Monitoring

NRPE

It is possible to monitor Baruwa Enterprise Edition systems using the NRPE protocol from Nagios. To enable monitoring check the Enable Monitoring checkbox on the System Settings screen of the baruwa-setup utility.

Monitoring points

Depending on the system profile, the following points are available via NRPE.

  • Disk space
  • Uwsgi process
  • Database process
  • Database proxy process
  • Indexer process
  • Cache process
  • Message Queue process
  • Baruwa celery process
  • Baruwa Logging process
  • Mail Scanning process
  • Anti Virus Engine process
  • Mail queue status
  • System Load
  • Security Updates
  • Database cluster status
  • Message queue cluster status
  • TLS/SSL certificate expiry
Name Description Profiles Cluster only
yumupdates Security updates all No
check_diskn Disk partition space check all No
uwsgi Uwsgi service status standalone, web, web and mail No
pgsql Postgresql service status standalone, backend, database No
fabio Fabio service status database, backend, mail, web, web and mail No
patroni Patroni service status database, backend Yes
patroni_lag Patroni member lag database, backend Yes
pgbouncer Pgbouncer service status standalone, database, backend No
sphinx Searchd service status standalone, search index, backend No
memcached Memcached service status standalone, cache, backend No
rabbitmq Rabbitmq service status standalone, message queue, backend No
check_rabbitmq_cluster Rabbitmq cluster status message queue, backend Yes
baruwa Baruwa service status standalone, mail, web and mail No
bsql Baruwa logger process status standalone, mail, web and mail No
mailscanner MailScanner service status standalone, mail, web and mail No
clamd ClamAV service status standalone, mail, web and mail No
exim_queue MTA inbound queue status standalone, mail, web and mail No
exim_scan_queue MTA inbound queue status standalone, mail, web and mail No
exim_outbound_queue MTA outbound queue status standalone, mail, web and mail No
stunnel Stunnel service status backend, cache, search index, mail, web, web and mail No
consul Consul service status backend, database, mail, web, web and mail No
cacert CA certificate expiry all No
databasecacert Database CA cert expiry check configuration [1] No
stunnelcacert Stunnel CA cert expiry check configuration [1] No
frontendcacert Frontend CA cert expiry check configuration [1] No
certbotcacert Certbot CA cert expiry all No
mailcert Mail TLS cert expiry check configuration [1] No
webcert Web TLS cert expiry check configuration [1] No
databasecert Database TLS cert expiry check configuration [1] No
databaseclientcert Database client cert expiry check configuration [1] No

Adding your own monitoring points

You can add your own NRPE monitoring points by placing a .cfg file in /etc/nrpe.d then reload the nrpe service to activate the monitoring points.

Monitoring services

You can monitor the services by connecting to the actual port, most monitoring systems are able to do this.

Firewall

The firewall port 5666 inbound is open to all, you need to restrict this by allowing access only from your monitoring IP addresses.

SNMP

With BaruwaOS >= 6.7.4 it is possible to monitor Baruwa Enterprise Edition systems using the SNMP protocol. To enable SNMP monitoring check the Enable SNMP Agent checkbox on the Management Other Settings screen of the baruwa-setup utility.

Authentication

BaruwaOS only exposes an SNMPv3 interface. The username is baruwa, the password is autogenerated when the system is setup.

To obtain the password run the following command, (you need to provide the passphrase):

baruwa-setup -e snmp_password

Monitoring points

The monitoring points available are the same as the ones exposed via NRPE. The OIDs to walk are UCD-SNMP-MIB::dskTable, UCD-SNMP-MIB::prTable and UCD-SNMP-MIB::extTable

The snmpwalk cmd can be used to walk and discover the OIDs as follows

“UCD-SNMP-MIB::dskTable”:

snmpwalk -v3 -u baruwa -A _password_ -a SHA -X _password_ -x AES -l authPriv -On _servername_ UCD-SNMP-MIB::dskTable

“UCD-SNMP-MIB::prTable”:

snmpwalk -v3 -u baruwa -A _password_ -a SHA -X _password_ -x AES -l authPriv -On _servername_ UCD-SNMP-MIB::prTable

“UCD-SNMP-MIB::extTable”:

snmpwalk -v3 -u baruwa -A _password_ -a SHA -X _password_ -x AES -l authPriv -On _servername_ UCD-SNMP-MIB::extTable

The following table shows the common OID mappings, these may vary on your system depending on configuration so use snmpwalk to confirm.

OID Description Profiles Cluster only
.1.3.6.1.4.1.2021.8.1.102.5 Security updates all No
.1.3.6.1.4.1.2021.9.1.100.1 Disk partition space check all No
.1.3.6.1.4.1.2021.2.1.100.4 Uwsgi service status standalone, web, web and mail No
.1.3.6.1.4.1.2021.2.1.100.2 Postgresql service status standalone, backend, database No
.1.3.6.1.4.1.2021.2.1.100.3 Nginx service status standalone, web, web and mail No
.1.3.6.1.4.1.2021.2.1.100.3 Fabio service status database, backend, mail, web, web and mail No
.1.3.6.1.4.1.2021.8.1.102.1 Patroni service status database, backend Yes
.1.3.6.1.4.1.2021.8.1.102.2 Patroni member lag database, backend Yes
.1.3.6.1.4.1.2021.2.1.100.1 Pgbouncer service status standalone, database, backend No
.1.3.6.1.4.1.2021.2.1.100.5 Searchd service status standalone, search index, backend No
  Memcached service status standalone, cache, backend No
.1.3.6.1.4.1.2021.2.1.100.6 Rabbitmq service status standalone, message queue, backend No
  Rabbitmq cluster status message queue, backend Yes
.1.3.6.1.4.1.2021.8.1.102.4 Baruwa service status standalone, mail, web and mail No
  Baruwa logger process status standalone, mail, web and mail No
.1.3.6.1.4.1.2021.2.1.100.7 MTA process status all  
.1.3.6.1.4.1.2021.2.1.100.9 MailScanner service status standalone, mail, web and mail No
.1.3.6.1.4.1.2021.2.1.100.8 ClamAV service status standalone, mail, web and mail No
.1.3.6.1.4.1.2021.8.1.102.1 MTA inbound queue status standalone, mail, web and mail No
.1.3.6.1.4.1.2021.8.1.102.2 MTA inbound queue status standalone, mail, web and mail No
.1.3.6.1.4.1.2021.8.1.102.3 MTA outbound queue status standalone, mail, web and mail No
.1.3.6.1.4.1.2021.2.1.100.6 Stunnel service status backend, cache, search index, mail, web, web and mail No
.1.3.6.1.4.1.2021.2.1.100.7 Consul service status backend, database, mail, web, web and mail No
  CA certificate expiry all No
  Database CA cert expiry check configuration [2] No
  Stunnel CA cert expiry check configuration [2] No
  Frontend CA cert expiry check configuration [2] No
  Certbot CA cert expiry all No
  Mail TLS cert expiry check configuration [2] No
  Web TLS cert expiry check configuration [2] No
  Database TLS cert expiry check configuration [2] No
  Database client cert expiry check configuration [2] No

Adding your own monitoring points

You can add your own SNMP monitoring points by placing a .conf file in /etc/snmp/conf.d then reload the snmpd service to activate the monitoring points.

Firewall

The firewall port 161 inbound is open to all, you need to restrict this by allowing access only from your monitoring IP addresses.

Footnotes

[1](1, 2, 3, 4, 5, 6, 7) The NRPE configuration file is /etc/nrpe.d/baruwa.cfg
[2](1, 2, 3, 4, 5, 6, 7) The SNMP configuration file is /etc/snmp/snmpd.conf