Contributors: Glenn Chisholm.
True SNMP support is available in squid 2 and above. A significant change in the implimentation occured starting with the development 2.2 code. Therefore there are two sets of instructions on how to configure SNMP in squid, please make sure that you follow the correct one.
To use SNMP, it must first be enabled with the configure script, and squid rebuilt. To enable is first run the script:
./configure --enable-snmp [ ... other configure options ]Next, recompile after cleaning the source tree :
make clean make all make installOnce the compile is completed and the new binary is installed the squid.conf file needs to be configured to allow access; the default is to deny all requests. The instructions on how to do this have been broken into two parts, the first for all versions of Squid from 2.2 onwards and the second for 2.1 and below.
To configure SNMP first specify a list of communities that you would like to allow access by using a standard acl of the form:
acl aclname snmp_community stringFor example:
acl snmppublic snmp_community public acl snmpjoebloggs snmp_community joebloggsThis creates two acl's, with two different communities, public and joebloggs. You can name the acl's and the community strings anything that you like.
To specify the port that the agent will listen on modify the "snmp_port" parameter, it is defaulted to 3401. The port that the agent will forward requests that can not be furfilled by this agent to is set by "forward_snmpd_port" it is defaulted to off. It must be configured for this to work. Remember that as the requests will be originating from this agent you will need to make sure that you configure your access accordingly.
To allow access to Squid's SNMP agent, define an snmp_access ACL with the community strings that you previously defined. For example:
snmp_access allow snmppublic localhost snmp_access deny allThe above will allow anyone on the localhost who uses the community public to access the agent. It will deny all others access.
If you do not define any snmp_access ACL's, then SNMP access is denied by default.
Finally squid allows to you to configure the address that the agent will bind to for incomming and outgoing traffic. These are defaulted to 0.0.0.0, changing these will cause the agent to bind to a specific address on the host, rather than the default which is all.
snmp_incoming_address 0.0.0.0 snmp_outgoing_address 0.0.0.0
Prior to Squid 2.1 the SNMP code had a number of issues with the ACL's. If you are a frequent user of SNMP with Squid, please upgrade to 2.2 or higher.
A sort of default, working configuration is:
snmp_port 3401 snmp_mib_path /local/squid/etc/mib.txt snmp_agent_conf view all .1.3.6 included snmp_agent_conf view squid .1.3.6 included snmp_agent_conf user squid - all all public snmp_agent_conf user all all all all squid snmp_agent_conf community public squid squid snmp_agent_conf community readwrite all all
Note that for security you are advised to restrict SNMP access to your caches. You can do this easily as follows:
acl snmpmanagementhosts 220.127.116.11/255.255.255.255 18.104.22.168/255.255.255.0 snmp_acl public deny all !snmpmanagementhosts snmp_acl readwrite deny allYou must follow these instructions for 2.1 and below exactly or you are likely to have problems. The parser has some issues which have been corrected in 2.2.
You can test if your Squid supports SNMP with the snmpwalk program (snmpwalk is a part of the UCD-SNMP project). Note that you have to specify the SNMP port, which in Squid defaults to 3401.
snmpwalk -p 3401 hostname communitystring .22.214.171.124.4.1.3495.1.1If it gives output like:
enterprises.nlanr.squid.cacheSystem.cacheSysVMsize = 7970816 enterprises.nlanr.squid.cacheSystem.cacheSysStorage = 2796142 enterprises.nlanr.squid.cacheSystem.cacheUptime = Timeticks: (766299) 2:07:42.99then it is working ok, and you should be able to make nice statistics out of it.
For an explanation of what every string (OID) does, you should refer to the Cache SNMP web pages.
There are a lot of things you can do with SNMP and Squid. It can be useful in some extent for a longer term overview of how your proxy is doing. It can also be used as a problem solver. For example: how is it going with your filedescriptor usage? or how much does your LRU vary along a day. Things you can't monitor very well normally, aside from clicking at the cachemgr frequently. Why not let MRTG do it for you?
There are a number of tools that you can use to monitor Squid via SNMP. A very popular one is MRTG, there are however a number of others. To learn what they are and to get additional documentation, please visit the Cache SNMP web pages.
We use MRTG to query Squid through its SNMP interface.
To get instruction on using MRTG with Squid please visit the Cache SNMP web pages.
General Discussion: firstname.lastname@example.org These messages are archived.
Subscriptions should be sent to: email@example.com.