OPNsense Forum

Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

Hey !

Well it does DNS and DHCP (look at the attachment).

For other services, you can develop small scripts and use them in Zabbix to monitor your services.
You already saw my other thread but I'll link it for other people : https://forum.opnsense.org/index.php?topic=33481.msg182023#msg182023 (https://forum.opnsense.org/index.php?topic=33481.msg182023#msg182023).

I will work a bit on improving the supervision and if I'm successful I'll drop a tutorial since it seems to be inexistent...

Quote from: gcorre on December 05, 2023, 06:14:31 PM
Hey !

Well it does DNS and DHCP (look at the attachment).

For other services, you can develop small scripts and use them in Zabbix to monitor your services.
You already saw my other thread but I'll link it for other people : https://forum.opnsense.org/index.php?topic=33481.msg182023#msg182023 (https://forum.opnsense.org/index.php?topic=33481.msg182023#msg182023).

I will work a bit on improving the supervision and if I'm successful I'll drop a tutorial since it seems to be inexistent...

Agreed your implementation works somewhat but I really wish we could use the plugin for OPNsense and get it all centralized. It seems nuts to have to support two different SNMP implementations.

Quote from: spetrillo on November 25, 2023, 02:50:13 AM
Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for freeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM

Quote from: spetrillo on November 25, 2023, 02:50:13 AM
Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for freeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

The standard Zabbix template for FreeBSD treats OPNsense as a server and reports on things like CPU usage, memory usage, and storage usage. It does not treat OPNsense from an application platform perspective, so there is nothing around DNS services, DHCP services, IDS/IPS services, and other services that can be run on OPNsense. The SNMP template that I found: https://www.zabbix.com/integrations/opnsense#opnsense_snmp, has some of this support but its not done in a standard way. It does not utilize the SNMP daemon plug-in that OPNsense supports, but uses the older SNMPD process.

I would love to see OPNsense treated as an application platform. I am looking into writing my own template but that will be a longer term prospect. If I missed a template that does this please let me know.

Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM
OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI [...]

os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.

Quote from: spetrillo on December 06, 2023, 02:50:01 AM

Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM

Quote from: spetrillo on November 25, 2023, 02:50:13 AM
Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for freeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

The standard Zabbix template for FreeBSD treats OPNsense as a server and reports on things like CPU usage, memory usage, and storage usage. It does not treat OPNsense from an application platform perspective, so there is nothing around DNS services, DHCP services, IDS/IPS services, and other services that can be run on OPNsense. The SNMP template that I found: https://www.zabbix.com/integrations/opnsense#opnsense_snmp, has some of this support but its not done in a standard way. It does not utilize the SNMP daemon plug-in that OPNsense supports, but uses the older SNMPD process.

I would love to see OPNsense treated as an application platform. I am looking into writing my own template but that will be a longer term prospect. If I missed a template that does this please let me know.

There is a template for OpnSense.

https://www.zabbix.com/integrations/opnsense

Quote from: Patrick M. Hausen on December 06, 2023, 09:23:11 AM

Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM
OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI [...]

os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.

Thanks, I was looking under the packages.

Quote from: cliffwilliams44 on December 06, 2023, 03:44:17 PM
Thanks, I was looking under the packages.

That's just diagnostic information showing the currently installed packages.

But more importantly: why does the "official" integration use SNMP instead of zabbix-agent? And then an unsupported manually activated bsnmpd setup that will probably not survive system updates instead of the official OPNsense SNMP plugin?

Looks like a half hacked together job to me ...  :o

Quote from: cliffwilliams44 on December 06, 2023, 03:42:53 PM

Quote from: spetrillo on December 06, 2023, 02:50:01 AM

Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM

Quote from: spetrillo on November 25, 2023, 02:50:13 AM
Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for freeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

The standard Zabbix template for FreeBSD treats OPNsense as a server and reports on things like CPU usage, memory usage, and storage usage. It does not treat OPNsense from an application platform perspective, so there is nothing around DNS services, DHCP services, IDS/IPS services, and other services that can be run on OPNsense. The SNMP template that I found: https://www.zabbix.com/integrations/opnsense#opnsense_snmp, has some of this support but its not done in a standard way. It does not utilize the SNMP daemon plug-in that OPNsense supports, but uses the older SNMPD process.

I would love to see OPNsense treated as an application platform. I am looking into writing my own template but that will be a longer term prospect. If I missed a template that does this please let me know.

There is a template for OpnSense.

https://www.zabbix.com/integrations/opnsense

Yes that template uses SNMP but it uses the older snmpd. OPNsense provides a plugin for SNMP use, but it uses the new snmpd. As mentioned I would love to see both merged, so we would have one active plugin for SNMP access.

Quote from: Patrick M. Hausen on December 06, 2023, 04:07:38 PM

Quote from: cliffwilliams44 on December 06, 2023, 03:44:17 PM
Thanks, I was looking under the packages.

That's just diagnostic information showing the currently installed packages.

But more importantly: why does the "official" integration use SNMP instead of zabbix-agent? And then an unsupported manually activated bsnmpd setup that will probably not survive system updates instead of the official OPNsense SNMP plugin?

Looks like a half hacked together job to me ...  :o

Thats not the case. The Zabbix agent connects to the Zabbix server using the FreeBSD template. That is good and it shows all the server stats I like. My comment is about all the other services that this FreeBSD template does not call out.

@spetrillo yes, and the OPNsense template forces an unsupported SNMP service instead of communicating via zabbix agent and collecting the information this way.

Quote from: Patrick M. Hausen on December 06, 2023, 06:59:29 PM
@spetrillo yes, and the OPNsense template forces an unsupported SNMP service instead of communicating via zabbix agent and collecting the information this way.

Are you able to collect stats about the other services on OPNsense via the standard Zabbix agent? I have only seen typical server stats.

Can't the agent call arbitrary external commands and return the results?

I believe that is considered an active check, which is where I was going to look at. I am also considering writing an OPNsense template, that would show the application components running on an OPNsense firewall.

Quote from: spetrillo on December 06, 2023, 07:45:29 PM
I believe that is considered an active check, which is where I was going to look at. I am also considering writing an OPNsense template, that would show the application components running on an OPNsense firewall.

Yes, you can do that. Anything you can script you can use as an active check, just send the results of the script the stdout.

A word of warning, you have to be careful with scripted active checks. The old saying in Quantum Physics "To monitor a quantum phenomenon is to change it" also holds true with monitoring a computer system. You can seriously impact performance if your active check is called to often.

A few version back in Zabbix the SQL template used active checks and if you just accepted the default 1 minute item interval it would bring your SQL server to its knees! That was a hard lesson learned!

Quote from: Patrick M. Hausen on December 06, 2023, 09:23:11 AM

Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM
OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI [...]

os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.

I currently have os-zabbix64-agent installed. If I were to replace that with os-zabbix-agent , will I then automagically get an updated version when 'os-zabbix7-agent' is released?

In other words: which version of zabbix-agent does os-zabbix-agent represent?

Quote from: Evert on June 11, 2024, 09:56:39 AM

Quote from: Patrick M. Hausen on December 06, 2023, 09:23:11 AM

Quote from: cliffwilliams44 on December 06, 2023, 01:54:32 AM
OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI [...]

os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.

I currently have os-zabbix64-agent installed. If I were to replace that with os-zabbix-agent , will I then automagically get an updated version when 'os-zabbix7-agent' is released?

I dont think so but I could be wrong. v7 agents and proxies for OPNsense are being developed and I would expect them to be available with the next OPNsense update.