Snmptrapd Could not connect to database, check logs/librenms.log

Hello all,

I’m trying to set up SNMP Trap Handling. I followed the instructions, and used Option 2 for configuring snmptrapd. Traps are logging to /var/log/snmptrap/traps.log, but /var/log/messages is filling up with an error:

snmptrapd[2017268]: Could not connect to database, check logs/librenms.log.

For some reason, /opt/librenms/snmptrap.php cannot connect to the database.

Is there something I’m likely missing in my setup, or any suggestions on debugging?

Thanks in advance,

The modified files are my doing.



Component Version
LibreNMS 21.1.0-27-g4fa7993e2
DB Schema 2021_02_08_224355_fix_invalid_dates (199)
PHP 7.3.20
Python 3.6.8
MySQL 10.3.27-MariaDB
RRDTool 1.7.0


[OK] Composer Version: 2.0.9
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct
[WARN] Your local git contains modified files, this could prevent automatic updates.
You can fix this with ./scripts/github-remove
Modified Files:

Odd, could be permissions or something as the snmptrapd daemon will execute snmptrap.php

That’s what it looks like to me too. To test, I commented out the if statement that was causing the error and got another error:

In StreamHandler.php line 111:
The stream or file “/opt/librenms/logs/librenms.log” could not be opened in
append mode: failed to open stream: Permission denied

The snmptrapd service runs under root, and it has to because port 162 is a privileged port.

Any suggestions?

It seems to be working now.

TLDR; try disabling SELinux.

setenforce 0

The long answer.

I tried to get the PHP running under the librenms user.

vi /etc/snmp/snmptrapd.conf
# edit traphandle line
# traphandle default su - librenms -c /opt/librenms/snmptrap.php
systemctl restart snmptrapd.service

I checked /var/log/messages. It was blowing up with errors, like:

su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running’ failed.

Temporarily disabled SELinux:

setenforce 0

The snmptrapd service was working, but new errors were appearing in /var/log/messages:

systemd[1]: [email protected]: Start request repeated too quickly.

Tried to fix SELinux:

audit2allow -a
#============= snmpd_t ==============
allow snmpd_t faillog_t:file { open read };
allow snmpd_t httpd_sys_rw_content_t:file { append getattr open read };
allow snmpd_t lastlog_t:file { open read write };

#!!! This avc can be allowed using the boolean ‘daemons_enable_cluster_mode’
allow snmpd_t mysqld_t:unix_stream_socket connectto;
allow snmpd_t mysqld_var_run_t:sock_file write;
allow snmpd_t security_t:security compute_av;
allow snmpd_t self:capability { audit_write dac_override };
allow snmpd_t self:netlink_audit_socket { create nlmsg_relay };
allow snmpd_t self:netlink_selinux_socket { bind create };
allow snmpd_t self:passwd rootok;
allow snmpd_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t snmpd_t:dbus send_msg;

# audit2allow -a -M snmpd_t
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i snmpd_t.pp

semodule -i snmpd_t.pp
setenforce 1

Running tail -f /var/log/messages:

snmptrapd[3541543]: su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running’ failed.

Traps are working by this point, but /var/log/messages is a mess. The selinux commands didn’t seem to help before. Leaving it disabled still gave us other weird messages, like the issue with starting up too fast.

I rolled back some of the changes to simplify things and see if it would still work.
Edited /etc/snmp/snmptrapd.conf the original traphandle instead of calling it through su - librenms.
No funky errors coming up in /var/log/messages. Better than I would have expected.

Then I re-enabled selinux with setenforce 1. Still no error messages, for a while. Soon, ./ was complaining that the PHP version was too low. Updates only made things worse. PHP was unable to load dynamic libraries. I gave up for the day.

Today, everything is working. No funky messages in logs, SNMP traps are coming in, ./ works, validation looks good. The main thing different right now is SELinux is still set with setenforce 0.