LibreNMS Error “.sock: rrd_fetch_r failed:”

The following error showed up after adding a new device to LibreNMS.

.sock:rrd_fetch_r failed: 

It was not displaying any graph data, but the device was up and connected.

Looks like the error is SELinux related. You can fix the error by resetting the security context with the following command.

sudo restorecon -RFv /opt/librenms

LibreNMS Devices Disappeared from Web Interface

What do you do when all your devices disappear from the web interface?

Everything still appears to be working. Alerts work.

Running a MySQL command to check if the devices are in the database returns all the devices

mysql -u librenms -p librenms -e 'use librenms ; select hostname,sysName,status from devices where status=1'

If we try going to /addhost we are greeted with an Error You have insuffecient permissions to view this page.

Running ./validate.php returns everything good

Potentially it could be an issue with SElinux or with Apache/NGinx

Running

audit2why < /var/log/audit/audit.log

Doesn’t return anything

No errors pop up in the Logs

Could be something happened with the LibreNMS user.

Test a different LibreNMS user and all the devices show up.

We’ve now isolated the issue to being something with out user.

Server Logs not Showing up in LibreNMS

The problem: Linux servers have been configured to send their local syslogs to LibreNMS, but are not showing up under the LibreNMS -> DEVICE -> Logs-> Syslog

After a bit of troubleshooting, found that the issue is the hostname being sent with the logs is different than what LibreNMS has for the device. It appears that some Linux distributions will or can use an abbreviated system hostname. There is a section in the LibreNMS docs about this

https://docs.librenms.org/Extensions/Syslog/#matching-syslogs-to-hosts-with-different-names

We can either do what the docs say, or we can set the host name in the rsyslog.conf file on each of the servers.

Log into the server and open up

sudo vi /etc/rsyslog.conf

At the very top, add the following line to set the hostname

$LocalHostName host.server_name_fqdn.com

Save the file and restart rsyslog

sudo systemctl restart rsyslog

Refresh the page to verify the logs are showing up in LibreNMS.

If you are still having issues, you may want to check the following

  1. SELinux on LibreNMS SELinux Audit Commands and Links, Setup LibreNMS as Syslog Server
  2. Firewall on LibreNMS FrDual Zones in Firewalld (Public/Private or External/Internal), Install LibreNMS on CentOS
  3. Read the documentation entirely through

Setup LibreNMS as Syslog Server

Using the LibreNMS documentation for setting up syslog-ng so LibreNMS can ingest logs from Cisco, Mikrotik, Ubiquiti etc. equipment.

https://docs.librenms.org/Extensions/Syslog/

Enable Syslog in LibreNMS settings

First thing we need to do is enable syslog for LibreNMS. Edit the /opt/librenms/config.php and add or enable

$config['enable_syslog'] = 1;

Install and Configure syslog-ng

Install syslog-ng with dnf or yum.

sudo dnf install -y syslog-ng

Create a config file for LibreNMS

vi /etc/syslog-ng/conf.d/librenms.conf

Put the following in the config file

source s_net {
        tcp(port(514) flags(syslog-protocol));
        udp(port(514) flags(syslog-protocol));
};

destination d_librenms {
        program("/opt/librenms/syslog.php" template ("$HOST||$FACILITY||$PRIORITY||$LEVEL||$TAG||$R_YEAR-$R_MONTH-$R_DAY $R_HOUR:$R_MIN:$R_SEC||$MSG||$PROGRAM\n") template-escape(yes));
};

log {
        source(s_net);
        source(s_sys);
        destination(d_librenms);
};

Restart and enable syslog-ng

sudo systemctl restart syslog-ng
sudo systemctl enable syslog-ng

SELinux

If we are running SELinux, we’ll need to make and apply a module to let the logs show up in the web interface.

vi librenms-rsyslog.te

Put the following in the file

module mycustom-librenms-rsyslog 1.0;

require {
        type syslogd_t;
        type httpd_sys_rw_content_t;
        type ping_exec_t;
        class process execmem;
        class dir { getattr search write };
        class file { append getattr execute open read };
}

#============= syslogd_t ==============
allow syslogd_t httpd_sys_rw_content_t:dir { getattr search write };
allow syslogd_t httpd_sys_rw_content_t:file { open read append getattr };
allow syslogd_t self:process execmem;
allow syslogd_t ping_exec_t:file execute;

Now run the following commands to make and apply our SELinux module.

checkmodule -M -m -o librenms-rsyslog.mod librenms-rsyslog.te
semodule_package -o librenms-rsyslog.pp -m librenms-rsyslog.mod
sudo semodule -i librenms-rsyslog.pp

LibreNMS – Could not ping 192.168.1.20 (192.168.1.20)

LibreNMS uses fping to check if devices are up or not. So if something is broken with fping, say a SELinux permission, you can receive the “Could not ping” error, while trying to add a new device.

LibreNMS unable to ping device

First we need to verify that fping is working. SSH into the LibreNMS server and try pinging an address.

fping 192.168.1.20

There was an issue with fping working if ipv6 was disabled. If fping is not working at all, check out this thread.

If you get an alive or unreachable message, then we know fping is working and can move on to the next stage of troubleshooting.

If you are using SELinux, then there is a good chance the problems has to do with that. You can try rerunning all the SELinux commands from the install guide. Note that it has a specific portion for fping.

https://docs.librenms.org/Installation/Install-LibreNMS/#selinux

If it is still not working, we can take a look at the issue with the audit2why command and feed in the audit log.

audit2why < /var/log/audit/audit.log

Here is some example output.

[root@librenms ~]#
type=AVC msg=audit(1676192040.183:404404): avc:  denied  { bind } for  pid=128555 comm="fping" lport=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

[root@librenms ~]#

Another, perhaps more effective way to check the log is to follow it using the “tail -f” command.

tail -f /var/log/audit/audit.log | grep denied

And then in the web browser, try adding a new device. If SELinux is blocking it, it should throw a denied entry.

Example output

type=AVC msg=audit(1676192040.183:404404): avc:  denied  { bind } for  pid=128555 comm="fping" lport=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=0

Now we have verified that the issue is SELinux permissions related. We can create a module to allow it.

audit2allow -a -M fping_http < /var/log/audit/audit.log

And apply the module with

semodule -i fping_http.pp

You may need to do this a couple times. Check the audit log again to see if anything new shows up. Notice the slight difference in this error compared to the above error.

# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1676192613.121:404409): avc: denied { node_bind } for pid=153257 comm="fping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=0

We’ll create a new module for this and apply it

audit2allow -a -M node_http < /var/log/audit/audit.log
semodule -i node_http.pp

Not sure that is the best way to fix the problem. But it appears that SELinux is keeping Apache “httpd” from running fping which is why we need to create and load the modules.

LibreNMS Error – Renaming of 192.168.1.20 failed. Does your web server have permission to modify the rrd files?

Renaming of 192.168.1.20 failed . Does your web server have permission to modify the rrd files?

First thing to check is verify that the IP address is not already being monitored.

If you are getting the above error while trying to rename a device in LibreNMS, you may need to rerun some of the SELinux commands from the installation.

SSH into the server and run

restorecon -RFvv /opt/librenms

Now try renaming the device. Note that you can’t rename the device if the name/ip to a name that is being used by a different device.

If you continue to have issues, check the permissions from the installation guide (Official guide here)

You can also check for SELinux errors with

audit2why < /var/log/audit/audit.log

More SELinux info here

Oxidized Error “OpenSSL::PKey::PKeyError with msg “dh#set_pqg= is incompatible with OpenSSL 3.0”

Looks like the issue has something to do with net-ssh. There are some other similar errors people were having.

https://github.com/ytti/oxidized/issues/2642
https://github.com/ytti/oxidized/pull/2570

The easy way to resolve the issue is to install oxidized using git.

Prerequisites

Make sure rake is installed

sudo dnf install rake
 or 
sudo apt install rake

Install Oxidized from Git

Steps were copied from here. https://github.com/ytti/oxidized#build-from-git

You should be able to copy and paste these commands in the users home directory.

git clone https://github.com/ytti/oxidized.git
cd oxidized/
gem install bundler
rake install

After it is installed, restart the service

systemctl restart oxidized

Or continue on installing and with LibreNMS

Setting up RRDReST on CentOS 8 or AlmaLinux 9

There are some differences on setting up RRDReST on CentOS 8, Almalinux 9 vs CentOS 7

If you are setting this up to use with LibreNMS and Grafana, check out the rest of the this article. https://www.incredigeek.com/home/setting-up-grafana-on-librenms/

Installing RRDReST

All the docker commands have been swapped out for podman.

  1. Install Docker
  2. Create a compose file
  3. Run compose file to create container

Install docker

Podman is default on CentOS 8 and later and is, for the most part, a drop in replacement for Docker.

sudo yum install -y podman podman-compose
sudo systemctl enable podman

Create a Podman / Docker network to use. We’ll use this to assign a static IP address to the container. We’ll call the network rrdnet, and we’ll use the 10.89.2.0/24 range.

sudo podman network create --subnet=10.89.2.0/24 rrdnet

Create podman-compose file

Create a docker compose file

vi podman-compose.yml

Add the following

version: "3.5"
services:
  rrdrest:
    image: michaelwadman/rrdrest:latest
    container_name: rrdrest
    restart: always
    volumes:
      - "/opt/librenms/rrd:/opt/librenms/rrd:Z"
    environment:
      - TZ=America/Denver
    networks:
      rrdnet:
        ipv4_address: 10.89.2.2
        ipam:
          driver: default
          config:
            - subnet: 10.89.2.0/24
networks:
  rrdnet:
    external: true

Change the TZ to your time zone. If you have issues with the graphs, most likely something is off with the time zone between this container and Grafana/LibreNMS server

Note that the :Z is needed for SELinux to allow RRDReST to access the sub folders. AKA. the rrd files.

The container should have a 10.89.2.2 IP address. You can take all the networking sections out, and the container will receive DHCP. The problem is that the IP can change, breaking our graphs in Grafana.

Run RRDReST Container

Save the file. Then start and setup the container with

sudo podman-compose up -d

You will need your docker container IP address to setup the connection in Grafana. If you used the above docker-compose config, then it should be 10.89.2.2.

sudo docker exec -it rrdrest ip addr | grep eth0

Configure RRDRest to start on system boot with systemd

The “restart: always” option does not appear to work on systems with podman. We can create a systemd service instead.

Use the following command to automatically create a systemd file.

sudo podman generate systemd rrdrest

Copy the contents to a new file in /etc/systemd/system/

/etc/systemd/system/rrdrest.service

If you end up deleting the rrdrest container, you’ll need to update the systemd file again. You may need also need to run “systemctl daemon-reload”

Enable the new service with

systemctl enable rrdrest

Congratulations. RRDReST is now setup and running.

You can verify it’s running by checking with Podman / Docker.

sudo podman ps

You can also ping it

ping 10.89.2.2

Bulk Update SNMP v3 Settings for Devices in LibreNMS

With support for DES being dropped, you may be faced with having to upgrade device settings to AES. In this post we’ll explore changing the settings in LibreNMS for all Mikrotik devices and then touch on making changes to a group of Mikrotik devices.

Upgrading SNMP Settings for Devices in LibreNMS

In LibreNMS, we can go to Device -> Device Settings (Gear on the right hand side) -> SNMP, to set the SNMP settings for that device.

Since this would get rather boring to change on multiple devices, and these settings are all in a MySQL database, we can skip using the mouse and use a few MySQL commands to update multiple devices at once.

Log into the LibreNMS server over ssh and then connect to the MySQL database

mysql -u librenms -p librenms

First we can get a list of all the devices (Mikrotik routers in this example) and show the hostname with the SNMP authentication and cryptography algorithms.

select hostname,authalgo,cryptoalgo from devices where os="routeros";

Now if we want to update the cryptography settings for all of our Mikorotik devices, we can do the following.

update devices cryptoalgo set cryptoalgo="AES"  where os="routeros";

This will set all of the devices to use AES for the cryptography algorithm.

We can also change the authentication algorithm to SHA with this

update devices authalgo set authalgo="SHA"  where os="routeros";
LibreNMS update device SNMP settings

Bulk updating of Network Devices

The bottom “script” can be used for changing SNMP settings on multiple Mikrotik devices.

Create a mikrotik.lst file with all the IP addresses of all the devices you need to update. Can you use the above MySQL commands to get a list from LibreNMS.

Change the following options in the script

  • routerpassword to the Mikrotik password
  • admin to your username
  • encryptionpassword to your SNMP encryption password
  • authpassword to your authentication password
  • addresses=192.168.0.0/16 to the list of IP addresses that should be able to access SNMP info on the mikrotik device. AKA your LibreNMS server.
  • SNMPname to your SNMP username
for ip in `cat mikrotik.lst` 
do 
echo $ip 
timeout 15 sshpass -p 'routerpassword' ssh -o StrictHostKeyChecking=no admin@${ip} -p1022 '/snmp community set addresses=192.168.0.0/16 authentication-protocol=SHA1 authentication-password=authpassword encryption-protocol=AES encryption-password=encryptionpassword security=private read-access=yes write-access=no SNMPname'
done

Copy and paste the above “code” in a shell script file.

nano mikrotik.sh
chmod +x mikrotik.sh 
./mikrotik.sh

The script should run and update all the SNMP settings on all the devices in mikrotik.lst