How to Configure SNMP with net-snmp on RHEL 7
Simple Network Management Protocol (SNMP) is the industry standard for monitoring network devices, servers, and applications. Whether you use Nagios, Zabbix, Cacti, LibreNMS, or a commercial NMS, SNMP is the universal query language they all speak. RHEL 7 ships the mature net-snmp suite, which includes the snmpd agent daemon, a rich set of command-line tools, and the ability to extend SNMP with your own custom scripts. This tutorial takes you from a bare installation through SNMPv3 user creation, firewall configuration, OID testing, and custom extension scripts.
Prerequisites
- RHEL 7 server with network connectivity to a monitoring host.
- Root or sudo access.
- Basic understanding of OID (Object Identifier) tree concepts.
- A second host to run snmpwalk/snmpget queries against the server (or test from localhost).
Step 1: Install net-snmp and Utilities
sudo yum install -y net-snmp net-snmp-utils
The net-snmp package provides the snmpd daemon. The net-snmp-utils package provides the client tools: snmpwalk, snmpget, snmpset, snmptrap, and snmptranslate. Optionally install the net-snmp-perl package if you need Perl-based MIB processing.
rpm -qa | grep net-snmp
Step 2: Configure /etc/snmp/snmpd.conf
The default configuration file is verbose and full of examples. Back it up and create a clean, production-ready version:
sudo cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig
sudo vi /etc/snmp/snmpd.conf
Replace the contents with this well-structured configuration:
# -----------------------------------------------
# System identification
# -----------------------------------------------
syslocation "Server Room A, Rack 3, Unit 12"
syscontact "[email protected] (On-Call: 555-1234)"
# -----------------------------------------------
# Agent listening address
# Listen on UDP 161 on all IPv4 interfaces and on IPv6 loopback;
# restrict access by community source and view
# -----------------------------------------------
agentAddress udp:161,udp6:[::1]:161
# -----------------------------------------------
# SNMPv2c read-only community strings
# -----------------------------------------------
# Allow queries from a specific monitoring server only
rocommunity public 192.168.10.50
rocommunity netops 192.168.10.0/24
# -----------------------------------------------
# MIB-II view definitions
# -----------------------------------------------
# system MIB
view systemonly included .1.3.6.1.2.1.1
# hrSystem (host resources)
view systemonly included .1.3.6.1.2.1.25.1
# everything
view allview included .1
# -----------------------------------------------
# Access control for SNMPv2c
# -----------------------------------------------
access mygroup "" any noauth exact allview none none
# Group membership
group mygroup v2c public
# -----------------------------------------------
# Disk and load monitoring
# -----------------------------------------------
# Alert if / drops below 500 MB free
disk / 500000
# Load averages (1-min, 5-min, 15-min max)
load 12 10 8
# -----------------------------------------------
# Process monitoring
# -----------------------------------------------
proc sshd
proc httpd 10 1
# -----------------------------------------------
# Trap destination for SNMPv2c
# -----------------------------------------------
trap2sink 192.168.10.50 public
# -----------------------------------------------
# Logging
# -----------------------------------------------
dontLogTCPWrappersConnects yes
Key directives explained:
- rocommunity: Defines a read-only community string and optionally restricts it to a source IP or subnet. Never use public without an IP restriction in production.
- view: Defines named OID subtrees that can be exposed to access groups.
- access: Binds a group to a view with an authentication level (noauth, auth, priv).
- disk: Enables the dskTable OID so monitoring tools can read disk usage.
- proc: Enables the prTable OID for process monitoring.
Step 3: Create an SNMPv3 User
SNMPv2c sends community strings in plaintext — never acceptable for production traffic traversing untrusted networks. SNMPv3 provides authentication (HMAC-SHA) and encryption (AES). Create a user with net-snmp-config. The daemon must be stopped first:
sudo systemctl stop snmpd
sudo net-snmp-config --create-snmpv3-user \
    -ro \
    -A "MyAuthPassword1!" \
    -a SHA \
    -X "MyPrivPassword2!" \
    -x AES \
    monitoruser
Options explained:
- -ro: Read-only user.
- -A: Authentication passphrase (minimum 8 characters).
- -a SHA: Use SHA for authentication HMAC.
- -X: Privacy (encryption) passphrase.
- -x AES: Use AES-128 for encryption.
- monitoruser: The username.
This command writes a createUser line into /var/lib/net-snmp/snmpd.conf. Add the corresponding access line to /etc/snmp/snmpd.conf:
# SNMPv3 access for monitoruser
rouser monitoruser priv
The priv keyword requires both authentication and privacy encryption. Start the daemon:
sudo systemctl start snmpd
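The access rules from Steps 2 and 3 can be checked mechanically. The following is an added example, not part of the original tutorial or of net-snmp: a small lint that reads snmpd.conf text and reports communities with no source restriction, the well-known names public and private, write communities, and rouser/rwuser entries below priv. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint snmpd.conf text for weak access settings.

# Constructed sample input, not taken from a real host.
sample_conf() {
cat <<'EOF'
# constructed sample
rocommunity public
rocommunity netops 192.168.10.0/24
rwcommunity secretrw 192.168.10.50
rouser monitoruser priv
rouser legacyuser
rouser openuser noauth
EOF
}

# Reads snmpd.conf on stdin and prints one "line N: finding" per problem.
audit_snmpd_conf() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }         # skip blank lines and comments
    { d = tolower($1) }                   # directive names are case-insensitive
    d ~ /^r[ow]community6?$/ {
      v2c++
      if ($3 == "" || $3 == "default")    # no SOURCE argument means any host
        printf "line %d: community \"%s\" is accepted from any source\n", NR, $2
      if ($2 == "public" || $2 == "private")
        printf "line %d: well-known community name \"%s\"\n", NR, $2
      if (d ~ /^rw/)
        printf "line %d: community \"%s\" grants write access\n", NR, $2
    }
    d == "rouser" || d == "rwuser" {
      i = ($2 == "-s") ? 4 : 2            # skip optional "-s SECMODEL"
      level = ($(i + 1) == "") ? "auth" : $(i + 1)   # auth is the default level
      if (level != "priv")
        printf "line %d: user \"%s\" allowed at level %s, without encryption\n", NR, $i, level
    }
    END {
      if (v2c)
        printf "summary: %d SNMPv1/v2c community line(s), sent in cleartext\n", v2c
    }
  '
}

sample_conf | audit_snmpd_conf
```

To check a live agent, run audit_snmpd_conf < /etc/snmp/snmpd.conf as root.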
Step 4: Enable and Start snmpd
sudo systemctl enable snmpd
sudo systemctl start snmpd
sudo systemctl status snmpd
Step 5: Open the Firewall
sudo firewall-cmd --permanent --add-port=161/udp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
If you are also receiving SNMP traps (port 162), add that as well:
sudo firewall-cmd --permanent --add-port=162/udp
sudo firewall-cmd --reload
Step 6: Test with snmpwalk and snmpget
From the monitoring host (or localhost), test SNMPv2c:
# Walk the entire system MIB
snmpwalk -v2c -c public 192.168.10.5 system
# Get a single OID: sysDescr
snmpget -v2c -c public 192.168.10.5 .1.3.6.1.2.1.1.1.0
# Walk disk table
snmpwalk -v2c -c public 192.168.10.5 .1.3.6.1.4.1.2021.9
# Walk process table
snmpwalk -v2c -c public 192.168.10.5 .1.3.6.1.4.1.2021.2
Test SNMPv3 with authentication and privacy:
snmpwalk \
    -v3 \
    -l authPriv \
    -u monitoruser \
    -A "MyAuthPassword1!" \
    -a SHA \
    -X "MyPrivPassword2!" \
    -x AES \
    192.168.10.5 system
A successful walk returns dozens of OIDs beginning with SNMPv2-MIB::sysDescr.0.
Step 7: Extend SNMP with Custom Scripts
The extend directive in snmpd.conf runs an arbitrary command and exposes its output under the NET-SNMP-EXTEND-MIB. This lets you expose any metric — CPU temperature, application queue depth, licence counts — without writing a full MIB.
Example: expose the number of logged-in users:
# In /etc/snmp/snmpd.conf
extend logged_users /bin/sh -c "who | wc -l"
Example: expose a custom application health check:
extend app_health /usr/local/bin/check_app_health.sh
The script at /usr/local/bin/check_app_health.sh should return 0 for OK, non-zero for error, and print a single line of output:
#!/bin/bash
# check_app_health.sh
if systemctl is-active --quiet myapp; then
    echo "OK"
    exit 0
else
    echo "FAILED"
    exit 1
fi
sudo chmod +x /usr/local/bin/check_app_health.sh
sudo systemctl restart snmpd
Query the extended OID:
snmpwalk -v2c -c public 192.168.10.5 NET-SNMP-EXTEND-MIB::nsExtendOutput1Table
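An extend program runs with the privileges of the snmpd process, so a script that other accounts can modify lets them change what the agent executes. This added example (not from the original tutorial or from net-snmp) lists extend programs that are missing, have an unexpected owner, or are group- or world-writable. The function names, the demo files and the OID in the demo are constructed, and the default owner uid 0 assumes snmpd runs as root.

```sh
#!/bin/sh
# Added example: check the programs named by "extend" lines in snmpd.conf.

# check_extend_perms CONF [OWNER_UID]
# Prints one line per extend program that is missing, not owned by
# OWNER_UID, or writable by group or others.
check_extend_perms() {
  conf=$1
  want_uid=${2:-0}   # assumption: snmpd runs as root (uid 0)
  # Syntax is: extend [MIBOID] NAME PROG [ARGS]; PROG is field 4 with a MIBOID
  awk 'tolower($1) == "extend" { print (($2 ~ /^\./) ? $4 : $3) }' "$conf" |
  while read -r prog; do
    if [ ! -e "$prog" ]; then
      echo "$prog: missing"
      continue
    fi
    # -L follows symlinks, -n prints the numeric owner as field 3
    set -- $(ls -ldLn "$prog")
    mode=$1 uid=$3
    [ "$uid" = "$want_uid" ] || echo "$prog: owned by uid $uid, expected $want_uid"
    case $mode in
      ?????w*|????????w*) echo "$prog: writable by group or others ($mode)" ;;
    esac
  done
}

# Constructed demo: stand-in scripts in a temp dir, checked against the
# current uid so the demo runs without root.
demo() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho OK\n' > "$dir/good.sh"
  cp "$dir/good.sh" "$dir/loose.sh"
  chmod 755 "$dir/good.sh"
  chmod 777 "$dir/loose.sh"
  cat > "$dir/snmpd.conf" <<EOF
extend good_check $dir/good.sh
extend .1.3.6.1.4.1.2021.50 loose_check $dir/loose.sh
extend gone_check $dir/gone.sh
EOF
  check_extend_perms "$dir/snmpd.conf" "$(id -u)"
  rm -rf "$dir"
}

demo
```

On the server itself, run check_extend_perms /etc/snmp/snmpd.conf after every change to an extend line or to the scripts it names.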
Step 8: Translate OIDs to Human-Readable Names
MIBs translate raw numeric OIDs into names. net-snmp ships many standard MIBs. Use snmptranslate to convert between formats:
# Name to numeric
snmptranslate -IR -On sysDescr
# Numeric to name
snmptranslate .1.3.6.1.2.1.1.1.0
# Walk and print OIDs in numeric form
snmpwalk -v2c -c public -On 192.168.10.5 system
Conclusion
You have installed net-snmp on RHEL 7, configured /etc/snmp/snmpd.conf with IP-restricted SNMPv2c communities, created a fully encrypted SNMPv3 user with SHA authentication and AES privacy, opened the firewall for UDP/161, and validated the configuration with snmpwalk and snmpget. You also extended the agent with a custom shell script exposed via the extend directive. This foundation integrates directly with any standard monitoring platform. For production deployments, disable SNMPv2c entirely, use only SNMPv3 with authPriv security level, and rotate authentication passphrases quarterly to maintain compliance with most security frameworks.