Configuring the checks on Nagios XI
This is the third and final part to monitoring pfSense with Nagios XI using SSH. If you missed either of the previous parts, I’ve included them below.
Note: If you’re configuring this on Nagios Core, scroll down to the bottom of this page for the example commands.cfg and services.cfg files.
15Dec2017 – Originally posted
9May2018 – Added uptime and CPU temperature check as well as a Nagios Core example
11May2018 – Modified the check_pf_mem plugin
1June2018 – Added Nagios Core services.cfg and commands.cfg examples
29Oct2018 – check_ping changed to check_icmp
7Jan2019 – added info about ‘username is reserved’ error
16Apr2020 – added info about limiting sudo commands
6Apr2022 – Added check_pf_gw_status (contributed by Manuel Gayer)
Finally, let’s configure the checks on Nagios XI. Go to the SSH Proxy wizard. I like to change the OS to FreeBSD, but all that really does is change the icon in the web interface.
Change the host name to whatever you’d like. In my example, I chose pfSense-home. At this time, take the checkboxes out of the 2 other remote commands and leave it for the check_disk remote command only. Also, change the remote command to the text below. Make sure you pay attention to the path because the default Nagios entry flip flops libexec and nagios! I recommend changing the display name to “Disk – Root” so when you monitor other partitions, they are all in order in the web GUI.
/usr/local/libexec/nagios/check_disk / -w 20% -c 5%
Answer the remaining questions/screens as you see fit. Once the configuration changes are made and the service checks run, you should see something in your Nagios service details.
Great start! But where are the rest of the checks from part 2? In Nagios XI, to add more you can do one of two things. Either a) go to the Core Config Manager and copy configs or b) go *back* through the wizard and copy/paste each of the lines below. I prefer the 2nd method because it is far less mouse clicking. Also, if you opt for the CCM copy method, don’t forget to ‘apply configuration’ at the end!
Obviously, you will need to omit or change lines to meet the needs of your firewall/environment. For instance, if you use a VPN, you will need to change the IP address and name. You will also need to change the interface names if you want to monitor those. If you use a Windows server for DHCP or DNS, don’t add the service monitors for dhcpd or unbound (DNS).
Also note the two entries that have ‘sudo’ before them. If you receive any errors stating there is a problem with “remote command execution failed” or permissions, that is likely the issue. If you need help on configuring sudo on pfSense, refer to part 1 of this series. If you would like a little more details on the individual checks, refer to part 2 of this series.
|/usr/local/libexec/nagios/check_disk /var/run -w 20% -c 5%||Disk – VarRun|
|/usr/local/libexec/nagios/check_icmp -H 184.108.40.206 -w 80,10% -c 150,40%||Ping to OpenDNS|
|/usr/local/libexec/nagios/check_ntp_time -H time.google.com||NTP Variation|
|/usr/local/libexec/nagios/check_load -w 3,2.8,2.6 -c 10,7,5 -r||Load|
|/usr/local/libexec/nagios/check_procs -w 200 -c 400||Total Processes|
|/usr/local/libexec/nagios/check_swap -w 90% -c 40%||Swap Usage|
|/usr/local/libexec/nagios/check_pf_cpu_temp -w 75 -c 90||CPU Temperature|
|/usr/local/libexec/nagios/check_pf_cpu -w 85 -c 95||CPU Usage|
|/usr/local/libexec/nagios/check_pf_mem -w 90 -c 95||Memory Usage|
|/usr/local/libexec/nagios/check_pf_interface -i em1_vlan5 -name DEVICES||Interface DEVICES|
|sudo /usr/local/libexec/nagios/check_pf_ipsec_tunnel -e <IP address> -name DallasTX||VPN to DallasTX|
|sudo /usr/local/libexec/nagios/check_pf_state_table -w 60 -c 90||State Table|
|/usr/local/libexec/nagios/check_pf_services -name snort||Service: snort|
|/usr/local/libexec/nagios/check_pf_services -name pinger||Service: pinger|
|/usr/local/libexec/nagios/check_pf_services -name dhcpd||Service: dhcpd|
|/usr/local/libexec/nagios/check_pf_services -name unbound||Service: unbound-DNS|
|/usr/local/libexec/nagios/check_pf_gw_status -G WAN_DHCP -w 60,5 -c 200,20||Gateway Status|
So what does the final result look like (see below)? Beautiful! Now that is how you monitor a firewall! A reader was kind enough to send me their Nagios Core screenshot as well.
If there are some particular checks you would like to see added, let me know and I’ll add it in. Better yet, write them up and/or add them to the GitHub repo and I’ll give you credit!
I’ve included the Nagios XI services config file so you can download it to compare checks. I’ve also included examples of the Nagios Core services.cfg and commands.cfg files so Core users would have a better idea of how to configure this solution as well.
Nagios XI example
Nagios Core example
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.