We have seen how to configure SNMP on Linux before. It is clearly not an impossible task, despite the protocol being over 30 years old and having its quirks. A basic setup of SNMP on a Linux host shouldn’t take more time than with most other internet protocols. The client and daemon are open source and available for virtually any system.
Yet, in many infrastructures, the trend of moving away from SNMP is growing. Leaving behind a ubiquitous protocol, a standardized monitoring tool that has been with us for decades, is not an easy decision. Valid reasons must exist.
And indeed, they do.
As a protocol for managing network devices (the “M” in SNMP stands for “Management”), it made perfect sense to implement it in the 90s. Open, standard and relatively easy to use. Network vendors have been implementing it in routers, switches and firewalls for over 30 years and there is no reason to believe this will stop soon. Nowadays, SNMP is still easily found in networks and among Linux servers in one version or another. This won’t change in the next few years.
SNMP is therefore still an important protocol for network administrators who monitor devices. Especially in older network infrastructures, SNMP may have already been set up by a previous administrator. This doesn’t necessarily mean that we are forced to use its command-line interface, nor the protocol itself. It is not just about the protocol being old and not up to date. There are multiple reasons why SNMP may not be the tool of choice for network monitoring anymore.
Why it is best not to use SNMP on Linux
Although there are indisputable positives, they are outweighed by the negatives. SNMP has always suffered from poor implementations by networking vendors, which makes monitoring devices suboptimal and prone to unforeseen errors. The failure to keep up with technological evolution is taking its toll on a protocol that is over 30 years old. The original v1, v2 and v3 came out with minimal improvements that did not change the core functionalities and, more importantly, the shortcomings of SNMP. Therefore, it is no surprise that two major players like Microsoft and Google have recently declared SNMP deprecated (the latter even went as far as to claim that SNMP is dead). SNMP lacks adaptability and security. It was never intended to be secure and modular, and this is especially noticeable today.
Windows has abandoned it in favor of WMI and then WinRM. Recent tools have been implementing easier-to-parse data structures such as XML and JSON, which are useful for developing scripts and automation. On the other side of the server world, the tools on Linux are far from being advanced: net-snmp is a low-level monitoring software, lacking an eagle-eye view of the infrastructure.
SNMP has never been particularly speedy, and in networks with tens or hundreds of hosts every millisecond counts. It is hardly possible to cross-monitor a device: it will end up occupying most of the CPU’s cycles. The laudable improvements in terms of security and privacy of v3 have added a new burden on the already slow protocol underneath. And neither of those can be considered optimal since their support depends on the agents and has been lackluster so far. The use of UDP packets is unreliable as no confirmation of receipt is included.
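The security gap between the versions is visible in the first bytes of every message. The following Python code, an added example that is not from the original article or from net-snmp, decodes just enough BER to report whether a datagram is v1/v2c, where the community string is the only credential and is sent unencrypted, or v3, and which security level its msgFlags declare. The sample datagrams, the helper names and the community value example-ro are constructed for illustration.

```python
# Added example: classify an SNMP datagram by version and declared security level.
def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the BER TLV starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[off:off + length], off + length

VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
LEVELS = {0: "noAuthNoPriv", 1: "authNoPriv", 3: "authPriv"}  # msgFlags: 0x01 auth, 0x02 priv

def classify(datagram):
    """Report the SNMP version and what protects the message on the wire."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    _, raw_version, off = read_tlv(body, 0)
    version = VERSIONS.get(int.from_bytes(raw_version, "big"), "unknown")
    if version in ("v1", "v2c"):
        # The community string follows the version and is readable by anyone on the path.
        _, community, _ = read_tlv(body, off)
        return {"version": version, "security_level": "none",
                "community_in_clear": community.decode("latin-1")}
    if version == "v3":
        _, header, _ = read_tlv(body, off)       # msgGlobalData
        pos = 0
        for _field in ("msgID", "msgMaxSize"):   # skip the two leading integers
            _, _, pos = read_tlv(header, pos)
        _, flags, _ = read_tlv(header, pos)      # msgFlags, a single octet
        if len(flags) != 1:
            raise ValueError("malformed msgFlags")
        return {"version": "v3", "security_level": LEVELS.get(flags[0] & 0x03, "invalid"),
                "community_in_clear": None}
    return {"version": version, "security_level": "unknown", "community_in_clear": None}

def tlv(tag, value):  # encoder used only to build the constructed samples (short lengths)
    return bytes([tag, len(value)]) + value

# Constructed samples; the empty PDU and security parameters are placeholders classify() never reads.
V2C_SAMPLE = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"example-ro") + tlv(0xA0, b""))
V3_SAMPLE = tlv(0x30, tlv(0x02, b"\x03")
                + tlv(0x30, tlv(0x02, b"\x2a") + tlv(0x02, b"\x05\xdc") + tlv(0x04, b"\x07") + tlv(0x02, b"\x03"))
                + tlv(0x04, b"") + tlv(0x04, b""))
```

Run over datagrams captured on UDP port 161, the result shows which agents still answer with v1/v2c or with v3 at noAuthNoPriv and therefore get no protection from the v3 features mentioned above.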
A series of poor choices has led SNMP to lag behind other monitoring solutions on Linux and everywhere else for a while now. The main reason SNMP hasn’t already been abandoned is the support of legacy devices on many networks. Not a good advertisement for a protocol that should make monitoring and configuring hosts simple and reliable.
Even if Linux itself hasn’t abandoned SNMP as Windows did, there are a great many better alternatives to SNMP monitoring that make it unnecessary. Nowadays, REST and SOAP APIs on many network devices and applications allow a level of granularity that SNMP simply is not able to offer. Cisco’s NetFlow and its successors largely best SNMP in terms of analyzing the what and where of network traffic. SSH is everywhere these days, allowing much more than an SNMP agent can with improved security and lower overhead.
Even in instances where it is not possible to switch over from SNMP, for example when a Linux server is connected to routers or switches that can only support SNMP, a different tool with better UI and more options can be utilized.
Agent-based monitoring instead of SNMP?
Agent-based monitoring solutions give administrators plenty of configuration flexibility and a host of monitoring options that SNMP simply can’t match. There is a reason for their popularity, after all. These types of tools can boast some advantages that make them a solid choice compared to SNMP.
First, performance-wise, there is next to no competition. Agents are optimized for the hardware they run on and have been developed in modern languages, so they are able to exploit the modern hardware’s power. They run on the device itself and take care of collecting metrics to expose externally when requested. They are more resource-efficient.
While it is true that SNMP has comparable performance for raw data, it clearly loses when compared to the amount of information that an agent-based solution like Checkmk can return. Data from containers, databases, clusters, cloud services are well within the realm of what an agent-based monitoring tool can provide. SNMP is just a protocol and can only supply basic info. Agent-based monitoring tools collect as many details as desired, within the limits of what they were developed for. There are virtually no limits to what an agent can cover.
Which brings us to the next advantage: extensibility. While SNMP is a stable and fixed set of commands, agent-based monitoring solutions can be extended. A newer version of an agent can bring more possibilities, enlarge the coverage, improve performance and so on. As the development is, usually, in the hands of a single company, it does not have to go through the approval of a committee, like an internet protocol has to. Thus, changes happen faster and newer versions are released multiple times per year. Most agent-based monitoring tools allow you to extend them with plug-ins and even, like with Checkmk, write your own to customize what you want to monitor and how. This is something that SNMP can’t replicate, ever.
Checkmk and SNMP
Checkmk supports SNMP in both the Raw and Enterprise Edition. Not only can it substitute SNMP in all aspects with its own agents, it can also interact through SNMP with devices you may not have complete control over. Queries and monitoring are done from the Checkmk interface without requiring any specific knowledge of the SNMP protocol. It is even easier than configuring SNMP.
Administrators that can’t or won’t move on from SNMP-based monitoring on Linux can still use it through Checkmk, having a plethora of other hosts under control that use other monitoring agents that aren’t SNMP. While we recommend using newer methods for monitoring on Linux, you don't have to get rid of SNMP immediately if a solution that circumvents some of its pains is available (like Checkmk). Administrators shouldn't have to compromise on usability, security, and performance by using SNMP directly or configuring snmpd on their Linux servers. Better options are out there.