Messages

1

General Discussion / Re: SNMP, router status updates available

« on: April 19, 2024, 02:54:58 pm »

Old topic, but i have a solution. Writing it down so i also have instructions myself, should i need it later

I was also looking for something like this. I monitor various statistics of my OPNsense box over SNMP with PRTG Network Monitor.
A sensor to see if OPNsense has an update available was still on my wishlist. I managed to create one. Here's how i did it:

I found this script a good base for monitoring if there is an update available. It seems like a clever way (grabbing version from release notes (being already downloaded every day at 10pm, see crontab -l) and comparing it to the running version.

I asked ChatGPT to help me create a script UpdateStatusSNMP.sh

Code: (sh) [Select]

#!/bin/sh

#
# Script inspired by https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-checkmk/blob/main/files/firmware_status.py
#

installed_version=$(/usr/local/sbin/opnsense-version -v | cut -d'_' -f1)

# Fetch the most recent version from the changelog
most_recent_version=$(tail -n 2 /usr/local/opnsense/changelog/index.json | tr -d '\n' | grep -o '"version":"[^"]*' | awk -F '"' '{print $4}' | tail -n 1)

if [ "$installed_version" != "$most_recent_version" ]; then
    update_available=true
else
    update_available=false
fi

echo "$update_available"This will return true/false depending if there is an update available or not.

Don't forget to chmod +x  UpdateStatusSNMP.sh to make it executable.

Then we add it to the SNMP values by putting the following line at the bottom of /usr/local/share/snmp/snmpd.conf

Code: [Select]

extend SystemUpdateAvailable /root/UpdateStatusSNMP.sh
Restart SNMPD with service snmpd restart
Now we have to find out which snmp OID we need to retrieve the value. We can do this with the command

Code: [Select]

snmpwalk -c public -v 2c 127.0.0.1 nsExtendOutLine
(You might have to change 127.0.0.1 to the IP's you have SNMP configured to listen on)

This will give the following output (if your system is up to date, otherwise it will be 'true'):
NET-SNMP-EXTEND-MIB::nsExtendOutLine."SystemUpdateAvailable".1 = STRING: false

Now we want to have the corresponding numerical OID so we can configure it in our SNMP software. First we need the base OID for the extended sensors, find it like this:

Code: [Select]

snmptranslate -On NET-SNMP-EXTEND-MIB::nsExtendOutLine

Result:
.1.3.6.1.4.1.8072.1.3.2.4.1.2

Then we can do an snmpwalk starting on that address, which will give us the (very long!) OID we can use:

Code: [Select]

snmpwalk -c public -v 2c -On 127.0.0.1 .1.3.6.1.4.1.8072.1.3.2.4.1.2
.1.3.6.1.4.1.8072.1.3.2.4.1.2.21.83.121.115.116.101.109.85.112.100.97.116.101.65.118.97.105.108.97.98.108.101.1 = STRING: false

I have this configured in PRTG as SNMP Custom String sensor and have it check every 24h. I have configured the sensor to go into warning state by putting 'false' in the value "Response Must Include (Warning Status If Not Included)"

Should you reboot OPNsense, the modification tosnmpd.conf will disappear and you have to put it back in. You can make it persistent by reconfiguring SNMP, see these steps.

2

23.7 Legacy Series / snmpd.conf reset back to defaults when rebooting

« on: September 12, 2023, 10:47:23 am »

I have some custom SNMP sensors configured, so i can read CPU temperature of my OPNsense appliance with PRTG. This works good, but i noticed that each time when i reboot OPNsense, the config file /usr/local/share/snmp/snmpd.conf is being reverted to default, resulting in my custom SNMP sensors not working anymore.

Is there a way i can make my settings to snmpd.conf persistent?

3

Tutorials and FAQs / Re: Script to send emails for updates

« on: August 24, 2023, 01:29:45 pm »

Unfortunately the above didn't seem to work, i wasn't notified of the most recent update. I think the POST-request and such works, but ChangeDetection.io is not playing nice with it.

I now configured changedetection to look at the URL https://forum.opnsense.org/index.php?board=11.0&action=.xml with the filter

Code: [Select]

//recent-post[1]/subject to only return the first topic in the list. This seems to work better.

Edit: The above XPath also returns the 'Re:" topics. I changed my XPath to this (thanks ChatGPT so that i only get notified about new releases ):

Code: [Select]

//recent-post[not(contains(subject, 'Re:'))]/subject

4

Tutorials and FAQs / Re: Script to send emails for updates

« on: July 26, 2023, 03:38:10 pm »

I used the ChangeDetection.io Docker container i am running to monitor if my OPNsense has updates available. Configure a watch like this:

General > URL: https://hostnameofrouter/api/core/firmware/status
Request > Request method: POST
Request > Request headers: Authorization: Basic PUTBASE64HERE
Filters & Triggers > CSS/JSONPath/JQ/XPath Filters > json:$.status

You can create the PUTBASE64HERE with some PowerShell:

Code: [Select]

$key="xxxxxxxxx"
$secret="xxxxxxxxxx"

$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("$($key):$($secret)"))
Write-Host $base64AuthInfo

As my OPNsense is currently updated, i haven't been able to check if it works completely right. But the JSON is displayed in ChangeDetection, so changes will be picked up if the 'status' field changes.

Or if you want to do it completely in PowerShell you could create a script yourself and use this as a start:

Code: [Select]

<#
  This script retrieves the update status of OPNsense, to monitor if the system needs an update.
#>


$key="xxxxxx"
$secret="xxxxxx"

$hostname = 'puthostnamehere'

<#
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

#>
$user = $key
$pass = $secret
$pair = "$($user):$($pass)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$basicAuthValue = "Basic $encodedCreds"
$Headers = @{
    Authorization = $basicAuthValue
}

$url = "https://$hostname/api/core/firmware/status"
Invoke-RestMethod -Uri $url -Method Post -Headers $Headers
You could then acces the JSON endpoints like so:

Code: [Select]

$status = $apiResponse.status
$statusMsg = $apiResponse.status_msg
$newPackages = $apiResponse.new_packages
$upgradePackages = $apiResponse.upgrade_packages
$reinstallPackages = $apiResponse.reinstall_packages
$needsReboot = $apiResponse.needs_reboot

I commented out the TrustAllCertsPolicy stuff as it wasn't needed (i use a self-signed certificate on OPNsense which is also present on my computer).