checkmk-opnsense-agent's Issues
ignoring openvpn clients after upgrade to OPNsense 23.7.1
Hi !
after upgrading to OPNsense 23.7.1, client connections aren't detected
thanks a lot
how to setup encrypted connection to server
hey thanks for your work, but I am confused:
how do I set up an encrypted connection to my checkmk server?
check of nginx broken?
Hi,
After a reboot the plugin tells me that nginx is not started but it is and works correctly.
May you help me out of this?
BR
kohly
__VERSION__ naming
Hi,
the version naming shows in checkmk "0.96" but it should be "2.1.0p17" (or similar) as the same of the latest supported checkmk server version.
Reference
Disabled VPN tunnels
After the first try, everything works as expected.
There's only one thing: disabled VPN connections are in CRIT state.
Dunno if this is intended or a bug, but can this be fixed or added to exclude the disabled connection?
I'm using the last stable release.
What makes settings like --encrypt and --user stick between reboots?
Hi,
I've just set up this checkmk agent on my OPNsense box and I was looking to see how the settings stick between reboots, and I can't see where it stores the passed arguments. I assume it'll revert to defaults after a reboot?
DHCP Pool Crash Checkmk Raw Edition 2.2.0b8
Hi,
I updated my CheckMK to 2.2.0b8 and currently always get crashes for the DHCP pools.
If further information is needed, feel free to tag me :)
CheckMK Exception:
AttributeError ('tuple' object has no attribute 'get')
CheckMK Traceback:
File "/omd/sites/home/lib/python3/cmk/base/agent_based/checking/_checking.py", line 413, in get_aggregated_result
consume_check_results(
File "/omd/sites/home/lib/python3/cmk/base/api/agent_based/checking_classes.py", line 494, in consume_check_results
for subr in subresults:
File "/omd/sites/home/lib/python3/cmk/base/api/agent_based/register/check_plugins.py", line 93, in filtered_generator
for element in generator(*args, **kwargs):
File "/omd/sites/home/lib/python3/cmk/base/api/agent_based/register/check_plugins_legacy.py", line 207, in check_result_generator
subresults = _normalize_check_function_return_value(sig_function(**kwargs))
File "/omd/sites/home/lib/python3/cmk/base/api/agent_based/register/check_plugins_legacy.py", line 168, in _normalize_check_function_return_value
return list(subresults)
File "/omd/sites/home/share/check_mk/checks/isc_dhcpd", line 95, in check_isc_dhcpd
for check_result in check_dhcp_pools_levels(
File "/omd/sites/home/lib/python3/cmk/base/check_legacy_includes/dhcp_pools.py", line 21, in check_dhcp_pools_levels
for new_api_object in dhcp_pools.check_dhcp_pools_levels(free, used, pending, size, params):
File "/omd/sites/home/lib/python3/cmk/base/plugins/agent_based/utils/dhcp_pools.py", line 32, in check_dhcp_pools_levels
if (levels := params.get(f"{category}_leases")) is not None:
Not working with dynamic DNS
After new IP Address the IPSEC Item vanishes and a new Service will be found.
Perhaps better to name the IPSEC Service with the Description, if available?
Parsing of section statgrab_net failed
Interfaces aren't visible in checkmk.
checkmk version: 2.1.0p25
agent version: 0.99.2
[root@OPNsense ~]# /usr/bin/netstat -i -b -d -n -W -f link
Name Mtu Network Address Ipkts Ierrs Idrop Ibytes Opkts Oerrs Obytes Coll Drop
igc0 1500 <Link#1> aa:bb:cc:11:22:33 75184337 0 0 98298281886 49062740 0 17215226957 0 0
igc1 1500 <Link#2> aa:bb:cc:11:22:33 31075168 0 0 2172642511 66459418 0 92608725366 0 1033
igc2 1500 <Link#3> aa:bb:cc:11:22:33 20522795 0 0 16530136328 11024261 0 6648523619 0 0
igc3* 1500 <Link#4> aa:bb:cc:11:22:33 0 0 0 0 0 0 0 0 0
lo0 16384 <Link#5> lo0 45528 0 0 8016768 45528 0 8016768 0 0
enc0* 1536 <Link#6> enc0 0 0 0 0 0 0 0 0 0
pflog0* 33160 <Link#7> pflog0 0 0 0 0 1065553 0 75302523 0 0
pfsync0* 1500 <Link#8> pfsync0 0 0 0 0 0 0 0 0 0
vlan0.20 1500 <Link#9> aa:bb:cc:11:22:33 0 0 0 0 1 1 42 0 0
vlan0.30 1500 <Link#10> aa:bb:cc:11:22:33 0 0 0 0 1 1 42 0 0
vlan0.40 1500 <Link#11> aa:bb:cc:11:22:33 28842 0 0 5643954 49795 1 48604978 0 0
vlan0.50 1500 <Link#12> aa:bb:cc:11:22:33 478043 0 0 89660493 741741 2 715774608 0 0
vlan0.7 1500 <Link#13> aa:bb:cc:11:22:33 75180749 0 0 97996973505 49046489 0 17013002403 0 0
pppoe0 1492 <Link#14> pppoe0 75175319 0 0 96342811991 49041059 0 15933936085 0 0
filter rule.
hi. i have:
enable ssh
connect with putty
type 8 to open shell
type a command:
fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py
chmod +x /usr/local/etc/rc.syshook.d/start/99-checkmk_agent
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent
and all is good.
but the rule for open 6556 on wan not work.
someone explain me how to make this rule?
I created a rule like this in nat / port forward for accept request only for my checkmk public ip server:
https://i.imgur.com/hBcE1tE.png
but in a remote check mk server the test agent go to timeout
Crash in Check MK vers. 2.1.0p19
Hello,
Check MK crashes when trying to discover the plugin.
The crash report starts with:
ValueError (Invalid line in agent section <<>>. Reason: Invalid performance data: ''. First offending line: "2 "OpenVPN Server: rw_OpenVPN_Server" connections_ssl_vpn=0;;63|expire
Is anything known about this?
Is further information needed?
Service running, but no listening service
Hi and first of all thank you for your great work!
Unfortunately I'm not able to get the agent working.
I did all three installation steps (downloaded script, made it executable and started it) and I can see that the script is running in the list of services and also the system log tells me the checkmk_agent is starting and running:
<29>1 2022-10-27T20:21:34+00:00 XXXXXXXXXXXX checkmk_agent 10631 - [meta sequenceId="4"] starting checkmk_agent
<29>1 2022-10-27T20:34:06+00:00 XXXXXXXXXXXXX checkmk_agent 10631 - [meta sequenceId="5"] checkmk_agent running
I also created an according rule to allow my checkMK Server to access the Firewall on port 6556 but as I checked with netstat -ln -4 there is absolutely nothing running on Port 6556 :/
Tested with version 0.96 and also 0.99.
What am I doing wrong? :/
OpnSense Version is: 22.7.6
EDIT: Nevermind.. although I first only got ipmi infos in checkmk from opnsense after completing the host adding I got more values..strange anyway...thought that the service should be listed as listening on 6556 with netstat all the time
Failed to execute python plugins: ipsec
Hi,
thank you for this amazing Implementation.
I have the following Problems:
[Check_MK Discovery] [agent] Version: 0.88, OS: OPNsense, Failed to execute python plugins: ipsec, execution time 6.5 sec
This error is flapping (cannot describe exact time intervals) and leads to other errors in IPSec-Tunnel monitoring:
[IPsec Tunnel] UNKNOWN - Item not found in monitoring data
After some minutes, the status is OK again.
Firmware of my device:
Version 21.10 Config changed: 13:05 24.06.2022, update_available: 0.00, last_updated: 22164966.00, apply_finish_time: 258614.00
Thanks in advance for support!
patch: incorrect detection of some 'OpenVPN Server' as 'OpenVPN Connection'
patch to prevent "openvpn servers" with mode p2p_tls or p2p_shared_key from being recognized as non-servers.
thanks a lot !
patch:
737c737
< if _server.get("mode") in ("p2p_shared_key","p2p_tls"):
---
> if _server.get("mode") in ("p2p_shared_key","p2p_tls") and _server.get("type") == "client":
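Review bot: On the changed line 737, `_server.get("type") == "client"` evaluates to false whenever an entry has no "type" key, so every p2p_shared_key or p2p_tls entry without that key now skips this branch along with the servers. If that is intended, a short comment next to the condition stating which "type" values are expected would make it reviewable; if it is not, the condition needs an explicit decision for the missing-key case.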
SMART check plugin?
Hello,
I am missing the basic smart check within the checks, but from what I see in the agent feedback, there seems to be a very good and detailed custom check included.
I guess to collect this info with check_mk server I need to have the plugin, right? Where can I find it?
And thumbs up for the great work!
Br,
Markus
CARP Demotion Level in Overview
Hello bashclub,
It would be great if the CARP Demoted Level was displayed in the CheckMK overview of the host. You can display the level using the following command. (sysctl net.inet.carp.demotion) Could you please incorporate the feature into the script?
Error with development version of the OPNsense firmware
When a development version of OPNsense is used, the Python script unfortunately runs into an error when reading the firmware version. The version contains a letter before the underscore, which unfortunately prevents the otherwise very good script from running correctly. In this case the script returns no result at all over port 6556.
Checkmk < 2.2.0p5 Information Disclosure Vulnerability
Hello,
yesterday we had a Vulnerability Testing and we found an Information Disclosure in our Agent Config.
The Agent is listening AND answering any requests at our WAN-Interfaces/IP's with any information the agent is gathering. (you can check it with "telnet ip port")
Worryingly, the port is not even open in the firewall policies.
Today we helped us with one workaround. In /usr/local/etc/checkmk.conf we added the CheckMK-IPs:
onlyfrom: our ipaddresses, comma separated
So the Output with telnet after starting and stopping the agent is now:
Escape character is '^]'.
Connection closed by foreign host.
Is there any way to configure listen interfaces or IP addresses so that the Agentport is not open at all Interfaces?
Thanks in Advance
Error trying to detect gateway when using DHCP IP on WAN interface
CheckMK says "FailedPythonPlugins: gateway". Running the script with --debug yields
Traceback (most recent call last):
File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 164, in do_checks
_lines += getattr(self,_check)()
File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 468, in checklocal_gateway
_gateway_items = self._config_reader().get("gateways").get("gateway_item",[])
AttributeError: 'NoneType' object has no attribute 'get'
And indeed, the config.xml does not seem to contain any gateway (apart from dns3gw), but there is no <gateway> key. This might be due to the fact that in my setup, the WAN interface has no static IP but DHCP, so the gateway IP is dynamic.
IPsec monitor problems
Hi,
thank you very much for your agent!
When monitoring IPsec connections it fails with a Traceback:
Traceback (most recent call last):
File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 104, in do_checks
_lines += getattr(self,_check)()
File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 553, in checklocal_ipsec
_childsas = next(_childsas)
StopIteration
Maybe it's caused by a down IPsec tunnel, here is the corresponding output from /usr/local/opnsense/scripts/ipsec/list_status.py:
"con5":{"local-addrs":"xxx.xxx.xxx.xxx","remote-addrs":"xxx.xxx.xx,0.0.0.0\/0,::\/0","children":{"con5":{"mode":"TUNNEL","rekey_time":"28260","rekey_bytes":"0","rekey_packets":"0","dpd_action":"restart","close_action":"clear","local-ts":["0.0.0.0\/0"],"remote-ts":["0.0.0.0\/0"]}},"local-id":"xxx.xxx.xxx.xxx","remote-id":"xxx.xxx.xx","version":"IKEv2","sas":[],"routed":true,"local-class":"pre-shared key","remote-class":"pre-shared key"}
Can you have a look please?
Thanks,
Christian
ipv6 not working
Hi,
we have a v6 only network setup and would like to use the opnsense agent to communicate with our checkmk server via ipv6. we already looked into the code and tried to get TCPServer to listen to v6 as well - unfortunately without success. maybe someone knows how to activate v6 - would be very appreciated!
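An added example, not part of the original posts or of the agent's code, covering both the information-disclosure report above and this IPv6 request: a `socketserver.TCPServer` that binds to one chosen listen address (IPv4 or IPv6) and drops peers outside an `onlyfrom`-style allowlist before any data is sent. The class and function names, the stand-in payload and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket
import socketserver

AGENT_PORT = 6556  # agent port named on this page


def parse_onlyfrom(value):
    """Parse a comma-separated onlyfrom string into network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def family_for(listen_addr):
    """Choose the socket family that matches the listen address."""
    version = ipaddress.ip_address(listen_addr).version
    return socket.AF_INET6 if version == 6 else socket.AF_INET


def is_allowed(peer, networks):
    """True if the peer address lies inside one of the allowed networks."""
    addr = ipaddress.ip_address(peer.split("%", 1)[0])  # drop IPv6 zone id
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == n.version and addr in n for n in networks)


class AgentHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Stand-in payload; a real agent writes its check sections here.
        self.wfile.write(b"<<<check_mk>>>\nAgentOS: example\n")


class RestrictedAgentServer(socketserver.TCPServer):
    """Hypothetical server: one listen address plus a peer allowlist."""
    allow_reuse_address = True

    def __init__(self, listen_addr, onlyfrom, port=AGENT_PORT, bind=True):
        self.networks = parse_onlyfrom(onlyfrom)
        # Must be set before TCPServer.__init__ creates the socket.
        self.address_family = family_for(listen_addr)
        super().__init__((listen_addr, port), AgentHandler,
                         bind_and_activate=bind)

    def verify_request(self, request, client_address):
        # socketserver calls this before the handler; returning False
        # closes the connection without sending any agent output.
        return is_allowed(client_address[0], self.networks)


def demo():
    # Constructed peers from the RFC 5737 documentation ranges. bind=False
    # keeps the demo offline; a real deployment passes the LAN address
    # of the firewall and calls serve_forever().
    with RestrictedAgentServer("127.0.0.1", "192.0.2.10, 198.51.100.0/24",
                               bind=False) as srv:
        peers = ["192.0.2.10", "::ffff:198.51.100.7", "203.0.113.5"]
        return {p: srv.verify_request(None, (p, 40000)) for p in peers}


if __name__ == "__main__":
    for peer, ok in demo().items():
        print(peer, "accepted" if ok else "closed without data")
```

Binding to a single internal address removes the listener from the WAN interface altogether, while the allowlist is a second layer for the interfaces that remain.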
Small typo causes labels to not work
Hi,
there is a small typo causing labels to not work right now.
367 _ret.append('{{"cmk/device_type":"vm"}}')
should be
367 _ret.append('{"cmk/device_type":"vm"}')
So there is one { and } too much resulting in check_mk being unable to parse it.
Thank you!
best regards
Mike
Version check is WARN when running a hotfix
I just upgraded to the latest version. The version check is now in warning state:
Version 22.1.1_3 (22.1.1 available February 16, 2022) Config changed: 18:14 23.02.2022
This is because the "hotfix" version tag (denoted by the _3) does not appear in the changelog, so the strings are not equal.
You already split the version string by _ here and store it in _current_firmware:
https://github.com/bashclub/check-opnsense/blob/78d92e8c7d1e0cf4b1e0d14dc28f46bb660166e6/opnsense_checkmk_agent.py#L208
However, the string used for the actual check is os_version which directly uses product_version instead of _current_firmware:
https://github.com/bashclub/check-opnsense/blob/78d92e8c7d1e0cf4b1e0d14dc28f46bb660166e6/opnsense_checkmk_agent.py#L216
Probably just an oversight, because despite its declaration, _current_firmware is not used anywhere in the script, so I'm guessing you planned to do this but forgot ;)
AttributeError: 'str' object has no attribute 'get'
Hello, thanks for this great OPNSense Check - i get the following error (running OPNSense )
Traceback (most recent call last):
File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 104, in do_checks
_lines += getattr(self,_check)()
File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 589, in checklocal_acmeclient
if _cert_info.get("enabled") != "1":
AttributeError: 'str' object has no attribute 'get'
Running:
OPNSense 21.10-amd64
FreeBSD 12.1
OpenSSL 1.1.1l24
Major upgrades are not reported (e.g. from 23.7 to 24.1)
I had in mind that a major version change was not reported last time. This time (23.7 to 24.1) I did a compare of "/tmp/pkg_upgrade.json" from an opnsense still having 23.7 and a second one already upgraded, but having updates pending.
#1 currently running 24.1.1 (fyi, I have shortened upgrade_packages)
{
"api_version":"2",
"connection":"ok",
"downgrade_packages":[],
"download_size":"92MiB",
"last_check":"Wed Feb 21 08:50:43 CET 2024",
"needs_reboot":"1",
"new_packages":[{"name":"suricata","repository":"OPNsense","version":"7.0.3"}],
"os_version":"FreeBSD 13.2-RELEASE-p9",
"product_id":"opnsense",
"product_target":"opnsense",
"product_version":"24.1.1",
"product_abi":"24.1",
"reinstall_packages":[],
"remove_packages":[],
"repository":"ok",
"upgrade_major_message":"",
"upgrade_major_version":"",
"upgrade_needs_reboot":"0",
"upgrade_packages":[{"name":"vnstat","repository":"OPNsense","current_version":"2.11_1","new_version":"2.12"},{"name":"base","size":"116651300","repository":"OPNsense","current_version":"24.1","new_version":"24.1.2"},{"name":"kernel","size":"32843704","repository":"OPNsense","current_version":"24.1","new_version":"24.1.2"}],
"upgrade_sets":[]
}
#2 currently running 23.7.12
{
"api_version":"2",
"connection":"ok",
"downgrade_packages":[],
"download_size":"",
"last_check":"Wed Feb 21 08:53:24 CET 2024",
"needs_reboot":"0",
"new_packages":[],
"os_version":"FreeBSD 13.2-RELEASE-p7",
"product_id":"opnsense",
"product_target":"opnsense",
"product_version":"23.7.12_5",
"product_abi":"23.7",
"reinstall_packages":[],
"remove_packages":[],
"repository":"ok",
"upgrade_major_message":"
OPNsense 23.7 "Restless Roadrunner" has reached its end of life. As such it will not receive any more updates, but the upgrade to the new 24.1 series is seamless and can be performed right here from the web GUI.
Another method is to import and reinstall using a new installation image, which will retain your settings using "Import Configuration", then reformat the disk and apply a clean system using either "Install (UFS)" or "Install (ZFS)".
You can also upgrade via console / SSH by using option 12 from the menu by typing "24.1" when prompted.
Make sure to read the migration notes and account for possible breaking changes.
Please backup your configuration, preview the new version via live image or in a virtual machine. Create snapshots. If all else fails, report back <a href="https://forum.opnsense.org/\" target="_blank">in the forums for assistance.
","upgrade_major_version":"24.1",
"upgrade_needs_reboot":"1",
"upgrade_packages":[],
"upgrade_sets":[{"name":"packages","size":"737773056","current_version":"23.7","new_version":"24.1","repository":"OPNsense"},{"name":"kernel","size":"32845676","current_version":"23.7.10","new_version":"24.1","repository":"OPNsense"},{"name":"base","size":"116669220","current_version":"23.7.10","new_version":"24.1","repository":"OPNsense"}]
}
The identifier "upgrade_major_version" is reporting the next major version. Is it possible to parse this information with the daemon?
As of now with v1.0.7 there is no information about an existing update if the next major version is already in place:
Br,
Markus
IPSec Monitoring
Hello,
I found a problem within the IPSec Monitoring. I have 92 Tunnels (phase 1 and 2), but only 2 tunnels are shown in checkmk.
I found out that the 2 Tunnels that are displayed only have 1 phase 2 entry, all others have more than 1.
Maybe this is the problem
Thank you!
Daniel
Feature request to support apcupsd by agent
Might be interesting for those who have a UPS from APC (Schneider). There is a plugin for checkmk with some nice output.
https://exchange.checkmk.com/p/apcaccess
On opnsense side you just need to install the plugin os-apcupsd.
For checkmk there is some mkp to parse the information from the client. https://exchange.checkmk.com/packages/apcaccess/914/apcaccess-5.0.mkp
the only thing missing is a small change in opnsense_checkmk_agent.py
I am not a coding guy, but this is my current solution:
def check_apcupsd(self):
    _ret = ["<<<apcaccess:sep(58)>>>"]
    _ret.append("[[apcupsd.conf]]")
    _ret.append(self._run_prog("apcaccess").strip())
    return _ret
The output of the checkmk service looks like this:
Gateways not show in check_mk opnsense 24.1.x
Hello,
as of version opnsense 24.1, the gateways are no longer recognized in opnsense.
Greetings Mario
Gateway check -> RTT value is translated wrong / IPv4 shows always 'None'
Hello,
I really love this agent for OPNsense, the only problem I have so far is the fact that RTT conversion seems to be wrong. The agent collects a value in seconds but check_mk assumes a value in milliseconds.
As far as I am able to review the code, the gateway check decides between inet and inet6. Only for inet (IPv4) the gateway IP address should be stored. I don't know why, but the status is always 'None'.
Br,
Markus
patch: avoid error if no dhcp plugin is present (FailedPythonPlugins: dhcp)
avoid error if no dhcp plugin is present
from debug ...
line 583, in check_dhcp
_dhcpconf = open("/var/dhcpd/etc/dhcpd.conf","r").read()
FileNotFoundError: [Errno 2] No such file or directory: '/var/dhcpd/etc/dhcpd.conf'
<<<check_mk>>>
FailedPythonPlugins: dhcp
patch:
< if not os.path.exists("/var/dhcpd/var/db/dhcpd.leases"):
---
> if not os.path.exists("/var/dhcpd/var/db/dhcpd.leases") or not os.path.exists("/var/dhcpd/etc/dhcpd.conf"):
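Review bot: The added `os.path.exists("/var/dhcpd/etc/dhcpd.conf")` test only checks the file at one moment, while the read happens later in the `open(...)` call shown in the debug output, so the file can still be missing by then. Catching FileNotFoundError around that open() would cover both the missing-file case and that gap; the two path literals in the condition could also become named constants so the check and the read cannot drift apart.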
CARP Interfaces in Warn state
Parsing of section statgrab_net failed
Hi,
I have the following problem with the client: In check mk it results in an error message "Parsing of section statgrab_net failed" when I have vlans in opnsense with the naming "vlan0.10", "vlan0.12" and so on. The other interfaces ("lan", "wan") in checkmk were shown as vanished services.
Without these named vlans it is all ok.
Referenced to /cmk/base/plugins/agent_based/inventory_statgrab_net.py line 20 there is a split which will crash with output of the check.
Relevant agent output:
<<<statgrab_net>>>
vtnet0.mtu 1500
vtnet0.ipackets 850605
vtnet0.ierror 0
vtnet0.idrop 0
vtnet0.rx 111443544
vtnet0.opackets 722513
vtnet0.oerror 0
[...]
vlan0.10.mtu 1500
vlan0.10.ipackets 6838
vlan0.10.ierror 0
vlan0.10.idrop 0
vlan0.10.rx 191548
vlan0.10.opackets 215
vlan0.10.oerror 0
[...]
The naming "vlan0.XX" was made in opnsense: interfaces -> other -> VLAN -> Edit vlan0.XX -> device
Thanks a lot!
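An added illustration, not taken from the post, from Checkmk or from the agent, of why interface names that contain a dot break a `statgrab_net` parser that expects exactly one dot per key, and how splitting on the last dot avoids it. Both parser functions are hypothetical; the sample lines are a constructed subset of the agent output quoted above.

```python
# Constructed sample: subset of the statgrab_net lines quoted in the report
SAMPLE = """\
vtnet0.mtu 1500
vtnet0.ipackets 850605
vlan0.10.mtu 1500
vlan0.10.ipackets 6838
vlan0.10.rx 191548
"""


def parse_naive(text):
    """Hypothetical parser that assumes '<interface>.<counter> <value>'."""
    result = {}
    for line in text.splitlines():
        key, value = line.split(None, 1)
        # Unpacking fails with ValueError for "vlan0.10.mtu" (three parts)
        iface, counter = key.split(".")
        result.setdefault(iface, {})[counter] = int(value)
    return result


def parse_robust(text):
    """Split on the LAST dot so dotted interface names stay intact.

    Returns (interfaces, skipped_lines); malformed lines are collected
    instead of aborting the whole section.
    """
    result, skipped = {}, []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or "." not in parts[0]:
            skipped.append(line)
            continue
        iface, counter = parts[0].rsplit(".", 1)
        try:
            number = int(parts[1])
        except ValueError:
            skipped.append(line)
            continue
        result.setdefault(iface, {})[counter] = number
    return result, skipped


if __name__ == "__main__":
    try:
        parse_naive(SAMPLE)
    except ValueError as exc:
        print("naive parser failed:", exc)
    interfaces, skipped = parse_robust(SAMPLE)
    print(sorted(interfaces), skipped)
```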
Service "WireGuard VPN" shows CRIT, with installed kmod
Hi,
The Service "WireGuard VPN" shows up as not running (which it also does in the WebUI), when the WireGuard kmod is installed.
Is there a way to fix this, since the service is OK? Either directly in the check script, or in WATO on the checkmk-instance?
Thank you!
nginx check: Zones vanish after reboot or nginx restart until first call of the site
Service is only shown, if runtime logs or metrics for specific Zone available?
OPNsense, Failed to execute python plugins: ipsec
Hi,
I used to have IPsec tunnel configured but it's been deleted both P1/P2 and IPsec disabled. But the plugin is still trying to execute its checks for IPsec. Traceback below
Traceback (most recent call last):
File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 231, in do_checks
_lines += getattr(self,_check)()
File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 918, in checklocal_ipsec
_ikeid = _phase1.get("ikeid")
AttributeError: 'NoneType' object has no attribute 'get'
Memory section missing
Hello,
i was using the default freebsd agent previously and with this agent the memory section is now missing.
I think it is just this section
# Statgrab
# To install: pkg install libstatgrab
if inpath statgrab; then
    statgrab_vars="const. disk. general. page. proc. user."
    statgrab_vars_mem="mem. swap."
    statgrab_sections="proc disk page"
    statgrab $statgrab_vars | grep -v md 1> /tmp/statgrab.$$
    statgrab $statgrab_vars_mem 1>>/tmp/statgrab.$$
    for s in $statgrab_sections
    do
        echo "<<<statgrab_$s>>>"
        grep "^${s}\." /tmp/statgrab.$$ | cut -d. -f2-99 | sed 's/ *= */ /'
    done
    echo '<<<statgrab_net>>>'
    statgrab net. 2>&1 | cut -d. -f2-99 | sed 's/ *= */ /'
    echo '<<<statgrab_mem>>>'
    egrep "^(swap|mem)\." /tmp/statgrab.$$ | sed 's/ *= */ /'
    [ -f /tmp/statgrab.$$ ] && rm -f /tmp/statgrab.$$
fi
Maybe you could add this to the next release?
Thanks and best regards
Mike