Configuring SNMP on ESXi is actually easy, so long as you can either log in to the console or enable SSH on your host. The steps to enable SSH are as follows:
- Log in to your preferred vSphere client
- Select your host and click ‘Manage’, ensure you’re on the ‘Settings’ tab
- Click ‘Security Profile’
- In the ‘Services’ section, click Edit
- Select SSH: To temporarily start or stop the service, click the Start or Stop button or to change the Startup policy across reboots, select Start and stop with host and reboot the host.
- Click OK
Now that you have SSH access, determine whether you want to use SNMP v2 or SNMP v3. If you are a security-minded individual, as you should be in today’s IT world, you should use SNMP v3, as it offers authentication and encryption whereas SNMP v2 does not.
Once you have access to the command line, run the commands below. From the console you’ll need to type them out manually; over SSH you can simply copy and paste them. Be sure to replace ‘YOUR_STRING’ with your desired SNMP community string and ‘TARGET_ADDRESS@PORT’ with the address and port of the system that should receive traps.
esxcli system snmp set --communities YOUR_STRING
esxcli system snmp set --targets TARGET_ADDRESS@PORT/YOUR_STRING
esxcli system snmp set --enable true
esxcli network firewall ruleset set --ruleset-id snmp --allowed-all true
esxcli network firewall ruleset set --ruleset-id snmp --enabled true
/etc/init.d/snmpd restart
If you want to use SNMP v3 for its encryption and authentication capabilities, then follow these steps. Note that the engine ID specified below is a sample. The engine ID must be a hexadecimal string between 5 and 32 characters long. If you’re unfamiliar with hexadecimal, simply open the Calculator application on Windows (Start > Run > calc) and switch the view to ‘Programmer’. By default, ‘Dec’ is selected on the left side. Feel free to type in some random string of numbers and then hit ‘Hex’ on the left side. The sample below is based on entering ‘123456789’ in the calculator and then converting to Hex.
Once you have your engine ID worked out, next you’ll want to determine the authentication and privacy protocols. For authentication protocols, the accepted values are: none (no authentication), SHA1, or MD5. For privacy protocols, the accepted values are: none or AES128. I suggest using SHA1 and AES128 and that is what will be in the sample below.
esxcli system snmp set --engineid 75BCD15
esxcli system snmp set --authentication SHA1
esxcli system snmp set --privacy AES128
Now that we’re done setting this piece up, we also need to configure an SNMP v3 user. Run the command below to create an authentication and privacy hash. Replace ‘YourPassword’ with your desired passwords, noting that they do not have to match.
esxcli system snmp hash --auth-hash YourPassword --priv-hash YourPassword --raw-secret
This will give you an output that looks similar to this:
Authhash: 08248c6eb8b333e75a29ca0af06b224faa7d22d6
Privhash: 232ba5cbe8c55b8f979455d3c9ca8b48812adb97
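What values like these Authhash and Privhash strings represent, as an added example (not code from the original post or from VMware): it assumes ESXi derives them with the standard RFC 3414 password-to-key localization for SHA1, and it is checked against the RFC's own test vector. The engine ID bytes an agent uses on the wire can differ from the short string you configure, so this is not expected to reproduce the sample hashes above.

```python
import hashlib

MEGABYTE = 1024 * 1024  # RFC 3414 A.2 expands the password to 1,048,576 octets


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Derive the engine-independent key Ku from a password (RFC 3414 A.2)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(MEGABYTE, len(password))
    # Repeating the password and truncating at 1 MiB is equivalent to the
    # RFC's 64-byte circular-buffer loop.
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_hash(password: str, engine_id_hex: str, hash_name: str = "sha1") -> str:
    """Return the localized key as hex, the same shape as an Authhash/Privhash."""
    engine_id = bytes.fromhex(engine_id_hex)  # full engine ID as sent on the wire
    ku = password_to_key(password.encode("utf-8"), hash_name)
    return localize_key(ku, engine_id, hash_name).hex()


if __name__ == "__main__":
    # Constructed inputs: the RFC 3414 A.3.2 test vector, not values from an ESXi host.
    rfc_engine = "000000000000000000000002"
    print("engine A:", localized_hash("maplesyrup", rfc_engine))
    # Same password, different engine ID: the localized key changes completely.
    print("engine B:", localized_hash("maplesyrup", "000000000000000000000003"))
```

Under that assumption, a hash is tied to the engine ID that was set when it was generated, and anyone holding the hash can authenticate as the user to that engine, so treat it like the password itself.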
Now that you have your authhash and privhash, we can create the SNMP v3 user itself using these hashes. Replace userid, authhash, and privhash with your desired username and the authhash and privhash from your previously run command. In my example, I will use wugninja and the hashes from above. The last portion accepts the following values: auth (for authentication only), priv (for authentication and privacy), or none (for no authentication or privacy). Obviously we want to use priv, since we went through the trouble of doing it right from the start! In the second command, replace ‘TARGET_ADDRESS@PORT’ with the address and port of the system that should receive traps.
esxcli system snmp set --users wugninja/08248c6eb8b333e75a29ca0af06b224faa7d22d6/232ba5cbe8c55b8f979455d3c9ca8b48812adb97/priv
esxcli system snmp set --v3targets TARGET_ADDRESS@PORT/wugninja/priv/trap
We should be all set now, but to make sure, you can test your user from the command line as well. Replace the values in the command below with your created username and password(s). I will use my example from above again.
esxcli system snmp test --users wugninja --auth-hash 08248c6eb8b333e75a29ca0af06b224faa7d22d6 --priv-hash 232ba5cbe8c55b8f979455d3c9ca8b48812adb97
If the configuration is correct, this command returns the message, “User username validated correctly using engine id and security level: protocols,” where protocols indicates the security protocols configured.
Our very last step is ensuring SNMP is enabled and allowed through the firewall:
esxcli system snmp set --enable true
esxcli network firewall ruleset set --ruleset-id snmp --allowed-all true
esxcli network firewall ruleset set --ruleset-id snmp --enabled true
/etc/init.d/snmpd restart
WhatsUp® Gold Credential
From the WhatsUp® Gold end, we would now add our credential to the credential library. Note that there are different credential types for SNMP v2 and SNMP v3, so be sure to select the appropriate one! Once all is said and done, you can test SNMP by using the ‘SNMP MIB Walker’ included with WhatsUp® Gold. Just point the MIB Walker to the IP of your ESXi host, specify the credential you just added, use 1. for your OID and hit ‘Walk’. If everything is working as expected, the MIB Walker will start showing you some SNMP values.
A side note to all of this is that not all of the VMware related MIBs are loaded to WhatsUp® Gold by default. Although it is not required in order to monitor ESXi, if you plan to make some custom monitors based off SNMP values or traps then loading the MIBs will simplify this process for you. You can easily add the MIBs to WhatsUp® Gold by downloading the latest ones from VMware here: https://kb.vmware.com/s/article/1013445 and then copying the file to InstallDirectory\Ipswitch\WhatsUp\Data\mibs and restarting your WhatsUp® Gold services. If you can’t find the download on the KB article above, try the link here: Direct Download