Polling Observium Unix agent with SSH

In this How-To i will tell you how to receive the polling data from the UNIX agent: observium_agent over SSH. Especially if you need to monitor remote machines like amazon ec2 instances or other virtual machines the unix agent xinetd solutions which the project delivers seems not the securest way.

Prerequisites:

On Observium host:

php ssh2 module: libssh2-php
patchset for: unix-agent.inc.php

On target host:

snmpd daemon
/opt/observium/scripts/observium_agent goes to /usr/bin/
/opt/observium/scripts/agent-local goes to target dir see Wiki

Prepare your Target Host

apt-get install snmpd

See config example in:/opt/observium/snmpd.conf.example
And follow the steps as described in UNIX Agent Wiki expect the xinetd part!

Prepare your Observium Server

apt-get install libssh2-php

Patchset

What we now have to do is to modify the php code of the unix agent.
The easiest way doing this is to grab my patchset for the latest svn (tested with Revision: 4167) trunk.

Get it from this: link and unpack it into a directory of your choice.

unpack the archive:

tar xvzf observium.agent_.patch_.tar.gz

and apply the patch diffs to your php code:

patch -p0 < unix-agent.inc.php.diff

Create an authentication key for your remote SSH connection

mkdir /opt/observium/.ssh
ssh-keygen -t dsa -f /opt/observium/.ssh/id_dsa

and hit enter twice.

Set permissions of the ssh folder and transfer your pub key to the remote host:

chmod -R 0400 /opt/observium/.ssh
ssh-copy-id -i /opt/observium/.ssh/id_dsa.pub root@your.target.host.name

Check if SSH auth via newly created auth key works:

ssh -i /opt/observium/.ssh/id_dsa root@your.target.host.name

*Gotcha*

Important notice: Think about how to make the key files and run of the observium_agent
on remote machine more secure by adding an independent user, change access privileges, use of sudo e.g if you are planing to run the observium server on public ip.

Finally we add the SSH Port from your listening remote machine to the config.php

For example:

vi /opt/observium/config.php

and apply this line in the config:

$config['unix-agent']['port'] = 22;

and the polling via secure shell is ready to run.

Final note: I'm aware of that my code is not perfect and probably buggy in special cases. So i would appreciate any suggestions for improvement!

Cheers!

Jules

Jules is the owner and author of ISPIRE.ME. He's a Linux System Engineer, Tech fanatic and an Open Source fan.

Next Cannot find device br-ex fix for openvswitch on openstack »

Previous « Downgrade from Debian SID to Stable from Jessie to Wheezy

View Comments

christopher barry says:

September 20, 2014 at 20:58

Also, on your target webserver (or whatever) host, once keys are working correctly, add this to /etc/ssh/sshd_config:

PasswordAuthentication no

This adds a lot of security against brute force attacks on port 22.

-C