Sunday, February 3, 2013

Splunk Howto - Splunk for Netfilter Iptables, get a great Iptables Multi-host frontend with Splunk! (Iptables log parser)

*** Updated June 14, 2013  ***

Current Version = 2.04

Major changes:
14/06/2013 - Details completion
03/06/2013 - New major release V2.0
29/05/2013 - Typo correction

To install this addon, follow this link on Splunkbase or install it through the standard Splunk application process search online:

Splunk pre-requirements:

Ensure to install requirements Splunk addons:

Splunk For Netfilter Iptables:

Home application page:

Centralized Home page including Real time alert trend and majors stats:

Page Details:

1. Realtime view menu with statically defined time window

Access to following views in Realtime data analysis mode with major time window:
  • Activity Overview: Complete analysis of Iptables activity with charts and stats
  • Google Map: World map overview of identified origin connections

2. View menu with TimeRange button access

Access to following views:
  • Activity Overview: Complete analysis of Iptables activity with charts and stats
  • Google Map: World map overview of identified origin connections
  • Event Search: Event search interface using various filters

3. Quick Activity Overview

  • Total number of connections denied in Realtime mode with a 24 hours time window
  • Date and hour of the first event indexed in Iptables index
  • Date and hour of the last event indexed in Iptables index

4. Alert trend:

Alert trend of denied connection activity in Realtime mode using a 24 hours time window: (Area chart)

5. Top Offenser stats:

Major stats about Top offenser in Realtime 24 hours time window mode:
  • Client IP: IP with the higher number of connections denied
  • Last Event Time: Date and hour of last connection occurence
  • Connections denied: Total number of connections denied for this host
  • Country origin: Identified country origin of this host (Unknown of unidentified)
  • Last destination IP: Last event destination IP
  • Last protocol: Last event protocol
  • Last source port: Last event source port
  • Last destination port: Last event destination port
  • Last service: Last event network service name (Unknown if non IANA reserved port)
  • Reporting server: Last event reporting server for this host

6. Last connections denied stats:

Major stats about last connection denied in Realtime 24 hours time window mode:
  • Client IP: IP of the last denied connection
  • Event Time: Date and hour of last connection denied
  • Interface: Logical interface name reported by Iptables
  • Country origin: Identified country origin of this host (Unknown of unidentified)
  • Destination IP: Destination IP of this event
  • Protocol: Protocol reported of this event
  • Source port: Source connection port
  • Destination port: Destination connection port
  • Service: Network service name (Unknown if non IANA reserved port)
  • Reporting server: Reporting server for this connection

Iptables Activity Overview Dashboard (Realtime/Timerange):

Dashboard details

1. Timerange overview:

  • Span Time value:
The span time value is dynamically defined using a Macro to get the best chart granularity, this is being used in chart command using "span=$Span$"

In Realtime mode, this is statically defined to 1 minute, in Timerange mode the range value can be automatically set from 5 minutes to several hours depending of the time range width.

  • Begin Time Analysis: Date and hour of the begining of the selected time range
  • End Time Analysis: Date and hour ot the end of the selected time range

2. Activity Summary:

This section presents various stats about more important informations of Iptables activity:

  • Number of connections denied: Total number of connections denied within the time range
  • Top offenser: Client IP with the highest number of connections denied
  • Denied for Top offenser: Total number of connections denied for the Top offenser host
  • Country origin for Top Offenser: Country origin for this host, Unknown if can't be identified
  • Top Protocol: Protocol most often attempted within the selected time range
  • Top Source port: Source port most often attempted
  • Top Destination port: Destination port most often attempted
  • Top Identified network service: Network service most often attempted
  • Top Destination IP: Destination IP most often reported
  • Top Country origin: Identified country most often reported
  • Top Reporting Host: Iptables host with the highest number of denied connections

3. Alert trend chart and peak load identification:

This sections shows:

- Alert trend by Iptables reporting host:

For Realtime, the span value (eg. span=) is statically defined in the XML hard code

For Timerange, the span value is dynamically defined by a macro (see Macro.conf) depending on the width of the time range itself, the goal here is to get the better chart granularity possible

- Peak load identification:

We identify here the peak load within the selected time range, how many connections were refused (drop and deny) and when.

Then this is being represented inside inside a gauge where the range (green, yellow, red range) will dynamically be defnied by a subsearch inside the global query.

These gauge range values will depend on the arithmetical mean result of denied connections for past 48 hours, the goal is to represent a potentil abnormal Iptables activity. (eg. being under attack)

The analysis result here should always equivalent between the chart and peak load. (both are cumulated results for all reporting hosts)

4. Last Events:

Last 100 events represented by major type of data, click on show result to export them or change the request.

4. TOP Source IP and Country Origin:

- Top 10 pie chart and Top 100 data client IP with country origin identification

- Top 10 pie chart and Top 100 country origin of denied connections

5. TOP Network Services and Destination Port:

Data is being represented by:

- Top 10 pie chart and Top 100 data Network Services attempted:

Network services are identified whenever they are destination port known as reserved (for most of theme IANA ports reserved) using a csv input lookup.

See props.conf and transform.conf, Networking services are automatically defined for any event under the field called "Service", when the destination port is not known as reserved or standard port, the service name will defined under the value "Unknown".

- Top 10 pie chart and Top 100 destination port attempted with Network Service name identification

6. TOP Reporting Servers:

Data being represented by:

- Top 10 pie chart ad top 100 data Iptables Reporting Servers

Real-Time and Time-Range Google Maps view:

Real-Time and Time-Range Google Maps Dashboard, identify the source of connexion attempts

Event Search Interfaces:

Raw-Data and Charts Dedicated Event search interfaces:

And associated saved Searches...

System Dashboard, Iptables Index Activity:

Installation and utilization


Installing and configuring Splunk is out of the scope of this post, installing Splunk is really easy and well done, in 10 minutes you'll be done ^^

As a brieve description, here is how Splunk for Iptables works:

- Configure Iptables to log dropped or rejected packets using Syslog
- Splunk collects our data and produces the IT intelligence


Please note that this application intends to analyse denied or dropped connections, any event containing following pattern will not be analysed by Splunk:

- "ACCEPT" OR "Accept" OR "ALLOW" OR "Allow"

Even if indexed by Splunk, if an event contains one of these patterns, it will be expected to be tagged as an accepted connection. If you need to adapt this general configuration to your own situation, please create a local Macro.conf containing the macro customized to your needs:

If you need custom settings, create your local Macro.conf:

### Iptables sourcetype
definition = sourcetype="iptables_source" NOT "ACCEPT" OR "Accept" OR "ALLOW" OR "Allow"
iseval = 0
Save your local/Macro.conf file and restart Splunk.

Installation and configuration will be done in a few steps:


Iptables / Syslog Configurations steps:

1. Set each Iptables reporting host to log events using SYSLOG

2. Configure SYSLOG to trap these events and put them in a dedicated log file of your choice

3. Test your Iptables / Syslog configuration to ensure events are being sucessfully trapped by your centralized Syslog

Splunk configuration steps:

4. Add Input source log file(s) in Splunk corresponding to the log file where your Syslog is trapping events

7. Open Splunk for Iptables and observe the magical power of Splunk ^^

Part 1 : Configuration of Iptables and Syslog

1. Set each Iptables reporting host to log dropped or rejected packets

Configuring Iptables is far away from the scope of this guide, the only thing required is to configure Iptables to log inbound dropped and rejected packets. (by default, Iptables logs its events to Syslog)

Iptables shall use a prefix pattern to log, this will be used first to manually recognize Iptables events in main syslog file, and then it shall be used to catched these events into a dedicated log file. (not obligatory but recommended)

Part 2 : Configuration of Syslog

In 2 steps:

- if you want to manage different Iptables reporting hosts servers from Splunk, then read the Multiple Iptables client configuration note
- If you just have one host to manage (Iptables and Splunk are installed in the same host), then just follow the common configuration section

MULTIPLE IPTABLES CLIENT CONFIGURATION NOTE: Remote and centralized Syslog configuration:

Configuring Syslog to send events from a Syslog host to a a remote Syslog server is out of the scope of this guide.
Therefore, if you want to send Iptables events of different hosts, you can choose between different solutions, as:

- Sending events using Syslog to a remote centralized Syslog
- Sending events from local log file using Splunk forwarder module
- Others (homemade scripts...)

I would recommend using "Rsyslog" (Enhanced Syslog version that comes with many modern Linux OS) to achieve this, which is indeed easy enough.

Here is in 2 steps a quick syslog centralized configuration: (remember to restart rsyslog after each modification)

1. In client rsyslog host, modify "/etc/rsyslog.conf" and add a section to send any events to your Syslog server: (adapt the example IP) 

*.* @ 

2. In syslog server configuration, create a configuration file that will catch any remote client Syslog events and put them into a dedicated per host log file:
Ensure your configuration name will be read after the iptables syslog config file. (see above, use numbered prefix)

Create "/etc/rsyslog.d/10-remotehosts.conf" with the following content: (Note: The iptables config we will create after will be called 08 to be read before this and intercept messages 

$template PerHostLog,"/var/log/%HOSTNAME%.log"
$template RemoteHostFileFormat,"%TIMESTAMP% %HOSTNAME% %syslogfacility-text% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::space-cc,drop-last-lf%\n" 
:inputname, isequal, "imudp" ?PerHostLog;RemoteHostFileFormat
& ~

Finally, achieve the rest to the configuration above to be able to intercept remote Syslog client events containing the iptables event tag and put them in a dedicated log file for all hosts.

COMMON CONFIGURATION for Single and Multiple Iptables installations: 

1. Set Syslog to trap iptables events to a dedicated logfile

This configuration part will depend on your system and needs, i recommend the use of "rsyslog"

The goal is to configure syslog to trap any event containing a key word set as the iptables prefix into a dedicated log file

For example, with UFW you will have "[UFW BLOCK]" as a prefix.

If you set manually configure Iptables, just choose and report your log prefix. (eg. example "DROP(wan)"

In Debian/Ubuntu systems for example, create an rsyslog configuration file, example:

Create "/etc/rsyslog.d/08-iptables.conf" with the following content: (adapt with your log prefix) 

:msg, contains, "DROP(wan)" /var/log/iptables.log
& ~

Restart rsyslog to take effect.

Part 3 : Configuration of Splunk (the easy part!)

Configure input file using Splunk Manager interface:

Go to "manager", "Data Input", and configure MANUALLY a new input file pointing to your iptables log file.

With settings by part configuration:


You can let the default settings, it does not mind as we don't use it to recognize the iptables reporting server.

Source type:

- Set the source Type: Manual
- Source type: iptables_source


- Set the destination Index: iptables_index

Configure input manually:

You can also add your input file manually, create a new file in "${APP_HOME}/local/inputs.conf" with the following content: (adapt to your case)

disabled = 0
followTail = 0
index = iptables_index
sourcetype = iptables_source

disabled = 0
followTail = 0
index = iptables_index
sourcetype = iptables_source

And restart Splunk.

Good news, you're done!!!
Just wait a few minutes to let Splunk get the content of your iptables log file, then go to the splunk application

Saturday, January 26, 2013

Howto Raspberry Pi - Use your Pi as a secure Reverse Proxy gateway to your Web internal Sites and Services

Last update 02/01/2013

The Goal: 

You have a Raspberry Pi and want to use it as your secure Web reverse proxy gateway to access to your various Internal services through your main fully qualified domain name or IP.

Let's say:
  • You have a main router or ISP Box
  • Your Rpi will be in front of the Internet by redirecting http/https por
  • For this configuration to work from both inside and outside your home network, your domain name (here "") must be associated with your public IP
  • ts from your router to your Rpi
  • You have or not internal servers providing Web sites or services your want to access from your public IP / domain name
We will use:
  • nginx as the great secure reverse proxy instance
  • SSL with auto signed or officially signed certificate to secure our web traffic
  • htpasswd to password protect your shellinbox from being visible and accessible whitout credentials
  • shellinabox to host a nice Web SSH frontend

Summary of steps: 

Step 1: OPTIONAL - Get a fully Qualified Domain Name (FQDN)
Step 2: Manage your SSL certificate
Step 3: Put a Shellinabox in your Pi ^^
Step 4: Install and configure Nginx

Step 1: OPTIONAL - Get a Fully Qualified Domain Name  

This is absolutely optional, but you could think about getting a qualified domain name to access to your home network. (a domain costs very few per year, and your can dynamically associate it with your public IP)

In many cases, when you connect from secure places (such as your company site), trying to access to a web site using its public IP will be prohibited by internals web proxies and firewalls.
By using a fqdn to associate your public IP to a real Internal domain name, your site is as official as any Internet company web site :-)

As an alternative to buy your own domain name, you can also use dynamic free domain name services such as, but most of company proxy will also block them.

And finally, this is just clean and beautiful ^^

In this post, i will assume for the example purpose that your domaine name is "". (still the fqdn is optional)
Step 2: Manage your SSL certificate

Off course, we will want to secure our Web traffic using an SSL certificate, there is 2 ways to achieve this:

1. Generating an "auto-signed" SSL certificate

You can very easily generate an auto-signed SSL certificate, you will have exactly the same security and encrypting level than any official certificate but this certificate won't be officially recognized over the Internet.

That means that when connecting to your site, your Web browser will warn you about the impossibility to guaranty your security connecting to this site, and you have to accept this.

I personally prefer having an official SSL certificate :-)

2. Buy and generate an Officially signed SSL certificate

You can also buy an official SSL certificate for very few, in this case your browser will automatically recognize your certificate as valid and you won't get any warn.

There is some places where you can get a free official SSL certificate for personal use. (look for "startssl")

In both cases, Google is your friend ^^

How to generate an auto signed certificate:

Install OpenSSL:
$ sudo apt-get install openssl

Generate your self signed certificate:
sudo mkdir -p /etc/ssl/localcerts
openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/localcerts/autosigned.crt -keyout /etc/ssl/localcerts/autosigned.key
chmod 600 /etc/ssl/localcerts/*

Note: Respond to OpenSSL questions as you wish, it does not really mind as your certificate is a self-signed anyway

Step 3: Put a shellinabox in your Pi ^^

As explained before, shellinabox is a wonderfull web frontend to SSH, this way you will access to your SSH server without having to deal with an SSH client.

By the past, i wrote an article about an other SSH web frontend "ajaxterm" which is nice too, but in my opinion much more limited and low.
So i recommend to use shellinabox instead.

You will be able to access to your SSH server using standard Web ports even when connecting from places where external SSH traffic is prohibited :-) 

To install:
# sudo apt-get install shellinabox

By default, shellinabox uses the port "4200" to listen to, you can let that as it is as your nginx reverse proxy take care about redirecting our request to this internal service. 

If you want to manage your shellinabox configuration, take a look at main config files:
  • /etc/default/shellinabox
  • /etc/shellinabox/*
Default configuration is ok for us, test your shellinabox by connecting from a browser inside your network: http://<mypiserver>:4200

Note that even if we won't use it, shellinabox comes with embeded SSL auto-signed certificate configuration to redirect http to https and secure your web traffic.

Step 4: Install and configure Nginx

Ok, serious things now, let's install and configure nginx.

Nginx is an extremely powerful Opensource Web server, light secure and fast, that can be used as reverse proxy instance gateway to your internal Web services.

It is more and more used by many companies web site with high load Web Sites, do not hesitate to take a look at official sites:
I used by the past Apache running as a reverse proxy to do this job, but nginx assumes this job with great success, it's very modular and easy to maintain, this is why i recommend your Nginx.

To install:
# sudo apt-get install nginx-full

Now let's configure the beast:

First, some configuration in main config file "/etc/nginx/nginx.conf", here is a sample config file:
# /etc/nginx/nginx.conf

user www-data;
worker_processes 4;
pid /var/run/;

events {
 worker_connections 768;

http {

 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
 keepalive_timeout 65;
 types_hash_max_size 2048;

 include /etc/nginx/mime.types;
 default_type application/octet-stream;

 access_log /var/log/nginx/access.log;
 error_log /var/log/nginx/error.log;

 gzip on;
 gzip_disable "msie6";

 include /etc/nginx/conf.d/*.conf;
 include /etc/nginx/sites-enabled/*;

Please note that as Apache configuration style under Debian/Ubuntu, any configuration file (for site or module) included in conf.d or sites-enabled will be loaded at Nginx start

A good practice is to create a symbolic link from "sites-available" to "sites-enabled".

Let's deactivate the default web site we won't use by removing its symbolic link:
$ sudo rm /etc/nginx/sites-enable/default 

Create an htpasswd file that will contain your credentials (adapt <username>)
$ sudo htpasswd -c /etc/nginx/.htpasswd <username>

Now create your main web site configuration file, example:
  • /etc/nginx/sites-available/main
Here is a sample secured configuration:
access_log off;
add_header Cache-Control public;
server_tokens off;

# HTTP 80
server {
 listen         80;
 server_name _;
 rewrite ^$request_uri? permanent;

# HTTPS 443
server  {

 include    /etc/nginx/proxy.conf;

 listen 443 ssl;
 keepalive_timeout 70;


 # SSL config
 ssl on;
 ssl_certificate /etc/ssl/localcerts/autosigned.crt;
 ssl_certificate_key /etc/ssl/localcerts/autosigned.key;

 ssl_session_timeout 5m;
 ssl_protocols SSLv3 TLSv1.2;
 ssl_ciphers RC4:HIGH:!aNULL:!MD5;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;

 add_header X-Frame-Options DENY;

 # DDOS protection - Tune Values or deactivate in case of issue
 # limit_conn conn_limit_per_ip 20;
 # limit_req zone=req_limit_per_ip burst=20 nodelay;

 # status for ngxin auditing
 location /nginx-status {
      stub_status on;
      access_log off;
      deny all;

 location / {
  rewrite ^ permanent;

 location /shellinabox/ {
  proxy_pass http://localhost:4200;
                auth_basic            "Access Restricted";
                auth_basic_user_file  "/etc/nginx/.htpasswd";
                access_log /var/log/nginx/shellinabox.access.log;
                error_log /var/log/nginx/shellinabox.error.log;

Create the file "/etc/nginx/proxy.conf" with following content:
proxy_redirect          off;
proxy_set_header        Host            $host;
proxy_set_header        X-Real-IP       $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size    10m;
client_body_buffer_size 128k;
proxy_connect_timeout   90;
proxy_send_timeout      90;
proxy_read_timeout      90;
proxy_buffers           32 4k;

Activate your nginx web site and restart:
sudo ln -s /etc/nginx/sites-enables/main /etc/nginx/sites-available/main
sudo service nginx restart


For this configuration to work from both inside and outside your home network, your domain name (here "") must be associated with your public IP

Now test accessing to your Web site from both internal and external access :-)

As you understood, you can manage as many internal Web sites as you need through a unique Web instance and virtual hosts. (called location in Nginx)

In the sample config, shellinabox is the default site accessible with your domain name, but you change it and/or add any other internal web sites very easily.

Just add a new location related to your internal Web site you want to be able to access and you're done :-)

Friday, January 18, 2013

Howto Raspberry Pi: Monitor your Raspberry Pi with Observium!

The Goal: 

With Observium associated with Unix agent check_mk the goal will be to monitor any available indicator (CPU, Mem, Traffic interface...) and most of all, specific Raspberry Pi main indicators dynamically allocated when running Overclocked with Turbo mode:
  • CPU Frequency
  • CORE Frequency
  • CORE Voltage
  • BCM2835 Soc Temperature

Corresponding "vgencmd" commands:
# CPU Frequency
vcgencmd measure_clock arm

# CORE Frequency
vcgencmd measure_clock core

# CORE Voltage
vcgencmd measure_volts core

# SoC Temp
vcgencmd measure_temp

There are also other indicators you may want to monitor, even i don't feed it myself useful.
The present article will take care of these 4 indicators.

Take a look here:

Global list of indicators available through "vgencmd":
vcgencmd measure_clock arm
vcgencmd measure_clock core
vcgencmd measure_clock h264
vcgencmd measure_clock isp
vcgencmd measure_clock v3d
vcgencmd measure_clock uart
vcgencmd measure_clock pwm
vcgencmd measure_clock emmc
vcgencmd measure_clock pixel
vcgencmd measure_clock vec
vcgencmd measure_clock hdmi
vcgencmd measure_clock dpi
vcgencmd measure_volts core
vcgencmd measure_volts sdram_c
vcgencmd measure_volts sdram_i
vcgencmd measure_volts sdram_p

Installing Observium is out of the scope of this article, Observium installations documentations and well known and easy to read, see above.

Main sources:

I recommend to install Observium and Mysql into a central server which will request our Rpi to generate graphs and so on.

We will use an additional agent called "check_mk" to request the Rpi, system load generated by snmp and Unix agent are very limited which is very great, the Rpi is a small power device and you don't want monitoring to generate high system load!

One time you have Observium up and running, follow this guide to integrate any Raspberry Pi you want to monitor :-)

Summary of steps: 

Step 1: Install and configure snmpd
Step 2: Install check_mk agent (Unix Agent)
Step 3: Add the custom Raspberry agent script
Step 4: Observium custom application configuration
Step 5: Configure your Rpi in Observium, the easy part!


Step 1: Install and configure snmpd

First thing, we will begin by installing the snmpd daemon, to do so:
$ sudo apt-get install snmpd snmp-mibs-downloader
Let's configure some little things:

Edit "/etc/default/snmpd" and:
  • set: export MIBS=UCD-SNMP-MIB
  • Replace the line "SNMPDOPTS=" with the following values to prevent snmpd to log each connection (default behavior):
SNMPDOPTS='-LS 0-4 d -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/'

Edit "/etc/snmp/snmpd.conf" and:
  • Comment with "#" the default line "agentaddress udp:" which only allows connections from the localhost itself
  • Comment out the line "agentaddress udp:161,udp6:[::1]:161" to allow remote connections
  • Comment out the line "rocommunity secret <LANSUBNET>" (adapt <LANSUBNET> to the CIDR value of your LAN subnet, example: 192.168.0/24" 

Note: "secret" will the name of the snmp community, only accessible through your local network) 

  • Configure "sysLocation" and "sysContact"
  • Look for the section "EXTENDING THE AGENT" and add the following line:
extend . distro /usr/bin/distro
  • Install the "distro" script coming from observium (to recognize the remote OS)
$ sudo wget -O /usr/bin/distro
$ sudo chmod 755 /usr/bin/distro

Finally restart snmpd daemon:
$ sudo service snmpd restart

Step 2: Install check_mk agent (Unix agent)

We will used the great Unix agent "check_mk" called Unix agent by Observium.

If you want more information about this very cool tool, check its main Web site:

Install Xinetd requirement:
$ sudo apt-get install xinetd

Download and install check_mk:
$ wget
$ sudo dpkg -i check-mk-agent_1.2.0p3-2_all.deb

Verify that the package installation generated the xinetd configuration file called "

If not (it seems this part fails under Rpi), create the file with the following content:
# +------------------------------------------------------------------+
# |             ____ _               _        __  __ _  __           |
# |            / ___| |__   ___  ___| | __   |  \/  | |/ /           |
# |           | |   | '_ \ / _ \/ __| |/ /   | |\/| | ' /            |
# |           | |___| | | |  __/ (__|   <    | |  | | . \            |
# |            \____|_| |_|\___|\___|_|\_\___|_|  |_|_|\_\           |
# |                                                                  |
# | Copyright Mathias Kettner 2012    |
# +------------------------------------------------------------------+
# This file is part of Check_MK.
# The official homepage is at
# check_mk is free software;  you can redistribute it and/or modify it
# under the  terms of the  GNU General Public License  as published by
# the Free Software Foundation in version 2.  check_mk is  distributed
# in the hope that it will be useful, but WITHOUT ANY WARRANTY;  with-
# out even the implied warranty of  MERCHANTABILITY  or  FITNESS FOR A
# PARTICULAR PURPOSE. See the  GNU General Public License for more de-
# ails.  You should have  received  a copy of the  GNU  General Public
# License along with GNU Make; see the file  COPYING.  If  not,  write
# to the Free Software Foundation, Inc., 51 Franklin St,  Fifth Floor,
# Boston, MA 02110-1301 USA.

service check_mk
 type           = UNLISTED
 port           = 6556
 socket_type    = stream
 protocol       = tcp
 wait           = no
 user           = root
 server         = /usr/bin/check_mk_agent

 # If you use fully redundant monitoring and poll the client
 # from more then one monitoring servers in parallel you might
 # want to use the agent cache wrapper:
 #server         = /usr/bin/check_mk_caching_agent

 # configure the IP address(es) of your Nagios server here:
 #only_from      =

 # Don't be too verbose. Don't log every check. This might be
 # commented out for debugging. If this option is commented out
 # the default options will be used for this service.
 log_on_success =

 disable        = no

Restart xinetd:

$ sudo service xinetd restart

Finally, ensure your Observium machine willbe authorized to access to the Rpi check_mk service running on port TCP/6556.

Step 3: Add the custom Raspberry agent script

Create a new file "/usr/lib/check_mk_agent/local/raspberry":
#set -x
echo "<<<app-raspberry>>>"
# CPU Frequency
expr `vcgencmd measure_clock arm|cut -f 2 -d "="` / 1000000
# CORE Frequency
expr `vcgencmd measure_clock core|cut -f 2 -d "="` / 1000000
# CORE Voltage
vcgencmd measure_volts core|cut -f 2 -d "="|cut -f 1 -d "V"
# SoC Temp
vcgencmd measure_temp|cut -f 2 -d "="| cut -f 1 -d "'"

Add execution right:
$ sudo chmod a+rx /usr/lib/check_mk_agent/local/raspberry

This script will be called by Observium at each poller time.

Step 4: Observium custom application configuration

Ok now a bigger part, we need to configure Observium to add our custom application has any other.
By this way, we could run this with as many Rpi as you want ;-)

To do so, we need to create and/or modify different configuration files.

Go into your Observium root directory, usually "/opt/observium"

1. "./includes/polling/" (modify)

Look for the section containing:
      if ($section == "apache") { $sa = "app"; $sb = "apache"; }

And add new one just under :
      if ($section == "raspberry") { $sa = "app"; $sb = "raspberry"; }

2. "./includes/polling/applications/" (create)

Create with following content:

if (!empty($agent_data['app']['raspberry']))
  $raspberry = $agent_data['app']['raspberry'];

$raspberry_rrd  = $config['rrd_dir'] . "/" . $device['hostname'] . "/app-raspberry-".$app['app_id'].".rrd";

echo(" raspberry statistics\n");

list($cpufreq, $corefreq, $corevoltage, $soctemp) = explode("\n", $raspberry);
if (!is_file($raspberry_rrd))
  rrdtool_create ($raspberry_rrd, "--step 300 \
        DS:cpufreq:GAUGE:600:0:125000000000 \
        DS:corefreq:GAUGE:600:0:125000000000 \
        DS:corevoltage:GAUGE:600:0:125000000000 \
        DS:soctemp:GAUGE:600:0:125000000000 ".$config['rrd_rra']);

print "cpufreq: $cpufreq corefreq: $corefreq corevoltage: $corevoltage soctemp: $soctemp";
rrdtool_update($raspberry_rrd, "N:$cpufreq:$corefreq:$corevoltage:$soctemp");

// Unset the variables we set here



3. "./html/includes/graphs/application/" (create)

Create with following content:

$scale_min = 0;


$raspberry_rrd   = $config['rrd_dir'] . "/" . $device['hostname'] . "/app-raspberry-".$app['app_id'].".rrd";

if (is_file($raspberry_rrd))
  $rrd_filename = $raspberry_rrd;

$ds = "soctemp";

$colour_area = "F0E68C";
$colour_line = "FF4500";

$colour_area_max = "FFEE99";

$graph_max = 1;

$unit_text = "°C";



4. "./html/includes/graphs/application/" (create)

Create with following content:

$scale_min = 0;


$raspberry_rrd   = $config['rrd_dir'] . "/" . $device['hostname'] . "/app-raspberry-".$app['app_id'].".rrd";

if (is_file($raspberry_rrd))
  $rrd_filename = $raspberry_rrd;

$ds = "corevoltage";

$colour_area = "CDEB8B";
$colour_line = "006600";

$colour_area_max = "FFEE99";

$graph_max = 1;

$unit_text = "Volts";



5. "./html/includes/graphs/application/" (create)

Create with following content:

$scale_min = 0;


$raspberry_rrd   = $config['rrd_dir'] . "/" . $device['hostname'] . "/app-raspberry-".$app['app_id'].".rrd";

if (is_file($raspberry_rrd))
  $rrd_filename = $raspberry_rrd;

$ds = "corefreq";

$colour_area = "B0C4DE";
$colour_line = "191970";

$colour_area_max = "FFEE99";

$graph_max = 1;

$unit_text = "Mhz";



6. "./html/includes/graphs/application/" (create)

Create with following content:

$scale_min = 0;


$raspberry_rrd   = $config['rrd_dir'] . "/" . $device['hostname'] . "/app-raspberry-".$app['app_id'].".rrd";

if (is_file($raspberry_rrd))
  $rrd_filename = $raspberry_rrd;

$ds = "cpufreq";

$colour_area = "B0C4DE";
$colour_line = "191970";

$colour_area_max = "FFEE99";

$graph_max = 1;

$unit_text = "Mhz";



7. "./html/pages/device/apps/" (create)

Create with following content:

global $config;

$graphs = array('raspberry_cpufreq' => 'CPU Frequency',
                'raspberry_corefreq' => 'CORE Frequency',
                'raspberry_corevoltage' => 'CORE Voltage',
                'raspberry_soctemp' => 'BCM2835 SoC Temperature',


foreach ($graphs as $key => $text)

  $graph_array['to']     = $config['time']['now'];
  $graph_array['id']     = $app['app_id'];
  $graph_array['type']   = "application_".$key;


  echo("<tr bgcolor='$row_colour'><td colspan=5>");




8. "./html/pages/" (modify)

Look for the section containing:
$graphs['apache']     = array('bits', 'hits', 'scoreboard', 'cpu');

And add new one just under :
$graphs['raspberry']  = array('cpufreq', 'corefreq', 'corevoltage', 'soctemp');

Ok, we're done!

Step 5: Configure your Rpi in Observium, the easy part!

Now the easiest, add your Rpi into Observium, go to the menu <Devices>, <Add device>.

In our case:
  • Hostname: Enter the hostname or IP of your Rpi
  • snmp Community: secret

Let all the rest by default.

The Rpi shall be detected with sucess, and the Debian logo appears:

Now enter the device and go to device settings:

Go to "Applications" and activate the box corresponding to our Raspberry application:

Then, Go to "Modules" and Activate the Unix agent (disabled by default):

Great, you're done will all configuration parts, wait for a view poller execution (by default Observium proposes a cron task every 5 minutes)

You can run manually the poller under the host running Observium:
$ sudo /opt/observium/poller.php -h all

And if you want to run it into debug mode to get more details:
$ sudo /opt/observium/poller.php -h all -d

In my experience, you have to wait for 10-15 minutes before getting data being graphed.

Some screenshots with application data:

CPU Frequency:

CORE Frequency:

CORE Voltage:

BCM2835 Soc Temperature:

Great :-)