Summary

  Subject:

Zabbix Monitoring on Rocky: SNMPv3: Setup and Configure

   Updated:

2023-12-18

   Author:

Tim Hammond ([email protected])

Derek Pasnick ([email protected])

Leland Petitjean ([email protected])

   Operating Systems:

Rocky 8

   Background:

This guide was written to setup a Zabbix server to monitor network devices and servers for interuptions of service. Zabbix will be configured to also send alerts through the local mail relay. It is assumed a local mail relay is already setup and configured.

Due to the length of the content, I opted to break the article into the following sections:

  1. Rocky Zabbix: Install
  2. Rocky Zabbix: Configure
  3. Rocky Zabbix: Setting up Discoveries
  4. Rocky Zabbix: Client Agent Setup
  5. Rocky Zabbix: SNMPv3: Setup and Configure
  6. Rocky Zabbix: SNMPv3: Adding Devices
  7. Rocky Zabbix: References
  

Table of Contents

Install - SNMP

Install - SNMP

sudo dnf -y install net-snmp-utils net-snmp-perl net-snmp net-snmp-libs

Add firewall rules

sudo firewall-cmd --permanent --add-port=162/udp sudo firewall-cmd --reload sudo firewall-cmd --list-all

Add apps to startup

sudo systemctl enable snmptrapd

Start Services

sudo systemctl restart snmptrapd

MIB and Template Resources

There are a TON of Zabbix templates here: https://www.zabbix.com/integrations.

There are a TON of MIBs here: https://github.com/hsnodgrass/snmp_mib_archive/tree/master/snmp_mib_archive.

Outdated Zabbix Templates:

Brother:

Nutanix:

Template_SNMP_Nutanix_Cluster.xml - this is a template that I found on the Zabbix Integraions website. It only seems to work with Prism Central and not Prism Element. Source: https://github.com/aldevar/Zabbix_Nutanix_Template.

The following templates are also available: wininventory.xml - already installed in the "Windows Inventory Template Setup" section of this guide.

Import Process

  1. Navigate to: Configuration > Templates.
  2. Click the Import button on the top right.
  3. Click the browse button and select the *.xml file.
  4. Leave all of the check boxes as the defaults.
  5. Click the "Import" button.
  6. Download the respective MIBs and Templates.
  1. Create the following directory. This is the folder that will store all of the MIBs.
sudo mkdir -p /usr/local/share/snmp/mibs
  1. Create a config file called: snmp.conf
echo "mibdirs +/usr/local/share/snmp/mibs" | sudo tee -a /etc/snmp/snmp.conf
  1. Upload all of the approriate MIBs to:
/usr/local/share/snmp/mibs
  1. Set the permissions.
sudo chmod -R 755 /usr/local/share/snmp/mibs sudo chown -R root:root /usr/local/share/snmp/mibs

Zabbix Server SNMP Config

Create the directory for the logs file.

sudo mkdir -p /opt/zabbix/

Make the following changes to the zabbix_server.conf.

sudo sed -i 's/# SNMPTrapperFile=\/tmp\/zabbix_traps.tmp/SNMPTrapperFile=\/opt\/zabbix\/zabbix_traps.tmp/g' /etc/zabbix/zabbix_server.conf sudo sed -i 's/SNMPTrapperFile=\/var\/log\/snmptrap\/snmptrap.log/# SNMPTrapperFile=\/var\/log\/snmptrap\/snmptrap.log/g' /etc/zabbix/zabbix_server.conf sudo sed -i 's/# StartSNMPTrapper=0/StartSNMPTrapper=1/g' /etc/zabbix/zabbix_server.conf sudo sed -i 's/# StartIPMIPollers=0/StartIPMIPollers=5/g' /etc/zabbix/zabbix_server.conf

Downlad the latest Zabbix Trap Receiver script to /tmp.
The script can be obtained from: https://www.zabbix.com/download_sources.
Extract the tar.
Copy the "/zabbix_trap_receiver.pl" to it's new home (misc/snmptrap).

cd /tmp wget https://cdn.zabbix.com/zabbix/sources/stable/5.0/zabbix-5.0.17.tar.gz tar -xvf zabbix-*.tar.gz sudo cp /tmp/zabbix-*/misc/snmptrap/zabbix_trap_receiver.pl /opt/zabbix/zabbix_trap_receiver.pl

Update the log location of the the trap receiver config.

sudo sed -i 's/\$SNMPTrapperFile = '\''\/tmp\/zabbix_traps.tmp'\''\;/\$SNMPTrapperFile = '\''\/opt\/zabbix\/zabbix_traps.tmp'\''\;/g' /opt/zabbix/zabbix_trap_receiver.pl

Verify that the snmptrapd and Zabbix log paths are pointing to the same file.

sudo cat /etc/zabbix/zabbix_server.conf | grep -i StartSNMPTrapper sudo cat /etc/zabbix/zabbix_server.conf | grep -i "SNMPTrapperFile=" sudo cat /opt/zabbix/zabbix_trap_receiver.pl | grep -i "SNMPTrapperFile = '" sudo cat /etc/zabbix/zabbix_server.conf | grep -i StartIPMIPollers

Set the appropriate permission.

sudo chmod +x /opt/zabbix/zabbix_trap_receiver.pl sudo chown root:root /opt/zabbix/zabbix_trap_receiver.pl

Enable log rotation.

sudo tee -a /etc/logrotate.d/zabbix_traps >/dev/null <<EOF /opt/zabbix/zabbix_traps.tmp { daily rotate 7 size=100M compress delaycompress missingok notifempty } EOF

How to snmpwalk

Devices like Nutanix Prism Central and VMware vCenter cannot be walked as they do not have the traps service intsalled.

snmpwalk switches:

  • userName: defined in the device AND snmp server
  • shaPwd: defined in the device AND snmp server
  • aesPwd: defined in the device AND snmp server
  • deviceIP: IP address of device that is to be SNMP walked

Example: snmpwalk using SHA/AES:

snmpwalk -v3 -l authpriv -u zabbee -a SHA -A keePass -x AES -X keePass pe01.domain.local

Example: snmpwalk with MD5/DES (Old APC PDU):
Note: The passwords must be at least 12 characters.

snmpwalk -v3 -l authpriv -u zabbee -a MD5 -A keePass -x DES -X keePass pdu01.domain.local

Example: Find the OID with SHA/AES:
Adding a generic OID to the snmpwalk, for insance: "1.3.6.1.6.3.10.2.1.1.0" The output resemble the following. Delete carriage return if present. SNMP-FRAMEWORK-MIB::snmpEngineID.0 = Hex-STRING: 80 00 xx xx xx xx xx xx xx xx xx xx xx

snmpwalk -v3 -l authpriv -u zabbee -a SHA -A keePass -x AES -X keePass pe01.domain.local 1.3.6.1.6.3.10.2.1.1.0

Example: Find the OID - MD5/DES (Old APC PDU):
Note: The passwords must be at least 12 characters.

snmpwalk -v3 -l authpriv -u zabbee -a MD5 -A keePass -x DES -X keePass pdu01.domain.local 1.3.6.1.6.3.10.2.1.1.0

snmptrapd config file setup

In order for SNMPv3 to work, loign creditials must be the same on both the device and the server. The file below is what establised said creditals along with uniquie identitiers that allow the commuinications.

The following file is a BASIC example of what the server configureation looks like. The device also needs to be configured with the credentials and a target to sent the SNMP information to. The SNMPv3: Adding Devices article has detailed examples for common manufacturers devices.

Setup the login creds. Add the <EngineID>, AUTH, and PRIV content.

sudo tee -a /etc/snmp/snmptrapd.conf >/dev/null <<EOF # ########################################################### # # Each device MUST have a uniquene EngineID added to the # trap config file. Use the snmpwalk command to accomplish # this task. Then add each device to the config. # # <ENGINEID> # This is what identifies the device. Must begin with 0x # # <USER> # The SNMP user name can contain up to 32 characters in any # combination of alphanumeric characters (uppercase and # lowercase letters, and numbers).Spaces not allowed. # # <AUTHKEY> # This is either MD5 or SHA. # The password must be 15-32 ASCII characters long. # # <PRIVKEY> # This is either DES or AES. # The password must be 15-32 ASCII characters long. # # Example: # DeviceName # createUser -e <ENGINEID> <USER> SHA <AUTHKEY> AES <PRIVKEY> # # ########################################################### # APC ########################################################### # # PDU01 createUser -e "0x80 00 01 3E 03 00 C0 B7 73 6D 65" zabbee MD5 md5KeePass DES desKeePass authUser log,execute zabbee # # UPS01 createUser -e "0x80 00 01 3E 03 00 C0 B7 9F 9C C5" zabbee SHA shaKeePass AES aesKeePass authUser log,execute zabbee # # ########################################################### # Supermicro ########################################################### # # IPMI01 createUser -e "0x80 00 1F 88 80 CE 0F 6C 15 3F 4C 7B 61" zabbee SHA shaKeePass AES aesKeePass authUser log,execute zabbee # # ########################################################### # Ubiquiti ########################################################### # # ap01 createUser -e "0x80 00 1F 88 80 7C 4B 1D EC 61 7F 61 FE" zabbee SHA uniKeePass AES uniKeePass authUser log,execute zabbee # # sw01 createUser -e "0x80 00 A0 98 03 FC EC DA 7F A7 71" zabbee SHA uniKeePass AES uniKeePass authUser log,execute zabbee # # ########################################################### # VMware ########################################################### # # esx01 createUser -e "0x0c c4 7a 3a b0 28" zabbee SHA shaKeePass AES aesKeePass authUser log,execute zabbee # # vCenter createUser -e "0x80 00 1a dc 80 95 de 5b 40 98 b1 80 61 00 00 00 00" zabbee SHA shaKeePass AES aesKeePass authUser log,execute zabbee # # ########################################################### # Wrap It Up Boyo ########################################################### # # The disableAuthorization directive allows SNMP v2 traps # from any device. If you did not want your snmptrap server # to accept SNMP v2 traps from any device then you need to # comment out the disableAuthorization directive. # # disableAuthorization yes # # The following MUST be at the bottom of the file. perl do "/opt/zabbix/zabbix_trap_receiver.pl"; # # EOF

Restart services.

sudo systemctl restart snmptrapd sudo systemctl restart zabbix-server

Universal Macro Setup

  1. Log into Zabbix web interface.
  2. Navigate to: Administration > General.
  3. On the top left of the window, use the pulldown to select: "Macros"
  4. Remove the default SNMPv2 community macro.
  5. Create the following macros. Replace the xxxKeePass with the passwords stored in Keepass.
{$SNMPV3_STD_USERNAME} zabbee {$SNMPV3_STD_OID} SNMPv2-MIB::sysDescr.0 {$SNMPV3_STD01_AUTH_SHA} shaKeePass {$SNMPV3_STD01_PRIV_AES} aesKeePass {$SNMPV3_STD02_AUTH_MD5} md5KeePass {$SNMPV3_STD02_PRIV_DES} desKeePass {$SNMPV3_UNIFI_BOTH} uniKeePass
  1. After you have enetered all of the passwords, click on the T icon the right of the text box and click the "Secret Text" icon to replace the actual passwords with dots. If you need to update, change the password later, click on the Lock icon again, then change it to Text. Paste the new password, then enable the Secret text. Once the password is entered, it cannot be displayed again.

Template Setup

THIS SECTION IS ONLY REQUIRED IF A NEW SNMP TRAPS TEMPALE NEEDS TO BE CREATED.

OTHERWISE, modify the existing "Template Module Generic SNMP > SNMP traps (fallback)."

  1. Log into Zabbix web interface.
  2. Navigate to: Configuration > Templates.
  3. Click "Create template" button on the top right.
Template tab: Template name: 00_SNMPv3 Visible name None Groups: Templates/Network devices Description: None
  1. Click Add
  2. The template must be saved before items can be added. Modify the newley created template and add this item.
Items tab: Name: SNMP Trap v3 Type: SNMP Trap Key snmptrap.fallback Host interface: FQDN:161 (set during device creation) Type of info: Text History: Storage period New application: blank Applications: -None- Inventory field: -None- Description: blank Enabled: Checked
  1. Click Add

SNMP Trap Log Type

  1. Log into Zabbix web interface.
  2. Navigate to: Configuration > Templates
  3. Set the Filter name to: generic
  4. Click on:
    1. Template Module Generic SNMP
    2. Items
    3. SNMP traps (fallback)
    4. Change the "Type of information" to: text
    5. Click Update
  5. Repeat the above for "Template Power APC UPS SNMP"
  6. While under this template, go to the Macros Tab.
  7. Change the Macro Values to the following:
Macro Value {$UPS.INPUT_FREQ.MAX.WARN} 63 {$UPS.INPUT_FREQ.MIN.WARN} 57 {$UPS.INPUT_VOLT.MAX.WARN} 130 {$UPS.INPUT_VOLT.MIN.WARN} 110
  1. Click Update

Discovery Setup (SNMPv3)

  1. Log into Zabbix web interface.
  2. Navigate to: Configuration > Discovery.
Edit: Local Network
  1. Rename the default "Local Network" and configure it as follows:
Name: See Notes Below Discovery by proxy: No Proxy IP range: See Notes Below Update Interval: 6h Checks: Check type: SNMPv3 agent Port range: 161 SNMP OID: {$SNMPV3_STD_OID} Context name: blank Security name: {$SNMPV3_STD_USERNAME} Security level: authPriv Auth protocol: See Notes Below Auth pass: See Notes Below Priv protocol: See Notes Below Priv pass: See Notes Below Device uniqueness: IP address Host name: DNS address Visible name: DNS address Enabled: Checked
  1. Click Update.
  2. NOTE: The default "Checks" is "Zabbix agent." The settings for the "Type" are Zabbix agent "system.uname" For instance:
Type: Zabbix agent Port Range: 10050 Key: system.uname
  1. Create the following "Discovery rules" if you please. Hint: Create one of the following then CLONE it.
SHA x AES x This is an example where the SHA and the AES passwords are the SAME.
It is also very IMPORTANT to note that Ubiquiti uses the same password for both SHA AND AES passwords. Name: IP Range: ntw_-_ubiquiti 192.168.10.26-28 Auth-SHA: {$SNMPV3_UNIFI_BOTH} Priv-AES: {$SNMPV3_UNIFI_BOTH} SHA x AES y This is an example where the SHA and the AES passwords are DIFFERENT. Name: IP Range: devMGMT_-_apc-ups 192.168.20.25-26 devMGMT_-_ipmi 192.168.20.50-60 ntw_-_cisco 192.168.30.250-251 servers_-_ntnx 192.168.30.120 servers_-_vmware 192.168.21.50-60, 192.168.30.105 Auth-SHA: {$SNMPV3_STD01_AUTH_SHA} Priv-AES: {$SNMPV3_STD01_PRIV_AES} MD5 x DES y This is an example where the MD5 and DES passwords are DIFFERENT. Name: IP Range: devMGMT_-_apc-pdu 192.168.20.27-30 servers_-_printers 192.168.31.50 Auth-MD5: {$SNMPV3_STD02_AUTH_MD5} Priv-DES: {$SNMPV3_STD02_PRIV_DES}
  1. Update the zabbix_server.conf discovers config to match the number of Discoverys you created above.
sudo sed -i 's/# StartDiscoverers=1/StartDiscoverers=8/g' /etc/zabbix/zabbix_server.conf
  1. Verify the changes.
sudo cat /etc/zabbix/zabbix_server.conf | grep -i "StartDiscoverers="

Actions Setup (SNMPv3)

  1. Log into Zabbix web interface.
  2. Navigate to: Configuration > Actions.
  3. On the top left of the window, use the pulldown to select: "Discovery actions"
  4. Click "Create action" on the top right.
  5. Create the following Actions.
Name: SNMPv3_-_devMGMT_-_apc-pdu Action Tab Type of calc: And Conditions: A: Discovery rule equals devMGMT_-_apc-pdu
B: Received value contains APC Enabled: Checked Operations Tab Add to host groups: Templates/Power Remove from host groups: Discovered hosts Link to templates: Template Module Generic SNMP Set host inventory mode: Automatic
  1. Click Add.
Name: SNMPv3_-_devMGMT_-_apc-ups Action Tab Type of calc: And Conditions: A: Discovery rule equals devMGMT_-_apc-ups
B: Received value contains APC Enabled: Checked Operations Tab Add to host groups: Templates/Power Remove from host groups: Discovered hosts Link to templates: Template Power APC UPS SNMP Set host inventory mode: Automatic
  1. Click Add.
  2. The "Template Module Generic SNMP" template is already included in the SMC Aten template and thus cannot be added in addition to the "Template Server Supermicro Aten SNMP."
  3. The "Template Server Supermicro Aten SNMP" does a pretty good job of capturing the system values. For more detailed info, the "Template Server Chassis by IPMI" can be added manually. This template is not well documented and it requires additional configuration on the Zabbix host. See the "IPMI Device Setup - Supermicro Server" section for how to add the IPMI checking.
Name: SNMPv3_-_devMGMT_-_ipmi Action Tab Type of calc: And Conditions: A: Discovery rule equals devMGMT_-_ipmi
B: Received value contains Linux Enabled: Checked Operations Tab Add to host groups: Templates/Server hardware Remove from host groups: Discovered hosts Link to templates: Template Server Supermicro Aten SNMP Set host inventory mode: Automatic
  1. Click Add.
Name: SNMPv3_-_ntw_-_cisco Action Tab Type of calc: And Conditions: A: Discovery rule equals ntw_-_cisco
B: Received value contains Cisco Enabled: Checked Operations Tab Add to host groups: Templates/Network devices Remove from host groups: Discovered hosts Link to templates: Template Module Generic SNMP Set host inventory mode: Automatic
  1. Click Add.
  2. For the next Action, a few examples of Ubiquiti device strings are:
    • US-8-150W, 5.64.8.13083, Linux 3.6.5
    • UAP-AC-Pro-Gen2 5.43.46.12754
Name: SNMPv3_-_ntw_-_ubiquiti Action Tab Type of calc: And Conditions: A: Discovery rule equals ntw_-_ubiquiti
B: Received value contains U Enabled: Checked Operations Tab Add to host groups: Templates/Network devices Remove from host groups: Discovered hosts Link to templates: Template Module Generic SNMP Set host inventory mode: Automatic
  1. Click Add.
Name: SNMPv3_-_servers_-_ntnx Action Tab Type of calc: And Conditions: A: Discovery rule equals servers_-_ntnx
B: Received value contains ntnx Enabled: Checked Operations Tab Add to host groups: Templates/Operating systems Remove from host groups: Discovered hosts Link to templates: Template Module Generic SNMP
Template SNMP Nutanix Cluster Set host inventory mode: Automatic
  1. Click Add.
Name: SNMPv3_-_servers_-_printers Action Tab Type of calc: And Conditions: A: Discovery rule equals servers_-_printers
B: Received value contains Brother Enabled: Checked Operations Tab Add to host groups: Templates/Network devices Remove from host groups: Discovered hosts Link to templates: Template Module Generic SNMP Set host inventory mode: Automatic
  1. Click Add.
Name: SNMPv3_-_servers_-_vmware Action Tab Type of calc: And Conditions: A: Discovery rule equals servers_-_vmware
B: Received value contains VMware Enabled: Checked Operations Tab Add to host groups: Templates/Server hardware Remove from host groups: Discovered hosts Link to templates: Template Module Generic SNMP
Template VM VMware Hypervisor Set host inventory mode: Automatic
  1. Click Add.

Manual Device Setup (SNMPv3)

  1. Log into Zabbix web interface.
  2. Navigate to: Configuration > Hosts.
  3. Click "Create host" button on the top right.
Host Hostname: use FQDN Groups: Templates/Network devices Interfaces: SNMP DNS Name: use FQDN Connect to: DNS Port: 161 SNMP version: SNMPv3 Context name: none Security name: zabbix Security level: authPriv Auth protocol: SHA Privacy passphrase: AES Use bulk requests: Checked Interfaces: Agent Click the remove button Templates Select: Custom SNMP v3 Macros: Click on the "Inherited and host macros"
The template items will appear.
Click "Change" for each line item.

SNMP Testing (SNMPv3)

To clear the Zabbix cache, use the following cmd.

sudo zabbix_server -R config_cache_reload

Send a SNMPv1 test to: localhost

snmptrap -v 1 -c public 127.0.0.1 '.1.3.6.1.6.3.1.1.5.4' '0.0.0.0' 6 33 '55' .1.3.6.1.6.3.1.1.5.4 s "eth0"

Send a SNMPv3 test to: localhost

snmptrap -v 3 -e 0x8000013E0300C0B79F9CC5 -u zabbix -a SHA -A 123456789123456789 -x AES -X 123456789123456789 -l authPriv localhost '' 1.3.6.1.4.1.8072.2.3.0.1 1.3.6.1.4.1.8072.2.3.2.1 i 123456

After making changes to the Discovery and Action, you can restart the Zabbix server service then monitor the progress.

sudo systemctl restart zabbix-server ps ax | grep disc

Verify the zabbix_traps.tmp has written data.

sudo cat /opt/zabbix/zabbix_traps.tmp