Server monitoring with Munin and Monit on CentOS 7.2 - Page 2

This tutorial exists for these OS versions

On this page

  1. 5 Install and Configure Monit
  2. 6 Links

5 Install and Configure Monit

Next, we will install Monit:

yum -y install monit

Then we create the system startup links for Monit:

systemctl enable monit
systemctl start monit

Monit's default configuration file is /etc/monitrc where you can find some configuration examples (you can find more configuration examples on http://mmonit.com/wiki/Monit/ConfigurationExamples) that are all commented out, but it tells Monit to also look in the directory /etc/monit.d for configuration files.

In this case, I will monitor:

  • proftpd
  • sshd
  • MariaDB
  • apache
  • postfix

Furthermore, I will configure these settings for Monit:

First, I will configure the authentification settings. Open the file /etc/monitrc 

nano /etc/monitrc

And scroll down until you find this section:

set httpd port 2812 and
use address localhost # only accept connection from localhost
allow localhost # allow localhost to connect to the server and
allow admin:monit # require user 'admin' with password 'monit'
allow @monit # allow users of group 'monit' to connect (rw)
allow @users readonly # allow users of group 'users' to connect readonly

Replace it with the following settings:

set httpd port 2812 and
use address 0.0.0.0
SSL ENABLE
PEMFILE /var/certs/monit.pem
allow admin:test

The word "test" is the password, please replace that with a secure password and you might also want to change the username "admin" to a name that can not be guessed easily.

Now we add the configuration for the monitored services. Instead of modifying /etc/monitrc, we create a new configuration file /etc/monit.d/monitrc.

My file looks like this:

nano /etc/monit.d/monitrc

set logfile syslog facility log_daemon

# Send emails trough this mailserver
set mailserver localhost
# Set the From address of the alert emails
set mail-format { from: [email protected] }
# Send alerts to this address
set alert [email protected]
# Monitor the Proftpd service check process proftpd with pidfile /var/run/proftpd/proftpd.pid start program = "/usr/bin/systemctl start proftpd" stop program = "/usr/bin/systemctl stop proftpd" if failed port 21 protocol ftp then restart if 5 restarts within 5 cycles then timeout
# Monitor the SSH service check process sshd with pidfile /var/run/sshd.pid start program "/usr/bin/systemctl start sshd" stop program "/usr/bin/systemctl stop sshd" if failed port 22 protocol ssh then restart if 5 restarts within 5 cycles then timeout
# Monitor MariaDB check process mysql with pidfile /var/run/mariadb/mariadb.pid group database start program = "/usr/bin/systemctl start mariadb" stop program = "/usr/bin/systemctl stop mariadb" if failed host 127.0.0.1 port 3306 then restart if 5 restarts within 5 cycles then timeout
# Monitor the apache webserver check process apache with pidfile /var/run/httpd/httpd.pid group www start program = "/usr/bin/systemctl start httpd" stop program = "/usr/bin/systemctl stop httpd" if failed host localhost port 80 protocol http and request "/monit_token" then restart if cpu is greater than 60% for 2 cycles then alert if cpu > 80% for 5 cycles then restart if totalmem > 500 MB for 5 cycles then restart if children > 250 then restart if loadavg(5min) greater than 10 for 8 cycles then stop if 3 restarts within 5 cycles then timeout
# Monitor postfix mailserver check process postfix with pidfile /var/spool/postfix/pid/master.pid group mail start program = "/usr/bin/systemctl start postfix" stop program = "/usr/bin/systemctl stop postfix" if failed port 25 protocol smtp then restart if 5 restarts within 5 cycles then timeout

(Please make sure that you check processes only that really exist on your server - otherwise monit won't start. I.e., if you tell monit to check Postfix, but Postfix isn't installed on the system, monit won't start.)

The configuration file is pretty self-explaining; if you are unsure about an option, take a look at the Monit documentation: http://mmonit.com/monit/documentation/monit.html

In the apache part of the Monit configuration you find this:

   if failed host localhost port 80 protocol http
      and request "/monit_token" then restart

which means that Monit tries to connect to localhost on port 80 and tries to access the file /monit_token which is /var/www/html/monit_token because our web site's document root is /var/www/html. If Monit doesn't succeed it means Apache isn't running, and Monit is going to restart it. Now we must create the file /var/www/html/monit_token and write some random string into it:

touch /var/www/html/monit_token

Next, we create the SSL (pem) certificate (/var/certs/monit.pem) we need for the SSL-encrypted Monit web interface:

mkdir /var/certs
cd /var/certs

We need an OpenSSL configuration file to create our certificate. It can look like this:

nano /var/certs/monit.cnf

# create RSA certs - Server

RANDFILE = ./openssl.rnd

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = MO

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Monitoria

localityName                    = Locality Name (eg, city)
localityName_default            = Monittown

organizationName                = Organization Name (eg, company)
organizationName_default        = Monit Inc.

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Dept. of Monitoring Technologies

commonName                      = Common Name (FQDN of your server)
commonName_default              = server.monit.mo

emailAddress                    = Email Address
emailAddress_default            = [email protected]

[ cert_type ]
nsCertType = server

Now we create the certificate like this:

openssl req -new -x509 -days 365 -nodes -config ./monit.cnf -out /var/certs/monit.pem -keyout /var/certs/monit.pemopenssl

openssl gendh 512 >> /var/certs/monit.pem

openssl x509 -subject -dates -fingerprint -noout -in /var/certs/monit.pem

chmod 700 /var/certs/monit.pem

Finally, we can start Monit:

systemctl restart monit

Now point your browser to https://www.example.com:2812/ (make sure port 2812 isn't blocked by your firewall), log in with admin and test, and you should see the Monit web interface. It should look like this:

The Monit dashboard.

(Main Screen)

The Monit apache status page.

(Apache Status Page)

Depending on your configuration in /etc/monit.d/monitrc Monit will restart your services if they fail and send notification emails if process IDs of services change, etc.

 

Share this page:

0 Comment(s)

Add comment

Comments

From: Till Brehm at: Jul 05, 2016