How-To: Monitoring a Server with Munin

Munin is a simple to configure tool that make real nice graph about your server status. It can actually deal with almost any aspect of your server (load average, network cards status, CPU usage, memory usage, postfix, exim4, mysql ...) without spending much time in configuring it.

Munin produce MRTG likes graph so you can easily see how your server health is going.

munin cpu graphmunin ethernet graph
This tutorial will show you how to set up Munin to gather statistics of a single server, but keep in mind that Munin can be deployed throughout a whole network, but beware that there is no real no security measure (such as authentication ...) taken by munin.
To be able to access the datas gathered by munin, we are going to set up a virtual apache server. Those datas will only be accessible to authenticated users using apache mod_auth_digest (a more secure authetication protocol).

1. Installing and Configuring Munin

munin is composed of a master and client nodes. What happens basically, is that every client (node) runs munin-node and then the master regularly query the different node to gather and process datas.

1.1. Installing Munin

In our case, wa are going to run the master and the client on the same computer. The packages we need to install are munin and munin-node, so here we go, open a shell and type:

$sudo apt-get install munin munin-node

Now that it is installed, it is about time to go and tweak up some files so we get a proper configuration.

1.2. Configuring the Master

First of all, we are going to edit the master file: /etc/munin/munin.conf. This is in this file that you define every clients the master is going to gather information from. As we use a simple model here, the only client the master is going to query information from is example.com which is accessible on adress 127.0.0.1.
So go and edit /etc/munin/munin.conf and make it look like:

dbdir       /var/lib/munin/
htmldir     /var/www/munin/
logdir      /var/log/munin
rundir      /var/run/munin/

[example.com]
        address 127.0.0.1
        use_node_name yes

So, what we have done here is to define munin working directories. htmldir for instance is the place where munin is going to store its graphs. Later on, we will have to set up an apache virtual server to be able to access those datas.

1.3. Configuring the Node

There is some basic security actions you can do while configuring the node.
Even though, by default, the node is configured to only authorized localhost to gather data from it, the nodes are listening on any networking interfaces.
As a security measure, we are going to change so the node bind itself to the loopback interface.
So go and edit /etc/munin/munin-node.conf and make sure the host value looks like this:

#host *
host 127.0.0.1

This is about all you need to do in order to get munin working.
As we modified the configuration, we need to restart the service with:

$sudo /etc/init.d/munin-node restart

Next, we are going to set up apache in such a way that munin results are going to be accessible through web pages. But because we do not want everybody to access the stats, we are going to require authentication.

How-To: Monitoring a Server with Munin -- page 2

2. Setting up apache

Okie, now we are going to set up an apache virtual host called monitoring.example.com in order to be able to access our statistics through http://monitoring.example.com url.

To do so, you need to have a working apache server. If you do not yet. Please install apache with:

$sudo apt-get install apache2

The settings given below should be enough to get you running. If you need more information on apache virtual host, you might want to check How-to virtual hosting with apache2.

2.1. the virtual host

Okie, first of all, go to the virtual host configuration directory:

$cd /etc/apache2/sites-available

create and edit file monitoring and make it look like:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName      monitoring.example.com
        DocumentRoot /var/www/munin
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
        LogLevel notice
        CustomLog /var/log/apache2/access.log combined
        ErrorLog /var/log/apache2/error.log
        ServerSignature On
</VirtualHost>

Make sure DocumentRoot has the same value as htmldir from /etc/munin/munin.conf

Now, enable that virtual host:

$sudo a2ensite monitoring

check that the syntax is correct:

$sudo apache2ctl -t
Syntax OK

If the syntax is correct, reload apache:

$sudo /etc/init.d/apache2 force-reload

Open your favorite web browser and start accessing your stats from http://monitoring.example.com

Munin generate stats every 5 minutes. You might have to wait 5 minutes in order to start having your first result

Well this is great, we can now access our server statistics. But actually everybody can :s. If you don't want that, you can control the access by using apache built-in authentication methods.

2.2. Enabling Authentication

There is actually 2 different ways of getting authenticated with apache.

Basic Authentication: password is passed from client to server in plain text across the network
Digest Authentication: password is transmitted as a MD5 digest which is more secure

In order to avoid to have our password transmitted as clear text, we are going to use the Digest Authentication.
This kind of authentication actually relies on an apache module which is not enable by default: auth_digest. To enable it, simply run:

$sudo a2enmod auth_digest

Now that apache can handle Digest Authentication, we need to set up a user/password/realm using:

htdigest -c /var/www/munin/.htpasswd munin foo

default apache configuration forbid access to files like ".ht*", therefore this file won't be readable though HTTP

Where munin is the realm and foo the username. htdigest will prompt you for "foo" user password. Supply it and go back to /etc/apache2/sites-available/monitoring.
We are going to add a few lines to this file in order to make authentication required.

The modifications we are going to make are between the <Directory />....</Directory> tags. This bit should look like this to enable authentication:

<Directory />
       Options FollowSymLinks
       AllowOverride None
       #authentification
       AuthType Digest
       AuthName "munin"
       AuthDigestFile /var/www/munin/.htpasswd
       #people using apache 2.2 will use instead:
       #AuthUserFile  /var/www/munin/.htpasswd
       require valid-user
</Directory>

Make sure that the AuthName value is the one from the htdigest realm

And that's it! We just need to make the change effectives by reloading apache configuration. As usual, we check that the syntax is right and if it is, we reload apache configuration.

$sudo apache2ctl -t
Syntax OK
$sudo /etc/init.d/apache2 force-reload

Now, go to http://monitoring.example.com with your browser. A box should prompt you for a username and password. Supply the one you define above and you should be given access to munin statistics.

3. Conclusion

Munin is simple to install and yet gives nice graph from your server health which will allow you to easily spot out if you are going to run out of memory, disk space and resource.

If you have only one machine to monitor, it is not worth the trouble setting up tools like cacti which require snmp in order to get the same result.