[Tip] Monitor OpenWRT behind NAT

Hi,

just for your information:

I’m monitoring an old OpenWRT Router behind NAT by just regularly calling the agent locally and pushing the output to the check-mk-server:

a) copy the agent to the OpenWRT device

In my case the agent is being copied to /root/bin/check_mk_agent.openwrt

b) Edit /etc/rc.local on OpenWRT

...
/root/bin/push-checkmk-agent-data

c) Add /root/bin/push-checkmk-agent-data

#!/bin/sh

SSH_USER=remote_ssh_user
SSH_PORT=12345
SSH_TARGET=my.remote.server
REMOTE_FILE=check_mk.data.thisrouter
UPDATE_INTERVAL_SECONDS=60

# It's important to first copy the output to a temporary file and
# then move it into the final location. Else check_mk may occasionally get
# only a partial output of the agent, which will result in very annoying
# false positive state changes

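# The remote command is in double quotes on purpose: ${REMOTE_FILE} has to be
# expanded here on the router, it is not set on the remote side.
# "&&" makes sure the file is only moved if cat succeeded.

while :; do
        /root/bin/check_mk_agent.openwrt \
            | ssh -l "$SSH_USER" \
                  -i /root/.ssh/openssh.key \
                  -p "$SSH_PORT" "$SSH_TARGET" \
                   "cat >${REMOTE_FILE}.tmp && mv ${REMOTE_FILE}.tmp ${REMOTE_FILE}"
        sleep "$UPDATE_INTERVAL_SECONDS"
done >/dev/null 2>&1 &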

I’m using a restricted ssh target account on the check_mk_server, just for being allowed to copy the agent data there. Make this script executable (chmod a+rx /root/bin/push-checkmk-agent-data).

d) Set up the ssh keys

Set up key-based ssh-authentication access to the monitoring server for the openwrt device. OpenWRT uses Dropbear-SSH by default, so you have to convert the keys to OpenSSH here.

Do not forget to test it manually, so the confirmation for the key is acknowledged.

e) Configure Check_MK

Now go to CheckMK and create a rule: “Other Integrations” → “Individual program call instead of agent access” and put in the command “cat /home/remote_ssh_user/check_mk.data.thisrouter”. (Of course this needs to be adapted for your specific values). Use the hostname you plan to use on your OpenWRT router as explicit host or some other means that this rule matches your device.

f) Add Host to Check-MK

Now you can add the host to Check-MK and Service Discovery should find all services reported by the agent. As Host IP-Address for the device I filled in 127.0.0.1 - so I’m ignoring the host state. You can put a rule with a custom host check command in, like this one: Check the age of the written check-mk-data file. If this is older than $UPDATE_INTERVAL_SECONDS (= 60 seconds here, add some grace seconds for the network data transfer) then the device may be considered as down.

Update:

Here’s a host command, which would report the openwrt device down if the agent-content-file is not updated within 5 minutes:

bash -c '[ $(( $(date +%s) - $(stat -c %Y /path/to/check_mk.data.thisrouter) )) -lt 300 ]'

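Step c) mentions a restricted ssh target account. One way to enforce that restriction on the monitoring server, as an added example that is not part of the original post: pin the router's key to a forced command that only accepts agent output on stdin and publishes it atomically. The script path, the `serve` argument, the 1 MiB cap and the key material are assumptions; the check relies on Checkmk agent output starting with the `<<<check_mk>>>` section header.

```shell
#!/bin/sh
# Hypothetical receiver for the monitoring server. Pin the router's key to it
# in ~remote_ssh_user/.ssh/authorized_keys (key material is a placeholder):
#   restrict,command="/home/remote_ssh_user/bin/receive-agent-data serve" ssh-rsa AAAA...placeholder router
# sshd then runs this script no matter which command the client requests, and
# "restrict" turns off pty allocation and all forwarding for that key.

MAX_BYTES=1048576   # assumed upper bound for one agent dump (1 MiB)

# receive_agent_data DEST
# Reads agent output from stdin and replaces DEST only if the input looks sane.
receive_agent_data() {
    dest=$1
    # Temp file in the same directory as DEST, so the final mv is an atomic rename.
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    # Read one byte more than the cap so oversized input can be detected.
    head -c $((MAX_BYTES + 1)) > "$tmp"
    size=$(wc -c < "$tmp")
    first=$(head -n 1 "$tmp")
    if [ "$size" -gt "$MAX_BYTES" ] || [ "$first" != '<<<check_mk>>>' ]; then
        rm -f "$tmp"    # reject: the previous DEST stays untouched
        return 1
    fi
    chmod 0644 "$tmp"   # mktemp creates 0600; the monitoring site must read it
    mv -f "$tmp" "$dest"
}

# Forced-command entry point. The client's own command line (available in
# $SSH_ORIGINAL_COMMAND) is deliberately ignored; the target path is fixed here.
if [ "${1:-}" = "serve" ]; then
    receive_agent_data "$HOME/check_mk.data.thisrouter"
fi
```

With this in place the push script from step c) keeps working unchanged, because the remote command it sends is ignored and the router key can no longer be used for a shell, file copies or port forwarding.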