Introduction

MRTG is a wonderful tool. You can use it to monitor traffic on your router or leased server located at remote IDC. Since it is written in Perl and some code in C language, it is portable and high performance tool.

What is MRTG?
From the mrtg(1) man page: The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing GIF images which provide a LIVE visual representation of this traffic. Please note following discussion based upon Red Hat Linux Enterprise version 3 update 2 and RHEL v4.0.

What is SNMP and why should I care?

SNMP is Simple Network Management Protocol. It is used to manage IP network devices such as servers, routers, switches and more. Sysadmin can find or manage network performance, solve the problem or even optimize network further with MRTG. For more information on official UNIX/Linux SNMP please see UCD-SNMP/NET-SNMP Tutorials and an excellent resource at Snmplink.org

Assumptions of Knowledge
I have made the following assumptions about your knowledge before reading thtutorial and discussing the hardware/software you will need to use:

Linux distribution - RHEL 3.x/ 4.x+. If you are using CentOS or RHEL 6.x, please see this updated tutorial here. Install MRTG using rpm command. If you are looking for source installation then visit author's web site here. This page has an excellent set of information on installing mrtg from source. Required RPMs o mrtg o snmp o snmp-utils Installations were tested on Red Hat Enterprise Linux version 3 update 2.

Configuration
Make sure snmp server is working. Without proper working snmp server, mrtg will not work. Therefore, first step is making sure snmp up and running. Following steps will take you gradually to configure it.

Step # 1: Make sure snmp server installed Step # 2: Determine if snmp server is running or not Step # 3 Make sure snmp server configured properly Step # 4 Install mrtg if not installed Step # 5 Configure mrtg Step # 6 First test run of mrtg Step # 7: Create crontab entry so that mrtg graph / images get generated every 5 minutes Step # 8: Block ports 161, 162 udp at firewall. Step # 9: Optional protect your MRTG graphs/html pages with password protected directory

Step # 1 : Make sure snmp server installed

Please note that snmpd configuration does not require using mrtg with remote network devices such as Routers and switches. If you just want mrtg graphs for router or switch then please refer to step # 4 (as all these devices comes preconfigured with snmpd software). Type the following rpm command to find out, if snmp server installed or not: # rpm -qa | grep snmp If snmp installed then please refer step # 2; otherwise snmp server and utils were not present and your need to install them using the following commands as a root user: (a) Visit rpmfind.net to get snmp server and utilities rpms. If you are fedora user (OR RHEL v5.x+ user), use the yum command as follows to install the same:

# yum install net-snmp-utils net-snmp (b) If you are older RHEL v4.x/v.3.x subscriber, use up2date command as follows: # up2date -v -i net-snmp-utils net-snmp

Step # 2 : Determine if snmp server is running or not

Run 'ps' command to see if snmp server is running or not: # ps -aux | grep snmp Output:
root 5512 0.0 2.3 5872 3012 pts/0 S 22:04 0:00 /usr/sbin/snmpd

Alternatively, you can try any one of the following commands: # lsof -i :199 Output:
COMMAND snmpd PID USER 5512 root FD 4u TYPE DEVICE SIZE NODE NAME IPv4 34432 TCP *:smux (LISTEN)

OR try out netstat command: # netstat -natv | grep ':199' Output:

tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN

If you found snmp service is running or listing on port 199, see step #3; otherwise start the snmp service using the following command: # service snmpd start Make sure snmpd service starts automatically, when linux comes us (add snmpd service): # chkconfig --add snmpd Turn on snmpd service, enter: # chkconfig snmpd on

Step # 3 : Make sure snmp server configured properly

Run the snmpwalk command to request for tree of information about network entity. In simple words, query the snmp server for your IP address (assigned to your eth0, eth1, lo interface by Linux):

# snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex Sample outputs:

ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = 1 ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.0.3 = 2

If you see your IP address, proceed to step 4; else it is a time to configure snmp server as follows (by default RHEL and older Redhat v8/9 are not configured for snmp server for security reason):

Configure SNMP
(1) Edit the file /etc/snmp/snmpd.conf using a text editor such as vi, enter: # vi /etc/snmp/snmpd.conf Change/Modify line(s) as follows: Find the following Line: com2sec notConfigUser default public

Replace with (make sure you replace 192.168.0.0/24 with your network/subnet) the following lines: com2sec local localhost public public

com2sec mynetwork 192.168.0.0/24

Scroll down a bit and change: Find Lines: group group Replace with: group group group group group group MyRWGroup MyRWGroup MyRWGroup MyROGroup MyROGroup MyROGroup v1 v2c usm v1 v2c usm local local local mynetwork mynetwork mynetwork notConfigGroup v1 notConfigGroup v2c notConfigUser notConfigUser

Again scroll down a bit and locate the following line: Find line: view Replace with: view all included .1 80 systemview included system

Again scroll down a bit and change the following line: Find line: access notConfigGroup "" any noauth exact systemview

none none Replace with:

access MyROGroup "" access MyRWGroup ""

any any

noauth noauth

exact exact

all all

none all

none none

Scroll down a bit and change the following lines: Find lines: syslocation Unknown (edit /etc/snmp/snmpd.conf) syscontact Root (configure /etc/snmp/snmp.local.conf)

Replace with (make sure you supply appropriate values): syslocation Linux (RH3_UP2), Home Linux Router. syscontact YourNameHere <you@example.com> For your convenient, here is my /etc/snmp/snmpd.conf file. Feel free to use this file. Make sure you make a backup of your existing file. Start your snmp server and test it: (a) Make sure when linux comes up snmpd always starts after the system reboot: # chkconfig snmpd on (b) Start the snmpd service: # service snmpd start (c) Finally, test your snmp server: # snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

Step # 4 : Install mrtg if not installed

Mrtg software may install during initial installation; you can verify if MRTG installed or not with the following RPM command:

rpm -qa | grep mrtg If mrtg already installed, see step # 5; else use rpmfind.net to find MRTG rpm or up2date command to install MRTG software:

# up2date -v -i mrtg Fedora / RHEL v.5+/ Centos v.5.x+ Linux user can use the yum command as follows to install MRTG:

# yum install mrtg

Step # 5 : Commands to Configure mrtg

(a) Create a document root to store mrtg graphs/html pages for Apache web-server, enter: # mkdir -p /var/www/html/mymrtg/ (b) Run any one of the following cfgmaker command to create mrtg configuration file: # cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg.cfg public@localhost OR (make sure FQDN resolves. In the following example I'm using rh9.test.com i.e. my router's FQDN address)

# cfgmaker --global 'WorkDir: /var/www/html/mymrtg' --output /etc/mrtg/mymrtg1.cfg public@rh9.test.com (c) Create a default index page for your MRTG configuration, run: # indexmaker --output=/var/www/html/mymrtg/index.html /etc/mrtg/mymrtg.cfg (d) Copy all tiny png files to your mrtg path, run: # cp -av /var/www/html/mrtg/*.png /var/www/html/mymrtg/

Step # 6 First test run for mrtg

(a) Run mrtg command from command line with your configuration file, enter: # mrtg /etc/mrtg/mymrtg.cfg Note: You may get few warning message for the first time; please ignore them. (b) Fire your favorite web browser (like FireFox ) and type the url http://www.your-name.com/mymrtg/ or http://your-ip-here/mymrtg/

Step # 7 Create crontab entry so that mrtg graph / images get generated every 5 minutes
(a) Login as a root user or login as a mrtg user and type the following command: # crontab -e (b) Add mrtg cron job entry to configuration file (append following line to it): */5 * * * * /usr/bin/mrtg /etc/mrtg/mymrtg.cfg --logging /var/log/mrtg.log Close and save file. You are done with MRTG configuration. See how to add jobs to cron Under Linux or UNIX for more info.

Step # 8 Block ports 161 & 162 at the firewall level

You do not want to give access to everyone to your snmp server for security reasons. SNMP server uses UDP port # 161 and 162 for communication. Use Linux IPTABLES firewall command to restrict access to your SNMP server. (a) Allow outgoing SNMP server request from your Linux computer. This is useful when you query remote host/router (replace SERVER IO with your real IP):

SERVER="xxx.xxx.xxx.xxx" iptables -A OUTPUT -p udp -s $SERVER --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -s 0/0 --sport 161:162 -d $SERVER --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT (b ) Allow incoming SNMP client request via iptables. This is useful when you wish to accept queries for rest of the world (replace SERVER IP with your real IP):

SERVER="xxx.xxx.xxx.xxx" iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -s $SERVER --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT Pleae note that above two are just SNMP specific iptables rules. Please consult iptables(8) man page or our CentOS / Redhat Iptables Firewall Configuration Tutorial for complete information on iptables.

tep # 9 Optional: Protect your MRTG graphs/html pages with password protected directory
Once again, you would like to restrict access to your MRTG reports. This can easily accomplished with Apache webserver's .htaccess file. If you are on webhosting server with control panel (such as ensim or plesk) then you can use control panel itself to create password-protected directory. Steps to protect graphs using apache's .htaccess file and htpasswd command: Step # 1: Create .htaccess file in /var/www/html/mymrtg/ directory and append the following directives: vi /var/www/html/mymrtg/.htaccess Add following text to file: AuthName "MRTG Graphs/Html restricted access" AuthType Basic AuthUserFile /var/members/.htpasswd require user mrtgadmin Step # 2: Create a user account and password. The -c option assumes that you are creating .htpasswd file first time: # htpasswd -c /var/members/.htpasswd mrtgadmin For more information please see our Apache Webserver Authentication and access control minihowto.

MRTG: References and further readings

Use the following resources to find out more Linux help, links to general information and help for MRTG, snmp under Linux/UNIX/Windows OSes:

MRTG home page: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/ SNMP home page: http://net-snmp.sourceforge.net/ MRTG authors installation by compiling source code: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/mrtg-unix-guide.html SNMP How-to: http://www.rescomp.berkeley.edu/about/training/senior/progs/SNMPHOWTO/SNMP-HOWTO.html Linux (UNIX) Man pages : snmpd.conf(5), snmpwalk(1), cfgmaker(1), indexmaker(1), mrtg(1), rpm(8), crontab(1) Other MRTG tutorial: Links to tons of mrtg config docs & tutorial Special Case: MRTG Red hat enterprise Linux Virtuozzo VPS configuration See Recommend books for SNMP & MRTG

Problem with MRTG configuration issues

When you come across a problem with MRTG and SNMP configurations, I would like to hear about it. You can send all your questions regarding snmp and mrtg configuration, problem to nixCraft forum for further discussion. It is true that MRTG is for network monitoring and it can be used to see how much traffic your server/router or ADSL router actually generated, however it will not tell you how much megabytes or gigabytes the daily traffic was. For all such home user and people having dedicated single Linux box hosted somewhere remote at IDC/ISP there is a tool called vnStat (see image below), see Special configuration: Keeping a log of daily network traffic for ADSL or dedicated remote Linux box vnstat - Display traffic for each day:

vnstat - Displays traffic for each month: