On my CentOS 5.4 system the snmpd.options file goes in /etc/sysconfig rather than /etc/snmp. Thanks for the information, it was helpful.
snmpd sending too much to syslog by default
Why does snmpd try to log everything by default in Fedora? If you’re polling every five minutes or so for MRTG or a commercial product like Solarwinds, you might find /var/log/messages filling up with successful connection messages:
Oct 22 04:00:01 ServerName snmpd[2089]:last message repeated 5 times
Oct 22 04:00:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:40732
Oct 22 04:00:01 ServerName snmpd[2089]: Received SNMP packet(s) from UDP: [127.0.0.1]:40732
Oct 22 04:00:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:40732
Oct 22 04:05:01 ServerName snmpd[2089]:last message repeated 5 times
Oct 22 04:05:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:34007
Oct 22 04:05:01 ServerName snmpd[2089]: Received SNMP packet(s) from UDP: [127.0.0.1]:34007
Oct 22 04:05:01 ServerName snmpd[2089]: Connection from UDP: [127.0.0.1]:34007
To stop this nonsense, override the default options being fed to snmpd in the init script. (No, don’t hack the init script! You’ll forget to re-hack it when you update your system and your changes get overwritten, doh!)
Create /etc/snmp/snmpd.options and provide your own options to the snmpd daemon. This is what I use on most clients to tell syslog to only log levels 0 through 4.
OPTIONS="-LS 4 d -Lf /dev/null -p /var/run/snmpd.pid -a"
If you have a client that doesn’t have IPv6 addresses and you check TCP connections with SNMP, you’ll want to change the 4 to a 2. Otherwise you’ll still get messages like these:
Oct 22 04:20:31 ThisOldServer snmpd[21882]: could not open /proc/net/if_inet6
Oct 22 04:21:31 ThisOldServer snmpd[21882]: cannot open /proc/net/snmp6 …
In /etc/init.d/snmpd you should see where it’s looking for /etc/snmp/snmpd.options, and if it doesn’t find it, it provides a set of defaults, which is to let syslog log everything.
if [ -e /etc/snmp/snmpd.options ]; then
    . /etc/snmp/snmpd.options
else
    OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a"
fi
After you make your snmpd.options file in /etc/snmp/, just restart snmpd and it should find your file and not follow the else clause which was setting those options for you before. Just to make sure, wait 5 minutes (or force an SNMP check) and look at the logs. You could add an entry to your logs with ‘logger’ just to make a note of when you made the change. But it should be quite obvious if you don’t see a ton of syslog traffic. You should also see the log level in the process list since you made the change and restarted the service.
ninja@ThisOldServer ~$ ps -ef | grep snmpd
root 21900 1 0 14:21 ? 00:00:00 /usr/sbin/snmpd -LS 2 d -Lf /dev/null -p /var/run/snmpd.pid -a
acarr 21936 21915 0 14:56 pts/0 00:00:00 grep snmpd
ninja@ThisOldServer ~$
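An added example (not part of the original post, and not net-snmp's or the distribution's own code): a small lint for the options file that catches typographic quotes picked up when pasting from a web page and reports the syslog priority ceiling without sourcing the file. The function name check_snmpd_options and its return codes are assumptions made for this example, and it recognises only the two OPTIONS forms shown above.

```shell
#!/bin/sh
# Added example: lint an snmpd.options file before restarting snmpd.
# Only the two OPTIONS forms shown on this page are recognised.

# check_snmpd_options FILE   (hypothetical helper name)
#   prints the syslog priority ceiling ("all" for -Lsd) and returns:
#   0 ok, 1 typographic quotes found, 2 unreadable file, 3 no usable OPTIONS
check_snmpd_options() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # U+2018..U+201D all start with the UTF-8 bytes E2 80. The shell does
    # not treat them as quotes, so they end up inside the option string.
    if LC_ALL=C grep -q "$(printf '\342\200')" "$file"; then
        echo "typographic quotes in $file, retype them as ASCII quotes" >&2
        return 1
    fi

    # Read the assignment without sourcing (executing) the file.
    opts=$(sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$file" | tail -n 1)
    [ -n "$opts" ] || { echo "no OPTIONS=\"...\" line in $file" >&2; return 3; }

    # Walk the words: "-LS <level> <facility>" or the init script's "-Lsd".
    # Word splitting of $opts is intended here.
    set -- $opts
    while [ $# -gt 0 ]; do
        case $1 in
            -LS)  [ $# -ge 2 ] || return 3
                  echo "$2"; return 0 ;;
            -Lsd) echo "all"; return 0 ;;
        esac
        shift
    done
    echo "no syslog option found in: $opts" >&2
    return 3
}

# Typical call: check_snmpd_options /etc/snmp/snmpd.options
```

Run it against whichever path your init script actually sources, then compare the printed level with the one shown in the ps output after the restart.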
5 thoughts on “snmpd sending too much to syslog by default”
- Thanks for the excellent hint.
- Thanks for the excellent info! Same comment for CentOS. Got a little baffled by a weird error, until I noticed that pasting in vi had included curly quotes instead of straight ones. After correcting, all went smoothly. Thanks!
- Thanks for this post. I was stuck with this issue and got it fixed with
  OPTIONS="-LS 2 d -Lf /dev/null -p /var/run/snmpd.pid -a"
- You should just be able to add this into your snmpd.conf and it won’t log all of the connections.
  dontLogTCPWrappersConnects yes
  Thanks for the tip on the ipv6 errors though, eliminated them by changing the options path to the 2. :)