Configuring snmptrapd

It is important to configure the simple network management protocol (SNMP) target before deploying the snmp-gateway because the snmptrapd daemon contains the auth settings that you need to specify when creating the snmp-gateway service.

The SNMP gateway feature provides a means of exposing the alerts that are generated in the Prometheus stack to an SNMP management platform. You can configure the destination for the SNMP traps with the snmptrapd tool, which allows you to establish one or more SNMP trap listeners.

The following parameters are important for configuration:

  • The engine-id is a unique identifier for the device, in hex, and is required for SNMPV3 gateway. IBM recommends using 8000C53F_CLUSTER_FSID_WITHOUT_DASHES for this parameter.

  • The snmp-community, which is the SNMP_COMMUNITY_FOR_SNMPV2 parameter, is public for SNMPV2c gateway.

  • The auth-protocol, which is the AUTH_PROTOCOL, is mandatory for SNMPV3 gateway and is SHA by default.

  • The privacy-protocol, which is the PRIVACY_PROTOCOL, is mandatory for SNMPV3 gateway.

  • The PRIVACY_PASSWORD is mandatory for SNMPV3 gateway with encryption.

  • The SNMP_V3_AUTH_USER_NAME is the user name and is mandatory for SNMPV3 gateway.

  • The SNMP_V3_AUTH_PASSWORD is the password and is mandatory for SNMPV3 gateway.

Prerequisites

  • A running IBM Storage Ceph cluster.

  • Root-level access to the nodes.

  • firewalld installed on the Red Hat Enterprise Linux system.

Procedure

  1. On the SNMP management host, install the SNMP packages.

    Example

    [root@host01 ~]# dnf install -y net-snmp-utils net-snmp
  2. Open the port 162 for SNMP to receive alerts.

    Example

    [root@host01 ~]# firewall-cmd --zone=public --add-port=162/udp
    [root@host01 ~]# firewall-cmd --zone=public --add-port=162/udp --permanent
  3. Implement the management information base (MIB) to make sense of the SNMP notification and enhance SNMP support on the destination host. Copy the raw file from the main repository: https://github.com/ceph/ceph/blob/master/monitoring/snmp/CEPH-MIB.txt

    Example

    [root@host01 ~]# curl -o CEPH_MIB.txt -L https://raw.githubusercontent.com/ceph/ceph/master/monitoring/snmp/CEPH-MIB.txt
    [root@host01 ~]# scp CEPH_MIB.txt root@host02:/usr/share/snmp/mibs
  4. Create the snmptrapd directory.

    Example

    [root@host01 ~]# mkdir /root/snmptrapd/
  5. Create the configuration files in the snmptrapd directory for each protocol based on the SNMP version.

    Syntax

    format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n
    createuser -e 0xENGINE_ID SNMP_V3_AUTH_USER_NAME AUTH_PROTOCOL SNMP_V3_AUTH_PASSWORD PRIVACY_PROTOCOL PRIVACY_PASSWORD
    authuser log,execute SNMP_V3_AUTH_USER_NAME
    authCommunity   log,execute,net SNMP_COMMUNITY_FOR_SNMPV2
    • For SNMPV2c, create the snmptrapd_public.conf file as follows:

      Example

      format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n
      
      authCommunity   log,execute,net public

      The public setting here must match the snmp_community setting used when deploying the snmp-gateway service.

    • For SNMPV3 with authentication only, create the snmptrapd_auth.conf file.

      Example

      format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n
      createuser -e 0x8000C53Ff64f341c655d11eb8778fa163e914bcc myuser SHA mypassword
      authuser log,execute myuser

      The 0x8000C53Ff64f341c655d11eb8778fa163e914bcc string is the engine_id, and myuser and mypassword are the credentials. SHA is the authentication protocol that is used with the password.

      This corresponds to the settings for deploying the snmp-gateway daemon.

      Example

      snmp_v3_auth_username: myuser
      snmp_v3_auth_password: mypassword
    • For SNMPV3 with authentication and encryption, create the snmptrapd_authpriv.conf file.

      Example

      format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n
      createuser -e 0x8000C53Ff64f341c655d11eb8778fa163e914bcc myuser SHA mypassword DES mysecret
      authuser log,execute myuser

      The 0x8000C53Ff64f341c655d11eb8778fa163e914bcc string is the engine_id, and myuser and mypassword are the credentials. SHA is the authentication protocol that is used with the password, DES is the type of privacy encryption, and mysecret is the privacy password.

      This corresponds to the settings for deploying the snmp-gateway daemon.

      Example

      snmp_v3_auth_username: myuser
      snmp_v3_auth_password: mypassword
      snmp_v3_priv_password: mysecret
  6. Run the daemon on the SNMP management host.

    Syntax

    /usr/sbin/snmptrapd -M /usr/share/snmp/mibs -m CEPH-MIB.txt -f -C -c /root/snmptrapd/CONFIGURATION_FILE -Of -Lo :162

    Example

    [root@host01 ~]# /usr/sbin/snmptrapd -M /usr/share/snmp/mibs -m CEPH-MIB.txt -f -C -c /root/snmptrapd/snmptrapd_auth.conf -Of -Lo :162
  7. If any alert is triggered on the storage cluster, you can monitor the output on the SNMP management host. Verify the SNMP traps and also the traps decoded by MIB.

    Example

    NET-SNMP version 5.8
     Agent Address: 0.0.0.0
     Agent Hostname: <UNKNOWN>
     Date: 15 - 5 - 12 - 8 - 10 - 4461391
     Enterprise OID: .
     Trap Type: Cold Start
     Trap Sub-Type: 0
     Community/Infosec Context: TRAP2, SNMP v3, user myuser, context
     Uptime: 0
     Description: Cold Start
     PDU Attribute/Value Pair Array:
    .iso.org.dod.internet.mgmt.mib-2.1.3.0 = Timeticks: (292276100) 3 days, 19:52:41.00
    .iso.org.dod.internet.snmpV2.snmpModules.1.1.4.1.0 = OID: .iso.org.dod.internet.private.enterprises.ceph.cephCluster.cephNotifications.prometheus.promMgr.promMgrPrometheusInactive
    .iso.org.dod.internet.private.enterprises.ceph.cephCluster.cephNotifications.prometheus.promMgr.promMgrPrometheusInactive.1 = STRING: "1.3.6.1.4.1.50495.1.2.1.6.2[alertname=CephMgrPrometheusModuleInactive]"
    .iso.org.dod.internet.private.enterprises.ceph.cephCluster.cephNotifications.prometheus.promMgr.promMgrPrometheusInactive.2 = STRING: "critical"
    .iso.org.dod.internet.private.enterprises.ceph.cephCluster.cephNotifications.prometheus.promMgr.promMgrPrometheusInactive.3 = STRING: "Status: critical
    - Alert: CephMgrPrometheusModuleInactive
      Summary: Ceph's mgr/prometheus module is not available
      Description: The mgr/prometheus module at 10.70.39.243:9283 is unreachable. This could mean that the module has been disabled or the mgr itself is down.
    Without the mgr/prometheus module metrics and alerts will no longer function. Open a shell to ceph and use 'ceph -s' to determine whether the mgr is active. If the mgr is not active, restart it, otherwise you can check the mgr/prometheus module is loaded with 'ceph mgr module ls'  and if it's not listed as enabled, enable it with 'ceph mgr module enable prometheus'"

    In the above example, an alert is generated after the Prometheus module is disabled.
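
The engine_id, user name and passwords in the snmptrapd file must match what the snmp-gateway service is deployed with. The following script is an added example, not part of the original procedure or of the Ceph tooling, that derives the engine_id from the cluster FSID and compares a snmptrapd file with the gateway credentials. The function names, the creds.yaml file name and the sample FSID (taken from the engine_id shown above) are assumptions.

```shell
#!/bin/sh
# Added example: check that a snmptrapd config agrees with the snmp-gateway
# credentials. creds.yaml is a hypothetical file name; passwords must not contain spaces.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Engine ID as recommended above: 8000C53F + cluster FSID without dashes.
engine_id_from_fsid() {
    fsid_hex=$(printf '%s' "$1" | sed 's/-//g')
    case $fsid_hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#fsid_hex}" -eq 32 ] || return 1      # a UUID is 32 hex digits
    printf '8000C53F%s\n' "$fsid_hex"
}

# Value of one "key: value" line in the gateway credentials file.
cred_value() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1; }

# Prints one line per disagreement (never the secrets); returns 0 only if all match.
check_trapd_conf() {
    conf=$1; creds=$2; rc=0
    want=$(engine_id_from_fsid "$3") || { echo "invalid FSID"; return 2; }
    line=$(grep -E '^[[:space:]]*createuser[[:space:]]' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "no createuser line"; return 2; }
    # createuser -e 0xENGINE_ID USER AUTH_PROTOCOL AUTH_PASSWORD [PRIVACY_PROTOCOL PRIVACY_PASSWORD]
    read -r _cmd _flag eid user _authproto authpass _privproto privpass <<EOF
$line
EOF
    [ "$(lower "${eid#0x}")" = "$(lower "$want")" ] || { echo "engine-id differs from FSID"; rc=1; }
    [ "$user" = "$(cred_value snmp_v3_auth_username "$creds")" ] || { echo "user name differs"; rc=1; }
    [ "$authpass" = "$(cred_value snmp_v3_auth_password "$creds")" ] || { echo "auth password differs"; rc=1; }
    [ "$privpass" = "$(cred_value snmp_v3_priv_password "$creds")" ] || { echo "privacy password differs"; rc=1; }
    return $rc
}

# Constructed sample files, using the values shown in the examples above.
make_samples() {
    ( umask 077   # both files hold plaintext credentials
      printf '%s\n' 'createuser -e 0x8000C53Ff64f341c655d11eb8778fa163e914bcc myuser SHA mypassword DES mysecret' \
          'authuser log,execute myuser' > "$1/snmptrapd_authpriv.conf"
      printf '%s\n' 'snmp_v3_auth_username: myuser' 'snmp_v3_auth_password: mypassword' \
          'snmp_v3_priv_password: mysecret' > "$1/creds.yaml" )
}

SAMPLE_FSID=f64f341c-655d-11eb-8778-fa163e914bcc   # constructed from the engine_id on this page
tmp=$(mktemp -d) && make_samples "$tmp"
check_trapd_conf "$tmp/snmptrapd_authpriv.conf" "$tmp/creds.yaml" "$SAMPLE_FSID" && echo "receiver and gateway agree"
```

For the authentication-only file, omit snmp_v3_priv_password from the credentials file; the check then expects no privacy password on the createuser line.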