SNMP.CONF(5) Net-SNMP SNMP.CONF(5)
NAME
snmp.conf - configuration files for the Net-SNMP applications
DESCRIPTION
Applications built using the Net-SNMP libraries typically use one or
more configuration files to control various aspects of their operation.
These files (snmp.conf and snmp.local.conf) can be located in one of
several locations, as described in the snmp_config(5) manual page.
In particular, /etc/snmp/snmp.conf is a common file, containing the
settings shared by all users of the system. ~/.snmp/snmp.conf is a
personal file, with the settings specific to a particular user.
HOST-SPECIFIC FILES
Host-specific files may also be loaded and will be searched for if a
transport name is specified that matches a PATH/hosts/HOST.conf file.
For example, if you wanted a particular host to use SNMPv2c by default
you could create a ~/.snmp/hosts/NAME.conf file and in it put:
defVersion 2c
Any connections set to connect to the hostname NAME will use SNMPv2c.
Also see the transport token below for additional host-specific exam-
ples.
Host-specific configuration files are loaded at the time the connection
is opened. Thus they're generally loaded after all other configuration
files and can be used to override settings from the generic files.
To avoid loading any host-specific config files set "dontLoadHostConfig
true" in your snmp.conf file.
COMMAND-LINE OPTIONS
All of the tokens described in this file can be used on the command
line of Net-SNMP applications as well by prefixing them with "--". EG,
specifying --dontLoadHostConfig=true on the command line will turn of
loading of the host specific configuration files.
IMPORTANT NOTE
Several of these directives may contain sensitive information (such as
pass phrases). Configuration files that include such settings should
only be readable by the user concerned.
As well as application-specific configuration tokens, there are several
directives that relate to standard library behaviour, relevant to most
Net-SNMP applications. Many of these correspond to standard command-
line options, which are described in the snmpcmd(1) manual page.
These directives can be divided into several distinct groups.
CLIENT BEHAVIOUR
defDomain application domain
The transport domain that should be used for a certain applica-
tion type unless something else is specified.
defTarget application domain target
The target that should be used for connections to a certain ap-
plication if the connection should be in a specific domain.
defaultPort PORT
defines the default UDP port that client SNMP applications will
attempt to connect to. This can be overridden by explicitly in-
cluding a port number in the AGENT specification. See the snm-
pcmd(1) manual page for more details.
If not specified, the default value for this token is 161.
transport HOSTSPECIFIER
This special token should go into a hostname-specific configura-
tion file in a hosts sub-directory. For example if the file
hosts/foo.conf exists in the search path it will be loaded if a
transport name of foo was used. Within the foo.conf file you
may put both general snmp.conf settings as well as a special
transport string to specify the destination to connect to. For
example, putting:
transport tcp:foo.example.com:9876
in the hosts/foo.conf file will make applications referencing
the foo hostname (e.g. snmpget) to actually connect via TCP to
foo.exmaple.com on port 9876.
defVersion (1|2c|3)
defines the default version of SNMP to use. This can be over-
ridden using the -v option.
defCommunity STRING
defines the default community to use for SNMPv1 and SNMPv2c re-
quests. This can be overridden using the -c option.
alias NAME DEFINITION
Creates an aliased tied to NAME for a given transport defini-
tion. The alias can the be referred to using an alias: prefix.
Eg, a line of "alias here udp:127.0.0.1:6161" would allow you to
use a destination host of "alias:here" instead of
"udp:127.0.0.1:6161". This becomes more useful with complex
transport addresses involving IPv6 addresses, etc.
dumpPacket yes
defines whether to display a hexadecimal dump of the raw SNMP
requests sent and received by the application. This is equiva-
lent to the -d option.
doDebugging (1|0)
turns on debugging for all applications run if set to 1.
debugTokens TOKEN[,TOKEN...]
defines the debugging tokens that should be turned on when doDe-
bugging is set. This is equivalent to the -D option.
debugLogLevel (emerg|alert|crit|err|warning|notice|info|debug)
Set the priority level for logging of debug output. Defaults to
debug.
16bitIDs yes
restricts requestIDs, etc to 16-bit values.
The SNMP specifications define these ID fields as 32-bit quanti-
ties, and the Net-SNMP library typically initialises them to
random values for security. However certain (broken) agents
cannot handle ID values greater than 2^16 - this option allows
interoperability with such agents.
clientaddr [<transport-specifier>:]<transport-address>
specifies the source address to be used by command-line applica-
tions when sending SNMP requests. See snmpcmd(1) for more infor-
mation about the format of addresses.
This value is also used by snmpd when generating notifications.
clientaddrUsesPort no
specifies, if clientaddr option contains a port number. Set this
option to "yes", if clientaddr contains a port number and this
port should be used for sending outgoing SNMP requests.
clientRecvBuf INTEGER
specifies the desired size of the buffer to be used when receiv-
ing responses to SNMP requests. If the OS hard limit is lower
than the clientRecvBuf value, then this will be used instead.
Some platforms may decide to increase the size of the buffer ac-
tually used for internal housekeeping.
This directive will be ignored if the platforms does not support
setsockopt().
clientSendBuf INTEGER
is similar to clientRecvBuf, but applies to the size of the buf-
fer used when sending SNMP requests.
noRangeCheck yes
disables the validation of varbind values against the MIB defi-
nition for the relevant OID. This is equivalent to the -Ir op-
tion.
This directive is primarily relevant to the snmpset command, but
will also apply to any application that calls snmp_add_var()
with a non-NULL value.
noTokenWarnings
disables warnings about unknown config file tokens.
reverseEncodeBER (1|yes|true|0|no|false)
controls how the encoding of SNMP requests is handled.
The default behaviour is to encode packets starting from the end
of the PDU and working backwards. This directive can be used to
disable this behaviour, and build the encoded request in the
(more obvious) forward direction.
It should not normally be necessary to change this setting, as
the encoding is basically the same in either case - but working
backwards typically produces a slightly more efficient encoding,
and hence a smaller network datagram.
dontLoadHostConfig (1|yes|true|0|no|false)
Specifies whether or not the host-specific configuration files
are loaded. Set to "true" to turn off the loading of the host
specific configuration files.
retries INTEGER
Specifies the number of retries to be used in the requests.
timeout INTEGER
Specifies the timeout in seconds between retries.
SNMPv1/SNMPv2c SETTINGS
disableSNMPv1 (1|yes|true|0|no|false)
disableSNMPv2c (1|yes|true|0|no|false)
Disables protocol versions at runtime. Incoming and outgoing
packets for the protocol will be dropped.
SNMPv3 SETTINGS
disableSNMPv3 (1|yes|true|0|no|false)
Disables protocol versions at runtime. Incoming and outgoing
packets for the protocol will be dropped.
defSecurityName STRING
defines the default security name to use for SNMPv3 requests.
This can be overridden using the -u option.
defSecurityLevel noAuthNoPriv|authNoPriv|authPriv
defines the default security level to use for SNMPv3 requests.
This can be overridden using the -l option.
If not specified, the default value for this token is noAuthNo-
Priv.
Note: authPriv is only available if the software has been com-
piled to use the OpenSSL libraries.
defPassphrase STRING
defAuthPassphrase STRING
defPrivPassphrase STRING
define the default authentication and privacy pass phrases to
use for SNMPv3 requests. These can be overridden using the -A
and -X options respectively.
The defPassphrase value will be used for the authentication
and/or privacy pass phrases if either of the other directives
are not specified.
defAuthType MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224
defPrivType DES|AES
define the default authentication and privacy protocols to use
for SNMPv3 requests. These can be overridden using the -a and
-x options respectively.
If not specified, SNMPv3 requests will default to MD5 authenti-
cation and DES encryption.
Note: If the software has not been compiled to use the OpenSSL
libraries, then only MD5 authentication is supported.
Neither SHA authentication nor any form of encryption
will be available.
defContext STRING
defines the default context to use for SNMPv3 requests. This
can be overridden using the -n option.
If not specified, the default value for this token is the de-
fault context (i.e. the empty string "").
defSecurityModel STRING
defines the security model to use for SNMPv3 requests. The de-
fault value is "usm" which is the only widely used security
model for SNMPv3.
defAuthMasterKey 0xHEXSTRING
defPrivMasterKey 0xHEXSTRING
defAuthLocalizedKey 0xHEXSTRING
defPrivLocalizedKey 0xHEXSTRING
define the (hexadecimal) keys to be used for SNMPv3 secure com-
munications. SNMPv3 keys are frequently derived from a
passphrase, as discussed in the defPassphrase section above.
However for improved security a truely random key can be gener-
ated and used instead (which would normally has better entropy
than a password unless it is amazingly long). The directives
are equivalent to the short-form command line options -3m, -3M,
-3k, and -3K.
Localized keys are master keys which have been converted to a
unique key which is only suitable for on particular SNMP engine
(agent). The length of the key needs to be appropriate for the
authentication or encryption type being used (auth keys: MD5=16
bytes, SHA1=20 bytes; priv keys: DES=16 bytes (8 bytes of which
is used as an IV and not a key), and AES=16 bytes).
sshtosnmpsocket PATH
Sets the path of the sshtosnmp socket created by an application
(e.g. snmpd) listening for incoming ssh connections through the
sshtosnmp unix socket.
sshtosnmpsocketperms MODE [OWNER [GROUP]]
Sets the mode, owner and group of the sshtosnmp socket created
by an application (e.g. snmpd) listening for incoming ssh con-
nections through the sshtosnmp unix socket. The socket needs to
be read/write privileged for SSH users that are allowed to con-
nect to the SNMP service (VACM access still needs to be granted
as well, most likely through the TSM security model).
sshusername NAME
Sets the SSH user name for logging into the remote system.
sshpubkey FILE
Set the public key file to use when connecting to a remote sys-
tem.
sshprivkey FILE
Set the private key file to use when connecting to a remote sys-
tem.
SERVER BEHAVIOUR
persistentDir DIRECTORY
defines the directory where snmpd and snmptrapd store persistent
configuration settings.
If not specified, the persistent directory defaults to
/var/lib/snmp
noPersistentLoad yes
noPersistentSave yes
disable the loading and saving of persistent configuration in-
formation.
Note: This will break SNMPv3 operations (and other behaviour
that relies on changes persisting across application
restart). Use With Care.
tempFilePattern PATTERN
defines a filename template for creating temporary files, for
handling input to and output from external shell commands. Used
by the mkstemp() and mktemp() functions.
If not specified, the default pattern is "/tmp/snmpdXXXXXX".
serverRecvBuf INTEGER
specifies the desired size of the buffer to be used when receiv-
ing incoming SNMP requests. If the OS hard limit is lower than
the serverRecvBuf value, then this will be used instead. Some
platforms may decide to increase the size of the buffer actually
used for internal housekeeping.
This directive will be ignored if the platforms does not support
setsockopt().
serverSendBuf INTEGER
is similar to serverRecvBuf, but applies to the size of the buf-
fer used when sending SNMP responses.
sourceFilterType none|whitelist|blacklist
specifies whether or not addresses added with sourceFilterAd-
dress are whitelisted or blacklisted. The default is none, indi-
cating that incoming packets will not be checked agains the fil-
ter list.
sourceFilterAddress ADDRESS
specifies an address to be added to the source address filter
list. sourceFilterType configuration determines whether or not
addresses are whitelisted or blacklisted.
MIB HANDLING
mibdirs DIRLIST
specifies a list of directories to search for MIB files. This
operates in the same way as the -M option - see snmpcmd(1) for
details. Note that this value can be overridden by the MIBDIRS
environment variable, and the -M option.
mibs MIBLIST
specifies a list of MIB modules (not files) that should be
loaded. This operates in the same way as the -m option - see
snmpcmd(1) for details. Note that this list can be overridden
by the MIBS environment variable, and the -m option.
mibfile FILE
specifies a (single) MIB file to load, in addition to the list
read from the mibs token (or equivalent configuration). Note
that this value can be overridden by the MIBFILES environment
variable.
showMibErrors (1|yes|true|0|no|false)
whether to display MIB parsing errors.
commentToEOL (1|yes|true|0|no|false)
whether MIB parsing should be strict about comment termination.
Many MIB writers assume that ASN.1 comments extend to the end of
the text line, rather than being terminated by the next "--" to-
ken. This token can be used to accept such (strictly incorrect)
MIBs.
Note that this directive was previous (mis-)named strictComment-
Term, but with the reverse behaviour from that implied by the
name. This earlier token is still accepted for backwards com-
patibility.
mibAllowUnderline (1|yes|true|0|no|false)
whether to allow underline characters in MIB object names and
enumeration values. This token can be used to accept such
(strictly incorrect) MIBs.
mibWarningLevel INTEGER
the minimum warning level of the warnings printed by the MIB
parser.
OUTPUT CONFIGURATION
logTimestamp (1|yes|true|0|no|false)
Whether the commands should log timestamps with their error/mes-
sage logging or not. Note that output will not look as pretty
with timestamps if the source code that is doing the logging
does incremental logging of messages that are not line buffered
before being passed to the logging routines. This option is
only used when file logging is active.
printNumericEnums (1|yes|true|0|no|false)
Equivalent to -Oe.
printNumericOids (1|yes|true|0|no|false)
Equivalent to -On.
dontBreakdownOids (1|yes|true|0|no|false)
Equivalent to -Ob.
escapeQuotes (1|yes|true|0|no|false)
Equivalent to -OE.
quickPrinting (1|yes|true|0|no|false)
Equivalent to -Oq.
printValueOnly (1|yes|true|0|no|false)
Equivalent to -Ov.
dontPrintUnits (1|yes|true|0|no|false)
Equivalent to -OU.
numericTimeticks (1|yes|true|0|no|false)
Equivalent to -Ot.
printHexText (1|yes|true|0|no|false)
Equivalent to -OT.
hexOutputLength integer
Specifies where to break up the output of hexadecimal strings.
Set to 0 to disable line breaks. Defaults to 16.
suffixPrinting (0|1|2)
The value 1 is equivalent to -Os and the value 2 is equivalent
to -OS.
oidOutputFormat (1|2|3|4|5|6)
Maps -O options as follow: -Os=1, -OS=2, -Of=3, -On=4, -Ou=5.
The value 6 has no matching -O option. It suppresses output.
extendedIndex (1|yes|true|0|no|false)
Equivalent to -OX.
noDisplayHint (1|yes|true|0|no|false)
Disables the use of DISPLAY-HINT information when parsing in-
dices and values to set. Equivalent to -Ih.
outputPrecision PRECISION
Uses the PRECISION string to allow modification of the value
output format. See snmpcmd(1) for details. Equivalent to -Op
(which takes precedence over the config file).
FILES
System-wide configuration files:
/etc/snmp/snmp.conf
/etc/snmp/snmp.local.conf
User-specific configuration settings:
$HOME/.snmp/snmp.conf
$HOME/.snmp/snmp.local.conf
Destination host specific files:
/etc/snmp/hosts/HOSTNAME.conf
$HOME/.snmp/hosts/HOSTNAME.conf
SEE ALSO
snmp_config(5), netsnmp_config_api(3), snmpcmd(1).
V5.8 21 Apr 2010 SNMP.CONF(5)