Netgate Discussion Forum

    "monit" package for pfSense part 2

    pfSense Packages
    21 Posts 3 Posters 7.8k Views
      Legion

      I was looking for a nice monitoring package and the internet told me about monit. It's been discussed before and there's a feature request on the pfsense redmine thing. I thought I'd have a go at installing it manually, see how it works.

      I found the appropriate package file on freebsd for my pfSense 2.1 install:

      • pkg_add -r http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/All/monit-5.3.2.tbz
      • the monit start script installs in /usr/local/etc/rc.d/monit. I created a symlink to make it run at boot: ln -s /usr/local/etc/rc.d/monit /usr/local/etc/rc.d/monit.sh. Or you could just rename the original or copy it or whatever.
      • I use the Filer package, suggested in another thread by marcelloc, to modify an /etc/rc.conf.local to include the line monit_enable="YES". This is an environment variable that monit requires to fire up. /usr/local/etc/rc.d/monit has a few details about that.
      • there's a sample file called /usr/local/etc/monitrc.sample. Copy that to /usr/local/etc/monitrc and modify it to suit your purposes. I commented out the unnecessary stuff (to me), like the web server for monitoring monit and whatever else. I then added stuff to monitor lighttpd, which was my main motivator for installing the package. If you google monit lighttpd there are examples that are super simple to set up.

      Mine looks a bit like this:

      set daemon 60
      # with start delay 60 # While testing I initially had to set this otherwise for some reason it didn't seem to start lighttpd.
      # Working now with no delay though.
      set logfile /var/log/monit.log # Standalone log file instead of syslog.
      set idfile /var/.monit.id # This seems to be the default anyway
      set statefile /var/.monit.state # --""--
      ...
      check process lighttpd with pidfile /var/run/lighty-proxy-wpad.pid
          start program = "/usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad.conf start"
          stop program = "/usr/local/sbin/lighttpd -f /usr/local/www/wpad/lighty-proxy-wpad.conf stop"
          if failed host my_pfSense_private_ip_address port 80
              protocol http then restart
          if 5 restarts within 5 cycles then timeout

      So basically just the first google result modified to my box. My lighty conf writes to that pidfile and serves to my private ip address.

      I use this to keep lighttpd running to serve wpad.dat over http, while pfSense webgui runs on https via the regular instance of lighttpd. I guess I could put another entry in to keep the https webgui running too but it's no big deal.

      I've been having issues with a few other services stopping randomly as I get to know pfSense so I might think about adding them to my monitrc too, not sure.

      Works well.

        Legion

        Since installing this package, I did allow the monit web server. It's actually pretty cool and I could see it being useful. You can start and stop services from the web page and get information on which services are running and their status. I also slightly modified my lighttpd entry to make it work better but I don't recall offhand exactly what I did. Can dig it up if anyone's interested.

          Cino

          I've been using monit for a few years now to restart services that have failed. Works great!

            rajbps

            Is there any way to get it as a package on pfsense?

            Also does anyone know how to set it so that it can restart open vpn site to site link pls?

              Legion

              I get the feeling that it's not worth installing as a package since so much of the config is going to be custom for each monitored process. The general overall options are fairly sparse (at least the ones I've used) so it's not worth creating a gui interface for them. The documentation is pretty good from monit's website, so you don't need to wrap things up in a simpler interface - it's already simple enough. You'd have to have just a big edit box for each process and let the user enter in there what they'd otherwise enter in the config file. Just seems like duplicating what's already there.

              As to your OpenVPN question, something like this:

              http://nongnu.13855.n7.nabble.com/openvpn-config-td4614.html

                rajbps

                This package is a 32 bit one (If I am right)

                • pkg_add -r http://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/All/monit-5.3.2.tbz

                Should I install the 64 bit on the pfsense as it's a 64 bit distro or this one will do?

                Cheers,

                Raj

                  rajbps

                  A gui would be much better as the configs could be added from there and the server config also as email server and email from and to.

                  I am trying to see if anyone is willing to make that happen for £100.00 as I do not have much money. I do understand that it's not very much but that's all I can afford. Maybe others will want to contribute and we could have this as a package for everyone to use.

                  Also the config link for openvpn that you pointed me to is for debian and it's not the same for freebsd. Still struggling :-(

                  Cheers,

                  Raj

                    Legion

                    Well, you have to extrapolate for your installation. On my machine:

                    So, from that link I gave you I'd have something like:

                    
                    check process openvpn with pidfile /var/run/openvpn_server1.pid 
                            start program = "/usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf start" 
                            stop  program = "/usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf stop" 
                            if failed host x.x.x.x port xxxx type udp then restart 
                    
                    

                    And I'd probably have to find where openvpn is started by pfsense and disable it there and let monit take over starting/stopping instead.

                    I still can't see how a package would be useful since each entry in the config file is unique and a package gui interface can't handle all the unique cases.

                      rajbps

                      Hiya,

                      Sorry for the very late reply.

                      A gui that could simplify the config would be a good thing and an email notification to let the administrator know that a service was restarted.

                      I do understand that it's not the same for everyone as it depends on what you have on your box but maybe allowing to add config from the gui itself might resolve that.

                      On another note could you advise how you've been able to sort this bit out pls?

                      "- I use the Filer package, suggested in another thread by marcelloc, to modify an /etc/rc.conf.local to include the line monit_enable="YES". This is an environment variable that monit requires to fire up. /usr/local/etc/rc.d/monit has a few details about that."

                      Again thanks for all the help.

                      Cheers,

                      Raj

                        Legion

                        Like this:

                        Or you could probably edit /usr/local/etc/rc.d/monit directly to set monit_enable="YES", but I'm not very good at shell scripting, never was, so I can only read enough to get the gist of what a script does, not write my own.

                          Legion

                          Filer is one of the standard pfSense packages and once you install it it lives under the Diagnostics -> Filer menu.

                            rajbps

                            Thanks again for the reply :-)

                            Now in the config, you just modify the line:

                            ## Monit has an embedded web server which can be used to view status of
                            ## services monitored and manage services from a web interface. See the
                            ## Monit Wiki if you want to enable SSL for the web server.
                            set httpd port 2812 and
                                use address localhost  # only accept connection from localhost
                                allow X.X.X.X          # allow localhost to connect to the server and
                                allow admin:monit      # require user 'admin' with password 'monit'
                                allow @monit           # allow users of group 'monit' to connect (rw)
                                allow @users readonly  # allow users of group 'users' to connect readonly

                            Where the X.X.X.X would be the ip of the pfsense box, is that correct?

                            Cheers,

                            Raj

                              rajbps

                              Sorry, sorted it out, you just modify one line:

                              set httpd port 2812 and
                                  use address localhost  # only accept connection from localhost
                                  allow X.X.X.X      # allow localhost to connect to the server and
                                  allow admin:monit      # require user 'admin' with password 'monit'
                                  allow @monit          # allow users of group 'monit' to connect (rw)
                                  allow @users readonly  # allow users of group 'users' to connect readonly

                              where X.X.X.X is the machine from which you are trying to connect.

                              Do you have a 32 bit or 64 bit pfsense? The package is in both flavours and I am running 64 bit pfsense.

                              Cheers,

                              Raj

                                Legion

                                Mine is slightly different. I allow localhost and some of my private subnets. No users, no passwords. There is plenty of information if you search the internet of different configurations.

                                I am running 32-bit

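The `set httpd` stanzas in the two posts above control who can reach a page that starts and stops services, so the settings are worth checking mechanically. The following Python audit is an added example, not code from any poster or from the monit project. The finding codes, the 192.0.2.10 address standing in for X.X.X.X, and treating the keyword `ssl` anywhere in the stanza as "TLS configured" are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input modelled on the posted stanza; 192.0.2.10 stands in for X.X.X.X.
POSTED = """\
set httpd port 2812 and
    use address localhost  # only accept connection from localhost
    allow 192.0.2.10
    allow admin:monit      # require user 'admin' with password 'monit'
check process lighttpd with pidfile /var/run/lighty-proxy-wpad.pid
"""

def httpd_stanza(text):
    """Join the comment-stripped lines of the 'set httpd' statement."""
    kept, inside = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive: ignores '#' inside quotes
        if re.match(r"set\s+httpd\b", line, re.I):
            inside = True
        elif inside and re.match(r"(set|check|include)\b", line, re.I):
            break                            # next top-level statement
        if inside:
            kept.append(line)
    return " ".join(kept)

def classify(entry):
    """Return (kind, is_loopback) for a bind address or an 'allow' argument."""
    try:
        return "host", ipaddress.ip_network(entry, strict=False).is_loopback
    except ValueError:                       # not an IP or network literal
        kind = "group" if entry[:1] == "@" else "cred" if ":" in entry else "host"
        return kind, entry.lower() == "localhost"

def audit(text):
    """Return sorted finding codes for the monit web interface settings."""
    stanza = httpd_stanza(text)
    if not stanza:
        return []                            # web interface not enabled
    bind = re.search(r"\buse\s+address\s+(\S+)", stanza, re.I)
    local_only = bool(bind) and classify(bind.group(1)) == ("host", True)
    entries = re.findall(r"\ballow\s+(\S+)", stanza, re.I)
    kinds = [classify(e) for e in entries]
    found = set()
    if "admin:monit" in entries:
        found.add("DEFAULT_CREDENTIALS")     # the user/password shown in the sample
    if not any(kind in ("cred", "group") for kind, _ in kinds):
        found.add("NO_AUTHENTICATION")       # host allow-list is the only gate
    if local_only and any(k == "host" and not lo for k, lo in kinds):
        found.add("UNREACHABLE_ALLOW")       # remote host allowed, loopback bind
    if not local_only and not re.search(r"\bssl\b", stanza, re.I):
        found.add("CLEARTEXT_HTTP")          # control traffic sent unencrypted
    return sorted(found)

if __name__ == "__main__":
    print(audit(POSTED))
```

On the constructed input it reports the sample password still in place and an allowed remote host that cannot connect because the listener is bound to loopback only.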
                                  rajbps

                                  Ok,

                                  I managed to get monit working well on pfsense, fingers crossed.

                                  Now if I reboot pfsense, I need to start monit via shell to be able to access the gui.

                                  Is there a way to get monit started without any input from me pls?

                                  I made a wee install doc with a lot of help from this forum and google that I am posting here.

                                  The work in there is not mine, I just gathered it in that doc

                                  Hope it can help someone also and thanks to everyone for the help.

                                  Cheers,

                                  raj

                                  [monit pfsense install for forum.txt](/public/imported_attachments/1/monit pfsense install for forum.txt)

                                    rajbps

                                    Sorry forgot to ask another question,

                                    When I do a backup of the firewall via the diag => Backup and restore, will it also back up this custom install of monit and the config of it?

                                    Cheers,

                                    Raj

                                      Legion

                                      @rajbps:

                                      Is there a way to get monit started without any input from me pls?

                                      Read my first post again. I use etc/rc.d, but there are other methods.

                                        rajbps

                                        Hi Legion,

                                        I did that as per your post
                                        "/usr/local/etc/rc.d/monit
                                        There duplicate the monit and rename it to monit.sh
                                        So you will have the following in that directory:
                                        /usr/local/etc/rc.d/monit
                                        /usr/local/etc/rc.d/monit.sh

                                        Now we need to modify /etc/rc.conf.local to include the line monit_enable="YES"
                                        So install the filer package from the normal package manager.

                                        Then go to Diagnostics -> Filer menu
                                        There you can modify /etc/rc.conf.local

                                        Now we need to modify :
                                        /usr/local/etc/monitrc.sample
                                        So that we have :
                                        /usr/local/etc/monitrc

                                        So just duplicate it so that folder will have both
                                        /usr/local/etc/monitrc.sample
                                        /usr/local/etc/monitrc"

                                        Now when I reboot pfsense, monit does not start by itself.

                                        :-(

                                          rajbps

                                          Ok, rebooted pfsense and on the bootup console, I can see:
                                          Starting /usr/local/etc/rc.d/monit.sh…done

                                          But when I try to connect nothing.

                                          If I log on the console and run the following command:

                                          monit

                                          This returns the following :

                                          Starting monit daemon with http interface at [x.x.x.x:yyyy]

                                          x is the ip
                                          y is the port

                                          So the startup script runs but without typing "monit" on the pfsense shell, it does not start the server.

                                          Any ideas why?

                                          My config file is attached here.

                                          Cheers for any ideas/help.

                                          Raj

                                          [monit pfsense install for forum.txt](/public/imported_attachments/1/monit pfsense install for forum.txt)

                                            rajbps

                                            Hi Legion,

                                            Can you show me a copy of your monit.sh file pls?

                                            I am thinking that the issue might be in there.

                                            Or do you have any other ideas?

                                            Cheers,

                                            Raj
