Harsh but fair

Open source chicanery and the battle with my inner geek

Snmpd filling up /var/log/messages

Posted by raetsel on February 15, 2008

Update May 2009: This post has generated lots of alternative ideas in the comments, so make sure you read through them to see what might work for your server.
 
At work we have a central monitoring system for servers called Solarwinds Orion Network Manager. It uses standard SNMP connections to servers to get their status, disk usage and CPU performance.
On my RHEL5 Linux servers the standard snmpd daemon works well with Solarwinds, but the monitoring server seems to make a lot of connections to the system and each one gets logged via the syslog daemon to /var/log/messages, giving rise to lots of lines saying things like:

snmpd[345435]: Connection from UDP: [10.225.46.136]:135

last message repeated 8 times

last message repeated 13 times

These are only information messages saying a connection has been established. This is rather annoying when you are trying to read other things in /var/log/messages. The way to turn off these messages is to change the logging options of the snmpd daemon.

On Red Hat (and Ubuntu) the default logging options (the -L options) show:

-Ls d

Meaning log to syslog using the facility of daemon ( see syslogd and syslog.conf for more information on what that means in detail, for now suffice it to say it means all messages are written to /var/log/messages ).

The man pages for snmpcmd ( common to all net-snmp programmes ) explain you can set this to only log messages above a certain priority.

Using priorities 0-4 means that warning, error, alert, critical etc. messages are logged, but notice, info and debug level messages are ignored.

The manual pages are not that clear, to me at least at first, hence this blog.

So if we change the -Ls d to the following this will stop those messages but still allow important messages to get through:–

-LS 0-4 d

The capital S is crucial to the syntax.

So where and how do we set these options? Well the snmpd daemon is started by a standard init script /etc/init.d/snmpd

In both RHEL5 and Ubuntu the scripts have some default options but also read in settings from a config file. In Ubuntu the relevant portion of the script is:-

SNMPDOPTS='-Lsd -Lf /dev/null -p /var/run/snmpd.pid'
TRAPDRUN=no
TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'
# Reads config file (will override defaults above)
[ -r /etc/default/snmpd ] && . /etc/default/snmpd

So this sets the variable SNMPDOPTS to the default value and then if the file /etc/default/snmpd is readable it “sources” the content of that file.

Thus if /etc/default/snmpd contains the line

SNMPDOPTS='-LS 0-4 d -Lf /dev/null -p /var/run/snmpd.pid'

Then stopping and starting the snmpd daemon will make it run with the new logging options we want.

sudo /etc/init.d/snmpd restart

In RHEL5 the equivalent file is /etc/snmp/snmpd.options and the equivalent variable is OPTIONS rather than SNMPDOPTS

Now there could be security implications to not recording the IP address of every SNMP request on your server in case some other system is connecting that shouldn’t be, but there are ways with community strings and other authentication options for SNMP to reduce the risk of that.

All in all, I think the risk of missing an important message in /var/log/messages outweighs the risks from not logging the snmpd messages.
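
Before switching the connection messages off, it is worth checking which hosts have actually been polling the daemon. The following is an added example, not part of the original post: a shell/awk tally of "Connection from UDP" lines per source address that also credits syslog's "last message repeated N times" lines. The sample log, the host name web1, the address 192.0.2.77 and the function names are constructed for illustration.

```sh
# Added example. The sample log is constructed; web1 and 192.0.2.77 are made up.

sample_log() {
    cat <<'EOF'
Feb 15 10:00:01 web1 snmpd[3454]: Connection from UDP: [10.225.46.136]:135
Feb 15 10:00:31 web1 last message repeated 8 times
Feb 15 10:01:02 web1 snmpd[3454]: Connection from UDP: [127.0.0.1]:52851->[127.0.0.1]
Feb 15 10:01:40 web1 sshd[911]: Accepted publickey for admin from 10.225.46.20
Feb 15 10:02:00 web1 last message repeated 2 times
Feb 15 10:02:05 web1 snmpd[3454]: Connection from UDP: [192.0.2.77]:40112
Feb 15 10:02:35 web1 last message repeated 13 times
EOF
}

# Print "count address" for every SNMP source seen on stdin. syslogd collapses
# identical consecutive lines, so a "repeated N times" line is credited to the
# snmpd line directly before it and ignored after any other message.
snmp_sources() {
    awk '
    /snmpd\[[0-9]+\]: Connection from UDP: \[/ {
        ip = $0
        sub(/.*Connection from UDP: \[/, "", ip)
        sub(/\].*/, "", ip)
        count[ip]++; last = ip; next
    }
    /last message repeated [0-9]+ times/ {
        if (last != "") {
            n = $0; sub(/.*repeated /, "", n); sub(/ times.*/, "", n)
            count[last] += n
        }
        next
    }
    { last = "" }
    END { for (ip in count) print count[ip], ip }
    ' | LC_ALL=C sort -k2
}

# Print only the sources that are not in the space-separated allowlist $1.
unexpected_sources() {
    snmp_sources | while read -r count ip; do
        case " $1 " in
            *" $ip "*) ;;               # known poller
            *) echo "$count $ip" ;;
        esac
    done
}

sample_log | unexpected_sources "10.225.46.136 127.0.0.1"
```

Against a real server, feed /var/log/messages to unexpected_sources with the monitoring server's address as the allowlist; any address it prints is a host that has been querying SNMP without being a known poller.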

Hey look a whole post and I never mentioned FTP once :o)

44 Responses to “Snmpd filling up /var/log/messages”

  1. Bleve said

    Correction to this article: on rhel5 variable for parameters is OPTIONS, not SNMPDOPTS, and another correction is that sample in this article has wrong quote mark in it.

  2. raetsel said

    Hi Bleve,

    Thanks for your comment, but I do state in that post that:-

    In RHEL5 the equivalent file is /etc/snmp/snmpd.options and the equivalent variable is OPTIONS rather than SNMPDOPTS

    Also the single quotes used ' ' work fine and indeed that sample is cut straight from the /etc/default/snmpd on my Kubuntu system. In an RHEL5 system they use double quotes " " but my example was from Kubuntu. I expect single quotes should work in RHEL as well as there is no variable expansion etc. required.

  3. robert said

    First, I have found this article very helpful. Thanks for writing.

    I have found that the “0-4 d” does not work. Instead, to log messages of log level 4 or lower, you just need to have “4 d”.

    So, I use the following in /etc/snmp/snmpd.options:

    OPTIONS="-LS 5 d -Lf /dev/null -p /var/run/snmpd.pid -a"

    Level of 5 is LOG_NOTICE and does not log the annoying loopback UDP connections that are seen with level 6 (LOG_INFO).

    Testing, you can see the difference in messages to /var/log/messages by incrementing the log levels and to compare the “0-4 d” to just “4 d”.

  4. raetsel said

    Glad the article was helpful Robert, I’ll have to revisit my settings in light of your findings and see what I get.

  5. Robert Dohrenburg said

    Very helpful blog entry.

    I tried your suggestion and it didn’t work on my FC6 servers; somehow the snmpd.options file was being ignored.

    After inspecting the init script /etc/init.d/snmpd I found that this line [ -e /etc/snmp/snmpd.options ] && . /etc/snmp/snmpd.options was missing. After adding the line everything worked fine.

    So part of the script should look like this:

    OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd -a"
    RETVAL=0
    prog="snmpd"

    [ -e /etc/snmp/snmpd.options ] && . /etc/snmp/snmpd.options

    Thanks for the tip!
    Robert Dohrenburg

  6. Paul said

    i think the reason some folks have said that the quotes don’t work is that if you copy and paste the actual code from this page, it grabs the ‘fancy’ quotes that wordpress substitutes for the stricter quotes that unix uses. that’s what i found at least – when pasting into emacs, it barfed completely, interpreting the quote marks as escape/control commands within the editor!

  7. That’s a very good point Paul and something that has caught me out before.

    I’ll see if I can get “normal” quotes to appear using the pairing in wordpress’ mark up.

    Oh and I feel I have to point out that if you cut and paste into a file using vi it doesn’t barf ;o) ( It still won’t work but it doesn’t barf ). [ Long live the editor wars! ]

  8. IK said

    Found this article extremely helpful ,

    i have used this extract to resolve the problem on 50+ Centos dist’s

    echo OPTIONS=\"-LS 5 d -Lf /dev/null -p /var/run/snmpd.pid -a\" >>/etc/snmp/snmpd.options && service snmpd restart

    Thanks for your help
    IanK

  9. Chris said

    Worked like a champ on Ubuntu 8.04.

  10. I have also benefited from this article. Thanks very much. My company is a dinosaur and still using Red Hat Enterprise Linux 4 (RHEL4). I just thought I’d let any others from the Jurassic era out there know that on RHEL4, you don’t get an override config file by default so you must directly edit /etc/rc.d/init.d/snmpd. Here is a copy of my edit for reference:


    #OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd -a"
    # editing to *not* log info, only notice and above
    OPTIONS="-LS 5 d -Lf /dev/null -p /var/run/snmpd -a"

    If you check out the snmpcmd man page and search for “LF” you can see all the options. I suspect this would be the identical command:


    OPTIONS="-LS n d -Lf /dev/null -p /var/run/snmpd -a"

    Thanks again,
    Rick

  11. After ‘yum updating’ my fedora core 9 /etc/snmp/snmpd.conf is deprecated and /etc/sysconfig/snmpd is used instead.

    This is the piece of code in /etc/init.d/snmpd:


    OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a"
    if [ -e /etc/sysconfig/snmpd ]; then
    . /etc/sysconfig/snmpd
    fi

    Marc

  12. Alastair said

    Thanks for the page, it was helpful. Unfortunately, SNMP is an absolute nightmare … and very frustrating.

    I am on Ubuntu 8.0 (Intrepid) – and had to use :

    SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

    Cheers, Alastair

  13. Alastair said

    Thanks for the page, it was helpful. Unfortunately, SNMP is an absolute nightmare … and very frustrating.

    I am on Ubuntu 8.10 (Intrepid) – and had to use :

    SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

    Cheers, Alastair

  14. Yong Huang said

    I chose to stop snmpd on a new server where I can’t stop the useless logging. Different releases of Redhat configure it differently. Not sure if the version of snmpd matters. The one I stopped is 5.3.2.2 on RHEL5.3 where /etc/sysconfig/snmpd.options is used, while another RHEL5.3 uses /etc/snmp/snmpd.options and the snmpd logging was successfully suppressed so I let the daemon run. If needed, I’ll revisit the crappy snmp config on the new box, or wait till whoever responsible makes up their mind.

  15. Karl said

    On a RHEL5.3 release install after installing HP PSP 8.20, add this
    OPTIONS="-LS5d -Lf /dev/null -p /var/run/snmpd.pid -a"

    to /etc/sysconfig/snmpd.options

    NET-SNMP version: 5.3.2.2

  16. Yong Huang said

    Karl, thanks a lot. That worked!

  17. Volomike said

    I’m using RHEL 5.3. I had to edit…

    /etc/sysconfig/snmpd.options

    …and uncomment the OPTIONS line and alter as…

    OPTIONS="-Ls 5 d -Lf /dev/null -p /var/run/snmpd.pid -a"

    …and I also noticed that -LS is now deprecated when I went into the man file and so I switched to -Ls as you see above.

  18. Volomike said

    My bad — take the “d” out. It then becomes:

    OPTIONS="-Ls 5 -Lf /dev/null -p /var/run/snmpd.pid -a"

    If I’m wrong on something here, please go to my website and let me know.

    • Tim Wright said

      Hi Mike,
      I am fighting something similar on Fedora 10. I don’t believe “-Ls 5” does what you want at all (according to the documentation that would use syslog facility 5). “-LS pri facility” is *not* supposed to be deprecated – it’s the only way to get the facility *and* priority configured. “-S” is deprecated. It looks like somebody botched the code horribly. Time for a bug, sigh.

      • Tim Wright said

        Bad form to reply to my reply. The parsing is now stupidly broken:
        “-LS 5 d” says option is deprecated (BUG).
        “-LS5d” works.

        Sigh.

  19. Michael Schwager said

    On RHEL5.3, I cannot use “-LS5d” in the snmpd.options file. If I do, I get an error:

     invalid syslog facility: / 
    

    What I need to do is use “-LS 5 d”.

    Also, why do people keep including “-Lf /dev/null”? It seems like a wasteful no-op. What am I missing?
    -Mike

  20. Rainer said

    The problem of big or small ‘s’ could be caused by the outdated non-English man pages. For example the German man page in RHEL5 is seriously outdated – so better do:

    rpm -e man-pages-de

  21. Thank you for the tip. On Debian squeeze with snmpd 5.4.1 you have to use:

    SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'

    With capital S and without spaces. Otherwise you’ll get:

    Restarting network management services:invalid syslog facility: -

  22. Niels said

    Had the same issue running CentOS 5.4. The above was helpful, but nothing matched exactly what is required, so here’s a one-liner for those in my shoes:

    echo OPTIONS=\"-LS 5 d -p /var/run/snmpd.pid -a\" > /etc/sysconfig/snmpd.options && service snmpd restart

    Note: snmpd no longer logs its own startup when loglevel is 5. But if you set it to 6, you also get all the garbage… thanks, snmpd.

  23. tferb said

    On RHEL5, I resolved the issue using:

    OPTIONS="-Lnd -Lf /dev/null -p /var/run/snmpd.pid -a"

    The option -S d|i|0-4 is deprecated, so I used:

    -L toggle options controlling where to log to
    e: log to standard error
    o: log to standard output
    n: don’t log at all
    f file: log to the specified file
    s facility: log to syslog (via the specified facility)

  24. [...] https://raetsel.wordpress.com/2008/02/15/snmpd-filling-up-varlogmessages/ http://kbase.redhat.com/faq/docs/DOC-25144 [...]

  25. [...] of this, /var/logs/messages, set up for weekly rotation, only reached about 85MB before rotating. This article and this manual page helped me figure out that I could turn off this logging by adding this line to [...]

  27. brajan said

    Thanks! This was very helpful.

    I am using this one-liner for all my CentOS 5 versions:

    echo OPTIONS=\"-LS 5 d -Lf /dev/null -p /var/run/snmpd.pid -a\" >>/etc/sysconfig/snmpd.options; ln -s /etc/sysconfig/snmpd.options /etc/snmp/snmpd.options; chkconfig snmpd on; service snmpd restart

    It covers the problem with two different snmpd.options file paths in different versions.

  28. [...] seems only snmp log, nothing to worried, please refers to https://raetsel.wordpress.com/2008/02/15/snmpd-filling-up-varlogmessages/ [...]

  29. Works like a charm.

  30. Mike said

    on RHEL 6.0 the options are now hard coded in /etc/init.d/snmpd, the file /etc/sysconfig/snmpd.options is still there but not used

    Regards

  31. banjer said

    Thanks! I found the options on CentOS 6.2 were in /etc/sysconfig/snmpd.

  32. Scott Bringen said

    Thanks for this article! My /var/log/messages was getting thousands of snmpd entries a day. The following mod solved the problem on my RHEL5.8 machines. I added this to my /etc/sysconfig/snmpd.options:
    # snmpd command line options
    # OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a"

    # editing to *not* log info, only notice and above
    OPTIONS="-LS 5 d -Lf /dev/null -p /var/run/snmpd.pid -a"

  33. Jeff said

    Still relevant in 2012!

    In a RHEL 6.2 build, after all the updates are applied, I see only /etc/sysconfig/snmpd, no snmpd.options file. Even though they are commented out, these are the settings found with the running process.

    # snmpd command line options
    # OPTIONS="-LS0-6d -Lf /dev/null -p /var/run/snmpd.pid"

    I uncommented and changed 6 to 4 to rid myself of the
    Connection from UDP: [127.0.0.1]:52851->[127.0.0.1]
    messages.

  34. Mike said

    Thanks, Jeff!

  35. Boyan said

    Worked on CheckPoint SecurePlatform (SPLAT).

  36. Jan said

    To gag snmpd in Debian squeeze change SNMPDOPTS in /etc/default/snmpd. Do NOT, I repeat NOT change /etc/init.d/snmpd – it won’t work.

  38. RHEL/CentOS/SL 5.8:

    % cat /etc/sysconfig/snmpd.options
    # snmpd command line options
    OPTIONS="-LS 0-4 3 -p /var/run/snmpd.pid -a"

    worked for me (logging to local3 instead of daemon).

    Thanks to all who participated.

  39. Philipp Wendler said

    Even easier:

    Just set

    dontLogTCPWrappersConnects true

    in your /etc/snmp/snmpd.conf.
    It will filter out exactly those annoying messages and nothing else. Even better, denied connections will still be logged (c.f. man snmpd.conf).

    (Working on Ubuntu 12.04 with snmpd 5.4.3)

  41. Try using this option:

    #OPTIONS='-Lnd -Lf /dev/null -p /var/run/snmpd.pid -a'
    OPTIONS='-LS 5 d -Lf /dev/null -p /var/run/snmpd.pid -a'

    For more information, visit:
    http://www.linuxusers.com.br
