GzNow.org 的伺服器使用 PHP 的 Cacti 向伺服器集群里所允許的 SNMP 服務獲取當前系統狀態並生成圖表。############################################################################### # # snmpd.conf: # An example configuration file for configuring the ucd-snmp snmpd agent. # ############################################################################### # # This file is intended to only be as a starting point. Many more # configuration directives exist than are mentioned in this file. For # full details, see the snmpd.conf(5) manual page. # # All lines beginning with a '#' are comments and are intended for you # to read. All other lines are configuration commands for the agent.
############################################################################### # Access Control ###############################################################################
# As shipped, the snmpd demon will only respond to queries on the # system mib group until this file is replaced or modified for # security purposes. Examples are shown below about how to increase the # level of access.
# By far, the most common question I get about the agent is "why won't # it work?", when really it should be "how do I configure the agent to # allow me to access it?" # # By default, the agent responds to the "public" community for read # only access, if run out of the box without any configuration file in # place. The following examples show you other ways of configuring # the agent so that you can change the community names, and give # yourself write access to the mib tree as well. # # For more information, read the FAQ as well as the snmpd.conf(5) # manual page.
#### # First, map the community name "public" into a "security name"
# sec.name source community com2sec notConfigUser 127.0.0.1 public
#### # Second, map the security name into a group name:
# groupName securityModel securityName group notConfigGroup v1 notConfigUser group notConfigGroup v2c notConfigUser
#### # Third, create a view for us to let the group have rights to:
# Make at least snmpwalk -v 1 localhost -c public system fast again. # name incl/excl subtree mask(optional) view systemview included .1.3.6.1.2.1.1 view systemview included .1.3.6.1.2.1.25.1.1
#### # Finally, grant the group read-only access to the systemview view.
# group context sec.model sec.level prefix read write notif access notConfigGroup "" any noauth exact all none none
# Here is a commented out example configuration that allows less # restrictive access.
# YOU SHOULD CHANGE THE "COMMUNITY" TOKEN BELOW TO A NEW KEYWORD ONLY # KNOWN AT YOUR SITE. YOU *MUST* CHANGE THE NETWORK TOKEN BELOW TO # SOMETHING REFLECTING YOUR LOCAL NETWORK ADDRESS SPACE.
## sec.name source community #com2sec local localhost COMMUNITY #com2sec mynetwork NETWORK/24 COMMUNITY
## group.name sec.model sec.name #group MyRWGroup any local #group MyROGroup any mynetwork # #group MyRWGroup any otherv3user #...
## incl/excl subtree mask view all included .1 80
## -or just the mib2 tree-
#view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
## context sec.model sec.level prefix read write notif #access MyROGroup "" any noauth 0 all none none #access MyRWGroup "" any noauth 0 all all all
############################################################################### # Sample configuration to make net-snmpd RFC 1213. # Unfortunately v1 and v2c don't allow any user based authentification, so # opening up the default config is not an option from a security point. # # WARNING: If you uncomment the following lines you allow write access to your # snmpd daemon from any source! To avoid this use different names for your # community or split out the write access to a different community and # restrict it to your local network. # Also remember to comment the syslocation and syscontact parameters later as # otherwise they are still read only (see FAQ for net-snmp). #
# First, map the community name "public" into a "security name" # sec.name source community #com2sec notConfigUser default public
# Second, map the security name into a group name: # groupName securityModel securityName #group notConfigGroup v1 notConfigUser #group notConfigGroup v2c notConfigUser
# Third, create a view for us to let the group have rights to: # Open up the whole tree for ro, make the RFC 1213 required ones rw. # name incl/excl subtree mask(optional) #view roview included .1 #view rwview included system.sysContact #view rwview included system.sysName #view rwview included system.sysLocation #view rwview included interfaces.ifTable.ifEntry.ifAdminStatus #view rwview included at.atTable.atEntry.atPhysAddress #view rwview included at.atTable.atEntry.atNetAddress #view rwview included ip.ipForwarding #view rwview included ip.ipDefaultTTL #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteDest #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteIfIndex #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric1 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric2 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric3 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric4 #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteType #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteAge #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMask #view rwview included ip.ipRouteTable.ipRouteEntry.ipRouteMetric5 #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaIfIndex #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress #view rwview included ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaType #view rwview included tcp.tcpConnTable.tcpConnEntry.tcpConnState #view rwview included egp.egpNeighTable.egpNeighEntry.egpNeighEventTrigger #view rwview included snmp.snmpEnableAuthenTraps
# Finally, grant the group read-only access to the systemview view. # group context sec.model sec.level prefix read write notif #access notConfigGroup "" any noauth exact roview rwview none
############################################################################### # System contact information #
# It is also possible to set the sysContact and sysLocation system # variables through the snmpd.conf file:
############################################################################### # Process checks. # # The following are examples of how to use the agent to check for # processes running on the host. The syntax looks something like: # # proc NAME # # NAME: the name of the process to check for. It must match # exactly (ie, http will not find httpd processes). # MAX: the maximum number allowed to be running. Defaults to 0. # MIN: the minimum number to be running. Defaults to 0.
# # Examples (commented out by default): #
# Make sure mountd is running #proc mountd
# Make sure there are no more than 4 ntalkds running, but 0 is ok too. #proc ntalkd 4
# Make sure at least one sendmail, but less than or equal to 10 are running. #proc sendmail 10 1
# A snmpwalk of the process mib tree would look something like this: # # % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.2 # enterprises.ucdavis.procTable.prEntry.prIndex.1 = 1 # enterprises.ucdavis.procTable.prEntry.prIndex.2 = 2 # enterprises.ucdavis.procTable.prEntry.prIndex.3 = 3 # enterprises.ucdavis.procTable.prEntry.prNames.1 = "mountd" # enterprises.ucdavis.procTable.prEntry.prNames.2 = "ntalkd" # enterprises.ucdavis.procTable.prEntry.prNames.3 = "sendmail" # enterprises.ucdavis.procTable.prEntry.prMin.1 = 0 # enterprises.ucdavis.procTable.prEntry.prMin.2 = 0 # enterprises.ucdavis.procTable.prEntry.prMin.3 = 1 # enterprises.ucdavis.procTable.prEntry.prMax.1 = 0 # enterprises.ucdavis.procTable.prEntry.prMax.2 = 4 # enterprises.ucdavis.procTable.prEntry.prMax.3 = 10 # enterprises.ucdavis.procTable.prEntry.prCount.1 = 0 # enterprises.ucdavis.procTable.prEntry.prCount.2 = 0 # enterprises.ucdavis.procTable.prEntry.prCount.3 = 1 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.1 = 1 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.2 = 0 # enterprises.ucdavis.procTable.prEntry.prErrorFlag.3 = 0 # enterprises.ucdavis.procTable.prEntry.prErrMessage.1 = "No mountd process running." # enterprises.ucdavis.procTable.prEntry.prErrMessage.2 = "" # enterprises.ucdavis.procTable.prEntry.prErrMessage.3 = "" # enterprises.ucdavis.procTable.prEntry.prErrFix.1 = 0 # enterprises.ucdavis.procTable.prEntry.prErrFix.2 = 0 # enterprises.ucdavis.procTable.prEntry.prErrFix.3 = 0 # # Note that the errorFlag for mountd is set to 1 because one is not # running (in this case an rpc.mountd is, but thats not good enough), # and the ErrMessage tells you what's wrong. The configuration # imposed in the snmpd.conf file is also shown. # # Special Case: When the min and max numbers are both 0, it assumes # you want a max of infinity and a min of 1. #
# # You can also have programs run by the agent that return a single # line of output and an exit code. Here are two examples. # # exec NAME PROGRAM # # NAME: A generic name. # PROGRAM: The program to run. Include the path! # ARGS: optional arguments to be passed to the program
# a simple hello world
#exec echotest /bin/echo hello world
# Run a shell script containing: # # #!/bin/sh # echo hello world # echo hi there # exit 35 # # Note: this has been specifically commented out to prevent # accidental security holes due to someone else on your system writing # a /tmp/shtest before you do. Uncomment to use it. # #exec shelltest /bin/sh /tmp/shtest
############################################################################### # disk checks #
# The agent can check the amount of available disk space, and make # sure it is above a set limit.
# disk PATH # # PATH: mount path to the disk in question. # MIN: Disks with space below this value will have the Mib's errorFlag set. # Default value = 100000.
# Check the / partition and make sure it contains at least 10 megs.
############################################################################### # load average checks #
# load # # 1MAX: If the 1 minute load average is above this limit at query # time, the errorFlag will be set. # 5MAX: Similar, but for 5 min average. # 15MAX: Similar, but for 15 min average.
# This alleviates the multiple line output problem found in the # previous executable mib by placing each mib in its own mib table:
# Run a shell script containing: # # #!/bin/sh # echo hello world # echo hi there # exit 35 # # Note: this has been specifically commented out to prevent # accidental security holes due to someone else on your system writing # a /tmp/shtest before you do. Uncomment to use it. # # exec .1.3.6.1.4.1.2021.50 shelltest /bin/sh /tmp/shtest
# Now the Output has grown to two lines, and we can see the 'hi # there.' output as the second line from our shell script. # # Note that you must alter the mib.txt file to be correct if you want # the .50.* outputs above to change to reasonable text descriptions.
# Other ideas: # # exec .1.3.6.1.4.1.2021.51 ps /bin/ps # exec .1.3.6.1.4.1.2021.52 top /usr/local/bin/top # exec .1.3.6.1.4.1.2021.53 mailq /usr/bin/mailq
############################################################################### # Pass through control. #
# Usage: # pass MIBOID EXEC-COMMAND # # This will pass total control of the mib underneath the MIBOID # portion of the mib to the EXEC-COMMAND. # # Note: You'll have to change the path of the passtest script to your # source directory or install it in the given location. # # Example: (see the script for details) # (commented out here since it requires that you place the # script in the right location. (its not installed by default))
# % snmpwalk -v 1 localhost -c public .1.3.6.1.4.1.2021.255 # enterprises.ucdavis.255.1 = "life the universe and everything" # enterprises.ucdavis.255.2.1 = 42 # enterprises.ucdavis.255.2.2 = OID: 42.42.42 # enterprises.ucdavis.255.3 = Timeticks: (363136200) 42 days, 0:42:42 # enterprises.ucdavis.255.4 = IpAddress: 127.0.0.1 # enterprises.ucdavis.255.5 = 42 # enterprises.ucdavis.255.6 = Gauge: 42 # # % snmpget -v 1 localhost public .1.3.6.1.4.1.2021.255.5 # enterprises.ucdavis.255.5 = 42 # # % snmpset -v 1 localhost public .1.3.6.1.4.1.2021.255.1 s "New string" # enterprises.ucdavis.255.1 = "New string" #
# For specific usage information, see the man/snmpd.conf.5 manual page # as well as the local/passtest script used in the above example.
# Added for support of bcm5820 cards. pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
############################################################################### # Further Information # # See the snmpd.conf manual page, and the output of "snmpd -H".