Icinga check command for OPNsense firewall monitoring
This check command depends on the following python modules:
- enum
- requests
- argparse
Installation on Debian / Ubuntu
apt install python3 python3-requests Installation on Rocky / Alma Linux 9
yum install python3 python3-requests Installation on FreeBSD
pkg install python3 py39-requests The icinga2 folder contains the command defintion and service examples for use with Icinga2.
usage: check_opnsense.py [-h] -H HOSTNAME [-p PORT] --api-key API_KEY --api-secret API_SECRET [-k] -m {updates,ipsec,hastatus,interfaces,services,wireguard} [-w TRESHOLD_WARNING] [-c TRESHOLD_CRITICAL] Check command OPNsense firewall monitoring options: -h, --help show this help message and exit API Options: -H HOSTNAME, --hostname HOSTNAME OPNsense hostname or ip address -p PORT, --port PORT OPNsense https-api port --api-key API_KEY API key (See OPNsense user manager) --api-secret API_SECRET API key (See OPNsense user manager) -k, --insecure Don't verify HTTPS certificate -v, --verbose Print verbose output (helpful at filtering) -f, --filter String Option to filter some objects (Example --filter 'wg0,wg1') Check Options: -m {updates,ipsec,hastatus,interfaces,services,wireguard}, --mode {updates,ipsec,hastatus,interfaces,services,wireguard} Mode to use. -w TRESHOLD_WARNING, --warning TRESHOLD_WARNING Warning treshold for check value -c TRESHOLD_CRITICAL, --critical TRESHOLD_CRITICAL Critical treshold for check value Go to the user manager and select the user you want to use for API access. Click the + icon in the API keys section to add a new API key, which triggers a download of a tex file containing the key and secret.
This file should look similar to this one:
key=w86XNZob/8Oq8aC5r0kbNarNtdpoQU781fyoeaOBQsBwkXUt secret=XeD26XVrJ5ilAc/EmglCRC+0j2e57tRsjHwFepOseySWLM53pJASeTA3 For further information have a look at the opnsense documentation.
Check for updates
./check_opnsense.py -H <OPNSENSE_HOSTNAME> --api-key <API_KEY> --api-secret <API_SECRET> -m updates [CRITICAL] There are 43 updates available, total download size is 199.1MiB. This update requires a reboot.|upgrade_packages=42 reinstall_packages=1 remove_packages=0 available_updates=43 ./check_opnsense.py -H <OPNSENSE_HOSTNAME> --api-key <API_KEY> --api-secret <API_SECRET> -m updates [WARNING] There are 14 updates available, total download size is 64.8MiB.|upgrade_packages=14 reinstall_packages=0 remove_packages=0 available_updates=14 ./check_opnsense.py -H <OPNSENSE_HOSTNAME> --api-key <API_KEY> --api-secret <API_SECRET> -m updates [OK] - System up to date|upgrade_packages=0 reinstall_packages=0 remove_packages=0 available_updates=0Check ipsec tunnel status
./check_opnsense.py -H <OPNSENSE_HOSTNAME> --api-key <API_KEY> --api-secret <API_SECRET> -m updates [WARNING] IPsec tunnels not connected: headquarter ./check_opnsense.py -H <OPNSENSE_HOSTNAME> --api-key <API_KEY> --api-secret <API_SECRET> -m updates [OK] IPsec tunnels connected: remote-office, headquarterCheck wireguard tunnel status
./check_opnsense.py -H <OPNSENSE_HOSTNAME> --api-key <API_KEY> --api-secret <API_SECRET> -m wireguard [OK] 2/2 Wireguard peers are online [OK] Peer host1 is online (8.8.8.4:35376) [OK] Peer host2 is online (8.8.8.5:34376)