Introduction

aix-logo

The following instructions have been tested with IBM AIX 5.3 and 6.1 on IBM system p hardware. Although IBM is known for a ultra-conservative approach, they are a rare vendor to run SNMPv3 by default. This guide describes a configuration of the AIX default SNMPv3 daemon for system monitoring through Nagios. IBM's SNMPv3 configuration is quite difficult to understand and to manage, I hope this information benefits others.

Below is a example output on a AIX 6.1 system highlighting the use of the SNMPv3 daemon. If I remember right, the last 2 characters "ne" in snmpdv3ne stand for "no encryption". 

# ls -l /usr/sbin/snmpd
lrwxrwxrwx    1 root   system        9 Sep 24 2009  /usr/sbin/snmpd -> snmpdv3ne

# ls -l /usr/sbin/snmpd*
lrwxrwxrwx    1 root   system        9 Sep 24 2009  /usr/sbin/snmpd -> snmpdv3ne
-rwxr-x---    1 root   system   363688 Aug 13 2009  /usr/sbin/snmpd64v1
-rwxr-x---    1 root   system   334912 Aug 13 2009  /usr/sbin/snmpdv1
-rwxr-x---    1 root   system   335828 Mar 30 2009  /usr/sbin/snmpdv3ne

Configuring the AIX SNMP daemon

Since we are not using SNMPv3 in our environment, we want to configure the default AIX SNMP daemon to respond to SNMPv1 requests. For the most basic security configuration, we also want set a custom SNMP community for Nagios read access. IBM's AIX SNMP dameon's configuration file is /etc/snmpdv3.conf. Important configuration settings to change are:

Below is a example configuration file with updated settings for Nagios: 

$ vi /etc/snmpdv3.conf
VACM_GROUP group1 SNMPv1  SECro  -

VACM_VIEW defaultView       internet                    - included -

VACM_VIEW defaultView        1.3.6.1.4.1.2.2.1.1.1.0    - included -
VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191.1.6    - included -

# exclude snmpv3 related MIBs from the default view
VACM_VIEW defaultView        snmpModules                - excluded -
VACM_VIEW defaultView        1.3.6.1.6.3.1.1.4          - included -   
VACM_VIEW defaultView        1.3.6.1.6.3.1.1.5          - included -  

# include aixmibd managed MIBs into the default view for Nagios
VACM_VIEW defaultView        1.3.6.1.4.1.2.6.191        - included -

VACM_ACCESS  group1 - - noAuthNoPriv SNMPv1  defaultView - defaultView -

NOTIFY notify1 traptag trap -

TARGET_ADDRESS Target1 UDP 127.0.0.1       traptag trapparms1 - - -

TARGET_PARAMETERS trapparms1 SNMPv1  SNMPv1  public  noAuthNoPriv -

# The line below only sets the community string, but allows access 
# from any IP using the 0.0.0.0 (IP) and 0.0.0.0 (netmask) wildcard
#COMMUNITY SECro SECro noAuthNoPriv 0.0.0.0    0.0.0.0  -

# If we want to restrict access by IP, we need to allow localhost
# communication with the SNMP subagents (aixmibd, snmpmibd, ...)
COMMUNITY SECro SECro noAuthNoPriv 127.0.0.1    255.255.255.255  -

# Here we restrict the SNMP access to the Nagios server IP address
COMMUNITY SECro SECro noAuthNoPriv 192.168.1.34    255.255.255.255  -


DEFAULT_SECURITY no-access - -

logging         file=/usr/tmp/snmpdv3.log       enabled
logging         size=100000                     level=0

smux            1.3.6.1.4.1.2.3.1.2.1.2         gated_password  # gated
smux 1.3.6.1.4.1.2.3.1.2.3.1.1 muxatmd_password #muxatmd

Enabling and running the SNMP MIB agents

We typically start all three AIX SNMP MIB subagents on our systems: aixmibd, hostmibd and snmpmibd. These agents provide additional system data to be queried through SNMP. Because we changed the community string for the SNMP daemon, the subagents now need to be run with the new community as well. After updating the SNMP daemon's configuration above, we can manually stop and restart all SNMP related services with the new community string as shown below: 

# stopsrc -s aixmibd; stopsrc -s hostmibd; stopsrc -s snmpmibd; stopsrc -s snmpd
0513-044 The /usr/sbin/aixmibd Subsystem was requested to stop.
0513-044 The /usr/sbin/hostmibd Subsystem was requested to stop.
0513-044 The snmpmibd Subsystem was requested to stop.
0513-044 The snmpd Subsystem was requested to stop.
# startsrc -s aixmibd -a "-c SECro"; startsrc -s hostmibd -a "-c SECro"
0513-059 The aixmibd Subsystem has been started. Subsystem PID is 233826.
0513-059 The hostmibd Subsystem has been started. Subsystem PID is 196776.
# startsrc -s snmpmibd -a "-c SECro"; startsrc -s snmpd
0513-059 The snmpmibd Subsystem has been started. Subsystem PID is 266358.
0513-059 The snmpd Subsystem has been started. Subsystem PID is 237738.

The SNMP daemon and SNMP subagents are started in /etc/rc.tcpip. In order to enable the subagents to be started after a system reboot with the correct community string, we add the "-c SECro" option as shown in the example below. 

# grep snmpd /etc/rc.tcpip
start /usr/sbin/snmpd "$src_running"
# 
# grep mib /etc/rc.tcpip
# Start up the hostmibd daemon
start /usr/sbin/hostmibd "$src_running" "-c SECro"
# Start up the snmpmibd daemon
start /usr/sbin/snmpmibd "$src_running" "-c SECro"
# Start up the aixmibd daemon
start /usr/sbin/aixmibd "$src_running" "-c SECro"

Verify the SNMP access from the Nagios system

Before we set up the nagios configuration, we confirm the SNMP access works as intended. 

fm@susie112:~> snmpwalk -v 1 -c SECro 192.168.1.109 | head -7
SNMPv2-MIB::sysDescr.0 = STRING: IBM PowerPC CHRP Computer
Machine Type: 0x0800004c Processor id: 00CF06A44C00
Base Operating System Runtime AIX version: 06.01.0003.0000
TCP/IP Client Support version: 06.01.0003.0002
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2.3.1.2.1.1.3
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (110900) 0:18:29.00
SNMPv2-MIB::sysContact.0 = STRING:

The snmpwalk command (without using the pipe to 'head' for limiting the output) should return a long list of OID's. If the returned OID list is very short, then the subagents are not responding. We can easily verify this by querying for a particular OID subtree provided by the aixmibd subagent, as shown in the example below: 

fm@susie112:~> snmpwalk -v 1 -c SECro 192.168.1.109 1.3.6.1.4.1.2.6.191 |head -6
SNMPv2-SMI::enterprises.2.6.191.1.1.1.0 = INTEGER: 5
SNMPv2-SMI::enterprises.2.6.191.1.1.2.0 = ""
SNMPv2-SMI::enterprises.2.6.191.1.1.3.0 = INTEGER: 2
SNMPv2-SMI::enterprises.2.6.191.1.1.4.0 = Gauge32: 0
SNMPv2-SMI::enterprises.2.6.191.1.1.5.0 = INTEGER: 0
SNMPv2-SMI::enterprises.2.6.191.1.1.6.0 = INTEGER: 2

For troubleshooting, the SNMP daemon and subagent logs are in /var/tmp. I had a case were the loopback/localhost ip 127.0.0.1 was commented out in /etc/hosts by a careless admin, which made the subagents fail to respond. 

# ls -l /var/tmp
total 336
...
-rw-r--r--    1 root     system         6572 Dec  2 15:58 aixmibd.log
-rw-r--r--    1 root     system         8527 Dec  2 15:58 hostmibd.log
-rw-r--r--    1 root     system        85496 Dec  2 15:58 snmpdv3.log
-rw-r--r--    1 root     system        13280 Dec  2 15:58 snmpmibd.log

# tail /var/tmp/aixmibd.log
Thu Dec  2 15:58:19 JST 2010  DPI sub-agent (AIX Enterprise MIB Support subagent):
 connected, ready to receive requests...
stopsrc issued
Thu Dec  2 15:58:34 JST 2010  DPI sub-agent (AIX Enterprise MIB Support subagent):
 connected, ready to receive requests...

After we confirmed the SNMP access and response, we can start configuring Nagios. Below is just one more SNMP access test using the Nagios plugin check_snmp_load.pl to get the AIX system load. From there on, the normal Nagios configurations for accessing the SNMP data for memory, load, diskspace etc can be used. 

susie112:/srv/app/nagios/libexec # ./check_snmp_load.pl -H 192.168.1.109 -C SECro -T stand -w 75 -c 90
6 CPU, average load 0.0% < 75% : OK

Credits, copyrights and links

Topics:

More Information: