maga79
just joined
Topic Author
Posts: 6
Joined: Fri Mar 01, 2019 11:57 am

Script global variable get from SNMP OID

Thu May 13, 2021 2:07 pm

I set up the global variable.

> :global testvalue 100
Then I added a script to output the value of the variable.
> /system script add dont-require-permissions=no name=test-result owner=madi policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":put \$testvalue"
> /system script environment print
# NAME VALUE
2 testvalue 100
I want to get the value with monitoring software by SNMP OID:
snmpwalk -v 2c -c community 192.168.1.1 1.3.6.1.4.1.14988.1.1.8
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.5 = STRING: "AliDnsploss"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.2.7 = STRING: "AliDnsavgRtt"
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.5 = INTEGER: 0
SNMPv2-SMI::enterprises.14988.1.1.8.1.1.3.7 = INTEGER: 0
But there isn't any value for the variable.

From the wiki, I found that:
----------------------------------------------------------------------------
https://wiki.mikrotik.com/wiki/Manual:SNMP
Running scripts with GET
It is possible to run /system scripts via SNMP GET request of the script OID (since 6.37). For this to work SNMP community with write permission is required. OIDs for scripts can be retrieved via SNMPWALK command as the table is dynamic.

Add script:

/system script
add name=script1 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"/sy reboot "
add name=script2 owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"[:put output]"

Get the script OID table

$ snmpwalk -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.8
iso.3.6.1.4.1.14988.1.1.8.1.1.2.1 = STRING: "script1"
iso.3.6.1.4.1.14988.1.1.8.1.1.2.2 = STRING: "script2"
iso.3.6.1.4.1.14988.1.1.8.1.1.3.1 = INTEGER: 0
iso.3.6.1.4.1.14988.1.1.8.1.1.3.2 = INTEGER: 0
To run script use table 18

$ snmpget -v2c -cpublic 192.168.88.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
iso.3.6.1.4.1.14988.1.1.18.1.1.2.2 = STRING: "output"
--------------------------------------------------------------------------------------------------

When I snmpwalk the device, I can't find the SNMP OID 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
snmpget -v 2c -c community 192.168.1.1 1.3.6.1.4.1.14988.1.1.18
SNMPv2-SMI::enterprises.14988.1.1.18 = No Such Object available on this agent at this OID
snmpget -v 2c -c community 192.168.1.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
SNMPv2-SMI::enterprises.14988.1.1.18 = No Such Object available on this agent at this OID

Why can't I get the value of the variable?
Is the SNMP OID 1.3.6.1.4.1.14988.1.1.18 correct?
 
maga79
just joined
Topic Author
Posts: 6
Joined: Fri Mar 01, 2019 11:57 am

Re: Script global variable get from SNMP OID

Sat May 15, 2021 6:55 pm

I solved this problem.
It was caused by the SNMP read access.
When I set the community read access permission, snmpwalk and snmpget would not output the value.
When I added the community write access permission, snmpwalk and snmpget would output the value.
Why can the community read access not get the value, while write access can?
The SNMP server just reads the SNMP OID and doesn't change it. Why does this action need write permission?

Set the SNMP read permission
# snmpget -v 2c -c COMMUNITY 192.168.1.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
Error in packet
Reason: (readOnly) The two parties used do not have access to use the specified SNMP PDU.

Set the SNMP write permission
# snmpwalk -v 2c -c COMMUNITY 192.168.1.1 1.3.6.1.4.1.14988.1.1.18.1.1.2.2
SNMPv2-SMI::enterprises.14988.1.1.18.1.1.2.2 = STRING: "47"
 
jo2jo
Forum Guru
Posts: 1007
Joined: Fri May 26, 2006 1:25 am

Re: Script global variable get from SNMP OID

Tue Jul 05, 2022 8:41 am

I agree with this. Somehow we should have the ability to only allow read access to the results of scripts (queried by an SNMP OID).

The main reason: the combination of the script -> OID being dynamic + requiring snmp-write access enabled on an SNMP community (i.e. the ability to execute a script that does more than just return a value) = dangerous! (Dangerous in the sense that the SNMP monitoring engine could start triggering a script, repeatedly, that you do not want to have run!)

Example: I have 2 scripts:
ros Script-#1- which I use to quickly create (loop) N number of: VLANs, IP addresses, dhcp-servers (+ ip-pool, dhcp-networks), and queues.
ros Script-#2- a simple script of only: "/ip firewall connection print count-only" (which allows me to retrieve/monitor the current NAT table count via SNMP).

If I have SNMP set to query 1.3.6.1.4.1.14988.1.1.18.1.1.2.2 every 10 minutes, and one day I clone/move the scripts around, that every-10-minutes OID query could keep triggering my #1 script (i.e. creating VLANs, IPs, etc.).

If we could use read-only to pull values returned by scripts, this would avoid the above issue.
Another solution might be to add a new policy/option to the script policy check-boxes, called "SNMP": if it is checked off, then the script is available via an SNMP OID; if it's NOT checked off, then the script does NOT appear in an snmpwalk of OID 1.3.6.1.4.1.14988.1.1.8 (nor is that script accessible at all via SNMP).

(For now, the above scenario has me scared enough that I have stopped using SNMP to retrieve script output, and I've also removed snmp-write permissions from any/all of my SNMP communities.)

Or maybe I'm missing something here?

thanks
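
The exposure discussed in this thread (a write-enabled community lets an SNMP GET run whichever script sits at the queried index) can be checked for in a saved configuration. The following is an added example, not part of any post here; it assumes the `/export` layout of a section line followed by `add`/`set` lines, and the sample configuration is constructed.

```python
import re

# Constructed sample of a RouterOS /export excerpt; names and addresses are made up.
SAMPLE_EXPORT = r'''/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=public
add addresses=10.100.203.0/24 name=zabbix write-access=yes
add addresses=0.0.0.0/0 name=legacy read-access=yes \
    write-access=yes
/system script
add name=make-vlans source=":put 1"
add name=nat-count source="/ip firewall connection print count-only"
'''

# key=value pairs; a quoted value is consumed whole so text inside a script
# source is never mistaken for a property of the line itself.
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def audit(export_text):
    """Return (write-enabled communities, script names) found in an export."""
    text = re.sub(r'\\\n\s*', '', export_text)  # join wrapped lines
    section, communities, scripts = None, [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            section = line
            continue
        if not line.startswith(('add ', 'set ')):
            continue
        kv = {k: v.strip('"') for k, v in KV.findall(line)}
        if section == '/snmp community' and kv.get('write-access') == 'yes':
            communities.append((kv.get('name', '?'), kv.get('addresses', 'any')))
        elif section == '/system script':
            scripts.append(kv.get('name', '?'))
    return communities, scripts


if __name__ == '__main__':
    writers, script_names = audit(SAMPLE_EXPORT)
    for name, addresses in writers:
        print(f"community {name!r} (from {addresses}) has write access; "
              f"a GET can run any of: {', '.join(script_names) or 'no scripts'}")
```
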
 
Jotne
Forum Guru
Posts: 3360
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Script global variable get from SNMP OID

Wed Jul 06, 2022 11:35 am

I was looking at this as well.
My goal was to read a global variable from the router using SNMP directly, but there seems to not be any OID to do that.
And even better if you could set a global variable on the router using write SNMP.
 
lwaclawiak
just joined
Posts: 12
Joined: Fri Sep 13, 2019 8:26 pm

Re: Script global variable get from SNMP OID

Mon May 13, 2024 6:37 am

I spent a few years with this dilemma of how to query via SNMP some global variables generated by custom scripts with indicators that I would like to display in The Dude and in other monitoring systems like Zabbix.

In fact, it is possible to do this using remote execution of scripts via snmp and returning their values, but this did not really please me, as the OID for the same script on different routers could be different, as the scripts are executed by their indexes and not by their names.

This makes configuration in the monitoring system very difficult, but worse than that, a wrong configuration could simply cause another script to be executed in place of the one that only had the function of returning information, which is really very bad.

Using a fake disabled bridge to look for its name that could be changed by the script to the content of the variable was one of the ways I saw other members suggested.

This approach solves the problem of executing an inappropriate script, but does not solve the issue of the OID being different between different routers.

The solution I found that solved my problem was to use the "system note" function, which is a space where you can create a complete text with several lines and you can consult it by OID ("1.3.6.1.4.1.14988.1.1.7.5.0").

So just create a script that brings together all the variables you want to use and writes them to the "system note", putting this script to run through the scheduler from time to time as needed.
:global LinkAtivo
:global PercentLossPrincipal
:global MPLoss
:global PercentLossBackup
:global MBLoss

system note set note="Link: $LinkAtivo
Perda Prin: $PercentLossPrincipal
Media Prin: $MPLoss
Perda Back: $PercentLossBackup
Media Back: $MBLoss"
It is possible to consult it with the read-only public community, the OID will always be the same regardless of the router, we do not run the risk of executing a script by mistake and it is possible to store a lot of information in this field.
root@Syslog:~# snmpget -v1 -cpublic 10.100.203.1 1.3.6.1.4.1.14988.1.1.7.5.0
iso.3.6.1.4.1.14988.1.1.7.5.0 = STRING: "Link: PRINCIPAL
Perda Prin: 0
Media Prin: 0
Perda Back: 0
Media Back: 0"
On the monitoring side, simply create functions to filter with regular expressions and extract only the variable you want for that specific query.

And "Voilà", we have it resolved.
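
The monitoring-side extraction described in the last post, as an added example that is not part of the original post: it parses the multi-line note returned by `snmpget` into labelled fields and only accepts a value as a metric if it is numeric. The function names are hypothetical and the sample output is constructed in the shape shown above.

```python
import re

# Constructed sample: snmpget output for the system note OID, shaped like the post's.
SAMPLE = (
    'iso.3.6.1.4.1.14988.1.1.7.5.0 = STRING: "Link: PRINCIPAL\n'
    'Perda Prin: 0\nMedia Prin: 0\nPerda Back: 0\nMedia Back: 0"\n'
)

# The note is one quoted STRING that may span several lines.
VARBIND = re.compile(r'14988\.1\.1\.7\.5\.0 = STRING: "(.*)"\s*\Z', re.S)
# "Label: value"; the label is bounded so a stray long line is not taken as one.
FIELD = re.compile(r'([^:]{1,32}):[ \t]*(.*)')
NUMBER = re.compile(r'-?\d+(\.\d+)?')


def parse_note(snmp_output):
    """Split the multi-line note into {label: value}; {} when no note came back."""
    m = VARBIND.search(snmp_output)
    if not m:
        return {}
    fields = {}
    for line in m.group(1).splitlines():
        f = FIELD.fullmatch(line.strip())
        if f:
            # First occurrence wins, so a later duplicate label cannot override it.
            fields.setdefault(f.group(1).strip(), f.group(2).strip())
    return fields


def numeric(fields, label):
    """Return the field as a float, or None if missing, empty or not a number."""
    value = fields.get(label, "")
    return float(value) if NUMBER.fullmatch(value) else None


if __name__ == "__main__":
    note = parse_note(SAMPLE)
    print(note["Link"], numeric(note, "Perda Prin"))
```
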