munin-node.conf - Munin-node configuration file
is the configuration file for "munin-node", the
agent that Munin fetches data from.
The format is dictated by the use of "Net::Server". A look at
"perldoc Net::Server" will give a list of options that the file
supports by using the module. This page mainly covers the Munin-specific
The following options are of special interest:
- allow RE
- IP based access list is implemented through this. The
statement may be repeated many times. It's important to note that it's
actually a regular expression after the keyword so to allow localhost it
must be written like this:
- cidr_allow NETWORK/MASK
- An alternative to "allow RE". This allows the
access list to be specified in CIDR format. For instance, "cidr_allow
192.0.2.0/24" would allow connections from any IP from 192.0.2.1 to
And "cidr_allow 127.0.0.1/32" is the equivalent to the example
above. Note that the netmask must be provided, even though it's
This option requires that the "Net::CIDR" Perl module be
- host IP
- The IP number of the interface munin-node should listen on.
By default munin-node listens to all interfaces. To make munin-node listen
only on the localhost interface - making it unavailable from the network
- host_name <host>
- If set, overrides the hostname munin-node uses in its
'hello'-negotiation with munin. A "telnet localhost 4949" will
show the hostname munin-node is currently using. If munin-node and the
main munin installation do not agree on the hostname, munin will skip all
the plugins of the machine in question.
- paranoia <yes|no|true|false|on|off|1|0>
- If set, checks permissions of plugin files, and only tries
to run files owned by root. Default on.
- ignore_file <regex>
- Files matching <regex> in the node.d/ and
node-conf.d/ directories will be overlooked.
- tls <value>
- Can have four values. "paranoid",
"enabled", "auto", and "disabled".
"Paranoid" and "enabled" require a TLS connection,
while "disabled" will not attempt one at all.
The current default is "disabled" because "auto" is
broken. "Auto" causes bad interaction between munin-update and
munin-node if the node is unprepared to go to TLS.
If you see data dropouts (gaps in graphs) please try to disable TLS.
- tls_verify_certificate <value>
- This directive can be "yes" or "no". It
determines if the remote certificate needs to be signed by a CA that is
known locally. Default is "no".
- tls_private_key <value>
- This directive sets the location of the private key to be
used for TLS. Default is /etc/munin/munin-node.pem. The private key and
certificate can be stored in the same file.
- tls_certificate <value>
- This directive sets the location of the TLS certificate to
be used for TLS. Default is /etc/munin/munin-node.pem. The private key and
certificate can be stored in the same file.
- tls_ca_certificate <value>
- This directive sets the CA certificate to be used to verify
the node's certificate, if tls_verify_certificate is set to
"yes". Default is /etc/munin/cacert.pem.
- tls_verify_depth <value>
- This directive sets how many signings up a chain of
signatures TLS is willing to go to reach a known, trusted CA when
verifying a certificate. Default is 5.
- tls_match <value>
- This directive, if defined, searches a dump of the
certificate provided by the remote host for the given regex. The dump of
the certificate is two lines of the form:
Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email
Issuer Name: /C=c/ST=st/O=o/OU=ou/CN=cn/emailAddress=email
So, for example, one could match the subject distinguished name by the
tls_match Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email
Note that the fields are dumped in the order they appear in the certificate.
It's best to view the dump of the certificate by running munin-update in
debug mode and reviewing the logs.
Unfortunately, due to the limited functionality of the SSL module in use, it
is not possible to provide finer-grained filtering. By default this value
is not defined.
A pretty normal configuration file:
See the documentation or Munin homepage <http://munin-monitoring.org/> for
Copyright (C) 2002-2006 Audun Ytterdal, Jimmy Olsen, Dagfin Ilmari MansXker,
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This program is released under the GNU General Public License