Install monit and configure services for monitoring

In this tutorial we will:

  • Install monit
  • Configure Alerts
  • Enable administration via web interface
  • Configure services for monitoring

Assumptions

  • Monit is installed in the /etc/monit directory (if your installation uses a different location, the commands below may need to be modified slightly to match the correct path)
  • This installation should be OS agnostic for the most part, but be aware that the steps were performed on Ubuntu 18.04

Install Monit

Ubuntu / Debian

apt install -y monit

CentOS / RHEL / Fedora

yum install -y monit

Start monit and enable monit at boot

systemctl start monit
systemctl enable monit

Configure settings via monitrc config file

Please take note that we will use automated commands to perform these tasks. The echo commands below simply append the text in quotes to our /etc/monit/monitrc file.

Set Alerts

We are defaulting to 127.0.0.1 as our mail server, but make sure to change that if necessary. Also, change the email “youremail@domain.com” to your email address.

echo "" >> /etc/monit/monitrc
echo "" >> /etc/monit/monitrc
echo "#***********************************************************" >> /etc/monit/monitrc
echo "# # Set Email Alerts" >> /etc/monit/monitrc
echo "#***********************************************************" >> /etc/monit/monitrc
echo "set mailserver 127.0.0.1" >> /etc/monit/monitrc
echo "set alert youremail@domain.com" >> /etc/monit/monitrc
echo "" >> /etc/monit/monitrc
echo "" >> /etc/monit/monitrc

Enable Web interface

In this step, we will add the settings needed to enable the web interface. Make sure to change the username “myadmin” and password “passw0rd27” to your desired username and password.

echo "" >> /etc/monit/monitrc
echo "" >> /etc/monit/monitrc
echo "#***********************************************************" >> /etc/monit/monitrc
echo "# # Enable Web Interface" >> /etc/monit/monitrc
echo "#***********************************************************" >> /etc/monit/monitrc
echo "set httpd port 2812" >> /etc/monit/monitrc
echo "allow myadmin:passw0rd27" >> /etc/monit/monitrc
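
An added example, not part of the original tutorial: a POSIX shell check for the web-interface stanza appended above. The function name audit_monitrc and the finding labels are made up for this example; it flags a monitrc that group/other can access, an httpd stanza with no bind address, the tutorial's sample login left in place, and duplicate stanzas from re-running the echo steps.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit the web-interface settings that
# the echo steps above append to monitrc. Prints one finding per line.
# audit_monitrc and the finding labels are names made up for this example.
audit_monitrc() {
    rc="$1"
    [ -r "$rc" ] || { echo "UNREADABLE $rc"; return 2; }

    # Work on active lines only; commented-out settings do not count.
    active=$(grep -v '^[[:space:]]*#' "$rc" || true)

    # monitrc holds the web login in cleartext, and monit expects the file
    # to be accessible by its owner only (group/other bits all clear).
    perms=$(ls -ld -- "$rc" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS group/other bits '$perms' set on $rc; chmod 600 it"
    fi

    # No httpd stanza means no web interface to review.
    n=$(printf '%s\n' "$active" | grep -Ec '^[[:space:]]*set[[:space:]]+httpd' || true)
    [ "$n" -gt 0 ] || return 0

    # Each re-run of the echo steps appends another copy of the stanza.
    if [ "$n" -gt 1 ]; then
        echo "DUP_HTTPD 'set httpd' appears $n times; remove the stale copies"
    fi

    # Without a bind address (or unix socket) the port is not tied to loopback.
    if ! printf '%s\n' "$active" | grep -Eq 'use[[:space:]]+address|unixsocket'; then
        echo "BIND no 'use address' on the httpd stanza; bind it to localhost"
    fi

    # The tutorial's placeholder login must never reach a live host.
    if printf '%s\n' "$active" | grep -Eq 'allow[[:space:]]+myadmin:passw0rd27'; then
        echo "SAMPLE_CRED tutorial login myadmin:passw0rd27 is still configured"
    fi
    return 0
}

# Stand-alone use: sh audit.sh /etc/monit/monitrc
if [ "$#" -gt 0 ]; then audit_monitrc "$1"; fi
```

No output means none of the four conditions were found; running monit -t afterwards checks the control file syntax before the restart.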

Add services for monitoring

Let’s add services for monitoring. There are two methods for monitoring services. We can monitor the pid file directly, which gives you the opportunity to start and stop the service. Or we can monitor by searching for the process name. I prefer the pid method, but in the case of wazuh, we must monitor it by process name. Either way we will get email alerts if the service stops or starts. With the process-name method, we just won’t be able to start or stop the service from monit or the web interface.

You can tweak this to meet your needs. I used cat for this step instead of echo because it is easier to edit: everyone’s needs vary, and this will probably be the only part of your script that changes as needed.

cat > /etc/monit/services.txt <<\EOF

#***********************************************************
# Monitoring Auditd
#***********************************************************

check process auditd with pidfile /var/run/auditd.pid
        start program = "/etc/init.d/auditd start" with timeout 60 seconds
        stop program  = "/etc/init.d/auditd stop"


#***********************************************************
# Monitoring Suricata
#***********************************************************

check process suricata with pidfile /var/run/suricata.pid
        start program = "/etc/init.d/suricata start" with timeout 60 seconds
        stop program  = "/etc/init.d/suricata stop"


#***********************************************************
# Monitoring wazuh agent
#***********************************************************

check process wazuh-execd
        matching "ossec-execd"

check process wazuh-agentd
        matching "ossec-agentd"

check process wazuh-syscheckd
        matching "ossec-syscheckd"

check process wazuh-logcollector
        matching "ossec-logcollector"

check process wazuh-modulesd
        matching "wazuh-modulesd"

EOF
cat /etc/monit/services.txt >> /etc/monit/monitrc
rm /etc/monit/services.txt

Restart monit

systemctl restart monit

Test and enjoy!

Let’s test our alerts by stopping suricata

There is our email alert!
