
checkmk-opnsense-agent's People

Contributors

cpzengel, thorstenspille


checkmk-opnsense-agent's Issues

check of nginx broken?

Hi,

After a reboot the plugin tells me that nginx is not started but it is and works correctly.

Could you help me out with this?

BR
kohly

__VERSION__ naming

Hi,

The version shown in checkmk is "0.96", but it should be "2.1.0p17" (or similar), the same as the latest supported checkmk server version.
Reference


Disabled VPN tunnels

After the first try, everything works as expected.
There's only one thing: disabled VPN connections are in CRIT state.
Dunno if this is intended or a bug, but can this be fixed or added to exclude the disabled connection?
I'm using the last stable release.

DHCP Pool Crash Checkmk Raw Edition 2.2.0b8

Hi,

I updated my CheckMK to 2.2.0b8 and currently always get crashes on the DHCP pools.
If more information is needed, feel free to tag me :)


CheckMK Exception:

AttributeError ('tuple' object has no attribute 'get')

CheckMK Traceback:

  File "/omd/sites/home/lib/python3/cmk/base/agent_based/checking/_checking.py", line 413, in get_aggregated_result
    consume_check_results(
  File "/omd/sites/home/lib/python3/cmk/base/api/agent_based/checking_classes.py", line 494, in consume_check_results
    for subr in subresults:
  File "/omd/sites/home/lib/python3/cmk/base/api/agent_based/register/check_plugins.py", line 93, in filtered_generator
    for element in generator(*args, **kwargs):
  File "/omd/sites/home/lib/python3/cmk/base/api/agent_based/register/check_plugins_legacy.py", line 207, in check_result_generator
    subresults = _normalize_check_function_return_value(sig_function(**kwargs))
  File "/omd/sites/home/lib/python3/cmk/base/api/agent_based/register/check_plugins_legacy.py", line 168, in _normalize_check_function_return_value
    return list(subresults)
  File "/omd/sites/home/share/check_mk/checks/isc_dhcpd", line 95, in check_isc_dhcpd
    for check_result in check_dhcp_pools_levels(
  File "/omd/sites/home/lib/python3/cmk/base/check_legacy_includes/dhcp_pools.py", line 21, in check_dhcp_pools_levels
    for new_api_object in dhcp_pools.check_dhcp_pools_levels(free, used, pending, size, params):
  File "/omd/sites/home/lib/python3/cmk/base/plugins/agent_based/utils/dhcp_pools.py", line 32, in check_dhcp_pools_levels
    if (levels := params.get(f"{category}_leases")) is not None:

Not working with dynamic DNS

After a new IP address, the IPsec item vanishes and a new service is found.
Perhaps it would be better to name the IPsec service with the description, if available?

Parsing of section statgrab_net failed

Interfaces aren't visible in checkmk.

checkmk version: 2.1.0p25
agent version: 0.99.2

[root@OPNsense ~]# /usr/bin/netstat -i -b -d -n -W -f link
Name       Mtu Network            Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll  Drop
igc0      1500 <Link#1>           aa:bb:cc:11:22:33 75184337     0     0 98298281886 49062740     0 17215226957     0     0
igc1      1500 <Link#2>           aa:bb:cc:11:22:33 31075168     0     0 2172642511 66459418     0 92608725366     0  1033
igc2      1500 <Link#3>           aa:bb:cc:11:22:33 20522795     0     0 16530136328 11024261     0 6648523619     0     0
igc3*     1500 <Link#4>           aa:bb:cc:11:22:33        0     0     0          0        0     0          0     0     0
lo0      16384 <Link#5>           lo0                  45528     0     0    8016768    45528     0    8016768     0     0
enc0*     1536 <Link#6>           enc0                     0     0     0          0        0     0          0     0     0
pflog0*  33160 <Link#7>           pflog0                   0     0     0          0  1065553     0   75302523     0     0
pfsync0*  1500 <Link#8>           pfsync0                  0     0     0          0        0     0          0     0     0
vlan0.20  1500 <Link#9>           aa:bb:cc:11:22:33        0     0     0          0        1     1         42     0     0
vlan0.30  1500 <Link#10>          aa:bb:cc:11:22:33        0     0     0          0        1     1         42     0     0
vlan0.40  1500 <Link#11>          aa:bb:cc:11:22:33    28842     0     0    5643954    49795     1   48604978     0     0
vlan0.50  1500 <Link#12>          aa:bb:cc:11:22:33   478043     0     0   89660493   741741     2  715774608     0     0
vlan0.7   1500 <Link#13>          aa:bb:cc:11:22:33 75180749     0     0 97996973505 49046489     0 17013002403     0     0
pppoe0    1492 <Link#14>          pppoe0            75175319     0     0 96342811991 49041059     0 15933936085     0     0

filter rule.

Hi. I have:
enabled ssh
connected with putty
typed 8 to open a shell
typed these commands:
fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py
chmod +x /usr/local/etc/rc.syshook.d/start/99-checkmk_agent
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent

And all is good.

But the rule to open 6556 on WAN does not work.
Can someone explain to me how to make this rule?

I created a rule like this in NAT / port forward to accept requests only from my checkmk server's public IP:

https://i.imgur.com/hBcE1tE.png

But on a remote checkmk server the agent test times out:

https://i.imgur.com/8Vi67OL.png

Crash in Check MK version 2.1.0p19

Hello,
Check MK crashes when trying to discover the plugin.
The crash report begins with:
ValueError (Invalid line in agent section <<>>. Reason: Invalid performance data: ''. First offending line: "2 "OpenVPN Server: rw_OpenVPN_Server" connections_ssl_vpn=0;;63|expire
Is anything known about this?
Is further information needed?

Service running, but no listening service

Hi and first of all thank you for your great work!
Unfortunately I'm not able to get the agent working.

I did all three installation steps (downloaded the script, made it executable and started it) and I can see that the script is running in the list of services, and the system log also tells me the checkmk_agent is starting and running:

<29>1 2022-10-27T20:21:34+00:00 XXXXXXXXXXXX checkmk_agent 10631 - [meta sequenceId="4"] starting checkmk_agent
<29>1 2022-10-27T20:34:06+00:00 XXXXXXXXXXXXX checkmk_agent 10631 - [meta sequenceId="5"] checkmk_agent running

I also created an according rule to allow my checkMK Server to access the Firewall on port 6556 but as I checked with netstat -ln -4 there is absolutely nothing running on Port 6556 :/

Tested with version 0.96 and also 0.99.
What am I doing wrong? :/

OpnSense Version is: 22.7.6

EDIT: Nevermind.. although I first only got ipmi infos in checkmk from opnsense after completing the host adding I got more values..strange anyway...thought that the service should be listed as listening on 6556 with netstat all the time

Failed to execute python plugins: ipsec

Hi,

thank you for this amazing Implementation.

I have the following Problems:
[Check_MK Discovery] [agent] Version: 0.88, OS: OPNsense, Failed to execute python plugins: ipsec, execution time 6.5 sec

This error is flapping (cannot describe exact time intervals) and leads to other errors in IPSec-Tunnel monitoring:

[IPsec Tunnel] UNKNOWN - Item not found in monitoring data

After some minutes, the status is OK again.

Firmware of my device:
Version 21.10 Config changed: 13:05 24.06.2022, update_available: 0.00, last_updated: 22164966.00, apply_finish_time: 258614.00

Thanks in advance for support!

SMART check plugin?

Hello,

I am missing the basic smart check within the checks, but from what I see in the agent feedback, there seems to be a very good and detailed custom check included.

image

I guess to collect this info with the check_mk server I need to have the plugin, right? Where can I find it?

And thumbs up for the great work!

Br,
Markus

CARP Demotion Level in Overview

Hello bashclub,

It would be great if the CARP Demoted Level was displayed in the CheckMK overview of the host. You can display the level using the following command. (sysctl net.inet.carp.demotion) Could you please incorporate the feature into the script?

Error with development version of the OPNsense firmware

When a development version of OPNsense is used, the Python script unfortunately runs into an error while reading the firmware version. That version contains a letter before the underscore, which unfortunately prevents the otherwise very good script from running correctly. In this case the script returns no result at all over port 6556.

Checkmk < 2.2.0p5 Information Disclosure Vulnerability

Hello,

Yesterday we had vulnerability testing done and found an information disclosure in our agent config.

The agent is listening AND answering any request at our WAN interfaces/IPs with all the information the agent gathers (you can check it with "telnet ip port").
Worryingly, the port is not even open in the firewall policies.




Today we helped ourselves with a workaround. In /usr/local/etc/checkmk.conf we added the CheckMK IPs:

onlyfrom: our ipaddresses, comma separated

So the output with telnet after stopping and starting the agent is now:

Escape character is '^]'.
Connection closed by foreign host.

Is there any way to configure listen interfaces or IP addresses so that the agent port is not open on all interfaces?

Thanks in Advance
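The two controls this report asks about, sketched as an added example that is not the agent's own code: bind the listener to one address instead of all interfaces, and enforce the `onlyfrom` allowlist before any data is sent. Only the `onlyfrom` key comes from the report; `RestrictedAgentServer`, `parse_onlyfrom`, `is_allowed`, `probe`, `demo` and the sample output are hypothetical names and constructed data.

```python
import ipaddress
import socket
import socketserver
import threading

# Constructed stand-in for the real agent output.
SAMPLE_OUTPUT = b"<<<check_mk>>>\nAgentOS: OPNsense\n"


def parse_onlyfrom(value):
    """Turn a comma separated 'onlyfrom' value into a list of networks."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def is_allowed(peer_ip, networks):
    """True if peer_ip lies inside one of the allowed networks."""
    addr = ipaddress.ip_address(peer_ip)
    # IPv4-mapped IPv6 peers (::ffff:a.b.c.d) are compared as IPv4.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks if net.version == addr.version)


class AgentHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(SAMPLE_OUTPUT)


class RestrictedAgentServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_addr, port, onlyfrom):
        self.networks = parse_onlyfrom(onlyfrom)
        # Binding to one address (not "" / 0.0.0.0) keeps the port off
        # every other interface, independent of firewall rules.
        super().__init__((bind_addr, port), AgentHandler)

    def verify_request(self, request, client_address):
        # Returning False makes socketserver close the connection unanswered.
        return is_allowed(client_address[0], self.networks)


def probe(host, port, timeout=2.0):
    """Connect like 'telnet ip port' and return everything the peer sends."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(onlyfrom):
    """Serve on loopback with the given allowlist and probe from loopback."""
    server = RestrictedAgentServer("127.0.0.1", 0, onlyfrom)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo("127.0.0.1"))                      # allowed peer gets the output
    print(demo("192.0.2.10, 198.51.100.0/24"))    # other peers get nothing
```

Running `probe` from an address outside the monitoring server's range is a quick regression check after each agent update: an empty result matches the "Connection closed by foreign host" behaviour described above.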

Error trying to detect gateway when using DHCP IP on WAN interface

CheckMK says "FailedPythonPlugins: gateway". Running the script with --debug yields

Traceback (most recent call last):
  File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 164, in do_checks
    _lines += getattr(self,_check)()
  File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 468, in checklocal_gateway
    _gateway_items = self._config_reader().get("gateways").get("gateway_item",[])
AttributeError: 'NoneType' object has no attribute 'get'

And indeed, the config.xml does not seem to contain any gateway (apart from dns3gw), but there is no <gateway> key. This might be due to the fact that in my setup, the WAN interface has no static IP but DHCP, so the gateway IP is dynamic.

IPsec monitor problems

Hi,

thank you very much for your agent!

When monitoring IPsec connections it fails with a Traceback:

Traceback (most recent call last):
  File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 104, in do_checks
    _lines += getattr(self,_check)()
  File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 553, in checklocal_ipsec
    _childsas = next(_childsas)
StopIteration

Maybe it's caused by a down IPsec tunnel, here is the corresponding output from /usr/local/opnsense/scripts/ipsec/list_status.py:

"con5":{"local-addrs":"xxx.xxx.xxx.xxx","remote-addrs":"xxx.xxx.xx,0.0.0.0\/0,::\/0","children":{"con5":{"mode":"TUNNEL","rekey_time":"28260","rekey_bytes":"0","rekey_packets":"0","dpd_action":"restart","close_action":"clear","local-ts":["0.0.0.0\/0"],"remote-ts":["0.0.0.0\/0"]}},"local-id":"xxx.xxx.xxx.xxx","remote-id":"xxx.xxx.xx","version":"IKEv2","sas":[],"routed":true,"local-class":"pre-shared key","remote-class":"pre-shared key"}

Can you have a look please?

Thanks,
Christian

ipv6 not working

Hi,
we have a v6 only network setup and would like to use the opnsense agent to communicate with our checkmk server via ipv6. we already looked into the code and tried to get TCPServer to listen to v6 as well - unfortunately without success. maybe someone knows how to activate v6 - would be very appreciated!

Small typo causes labels to not work

Hi,

there is a small typo causing labels to not work right now.

367             _ret.append('{{"cmk/device_type":"vm"}}')

should be
367 _ret.append('{"cmk/device_type":"vm"}')

So there is one { and one } too many, resulting in check_mk being unable to parse it.

Thank you!

best regards
Mike

Version check is WARN when running a hotfix

I just upgraded to the latest version. The version check is now in warning state:

Version 22.1.1_3 (22.1.1 available February 16, 2022) Config changed: 18:14 23.02.2022

This is because the "hotfix" version tag (denoted by the _3) does not appear in the changelog, so the strings are not equal.

You already split the version string by _ here and store it in _current_firmware:
https://github.com/bashclub/check-opnsense/blob/78d92e8c7d1e0cf4b1e0d14dc28f46bb660166e6/opnsense_checkmk_agent.py#L208

However, the string used for the actual check is os_version which directly uses product_version instead of _current_firmware:
https://github.com/bashclub/check-opnsense/blob/78d92e8c7d1e0cf4b1e0d14dc28f46bb660166e6/opnsense_checkmk_agent.py#L216

Probably just an oversight, because despite its declaration, _current_firmware is not used anywhere in the script, so I'm guessing you planned to do this but forgot ;)

AttributeError: 'str' object has no attribute 'get'

Hello, thanks for this great OPNSense Check - i get the following error (running OPNSense )

Traceback (most recent call last):
  File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 104, in do_checks
    _lines += getattr(self,_check)()
  File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 589, in checklocal_acmeclient
    if _cert_info.get("enabled") != "1":
AttributeError: 'str' object has no attribute 'get'

Running:
OPNSense 21.10-amd64
FreeBSD 12.1
OpenSSL 1.1.1l24

Major upgrades are not reported (e.g. from 23.7 to 24.1)

I had in mind that a major version change was not reported last time. This time (23.7 to 24.1) I did a compare of "/tmp/pkg_upgrade.json" from an opnsense still having 23.7 and a second one already upgraded, but having updates pending.

#1 currently running 24.1.1 (fyi, I have shortened upgrade_packages)

{
"api_version":"2",
"connection":"ok",
"downgrade_packages":[],
"download_size":"92MiB",
"last_check":"Wed Feb 21 08:50:43 CET 2024",
"needs_reboot":"1",
"new_packages":[{"name":"suricata","repository":"OPNsense","version":"7.0.3"}],
"os_version":"FreeBSD 13.2-RELEASE-p9",
"product_id":"opnsense",
"product_target":"opnsense",
"product_version":"24.1.1",
"product_abi":"24.1",
"reinstall_packages":[],
"remove_packages":[],
"repository":"ok",
"upgrade_major_message":"",
"upgrade_major_version":"",
"upgrade_needs_reboot":"0",
"upgrade_packages":[{"name":"vnstat","repository":"OPNsense","current_version":"2.11_1","new_version":"2.12"},{"name":"base","size":"116651300","repository":"OPNsense","current_version":"24.1","new_version":"24.1.2"},{"name":"kernel","size":"32843704","repository":"OPNsense","current_version":"24.1","new_version":"24.1.2"}],
"upgrade_sets":[]
}

#2 currently running 23.7.12

{
"api_version":"2",
"connection":"ok",
"downgrade_packages":[],
"download_size":"",
"last_check":"Wed Feb 21 08:53:24 CET 2024",
"needs_reboot":"0",
"new_packages":[],
"os_version":"FreeBSD 13.2-RELEASE-p7",
"product_id":"opnsense",
"product_target":"opnsense",
"product_version":"23.7.12_5",
"product_abi":"23.7",
"reinstall_packages":[],
"remove_packages":[],
"repository":"ok",
"upgrade_major_message":"

OPNsense 23.7 "Restless Roadrunner" has reached its end of life. As such it will not receive any more updates, but the upgrade to the new 24.1 series is seamless and can be performed right here from the web GUI.

Another method is to import and reinstall using a new installation image, which will retain your settings using "Import Configuration", then reformat the disk and apply a clean system using either "Install (UFS)" or "Install (ZFS)".

You can also upgrade via console / SSH by using option 12 from the menu by typing "24.1" when prompted.

Make sure to read the migration notes and account for possible breaking changes.

Please backup your configuration, preview the new version via live image or in a virtual machine. Create snapshots. If all else fails, report back <a href="https://forum.opnsense.org/\" target="_blank">in the forums for assistance.

",
"upgrade_major_version":"24.1",
"upgrade_needs_reboot":"1",
"upgrade_packages":[],
"upgrade_sets":[{"name":"packages","size":"737773056","current_version":"23.7","new_version":"24.1","repository":"OPNsense"},{"name":"kernel","size":"32845676","current_version":"23.7.10","new_version":"24.1","repository":"OPNsense"},{"name":"base","size":"116669220","current_version":"23.7.10","new_version":"24.1","repository":"OPNsense"}]
}

The identifier "upgrade_major_version" is reporting the next major version. Is it possible to parse this information with the daemon?

As of now with v1.0.7 there is no information about an existing update if the next major version is already in place:

image

Br,
Markus
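How the fields quoted in this report and in the hotfix report above could feed one firmware check, as an added example that is not the agent's code: the hotfix suffix after `_` is dropped before comparing versions, and `upgrade_major_version` and the package lists raise the state. `firmware_status`, its `latest_release` parameter and the two reduced JSON samples are hypothetical and constructed from the quoted output.

```python
import json

# Constructed samples, reduced to the fields used below.
RUNNING_24_1 = json.loads("""{
  "product_version": "24.1.1",
  "upgrade_major_version": "",
  "new_packages": [{"name": "suricata", "version": "7.0.3"}],
  "upgrade_packages": [
    {"name": "base", "current_version": "24.1", "new_version": "24.1.2"},
    {"name": "kernel", "current_version": "24.1", "new_version": "24.1.2"}]
}""")

RUNNING_23_7 = json.loads("""{
  "product_version": "23.7.12_5",
  "upgrade_major_version": "24.1",
  "new_packages": [],
  "upgrade_packages": []
}""")


def firmware_status(info, latest_release=None):
    """Return (state, summary) with 0 = OK and 1 = WARN.

    latest_release is the newest version named in the changelog, if known.
    """
    installed = info.get("product_version") or "unknown"
    # "22.1.1_3" is hotfix 3 of 22.1.1: compare only the part before "_".
    base_version = installed.split("_", 1)[0]
    findings = []

    major = info.get("upgrade_major_version") or ""
    if major:
        findings.append(f"major upgrade to {major} available")

    changes = len(info.get("upgrade_packages") or []) \
        + len(info.get("new_packages") or [])
    if changes:
        findings.append(f"{changes} package changes pending")

    if latest_release and latest_release != base_version:
        findings.append(f"{latest_release} available")

    state = 1 if findings else 0
    return state, f"Version {installed}: " + (", ".join(findings) or "up to date")


if __name__ == "__main__":
    for sample in (RUNNING_24_1, RUNNING_23_7):
        print(firmware_status(sample))
    print(firmware_status({"product_version": "22.1.1_3"}, "22.1.1"))
```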

IPSec Monitoring

Hello,

i found a Problem within the IPSec Monitoring. I have 92 Tunnels (phase 1 and 2), but only 2 tunnels are shown in checkmk.

I found out that the 2 tunnels that are displayed only have 1 phase 2 entry; all others have more than 1.

Maybe this is the problem

Thank you!
Daniel

Feature request to support apcupsd by agent

Might be interesting for those who have a UPS from APC (Schneider). There is a plugin for checkmk with some nice output.
https://exchange.checkmk.com/p/apcaccess

On opnsense side you just need to install the plugin os-apcupsd.

For checkmk there is some mkp to parse the information from the client. https://exchange.checkmk.com/packages/apcaccess/914/apcaccess-5.0.mkp

the only thing missing is a small change in opnsense_checkmk_agent.py

I am not a coding guy, but this is my current solution:

def check_apcupsd(self):
        _ret = ["<<<apcaccess:sep(58)>>>"]
        _ret.append("[[apcupsd.conf]]")
        _ret.append(self._run_prog("apcaccess").strip())
        return _ret

The output of the checkmk service looks like this:

image

image

Gateway check -> RTT value is translated wrong / IPv4 shows always 'None'

Hello,

I really love this agent for opnsense, the only problem I have so far is the fact that RTT conversion seems to be wrong. The agent collects a value in seconds but check_mk assumes a value in milliseconds.

As far as I am able to review the code, the gateway check decides between inet and inet6. Only for inet (IPv4) the gateway IP address should be stored. I don't know why, but the status is always 'None'.

image

Br,
Markus

patch: avoid error if no dhcp plugin is present (FailedPythonPlugins: dhcp)

avoid error if no dhcp plugin is present
from debug ...

line 583, in check_dhcp
    _dhcpconf = open("/var/dhcpd/etc/dhcpd.conf","r").read()
FileNotFoundError: [Errno 2] No such file or directory: '/var/dhcpd/etc/dhcpd.conf'
<<<check_mk>>>
FailedPythonPlugins: dhcp

patch:

<         if not os.path.exists("/var/dhcpd/var/db/dhcpd.leases"):
---
>         if not os.path.exists("/var/dhcpd/var/db/dhcpd.leases") or not os.path.exists("/var/dhcpd/etc/dhcpd.conf"):
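Review bot: On the `>` line, the added os.path.exists("/var/dhcpd/etc/dhcpd.conf") test does not protect the open("/var/dhcpd/etc/dhcpd.conf","r").read() call shown in the traceback if the file is removed or unreadable between the test and the read, so check_dhcp can still end in FailedPythonPlugins: dhcp. Wrapping that read in a try/except for OSError and returning early would cover both cases, and a with block would also close the file handle. The diff carries no file name or line range, so please say which condition in check_dhcp it replaces.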

Parsing of section statgrab_net failed

Hi,

I have the following problem with the client: in checkmk it results in the error message "Parsing of section statgrab_net failed" when I have VLANs in opnsense named "vlan0.10", "vlan0.12" and so on. The other interfaces ("lan", "wan") in checkmk were shown as vanished services.
Without these named VLANs it is all ok.

Referring to /cmk/base/plugins/agent_based/inventory_statgrab_net.py line 20, there is a split which will crash with the output of the check.

Relevant agent output:

<<<statgrab_net>>>
vtnet0.mtu 1500
vtnet0.ipackets 850605
vtnet0.ierror 0
vtnet0.idrop 0
vtnet0.rx 111443544
vtnet0.opackets 722513
vtnet0.oerror 0
[...]
vlan0.10.mtu 1500
vlan0.10.ipackets 6838
vlan0.10.ierror 0
vlan0.10.idrop 0
vlan0.10.rx 191548
vlan0.10.opackets 215
vlan0.10.oerror 0
[...]

The naming "vlan0.XX" was made in opnsense: interfaces -> other -> VLAN -> Edit vlan0.XX -> device

Thanks a lot!
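Why dotted interface names break a `statgrab_net` parser, shown for this report and the earlier one with the same title as an added example that is neither Checkmk's nor the agent's code. `parse_first_dot` is an assumed illustration of the fragile approach and `parse_last_dot` a tolerant alternative; the sample lines are constructed from the agent output quoted above plus one deliberately malformed line.

```python
# Constructed sample: lines from the quoted section plus one malformed line.
SECTION = """\
vtnet0.mtu 1500
vtnet0.ipackets 850605
vtnet0.rx 111443544
vlan0.10.mtu 1500
vlan0.10.ipackets 6838
vlan0.10.rx 191548
garbage-without-counter
"""


def parse_first_dot(text):
    """Fragile variant: assumes every key contains exactly one dot."""
    result = {}
    for line in text.splitlines():
        key, value = line.split(None, 1)
        iface, counter = key.split(".")  # "vlan0.10.mtu" yields three parts
        result.setdefault(iface, {})[counter] = value
    return result


def parse_last_dot(text):
    """Split interface and counter at the LAST dot and collect bad lines.

    Returns (interfaces, skipped) so that one malformed line costs one
    counter instead of every interface service on the host.
    """
    interfaces, skipped = {}, []
    for line in text.splitlines():
        parts = line.split(None, 1)
        key = parts[0] if parts else ""
        iface, sep, counter = key.rpartition(".")
        if len(parts) != 2 or not sep or not iface or not counter:
            skipped.append(line)
            continue
        value = parts[1].strip()
        interfaces.setdefault(iface, {})[counter] = (
            int(value) if value.isdigit() else value)
    return interfaces, skipped


def fragile_parser_fails(text):
    """True if the fragile variant raises on this section."""
    try:
        parse_first_dot(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(fragile_parser_fails(SECTION))
    print(parse_last_dot(SECTION))
```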

Service "WireGuard VPN" shows CRIT, with installed kmod

Hi,

The Service "WireGuard VPN" shows up as not running (which it also does in the WebUI), when the WireGuard kmod is installed.
Is there a way to fix this, since the service is OK? Either directly in the check script, or in WATO on the checkmk-instance?

Thank you!

OPNsense, Failed to execute python plugins: ipsec

Hi,

I used to have an IPsec tunnel configured but it's been deleted, both P1/P2, and IPsec disabled. But the plugin is still trying to execute its checks for IPsec. Traceback below

Traceback (most recent call last):
  File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 231, in do_checks
    _lines += getattr(self,_check)()
  File "/usr/local/etc/rc.syshook.d/start/99-checkmk_agent", line 918, in checklocal_ipsec
    _ikeid = _phase1.get("ikeid")
AttributeError: 'NoneType' object has no attribute 'get'

Memory section missing

Hello,

i was using the default freebsd agent previously and with this agent the memory section is now missing.

I think it is just this section

# Statgrab
# To install: pkg install libstatgrab

if inpath statgrab; then

    statgrab_vars="const. disk. general. page. proc. user."
    statgrab_vars_mem="mem. swap."
    statgrab_sections="proc disk page"

    statgrab $statgrab_vars | grep -v md 1> /tmp/statgrab.$$
    statgrab $statgrab_vars_mem 1>>/tmp/statgrab.$$


    for s in $statgrab_sections
    do
        echo "<<<statgrab_$s>>>"
        grep "^${s}\." /tmp/statgrab.$$ | cut -d. -f2-99 | sed 's/ *= */ /'
    done

    echo '<<<statgrab_net>>>'
    statgrab net. 2>&1 | cut -d. -f2-99 | sed 's/ *= */ /'

    echo '<<<statgrab_mem>>>'
    egrep "^(swap|mem)\." /tmp/statgrab.$$ | sed 's/ *= */ /'

    [ -f /tmp/statgrab.$$ ] && rm -f /tmp/statgrab.$$
fi

Maybe you could add this to the next release?

Thanks and best regards
Mike
