Netgate Discussion Forum

    NET-SNMP Package Now Available for pfSense 2.4 (SNMPv3, TLS, IPv6, and more)

    • athurdent

      Great, thanks!

      This reminds me that I have been using something like this for MBUFs with Zabbix all along. Those can easily be adapted to be used with net-snmp I guess. So if someone needs them:

      UserParameter=sysstat.mbuf.curr,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f1
      UserParameter=sysstat.mbuf.cache,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f2
      UserParameter=sysstat.mbuf.total,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f3
      UserParameter=sysstat.mbuf.max,/usr/bin/netstat -mb | /usr/bin/grep "mbuf clusters in use" | /usr/bin/awk '{ print $1 }' | cut -d"/" -f4
      
      • doktornotor Banned

        @jimp: Impressive package (incl. those ~500 lines of input validation code, LOL  :D) Definitely a huge improvement compared to bsnmpd.  8)

        Will need to play with that when I have more time.

        • jimp Rebel Alliance Developer Netgate

          Thanks!

          And yeah, that input validation code kind of grew and grew as I went on, but I wanted to make sure things were done right from the start. As much as possible anyhow, there are still a number of fields that are impossible to properly validate as it is.

          It's a lot easier to work with and expand than bsnmpd, I just wish there was an up-to-date patch or module for accessing pf counters without having to script it.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • doktornotor Banned

            @jimp:

            I just wish there was an up-to-date patch or module for accessing pf counters without having to script it.

            Hmmm… https://www.packetmischief.ca/openbsd-snmp-mibs/ has been maintained up to ~2012 (OpenBSD 5.1). Not sure how usable that is.

            • jimp Rebel Alliance Developer Netgate

              That's the one I was looking at. They migrated their code to bsnmpd and left net-snmp behind. Which isn't surprising given that they were focused on OpenBSD, but bsnmpd isn't all it's cracked up to be.

              We could run them both together and proxy over the requests for the pf-specific parts but I'm not too crazy about that idea.

              • doktornotor Banned

                Yeah, no longer maintained, but the pf parts for net-snmp seem to be from 2011-2012… would not seem so hopelessly outdated to port over. Proxying, yeah, not excited about that either.

                • chrcoluk

                  • No direct access to pf information

                  What sort of information does this include?

                  I plan to run snmpd on my pfSense unit but I have a decision to make: bsnmpd or net-snmp. The latter is my preference as I use that on dozens of servers so am used to it.

                  pfSense CE 2.8.0

                  • jimp Rebel Alliance Developer Netgate

                    Things like state table size, altq information, various packet info counters tracked by pf, state table metadata… Here's the MIB from bsnmpd so you can see what's in it: http://files.atx.pfsense.org/jimp/mibs/BEGEMOT-PF-MIB.txt

                    • Viktor

                      Does this mean Observium (supports basically NET-SNMP for servers) can be used for detailed pfSense monitoring? This sounds very promising, as BSNMPd was providing limited information. Looking forward to trying it on a productive system.

                      • jimp Rebel Alliance Developer Netgate

                        I don't use Observium but if it has profiles for NET-SNMP then it should be able to get anything it would usually get for a NET-SNMP host from it.

                        • chrcoluk

                          hmm, I finally got round to playing with this.

                          I did a full snmpwalk on bsnmpd data but no pf data to be found.

                          I may just use extend with net-snmpd instead.

                          • jimp Rebel Alliance Developer Netgate

                            @chrcoluk:

                            I did a full snmpwalk on bsnmpd data but no pf data to be found.

                            I may just use extend with net-snmpd instead.

                            That's correct, net-snmpd has no special knowledge of pf. There is no current/supported net-snmp module for FreeBSD that can interface with pf. You could use some extend entries to call various pfctl commands to gather info, depending on what you need/want.

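An added example, not code from any poster or from the pfSense package: one way to write the `extend` data source jimp describes, covering the pf state count from `pfctl -si` and athurdent's mbuf-cluster fields from `netstat -m`. The script path, the extend names and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): data source for net-snmp "extend" lines.
# Assumed install path and extend names (hypothetical), e.g. in snmpd.conf:
#   extend pfStates /usr/local/bin/snmp_pf_extend.sh pf_states
#   extend mbufCurr /usr/local/bin/snmp_pf_extend.sh mbuf current

# Print one field of the "mbuf clusters in use" line (netstat -m text on stdin).
mbuf_field() {
    case "$1" in
        current) n=1 ;; cache) n=2 ;; total) n=3 ;; max) n=4 ;;
        *) return 2 ;;   # unknown field name: refuse rather than guess
    esac
    awk -v n="$n" '
        /mbuf clusters in use/ { split($1, f, "/"); print f[n]; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Print pf "current entries" from the State Table block (pfctl -si text on stdin).
pf_states() {
    awk '
        /^State Table/ { in_tbl = 1; next }
        in_tbl && $1 == "current" && $2 == "entries" { print $3; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Constructed sample outputs so the parsers can be checked off-box.
sample_netstat() {
    cat <<'EOF'
2541/3804/6345 mbufs in use (current/cache/total)
1024/2046/3070/26584 mbuf clusters in use (current/cache/total/max)
EOF
}
sample_pfctl() {
    cat <<'EOF'
Status: Enabled for 3 days 04:05:06           Debug: Urgent

State Table                          Total             Rate
  current entries                      187
  searches                         5012345           18.2/s
EOF
}

# Dispatch: fixed commands with absolute paths; the only caller-supplied
# value is a field name that is matched against a fixed list.
case "${1:-}" in
    mbuf)      /usr/bin/netstat -m | mbuf_field "${2:-}" ;;
    pf_states) /sbin/pfctl -si | pf_states ;;
esac
```

Both parsers exit non-zero when the expected line is missing, so a changed output format shows up as a failed extend rather than as a silently wrong number.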
                            • chrcoluk

                              It was bsnmpd running on pfSense when I ran the snmpwalk.

                              Also a suggestion for the net-snmp package:

                              You use the flags -Ls but this floods the log every time a snmpd server connects. I suggest changing to -LF 0-4; I already patched my local pfSense.

                              root@PFSENSE pkg # ps axww | grep snmp
                              78025  -  S        0:29.48 /usr/local/sbin/snmpd -LF 0-4 d -p /var/run/net_snmpd.pid -M /usr/share/snmp/mibs/:/usr/local/share/snmp/mibs -C -c /var/etc/netsnmpd.conf,/var/etc/netsnmpd-users.conf
                              

                              • q54e3w

                                Thx for this tip, my logs were being spammed also. Any idea if this will be rolled into a future upgrade?

                                For anyone else who needs to make the change, edit line 590 of /usr/local/pkg/net-snmp.inc
                                from

                                /usr/local/sbin/snmpd -Ls d \
                                

                                to

                                /usr/local/sbin/snmpd -LF 0-4 d \
                                
                                • Napsterbater

                                  Thanks for the tip about changing that line to reduce Log Spam.

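An added example, not part of the thread or the package: a small parser that reports where a given snmpd command line sends its log output, following net-snmp's documented logging options, in which `-Ls` takes a syslog facility while the upper-case `-LS` and `-LF` take a priority range followed by a facility or a file name respectively. Read that way, `-LF 0-4 d` selects a file sink named `d`, and `-LS 0-4 d` is the form that keeps syslog facility `d` while limiting it to priorities 0-4 (emerg through warning). The function names and output format are assumptions.

```shell
#!/bin/sh
# Added example: report the log sink selected by an snmpd command line.
# Output: "<sink> <target> <priorities>". Only the space-separated option
# form seen in this thread ("-Ls d", "-LF 0-4 d") is handled.
snmpd_log_dest() {
    set -f; set -- $1; set +f      # word-split the line without globbing
    while [ $# -gt 0 ]; do
        case "$1" in
            -Le) echo "stderr - all";              return 0 ;;
            -Lo) echo "stdout - all";              return 0 ;;
            -Lf) echo "file ${2:-?} all";          return 0 ;;
            -Ls) echo "syslog ${2:-?} all";        return 0 ;;
            -LE) echo "stderr - ${2:-?}";          return 0 ;;
            -LO) echo "stdout - ${2:-?}";          return 0 ;;
            -LF) echo "file ${3:-?} ${2:-?}";      return 0 ;;
            -LS) echo "syslog ${3:-?} ${2:-?}";    return 0 ;;
        esac
        shift
    done
    return 1                        # no -L option present
}

# True when the command line still delivers messages to syslog.
logs_to_syslog() {
    case "$(snmpd_log_dest "$1")" in
        syslog\ *) return 0 ;;
        *)         return 1 ;;
    esac
}

# Command lines from the thread (trailing options shortened).
ORIG='/usr/local/sbin/snmpd -Ls d -p /var/run/net_snmpd.pid'
PATCHED='/usr/local/sbin/snmpd -LF 0-4 d -p /var/run/net_snmpd.pid'
# Constructed alternative that keeps syslog but filters by priority.
FILTERED='/usr/local/sbin/snmpd -LS 0-4 d -p /var/run/net_snmpd.pid'

for c in "$ORIG" "$PATCHED" "$FILTERED"; do
    printf '%s\n' "$(snmpd_log_dest "$c")"
done
```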
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.