Server monitoring with Munin and Monit on CentOS 7 - Page 2
5 Install and Configure Monit
Next we will install Monit:
yum install monit
Then we create the system startup links for monit:
systemctl enable monit
systemctl start monit
Monit's default configuration file is /etc/monitrc where you can find some configuration examples (you can find more configuration examples on http://mmonit.com/wiki/Monit/ConfigurationExamples) that are all commented out, but it tells monit to also look in the directory /etc/monit.d for configuration files.
In this case I want to monitor:
- proftpd
- sshd
- mysql
- apache
- postfix
Furthermore, I will configure these settings for Monit:
- Enable the Monit web interface on port 2812.
- Use HTTPS for the web interface instead of HTTP.
- Configure a password protected Login for the web interface.
- Monit shall send email alerts to root@localhost
First I will configure the authentification settings. Open the file /etc/monit.d/monitrc
nano /etc/monit.d/monitrc
And scroll down until you find this section:
set httpd port 2812 and
use address localhost # only accept connection from localhost
allow localhost # allow localhost to connect to the server and
allow admin:monit # require user 'admin' with password 'monit'
allow @monit # allow users of group 'monit' to connect (rw)
allow @users readonly # allow users of group 'users' to connect readonly
Replace it with the following settings:
set httpd port 2812 and
use address 0.0.0.0
SSL ENABLE
PEMFILE /var/certs/monit.pem
allow admin:test
The word "test" is the password, please replace that with a secure password and you might also want to change the username "admin" to a name that can not be guessed easily.
Now we add the configuration for the monitored services. Instead of modifying /etc/monitrc, we create a new configuration file /etc/monit.d/monitrc.
My file looks like this:
nano /etc/monit.d/monitrc
set logfile syslog facility log_daemon
# Send emails trough this mailserver
set mailserver localhost
# Set the From address of the alert emails
set mail-format { from: [email protected] }
# Send alerts to this address
set alert root@localhost
# Monitor the Proftpd service check process proftpd with pidfile /var/run/proftpd/proftpd.pid start program = "/usr/bin/systemctl start proftpd" stop program = "/usr/bin/systemctl stop proftpd" if failed port 21 protocol ftp then restart if 5 restarts within 5 cycles then timeout
# Monitor the SSH service check process sshd with pidfile /var/run/sshd.pid start program "/usr/bin/systemctl start sshd" stop program "/usr/bin/systemctl stop sshd" if failed port 22 protocol ssh then restart if 5 restarts within 5 cycles then timeout
# Monitor MySQL check process mysql with pidfile /var/run/mysqld/mysqld.pid group database start program = "/usr/bin/systemctl start mysqld" stop program = "/usr/bin/systemctl stop mysqld" if failed host 127.0.0.1 port 3306 then restart if 5 restarts within 5 cycles then timeout
# Monitor the apache webserver check process apache with pidfile /var/run/httpd/httpd.pid group www start program = "/usr/bin/systemctl start httpd" stop program = "/usr/bin/systemctl stop httpd" if failed host localhost port 80 protocol http and request "/monit_token" then restart if cpu is greater than 60% for 2 cycles then alert if cpu > 80% for 5 cycles then restart if totalmem > 500 MB for 5 cycles then restart if children > 250 then restart if loadavg(5min) greater than 10 for 8 cycles then stop if 3 restarts within 5 cycles then timeout
# Monitor postfix mailserver check process postfix with pidfile /var/spool/postfix/pid/master.pid group mail start program = "/usr/bin/systemctl start postfix" stop program = "/usr/bin/systemctl stop postfix" if failed port 25 protocol smtp then restart if 5 restarts within 5 cycles then timeout
(Please make sure that you check processes only that really exist on your server - otherwise monit won't start. I.e., if you tell monit to check Postfix, but Postfix isn't installed on the system, monit won't start.)
The configuration file is pretty self-explaining; if you are unsure about an option, take a look at the monit documentation: http://mmonit.com/monit/documentation/monit.html
In the apache part of the Monit configuration you find this:
if failed host localhost port 80 protocol http and request "/monit_token" then restart
which means that monit tries to connect to localhost on port 80 and tries to access the file /monit_token which is /var/www/html/monit_token because our web site's document root is /var/www/html. If Monit doesn't succeed it means Apache isn't running, and Monit is going to restart it. Now we must create the file /var/www/html/monit_token and write some random string into it:
touch /var/www/html/monit_token
Next we create the pem cert (/var/certs/monit.pem) we need for the SSL-encrypted Monit web interface:
mkdir /var/certs
cd /var/certs
We need an OpenSSL configuration file to create our certificate. It can look like this:
nano /var/certs/monit.cnf
# create RSA certs - Server RANDFILE = ./openssl.rnd [ req ] default_bits = 1024 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type [ req_dn ] countryName = Country Name (2 letter code) countryName_default = MO stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Monitoria localityName = Locality Name (eg, city) localityName_default = Monittown organizationName = Organization Name (eg, company) organizationName_default = Monit Inc. organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Dept. of Monitoring Technologies commonName = Common Name (FQDN of your server) commonName_default = server.monit.mo emailAddress = Email Address emailAddress_default = [email protected] [ cert_type ] nsCertType = server
Now we create the certificate like this:
openssl req -new -x509 -days 365 -nodes -config ./monit.cnf -out /var/certs/monit.pem -keyout /var/certs/monit.pem
openssl gendh 512 >> /var/certs/monit.pem
openssl x509 -subject -dates -fingerprint -noout -in /var/certs/monit.pem
chmod 700 /var/certs/monit.pem
Finally, we can start monit:
systemctl restart monit
Now point your browser to https://www.example.com:2812/ (make sure port 2812 isn't blocked by your firewall), log in with admin and test, and you should see the Monit web interface. It should look like this:
(Main Screen)
(Apache Status Page)
Depending on your configuration in /etc/monit.d/monitrc Monit will restart your services if they fail and send notification emails if process IDs of services change, etc.
6 Links
- munin: http://munin.projects.linpro.no
- monit: http://mmonit.com/monit
- CentOS: http://www.centos.org