reading openvpn server socket with zabbix user
-
Hi all.
I am trying to monitor active openvpn connections in a pfSense system from zabbix. To do that I have to read the openvpn server socket with netcat as explained in other thread in this forum.
I created a bash script with the commands to get that list. I am able to execute that script from a local shell session successfully. I also can get the connections list using zabbix_get from that same local shell thus confirming that the zabbix local agent is correctly configured.
But when I try to get that same data from the remote zabbix server (issuing the same zabbix_get command in the remote system) I get no data at all. An empty string. The command I am trying to execute is
echo 'status 1' | nc -Uw 1 /var/etc/openvpn/server1.sock
Fiddling with the script to check what is going wrong and if what I have is a comms problem or not, I only put the echo part I got the echo reply. Then If I put 'nc -h' I get the help reply from the nc command so everything seems to be working excluding the reading of the socket.
The full command works fine when executed from the shell (as admin user, root privileges) as told before but does not work if executed as zabbix user that is the one the agent runs under.
How can I do to make this work if possible?. Thanks in advance.
-
Sounds like a permissions problem then if the Zabbix user can't execute it. Can you use the sudo package to grant it that permission?
-
Thanks for your reply.
Yes I tried. I made a test.sh file with this inside:
su -m root -c echo 'status 1' | nc -Uw 1 /var/etc/openvpn/server1.sock
Reply
[root@zabbix ~]# zabbix_get -s xxx.xxx.xxx.xxx -k ovpnserver.test
su: Sorry -
You can't run su like that but you shouldnlt have to if you've given the user permissions to run nc and echo as root.
Seems like it's either not got permission to access that socket, but no permission errors are shown, or it's just not seeing the result. That seems more likely.
Hmm
-
Hi Stephen. Thanks for your reply and interest.
How can I give the zabbix user rights to run nc? Anyway it looks like it already has permissions for that as I am able to get the nc help screen from the zabbix server. What I am not able to is to read the openvpn server socket. It also has permission to echo data as I am able to get the echo output from there too.
Is there any way to give the zabbix user limited permissions to the openvpn server socket? making zabbix root equivalent is not a good idea for a firewall so we should avoid this approach.