Snmpd filling up /var/log/messages
Posted by raetsel on February 15, 2008
snmpd[345435]: Connection from UDP: [10.225.46.136]:135
last message repeated 8 times
last message repeated 13 times
These are only information messages saying a connection has been established. This is rather annoying when you are trying to read other things in /var/log/messages. The way to turn off these messages is to change the logging options of the snmpd daemon.
On Red Hat (and Ubuntu) the default logging options (the -L options) are:
-Ls d
This means log to syslog using the daemon facility (see syslogd and syslog.conf for more information on what that means in detail; for now, suffice it to say that all messages are written to /var/log/messages).
The man pages for snmpcmd (common to all net-snmp programmes) explain that you can set this to log only messages above a certain priority.
Using priorities 0-4 means that warning, error, critical and alert messages (and anything more severe) are logged, but notice, info and debug level messages are ignored.
The manual pages are not that clear, to me at least at first, hence this blog.
So if we change the -Ls d to the following, this will stop those messages but still allow important messages to get through:
-LS 0-4 d
The capital S is crucial to the syntax.
So where and how do we set these options? The snmpd daemon is started by a standard init script, /etc/init.d/snmpd.
In both RHEL5 and Ubuntu the scripts have some default options but also read in settings from a config file. In Ubuntu the relevant portion of the script is:-
SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid'
TRAPDRUN=no
TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'
# Reads config file (will override defaults above)
[ -r /etc/default/snmpd ] && . /etc/default/snmpd
So this sets the variable SNMPDOPTS to the default value and then if the file /etc/default/snmpd is readable it “sources” the content of that file.
Thus if /etc/default/snmpd contains the line
SNMPDOPTS='-LS 0-4 d -Lf /dev/null -p /var/run/snmpd.pid'
Then stopping and starting the snmpd daemon will make it run with the new logging options we want.
sudo /etc/init.d/snmpd restart
In RHEL5 the equivalent file is /etc/snmp/snmpd.options and the equivalent variable is OPTIONS rather than SNMPDOPTS
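As an added example (not part of the original post or of net-snmp), the shell functions below take one SNMPDOPTS= or OPTIONS= line and report whether the "Connection from" messages would still reach syslog, and whether the line carries typographic quotes picked up by copying from a web page. It assumes those messages are logged at priority 6 (LOG_INFO) and handles only the space-separated -LS forms shown here; the function names and sample lines are made up for the example.

```shell
# Added example: classify one SNMPDOPTS=/OPTIONS= line for snmpd.
# Assumption: "Connection from" messages are syslog priority 6 (LOG_INFO).

# True if the line contains typographic quotes (U+2018/2019/201C/201D).
has_smart_quotes() {
    for q in '\342\200\230' '\342\200\231' '\342\200\234' '\342\200\235'; do
        case $1 in *"$(printf "$q")"*) return 0 ;; esac
    done
    return 1
}

# Print the least severe priority (0-7) sent to syslog, or none/invalid.
syslog_max_priority() {
    set -f; set -- $1; set +f            # word-split without globbing
    while [ $# -gt 0 ]; do
        case $1 in
            -Ls*) echo 7; return 0 ;;    # -Ls d or -Lsd: no priority filter
            -LS)  spec=${2:-} ;;         # -LS 0-4 d or -LS 5 d
            *)    shift; continue ;;
        esac
        case $spec in
            [0-7]-[0-7]) echo "${spec#*-}" ;;   # range: use its upper end
            [0-7])       echo "$spec" ;;        # single level N: 0 through N
            *)           echo invalid ;;
        esac
        return 0
    done
    echo none
}

# One-word verdict for a raw config line such as SNMPDOPTS='...'.
check_snmpd_line() {
    if has_smart_quotes "$1"; then echo smart-quotes; return 0; fi
    val=${1#*=}                          # drop the variable name
    val=${val#\"}; val=${val#\'}; val=${val%\"}; val=${val%\'}
    max=$(syslog_max_priority "$val")
    case $max in
        none|invalid) echo "$max" ;;
        [0-5])        echo connections-suppressed ;;
        *)            echo connections-logged ;;
    esac
}

# Constructed sample lines modelled on the settings quoted in the post.
pasted=$(printf 'SNMPDOPTS=\342\200\231-LS 0-4 d\342\200\231')
for line in "SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid'" \
            "SNMPDOPTS='-LS 0-4 d -Lf /dev/null -p /var/run/snmpd.pid'" \
            "$pasted"; do
    printf '%s => %s\n' "$line" "$(check_snmpd_line "$line")"
done
```

A verdict of connections-suppressed means the source address of each SNMP request is no longer written to syslog by snmpd.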
Now there could be security implications to not recording the IP address of every SNMP request on your server in case some other system is connecting that shouldn’t be, but there are ways with community strings and other authentication options for SNMP to reduce the risk of that.
All in all I think the risk of missing an important message in /var/log/messages outweighs the risks from not logging the snmpd messages.
Hey look a whole post and I never mentioned FTP once :o)
February 28, 2008 at 4:13 pm
Correction to this article: on rhel5 variable for parameters is OPTIONS, not SNMPDOPTS, and another correction is that sample in this article has wrong quote mark in it.
February 29, 2008 at 11:24 am
Hi Bleve,
Thanks for your comment, but I do state in that post that:-
Also the single quotes used ' ' work fine and indeed that sample is cut straight from the /etc/default/snmpd on my Kubuntu system. In an RHEL5 system they use double quotes " " but my example was from Kubuntu. I expect single quotes should work in RHEL as well as there is no variable expansion etc. required.
June 13, 2008 at 1:46 pm
First, I have found this article very helpful. Thanks for writing.
I have found that the “0-4 d” does not work. Instead, to log messages of log level 4 or lower, you just need to have “4 d”.
So, I use the following in /etc/snmp/snmpd.options:
OPTIONS="-LS 5 d -Lf /dev/null -p /var/run/snmpd.pid -a"
Level of 5 is LOG_NOTICE and does not log the annoying loopback UDP connections that are seen with level 6 (LOG_INFO).
By testing, you can see the difference in messages to /var/log/messages by incrementing the log levels and comparing the “0-4 d” to just “4 d”.
June 13, 2008 at 3:03 pm
Glad the article was helpful Robert, I’ll have to revisit my settings in light of your findings and see what I get.
June 19, 2008 at 10:11 pm
Very helpful blog entry.
I tried your suggestion and it didn’t work on my FC6 servers; somehow the snmpd.options file was being ignored.
After inspecting the init script /etc/init.d/snmpd I found that this line [ -e /etc/snmp/snmpd.options ] && . /etc/snmp/snmpd.options was missing. After adding the line everything worked fine.
So part of the script should look like this:
OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd -a"
RETVAL=0
prog="snmpd"
[ -e /etc/snmp/snmpd.options ] && . /etc/snmp/snmpd.options
Thanks for the tip!
Robert Dohrenburg
July 23, 2008 at 7:22 pm
i think the reason some folks have said that the quotes don’t work is that if you copy and paste the actual code from this page, it grabs the ‘fancy’ quotes that wordpress substitutes for the stricter quotes that unix uses. that’s what i found at least - when pasting into emacs, it barfed completely, interpreting the quote marks as escape/control commands within the editor!
July 23, 2008 at 7:26 pm
That’s a very good point Paul and something that has caught me out before.
I’ll see if I can get “normal” quotes to appear using the pairing in wordpress’ mark up.
Oh and I feel I have to point out that if you cut and paste into a file using vi it doesn’t barf ;o) (It still won’t work but it doesn’t barf). [ Long live the editor wars! ]