How to Configure SNMP with net-snmp on RHEL 8

SNMP (Simple Network Management Protocol) is the foundation of most enterprise network monitoring stacks. While SNMPv1 and v2c rely on community strings that travel in plaintext, SNMPv3 adds authentication and encryption, making it suitable for production environments where security matters. On RHEL 8 the net-snmp package provides both the agent daemon (snmpd) and a rich set of command-line utilities for querying and testing. This guide covers installing net-snmp, creating a secure SNMPv3 user, walking the MIB tree, extending the agent with custom OIDs, and connecting the setup to external monitoring tools.

Prerequisites

• RHEL 8 server with root or sudo access
• A monitoring host (Nagios, Zabbix, or another RHEL 8 machine with net-snmp-utils) on the same network
• Basic familiarity with firewall-cmd and systemctl
• Strong passwords prepared for the SNMPv3 authentication and privacy passphrases (minimum 8 characters each)

Step 1 — Install net-snmp

Install the agent and utilities from the default RHEL 8 AppStream repository, then enable the daemon.

dnf install -y net-snmp net-snmp-utils
systemctl enable snmpd

Do not start the daemon yet — the SNMPv3 user must be created while snmpd is stopped, otherwise the utility will fail to write the user credentials into the persistent store.

Step 2 — Create a SNMPv3 User

Use net-snmp-create-v3-user to generate a read-only SNMPv3 user with SHA authentication and AES-128 privacy encryption. Run this command while snmpd is stopped.

systemctl stop snmpd

# Syntax: net-snmp-create-v3-user [-ro|-rw] -a AUTH_PROTOCOL -A AUTH_PASS -x PRIV_PROTOCOL -X PRIV_PASS USERNAME
net-snmp-create-v3-user -ro -a SHA -A 'MyAuthPass1!' -x AES -X 'MyPrivPass2@' monitoruser

systemctl start snmpd
systemctl status snmpd

The tool writes the user definition into /var/lib/net-snmp/snmpd.conf and adds a rouser monitoruser line to /etc/snmp/snmpd.conf. Use separate, strong passphrases — treat them like passwords to a privileged account.

Step 3 — Harden /etc/snmp/snmpd.conf

Open /etc/snmp/snmpd.conf and make the following adjustments to restrict access and disable insecure SNMPv1/v2c community strings.

# /etc/snmp/snmpd.conf — recommended security hardening

# Comment out or remove the default v2c community string
# com2sec notConfigUser  default       public

# Restrict the agent to listen only on localhost and a specific interface
agentAddress  udp:127.0.0.1:161,udp:192.168.1.10:161

# System contact information
syslocation  "Server Room Rack 3"
syscontact   "[email protected]"

# The rouser line was added automatically by net-snmp-create-v3-user
# rouser monitoruser

systemctl restart snmpd

Step 4 — Open the Firewall and Test with snmpwalk

Allow UDP port 161 through the firewall, then verify the setup from a remote host (or localhost) using snmpwalk.

firewall-cmd --add-service=snmp --permanent
firewall-cmd --reload

# Run from a remote monitoring host (replace 192.168.1.10 with your server IP)
snmpwalk -v3 -u monitoruser 
         -a SHA  -A 'MyAuthPass1!' 
         -x AES  -X 'MyPrivPass2@' 
         -l authPriv 
         192.168.1.10 1.3.6.1.2.1.1

A successful walk returns system information such as sysDescr, sysUpTime, and sysContact. If the command times out, check that snmpd is listening on the expected interface (ss -ulnp | grep 161) and that the firewall rule is applied.

Step 5 — Extend SNMP with Custom OIDs

The extend directive in snmpd.conf lets you expose the output of any shell command or script as an SNMP OID under the nsExtendOutput subtree. This is useful for exposing application-level metrics to your monitoring system without installing an agent plugin.

# /etc/snmp/snmpd.conf — add these lines

# Report disk usage of /var as a custom OID
extend var_disk_usage /bin/df -h /var --output=avail

# Report number of active Apache worker processes
extend apache_procs /bin/bash -c "pgrep -c httpd || echo 0"

systemctl restart snmpd

# Query the custom extension table from a remote host
snmpwalk -v3 -u monitoruser -a SHA -A 'MyAuthPass1!' 
         -x AES -X 'MyPrivPass2@' -l authPriv 
         192.168.1.10 NET-SNMP-EXTEND-MIB::nsExtendOutput1Table

Step 6 — Integrate with Nagios or Zabbix

With a working SNMPv3 agent, adding the host to Nagios or Zabbix is straightforward.

# Nagios: test SNMP check from the Nagios server
/usr/lib64/nagios/plugins/check_snmp 
  -H 192.168.1.10 
  -P 3 --seclevel=authPriv 
  -U monitoruser 
  -a SHA -A 'MyAuthPass1!' 
  -x AES -X 'MyPrivPass2@' 
  -o sysUpTime.0

In Zabbix, create a new host, set the SNMP interface to 192.168.1.10:161, and configure the SNMP macro credentials ({$SNMPV3_USER}, {$SNMPV3_AUTHPASS}, {$SNMPV3_PRIVPASS}) at the host level. Apply the built-in Linux by SNMP template to immediately start collecting CPU, memory, disk, and network metrics.

Conclusion

You have installed net-snmp on RHEL 8, created a secure SNMPv3 user with SHA authentication and AES encryption, hardened the agent configuration, and extended it with custom OIDs. The setup integrates cleanly with standard monitoring platforms like Nagios and Zabbix, giving you deep visibility into system health without exposing credentials in plaintext as older SNMP versions do.

Next steps: How to Monitor RHEL 8 Servers with Prometheus and Node Exporter, How to Configure SNMP Traps on RHEL 8, and How to Set Up Centralized Logging with Rsyslog on RHEL 8.