How to Set Up SNMP Monitoring on FreeBSD
SNMP (Simple Network Management Protocol) is the backbone of infrastructure monitoring. Every serious monitoring platform -- Zabbix, LibreNMS, Nagios, PRTG, Observium -- uses SNMP to poll system metrics from servers, switches, routers, and appliances. FreeBSD ships with bsnmpd in the base system, but for production monitoring, Net-SNMP provides the full feature set: SNMPv3 authentication, extend scripts, custom MIBs, and broad monitoring platform compatibility.
This guide covers installing and configuring Net-SNMP on FreeBSD, securing it with SNMPv3, extending it with custom OIDs, and integrating it with Zabbix and LibreNMS. For a broader monitoring strategy, see the FreeBSD Server Monitoring guide.
Why Net-SNMP Over bsnmpd
FreeBSD includes bsnmpd in the base system. It is lightweight and works for basic monitoring, but has significant limitations:
- No SNMPv3 authentication. bsnmpd only supports SNMPv1/v2c community strings. In 2026, this is a security risk.
- Limited MIB support. bsnmpd implements a subset of standard MIBs. Many monitoring platforms expect OIDs that bsnmpd does not expose.
- No extend functionality. You cannot run custom scripts and expose their output as SNMP OIDs with bsnmpd.
- Poor monitoring platform compatibility. Zabbix, LibreNMS, and others are tested primarily with Net-SNMP. bsnmpd compatibility issues are common.
Net-SNMP is the standard. Use it.
Prerequisites
- FreeBSD 13.0 or later
- Root access
- A monitoring server (Zabbix, LibreNMS, or similar) to receive SNMP data
Step 1: Install Net-SNMP
shpkg install net-snmp
Disable bsnmpd if it is running, then enable snmpd:
sh# Stop and disable bsnmpd service bsnmpd stop 2>/dev/null sysrc bsnmpd_enable="NO" 2>/dev/null # Enable Net-SNMP sysrc snmpd_enable="YES" sysrc snmptrapd_enable="YES"
Step 2: Basic Configuration (SNMPv2c)
Start with a basic configuration for initial testing. We will upgrade to SNMPv3 in Step 4.
shcat > /usr/local/etc/snmp/snmpd.conf << 'EOF' # System information syslocation "Data Center Rack 5" syscontact "admin@example.com" sysname "freebsd-server01" # SNMPv2c read-only community (temporary -- replace with SNMPv3) rocommunity SecretCommunity123 192.168.1.0/24 # Listening address and port agentAddress udp:161 # System view view systemonly included .1.3.6.1.2.1.1 view systemonly included .1.3.6.1.2.1.25.1 # Full view for monitoring view all included .1 # Disk monitoring disk / 10% disk /var 10% disk /usr 10% # Process monitoring proc sshd proc nginx proc php-fpm # Load average thresholds (1-min, 5-min, 15-min) load 12 10 5 # Extend scripts for custom metrics extend freebsd_version /bin/freebsd-version extend uptime_seconds /usr/bin/uptime EOF
Start snmpd:
shservice snmpd start
Test the Configuration
sh# Query system description snmpwalk -v2c -c SecretCommunity123 localhost .1.3.6.1.2.1.1.1.0 # Query all system information snmpwalk -v2c -c SecretCommunity123 localhost system # Query interface table snmpwalk -v2c -c SecretCommunity123 localhost ifTable # Query disk usage snmpwalk -v2c -c SecretCommunity123 localhost dskTable # Query load averages snmpwalk -v2c -c SecretCommunity123 localhost laTable
If these commands return data, snmpd is working.
Step 3: Expose Standard Metrics
CPU and Memory
Net-SNMP exposes CPU and memory metrics through the UCD-SNMP-MIB:
sh# CPU load (1, 5, 15 minute averages) snmpwalk -v2c -c SecretCommunity123 localhost .1.3.6.1.4.1.2021.10 # Memory usage snmpwalk -v2c -c SecretCommunity123 localhost .1.3.6.1.4.1.2021.4 # CPU statistics (user, system, idle, etc.) snmpwalk -v2c -c SecretCommunity123 localhost .1.3.6.1.4.1.2021.11
Network Interfaces
sh# Interface names and indexes snmpwalk -v2c -c SecretCommunity123 localhost ifDescr # Interface traffic counters (64-bit) snmpwalk -v2c -c SecretCommunity123 localhost ifHCInOctets snmpwalk -v2c -c SecretCommunity123 localhost ifHCOutOctets # Interface speeds snmpwalk -v2c -c SecretCommunity123 localhost ifHighSpeed # Interface errors snmpwalk -v2c -c SecretCommunity123 localhost ifInErrors snmpwalk -v2c -c SecretCommunity123 localhost ifOutErrors
Use the 64-bit HC (High Capacity) counters (ifHCInOctets, ifHCOutOctets) instead of 32-bit counters (ifInOctets, ifOutOctets). The 32-bit counters wrap every ~34 seconds on a saturated 1 Gbps link, making them useless for modern networks.
Disk I/O
sh# Disk I/O statistics snmpwalk -v2c -c SecretCommunity123 localhost .1.3.6.1.4.1.2021.13
TCP/UDP Statistics
sh# TCP connection stats snmpwalk -v2c -c SecretCommunity123 localhost tcp # UDP statistics snmpwalk -v2c -c SecretCommunity123 localhost udp
Step 4: Upgrade to SNMPv3
SNMPv2c sends community strings in plaintext. Anyone capturing network traffic between your monitoring server and the SNMP agent can read the community string and query your server. SNMPv3 adds authentication (authPriv) and encryption.
Stop snmpd Before Creating Users
shservice snmpd stop
Create an SNMPv3 User
sh# Create a user with authentication (SHA) and encryption (AES) net-snmp-create-v3-user -ro -a SHA -A 'AuthPassphrase123!' -x AES -X 'PrivPassphrase456!' monitoruser
This writes the user credentials to /usr/local/etc/snmp/snmpd.conf and the persistent user data to /var/net-snmp/snmpd.conf.
Update snmpd.conf for SNMPv3-Only
Replace the SNMPv2c configuration:
shcat > /usr/local/etc/snmp/snmpd.conf << 'EOF' # System information syslocation "Data Center Rack 5" syscontact "admin@example.com" sysname "freebsd-server01" # Listening address agentAddress udp:161 # SNMPv3 user access (created by net-snmp-create-v3-user) # rouser monitoruser authpriv # REMOVE all SNMPv2c community strings for security # No rocommunity or rwcommunity lines # Views view all included .1 # Access control rouser monitoruser priv -V all # Disk monitoring disk / 10% disk /var 10% disk /tmp 10% # Process monitoring proc sshd proc nginx # Load thresholds load 12 10 5 # Extend scripts extend freebsd_version /bin/freebsd-version extend zfs_arc_hit /usr/local/bin/snmp-zfs-arc-hit.sh extend pkg_updates /usr/local/bin/snmp-pkg-updates.sh EOF
Start snmpd:
shservice snmpd start
Test SNMPv3
sh# Query with SNMPv3 authentication and encryption snmpwalk -v3 -u monitoruser -l authPriv \ -a SHA -A 'AuthPassphrase123!' \ -x AES -X 'PrivPassphrase456!' \ localhost system # Verify SNMPv2c is rejected snmpwalk -v2c -c SecretCommunity123 localhost system # Should return: Timeout (No Response from localhost)
Step 5: Custom SNMP Extensions
Net-SNMP's extend directive runs scripts and exposes their output as SNMP OIDs.
ZFS ARC Hit Rate
shcat > /usr/local/bin/snmp-zfs-arc-hit.sh << 'SCRIPT' #!/bin/sh hits=$(sysctl -n kstat.zfs.misc.arcstats.hits 2>/dev/null) misses=$(sysctl -n kstat.zfs.misc.arcstats.misses 2>/dev/null) if [ -n "$hits" ] && [ -n "$misses" ] && [ $(($hits + $misses)) -gt 0 ]; then echo $(( $hits * 100 / ($hits + $misses) )) else echo "0" fi SCRIPT chmod +x /usr/local/bin/snmp-zfs-arc-hit.sh
Pending Package Updates
shcat > /usr/local/bin/snmp-pkg-updates.sh << 'SCRIPT' #!/bin/sh count=$(pkg version -vRL= 2>/dev/null | wc -l | tr -d ' ') echo "$count" SCRIPT chmod +x /usr/local/bin/snmp-pkg-updates.sh
Jail Count
shcat > /usr/local/bin/snmp-jail-count.sh << 'SCRIPT' #!/bin/sh jls -n 2>/dev/null | wc -l | tr -d ' ' SCRIPT chmod +x /usr/local/bin/snmp-jail-count.sh
Add to snmpd.conf:
shecho 'extend jail_count /usr/local/bin/snmp-jail-count.sh' >> /usr/local/etc/snmp/snmpd.conf service snmpd restart
Query Extended OIDs
Extended scripts are available under the NET-SNMP-EXTEND-MIB:
sh# List all extend outputs snmpwalk -v3 -u monitoruser -l authPriv \ -a SHA -A 'AuthPassphrase123!' \ -x AES -X 'PrivPassphrase456!' \ localhost NET-SNMP-EXTEND-MIB::nsExtendOutput1Table # Query specific extend snmpget -v3 -u monitoruser -l authPriv \ -a SHA -A 'AuthPassphrase123!' \ -x AES -X 'PrivPassphrase456!' \ localhost 'NET-SNMP-EXTEND-MIB::nsExtendOutputFull."zfs_arc_hit"'
Step 6: Firewall Configuration
Allow SNMP traffic only from your monitoring servers:
sh# PF rules for SNMP cat >> /etc/pf.conf << 'PFEOF' # SNMP -- allow only from monitoring servers monitoring_servers = "{ 192.168.1.50, 10.0.0.100 }" pass in on em0 proto udp from $monitoring_servers to any port 161 pass in on em0 proto udp from $monitoring_servers to any port 162 PFEOF pfctl -f /etc/pf.conf
Never expose SNMP to the public internet. Even with SNMPv3, the attack surface is unnecessary.
Step 7: Integration with Zabbix
Zabbix uses SNMP to discover and monitor FreeBSD hosts.
Zabbix SNMPv3 Host Configuration
In the Zabbix web interface:
- Go to Configuration > Hosts > Create Host
- Set the hostname and IP address
- Under "Interfaces", add an SNMP interface (port 161)
- Set SNMP version to SNMPv3
- Security level: authPriv
- Authentication protocol: SHA
- Authentication passphrase:
AuthPassphrase123! - Privacy protocol: AES
- Privacy passphrase:
PrivPassphrase456! - Security name:
monitoruser
Zabbix Template
Link the "Template OS FreeBSD SNMPv2" or "Template Net Network Generic Device SNMPv3" template. For FreeBSD-specific metrics, create custom items:
shell# ZFS ARC hit rate (from extend) OID: NET-SNMP-EXTEND-MIB::nsExtendOutputFull."zfs_arc_hit" Type: Character Preprocessing: Regular expression: ^(\d+)$ -> \1 # Pending updates OID: NET-SNMP-EXTEND-MIB::nsExtendOutputFull."pkg_updates" Type: Numeric (unsigned)
Test from Zabbix Server
From the Zabbix server, verify connectivity:
shsnmpwalk -v3 -u monitoruser -l authPriv \ -a SHA -A 'AuthPassphrase123!' \ -x AES -X 'PrivPassphrase456!' \ freebsd-server-ip system
Step 8: Integration with LibreNMS
LibreNMS auto-discovers FreeBSD hosts via SNMP.
Add the FreeBSD Host
- Navigate to Devices > Add Device
- Enter the hostname or IP
- Set SNMP Version to v3
- Auth Level: authPriv
- Auth User: monitoruser
- Auth Password:
AuthPassphrase123! - Auth Algorithm: SHA
- Crypto Password:
PrivPassphrase456! - Crypto Algorithm: AES
- Click "Add Device"
LibreNMS will poll the device and automatically discover interfaces, storage, processors, and memory. It recognizes FreeBSD as an OS and applies appropriate graphing templates.
Enable SNMP Autodiscovery
On the FreeBSD server, enable LLDP for automatic network discovery:
shpkg install lldpd sysrc lldpd_enable="YES" service lldpd start
LibreNMS uses LLDP data alongside SNMP to map network topology.
Step 9: SNMP Trap Configuration
Configure snmptrapd to receive traps from other devices:
shcat > /usr/local/etc/snmp/snmptrapd.conf << 'EOF' # Accept SNMPv3 traps from the monitoring user authUser log,execute monitoruser # Log traps to syslog traphandle default /usr/bin/logger -p local0.notice -t snmptrap # Or log to a file # traphandle default /usr/local/bin/trap-handler.sh EOF service snmptrapd restart
Send a Test Trap
shsnmptrap -v3 -u monitoruser -l authPriv \ -a SHA -A 'AuthPassphrase123!' \ -x AES -X 'PrivPassphrase456!' \ localhost '' .1.3.6.1.4.1.8072.2.3.0.1 \ .1.3.6.1.4.1.8072.2.3.2.1 s "Test trap from FreeBSD"
Check that the trap was logged:
shgrep snmptrap /var/log/messages
Step 10: Performance Tuning
Cache Timers
Net-SNMP caches certain OID trees to reduce system call overhead. For servers polled frequently (every 30-60 seconds), increase cache times:
Add to snmpd.conf:
sh# Cache interface statistics for 30 seconds nsCacheTimeout 1.3.6.1.2.1.2 30 nsCacheTimeout 1.3.6.1.2.1.31 30 # Cache hrStorage for 60 seconds nsCacheTimeout 1.3.6.1.2.1.25.2 60
Limit OID Access
If your monitoring platform only queries specific OIDs, restrict the view:
sh# Define a restricted view view monitoring included .1.3.6.1.2.1.1 # system view monitoring included .1.3.6.1.2.1.2 # interfaces view monitoring included .1.3.6.1.2.1.25 # host resources view monitoring included .1.3.6.1.4.1.2021 # UCD-SNMP (CPU, memory, disk) view monitoring included .1.3.6.1.4.1.8072.1.3 # NET-SNMP extend # Apply restricted view rouser monitoruser priv -V monitoring
Monitoring snmpd Itself
Verify snmpd is running and healthy:
sh# Check process service snmpd status # Check listening port sockstat -4 -l | grep 161 # Check snmpd log for errors grep snmpd /var/log/messages | tail -20 # SNMP agent uptime snmpget -v3 -u monitoruser -l authPriv \ -a SHA -A 'AuthPassphrase123!' \ -x AES -X 'PrivPassphrase456!' \ localhost sysUpTime.0
FAQ
Should I use bsnmpd or Net-SNMP?
Net-SNMP. It supports SNMPv3, has broader MIB coverage, works reliably with all major monitoring platforms, and supports extend scripts for custom metrics. bsnmpd is adequate only for the simplest monitoring requirements.
Is SNMPv2c acceptable for internal networks?
Technically it works, but SNMPv2c sends community strings in cleartext. Any device on the network segment can capture them. If your internal network is flat (no segmentation), SNMPv2c is a real risk. Use SNMPv3 authPriv.
How often should my monitoring platform poll SNMP?
Every 60 seconds is standard. For interface traffic counters, 30 seconds provides better graph resolution. Polling more frequently than every 15 seconds puts unnecessary load on both the agent and the monitoring server.
Can I monitor ZFS pools via SNMP?
Not natively. Net-SNMP does not include ZFS MIBs. Use extend scripts to expose ZFS metrics (pool status, ARC hit rate, capacity) as custom OIDs. The scripts shown in Step 5 demonstrate this approach.
How do I add SNMP monitoring to a FreeBSD jail?
Install Net-SNMP inside the jail, bind snmpd to the jail's IP address (agentAddress udp:jail-ip:161), and ensure the host's PF firewall allows UDP 161 to the jail IP. Each jail gets its own snmpd instance with its own OID tree.
What MIBs does FreeBSD expose?
With Net-SNMP: SNMPv2-MIB (system), IF-MIB (interfaces), HOST-RESOURCES-MIB (CPU, memory, storage, processes), UCD-SNMP-MIB (load, CPU stats, memory, disk), IP-MIB, TCP-MIB, UDP-MIB, and NET-SNMP-EXTEND-MIB (custom scripts).
How do I rotate SNMP logs?
Add to /usr/local/etc/newsyslog.conf.d/snmpd.conf:
shell/var/log/snmpd.log root:wheel 644 7 * @T00 JB /var/run/snmpd.pid 30
Or configure snmpd to log via syslog (the default) and let newsyslog handle /var/log/messages rotation.