Snmpd filling up /var/log/messages

Update May 2009: This  post has generated lots of alternative ideas in the comments so make sure you read through them to see what might work for your server.
At work we have a central monitoring system for servers called Solarwinds Orion Network Manager, this uses standard snmp connections to servers to get their status, disk usage, CPU performance.
On my RHEL5 linux servers the standard snmpd daemon works well with Solarwinds but the monitoring server seems to make a lot of connections to the system and each one gets logged via the syslog daemon to /var/log/messages giving rise to lots of lines saying things like

snmpd[345435]: Connection from UDP: []:135

last message repeated 8 times

last message repeated 13 times

These are only information messages saying a connection has been established. This is rather annoying when you are trying to read other things in /var/log/messages. The way to turn off these messages is to change the logging options of the snmpd daemons.

On Redhat ( and Ubuntu) the default logging ( the -L options ) show:–

-Ls d

Meaning log to syslog using the facility of daemon ( see syslogd and syslog.conf for more information on what that means in detail, for now suffice it to say it means all messages are written to /var/log/messages ).

The man pages for snmpcmd ( common to all net-snmp programmes ) explain you can set this to only log messages above a certain priority.

Using priorities 0-4 means warning messages, errors, alerts and critical etc messages are logged but notice info and debug level messages are ignored.

The manual pages are not that clear, to me at least at first, hence this blog.

So if we change the -Ls d to the following this will stop those messages but still allow important messages to get through:–

LS 0-4 d

The capital S is crucial to the syntax.

So where and how do we set these options? Well the snmpd daemon is started by a standard init script /etc/init.d/snmpd

In both RHEL5 and Ubuntu the scripts have some default options but also read in settings from a config file. In Ubuntu the relevant portion of the script is:-

SNMPDOPTS=’-Lsd -Lf /dev/null -p /var/run/’
TRAPDOPTS=’-Lsd -p /var/run/’
#Reads config file (will override defaults above)
[ -r /etc/default/snmpd] && . /etc/default/snmpd

So this sets the variable SNMPDOPTS to the default value and then if the file /etc/default/snmpd is readable it “sources” the content of that file.

Thus if /etc/default/snmpd contains the line

SNMPDOPTS='-LS 0-4 d -Lf /dev/null -p /var/run/'

Then stopping and starting the snmpd daemon will make it run with the new logging options we want.

sudo /etc/init.d/snmpd restart

In RHEL5 the equivalent file is /etc/snmp/snmpd.options and the equivalent variable is OPTIONS rather than SNMPDOPTS

Now there could be security implications to not recording the IP address of every SNMP request on your server in case some other system is connecting that shouldn’t be, but there are ways with community strings and other authentication options for SNMP to reduce the risk of that.

All in all the I think the risk of missing an important message in /var/log/messages outweighs the risks from not logging the snmpd messages.

Hey look a whole post and I never mentioned FTP once :o)


46 thoughts on “Snmpd filling up /var/log/messages

  1. Correction to this article: on rhel5 variable for parameters is OPTIONS, not SNMPDOPTS, and another correction is that sample in this article has wrong quote mark in it.

  2. Hi Bleve,

    Thanks for your comment, but I do state in that post that:-

    In RHEL5 the equivalent file is /etc/snmp/snmpd.options and the equivalent variable is OPTIONS rather than SNMPDOPTS

    Also the single quotes uses ' ' work fine and indeed that sample is cut straight from the /etc/default/snmpd on my Kubuntu system. In an RHEL5 system they use double quotes ” ” but my example was from Kubuntu. I expect single quotes should work in RHEL as well as there is no variable expansion etc. required.

  3. First, I have found this article very helpful. Thanks for writing.

    I have found that the the “0-4 d” does not work. Instead, to log messages of log level 4 or lower, you just need to have “4 d”.

    So, I use the following in /etc/snmp/snmpd.options:

    OPTIONS=”-LS 5 d -Lf /dev/null -p /var/run/ -a”

    Level of 5 is LOG_NOTICE and does not log the annoying loopback UDP connections that are seen with level 6 (LOG_INFO).

    Testing, you can see the difference in messages to /var/log/messages by incrementing the log levels and to compare the “0-4 d” to just “4 d”.

  4. Very helpful blog entry.

    I tried your suggestion and it didn’t work in my FC6 servers somehow the snmpd.options file was being ignored.

    After inspecting the init script /etc/init.d/snmpd I found that this line [ -e /etc/snmp/snmpd.options ] && . /etc/snmp/snmpd.options was missing. After adding the line everything worked fine.

    So part of the script should look like this:

    OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd -a"

    [ -e /etc/snmp/snmpd.options ] && . /etc/snmp/snmpd.options

    Thanks for the tip!
    Robert Dohrenburg

  5. i think the reason some folks have said that the quotes don’t work is that if you copy and paste the actual code from this page, it grabs the ‘fancy’ quotes that wordpress substitutes for the stricter quotes that unix uses. that’s what i found at least – when pasting into emacs, it barfed completely, interpreting the quote marks as escape/control commands within the editor!

  6. That’s a very good point Paul and something that has caught me out before.

    I’ll see if I can get “normal” quotes to appear using the pairing in wordpress’ mark up.

    Oh and I feel I have to point out that if you cut and paste into a file using vi it doesn’t barf ;o) ( It still won’t work but it doesn’t barf ). [ Long live the editor wars! ]

  7. Found this article extremely helpful ,

    i have used this extract to resolve the problem on 50+ Centos dist’s

    echo OPTIONS=\”-LS 5 d -Lf /dev/null -p /var/run/ -a\” >>/etc/snmp/snmpd.options && service snmpd restart

    Thanks for your help

  8. I have also benefited from this article. Thanks very much. My company is a dinosaur and still using Red Hat Enterprise Linux 4 (RHEL4). I just thought I’d let any others from the Jurassic era out there know that on RHEL4, you don’t get an override config file by default so you must directly edit /etc/rc.d/init.d/snmpd. Here is a copy of my edit for reference:

    #OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd -a"
    # editing to *not* log info, only notice and above
    OPTIONS="-LS 5 d -Lf /dev/null -p /var/run/snmpd -a"

    If you check out the snmpcmd man page and search for “LF” you can see all the options. I suspect this would be the identical command:

    OPTIONS="-LS n d -Lf /dev/null -p /var/run/snmpd -a"

    Thanks again,

  9. After ‘yum updating’ my fedora core 9 /etc/snmp/snmpd.conf is deprecated and /etc/sysconfig/snmpd is used instead.

    This is the piece of code in /etc/init.d/snmpd:

    OPTIONS="-Lsd -Lf /dev/null -p /var/run/ -a"
    if [ -e /etc/sysconfig/snmpd ]; then
    . /etc/sysconfig/snmpd


  10. Thanks for the page, it was helpful. Unfortunately, SNMP is an absolute nightmare … and very frustrating.

    I am on Ubuntu 8.0 (Intrepid) – and had to use :

    SNMPDOPTS=’-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/′

    Cheers, Alastair

  11. Thanks for the page, it was helpful. Unfortunately, SNMP is an absolute nightmare … and very frustrating.

    I am on Ubuntu 8.10 (Intrepid) – and had to use :

    SNMPDOPTS=’-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/′

    Cheers, Alastair

  12. I chose to stop snmpd on a new server where I can’t stop the useless logging. Different releases of Redhat configure it differently. Not sure if the version of snmpd matters. The one I stopped is on RHEL5.3 where /etc/sysconfig/snmpd.options is used, while another RHEL5.3 uses /etc/snmp/snmpd.options and the snmpd logging was successfully suppressed so I let the daemon run. If needed, I’ll revisit the crappy snmp config on the new box, or wait till whoever responsible makes up their mind.

  13. On a RHEL5.3 release install after installing HP PSP 8.20, add this
    OPTIONS=”-LS5d -Lf /dev/null -p /var/run/ -a”

    to /etc/sysconfig/snmpd.options

    NET-SNMP version:

  14. I’m using RHEL 5.3. I had to edit…


    …and uncomment the OPTIONS line and alter as…

    OPTIONS=”-Ls 5 d -Lf /dev/null -p /var/run/ -a”

    …and I also noticed that -LS is now deprecated when I went into the man file and so I switched to -Ls as you see above.

  15. My bad — take the “d” out. It then becomes:

    OPTIONS=”-Ls 5 -Lf /dev/null -p /var/run/ -a”

    If I’m wrong on something here, please go to my website and let me know.

    • Hi Mike,
      I am fighting something similar on Fedora 10. I don’t believe “-Ls 5” does what you want at all (according to the documentation that would use syslog facility 5). “-LS pri facility” is *not* supposed to be deprecated – it’s the only way to get the facility *and* priority configured. “-S” is deprecated. It looks like somebody botched the code horribly. Time for a bug, sigh.

      • Bad form to reply to my reply. The parsing is now stupidly broken:
        “-LS 5 d” says option is deprecated (BUG).
        “-LS5d” works.


  16. On RHEL5.3, I cannot use “-LS5d” in the snmpd.options file. If I do, I get an error:

     invalid syslog facility: / 

    What I need to do is use “-LS 5 d”.

    Also, why do people keep including “-Lf /dev/null”? It seems like a wasteful no-op. What am I missing?

  17. The problem of big or small ‘s’ could be caused by the outdated non english man pages. For example the german man page in RHEL5 is seriously outdated – so better do.

    rpm -e man-pages-de

  18. Thank you for the tip. On Debian squeeze with snmpd 5.4.1 you have to use:

    SNMPDOPTS=’-LS4d -Lf /dev/null -u snmp -I -smux -p /var/run/′

    With capital S and without spaces. Otherwise you’ll get:

    Restarting network management services:invalid syslog facility: –

  19. Had the same issue running CentOS 5.4. The above was helpful, but nothing matched exactly what is required, so here’s a one-liner for thos in my shoes:

    echo OPTIONS=\"-LS 5 d -p /var/run/ -a\" > /etc/sysconfig/snmpd.options && service snmpd restart

    Note: snmpd no longer logs it’s own startup when loglevel is 5. But if you set it to 6, you also get all the garbage… thanks, snmpd.

  20. On RHEL5, I resolved the issue using:

    OPTIONS=”-Lnd -Lf /dev/null -p /var/run/ -a”

    The option -S d|i|0-4 is deprecated, so I used:

    -L toggle options controlling where to log to
    e: log to standard error
    o: log to standard output
    n: don’t log at all
    f file: log to the specified file
    s facility: log to syslog (via the specified facility)

  21. Pingback: Eliminar exceso de logs snmp en RHEL 5.x « InsaneCrew

  22. Pingback: Monitoring CentOS Linux with Kaseya | MCB Systems

  23. Pingback: 2010 in review « Harsh but fair

  24. Thanks! This was very helpful.

    I am using this one-liner for all my CentOS 5 versions:

    echo OPTIONS=\”-LS 5 d -Lf /dev/null -p /var/run/ -a\” >>/etc/sysconfig/snmpd.options | ln -s /etc/sysconfig/snmpd.options /etc/snmp/snmpd.options | chkconfig snmpd on | service snmpd restart

    It covers the problem with two different snmpd.options file paths in different versions.

  25. Pingback: snmp entry in log messages - Admins Goodies

  26. on RHEL 6.0 the options are now hard coded in /etc/init.d/snmpd, the file /etc/sysconfig/snmpd.options is still there but not used


  27. Thanks for this article! My /var/log/messages was getting thousands of snmpd entries a day. The following mod solved the problem on my RHEL5.8 machines. I added this to my /etc/sysconfig/snmpd.options:
    # snmpd command line options
    # OPTIONS=”-Lsd -Lf /dev/null -p /var/run/ -a”

    # editing to *not* log info, only notice and above
    OPTIONS=”-LS 5 d -Lf /dev/null -p /var/run/ -a”

  28. Still relevant in 2012!

    In a RHEL 6.2 build, after all the updates are applied, I see only /etc/sysconfig/snmpd, no snmpd.options file. Even though they are commented out, these are the settings found with the running process.

    # snmpd command line options
    # OPTIONS=”-LS0-6d -Lf /dev/null -p /var/run/”

    I uncommented and changed 6 to 4 to rid myself of the
    Connection from UDP: []:52851->[]

  29. To gag snmpd in Debian squeeze change SNMPDOPTS in /etc/default/snmpd. Do NOT, I repeat NOT change /etc/init.d/snmpd – it wont work.

  30. Pingback: Snmpd filling up /var/log/messages | LinuxHacks

  31. RHEL/CentOS/SL 5.8:

    % cat /etc/sysconfig/snmpd.options
    # snmpd command line options
    OPTIONS=”-LS 0-4 3 -p /var/run/ -a”

    worked for me (logging to local3 instead of daemon).

    Thanks to all who participated.

  32. Even easier:

    Just set

    dontLogTCPWrappersConnects true

    in your /etc/snmp/snmpd.conf.
    It will filter out exactly those annoying messages and nothing else. Even better, denied connections will still be logged (c.f. man snmpd.conf).

    (Working on Ubuntu 12.04 with snmpd 5.4.3)

  33. Pingback: Snmpd filling up /var/log/messages | Linux Hacks

  34. As pointed by Philipp Wendler setting ‘dontLogTCPWrappersConnects true’ in /etc/snmp/snmpd.conf does the desired behaviour.

    See ‘man snmpd.conf’

  35. another solution is to filter some “constant” log messages from snmpd while keeping rest
    create file with filter in /etc/rsyslog.d directory (ie. “/etc/rsyslog.d/snmpd-filter.conf”)
    and put there:
    if ($programname == ‘snmpd’) and ($msg contains “error on subcontainer” or $msg contains “Connection from UDP: [X.X.X.X]:57559->[Y.Y.Y.Y]:161” ) then {
    +test rysslog config :
    # rsyslogd -N1
    + if no errors restart rsyslogd
    # systemctl restart rsyslog.service
    # service rsyslog restart

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s