OPNsense CheckMK Agent

FingerlessGlovesOPNsense1 Comment on OPNsense CheckMK Agent

I’ve recently moved to CheckMK Host/Service monitoring from LibreNMS, as it gives me better control over service check intervals, alerts and better integrations via the CheckMK agent the graphing is also better in my opinion. So far I’ve really liked using it, the Linux agent works really well, but when it came to OPNsense using SNMP for monitoring like I did for LibreNMS, I thought there must be a FreeBSD or OPNsense specific agent I could be running.

It took some searching but eventually I came across this python based agent for OPNsense.
check-opnsense is it’s name on Github, very easy to install and you set it up just like any other host in CheckMK. Thank you thorstenspille, for your hard work.

Supports monitoring at least the following.

  • CPU Usage
  • DHCP Pool
  • File System
  • Firmware Version
  • Gateway
  • Interfaces
  • Memory
  • Unbound
  • Uptime
  • WireGuard Clients

If you run --help argument on the agent, towards the bottom it lists the checks it supports.

Install

fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py
chmod +x /usr/local/etc/rc.syshook.d/start/99-checkmk_agent
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent --start

Now the agent is running you just need to allow your CheckMK server to reach the checkmk agent port, via a Firewall rule. Default port is 6556, you can change this with the config file (see towards the bottom of this page).

When OPNsense reboots it’ll automatically runs the checkmk agent, so if you do not require it anymore, remember to remove the file and firewall rule otherwise it’ll start every time you boot your OPNsense system.

Upgrade

fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent --stop
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent --start

Configuration

The custom agent has a handful of settings you can set, unfortunately the README on the repo doesn’t explain the config file exists 😢, but I’ve worked it out by reading the code.
An example of all configuration settings are as follows; (/usr/local/etc/checkmk.conf)

onlyfrom: 192.0.2.22,192.168.0.33,10.0.0.44
skipcheck: gateway,acmeclient
port: 6556
encrypt: encryptPassphrase

onlyfrom: comma separated IPs of your CheckMK servers.
skipcheck: comma separated checks to skip, you can get the list of checks from --help argument.
port: port you wish to run the agent on.
encrypt: password to encrypt the check data with.
If you don’t need the setting set, don’t include it in the config file.
Once you set the settings you are after, you just need to stop and start the agent, for changes to apply.

/usr/local/etc/rc.syshook.d/start/99-checkmk_agent --stop
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent --start

One thought on “OPNsense CheckMK Agent

Leave a Reply

Your email address will not be published. Required fields are marked *