Snmpd filling up /var/log/messages
Posted by raetsel on February 15, 2008
snmpd[345435]: Connection from UDP: [10.225.46.136]:135last message repeated 8 times
last message repeated 13 times
These are only information messages saying a connection has been established. This is rather annoying when you are trying to read other things in /var/log/messages. The way to turn off these messages is to change the logging options of the snmpd daemons.
On Redhat ( and Ubuntu) the default logging ( the -L options ) show:–
-Ls d
Meaning log to syslog using the facility of daemon ( see syslogd and syslog.conf for more information on what that means in detail, for now suffice it to say it means all messages are written to /var/log/messages ).
The man pages for snmpcmd ( common to all net-snmp programmes ) explain you can set this to only log messages above a certain priority.
Using priorities 0-4 means warning messages, errors, alerts and critical etc messages are logged but notice info and debug level messages are ignored.
The manual pages are not that clear, to me at least at first, hence this blog.
So if we change the -Ls d to the following this will stop those messages but still allow important messages to get through:–
LS 0-4 d
The capital S is crucial to the syntax.
So where and how do we set these options? Well the snmpd daemon is started by a standard init script /etc/init.d/snmpd
In both RHEL5 and Ubuntu the scripts have some default options but also read in settings from a config file. In Ubuntu the relevant portion of the script is:-
SNMPDOPTS=’-Lsd -Lf /dev/null -p /var/run/snmpd.pid’
TRAPDRUN=no
TRAPDOPTS=’-Lsd -p /var/run/snmptrapd.pid’
#Reads config file (will override defaults above)
[ -r /etc/default/snmpd] && . /etc/default/snmpd
So this sets the variable SNMPDOPTS to the default value and then if the file /etc/default/snmpd is readable it “sources” the content of that file.
Thus if /etc/default/snmpd contains the line
SNMPDOPTS='-LS 0-4 d -Lf /dev/null -p /var/run/snmpd.pid'
Then stopping and starting the snmpd daemon will make it run with the new logging options we want.
sudo /etc/init.d/snmpd restart
In RHEL5 the equivalent file is /etc/snmp/snmpd.options and the equivalent variable is OPTIONS rather than SNMPDOPTS
Now there could be security implications to not recording the IP address of every SNMP request on your server in case some other system is connecting that shouldn’t be, but there are ways with community strings and other authentication options for SNMP to reduce the risk of that.
All in all the I think the risk of missing an important message in /var/log/messages outweighs the risks from not logging the snmpd messages.
Hey look a whole post and I never mentioned FTP once 
)
Bleve said
Correction to this article: on rhel5 variable for parameters is OPTIONS, not SNMPDOPTS, and another correction is that sample in this article has wrong quote mark in it.
raetsel said
Hi Bleve,
Thanks for your comment, but I do state in that post that:-
Also the single quotes uses
' 'work fine and indeed that sample is cut straight from the /etc/default/snmpd on my Kubuntu system. In an RHEL5 system they use double quotes ” ” but my example was from Kubuntu. I expect single quotes should work in RHEL as well as there is no variable expansion etc. required.robert said
First, I have found this article very helpful. Thanks for writing.
I have found that the the “0-4 d” does not work. Instead, to log messages of log level 4 or lower, you just need to have “4 d”.
So, I use the following in /etc/snmp/snmpd.options:
OPTIONS=”-LS 5 d -Lf /dev/null -p /var/run/snmpd.pid -a”
Level of 5 is LOG_NOTICE and does not log the annoying loopback UDP connections that are seen with level 6 (LOG_INFO).
Testing, you can see the difference in messages to /var/log/messages by incrementing the log levels and to compare the “0-4 d” to just “4 d”.
raetsel said
Glad the article was helpful Robert, I’ll have to revisit my settings in light of your findings as see what I get.
Robert Dohrenburg said
Very helpful blog entry.
I tried your suggestion and it didn’t work in my FC6 servers somehow the snmpd.options file was being ignored.
After inspecting the init script /etc/init.d/snmpd I found that this line [ -e /etc/snmp/snmpd.options ] && . /etc/snmp/snmpd.options was missing. After adding the line everything worked fine.
So part of the script should look like this:
OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd -a"
RETVAL=0
prog="snmpd"
[ -e /etc/snmp/snmpd.options ] && . /etc/snmp/snmpd.options
Thanks for the tip!
Robert Dohrenburg
Paul said
i think the reason some folks have said that the quotes don’t work is that if you copy and paste the actual code from this page, it grabs the ‘fancy’ quotes that wordpress substitutes for the stricter quotes that unix uses. that’s what i found at least – when pasting into emacs, it barfed completely, interpreting the quote marks as escape/control commands within the editor!
Simon Stanford said
That’s a very good point Paul and something that has caught me out before.
I’ll see if I can get “normal” quotes to appear using the
pairing in wordpress’ mark up.Oh and I feel I have to point out that if you cut and paste into a file using vi it doesn’t barf ;o) ( It still won’t work but it doesn’t barf ). [ Long live the editor wars! ]
IK said
Found this article extremely helpful ,
i have used this extract to resolve the problem on 50+ Centos dist’s
echo OPTIONS=\”-LS 5 d -Lf /dev/null -p /var/run/snmpd.pid -a\” >>/etc/snmp/snmpd.options && service snmpd restart
Thanks for your help
IanK
Chris said
Worked like a champ on Ubuntu 8.04.
Rick Noelle said
I have also benefited from this article. Thanks very much. My company is a dinosaur and still using Red Hat Enterprise Linux 4 (RHEL4). I just thought I’d let any others from the Jurassic era out there know that on RHEL4, you don’t get an override config file by default so you must directly edit /etc/rc.d/init.d/snmpd. Here is a copy of my edit for reference:
#OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd -a"
# editing to *not* log info, only notice and above
OPTIONS="-LS 5 d -Lf /dev/null -p /var/run/snmpd -a"
If you check out the snmpcmd man page and search for “LF” you can see all the options. I suspect this would be the identical command:
OPTIONS="-LS n d -Lf /dev/null -p /var/run/snmpd -a"
Thanks again,
Rick
Marc Villacorta said
After ‘yum updating’ my fedora core 9 /etc/snmp/snmpd.conf is deprecated and /etc/sysconfig/snmpd is used instead.
This is the piece of code in /etc/init.d/snmpd:
OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a"
if [ -e /etc/sysconfig/snmpd ]; then
. /etc/sysconfig/snmpd
fi
Marc
Alastair said
Thanks for the page, it was helpful. Unfortunately, SNMP is an absolute nightmare … and very frustrating.
I am on Ubuntu 8.0 (Intrepid) – and had to use :
SNMPDOPTS=’-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1′
Cheers, Alastair
Alastair said
Thanks for the page, it was helpful. Unfortunately, SNMP is an absolute nightmare … and very frustrating.
I am on Ubuntu 8.10 (Intrepid) – and had to use :
SNMPDOPTS=’-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1′
Cheers, Alastair
Yong Huang said
I chose to stop snmpd on a new server where I can’t stop the useless logging. Different releases of Redhat configure it differently. Not sure if the version of snmpd matters. The one I stopped is 5.3.2.2 on RHEL5.3 where /etc/sysconfig/snmpd.options is used, while another RHEL5.3 uses /etc/snmp/snmpd.options and the snmpd logging was successfully suppressed so I let the daemon run. If needed, I’ll revisit the crappy snmp config on the new box, or wait till whoever responsible makes up their mind.
Karl said
On a RHEL5.3 release install after installing HP PSP 8.20, add this
OPTIONS=”-LS5d -Lf /dev/null -p /var/run/snmpd.pid -a”
to /etc/sysconfig/snmpd.options
NET-SNMP version: 5.3.2.2
Yong Huang said
Karl, thanks a lot. That worked!
Volomike said
I’m using RHEL 5.3. I had to edit…
/etc/sysconfig/snmpd.options
…and uncomment the OPTIONS line and alter as…
OPTIONS=”-Ls 5 d -Lf /dev/null -p /var/run/snmpd.pid -a”
…and I also noticed that -LS is now deprecated when I went into the man file and so I switched to -Ls as you see above.
Volomike said
My bad — take the “d” out. It then becomes:
OPTIONS=”-Ls 5 -Lf /dev/null -p /var/run/snmpd.pid -a”
If I’m wrong on something here, please go to my website and let me know.
Tim Wright said
Hi Mike,
I am fighting something similar on Fedora 10. I don’t believe “-Ls 5″ does what you want at all (according to the documentation that would use syslog facility 5). “-LS pri facility” is *not* supposed to be deprecated – it’s the only way to get the facility *and* priority configured. “-S” is deprecated. It looks like somebody botched the code horribly. Time for a bug, sigh.
Tim Wright said
Bad form to reply to my reply. The parsing is now stupidly broken:
“-LS 5 d” says option is deprecated (BUG).
“-LS5d” works.
Sigh.
Michael Schwager said
On RHEL5.3, I cannot use “-LS5d” in the snmpd.options file. If I do, I get an error:
What I need to do is use “-LS 5 d”.
Also, why do people keep including “-Lf /dev/null”? It seems like a wasteful no-op. What am I missing?
-Mike
Rainer said
The problem of big or small ’s’ could be caused by the outdated non english man pages. For example the german man page in RHEL5 is seriously outdated – so better do.
rpm -e man-pages-de
Dovydas Sankauskas said
Thank you for the tip. On Debian squeeze with snmpd 5.4.1 you have to use:
SNMPDOPTS=’-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1′
With capital S and without spaces. Otherwise you’ll get:
Restarting network management services:invalid syslog facility: -