Libreswan

Plugin: charts.d.plugin Module: libreswan

Overview

Monitor Libreswan performance for optimal IPsec VPN operations. Improve your VPN operations with Netdata's real-time metrics and built-in alerts.

The collector uses the ipsec command to collect the information it needs.

This collector is supported on all platforms.

This collector supports collecting metrics from multiple instances of this integration, including remote instances.

Default Behavior

Auto-Detection

This integration doesn’t support auto-detection.

Limits

The default configuration for this integration does not impose any limits on data collection.

Performance Impact

The default configuration for this integration is not expected to impose a significant performance impact on the system.

Setup

Prerequisites

Install charts.d plugin

If using our official native DEB/RPM packages, make sure netdata-plugin-chartsd is installed.

Permissions to execute ipsec

The plugin executes 2 commands to collect all the information it needs:

ipsec whack --status
ipsec whack --trafficstatus

The first command is used to extract the currently established tunnels, their IDs and their names. The second command is used to extract the current uptime and traffic.

The netdata user will most likely not be permitted to query libreswan directly, so the ipsec commands will be denied. To get access to libreswan statistics, the plugin attempts to run ipsec through sudo, as sudo ipsec ....

To allow the netdata user to execute sudo ipsec ..., create the file /etc/sudoers.d/netdata with this content:

netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --status
netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --trafficstatus

Make sure the path /sbin/ipsec matches your setup (execute which ipsec to find the right path).
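The sudoers rules above grant only two exact command lines. As an added example (not part of the Netdata documentation or the collector's code), the script below audits sudoers text for that property; the function names and sample rule sets are constructed for illustration, and it assumes one rule per line with no aliases or line continuations, as in the file shown above.

```shell
#!/bin/sh
# Added example: least-privilege audit of the netdata sudoers rules.
# Reads sudoers text on stdin; $1 is the real ipsec path (command -v ipsec).
# Prints one finding per line; returns 0 only when user netdata is granted
# exactly the two whack commands, with full arguments, on that path.
audit_netdata_sudoers() {
    ipsec=$1 rc=0 has_status=0 has_traffic=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            'netdata '*) ;;      # rule for user netdata: inspect it
            *) continue ;;       # comments, blanks, other users
        esac
        # The command spec is what follows "NOPASSWD:"; trim whitespace.
        cmd=$(printf '%s\n' "${line#*NOPASSWD:}" |
              sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $cmd in
            "$ipsec whack --status")        has_status=1 ;;
            "$ipsec whack --trafficstatus") has_traffic=1 ;;
            *) echo "UNEXPECTED: $cmd"; rc=1 ;;
        esac
    done
    [ "$has_status" -eq 1 ] || { echo "MISSING: $ipsec whack --status"; rc=1; }
    [ "$has_traffic" -eq 1 ] || { echo "MISSING: $ipsec whack --trafficstatus"; rc=1; }
    return "$rc"
}

# Constructed samples (not taken from a real host).
PAGE_RULES='netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --status
netdata ALL = (root) NOPASSWD: /sbin/ipsec whack --trafficstatus'
BROAD_RULES='netdata ALL = (root) NOPASSWD: /sbin/ipsec'

audit_text() { printf '%s\n' "$1" | audit_netdata_sudoers "$2"; }

audit_text "$PAGE_RULES" /sbin/ipsec && echo "OK: rules match /sbin/ipsec"
# Binary lives elsewhere: sudo matches the full path, so these rules never apply.
audit_text "$PAGE_RULES" /usr/sbin/ipsec || echo "FAIL: path mismatch"
# A command with no arguments listed lets netdata pass any arguments as root.
audit_text "$BROAD_RULES" /sbin/ipsec || echo "FAIL: rule broader than needed"
```

On a real host, run it as root with `audit_netdata_sudoers "$(command -v ipsec)" < /etc/sudoers.d/netdata`, and check the file's syntax with `visudo -cf /etc/sudoers.d/netdata`.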

Configuration

Options

The config file is sourced by the charts.d plugin. It’s a standard bash file.

The following table lists all the options that can be configured for the libreswan collector.

Option | Description | Default | Required
libreswan_update_every | The data collection frequency. If unset, will inherit the netdata update frequency. | 1 | no
libreswan_priority | The charts priority on the dashboard | 90000 | no
libreswan_retries | The number of retries to do in case of failure before disabling the collector. | 10 | no
libreswan_sudo | Whether to run ipsec with sudo or not. | 1 | no

via File

The configuration file name for this integration is charts.d/libreswan.conf.

The file format is POSIX shell script. Generally, the structure is:

OPTION_1="some value"
OPTION_2="some other value"

You can edit the configuration file using the edit-config script from the Netdata config directory.

cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config charts.d/libreswan.conf

Examples

Run ipsec without sudo

Run the ipsec utility without sudo

# the data collection frequency
# if unset, will inherit the netdata update frequency
#libreswan_update_every=1

# the charts priority on the dashboard
#libreswan_priority=90000

# the number of retries to do in case of failure
# before disabling the module
#libreswan_retries=10

# set to 1, to run ipsec with sudo (the default)
# set to 0, to run ipsec without sudo
libreswan_sudo=0

Metrics

Metrics grouped by scope.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.

Per IPSEC tunnel

Metrics related to IPSEC tunnels. Each tunnel provides its own set of the following metrics.

This scope has no labels.

Metrics:

Metric | Dimensions | Unit
libreswan.net | in, out | kilobits/s
libreswan.uptime | uptime | seconds

Alerts

There are no alerts configured by default for this integration.

Troubleshooting

Debug Mode

To troubleshoot issues with the libreswan collector, run the charts.d.plugin with the debug option enabled. The output should give you clues as to why the collector isn’t working.

  • Navigate to the plugins.d directory, usually at /usr/libexec/netdata/plugins.d/. If that’s not the case on your system, open netdata.conf and look for the plugins setting under [directories].

    cd /usr/libexec/netdata/plugins.d/
    
  • Switch to the netdata user.

    sudo -u netdata -s
    
  • Run the charts.d.plugin to debug the collector:

    ./charts.d.plugin debug 1 libreswan
    

Getting Logs

If you’re encountering problems with the libreswan collector, follow these steps to retrieve logs and identify potential issues:

  • Run the command specific to your system (systemd, non-systemd, or Docker container).
  • Examine the output for any warnings or error messages that might indicate issues. These messages should provide clues about the root cause of the problem.

System with systemd

Use the following command to view logs generated since the last Netdata service restart:

journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show --value --property=InvocationID netdata)" --namespace=netdata --grep libreswan

System without systemd

Locate the collector log file, typically at /var/log/netdata/collector.log, and use grep to filter for the collector's name:

grep libreswan /var/log/netdata/collector.log

Note: This method shows logs from all restarts. Focus on the latest entries for troubleshooting current issues.

Docker Container

If your Netdata runs in a Docker container named “netdata” (replace if different), use this command:

docker logs netdata 2>&1 | grep libreswan
