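I have recently been managing quite a few hosts at work, so I started looking into monitoring software such as Nagios and Zabbix. The one that interests me most right now is LibreNMS, which has many features and can manage many different kinds of machines, even Cisco network equipment.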
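Introduction to LibreNMS
Often we need monitoring software to help us understand the state of our machines, and even to deliver alerts in time so that engineers can deal with a machine's condition immediately and use the various messages to resolve the problem.
LibreNMS collects data mainly with PHP, MariaDB and SNMP, and provides a web interface, multiple alert delivery mechanisms, service checks, network device connectivity status and more, so you can configure it for whatever you need to monitor.
Installing LibreNMS
The official LibreNMS site has clear installation documentation. The system we install on today is CentOS 7, with Apache as the web server.
Install the commonly used packages and features. As a reminder, MariaDB must be version 10.5 or later.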
yum install epel-release
yum install git cronie fping jwhois ImageMagick mtr MySQL-python net-snmp net-snmp-utils nmap python-memcached rrdtool policycoreutils-python httpd mariadb mariadb-server unzip python3 python3-pip
Install PHP. PHP must be version 7.3 or later.
yum localinstall http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install yum-utils
yum-config-manager --enable remi-php73
yum install mod_php php-cli php-common php-curl php-gd php-mbstring php-process php-snmp php-xml php-zip php-memcached php-mysqlnd
Add the librenms user on the system
useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms apache
Download LibreNMS
cd /opt
git clone https://github.com/librenms/librenms.git
Set permissions
chown -R librenms:librenms /opt/librenms
chmod 770 /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/ /opt/librenms/cache
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/ /opt/librenms/cache
Install the PHP dependencies
su - librenms
./scripts/composer_wrapper.php install --no-dev
exit
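Configure MySQL (replace the placeholder password in the CREATE USER statement with a strong one of your own)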
systemctl enable --now mariadb
mysql -u root
CREATE DATABASE librenms CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
exit
vi /etc/my.cnf.d/server.cnf
#server.cnf
[mysqld]
innodb_file_per_table=1
lower_case_table_names=0
Set the PHP time zone
vi /etc/php.ini
#php.ini
date.timezone = "Asia/Taipei"
Configure Apache: add the vhost configuration file librenms.conf
vi /etc/httpd/conf.d/librenms.conf
<VirtualHost *:80>
DocumentRoot /opt/librenms/html/
ServerName librenms.example.com
AllowEncodedSlashes NoDecode
<Directory "/opt/librenms/html/">
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
</Directory>
</VirtualHost>
systemctl enable --now httpd
SELinux
yum install policycoreutils-python
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
restorecon -RFvv /opt/librenms/logs/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -RFvv /opt/librenms/rrd/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/storage(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/storage(/.*)?'
restorecon -RFvv /opt/librenms/storage/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/bootstrap/cache(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/bootstrap/cache(/.*)?'
restorecon -RFvv /opt/librenms/bootstrap/cache/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/cache(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/cache(/.*)?'
restorecon -RFvv /opt/librenms/cache/
setsebool -P httpd_can_sendmail=1
audit2why < /var/log/audit/audit.log
Allow fping: create http_fping.tt (it can go anywhere and can be removed once the commands have run)
touch http_fping.tt
module http_fping 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
checkmodule -M -m -o http_fping.mod http_fping.tt
semodule_package -o http_fping.pp -m http_fping.mod
semodule -i http_fping.pp
Firewall settings
firewall-cmd --zone public --add-service http
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --zone public --add-service https
firewall-cmd --permanent --zone public --add-service https
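Configure SNMP: change the string RANDOMSTRINGGOESHERE to a community string of your own. The community string acts as the password for SNMP queries, so choose a value that is hard to guess.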
cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf
vi /etc/snmp/snmpd.conf
#RANDOMSTRINGGOESHERE > public
curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
chmod +x /usr/bin/distro
systemctl enable snmpd
systemctl restart snmpd
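The check below is an added example, not part of the original post or of LibreNMS: it reads an snmpd.conf and flags community strings that are still the RANDOMSTRINGGOESHERE placeholder or a well-known default. The function names, the list of weak values and the 12-character minimum are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag placeholder or well-known SNMP community strings.
# com2sec / rocommunity / rwcommunity are standard net-snmp directives; the
# weak-value list and the 12-character minimum are assumptions of this example.

# Print every community string defined in the given snmpd.conf, one per line.
snmp_communities() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        $1 == "com2sec" {                    # com2sec [-Cn CTX] NAME SOURCE COMMUNITY
            i = 2
            if ($i == "-Cn") i += 2
            if (NF >= i + 2) print $(i + 2)
            next
        }
        $1 ~ /^r[ow]community6?$/ && NF >= 2 { print $2 }
    ' "$1"
}

# Exit status: 0 = all strings look deliberate, 1 = weak string found,
# 2 = no v1/v2c community defined at all.
audit_snmp_conf() {
    conf=$1; rc=0; found=0
    for c in $(snmp_communities "$conf"); do
        found=1
        case $c in
            RANDOMSTRINGGOESHERE|public|private)
                echo "WEAK: placeholder or well-known community: $c"; rc=1 ;;
            *)
                if [ "${#c}" -lt 12 ]; then
                    echo "WEAK: community shorter than 12 characters"; rc=1
                fi ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "NOTE: no community string defined"; return 2; }
    return "$rc"
}

# Constructed sample input (not a real configuration).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'com2sec readonly  default  public' \
    'group MyROGroup v2c readonly' > "$sample"
audit_snmp_conf "$sample" || echo "exit status: $?"
rm -f "$sample"
```

On the host from this guide, call `audit_snmp_conf /etc/snmp/snmpd.conf` after editing the file and before restarting snmpd.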
Set up the cron job
cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms
Logrotate
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms
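Next you can open the web page and complete the installation step by step!
Problems encountered during installation
After the web install finishes there are a few small problems to solve. I ran into a Python 3 problem (shown in the figure below); the fix is as follows.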
yum install gcc python3-devel
pip3 install -r /opt/librenms/requirements.txt
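Conclusion
The installation process is very tedious and you will run into a few small problems, such as the MariaDB and PHP versions, but once it is installed you can start adding machines and checking their status. LibreNMS draws many graphs, and you can pick a time range to view, so many anomalies can be spotted at a glance. It is really convenient! I hope to make good use of it in the future and turn it into a supporting tool for information security!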