Monit
Monit est utilisé pour surveiller les processus "daemon" - démons en français, programme qui tournent en arrière plan - ou des programmes similaires sur votre serveur local.
Monit est particulièrement utile pour les processus démons lancés au démarrage du système à partir de /etc/init.d/ (sendmail, sshd, apache, mysql...)
A la différence de nombreux systèmes de surveillance, Monit peut en plus agir en cas de situation d'erreur; Par exemple, si sendmail s'arrête, Monit peut le relancer; Si Apache utilise trop de ressources (en cas d'attaque DoS est en cours) Monit peut arrêter et/ou redémarrer Apache puis vous envoyer un message d'alerte.
Monit peut également surveiller l'état des processus et détecter par exemple les processus zombie ou qui utilisent trop de CPU.
Vous pouvez également utiliser Monit pour surveiller des fichiers, répertoires et systèmes de fichiers sur votre serveur local. Vous pouvez aussi contrôler le checksum MD5 de fichiers qui ne devraient pas changer...
Même s'il n'est pas fait pour ça Monit peut surveiller des hôtes distants.
Vous pouvez suivre l'état de votre système (utilisation du CPU, la mémoire et la charge moyenne)
Installation
# apt-get install monit
Pour les impatients
Nous allons activer monit et accéder tout de suite à l'interface Web
root@vanille:~# nano /etc/default/monit
# You must set this variable to for monit to start startup=1
root@vanille:~# mn /etc/monit/monitrc /etc/monit/monitrc.ori
set daemon 60
set httpd port 2812 and
allow admin:test
root@vanille:~# service monit start Starting daemon monitor: monit.
Bien entendu cette configuration est très insufisante; A part savoir que votre serveur est en fonction, vous n'avez pas beaucoup d'autres informations... De plus l'interface n'est pas sécurisée...
Explication des règles
- Surveillance d'un processus;
- Règles pour arrêter et démarrer les processus surveillés;
- Règles pour surveiller éventuellement les interfaces et ports ou ces processus doivent écouter (par défaut localhost si vous ne précisez rien);
- Règles pour surveiller la charge du CPU par service;
- Règles pour surveiller des fichiers (s'ils existent, leur checksum...).
Pensez à surveiller les services sur les bonnes interfaces... Inutile par exemple de surveiller ssh sur localhost alors que vous en avez besoin sur eth0...
Les possibilités sont très grandes, et la finesse de la surveillance tout autant. N'hésitez pas à lire les documentations elles regorgent d'astuces.
Plus de services
Voici quelques exemples de services à surveiller. Les fichiers sont à placer dans /etc/monit/conf.d
amavis
# cat /etc/monit/conf.d/amavis check process Amavisd-new with pidfile /var/run/amavis/amavisd.pid group mail start program = "/etc/init.d/amavis start" stop program = "/etc/init.d/amavis stop" if failed port 10024 protocol smtp then restart if 5 restarts within 5 cycles then timeout depends on amavisd_bin check file amavisd_bin with path /usr/sbin/amavisd-new group mail if failed checksum then unmonitor if failed permission 755 then unmonitor if failed uid root then unmonitor if failed gid root then unmonitor
apache2
# cat /etc/monit/conf.d/apache2
check process Apache2 with pidfile /var/run/apache2.pid
start program = "/etc/init.d/apache2 start" with timeout 60 seconds
stop program = "/etc/init.d/apache2 stop"
if failed port 80 then restart
if failed port 443 with timeout 15 seconds then restart
bind9
# cat /etc/monit/conf.d/bind9
check process Bind9 with pidfile /var/run/named/named.pid
start program = "/etc/init.d/bind9 start"
stop program = "/etc/init.d/bind9 stop"
if failed port 53 use type udp protocol dns then restart
if 3 restarts within 5 cycles then timeout
clamav
# cat /etc/monit/conf.d/clamav check process ClamAV with pidfile /var/run/clamav/clamd.pid group virus start program = "/etc/init.d/clamav-daemon start" stop program = "/etc/init.d/clamav-daemon stop" if 5 restarts within 5 cycles then timeout depends on clamavd_bin check file clamavd_bin with path /usr/sbin/clamd group virus if failed checksum then unmonitor if failed permission 755 then unmonitor if failed uid root then unmonitor if failed gid root then unmonitor
dovecot
# cat /etc/monit/conf.d/dovecot check process Dovecot with pidfile /var/run/dovecot/master.pid start program = "/etc/init.d/dovecot start" stop program = "/etc/init.d/dovecot stop" group mail if failed host mail.zehome.org port 993 type tcpssl sslauto protocol imap for 5 cycles then restart if 3 restarts within 5 cycles then timeout depends dovecot_init depends dovecot_bin check file dovecot_init with path /etc/init.d/dovecot group mail check file dovecot_bin with path /usr/sbin/dovecot group mail
fail2ban
# cat /etc/monit/conf.d/fail2ban
check process Fail2ban with pidfile /var/run/fail2ban/fail2ban.pid
start program = "/etc/init.d/fail2ban start" with timeout 60 seconds
stop program = "/etc/init.d/fail2ban stop"
fetchmail
# cat /etc/monit/conf.d/fetchmail
check process Fetchmail with pidfile /var/run/fetchmail/fetchmail.pid
start program = "/etc/init.d/fetchmail start" with timeout 60 seconds
stop program = "/etc/init.d/fetchmail stop"
freeradius
# cat /etc/monit/conf.d/freeradius
check process Freeradius with pidfile /var/run/freeradius/freeradius.pid
start program = "/etc/init.d/freeradius start" with timeout 60 seconds
stop program = "/etc/init.d/freeradius stop"
if failed host 10.9.8.3 port 1812 type udp then restart
if failed host 10.9.8.3 port 1813 type udp then restart
if failed host 10.9.8.3 port 1814 type udp then restart
imapproxyd
# cat /etc/monit/conf.d/imapproxyd
check process Imapproxy with pidfile /var/run/imapproxy.pid
start program = "/etc/init.d/imapproxy start" with timeout 60 seconds
stop program = "/etc/init.d/imapproxy stop"
if failed port 1143 then restart
mysql
# cat /etc/monit/conf.d/mysql # MYSQL check process MySql with pidfile /var/run/mysqld/mysqld.pid group mysql start program = "/etc/init.d/mysql start" stop program = "/etc/init.d/mysql stop" if failed host localhost port 3306 protocol mysql then restart if 5 restarts within 5 cycles then timeout depends on mysql_bin depends on mysql_rc check file mysql_bin with path /usr/sbin/mysqld group mysql if failed checksum then unmonitor if failed permission 755 then unmonitor if failed uid root then unmonitor if failed gid root then unmonitor check file mysql_rc with path /etc/init.d/mysql group mysql if failed checksum then unmonitor if failed permission 755 then unmonitor if failed uid root then unmonitor if failed gid root then unmonitor
postfix
# cat /etc/monit/conf.d/postfix # Postfix check process Postfix with pidfile /var/spool/postfix/pid/master.pid group mail start program = "/etc/init.d/postfix start" stop program = "/etc/init.d/postfix stop" if failed host 10.9.8.3 port 25 protocol smtp then restart if 5 restarts within 5 cycles then timeout depends on postfix_rc check file postfix_rc with path /etc/init.d/postfix group mail if failed checksum then unmonitor if failed permission 755 then unmonitor if failed uid root then unmonitor if failed gid root then unmonitor
rsyslogd
# cat /etc/monit/conf.d/rsyslogd # Syslogd check process Rsyslogd with pidfile /var/run/rsyslogd.pid start program = "/etc/init.d/rsyslog start" stop program = "/etc/init.d/rsyslog stop" if 5 restarts within 5 cycles then timeout check file rsyslogd_file with path /var/log/syslog
spamassassin
# cat /etc/monit/conf.d/spamassassin check process Spamassassin with pidfile /var/run/spamd.pid group mail start program = "/etc/init.d/spamassassin start" stop program = "/etc/init.d/spamassassin stop" if 5 restarts within 5 cycles then timeout if cpu usage > 99% for 5 cycles then alert if mem usage > 99% for 5 cycles then alert depends on spamd_bin depends on spamd_rc check file spamd_bin with path /usr/bin/spamassassin group mail if failed checksum then unmonitor if failed permission 755 then unmonitor if failed uid root then unmonitor if failed gid root then unmonitor check file spamd_rc with path /etc/init.d/spamassassin group mail if failed checksum then unmonitor if failed permission 755 then unmonitor if failed uid root then unmonitor if failed gid root then unmonitor
sshd
cat /etc/monit/conf.d/sshd
check process SSH with pidfile /var/run/sshd.pid
start program = "/etc/init.d/ssh start" with timeout 60 seconds
stop program = "/etc/init.d/ssh stop"
if failed host 10.9.8.3 port 22 then restart
Logging
Vous pouvez archiver les logs dans /var/log/syslog: Ajoutez ceci à /etc/monit/monitrc
set logfile syslog facility log_daemon
Si comme moi vous préférez séparer les logs, insérez ceci:
set logfile /var/log/monit.log
Et n'oubliez pas de prévoir une rotation...
nano /etc/logrotate.d/monit
/var/log/monit.log {
missingok
notifempty
size 100k
create 0644 root root
postrotate
/bin/kill -HUP `cat /var/run/monit.pid 2>/dev/null` 2> /dev/null || true
endscript
}
Les alertes par email
Ajoutez ceci à /etc/monit/monitrc:
set mailserver vanille.zehome.org
set alert admin@zehome.org
set mail-format { from: monit@vanille.zehome.org }
Au redémarrage de monit vous recevrez un message dans votre boite mail:
monit alert -- Monit instance changed vanille.zehome.org
Monit instance changed Service vanille.zehome.org Date: Tue, 23 Aug 2011 14:55:10 +0300 Action: start Host: vanille.zehome.org Description: Monit started Your faithful employee, monit
En cas de service qui s'arrêterais...
Objet: monit alert -- Does not exist Freeradius
Does not exist Service Freeradius Date: Tue, 23 Aug 2011 14:59:35 +0300 Action: restart Host: vanille.zehome.org Description: process is not running Your faithful employee, monit
Puis peu de temps plus tard...
Objet: monit alert -- Exists Freeradius
Les options sont très nombreuses, vous pouvez par exemple décider d'être averti de façon différente service par service.
Vous pouvez aussi décider ne n'être averti que pour certaines alertes:
En voici la liste:
alert foo@bar on { action
checksum
content
data
exec
gid
icmp
invalid
fsflags
nonexist
permission
pid
ppid
size
timeout
timestamp }
Et avec ssl
root@vanille:~# openssl req -new -x509 -days 365 -nodes -out /etc/ssl/private/monit.pem -keyout /etc/ssl/private/monit.pem Generating a 1024 bit RSA private key ..............++++++ ..............++++++ writing new private key to '/etc/ssl/private/monit.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:MG State or Province Name (full name) [Some-State]:Ihorombe Locality Name (eg, city) []:Ranohira Organization Name (eg, company) [Internet Widgits Pty Ltd]:Net Organizational Unit Name (eg, section) []:SHI Common Name (eg, YOUR name) []:vanille.zehome.org Email Address []:admin@zehome.org
root@vanille:~# openssl gendh 512 >> /etc/ssl/private/monit.pem Generating DH parameters, 512 bit long safe prime, generator 2 This is going to take a long time ............++*++*++*++*++*++*
root@vanille:~# openssl x509 -subject -dates -fingerprint -noout -in /etc/ssl/private/monit.pem subject= /C=MG/ST=Ihorombe/L=Ranohira/O=Net/OU=SHI/CN=vanille.zehome.org/emailAddress=admin@zehome.org notBefore=Aug 23 09:04:36 2011 GMT notAfter=Aug 22 09:04:36 2012 GMT SHA1 Fingerprint=15:DF:66:74:4C:B2:58:FF:0B:AF:1C:8B:D2:9A:63:65:5A:06:E5:D8
root@vanille:~# chmod 700 /etc/ssl/private/monit.pem
root@vanille:~# nano /etc/monit/monitrc
set daemon 60
set httpd port 2812
ssl enable
pemfile /etc/ssl/private/monit.pem
allow admin:test
include /etc/monit/conf.d/*
Ecran final
Rendez-vous sur
https://votre.domaine.org:2812/
ou
https://votre_ip:2812/
Sources
- (en) Site officiel
- (en) Manuel
- (en) Exemples de services
- (en) Installation sur une etch - c'est pas jeune...