net-snmp 5.3.2.2 filling /var/log/messages - problem description and solution

Overview

In the most recent (as of April 2009) Red Hat Enterprise Linux (RHEL) 5 / CentOS 5 RPM of net-snmp (net-snmp-5.3.2.2-5.el5) there is a bug affecting the logging functionality of snmpd.

The default installation causes messages like the following to fill the syslog:

Apr 23 22:35:02 hostname snmpd[25564]: Connection from UDP: [127.0.0.1]:52863
Apr 23 22:35:02 hostname snmpd[25564]: Received SNMP packet(s) from UDP: [127.0.0.1]:52863

The man page and “snmpd --help” output indicate that you can control the priority of the logging messages that you want sent to syslog:

Man page of snmpcmd

...
       -Ls FACILITY
              Log  messages  via  syslog,  using  the  specified  facility  ('d' for
              LOG_DAEMON, 'u'  for  LOG_USER,  or  '0'-'7'  for  LOG_LOCAL0  through
              LOG_LOCAL7).

       There  are  also  "upper case" versions of each of these options, which allow
       the corresponding logging mechanism to be restricted to certain priorities of
       message.  Using standard error logging as an example:

       -LE pri
              will log messages of priority 'pri' and above to standard error.

       -LE p1-p2
              will  log  messages with priority between 'p1' and 'p2' (inclusive) to
              standard error.

       For -LF and -LS the priority specification comes before the file or  facility
       token.  The priorities recognised are:

              0 or !  for LOG_EMERG,
              1 or a for LOG_ALERT,
              2 or c for LOG_CRIT,
              3 or e for LOG_ERR,
              4 or w for LOG_WARNING,
              5 or n for LOG_NOTICE,
              6 or i for LOG_INFO, and
              7 or d for LOG_DEBUG.

       Normal output is (or will be!) logged at a priority level of LOG_NOTICE

snmpd --help

...
  -L <LOGOPTS>          toggle options controlling where to log to
        e:           log to standard error
        o:           log to standard output
        n:           don't log at all
        f file:      log to the specified file
        s facility:  log to syslog (via the specified facility)

        (variants)
        [EON] pri:   log to standard error, output or /dev/null for level 'pri' and above
        [EON] p1-p2: log to standard error, output or /dev/null for levels 'p1' to 'p2'
        [FS] pri token:    log to file/syslog for level 'pri' and above
        [FS] p1-p2 token:  log to file/syslog for levels 'p1' to 'p2'

Cause of the problem

This is caused by a bug which was patched in patch 1806336 and released in net-snmp 5.4.2.1 (changelog here).

As of net-snmp-5.3.2.2-5.el5.i386.rpm this patch has not been backported into the 5.3.2.2 rpm.

Solution

Your options are:

  • find an RPM of net-snmp at 5.4.2 or newer with the patch
  • turn off all logging by using either the “-Ln” or the “-Lf /dev/null” parameters. This can be done in the /etc/sysconfig/snmpd.options file by changing the default contents of:

    # snmpd command line options
    # OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a"

    to

    # snmpd command line options
    # OPTIONS="-Lsd -Lf /dev/null -p /var/run/snmpd.pid -a"
    OPTIONS="-Lf /dev/null -p /var/run/snmpd.pid -a"

  • configure syslog to send all messages of a given facility (facility 0 - 7) to a separate file, then configure net-snmp to send to that facility. This will prevent the messages from filling your /var/log/messages file, but you’ll still be able to look at them if you need to.
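
The third option as shell functions (an added example, not part of the original post). It assumes the stock RHEL/CentOS 5 sysklogd /etc/syslog.conf layout, facility local0, and /var/log/snmpd.log as a hypothetical file name; "-Ls0" follows the form of the default "-Lsd" with the facility characters listed in the man page.

```shell
#!/bin/sh
# Added example. Assumed: sysklogd-style syslog.conf, constructed file names.

# route_snmpd_log CONF FACILITY_NUMBER LOGFILE
#   1. adds "localN.none" to each selector that writes to /var/log/messages,
#      so snmpd's connection messages stop landing there
#   2. appends "localN.*  LOGFILE" so the messages are kept in their own file
# Running it twice leaves the file unchanged.
route_snmpd_log() {
    rs_conf=$1 rs_fac="local$2" rs_log=$3
    case $2 in
        [0-7]) ;;
        *) echo "facility must be 0-7" >&2; return 1 ;;
    esac

    rs_tmp=$(mktemp) || return 1
    # Only touch active lines whose action is /var/log/messages and that do
    # not already exclude this facility.
    sed -e "\|^[^#[:space:]].*[[:space:]]-*/var/log/messages[[:space:]]*\$|{" \
        -e "/${rs_fac}\.none/!s|^[^[:space:]]*|&;${rs_fac}.none|" \
        -e "}" "$rs_conf" > "$rs_tmp" && cat "$rs_tmp" > "$rs_conf"
    rm -f "$rs_tmp"

    # Add the dedicated destination once.
    grep -q "^${rs_fac}\.\*[[:space:]]" "$rs_conf" ||
        printf '%s.*\t%s\n' "$rs_fac" "$rs_log" >> "$rs_conf"
}

# snmpd_options FACILITY_NUMBER
#   Prints the line to place in /etc/sysconfig/snmpd.options: the default
#   options from the post with the syslog facility changed from 'd' to N.
snmpd_options() {
    printf 'OPTIONS="-Ls%s -Lf /dev/null -p /var/run/snmpd.pid -a"\n' "$1"
}

# Typical use, as root:
#   route_snmpd_log /etc/syslog.conf 0 /var/log/snmpd.log
#   snmpd_options 0    # copy the output into /etc/sysconfig/snmpd.options
```

Restart syslog and snmpd afterwards so both pick up the change, and add the new file to log rotation.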