Server Monitoring with Munin and Monit on Ubuntu 14.04 LTS


This tutorial will show you how to monitor an Ubuntu 14.04 server with Munin and Monit. Munin produces nice graphs about nearly every aspect of your server, whereas Monit checks the availability of services like Apache, MySQL, and Postfix and takes the appropriate action, such as a restart, if it finds a service is not behaving as expected. The combination of the two gives you full monitoring: graphics that let you recognize current or upcoming problems, and a watchdog that ensures the availability of the monitored services. This tutorial contains two (optional) chapters about integrating Munin and Monit into ISPConfig.

 

1 Preliminary Note

Our system’s hostname is server1.example.com, and we have a website www.example.com on it with the document root /var/www/www.example.com/web.

The following steps have to be performed as root user. To become root user on your server, run this command:

sudo su

Ensure that the system is up to date before you start to install Munin. Run:

apt-get update
apt-get upgrade

Apache is used to show the Munin pages; the Apache fcgid module is required for the Munin graph zoom feature. I will install Apache and the libapache2-mod-fcgid module with apt.

apt-get install apache2 libcgi-fast-perl libapache2-mod-fcgid

Enable the fcgid module in apache.

a2enmod fcgid

2 Install and Configure Munin

To install Munin on Ubuntu 14.04, run the commands below:

apt-get install munin munin-node munin-plugins-extra

When the server is running MySQL or MariaDB, enable a few extra Munin plugins to monitor MySQL:

cd /etc/munin/plugins
ln -s /usr/share/munin/plugins/mysql_ mysql_
ln -s /usr/share/munin/plugins/mysql_bytes mysql_bytes
ln -s /usr/share/munin/plugins/mysql_queries mysql_queries
ln -s /usr/share/munin/plugins/mysql_slowqueries mysql_slowqueries
ln -s /usr/share/munin/plugins/mysql_threads mysql_threads

Next, we must edit the Munin configuration file /etc/munin/munin.conf. Uncomment the dbdir, htmldir, logdir, rundir, and tmpldir lines (the default values are fine). We want Munin to use the name server1.example.com instead of localhost.localdomain in the HTML output, therefore, we replace localhost.localdomain with server1.example.com in the simple host tree section. Without the comments, the changed file looks like this:

nano /etc/munin/munin.conf

# Example configuration file for Munin, generated by 'make build'

# The next three variables specifies where the location of the RRD
# databases, the HTML output, logs and the lock/pid files. They all
# must be writable by the user running munin-cron. They are all
# defaulted to the values you see here.
#
dbdir /var/lib/munin
htmldir /var/cache/munin/www
logdir /var/log/munin
rundir /var/run/munin

# Where to look for the HTML templates
#
tmpldir /etc/munin/templates

# Where to look for the static www files
#
#staticdir /etc/munin/static

# temporary cgi files are here. note that it has to be writable by
# the cgi user (usually nobody or httpd).
#
# cgitmpdir /var/lib/munin/cgi-tmp

# (Exactly one) directory to include all files from.
includedir /etc/munin/munin-conf.d
[...]
# a simple host tree
[server1.example.com]
 address 127.0.0.1
 use_node_name yes
[...]

We should find the Apache configuration file for Munin /etc/munin/apache.conf – it defines an alias called munin to munin’s HTML output directory /var/cache/munin/www which means we can access munin from all websites on this server by using the relative path /munin (e.g. http://www.example.com/munin).

The apache.conf file that ships with Ubuntu 14.04 still contains the old Apache 2.2 syntax, which is not correct for Apache 2.4; therefore we replace that file with a new one. First we make a backup of the old file.

mv /etc/munin/apache.conf /etc/munin/apache.conf_bak

Open the new file with an editor:

nano /etc/munin/apache.conf

And paste the content below:

Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
 # Require local
 Require all granted
 Options FollowSymLinks SymLinksIfOwnerMatch
 Options None
</Directory>

ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
 # Require local
 Require all granted
 Options FollowSymLinks SymLinksIfOwnerMatch
 <IfModule mod_fcgid.c>
 SetHandler fcgid-script
 </IfModule>
 <IfModule !mod_fcgid.c>
 SetHandler cgi-script
 </IfModule>
</Location>

Restart Apache:

service apache2 restart

Then restart Munin:

service munin-node restart

Now wait a few minutes so that Munin can produce its first output, and then go to http://www.example.com/munin/ in your browser, and you see the first statistics:

munin_ubuntu

(This is just a small excerpt of the many graphics that munin produces…)

 

Now it is a good idea to password-protect the munin output directory unless you want everybody to be able to see every little statistic about your server.

To do this, we must create the password file /etc/munin/munin-htpasswd. We want to login with the username admin, so we do this:

htpasswd -c /etc/munin/munin-htpasswd admin

Enter a password for admin. Then open /etc/munin/apache.conf again…

nano /etc/munin/apache.conf

… comment out “Require all granted” and add the authentication lines (AuthUserFile, AuthName, AuthType and Require valid-user):

Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
 # Require local
 # Require all granted
 AuthUserFile /etc/munin/munin-htpasswd
 AuthName "Munin"
 AuthType Basic
 Require valid-user
 Options None
</Directory>

ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
 # Require local
 # Require all granted
 AuthUserFile /etc/munin/munin-htpasswd
 AuthName "Munin"
 AuthType Basic
 Require valid-user
 <IfModule mod_fcgid.c>
 SetHandler fcgid-script
 </IfModule>
 <IfModule !mod_fcgid.c>
 SetHandler cgi-script
 </IfModule>
</Location>

Then restart Apache:

service apache2 restart
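
The check below is an added example, not part of the original tutorial: it reads an Apache 2.4 config such as /etc/munin/apache.conf and reports, for each <Directory> or <Location> block, whether access is still open, which catches the case where the HTML directory is protected but the graph CGI is not. The function name, the verdict labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Prints one verdict per
# <Directory>/<Location> block: OPEN, AUTH or INCOMPLETE.
audit_munin_acl() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out directives
        /^[ \t]*<(Directory|Location)[ \t]/ {    # block opens: reset state
            name = $2; sub(/>$/, "", name)
            inblock = 1; granted = 0; auth = 0; pwfile = 0
            next
        }
        /^[ \t]*<\/(Directory|Location)>/ {      # block closes: emit verdict
            if (granted)             verdict = "OPEN"
            else if (auth && pwfile) verdict = "AUTH"
            else                     verdict = "INCOMPLETE"
            print verdict, name
            inblock = 0
            next
        }
        inblock {
            line = tolower($0)
            if (line ~ /require[ \t]+all[ \t]+granted/) granted = 1
            if (line ~ /require[ \t]+valid-user/)       auth = 1
            if (line ~ /authuserfile[ \t]+[^ \t]/)      pwfile = 1
        }
    ' "$@"
}

# Constructed sample: the Directory block is protected as in the tutorial,
# but the graph CGI Location was left on "Require all granted".
sample_partial() {
    cat <<'EOF'
<Directory /var/cache/munin/www>
 # Require all granted
 AuthUserFile /etc/munin/munin-htpasswd
 AuthName "Munin"
 AuthType Basic
 Require valid-user
</Directory>
<Location /munin-cgi/munin-cgi-graph>
 Require all granted
 <IfModule mod_fcgid.c>
 SetHandler fcgid-script
 </IfModule>
</Location>
EOF
}

sample_partial | audit_munin_acl
```

Run it against the real file with: audit_munin_acl /etc/munin/apache.conf. Every block should report AUTH before the server is reachable from the internet.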

4 Enable additional modules in Munin

The Munin command “munin-node-configure --suggest” can be used to get recommendations for additional Munin modules that can be enabled on the server. Run:

munin-node-configure --suggest

The output should be similar to this:

munin-suggest-ubuntu

The column “used” shows whether a module is enabled; the column “Suggestions” shows whether the server runs a service that can be monitored by this module. Create a symlink for the module in /etc/munin/plugins to enable it.

Here I will enable the apache_* modules for example:

cd /etc/munin/plugins
ln -s /usr/share/munin/plugins/apache_accesses
ln -s /usr/share/munin/plugins/apache_processes
ln -s /usr/share/munin/plugins/apache_volume

Restart Munin to load the new configuration.

service munin-node restart

5 Configure Munin in ISPConfig (optional)

The ISPConfig Hosting Control Panel has an option to show Munin data within the ISPConfig Monitor module. The Munin data is loaded in an iframe. As most browsers block content loaded over http within an https site, we have to find a way to access the Munin statistics over SSL. The easiest way is to use the SSL-enabled ISPConfig vhost for this by creating a symlink inside the ISPConfig web directory to the Munin www data directory.

ln -s /var/cache/munin/www /usr/local/ispconfig/interface/web/munin

Now we can access Munin in a browser with https://server1.example.com:8080/munin through the ISPConfig apache vhost.

The next step is to add the configuration in ISPConfig.

Log in to ISPConfig as Administrator (admin) user and go to System > Server config, fill in the URL, username and password for Munin as shown below.

ispconfig_munin

6 Install and Configure Monit

To install Monit, we do this:

apt-get install monit

Now we must edit /etc/monit/monitrc. The default /etc/monit/monitrc has lots of examples, and you can find more configuration examples on http://mmonit.com/monit/documentation/. In my case I want to monitor proftpd, sshd, mysql, apache, and postfix; enable the Monit web interface on port 2812 over https; log in to the web interface with the username admin and the password Kreationnext; and have Monit send email alerts to root@localhost. My file looks like this (I’ve added examples for other daemons to the configuration so that you can adjust the file to your needs):

cp /etc/monit/monitrc /etc/monit/monitrc_orig
cat /dev/null > /etc/monit/monitrc
nano /etc/monit/monitrc

set daemon 60
set logfile syslog facility log_daemon
set mailserver localhost
set mail-format { from: monit@server1.example.com }
set alert root@localhost
set httpd port 2812 and
 SSL ENABLE
 PEMFILE /var/certs/monit.pem
 allow admin:Kreationnext

check process sshd with pidfile /var/run/sshd.pid
 start program "/usr/sbin/service ssh start"
 stop program "/usr/sbin/service ssh stop"
 if failed port 22 protocol ssh then restart
 if 5 restarts within 5 cycles then timeout

check process apache with pidfile /var/run/apache2/apache2.pid
 group www
 start program = "/usr/sbin/service apache2 start"
 stop program = "/usr/sbin/service apache2 stop"
 if failed host localhost port 80 protocol http
 and request "/monit/token" then restart
 if cpu is greater than 60% for 2 cycles then alert
 if cpu > 80% for 5 cycles then restart
 if totalmem > 500 MB for 5 cycles then restart
 if children > 250 then restart
 if loadavg(5min) greater than 10 for 8 cycles then stop
 if 3 restarts within 5 cycles then timeout
 
#check process mysql with pidfile /var/run/mysqld/mysqld.pid
# group database
# start program = "/usr/sbin/service mysql start"
# stop program = "/usr/sbin/service mysql stop"
# if failed host 127.0.0.1 port 3306 then restart
# if 5 restarts within 5 cycles then timeout

#check process proftpd with pidfile /var/run/proftpd.pid
# start program = "/usr/sbin/service proftpd start"
# stop program = "/usr/sbin/service proftpd stop"
# if failed port 21 protocol ftp then restart
# if 5 restarts within 5 cycles then timeout
#
#check process postfix with pidfile /var/spool/postfix/pid/master.pid
# group mail
# start program = "/usr/sbin/service postfix start"
# stop program = "/usr/sbin/service postfix stop"
# if failed port 25 protocol smtp then restart
# if 5 restarts within 5 cycles then timeout
#
#check process nginx with pidfile /var/run/nginx.pid
# start program = "/usr/sbin/service nginx start"
# stop program = "/usr/sbin/service nginx stop"
# if failed host 127.0.0.1 port 80 then restart
#
#check process memcached with pidfile /var/run/memcached.pid
# start program = "/usr/sbin/service memcached start"
# stop program = "/usr/sbin/service memcached stop"
# if failed host 127.0.0.1 port 11211 then restart
#
#check process pureftpd with pidfile /var/run/pure-ftpd/pure-ftpd.pid
# start program = "/usr/sbin/service pure-ftpd-mysql start"
# stop program = "/usr/sbin/service pure-ftpd-mysql stop"
# if failed port 21 protocol ftp then restart
# if 5 restarts within 5 cycles then timeout
#
#check process named with pidfile /var/run/named/named.pid
# start program = "/usr/sbin/service bind9 start"
# stop program = "/usr/sbin/service bind9 stop"
# if failed host 127.0.0.1 port 53 type tcp protocol dns then restart
# if failed host 127.0.0.1 port 53 type udp protocol dns then restart
# if 5 restarts within 5 cycles then timeout
#
#check process ntpd with pidfile /var/run/ntpd.pid
# start program = "/usr/sbin/service ntp start"
# stop program = "/usr/sbin/service ntp stop"
# if failed host 127.0.0.1 port 123 type udp then restart
# if 5 restarts within 5 cycles then timeout
#
#check process mailman with pidfile /var/run/mailman/mailman.pid
# group mail
# start program = "/usr/sbin/service mailman start"
# stop program = "/usr/sbin/service mailman stop"
#
#check process amavisd with pidfile /var/run/amavis/amavisd.pid
# group mail
# start program = "/usr/sbin/service amavis start"
# stop program = "/usr/sbin/service amavis stop"
# if failed port 10024 protocol smtp then restart
# if 5 restarts within 5 cycles then timeout
#
#check process courier-imap with pidfile /var/run/courier/imapd.pid
# group mail
# start program = "/usr/sbin/service courier-imap start"
# stop program = "/usr/sbin/service courier-imap stop"
# if failed host localhost port 143 type tcp protocol imap then restart
# if 5 restarts within 5 cycles then timeout
#
#check process courier-imap-ssl with pidfile /var/run/courier/imapd-ssl.pid
# group mail
# start program = "/usr/sbin/service courier-imap-ssl start"
# stop program = "/usr/sbin/service courier-imap-ssl stop"
# if failed host localhost port 993 type tcpssl sslauto protocol imap then restart
# if 5 restarts within 5 cycles then timeout
#
#check process courier-pop3 with pidfile /var/run/courier/pop3d.pid
# group mail
# start program = "/usr/sbin/service courier-pop start"
# stop program = "/usr/sbin/service courier-pop stop"
# if failed host localhost port 110 type tcp protocol pop then restart
# if 5 restarts within 5 cycles then timeout
#
#check process courier-pop3-ssl with pidfile /var/run/courier/pop3d-ssl.pid
# group mail
# start program = "/usr/sbin/service courier-pop-ssl start"
# stop program = "/usr/sbin/service courier-pop-ssl stop"
# if failed host localhost port 995 type tcpssl sslauto protocol pop then restart
# if 5 restarts within 5 cycles then timeout
#
#check process dovecot with pidfile /var/run/dovecot/master.pid
# group mail
# start program = "/usr/sbin/service dovecot start"
# stop program = "/usr/sbin/service dovecot stop"
# if failed host localhost port 143 type tcp protocol imap then restart
# if 5 restarts within 5 cycles then timeout

The configuration file is pretty self-explanatory; if you are unsure about an option, take a look at the Monit documentation: http://mmonit.com/monit/documentation/monit.html
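
The monitrc above stores the web interface password in clear text and does not restrict the listening address, so the following added example (not from the original tutorial) audits the “set httpd” statement and the file mode. The function names, finding labels and sample file are assumptions made for this example; the sample password is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Prints hardening findings for the
# "set httpd" statement of a monitrc and for the file mode.
audit_monit_httpd() {
    # $1 = path to monitrc
    awk '
        /^[ \t]*#/ { next }                          # skip comments
        { line = tolower($0) }
        line ~ /^[ \t]*(set|check)[ \t]/ {           # a new statement begins
            inhttpd = (line ~ /^[ \t]*set[ \t]+httpd/)
            if (inhttpd) seen = 1
        }
        inhttpd {
            if (line ~ /ssl[ \t]+enable/)  ssl = 1
            if (line ~ /use[ \t]+address/) bound = 1
            for (i = 1; i < NF; i++)                 # allow user:password entries
                if (tolower($i) == "allow" && $(i + 1) ~ /^[^:]+:.+/) {
                    split($(i + 1), cred, ":")
                    print "CLEARTEXT_PASSWORD user=" cred[1]
                }
        }
        END {
            if (seen && !ssl)   print "NO_SSL"
            if (seen && !bound) print "ALL_INTERFACES"
        }
    ' "$1"
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "LOOSE_PERMS $perms"
}

# Constructed sample based on the stanza above; the password is a placeholder.
write_sample_monitrc() {
    cat > "$1" <<'EOF'
set daemon 60
set httpd port 2812 and
 SSL ENABLE
 PEMFILE /var/certs/monit.pem
 allow admin:EXAMPLE-PASSWORD

check process sshd with pidfile /var/run/sshd.pid
 if failed port 22 protocol ssh then restart
EOF
}

tmp=$(mktemp)
write_sample_monitrc "$tmp"
chmod 644 "$tmp"
audit_monit_httpd "$tmp"
rm -f "$tmp"
```

ALL_INTERFACES means the statement has no “use address” clause, so the web interface is reachable on every interface the firewall lets through; LOOSE_PERMS means users other than the owner can read the file that holds the password.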

In the apache part of the Monit configuration you find this:

   if failed host localhost port 80 protocol http
      and request "/monit/token" then restart

which means that Monit tries to connect to localhost on port 80 and tries to access the file /monit/token which is /var/www/html/monit/token because our web site’s document root is /var/www/html. If Monit doesn’t succeed it means Apache isn’t running, and Monit is going to restart it. Now we must create the file /var/www/html/monit/token and write some random string into it:

mkdir /var/www/html/monit
echo "hello" > /var/www/html/monit/token

Next we create the pem cert (/var/certs/monit.pem) we need for the SSL-encrypted Monit web interface:

mkdir /var/certs
cd /var/certs

We need an OpenSSL configuration file to create our certificate. It can look like this:

nano /var/certs/monit.cnf

# create RSA certs - Server

RANDFILE = ./openssl.rnd

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = MO

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Monitoria

localityName                    = Locality Name (eg, city)
localityName_default            = Monittown

organizationName                = Organization Name (eg, company)
organizationName_default        = Monit Inc.

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Dept. of Monitoring Technologies

commonName                      = Common Name (FQDN of your server)
commonName_default              = server.monit.mo

emailAddress                    = Email Address
emailAddress_default            = root@monit.mo

[ cert_type ]
nsCertType = server

Now we create the certificate like this:

openssl req -new -x509 -days 365 -nodes -config ./monit.cnf -out /var/certs/monit.pem -keyout /var/certs/monit.pem

openssl gendh 1024 >> /var/certs/monit.pem

openssl x509 -subject -dates -fingerprint -noout -in /var/certs/monit.pem

chmod 600 /var/certs/monit.pem

Finally, we can start Monit:

service monit start

Now point your browser to https://www.example.com:2812/ (make sure port 2812 isn’t blocked by your firewall), log in with admin and Kreationnext, and you should see the Monit web interface. It should look like this:

monit_overview

(Main Screen)

monit_sshd_status

(SSHd Status Page)

Depending on your configuration in /etc/monit/monitrc monit will restart your services if they fail and send notification emails if process IDs of services change, etc.

To get the Monit status on the shell, run the “monit status” command:

monit status

The command will show the status of all monitored services.

monit-status1

7 Configure Monit in ISPConfig

The ISPConfig Server Control Panel can show Monit data within its Monitor module. To enable that function in ISPConfig, log in to ISPConfig as Administrator (admin) user, go to System > Server config, fill in the URL, username and password for Monit as shown below.

ispconfig_monit

  • munin: http://munin-monitoring.org/
  • monit: http://mmonit.com/monit/

 

 
