How to Configure SNMP v3 for Network Monitoring in 2026

Introduction

SNMP (Simple Network Management Protocol) is the standard protocol for monitoring and managing network devices like routers, switches, and servers. In 2026, amid rising cyber threats, SNMP v3 stands out as the secure choice with authentication and encryption, unlike vulnerable v1/v2c versions susceptible to sniffing attacks.

This intermediate tutorial guides you step by step through configuring an SNMP v3 agent on Ubuntu 24.04, testing MIB queries, and automating monitoring with Python. You'll learn to pull key metrics like CPU usage, system load, and network interfaces—essential for tools like Grafana or Zabbix. Picture your network infrastructure under proactive watch: early failure detection and real-time alerts. By the end, you'll have a production-ready, scalable, secure setup worth bookmarking for any experienced sysadmin.

Prerequisites

  • Ubuntu 24.04 LTS server (or Debian equivalent) with root/sudo access
  • Basic Linux admin and networking knowledge (UDP ports 161/162)
  • Python 3.12+ installed
  • Internet access for packages
  • Firewall configured (ufw or firewalld) to allow SNMP

Install net-snmp

terminal-install.sh
#!/bin/bash
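apt update
# 'snmp' ships the client tools (snmpget, snmpwalk); libsnmp-dev ships net-snmp-create-v3-user
apt install -y snmp snmp-mibs-downloader snmpd libsnmp-dev python3-venv
# Ubuntu 24.04 refuses system-wide pip installs (PEP 668), so install pysnmp in a virtual environment
python3 -m venv /opt/snmp-venv
/opt/snmp-venv/bin/pip install pysnmp

This script updates the package index, installs the SNMP agent (snmpd), the client tools (snmp), MIBs for decoding OIDs, and pysnmp for Python scripts. The virtual environment path /opt/snmp-venv is only an example; run the Python script later in this tutorial with /opt/snmp-venv/bin/python. Run with sudo to avoid permission errors.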

Understand Basic SNMP v2c Configuration

Before SNMP v3, let's test a simple v2c config to validate the installation. SNMP uses OIDs (Object Identifiers) organized in a MIB tree to expose metrics. For example, 1.3.6.1.2.1.1.1.0 (.iso.org.dod.internet.mgmt.mib-2.system.sysDescr) returns the system description. The agent listens on UDP 161, traps on 162.

Basic v2c snmpd.conf Configuration

/etc/snmp/snmpd.conf
sysLocation "Data Center, Room 1"
sysContact "admin@example.com"

# Define the restricted view (system group and hrSystemUptime)
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1

# Apply the view: 'public' is accepted from localhost only and sees only systemview
rocommunity public localhost -V systemview
rocommunity public 127.0.0.1 -V systemview

This file restricts 'public' access from localhost with limited views (system and host resources). Back up the original config (/etc/snmp/snmpd.conf.default) before editing. It exposes sysDescr and hrSystemUptime with minimal risk.

Restart and Test SNMP v2c

terminal-test-v2c.sh
#!/bin/bash
systemctl restart snmpd
systemctl enable snmpd
systemctl status snmpd

# Test
snmpget -v 2c -c public localhost .1.3.6.1.2.1.1.1.0
snmpwalk -v 2c -c public localhost .1.3.6.1.2.1.1

Restarts the agent, enables it at boot, and checks status. snmpget queries a single OID (sysDescr), snmpwalk lists the entire system branch. Output like 'Linux ubuntu 6.x' confirms success.

Upgrade to SNMP v3 for Security

SNMP v3 introduces USM (User-based Security Model) with authNoPriv (HMAC-MD5), authPriv (SHA+AES), and noAuthNoPriv. Create a 'monuser' user with SHA-256 auth and AES-192 encryption. Think of it like a safe with a key plus PIN code, unlike v2c's plaintext password.

Configure SNMP v3 in snmpd.conf

/etc/snmp/snmpd.conf
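# Remove the v2c rocommunity lines, then add the v3 user.
# createUser defines the credentials; the passphrases stay in cleartext in this file,
# so keep it readable by root only.
createUser monuser SHA "motdepasseSHA" AES "motdepasseAES"

# Group and view
group MonGroup usm monuser

view all included .1
# The noauth line answers unauthenticated requests for monuser. It exists only for the
# noAuthNoPriv test and should be removed once testing is done.
access MonGroup "" any noauth exact all none none
access MonGroup "" any auth exact all none none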

Creates the 'monuser' user with SHA auth and AES encryption. The group and access lines give it the 'all' view for reads; the write and notify views are 'none'. Restart snmpd afterward. Use strong passphrases (min 8 chars, >15 ideal).

Create SNMP v3 User

terminal-create-user.sh
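#!/bin/bash
# snmpd must be stopped while the user is created
systemctl stop snmpd
# -a SHA and -x AES match the protocols used in the tests below
net-snmp-create-v3-user -ro -A "motdepasseSHA" -X "motdepasseAES" -a SHA -x AES monuser
systemctl start snmpd

# Test v3 noAuthNoPriv
snmpget -v 3 -u monuser -l noAuthNoPriv localhost .1.3.6.1.2.1.1.1.0

# Test v3 authNoPriv
snmpget -v 3 -u monuser -l authNoPriv -a SHA -A "motdepasseSHA" localhost .1.3.6.1.2.1.1.1.0

# Test v3 authPriv
snmpget -v 3 -u monuser -l authPriv -a SHA -A "motdepasseSHA" -x AES -X "motdepasseAES" localhost .1.3.6.1.2.1.1.1.0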

net-snmp-create-v3-user auto-generates USM keys and updates snmpd.conf. Tests validate all three security levels. 'Unknown user' error means bad restart or passphrase mismatch.

Automate Queries with Python

pysnmp is the standard Python library for SNMP. It handles versions, MIBs, and traps. Example: query CPU load through OID .1.3.6.1.4.1.2021.11.11.0 (ssCpuIdle in UCD-SNMP-MIB, the percentage of idle CPU time) and log in JSON for ELK or InfluxDB.

Python SNMP v3 Monitoring Script

snmp_monitor.py
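from pysnmp.hlapi import (
    SnmpEngine, UsmUserData, UdpTransportTarget, ContextData,
    ObjectType, ObjectIdentity, getCmd,
    usmHMACSHAAuthProtocol, usmAesCfb128Protocol,
)

host = 'localhost'
port = 161
# UCD-SNMP-MIB ssCpuIdle.0: percentage of CPU time spent idle
oid_cpu = '1.3.6.1.4.1.2021.11.11.0'

# SNMPv3 credentials go in UsmUserData (CommunityData only carries v1/v2c communities).
# The protocols must match the ones the user was created with (SHA and AES).
# getCmd is used because the OID is a scalar instance (.0), not a subtree to walk.
iterator = getCmd(
    SnmpEngine(),
    UsmUserData('monuser', authKey='motdepasseSHA', privKey='motdepasseAES',
                authProtocol=usmHMACSHAAuthProtocol,
                privProtocol=usmAesCfb128Protocol),
    UdpTransportTarget((host, port)),
    ContextData(),
    ObjectType(ObjectIdentity(oid_cpu))
)

for errorIndication, errorStatus, errorIndex, varBinds in iterator:
    if errorIndication:
        # Transport or security error (timeout, wrong user, wrong key)
        print(errorIndication)
        break
    elif errorStatus:
        # Error reported by the agent in the response PDU
        print('%s at %s' % (errorStatus.prettyPrint(),
                            errorIndex and varBinds[int(errorIndex) - 1][0] or '?'))
        break
    else:
        for varName, varValue in varBinds:
            print('CPU idle (ssCpuIdle): %s%%' % varValue.prettyPrint())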

This script queries the CPU load OID via SNMP v3 authPriv. It handles errors and iterates responses. Run with 'python snmp_monitor.py'. Adapt for multiprocessing or Prometheus exporter.

Configure SNMP Traps

/etc/snmp/snmptrapd.conf
authCommunity log,execute,net public
traphandle default /usr/bin/snmptrap-handler.sh

# Trap format (format2 applies to SNMPv2 notifications)
format2 %A %V %h %q %w %t %v

# Start the trap receiver
# systemctl enable snmptrapd && systemctl start snmptrapd

Sets up the trap receiver (UDP 162). Traps are async alerts sent by the agent. The handler runs a custom script. Test with 'snmptrap -v 3 ...'.
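One way to write the handler body, as an added example that is not part of the original tutorial: snmptrapd passes a traphandle program the sender's hostname, its address, and then one "OID value" line per varbind on stdin, and because `authCommunity ... execute ... public` lets any sender that knows the community trigger it, every field is treated as untrusted. The limits, the `--stdin` switch and the sample trap are assumptions of this sketch.

```python
import json
import re
import sys

MAX_VARBINDS = 64      # limits chosen for this example
MAX_VALUE_LEN = 512
OID_RE = re.compile(r"[A-Za-z0-9.:_-]+")
# Symbolic and numeric spellings of snmpTrapOID.0
TRAP_OID_NAMES = {"SNMPv2-MIB::snmpTrapOID.0", ".1.3.6.1.6.3.1.1.4.1.0",
                  "iso.3.6.1.6.3.1.1.4.1.0"}

def clean(text):
    """Drop control characters and cap the length of sender-supplied text."""
    return "".join(c for c in text if c.isprintable())[:MAX_VALUE_LEN]

def parse_trap(raw):
    """Parse traphandle stdin: hostname, address, then one 'OID value' per line."""
    lines = raw.splitlines()
    if len(lines) < 2:
        raise ValueError("expected hostname and address lines")
    event = {"host": clean(lines[0]), "source": clean(lines[1]),
             "trap_oid": None, "varbinds": {}, "rejected": 0}
    for line in lines[2:2 + MAX_VARBINDS]:
        oid, _, value = line.partition(" ")
        if not OID_RE.fullmatch(oid):
            event["rejected"] += 1      # malformed line: count it, do not store it
            continue
        if oid in TRAP_OID_NAMES:
            event["trap_oid"] = clean(value)
        else:
            event["varbinds"][oid] = clean(value)
    return event

# Constructed sample of what snmptrapd would write to the handler's stdin
SAMPLE = (
    "router1.example.com\n"
    "UDP: [192.0.2.10]:49152->[192.0.2.1]:162\n"
    "DISMAN-EVENT-MIB::sysUpTimeInstance 0:1:02:03.45\n"
    "SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkDown\n"
    "IF-MIB::ifIndex.2 2\n"
    "IF-MIB::ifDescr.2 eth1\x1b[2J\n"
    "bad|oid value\n"
)

if __name__ == "__main__":
    raw = sys.stdin.read() if "--stdin" in sys.argv[1:] else SAMPLE
    print(json.dumps(parse_trap(raw), sort_keys=True))
```

The output is one JSON line per trap, which can be appended to a log file or shipped to a SIEM without ever passing trap contents through a shell.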

Best Practices

  • Always use SNMP v3: Avoid v1/v2c in production; opt for authPriv with AES-256.
  • Restricted MIB views: Limit exposed OIDs (e.g., no ifTable for security).
  • Unique passphrases: >20 chars, rotate every 90 days via net-snmp-config.
  • Log monitoring: Watch /var/log/syslog for 'snmpd' and integrate with SIEM.
  • Strict firewall: ufw allow from MONITOR_IP to any port 161 proto udp.
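The checks above and the snmpd.conf directives from the v3 section can be verified mechanically. The following is an added example, not code from the tutorial or from Net-SNMP: a small auditor that reads snmpd.conf text and reports community strings, weak or missing USM protocols, short passphrases, access below authPriv, write views, and whole-tree views. The sample config is constructed, and the 21-character threshold is this sketch's reading of ">20 chars".

```python
import shlex

MIN_PASSPHRASE = 21  # Best Practices above ask for more than 20 characters

def audit_snmpd_conf(text):
    """Return (line_no, finding) tuples for risky directives in snmpd.conf text."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)  # honours quotes, drops '#' comments
        if not tok:
            continue
        key, a = tok[0].lower(), tok[1:]
        if key in ("rocommunity", "rwcommunity", "com2sec"):
            out.append((no, "v1/v2c community enabled (sent in cleartext)"))
        elif key == "createuser":
            if a[:1] == ["-e"]:  # optional engine ID argument
                a = a[2:]
            auth, priv = a[1:2], a[3:4]
            if not auth or auth[0].upper() == "MD5":
                out.append((no, "weak or missing authentication protocol"))
            if not priv or priv[0].upper() == "DES":
                out.append((no, "weak or missing privacy protocol"))
            if any(len(p) < MIN_PASSPHRASE for p in a[2:5:2]):
                out.append((no, "passphrase shorter than %d characters" % MIN_PASSPHRASE))
        elif key in ("rouser", "rwuser"):
            if (a[1:2] or ["auth"])[0].lower() != "priv":  # level defaults to auth
                out.append((no, "user is not forced to authPriv"))
        elif key == "access" and len(a) >= 8:
            if a[3].lower() != "priv":
                out.append((no, "level '%s' accepts unencrypted requests" % a[3]))
            if a[6] != "none":
                out.append((no, "write view '%s' granted" % a[6]))
        elif key == "view" and a[1:2] == ["included"] and a[2:3] in ([".1"], ["1"]):
            out.append((no, "view '%s' exposes the whole OID tree" % a[0]))
    return out

# Constructed sample built from the directives discussed on this page
SAMPLE = """\
rocommunity public localhost
createUser monuser SHA "motdepasseSHA" AES "motdepasseAES"
rouser monuser
view all included .1
access MonGroup "" any noauth exact all none none
access MonGroup "" any priv exact systemview none none
"""

if __name__ == "__main__":
    for no, finding in audit_snmpd_conf(SAMPLE):
        print("line %d: %s" % (no, finding))
```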

Common Errors to Avoid

  • Forgot to restart snmpd: Changed config? Always run 'systemctl restart snmpd' or get 'No Such Name'.
  • Passphrase mismatch: 'Unknown user name' error; recreate with net-snmp-create-v3-user.
  • MIBs not installed: 'snmptranslate' fails; install snmp-mibs-downloader.
  • Blocked port: Check 'netstat -ulpn | grep 161' and firewall (ufw status verbose).

Next Steps

  • Integrate with Prometheus + SNMP Exporter for Grafana dashboards.
  • Explore NetSNMP Python API for custom agents.
  • Read the official docs: Net-SNMP.
  • Check out our advanced monitoring trainings for Zabbix, Nagios, and cloud observability.