Monitoring Zabbix

[spetrillo]

Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

[gcorre]

Hey !

Well it does DNS and DHCP (look at the attachment).

For other services, you can develop small scripts and use them in Zabbix to monitor your services.
You already saw my other thread but I'll link it for other people : https://forum.opnsense.org/index.php?topic=33481.msg182023#msg182023.

I will work a bit on improving the supervision and if I'm successful I'll drop a tutorial since it seems to be inexistent...

[spetrillo]

Hey !

Well it does DNS and DHCP (look at the attachment).

For other services, you can develop small scripts and use them in Zabbix to monitor your services.
You already saw my other thread but I'll link it for other people : https://forum.opnsense.org/index.php?topic=33481.msg182023#msg182023.

I will work a bit on improving the supervision and if I'm successful I'll drop a tutorial since it seems to be inexistent...

Agreed your implementation works somewhat but I really wish we could use the plugin for OPNsense and get it all centralized. It seems nuts to have to support two different SNMP implementations.

[cliffwilliams44]

Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for freeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

[spetrillo]

Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for freeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

The standard Zabbix template for FreeBSD treats OPNsense as a server and reports on things like CPU usage, memory usage, and storage usage. It does not treat OPNsense from an application platform perspective, so there is nothing around DNS services, DHCP services, IDS/IPS services, and other services that can be run on OPNsense. The SNMP template that I found: https://www.zabbix.com/integrations/opnsense#opnsense_snmp, has some of this support but its not done in a standard way. It does not utilize the SNMP daemon plug-in that OPNsense supports, but uses the older SNMPD process.

I would love to see OPNsense treated as an application platform. I am looking into writing my own template but that will be a longer term prospect. If I missed a template that does this please let me know.

[Patrick M. Hausen]

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI [...]

os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.

[cliffwilliams44]

Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for freeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

The standard Zabbix template for FreeBSD treats OPNsense as a server and reports on things like CPU usage, memory usage, and storage usage. It does not treat OPNsense from an application platform perspective, so there is nothing around DNS services, DHCP services, IDS/IPS services, and other services that can be run on OPNsense. The SNMP template that I found: https://www.zabbix.com/integrations/opnsense#opnsense_snmp, has some of this support but its not done in a standard way. It does not utilize the SNMP daemon plug-in that OPNsense supports, but uses the older SNMPD process.

I would love to see OPNsense treated as an application platform. I am looking into writing my own template but that will be a longer term prospect. If I missed a template that does this please let me know.

There is a template for OpnSense.

https://www.zabbix.com/integrations/opnsense

[cliffwilliams44]

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI [...]

os-zabbix-agent, os-zabbix6-agent, and os-zabbix64-agent are all available right in System > Firmware > Plugins.

Thanks, I was looking under the packages.

[Patrick M. Hausen]

Thanks, I was looking under the packages.

That's just diagnostic information showing the currently installed packages.

But more importantly: why does the "official" integration use SNMP instead of zabbix-agent? And then an unsupported manually activated bsnmpd setup that will probably not survive system updates instead of the official OPNsense SNMP plugin?

Looks like a half hacked together job to me ...  :o

[spetrillo]

Hello all,

I would like to monitor my OPNsense firewalls from an external tool. I was trying out Zabbix but it does not seem to support services like DNS, DHCP, and other daemons. Has anyone used an external monitoring solution to handle the full monitoring of the whole firewall?

Thanks,
Steve

OPNsense is FreeBSD, there is a zabbix client for freeBSD. It's not available as a package from the GUI but I don't see why you could not configure the repo in the OS and install it.

There are also templates for freeBSD, it will give you all the OS monitoring. This should be what you are looking for mostly.

The standard Zabbix template for FreeBSD treats OPNsense as a server and reports on things like CPU usage, memory usage, and storage usage. It does not treat OPNsense from an application platform perspective, so there is nothing around DNS services, DHCP services, IDS/IPS services, and other services that can be run on OPNsense. The SNMP template that I found: https://www.zabbix.com/integrations/opnsense#opnsense_snmp, has some of this support but its not done in a standard way. It does not utilize the SNMP daemon plug-in that OPNsense supports, but uses the older SNMPD process.

I would love to see OPNsense treated as an application platform. I am looking into writing my own template but that will be a longer term prospect. If I missed a template that does this please let me know.

There is a template for OpnSense.

https://www.zabbix.com/integrations/opnsense

Yes that template uses SNMP but it uses the older snmpd. OPNsense provides a plugin for SNMP use, but it uses the new snmpd. As mentioned I would love to see both merged, so we would have one active plugin for SNMP access.

[spetrillo]

Thanks, I was looking under the packages.

That's just diagnostic information showing the currently installed packages.

But more importantly: why does the "official" integration use SNMP instead of zabbix-agent? And then an unsupported manually activated bsnmpd setup that will probably not survive system updates instead of the official OPNsense SNMP plugin?

Looks like a half hacked together job to me ...  :o

Thats not the case. The Zabbix agent connects to the Zabbix server using the FreeBSD template. That is good and it shows all the server stats I like. My comment is about all the other services that this FreeBSD template does not call out.

[Patrick M. Hausen]

@spetrillo yes, and the OPNsense template forces an unsupported SNMP service instead of communicating via zabbix agent and collecting the information this way.

[spetrillo]

@spetrillo yes, and the OPNsense template forces an unsupported SNMP service instead of communicating via zabbix agent and collecting the information this way.

Are you able to collect stats about the other services on OPNsense via the standard Zabbix agent? I have only seen typical server stats.

[Patrick M. Hausen]

Can't the agent call arbitrary external commands and return the results?

[spetrillo]

I believe that is considered an active check, which is where I was going to look at. I am also considering writing an OPNsense template, that would show the application components running on an OPNsense firewall.