Configuring snmptrapd
It is important to configure the simple network management protocol (SNMP) target before
deploying the snmp-gateway because the snmptrapd daemon contains
the auth settings that you need to specify when creating the snmp-gateway
service.
The SNMP gateway feature provides a means of exposing the alerts that are generated in the
Prometheus stack to an SNMP management platform. You can configure the destination for the SNMP
traps based on the snmptrapd tool. This tool allows you to establish one or more SNMP
trap listeners.
The following parameters are important for configuration:
-
The engine-id is a unique identifier for the device, in hex, and is required for SNMPV3 gateway. IBM recommends using 8000C53F_CLUSTER_FSID_WITHOUT_DASHES for this parameter.
-
The snmp-community, which is the SNMP_COMMUNITY_FOR_SNMPV2 parameter, is public for SNMPV2c gateway.
-
The auth-protocol, which is the AUTH_PROTOCOL, is mandatory for SNMPV3 gateway and is SHA by default.
-
The privacy-protocol, which is the PRIVACY_PROTOCOL, is mandatory for SNMPV3 gateway.
-
The PRIVACY_PASSWORD is mandatory for SNMPV3 gateway with encryption.
-
The SNMP_V3_AUTH_USER_NAME is the user name and is mandatory for SNMPV3 gateway.
-
The SNMP_V3_AUTH_PASSWORD is the password and is mandatory for SNMPV3 gateway.
Prerequisites
-
A running IBM Storage Ceph cluster.
-
Root-level access to the nodes.
-
Install firewalld on Red Hat Enterprise Linux system.
Procedure
-
On the SNMP management host, install the SNMP packages.
Example
[root@host01 ~]# dnf install -y net-snmp-utils net-snmp
-
Open the port 162 for SNMP to receive alerts.
Example
[root@host01 ~]# firewall-cmd --zone=public --add-port=162/udp
[root@host01 ~]# firewall-cmd --zone=public --add-port=162/udp --permanent
-
Implement the management information base (MIB) to make sense of the SNMP notification and enhance SNMP support on the destination host. Copy the raw file from the main repository: https://github.com/ceph/ceph/blob/master/monitoring/snmp/CEPH-MIB.txt
Example
[root@host01 ~]# curl -o CEPH_MIB.txt -L https://raw.githubusercontent.com/ceph/ceph/master/monitoring/snmp/CEPH-MIB.txt
[root@host01 ~]# scp CEPH_MIB.txt root@host02:/usr/share/snmp/mibs
-
Create the snmptrapd directory.
Example
[root@host01 ~]# mkdir /root/snmptrapd/
-
Create the configuration files in the snmptrapd directory for each protocol based on the SNMP version.
Syntax
format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n
createuser -e 0x_ENGINE_ID_ SNMPV3_AUTH_USER_NAME AUTH_PROTOCOL SNMP_V3_AUTH_PASSWORD PRIVACY_PROTOCOL PRIVACY_PASSWORD
authuser log,execute SNMP_V3_AUTH_USER_NAME
authCommunity log,execute,net SNMP_COMMUNITY_FOR_SNMPV2
-
For SNMPV2c, create the snmptrapd_public.conf file as follows:
Example
format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n
authCommunity log,execute,net public
The public setting here must match the snmp_community setting used when deploying the snmp-gateway service.
-
For SNMPV3 with authentication only, create the snmptrapd_auth.conf file.
Example
format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n
createuser -e 0x8000C53Ff64f341c655d11eb8778fa163e914bcc myuser SHA mypassword
authuser log,execute myuser
The 0x8000C53Ff64f341c655d11eb8778fa163e914bcc string is the engine_id, and myuser and mypassword are the credentials. The password security is defined by the SHA algorithm.
This corresponds to the settings for deploying the snmp-gateway daemon.
Example
snmp_v3_auth_username: myuser
snmp_v3_auth_password: mypassword
-
For SNMPV3 with authentication and encryption, create the snmptrapd_authpriv.conf file.
Example
format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n
createuser -e 0x8000C53Ff64f341c655d11eb8778fa163e914bcc myuser SHA mypassword DES mysecret
authuser log,execute myuser
The 0x8000C53Ff64f341c655d11eb8778fa163e914bcc string is the engine_id, and myuser and mypassword are the credentials. The password security is defined by the SHA algorithm and DES is the type of privacy encryption.
This corresponds to the settings for deploying the snmp-gateway daemon.
Example
snmp_v3_auth_username: myuser
snmp_v3_auth_password: mypassword
snmp_v3_priv_password: mysecret
-
Run the daemon on the SNMP management host.
Syntax
/usr/sbin/snmptrapd -M /usr/share/snmp/mibs -m CEPH-MIB.txt -f -C -c /root/snmptrapd/CONFIGURATION_FILE -Of -Lo :162
Example
[root@host01 ~]# /usr/sbin/snmptrapd -M /usr/share/snmp/mibs -m CEPH-MIB.txt -f -C -c /root/snmptrapd/snmptrapd_auth.conf -Of -Lo :162
-
If any alert is triggered on the storage cluster, you can monitor the output on the SNMP management host. Verify the SNMP traps and also the traps decoded by MIB.
Example
NET-SNMP version 5.8
Agent Address: 0.0.0.0
Agent Hostname: <UNKNOWN>
Date: 15 - 5 - 12 - 8 - 10 - 4461391
Enterprise OID: .
Trap Type: Cold Start
Trap Sub-Type: 0
Community/Infosec Context: TRAP2, SNMP v3, user myuser, context
Uptime: 0
Description: Cold Start
PDU Attribute/Value Pair Array:
.iso.org.dod.internet.mgmt.mib-2.1.3.0 = Timeticks: (292276100) 3 days, 19:52:41.00
.iso.org.dod.internet.snmpV2.snmpModules.1.1.4.1.0 = OID: .iso.org.dod.internet.private.enterprises.ceph.cephCluster.cephNotifications.prometheus.promMgr.promMgrPrometheusInactive
.iso.org.dod.internet.private.enterprises.ceph.cephCluster.cephNotifications.prometheus.promMgr.promMgrPrometheusInactive.1 = STRING: "1.3.6.1.4.1.50495.1.2.1.6.2[alertname=CephMgrPrometheusModuleInactive]"
.iso.org.dod.internet.private.enterprises.ceph.cephCluster.cephNotifications.prometheus.promMgr.promMgrPrometheusInactive.2 = STRING: "critical"
.iso.org.dod.internet.private.enterprises.ceph.cephCluster.cephNotifications.prometheus.promMgr.promMgrPrometheusInactive.3 = STRING: "Status: critical - Alert: CephMgrPrometheusModuleInactive Summary: Ceph's mgr/prometheus module is not available Description: The mgr/prometheus module at 10.70.39.243:9283 is unreachable. This could mean that the module has been disabled or the mgr itself is down. Without the mgr/prometheus module metrics and alerts will no longer function. Open a shell to ceph and use 'ceph -s' to determine whether the mgr is active. If the mgr is not active, restart it, otherwise you can check the mgr/prometheus module is loaded with 'ceph mgr module ls' and if it's not listed as enabled, enable it with 'ceph mgr module enable prometheus'"
In the above example, an alert is generated after the Prometheus module is disabled.
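
The SNMPV3 authentication and encryption file from the configuration step can be generated from the cluster FSID, as in the following added example, which is not IBM or Ceph tooling. The function names are hypothetical, and the priv level on the authuser line is an addition that the page's file does not have.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, not IBM or Ceph tooling.

# format2 line copied unchanged from the page's configuration files.
FORMAT2='format2 %V\n% Agent Address: %A \n Agent Hostname: %B \n Date: %H - %J - %K - %L - %M - %Y \n Enterprise OID: %N \n Trap Type: %W \n Trap Sub-Type: %q \n Community/Infosec Context: %P \n Uptime: %T \n Description: %W \n PDU Attribute/Value Pair Array:\n%v \n -------------- \n'

# Engine ID the page recommends: 8000C53F followed by the cluster FSID without dashes.
engine_id_from_fsid() {
    fsid=$1
    # Accept only a canonical UUID so a typo cannot produce a malformed engine ID.
    if ! printf '%s\n' "$fsid" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
        echo "invalid FSID: $fsid" >&2
        return 1
    fi
    printf '8000C53F%s\n' "$(printf '%s' "$fsid" | tr -d '-')"
}

# Print a complete SNMPV3 authentication + encryption configuration.
# Args: FSID USER AUTH_PROTOCOL AUTH_PASSWORD PRIVACY_PROTOCOL PRIVACY_PASSWORD
render_authpriv_conf() {
    [ "$#" -eq 6 ] || { echo "expected 6 arguments, got $#" >&2; return 2; }
    eid=$(engine_id_from_fsid "$1") || return 1
    # net-snmp refuses USM passphrases shorter than 8 characters.
    for secret in "$4" "$6"; do
        [ "${#secret}" -ge 8 ] || { echo "passphrase shorter than 8 characters" >&2; return 1; }
    done
    printf '%s\n' "$FORMAT2"
    printf 'createuser -e 0x%s %s %s %s %s %s\n' "$eid" "$2" "$3" "$4" "$5" "$6"
    # "priv" is an addition to the page's authuser line: it makes snmptrapd
    # drop traps from this user that are authenticated but not encrypted.
    printf 'authuser log,execute %s priv\n' "$2"
}

# Write the file owner-readable only, because it stores both passphrases in clear text.
# Args: OUTPUT_FILE followed by the six render_authpriv_conf arguments.
write_authpriv_conf() {
    out=$1
    shift
    conf=$(render_authpriv_conf "$@") || return 1
    ( umask 077 && printf '%s\n' "$conf" > "$out" ) && chmod 600 "$out"
}

# Demo with the page's sample values (FSID taken from the page's engine_id).
render_authpriv_conf f64f341c-655d-11eb-8778-fa163e914bcc myuser SHA mypassword DES mysecret
```

The user name and both passphrases passed here must be the same values that are given as snmp_v3_auth_username, snmp_v3_auth_password and snmp_v3_priv_password when deploying the snmp-gateway service.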