp --zone=public --permanent; \
  sudo firewall-cmd --reload;firewall-cmd --list-all --zone=public
success
success
public (default, active)
  interfaces: eno16780032
  sources: 172.31.31.0/24
  services: ssh
  ports: 162/udp 161/udp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

■Confirm that trap messages from the firewall-cmd [sources] range can be received.

$ sudo tail -2 /var/log/messages | sed -e 's/\t/\n  /g' -e 's/snmptrapd\[[0-9]*\]:/&\n  /g'
Apr 23 23:44:54 localhost snmptrapd[31762]:
   2016-04-23 23:54:44 <UNKNOWN> [UDP: [172.31.31.55]:33821->[172.31.31.54]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (24627465) 2 days, 20:24:34.65
  SNMPv2-MIB::snmpTrapOID.0 = OID: NET-SNMP-MIB::netSnmp.100
  NET-SNMP-MIB::netSnmp.100.1 = STRING: "hogehoge"
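As an added example (not part of the original post), a small POSIX shell audit that reads the same snmpd.conf and snmptrapd.conf directives this walkthrough edits and flags the settings a reviewer would question: communities with no source or OID-view restriction, well-known community names, `disableauthorization yes`, and `authCommunity` entries that include `execute`. The two embedded config samples are constructed; the functions read a config file on stdin, so `audit_snmpd < /etc/snmp/snmpd.conf` works on a real host.

```shell
#!/bin/sh
# Constructed sample snmpd.conf: the RHEL7 default com2sec line, the restricted
# community added in the post, and one deliberately unrestricted line.
SAMPLE_SNMPD='com2sec notConfigUser  default       public
rocommunity myhome  172.31.31.0/24 .1.3.6.1.2.1.1
rocommunity weak
'
# Constructed sample snmptrapd.conf mirroring what the post appends.
SAMPLE_TRAPD='disableauthorization yes
authCommunity log,execute,net public
authCommunity log,execute,net myhome
'

# audit_snmpd: read snmpd.conf on stdin, print one finding per line.
# Same comment/blank filter the post uses: !/^#|^$/
audit_snmpd() {
  awk '!/^#|^$/ {
    comm = ($1 == "com2sec") ? $4 : $2
    if ($1 == "com2sec" && $3 == "default")
      print "com2sec " $2 ": community \"" comm "\" accepted from any source"
    if ($1 ~ /^r[ow]community6?$/) {
      if (NF < 3 || $3 == "default")
        print $1 " " comm ": no source restriction"
      if (NF < 4)
        print $1 " " comm ": no OID view restriction"
    }
    if ($1 ~ /^(com2sec|r[ow]community6?)$/ && (comm == "public" || comm == "private"))
      print $1 " " comm ": well-known community name"
  }'
}

# audit_trapd: read snmptrapd.conf on stdin, print one finding per line.
audit_trapd() {
  awk '!/^#|^$/ {
    if ($1 == "disableauthorization" && $2 == "yes")
      print "disableauthorization yes: traps accepted regardless of community"
    if ($1 == "authCommunity" && $2 ~ /execute/)
      print "authCommunity " $3 ": execute lets traphandle scripts run for this community"
    if ($1 == "authCommunity" && ($3 == "public" || $3 == "private"))
      print "authCommunity " $3 ": well-known community name"
  }'
}

# Stand-alone run over the constructed samples.
printf '%s' "$SAMPLE_SNMPD" | audit_snmpd
printf '%s' "$SAMPLE_TRAPD" | audit_trapd
```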