Monitoring pfSense with Nagios XI Using SSH – part 3

Monitoring pfSense with Nagios XI Using SSH – part 3

Configuring the checks on Nagios XI

This is the third and final part to monitoring pfSense with Nagios XI using SSH. If you missed either of the previous parts, I’ve included them below.

Part 1: Setting up password-less SSH

Part 2: Downloading and testing the checks

Finally, let’s configure the checks on Nagios XI! Go to the SSH Proxy wizard. I like to change the OS to FreeBSD, but all that really does is change the icon in the web interface.

Nagios pfSense SSH Proxy

Change the host name to whatever you’d like. In my example, I chose pfSense-home. At this time, take the checkboxes out of the 2 other remote commands and leave it for the check_disk remote command only. Also, change the remote command to the text below. Make sure you pay attention to the path because the default Nagios entry flip flops libexec and nagios! I recommend changing the display name to “Disk – Root” so when you monitor other partitions, they are all in order in the web GUI.

/usr/local/libexec/nagios/check_disk / -w 20% -c 5%


Nagios pfSense SSH Proxy Step 2

Answer the remaining questions/screens as you see fit. Once the configuration changes are made and the service checks run, you should see something in your Nagios service details.

Nagios pfSense initial service detail

Great start! But where are the rest of the checks from part 2? In Nagios XI, to add more you can do one of two things. Either a) go to the Core Config Manager and copy configs or b) go *back* through the wizard and copy/paste each of the lines below. I prefer the 2nd method because it is far less mouse clicking.

Obviously, you will need to omit or change lines to meet the needs of your firewall/environment. For instance, if you use a VPN, you will need to change the IP address and name. You will also need to change the interface names if you want to monitor those. If you use a Windows server for DHCP or DNS, don’t add the service monitors for dhcpd or unbound (DNS).

Also note the two entries that have ‘sudo’ before them. If you receive any errors stating there is a problem with “remote command execution failed” or permissions, that is likely the issue. If you need help on configuring sudo on pfSense, refer to part 1 of this series. If you would like a little more details on the individual checks, refer to part 2 of this series.

/usr/local/libexec/nagios/check_disk /var/run -w 20% -c 5% Disk – VarRun
/usr/local/libexec/nagios/check_ping -H -w 80,10% -c 150,40% Ping to OpenDNS
/usr/local/libexec/nagios/check_ntp_time -H NTP Variation
/usr/local/libexec/nagios/check_load -w 3,2.8,2.6 -c 10,7,5 -r Load
/usr/local/libexec/nagios/check_procs -w 200 -c 400 Total Processes
/usr/local/libexec/nagios/check_swap -w 90% -c 40% Swap Usage
/usr/local/libexec/nagios/check_pf_cpu -w 85 -c 95 CPU Usage
/usr/local/libexec/nagios/check_pf_mem -w 90 -c 95 Memory Usage
/usr/local/libexec/nagios/check_pf_interface -i em1_vlan5 -name DEVICES Interface DEVICES
sudo /usr/local/libexec/nagios/check_pf_ipsec_tunnel -e <IP address> -name DallasTX VPN to DallasTX
sudo /usr/local/libexec/nagios/check_pf_state_table -w 60 -c 90 State Table
/usr/local/libexec/nagios/check_pf_services -name snort Service: snort
/usr/local/libexec/nagios/check_pf_services -name pinger Service: pinger
/usr/local/libexec/nagios/check_pf_services -name dhcpd Service: dhcpd
/usr/local/libexec/nagios/check_pf_services -name unbound Service: unbound-DNS
/usr/local/libexec/nagios/check_pf_version Version


So what does the final result look like (see below)? Beautiful! Now that is how you monitor a firewall! I’m going to add more services to monitor at some point soon. If there are some particular checks you would like to see added, let me know and I’ll add it in. Better yet, write them up and/or add them to the GitHub repo and I’ll give you credit! I’ve also included the services config file below so Nagios Core users would have a better idea of how to configure it.

Nagios pfSense services detail

Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.

Leave a Reply

Your email address will not be published.