OP5 Monitor Technical Reference

Additional server and software setup

Overview

The setup tasks below include the following:

  • Recommended Server setup tasks to perform before you can use OP5 Monitor.
  • Recommended Software setup tasks you need to perform in the OP5 Monitor software before giving access to other users.

Note: For all tasks requiring access as root, the default password is monitor.

Server setup

Install your licence

These steps explain how to install the OP5 Monitor licence provided by ITRS.

  1. Copy your licence file to your OP5 Monitor server, using an FTP tool such as FileZilla, or through the terminal.
  2. Log on to your OP5 Monitor server as root, with default password monitor.
  3. Copy the licence to /etc/op5license and name it op5license.lic:

    cp <path_to_your_licence> /etc/op5license/op5license.lic
  4. Set ownership and permissions:
    chmod 640 /etc/op5license/op5license.lic
    chown apache:apache /etc/op5license/op5license.lic
  5. Verify that the licence can pass the licence days left check:
    asmonitor /opt/plugins/check_op5_license -T d -w 30 -c 15

Change the default password for root

Caution: You must keep the root password safe for future use. Losing it will compromise access to the system.

  1. Log on to the server using SSH or the console as root, with default password monitor.
  2. Type the following command:
    passwd
  3. Follow the on-screen instructions to change the password.

Change the root password for MySQL and MariaDB

Note: OP5 Monitor does not use the MySQL root user, so its password can be changed without affecting the application. While the server runs with --skip-grant-tables (step 1), any local user who can reach the MariaDB socket can connect without credentials, so complete the steps without delay.

  1. Stop the current MariaDB server instance, then start it temporarily with grant checking disabled, so that no password is required:
    $ sudo systemctl stop mariadb
    $ sudo mysqld_safe --skip-grant-tables &
  2. Connect to the MariaDB server as the MariaDB root account:
    $ mysql -u root
  3. Run the following commands to reset the root password, replacing password with a strong password of your own:
    flush privileges;
    set password for 'root'@localhost = PASSWORD("password");
    exit;
  4. Shut down the temporary server instance with mysqladmin:
    $ mysqladmin -u root shutdown
  5. Restart MariaDB:
    $ sudo systemctl start mariadb
  6. Reboot the server:
    $ sudo reboot

Set the hostname

You need to set a unique hostname to identify the host internally.

  1. Set the hostname:
    hostnamectl set-hostname <FQDN>
  2. Check the hostname:
    hostname

Install NTP and synchronise servers

To install NTP and synchronise servers:

  1. Install NTP, if it is not installed:
    yum install chrony
  2. Check your current time zone setting:
    timedatectl
             Local time: Fri 2018-09-14 10:54:38 CEST
         Universal time: Fri 2018-09-14 08:54:38 UTC(...)
  3. If you need to update your time zone:
    1. Check the list of possible time zones:
      timedatectl list-timezones
    2. Update your time zone to the required value, for example:
      timedatectl set-timezone Europe/Madrid
  4. Enable and start the service:
    systemctl enable chronyd --now
  5. Check your time synchronisation works correctly:
    timedatectl
      NTP enabled: yes
      NTP synchronized: yes

Check the time zone used by PHP

If you want to check which time zone PHP is using, run the following command:

cat /etc/php.d/00_op5_timezone.ini

Configure Postfix

Postfix is the Mail Transfer Agent (MTA) that comes with OP5 Monitor. It is used primarily to send out notification and support emails.

To make changes to the default behaviour of Postfix, edit the following parameters in file /etc/postfix/main.cf:

  • myhostname — the FQDN of your OP5 Monitor system.

If you want the MTA to use a relay host to forward all emails to a specific mail server, edit the following parameters:

  • relay_host — the hostname of your mail server; this variable is optional.
  • fallback_relay — the hostname of your fallback relay, in case your primary mail server is down; this variable is optional.
  • myorigin — the sender address; by default, this is op5monitor@hostname.localdomain.

Note: You must change relay_host if you change hostname or IP address on your email server.

For example:

 echo "myorigin = test.com" >> /etc/postfix/main.cf

Or, to run it on all nodes and then restart Postfix on all nodes:

mon node ctrl --all --self -- 'echo "myorigin = test.com" >> /etc/postfix/main.cf && systemctl restart postfix && echo "Config updated, Postfix restarted."'

This results in emails appearing to come from op5monitor@test.com instead.

Configure an SMS modem

You only need to configure an SMS modem if you want to send SMS messages and your system is equipped with a GSM or GPRS modem.

To configure your SMS modem:

  1. Edit file /etc/smsd.conf.
  2. Uncomment and edit the pin variable:
    pin=1234
    If you do not update this value, you must instead disable the PIN-code control on your SIM card.
  3. Add the event handler option, which is required for SMS acknowledgements to work:
    eventhandler = /opt/monitor/op5/smsreceive/smsreceiver/smsreceiver.php
  4. Update the baud rate, if needed. Recommended values are 38400 for TC35 and 115200 for TC65:
    baudrate=38400
  5. Test your settings:
    monitor!root:~# sendsms
    Destination: 46733123456
    Text: Testing send SMS.
  6. Show the conversation between the SMS program and the GSM modem:
    tail -f /var/log/smsd.log

Update your certificate for WebUI

The OP5 Monitor installation generates a self-signed SSL certificate for the web interface. Browsing a website that uses a self-signed SSL certificate causes an SSL error message in the web browser, which you can only bypass by accepting the certificate to access the website.

To get rid of these error messages, you need to set up a current SSL certificate for your OP5 Monitor server which has been signed by a trusted Certificate Authority (CA).

Before you begin, you need the following:

  • A CA, to sign your certificate.
  • Your OP5 Monitor server FQDN.
  • Command-line access to the OP5 Monitor server, as root.
  • A web browser to check the new certificate.

You can skip straight to Install the certificate if you already have a certificate to install.

Create a certificate signing request (CSR)

  1. Log on to the OP5 Monitor server as root, using SSH.
  2. Create a CSR based on the private key that is already installed:
    openssl req -new -key /etc/pki/tls/private/localhost.key -out ~/localhost.csr
  3. Complete the on-screen information about the name and location of your organisation, such as in the following example:
    openssl req -new -key /etc/pki/tls/private/localhost.key -out ~/localhost.csr
    Country Name (2 letter code) [GB]:SE
    State or Province Name (full name) [Berkshire]:Vastra Gotalands Lan
    Locality Name (for example, city) [Newbury]:Gothenburg
    Organization Name (for example, company) [My Company Ltd]:op5 AB
    Organizational Unit Name (for example, section) []:
    Common Name (for example, your name or your server's hostname) []:monitor.op5.com
    Email Address []:itadmin@op5.com
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    Notes:
    It is very important to set the common name to the domain name used to browse your OP5 Monitor server. For instance, if you access OP5 Monitor by browsing to https://op5.your-company.com/, then set the common name to op5.your-company.com.
    You must complete all the important information. Otherwise, the CA will reject your request.
    All details entered can be viewed by anyone who can browse the OP5 Monitor server, so be careful not to include any sensitive information.

Sign the request

  1. Download file ~/localhost.csr from your OP5 Monitor server using SFTP.
  2. Send the CSR file to your CA and follow their instructions to obtain a certificate file.

Install the certificate

  1. Once you have received the certificate file from your CA, upload it to your OP5 Monitor server using SFTP. Name the file localhost.crt and place it in root's home directory.
  2. Log on to the OP5 Monitor server as root, using SSH.
  3. Create a backup of the old certificate:
    cp -pv /etc/pki/tls/certs/localhost.crt{,.old}
  4. Install the new certificate:
    cp -pv ~/localhost.crt /etc/pki/tls/certs/localhost.crt
  5. Restart the web server:
    systemctl restart httpd
  6. Check that the SSL errors no longer appear:
    • On the client side, by accessing your OP5 Monitor user interface through a browser.
    • On the server side, by checking /var/log/httpd/ssl_error_log.
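
Before copying the file into place (step 4), a practitioner normally confirms that the certificate from the CA actually belongs to the installed private key, covers the FQDN that users browse to, and is not about to expire. The following is an added example, not code from the OP5 Monitor documentation: it performs those checks with the openssl command-line tool (assumed to be 1.1.1 or later for the SAN check), taking the certificate, key and FQDN as arguments.

```shell
#!/bin/sh
# Added example, not part of the OP5 Monitor documentation: pre-flight checks to
# run on ~/localhost.crt before it replaces /etc/pki/tls/certs/localhost.crt.
# Assumes the openssl command-line tool (1.1.1 or later for the SAN check).
# Arguments: certificate path, private key path, the FQDN users browse to.

# cert_matches_key CERT KEY: succeeds if CERT was issued for the public key
# belonging to KEY (both are printed as PEM SubjectPublicKeyInfo and compared).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    case "$cert_pub" in *"BEGIN PUBLIC KEY"*) ;; *) return 1 ;; esac
    [ "$cert_pub" = "$key_pub" ]
}

# cert_common_name CERT: the subject CN (empty if unreadable).
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_dns_sans CERT: one DNS subjectAltName entry per line (empty if none).
cert_dns_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers_fqdn CERT FQDN: succeeds if FQDN is the CN or a DNS SAN entry.
cert_covers_fqdn() {
    [ "$(cert_common_name "$1")" = "$2" ] && return 0
    cert_dns_sans "$1" | grep -Fqx -- "$2"
}

# cert_valid_for_days CERT DAYS: succeeds if CERT will not have expired DAYS
# days from now (so renewal can be scheduled before the WebUI breaks).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# verify_webui_cert CERT KEY FQDN [MIN_DAYS]: run all checks, report each
# failure, and return the number of failures (0 = safe to install).
verify_webui_cert() {
    min_days="${4:-30}"; failures=0
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: $1 does not match private key $2"; failures=$((failures + 1)); }
    cert_covers_fqdn "$1" "$3" ||
        { echo "FAIL: $1 covers neither CN nor SAN $3"; failures=$((failures + 1)); }
    cert_valid_for_days "$1" "$min_days" ||
        { echo "FAIL: $1 expires within $min_days days or is already expired"; failures=$((failures + 1)); }
    return "$failures"
}

# Typical use on the OP5 Monitor server, before step 4 above:
#   verify_webui_cert ~/localhost.crt /etc/pki/tls/private/localhost.key op5.your-company.com && echo OK
```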

Schedule a full backup

Configure a full backup to run on a schedule:

  1. Edit the main backup settings in the file /etc/op5-backup/main.conf.
  2. Create the cron schedule and the cron rotate schedule, as in the examples below:
    cat << EOF > /etc/cron.d/op5backup
    59 1 * * * root /usr/sbin/op5-backup >/dev/null 2>&1
    EOF
    cat << EOF > /etc/cron.d/op5backup-rotate
    59 2 * * * root /usr/bin/find /root/op5backups/ -mtime +7 -name "op5*.????-??-??.backup" -exec rm -rf {} \; >/dev/null 2>&1
    EOF

For more details of OP5 Monitor backup, see Manage backup and restore.

Secure your OP5 Monitor server

By default OP5 Monitor comes configured for use with the following versions of SNMP: v1, v2c, and v3.

Take note of the following security considerations:

  • SNMP v1 and v2c can be used with the default community string public or the OP5 Monitor specific community string OP5, with OP5 having wider read access than public.

  • SNMP v3 is set up with unique user details stored as custom variables on the host in OP5 Monitor.

  • All self-monitoring checks that OP5 Monitor itself uses are configured for SNMP v3 and do not require SNMP v1 or v2c to function.

If SNMP v1 and v2c are not required, then it is recommended that you remove the community strings public and OP5 from the SNMP configuration for better security:

  1. Edit the /etc/snmp/snmpd.conf file and put a # character in front of the line com2sec notConfigUser default public.

  2. Edit the /usr/share/snmp/snmpd.conf and put a # character in front of the line rocommunity OP5 and the line com2sec op5User localhost OP5.

  3. Restart snmpd: systemctl restart snmpd.

Disable SNMPv1 and SNMPv2c

SNMP version 1 has limitations both in terms of performance and the data it can deliver, which make it unsuitable for monitoring (see SNMP versions under Set up a Unix SNMP agent below).

It also comes pre-configured with the default community public for read-only access. We strongly recommend disabling it to prevent malicious users from gaining information about the server.

To do this, remove or comment out all lines in your snmpd configuration file that start with rocommunity or rwcommunity.

Note: This also prevents these community strings from working with SNMP version 2c access.

Set up a monitoring agent on your host servers

These steps explain how to set up a monitoring agent on Windows and Unix host servers.

If you are not sure if you need a monitoring agent or which one to choose, see Monitoring agents in Key concepts of OP5 Monitor.

Set up a Windows agent

The recommended agent for Windows monitoring is NSClient++.

To install NSClient++, download the latest stable release from the NSClient++ website and install it on your Windows hosts, with the following options:

  • OP5 Monitor configuration for NSClient++ as your monitoring tool.
  • 127.0.0.1 and your OP5 Monitor server IP addresses as Allowed Hosts, separated by commas.

For more information on NSClient++, see docs.nsclient.org.

In OP5 Monitor 9.x, all NSClient checks use check_nrpe version 4, since version 2 does not work on EL8 operating systems. When using check_nrpe version 4, the target host must have a 2048-bit Diffie-Hellman key.

Since NSClient only provides a 512-bit key, all servers with NSClient that are still using the 512-bit key for their NRPE SSL encryption must be updated to use 2048-bit keys. To avoid issues during the update, you must generate a new key and use it instead of the previously generated key. For more information, see the check_nrpe article.

Set up a Unix SNMP agent

SNMP versions

SNMP version 3 (SNMPv3) is the most secure solution for Unix monitoring. You do not need to install anything to use SNMPv3 for monitoring, but you do need to configure the SNMPv3 daemon on all of your hosts.

SNMP versions 1 and 2c are unencrypted. SNMP version 1 also has limits in terms of both performance and the data types it offers, making it highly unsuitable for monitoring.

SNMPv3 and 2c both provide the same data, and although v3 has a slight performance overhead because it encrypts the traffic, the ease of management of using the same protocol across the network makes it the preferred choice.

Configure an SNMPv3 user

This section describes how to configure SNMPv3 for use in the most widely used mode (authPriv), with configuration of other modes briefly described.

Note: We strongly advise against using SNMPv3 without authentication and encryption.

SNMPv3 has three separate options for security and privacy (secLevel):

  • noAuthNoPriv — no authentication, no privacy.
  • authNoPriv — authentication but no privacy.
  • authPriv — authentication and privacy.

SNMPv3 provides two different authentication mechanisms:

  • sha1 — recommended, a strong cryptographic algorithm that is fast to compute.
  • md5 — not recommended, now mostly supported for backward compatibility.

SNMPv3 also provides two different encryption algorithms:

  • AES — recommended.
  • DES — not recommended, has known security issues and provides weak encryption.

Before you begin, you must ensure the following:

  • net-snmp is installed on the host server.
  • The host server is reachable on port 161, TCP, and UDP.

Password tips:

  • You can construct safe passwords that are still easy to work with from a few words strung together, like horse.eats.bananas.
  • Shell meta-characters are best avoided in passwords and community names. The most common problematic characters are $, ~, !, ;, ?, *, (, ), [, ], \, ", and '.

To add a new SNMP v3 user you need to edit two files:

  • /var/lib/net-snmp/snmpd.conf — includes the createuser commands.
  • /etc/snmp/snmpd.conf — includes access configuration.

Perform the following steps to grant user op5user, authenticated with authPass and submitting privPass as a communication encryption key, read access to the SNMP tree.

  1. Stop the SNMP daemon:
    systemctl stop snmpd.service
  2. Add the following line to /var/lib/net-snmp/snmpd.conf, ensuring that you set the user name op5user and passwords authPass and privPass to secure ones of your choosing:
    createUser op5user SHA authPass AES privPass

    Note that when you restart the SNMP daemon at the end of this procedure, the createUser command line in /var/lib/net-snmp/snmpd.conf changes to look like this:

    usmUser 1 3 0x80001f88801fe67e4b048e4d5500000000 0x6b616b6100 0x6b616b6100 NULL .1.3.6.1.6.3.10.1.1.2 0xcab3cb478072eef2df19c0403f030678 .1.3.6.1.6.3.10.1.2.4 0x0f6c0d5d2e521c53630039b1f04354d8 0x
  3. At the end of file /etc/snmp/snmpd.conf, add the following line to give the new user read-only access to the full tree:
    rouser op5user priv .1
  4. Start the SNMP daemon back up again:
    systemctl start snmpd.service
  5. Verify the configuration by running command snmpwalk:

    snmpwalk -v 3 -l authPriv -u op5user -a sha -A authPass -x aes -X privPass localhost .1

    If the configuration is correct, the command results in a lot of output. If this is not the case, check your snmpd configuration for errors, restart snmpd, and make sure that you have configured your firewalls correctly.

Below are other examples of ways to create SNMPv3 users and enable them for read-only access.

/var/lib/net-snmp/snmpd.conf

# Create users with varying levels and types of authentication credentials
# If a password or hash/encryption type is omitted, requiring those credentials
# for queries will result in a configuration error when starting snmpd.
# username authProto authPass privProto privPass
createUser auth_none
createUser auth_md5 MD5 md5_pass
createUser auth_md5_des MD5 md5_pass DES des_crypt
createUser auth_md5_aes MD5 md5_pass AES aes_crypt
createUser auth_sha SHA sha_pass
createUser auth_sha_des SHA sha_pass DES des_crypt
createUser auth_sha_aes SHA sha_pass AES aes_crypt

/etc/snmp/snmpd.conf

# Allow each user read-only access to the entire SNMP tree, at the security
# level (noauth, auth or priv) that matches the credentials created above
# user mode subtree
rouser auth_none noauth .1
rouser auth_sha auth .1
rouser auth_md5 auth .1
rouser auth_sha_des priv .1
rouser auth_sha_aes priv .1
rouser auth_md5_des priv .1
rouser auth_md5_aes priv .1

Note: After configuring SNMPv3 user access, you must disable unencrypted access to the server to prevent unauthorised access, by commenting out all lines starting with com2sec, access, rocommunity, or rwcommunity in your snmpd configuration file.
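
The note above, together with the earlier Disable SNMPv1 and SNMPv2c section, amounts to an audit of snmpd.conf for community-based directives. The following is an added example, not code from the OP5 Monitor documentation: it lists the still-active directives, comments them out with a backup, and, going slightly beyond the note, also covers net-snmp's IPv6 variants (com2sec6, rocommunity6, rwcommunity6); the sample configuration file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OP5 Monitor documentation: find, and then
# comment out, the community-based SNMPv1/v2c access directives that the note
# above says to disable once SNMPv3 users are in place. Besides com2sec, access,
# rocommunity and rwcommunity it also covers net-snmp's IPv6 variants
# (com2sec6, rocommunity6, rwcommunity6). The file path is an argument.

INSECURE_DIRECTIVES='com2sec|com2sec6|access|rocommunity|rocommunity6|rwcommunity|rwcommunity6'

# snmpd_insecure_lines FILE: every active (not commented-out) line that begins
# with one of the directives above, prefixed with its line number.
snmpd_insecure_lines() {
    grep -nE "^[[:space:]]*($INSECURE_DIRECTIVES)[[:space:]]" "$1"
}

# snmpd_insecure_count FILE: how many such lines remain (0 = nothing to do).
snmpd_insecure_count() {
    snmpd_insecure_lines "$1" | wc -l | tr -d ' '
}

# snmpd_disable_communities FILE: comment those lines out in place, keeping a
# timestamped backup beside the file. createUser and rouser lines are untouched;
# restart snmpd afterwards for the change to take effect.
snmpd_disable_communities() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    sed -i -E "s/^([[:space:]]*)($INSECURE_DIRECTIVES)[[:space:]]+/\1# \2 /" "$1"
}

# write_sample_snmpd_conf FILE: constructed sample resembling a default
# /etc/snmp/snmpd.conf after an SNMPv3 user has been added (demo data only).
write_sample_snmpd_conf() {
    cat > "$1" <<'EOF'
# Default net-snmp community mapping
com2sec notConfigUser  default       public
group   notConfigGroup v2c           notConfigUser
view    systemview     included      .1.3.6.1.2.1.1
access  notConfigGroup ""      any       noauth    exact  systemview none none
rocommunity OP5 localhost
    rwcommunity private 127.0.0.1
# rocommunity public   (already disabled)
rouser op5user priv .1
EOF
}

# Typical use on a host:
#   snmpd_insecure_lines /etc/snmp/snmpd.conf        # review what would change
#   snmpd_disable_communities /etc/snmp/snmpd.conf && systemctl restart snmpd
```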

Configure an SNMP version 2c user

This section explains how to configure a user with SNMP version 2c. Note that we recommend using SNMPv3 whenever possible.

Enabling SNMP version 2c while keeping SNMP version 1 disabled means you have to configure specific access groups. This gives you fine-grained control over which areas of the SNMP tree a specific user is allowed to access.

The following example configures community name everything to have read-only access to everything, while community disks only has read access to storage information. Neither community has write access to the SNMP tree.

# Map 'disks' community to the 'disksOnly' user
# Map 'everything' community to the 'allThings' user
#         sec.name   source    community
com2sec   disksOnly  default   disks
com2sec   allThings  default   everything
# Map 'disksOnly' to 'diskGroup' for SNMP Version 2c
# Map 'allThings' to 'allGroup' for SNMP Version 2c
#                 sec.model sec.name
group diskGroup   v2c      disksOnly
group allGroup    v2c      allThings
# Define 'diskView', which includes everything under .1.3.6.1.2.1.25.2.3.1
# Define 'allView', which includes everything under .1 (which is everything)
#                  incl/excl   subtree
view    diskView   included    .1.3.6.1.2.1.25.2.3
view    allView    included    .1
# Give 'diskGroup' read access to objects in the view 'diskView'
# Give 'allGroup' read access to objects in the view 'allView'
#         group       context   model   level    prefix  read       write   notify
access    diskGroup   ""        any     noauth   exact   diskView   none    none
access    allGroup    ""        any     noauth   exact   allView    none    none

Extend the SNMP daemon to run local scripts and plugins

You can extend the SNMP daemon to run local scripts and plugins. You can find more information on extending net-snmp on the ITRS Support pages and on the Red Hat customer portal.

Set up a Unix NRPE agent

To install and configure NRPE:

  1. Download and install the NRPE package using the package repository for your operating system, such as:
    • RPM packages for Linux distributions based on Red Hat Enterprise, such as RHEL and CentOS.
    • DEB packages for Linux distributions based on Debian and its family of derivatives that use dpkg.
    • Portable source code for local compiling.
  2. Update the settings in configuration file /etc/nrpe.conf, based on the table below.
    Setting  Default  Description
    server_port  5666  The port where NRPE listens.
    allowed_hosts  127.0.0.1  The IP address of your OP5 Monitor server. Separate multiple addresses with commas, but avoid using whitespace. For example: allowed_hosts=98.139.180.149,98.139.180.150
    nrpe_user  nobody  The user that executes the NRPE daemon.
    nrpe_group  nobody  The group that executes the NRPE daemon.
    debug  0 (zero)  Set this value to 1 if you need to debug NRPE.
    command_timeout  60 (sixty)  The default timeout for a check command, in seconds.
    dont_blame_nrpe  0 (zero)  Set this value to 1 to let OP5 Monitor send arguments to NRPE commands. Leave it at 0 unless a check needs arguments, because accepting command arguments over the network widens the attack surface of the host.

NRPE commands

NRPE comes with a few predefined commands, located in file /etc/nrpe.d/op5_commands.cfg.

You can add your own commands in your own file in directory /etc/nrpe.d/. You must add file extension .cfg to configuration files, otherwise they are not loaded into NRPE when the daemon restarts.

NRPE commands have the following syntax:

command[foo]=/opt/foo --args

There are two sides to NRPE command definitions, with an equals sign (=) as their separator:

Syntax segment Description
command[foo] The string between the square brackets, which in this case is foo, is the name of this command. Typically this gets passed as the first argument to the plugin. Do not use white space in command names.
/opt/foo --args The command-line syntax you want to execute. The executable needs to be available on the local host. This also applies to any plugins you want to call remotely.

The following steps add a command that looks for a process named smsd using plugin check_procs:

  1. Log into the host where NRPE is installed, as root.
  2. Create a new configuration file in directory /etc/nrpe.d/new_file.cfg.
  3. Edit the new file to add a command definition:
    command[proc_smsd]=/opt/plugins/check_procs -w 1: -c 2:2 -C smsd
  4. Save the file and restart NRPE.
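
The settings table and the command[name]=... syntax above are easy to get subtly wrong (whitespace in allowed_hosts, a space in a command name, a relative plugin path, dont_blame_nrpe left at 1). The following is an added example, not code from the OP5 Monitor documentation: a small POSIX shell audit of an NRPE configuration file against those rules, with a constructed sample file for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OP5 Monitor documentation: audit an NRPE
# configuration file against the settings table and the command[name]=...
# syntax described above. The sample file below is constructed for the demo;
# on a real host you would pass /etc/nrpe.conf or a file from /etc/nrpe.d/.

# nrpe_setting FILE KEY: value of KEY; the last active key=value line wins.
nrpe_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# nrpe_audit FILE: print one WARN line per finding; return the number of findings.
nrpe_audit() {
    f="$1"
    findings=0
    warn() { echo "WARN: $1"; findings=$((findings + 1)); }

    hosts=$(nrpe_setting "$f" allowed_hosts)
    case "$hosts" in
        "") warn "allowed_hosts is not set" ;;
        *[[:space:]]*) warn "allowed_hosts contains whitespace: '$hosts'" ;;
    esac
    [ "$(nrpe_setting "$f" dont_blame_nrpe)" = "1" ] &&
        warn "dont_blame_nrpe=1: arguments sent by the monitoring server are accepted"
    [ "$(nrpe_setting "$f" nrpe_user)" = "root" ] && warn "nrpe_user is root"
    [ "$(nrpe_setting "$f" debug)" = "1" ] && warn "debug=1 is still enabled"

    # command[name]=/path --args: no whitespace in the name, absolute executable path.
    # Reading from a here-document keeps the loop in this shell, so $findings is kept.
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}          # strip leading whitespace
        case "$line" in command\[*\]=*) ;; *) continue ;; esac
        rest=${line#command\[}
        name=${rest%%\]=*}
        cmdline=${rest#*\]=}
        case "$name" in *[[:space:]]*) warn "command name contains whitespace: '$name'" ;; esac
        case "$cmdline" in /*) ;; *) warn "command '$name' has no absolute path: $cmdline" ;; esac
    done <<EOF
$(cat "$f")
EOF
    return "$findings"
}

# write_sample_nrpe_cfg FILE: constructed sample containing four findings.
write_sample_nrpe_cfg() {
    cat > "$1" <<'EOF'
server_port=5666
allowed_hosts=127.0.0.1, 192.0.2.10
nrpe_user=nobody
nrpe_group=nobody
debug=0
command_timeout=60
dont_blame_nrpe=1
command[proc_smsd]=/opt/plugins/check_procs -w 1: -c 2:2 -C smsd
command[disk root]=/opt/plugins/check_disk -w 20% -c 10% -p /
command[uptime]=check_uptime
EOF
}

# Typical use on a host with NRPE installed:
#   nrpe_audit /etc/nrpe.conf || echo "fix the findings above, then restart NRPE"
```
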

Plugins used with NRPE

The only plugin used with NRPE is check_nrpe. To use the plugin with an NRPE command, use the following syntax in your service definition:

/opt/plugins/check_nrpe -H $HOSTADDRESS$ -C proc_smsd

For more information on specifying commands in service definitions, see Manage commands.

Bastion mode

The NRPE agent is designed to listen for requests from allowed hosts and run the selected commands on its own host. By default it accepts requests only from itself (allowed_hosts is 127.0.0.1); the usual configuration for a Unix agent adds the OP5 Monitor server to allowed_hosts so that the agent is queried over the network.

NRPE can also listen for OP5 Monitor commands run against targets without NRPE installed. Such checks are called indirect checks, therefore using this approach is known as indirect mode, or bastion mode. The host with the NRPE agent installed becomes a bastion, able to talk to outpost targets on its side of a firewall, otherwise incapable of talking directly to the OP5 Monitor server.

For example, if a web server on the other side of a firewall from the OP5 Monitor infrastructure needs to take requests, the firewall only allows access to OP5 Monitor through one port to a bastion server running NRPE. You can create an NRPE check_http command to run against the outpost.

Note: While this works, it is much more convenient to use an OP5 Monitor poller. If you use a bastion server, you need to configure every check command for the outpost targets nested inside another check_nrpe. Using a poller makes better use of parent-child relationships and allows easy swapping between hostgroups. For more information on setting up pollers, see Scale up your monitoring environment.

To set up bastion mode:

  1. Determine the processes and the ports that are open on the final target.
  2. Create a host in OP5 Monitor for the bastion server, adding it to host groups and services based on NRPE configuration. For guidance, see Add new hosts in Manage hosts and services.
  3. Create a host in OP5 Monitor for the outpost server. For guidance, see Add new hosts in Manage hosts and services.
  4. Configure the bastion server as a parent of the outpost server. For guidance, see Add new hosts in Manage hosts and services.
  5. Configure the outpost server as a child of the bastion server. For guidance, see Add new hosts in Manage hosts and services.
  6. Create an NRPE command to run against the final target.
  7. Add the command to nrpe.cfg on the bastion server.
  8. Set the command as a check_nrpe command argument value for the bastion host. For guidance, see Configure a host in Manage hosts and services.

Software setup

Listed below are the recommended setup tasks for an administrator to perform in the OP5 Monitor software before giving access to other users. For more information on OP5 Monitor configuration, see Introduction to configuration.

Create the OP5 Monitor administrator account

You need an administrator account to perform certain configuration tasks in the OP5 Monitor user interface. The first time you access OP5 Monitor after installation, you are prompted to create the administrator user.

  1. Enter your OP5 Monitor URL into a browser.
  2. Click Log in to ITRS OP5 Monitor.
  3. Enter the new administrator user name and password.
  4. Click Create account.

Success: You can now log in and use the new administrator account in OP5 Monitor.

Configure new local users

Before your users can get started with OP5 Monitor, you need to perform basic user administration tasks:

  • Create new local user accounts.
  • Manage user groups.
  • Update group permissions.
  • Create a contact profile and group so they can receive notifications.

For guidance, see Manage users, contacts, and permissions.

Create new hosts and services

You need to add new hosts and services for the OP5 Monitor users to monitor.

For guidance, see Manage hosts and services.

Restrict shell access to nodes

When logged in to the server, an unprivileged user can read sensitive files, or even read and write to databases used by OP5 Monitor. It is also possible for unprivileged users to affect the monitoring process directly, thereby circumventing any access control by the OP5 Monitor software.

Check that only users with full administrative privileges have shell access (for example, via SSH) to ITRS OP5 Monitor nodes.

Caution: Granting user permissions for Test this host and Test this service effectively grants shell access to the monitoring host. For more information, see Update user permissions in Manage users, contacts, and permissions.