Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
MUNIN-NODE.CONF(5)	      Munin Documentation	    MUNIN-NODE.CONF(5)

       munin-node.conf - Munin-node configuration file

       munin-node.conf is the configuration file for "munin-node", the agent
       that Munin fetches data from.

       The format is dictated by the use of "Net::Server". A look at "perldoc
       Net::Server" will give a	list of	options	that the file supports by
       using the module.  This page mainly covers the Munin-specific

       The following options are of special interest:

       allow RE
	    IP based access list is implemented	through	this. The statement
	    may	be repeated many times.	 It's important	to note	that it's
	    actually a regular expression after	the keyword so to allow
	    localhost it must be written like this:

		  allow	^127\.0\.0\.1$

       cidr_allow NETWORK/MASK
	    An alternative to "allow RE".  This	allows the access list to be
	    specified in CIDR format.  For instance, "cidr_allow"
	    would allow	connections from any IP	from to

	    And	"cidr_allow" is the equivalent to the example
	    above.  Note that the netmask must be provided, even though	it's
	    just "/32".

	    This option	requires that the "Net::CIDR" Perl module be

       host IP
	    The	IP number of the interface munin-node should listen on.	 By
	    default munin-node listens to all interfaces.  To make munin-node
	    listen only	on the localhost interface - making it unavailable
	    from the network do	this:


   Additional options:
       host_name <host>
	    If set, overrides the hostname munin-node uses in its
	    'hello'-negotiation	with munin. A "telnet localhost	4949" will
	    show the hostname munin-node is currently using. If	munin-node and
	    the	main munin installation	do not agree on	the hostname, munin
	    will skip all the plugins of the machine in	question.

       paranoia	<yes|no|true|false|on|off|1|0>
	    If set, checks permissions of plugin files,	and only tries to run
	    files owned	by root. Default on.

       ignore_file <regex>
	    Files matching <regex> in the node.d/ and node-conf.d/ directories
	    will be overlooked.

       tls <value>
	    Can	have four values. "paranoid", "enabled", "auto", and
	    "disabled".	 "Paranoid" and	"enabled" require a TLS	connection,
	    while "disabled" will not attempt one at all.

	    The	current	default	is "disabled" because "auto" is	broken.
	    "Auto" causes bad interaction between munin-update and munin-node
	    if the node	is unprepared to go to TLS.

	    If you see data dropouts (gaps in graphs) please try to disable

       tls_verify_certificate <value>
	    This directive can be "yes"	or "no".  It determines	if the remote
	    certificate	needs to be signed by a	CA that	is known locally.
	    Default is "no".

       tls_private_key <value>
	    This directive sets	the location of	the private key	to be used for
	    TLS.  Default is /usr/local/etc/munin/munin-node.pem.  The private
	    key	and certificate	can be stored in the same file.

       tls_certificate <value>
	    This directive sets	the location of	the TLS	certificate to be used
	    for	TLS.  Default is /usr/local/etc/munin/munin-node.pem.  The
	    private key	and certificate	can be stored in the same file.

       tls_ca_certificate <value>
	    This directive sets	the CA certificate to be used to verify	the
	    node's certificate,	if tls_verify_certificate is set to "yes".
	    Default is /usr/local/etc/munin/cacert.pem.

       tls_verify_depth	<value>
	    This directive sets	how many signings up a chain of	signatures TLS
	    is willing to go to	reach a	known, trusted CA when verifying a
	    certificate.  Default is 5.

       tls_match <value>
	    This directive, if defined,	searches a dump	of the certificate
	    provided by	the remote host	for the	given regex.  The dump of the
	    certificate	is two lines of	the form:

		    Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email
		    Issuer  Name: /C=c/ST=st/O=o/OU=ou/CN=cn/emailAddress=email

	    So,	for example, one could match the subject distinguished name by
	    the	directive:

		    tls_match Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email

	    Note that the fields are dumped in the order they appear in	the
	    certificate.  It's best to view the	dump of	the certificate	by
	    running munin-update in debug mode and reviewing the logs.

	    Unfortunately, due to the limited functionality of the SSL module
	    in use, it is not possible to provide finer-grained	filtering.  By
	    default this value is not defined.

       A pretty	normal configuration file:

	       log_level 4
	       log_file	/var/log/munin/munin-node.log
	       port 4949
	       pid_file	/var/run/
	       background 1
	       setsid 1

	       host *
	       user root
	       group root
	       setsid yes

	       ignore_file \.bak$
	       ignore_file \.rpm(save|new)$
	       ignore_file ^README$

	       allow ^127\.0\.0\.1$

	       ignore_file \.dpkg-(old|new)$
	       ignore_file \.rpm(save|new)$

       See the documentation or	Munin homepage <>
       for more	info.

       Jimmy Olsen.

       Copyright (C) 2002-2006 Audun Ytterdal, Jimmy Olsen, Dagfin Ilmari
       MansXker, Nicolai Langfeldt

       This is free software; see the source for copying conditions. There is
       NO warranty; not	even for MERCHANTABILITY or FITNESS FOR	A PARTICULAR

       This program is released	under the GNU General Public License

2.0.64				  2020-07-08		    MUNIN-NODE.CONF(5)


Want to link to this manual page? Use this URL:

home | help