vSphere 6.5 SNMP Configuration

ESXi Config

On an ESXi host SNMP needs to be configured using esxcli to do anything useful.

[[email protected]:~] esxcli system snmp set --help
Usage: esxcli system snmp set [cmd options]

Description:
  set                   This command allows the user to set up ESX SNMP agent.

Cmd options:
  -a|--authentication=<str>
                        Set default authentication protocol. Values: none, MD5, SHA1
  -c|--communities=<str>
                        Set up to ten communities each no more than 64 characters. Format is: community1[,community2,...] (this overwrites previous
                        settings)
  -e|--enable           Start or stop SNMP service. Values: [yes|no, true|false, 0|1]
  -E|--engineid=<str>   Set SNMPv3 engine id. Must be at least 10 to 32 hexadecimal characters. 0x or 0X is stripped if found as well as colons (:)
  -y|--hwsrc=<str>      Where to source hardware events from IPMI sensors or CIM Indications. One of: indications|sensors
  -s|--largestorage     Support large storage for hrStorageAllocationUnits * hrStorageSize. Values: [yes|no, true|false, 0|1]. Control how the agent
                        reports hrStorageAllocationUnits, hrStorageSize and hrStorageUsed in hrStorageTable. Setting this directive to 1 to support large
                        storage with small allocation units, the agent re-calculates these values so they all fit Integer32 and hrStorageAllocationUnits *
                        hrStorageSize gives real size of the storage ( Note: hrStorageAllocationUnits will not be real allocation units if real
                        hrStorageSize won't fit into Integer32 ). Setting this directive to 0 turns off this calculation and the agent reports real
                        hrStorageAllocationUnits, but it might report wrong hrStorageSize for large storage because the value won't fit into Integer32.
  -l|--loglevel=<str>   System Agent syslog logging level: debug|info|warning|error
  -n|--notraps=<str>    Comma separated list of trap oids for traps not to be sent by agent. Use value 'reset' to clear setting
  -p|--port=<long>      Set UDP port to poll snmp agent on. The default is udp/161
  -x|--privacy=<str>    Set default privacy protocol. Values: none, AES128
  -R|--remote-users=<str>
                        Set up to five inform user ids. Format is: user/auth-proto/-|auth-hash/priv-proto/-|priv-hash/engine-id[,...] Where user is 32
                        chars max. auth-proto is none|MD5|SHA1, priv-proto is none|AES. '-' indicates no hash. engine-id is hex string '0x0-9a-f' up to 32
                        chars max.
  -r|--reset            Return agent configuration to factory defaults
  -C|--syscontact=<str> System contact string as presented in sysContact.0. Up to 255 characters
  -L|--syslocation=<str>
                        System location string as presented in sysLocation.0. Up to 255 characters.
  -t|--targets=<str>    Set up to three targets to send SNMPv1 traps to. Format is: ip-or-hostname[@port]/community[,...] The default port is udp/162.
                        (this overwrites previous settings)
  -u|--users=<str>      Set up to five local users. Format is: user/-|auth-hash/-|priv-hash/model[,...] Where user is 32 chars max. '-' indicates no hash.
                        Model is one of (none|auth|priv).
  -i|--v3targets=<str>  Set up to three SNMPv3 notification targets. Format is: ip-or-hostname[@port]/remote-user/security-level/trap|inform[,...].
[[email protected]:~]

First up you'll need to set the SNMP engine ID to something useful. It has to be 10 to 32 hexadecimal characters (a leading 0x and any colons are stripped, per the help above). 32 hex characters is, incidentally, the length of an MD5 digest, so I'm a big fan of using the MD5 hash of the primary control plane IPv4 address of the system being configured: it's unique per host and you can regenerate it later. Two things worth knowing before you pick one: the engine ID is not a secret (it travels in every SNMPv3 message), and the SNMPv3 user hashes you'll generate shortly are derived from it, so set it once, before creating users, and regenerate the hashes if you ever change it.

You can generate this on the ESXi host itself like so,

[[email protected]:~] echo -n '192.0.2.8' | md5sum
751e3dd87576bdc81d5d8d0a359f044e  -
[[email protected]:~] 

With that in hand, set the engine ID, the contact details (optional), the location (optional), and the default protocols: SHA1 for authentication and AES128 for privacy. Those are the strongest this version offers; the alternatives are MD5 and none, and neither belongs on a management plane. Like so,

[[email protected]:~] esxcli system snmp set -E 751e3dd87576bdc81d5d8d0a359f044e
[[email protected]:~] esxcli system snmp set -C "Root <[email protected]>"
[[email protected]:~] esxcli system snmp set -L "ADDRESS [LAT,LON]"
[[email protected]:~] esxcli system snmp set -a SHA1
[[email protected]:~] esxcli system snmp set -x AES128

To create an SNMPv3 user you'll need to generate hashes for the auth and encryption keys; esxcli won't accept raw passphrases in --users. Annoying, but not pointless: SNMPv3 (RFC 3414) derives a "localized" key from the passphrase and the agent's engine ID, and that localized key is what the agent stores, which is why the engine ID has to be set before you hash anything and why the hashes are only valid for this engine ID. Use esxcli system snmp hash for this. By default it expects each secret in a file; with --raw-secret it takes the secret on the command line, which also puts it in the shell history (the help text warns about exactly this). Thanks VMware.

[[email protected]:~] esxcli system snmp hash
Error: Missing required parameter -A|--auth-hash

Usage: esxcli system snmp hash [cmd options]

Description:
  hash                  Generate localized hash values based on this agents snmp engine id.

Cmd options:
  -A|--auth-hash=<str>  Secret to use when generating authentication hash. This should be a filename unless --raw-secret is specified. The authentication
                        hash is used in the --users option of 'esxcli system snmp set' (required secret)
                        WARNING: Providing secret values on the command line is insecure because it may be logged or preserved in history files. Instead,
                        specify this option with no value on the command line, and enter the value on the supplied prompt.
  -X|--priv-hash=<str>  Secret to use when generating privacy hash. This should be a filename unless --raw-secret is specified. The privacy hash is used in
                        the --users option of 'esxcli system snmp set'. (secret)
                        WARNING: Providing secret values on the command line is insecure because it may be logged or preserved in history files. Instead,
                        specify this option with no value on the command line, and enter the value on the supplied prompt.
  -r|--raw-secret       Make --auth-hash and --priv-hash options read raw secret from command line instead of file.
[[email protected]:~]
[[email protected]:~] esxcli system snmp hash --raw-secret -A example1234 -X example5678
   Authhash: c3baad1460cf7e5d0bded9a6c391ffe377ee4699
   Privhash: b15a608d236582d46d9191e06f52d014aa73b151
[[email protected]:~]

Now that you've got the hash values, use them to create an SNMPv3 user with the priv model, so both authentication and encryption are required. Note that the --raw-secret invocation above has left both passphrases in this shell's history; outside a lab, put the secrets in files or pass -A and -X with no value and type them at the prompt instead.

[[email protected]:~] esxcli system snmp set --users="v3username/c3baad1460cf7e5d0bded9a6c391ffe377ee4699/b15a608d236582d46d9191e06f52d014aa73b151/priv"
[[email protected]:~]

Even after all of this, SNMP is still not enabled, and you should test the config first using the esxcli system snmp test command.

[[email protected]:~] esxcli system snmp test
Must first configure at least one v1|v2c|v3 trap target

Oh wait... according to VMware, those pesky geniuses, you can't test without an SNMP trap or inform target. There is a reason, if not a thrilling one: the test works by sending a warmStart notification (see the output below), so with no target configured there is nothing for it to do.

So, plug in a v3 trap/inform target, or a v2c trap destination and community. The user named in a v3 target has to exist already; for an inform that means one defined with --remote-users, which carries the receiver's engine ID, as the help above describes. For example,

[[email protected]:~] esxcli system snmp set --v3targets="[email protected]/inform_user/priv/inform"
[[email protected]:~]

With that flaming hoop of stupid leapt through, you can now "test" the configuration,

[[email protected]:~] esxcli system snmp test
   Comments: There is 1 target configured, send warmStart requested, test completed normally.
[[email protected]:~]

Looks good, let's actually put it to use and enable SNMP...

[[email protected]:~] esxcli system snmp set --enable true
[[email protected]:~]

Command script template from the above,

esxcli system snmp set -E %{ENGINE_ID}%
esxcli system snmp set -C "Root <[email protected]>"
esxcli system snmp set -L "ADDRESS [LAT,LON]"
esxcli system snmp set -a SHA1
esxcli system snmp set -x AES128
esxcli system snmp set --users="%{USERNAME}%/%{AUTH_HASH}%/%{ENCR_HASH}%/priv"
esxcli system snmp set --v3targets="[email protected]/%{INFORM_USER}%/priv/inform"
esxcli system snmp test && esxcli system snmp set --enable true

Optional, in case your infrastructure is old and poxy: use an SNMPv1/v2c community for polling and a v2c trap target/community. Bear in mind the community string is sent in cleartext and is the only credential, so treat it like a password, don't reuse a v3 passphrase for it, and restrict the SNMP port to your pollers.

esxcli system snmp set -c %{COMMUNITY}%
esxcli system snmp set --targets="192.0.2.8/%{TRAP_COMMUNITY}%"

If you've got a Linux box with the Net-SNMP utils handy, use snmpget/snmpwalk to check access to the ESXi host using SNMPv3. The client takes the original passphrases (example1234/example5678 in the hash step above), not the localized hashes, and -A/-X on the command line end up in that box's shell history too,

[[email protected] ~]# snmpget -v 3 -l authPriv -u V3USERNAME -a SHA -A AUTH_KEY -x AES -X ENCR_KEY 192.0.2.1 SNMPv2-MIB::sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: VMware ESXi 6.5.0 build-5969303 VMware, Inc. x86_64
[[email protected] ~]#

Or if your infrastructure is old and poxy, use the SNMPv1/v2c community,

[[email protected] ~]# snmpget -v 2c -c COMMUNITY 192.0.2.1 SNMPv2-MIB::sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: VMware ESXi 6.5.0 build-5969303 VMware, Inc. x86_64
[[email protected] ~]#

vCenter Server Appliance Config

In true vendor form, vCenter is configured through an extremely similar interface that is just different enough to trip you up: on the appliance you use "vicfg-snmp" instead of esxcli.

[email protected] [ ~ ]# vicfg-snmp -h
Usage: vicfg-snmp [options]

Options:
  -h, --help            show this help message and exit
  -c COMMUNITIES, --communities=COMMUNITIES
                        Specifies communities, separated by commas. The settings specified using this option overwrite any previous settings. The settings
                        specified using this flag overwrite any previous settings.
  -D, --disable         Stops the SNMP service on the host.
  -e, --enable          Starts the SNMP service on the host.
  -p PORT, --port=PORT  Sets the port used by the SNMP agent. The default is UDP 161. This is the port that the SNMP service uses to listen on for polling
                        requests, such as GET requests. You can also configure the port that the SNMP agent sends data to on the target system using the
                        --targets option. That port is UDP 162 by default.
  -l LOGLEVEL, --loglevel=LOGLEVEL
                        System Agent syslog logging level: debug|info|warning|error|info|debug
  -r, --reset           Clears all previously-specified communities and targets.
  -s, --show            Displays the current SNMP configuration.
  -S, --stats           Displays the current SNMP agent runtime performance metrics.
  -t TARGETS, --targets=TARGETS
                        Sets the destination for (notifications) traps. You can specify multiple targets, separated by commas. The settings specified using
                        this flag overwrite any previous settings.
  -n NOTRAPS, --notraps=NOTRAPS
                        Comma separated list of trap oids for traps not to be sent by agent. Use value 'reset' to clear setting.
  -C SYSCONTACT, --syscontact=SYSCONTACT
                        System contact string as presented in sysContact.0. Up to 255 characters
  -L SYSLOCATION, --syslocation=SYSLOCATION
                        System location string as presented in sysLocation.0. Up to 255 characters.
  -E ENGINEID, --engineid=ENGINEID
                        System location string as presented in sysLocation.0. Up to 255 characters.
  -a AUTHENTICATION, --authentication=AUTHENTICATION
                        Set default authentication protocol. Values: none, MD5, SHA1
  -x PRIVACY, --privacy=PRIVACY
                        Set default privacy protocol. Values: none, AES128
  -u USERS, --users=USERS
                        Set up to five local users. Format is: user/-|auth-hash/-|priv-hash/model[,...] Where user is 32 chars max. '-' indicates no hash.
                        Model is one of (none|auth|priv).
  -i V3TARGETS, --v3targets=V3TARGETS
                        Set up to three SNMPv3 notification targets. Format is: ip-or-hostname[@port]/remote-user/security-level/trap|inform[,...].
  -T, --test            Sends a test notification that can be used to validate the SNMP configuration to the configured target or targets.
  -g, --debug           turn on pdb debugger, for technical support only.
[email protected] [ ~ ]#

Use the template script below, which is basically the same as the ESXi one above. The help for vicfg-snmp shows no hash subcommand, and the user hashes are localized to the agent's engine ID, so the values you put in --users must have been generated for the engine ID you give the VCSA; hashes produced on an ESXi host with a different engine ID won't work here.

vicfg-snmp -E %{ENGINE_ID}%
vicfg-snmp -C "Root <[email protected]>"
vicfg-snmp -L "ADDRESS [LAT,LON]"
vicfg-snmp -a SHA1
vicfg-snmp -x AES128
vicfg-snmp --users="%{USERNAME}%/%{AUTH_HASH}%/%{ENCR_HASH}%/priv"
vicfg-snmp --v3targets="[email protected]/%{INFORM_USER}%/priv/inform"
vicfg-snmp --test && vicfg-snmp --enable

Optional, in case your infrastructure is old and poxy,

vicfg-snmp -c %{COMMUNITY}%
vicfg-snmp --targets="192.0.2.8/%{TRAP_COMMUNITY}%"

If you've got a Linux box with the Net-SNMP utils handy, use snmpget/snmpwalk to check access to the vCenter Server Appliance using SNMPv3,

[[email protected] ~]# snmpget -v 3 -l authPriv -u V3USERNAME -a SHA -A AUTH_KEY -x AES -X ENCR_KEY 192.0.2.4 SNMPv2-MIB::sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: VMware-vCenter-Server-Appliance 6.5.0.14000 embedded build 7515524 VMware, Inc x86_64
[[email protected] ~]#

Or if your infrastructure is old and poxy, use the SNMPv1/v2c community,

[[email protected] ~]# snmpget -v 2c -c COMMUNITY 192.0.2.4 SNMPv2-MIB::sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: VMware-vCenter-Server-Appliance 6.5.0.14000 embedded build 7515524 VMware, Inc x86_64
[[email protected] ~]#
About Colin Stubbs
Brisbane, Queensland, Australia
Space monkey meat popsicle with technology and noise addictions.