I’ve recently moved to CheckMK Host/Service monitoring from LibreNMS, as it gives me better control over service check intervals, alerts and better integrations via the CheckMK agent the graphing is also better in my opinion. So far I’ve really liked using it, the Linux agent works really well, but when it came to OPNsense using SNMP for monitoring like I did for LibreNMS, I thought there must be a FreeBSD or OPNsense specific agent I could be running.
It took some searching but eventually I came across this python based agent for OPNsense.
check-opnsense is it’s name on Github, very easy to install and you set it up just like any other host in CheckMK. Thank you thorstenspille, for your hard work.
Supports monitoring at least the following.
- CPU Usage
- DHCP Pool
- File System
- Firmware Version
- WireGuard Clients
If you run
--help argument on the agent, towards the bottom it lists the checks it supports.
fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py chmod +x /usr/local/etc/rc.syshook.d/start/99-checkmk_agent /usr/local/etc/rc.syshook.d/start/99-checkmk_agent --start
Now the agent is running you just need to allow your CheckMK server to reach the checkmk agent port, via a Firewall rule. Default port is 6556, you can change this with the config file (see towards the bottom of this page).
When OPNsense reboots it’ll automatically runs the checkmk agent, so if you do not require it anymore, remember to remove the file and firewall rule otherwise it’ll start every time you boot your OPNsense system.
fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py /usr/local/etc/rc.syshook.d/start/99-checkmk_agent --stop /usr/local/etc/rc.syshook.d/start/99-checkmk_agent --start
The custom agent has a handful of settings you can set, unfortunately the README on the repo doesn’t explain the config file exists 😢, but I’ve worked it out by reading the code.
An example of all configuration settings are as follows; (
onlyfrom: 192.0.2.22,192.168.0.33,10.0.0.44 skipcheck: gateway,acmeclient port: 6556 encrypt: encryptPassphrase
onlyfrom: comma separated IPs of your CheckMK servers.
skipcheck: comma separated checks to skip, you can get the list of checks from
port: port you wish to run the agent on.
encrypt: password to encrypt the check data with.
If you don’t need the setting set, don’t include it in the config file.
Once you set the settings you are after, you just need to stop and start the agent, for changes to apply.
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent --stop /usr/local/etc/rc.syshook.d/start/99-checkmk_agent --start
One thought on “OPNsense CheckMK Agent”
Loving the OPNSense doc