Summary

  Subject:

Zabbix Monitoring on Rocky: SNMPv3: Adding Devices

  Updated:

2023-12-18

  Author:

Tim Hammond ([email protected])

Derek Pasnick ([email protected])

Leland Petitjean ([email protected])

  Operating Systems:

Rocky 8

  Background:

This guide was written to set up a Zabbix server to monitor network devices and servers for interruptions of service. Zabbix will also be configured to send alerts through the local mail relay. It is assumed a local mail relay is already set up and configured.

Due to the length of the content, I opted to break the article into the following sections:

  1. Rocky Zabbix: Install
  2. Rocky Zabbix: Configure
  3. Rocky Zabbix: Setting up Discoveries
  4. Rocky Zabbix: Client Agent Setup
  5. Rocky Zabbix: SNMPv3: Setup and Configure
  6. Rocky Zabbix: SNMPv3: Adding Devices
  7. Rocky Zabbix: References
 


Objective

This article explains how to get the login and device identification information for the snmptrapd config file. Take the information gathered in this article and put it into the format discussed in the "snmptrapd config file setup" section.

Brother printer

The MFC-L2750DW SNMP setup looks like it accepts SHA/AES but it does not seem to work. MD5/DES works.

  1. Log in to the Brother printer admin page.
  2. Go to: Network Tab > Protocol > SNMP Checked > SNMP Advanced Settings
  3. Use the following settings:

      Username: zabbee
      Key Type: Password
      Auth Method: MD5
      Auth Pass: md5KeePass
      Priv Pass: desKeePass
      Context Name: -blank-

DO NOT USE: The template is old. It causes more problems than it is worth.

"Template SNMP Interfaces_3.0.0.xml" is a pre-req that must be imported BEFORE the "Template Brother Printers." Then assign the Brother template to the host.

Cisco Nexus

The following is a sample configuration:

    config t
    snmp-server user zabbee auth sha shaKeePass priv aes-128 aesKeePass
    snmp-server host zab01.domain.local version 3 priv zabbee
    snmp-server enable traps
    snmp-server globalEnforcePriv

Nutanix Prism Central

Prism Central will relay SNMP clients to the traps server for all clusters registered to it, so you only need to add PC. If it is scale-out, add all PC-VMs and the PC-VIP.

For Prism Element, register ALL CVMs and the cluster VIP. The SNMP leader can move between any of the CVMs.

If you want to use the Nutanix template, add the macros to the host. Source: https://github.com/aldevar/Zabbix_Nutanix_Template.

    {$NTX_SNMP_USER}    SNMP username
    {$NTX_SNMP_AUTH}    SHA password
    {$NTX_SNMP_PRIV}    AES password

Then add the Template to the PC/PE host: Template SNMP Nutanix Cluster

Prism Element has an extra ncli command so that the CVMs can be walked. This is not enabled on Prism Central. For reference, the command for Prism Element is: snmp add-transport port=161 protocol=UDP.

The variables are as follows:

  • userName: defined in the device AND snmp server
  • shaPwd: defined in the device AND snmp server
  • aesPwd: defined in the device AND snmp server
  • snmpManagerIP: IP address of SNMP server

If we put the variables together to create the command, it would look like:

  • ncli
  • snmp add-user username=userName priv-type=AES priv-key=aesPwd auth-type=sha auth-key=shaPwd
  • snmp add-trap version=SNMPv3 username=userName address=snmpManagerIP port=162 inform=false protocol=UDP

For an actual example:

    ncli
    snmp add-user username=zabbee priv-type=AES priv-key=keePass auth-type=sha auth-key=keePass
    snmp add-trap version=SNMPv3 username=zabbee address=zab01.domain.local port=162 inform=false protocol=UDP

OPNsense

  1. Go to: Services > Zabbix Agent > Settings Main Settings.
  2. Click Add and enter the following settings.

      Enabled: Checked
      Hostname: fw01.domain.local
      Listen Port: 10050
      Listen IPs: 192.168.10.1
      Source IP: 192.168.10.1
      Zabbix Servers: zab01.domain.local
      Log to syslog: Unchecked
      Debug Level: warnings(3,default)
      Enable sudo root perm: Unchecked

  3. Click Save.
  4. Go to: Services > Zabbix Agent > Settings Main Settings.
  5. Click Add and enter the following settings.

      Enable Active Checks: Checked
      Active Check Servers: zab01.domain.local
      Active Check Refresh: 120
      Enable Remote Commands: Unchecked
      Log Remote Commands: Unchecked
      PSK based encryption: Unchecked
      PSK Identity: -blank-
      PSK: -blank-

  6. Click Save.

PfSense

Install the plugin.

  1. Go to: System > Package Manager > Available Packages.
  2. Search for "zabbix-agent5".
  3. Click the +Install button.

Configure the plugin

  1. Go to: Services > Zabbix Agent 5.0
  2. Use the following settings:

      Enable: Checked
      Server: zab01.domain.local
      Server Active: zab01.domain.local
      Hostname: fw01.domain.local

Manually add PfSense to Zabbix web interface just like any other device, except use the: "Template OS FreeBSD"

The firewall's interface came in with 0.0.0.0 rather than its actual address, so update it to use the FQDN DNS name.

Supermicro Server

There does not seem to be a way to automatically add an IPMI interface to a host through discovery, so this has to be done manually.

Reference the "Zabbix - Universal Macro Setup" to see how to add Global Macros. Enter the following Global Macros:

    {$IPMI_USERNAME}    ADMIN
    {$IPMI_PASSWORD}    keePass

  1. Navigate to: Configuration > Hosts.
  2. Click on the desired IPMI device to modify.
  3. Go to: Host tab > Interfaces > Add IPMI device.
    1. Insert the IP address
    2. Insert the DNS name
    3. Select IP
  4. Go to: Templates tab
    1. Link new templates: Template Server Chassis by IPMI
    2. Click Select.
  5. Go to: IPMI tab

      Authentication algorithm: Default
      Privilege level: Admin
      Username: {$IPMI_USERNAME}
      Password: {$IPMI_PASSWORD}

  6. Go to: Macros tab
    1. Click Inherited and host macros
    2. Click "Change" to add these items to the host:

      {$IPMI.PASSWORD}                   {$IPMI_PASSWORD}
      {$IPMI.SENSOR_TYPE.MATCHES}        .*
      {$IPMI.SENSOR_TYPE.NOT_MATCHES}    invalid
      {$IPMI.USER}                       {$IPMI_USERNAME}

  7. Click Update.

Ubiquiti

Ubiquiti uses the same password for the SHA and AES. This will allow you to monitor the devices attached to the controller. This will not allow you to monitor the controller itself. Monitor the controller just as you would for any other machine.

  1. Log into the UniFi controller.
  2. Go to: Settings > Services > SNMP Tab
  3. Use the following settings:

      SNMPv1, SNMPv2c: OFF
      SNMPv3: ON

  4. SNMPv3 uses authProtocol SHA and privProtocol AES.

      Username: uniKeePass
      Password: uniKeePass

  5. Download the MIBs if you have not already done so.

      cd ~
      wget http://dl.ubnt-ut.com/snmp/UBNT-MIB
      wget http://dl.ubnt-ut.com/snmp/UBNT-UniFi-MIB
      sudo mv ~/UBNT-MIB /usr/share/snmp/mibs
      sudo mv ~/UBNT-UniFi-MIB /usr/share/snmp/mibs
      sudo chmod 755 /usr/share/snmp/mibs/*
      sudo chown root:root /usr/share/snmp/mibs/*

VMware

vCenter

  1. SSH into the VCSA.

      Username: root
      Password: keePass

  2. To go to a BASH prompt: if you log into the vCenter and you are greeted with "Command >", type the following:

      shell

  3. To go to a Command > prompt: if you log into the vCenter and you are greeted with "root@vc01 [ ~ ]#", type the following, then log out. When you log back in, you will have a Command > prompt.

      chsh -s /bin/appliancesh root

  4. To reset the SNMP config to defaults.

      snmp.reset
      snmp.disable

  5. Set the AUTH/PRIV protocols.

      snmp.set --authentication SHA1 --privacy AES128

  6. Create the auth file for the hashing command below.

      shell
      vi /tmp/auth
      exit

  7. Create the priv file for the hashing command below.

      shell
      vi /tmp/priv
      exit

  8. Generate the hashes.
    1. Command Format: snmp.hash --auth_hash filePath --priv_hash filePath

      snmp.hash --auth_hash /tmp/auth --priv_hash /tmp/priv

  9. Create the user.
    1. Command Format: snmp.set --user userid/authhash/privhash/security

      snmp.set --user zabbee/authhash/privhash/priv

  10. Set the SNMPv3 target.
    1. Command Format: snmp.set --v3targets hostname@port/userid/secLevel/trap

      snmp.set --v3targets zab01.domain.local@162/zabbee/priv/trap

  11. Enable SNMP.

      snmp.enable

  12. To send a test message.

      snmp.test

  13. Clean up after yourself.

      shell
      rm /tmp/auth
      rm /tmp/priv
      exit
      exit

  14. View the current configuration for SNMP:

      snmp.get

ESXi Host

  1. SSH into the VCSA.

      Username: root
      Password: keePass

  2. To reset the SNMP config to defaults.

      esxcli system snmp set --reset
      /etc/init.d/snmpd restart

  3. VMware ESXi seems to use the same hash and engine id for each host. The engine id MUST be unique. The following are the current vmnic0 for each of the respective hosts.
    • esx01.domain.local 0cc47a3ab028
    • esx02.domain.local 0cc47a3ab02a
    • esx03.domain.local 0cc47a3ab020
  4. Use the following command to set the engine id.

      esxcli system snmp set --engineid=

  5. Set authentication to SHA and privacy to AES128:

      esxcli system snmp set -a=SHA1 -x=AES128

  6. Generate the authentication and privacy hashes.
    • Command Format: esxcli system snmp hash --auth-hash=SHAsecret --priv-hash=AESsecret --raw-secret

      esxcli system snmp hash --auth-hash=keePass --priv-hash=keePass --raw-secret

  7. Create a user. Replace authhash and privhash with the auth and priv hashes returned from the above command.
    • Command Format: esxcli system snmp set --users userid/authhash/privhash/security

      esxcli system snmp set --users zabbee/authhash/privhash/priv

  8. Specify the SNMP target address.
    • Command Format: esxcli system snmp set --v3targets trapsServer@port/user/priv/trap

      esxcli system snmp set --v3targets zab01.domain.local@162/zabbee/priv/trap

  9. Enable SNMP.

      esxcli system snmp set --enable=yes

  10. After the changes have been made, it is probably a good idea to restart SNMPD.

      /etc/init.d/snmpd restart

  11. View the current configuration for SNMP:

      esxcli system snmp get
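
A pre-flight check for the unique engine ID requirement above and for the snmptrapd config file named in the Objective, as an added example that is not part of the original guide: it turns a device inventory into Net-SNMP createUser/authUser lines and rejects duplicate or malformed engine IDs before they reach the trap receiver. The inventory layout, the prn01 host and its engine ID are assumptions; the other values are the guide's own placeholders.

```shell
#!/bin/sh
# Added example. Inventory columns (assumed layout, one device per line):
#   host engineID user authProto authPass privProto privPass

# Constructed sample: esx02 repeats the engine ID of esx01, and prn01
# (hypothetical host and engine ID) uses MD5/DES like the Brother printer.
sample_inventory() {
    cat <<'EOF'
esx01.domain.local 0cc47a3ab028 zabbee SHA shaKeePass AES aesKeePass
esx02.domain.local 0cc47a3ab028 zabbee SHA shaKeePass AES aesKeePass
prn01.domain.local 0x8000000001020304 zabbee MD5 md5KeePass DES desKeePass
EOF
}

# Reads the inventory from a file argument or stdin, prints snmptrapd.conf
# lines on stdout and problems on stderr. Returns 1 if any device was rejected.
gen_trapd_conf() {
    awk '
    /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
    {
        host = $1; eid = tolower($2); sub(/^0x/, "", eid)
        # SnmpEngineID is 5 to 32 octets (RFC 3411), so 10 to 64 hex digits
        if (eid !~ /^[0-9a-f]+$/ || length(eid) % 2 || length(eid) < 10 || length(eid) > 64) {
            print "ERROR " host ": bad engine ID " $2 > "/dev/stderr"
            bad = 1; next
        }
        if (eid in seen) {           # two senders must never share an engine ID
            print "ERROR " host ": engine ID already used by " seen[eid] > "/dev/stderr"
            bad = 1; next
        }
        seen[eid] = host
        if ($4 == "MD5" || $6 == "DES")
            print "WARN " host ": " $4 "/" $6 " is a weak auth/priv pair" > "/dev/stderr"
        printf "# %s\ncreateUser -e 0x%s %s %s \"%s\" %s \"%s\"\n", host, eid, $3, $4, $5, $6, $7
        users[$3] = 1
    }
    END {
        for (u in users) print "authUser log,execute,net " u " priv"   # require authPriv
        exit bad + 0
    }' "$@"
}

sample_inventory | gen_trapd_conf ||
    echo "inventory has errors; fix them before installing the config" >&2
```

The generated lines contain the passphrases in clear text, so the resulting file should be readable by root only.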