Section: Munin Documentation (5)
Updated: 2014-11-24


munin-node.conf - Munin-node configuration file 


munin-node.conf is the configuration file for "munin-node", the agent thatMunin fetches data from.

The format is dictated by the use of "Net::Server". A look at "perldocNet::Server" will give a list of options that the file supports by using themodule. This page mainly covers the Munin-specific extensions.

The following options are of special interest:

allow RE
IP based access list is implemented through this. The statement may berepeated many times. It's important to note that it's actually aregular expression after the keyword so to allow localhost it must bewritten like this:

      allow ^127\.0\.0\.1$
cidr_allow NETWORK/MASK
An alternative to "allow RE". This allows the access list to be specified inCIDR format. For instance, "cidr_allow" would allow connectionsfrom any IP from to

And "cidr_allow" is the equivalent to the example above. Notethat the netmask must be provided, even though it's just "/32".

This option requires that the "Net::CIDR" Perl module be installed.

host IP
The IP number of the interface munin-node should listen on. Bydefault munin-node listens to all interfaces. To make munin-nodelisten only on the localhost interface - making it unavailable fromthe network do this:


Additional options:

host_name <host>
If set, overrides the hostname munin-node uses in its'hello'-negotiation with munin. A ``telnet localhost 4949'' will show thehostname munin-node is currently using. If munin-node and the main munininstallation do not agree on the hostname, munin will skip all theplugins of the machine in question.
paranoia <yes|no|true|false|on|off|1|0>
If set, checks permissions of plugin files, and only tries to run filesowned by root. Default on.
ignore_file <regex>
Files matching <regex> in the node.d/ and node-conf.d/directories will be overlooked.
tls <value>
Can have four values. "paranoid", "enabled", "auto", and"disabled". "Paranoid" and "enabled" require a TLS connection,while "disabled" will not attempt one at all.

The current default is "disabled" because "auto" is broken. "Auto"causes bad interaction between munin-update and munin-node if the nodeis unprepared to go to TLS.

If you see data dropouts (gaps in graphs) please try to disable TLS.

tls_verify_certificate <value>
This directive can be "yes" or "no". It determines if the remotecertificate needs to be signed by a CA that is known locally. Defaultis "no".
tls_private_key <value>
This directive sets the location of the private key to be used forTLS. Default is /etc/munin/munin-node.pem. The private key andcertificate can be stored in the same file.
tls_certificate <value>
This directive sets the location of the TLS certificate to be used forTLS. Default is /etc/munin/munin-node.pem. The private key andcertificate can be stored in the same file.
tls_ca_certificate <value>
This directive sets the CA certificate to be used to verify the node'scertificate, if tls_verify_certificate is set to "yes". Default is/etc/munin/cacert.pem.
tls_verify_depth <value>
This directive sets how many signings up a chain of signatures TLS iswilling to go to reach a known, trusted CA when verifying acertificate. Default is 5.
tls_match <value>
This directive, if defined, searches a dump of the certificate provided by theremote host for the given regex. The dump of the certificate is two lines ofthe form:

        Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email        Issuer  Name: /C=c/ST=st/O=o/OU=ou/CN=cn/emailAddress=email

So, for example, one could match the subject distinguished name by the directive:

        tls_match Subject Name: /C=c/ST=st/L=l/O=o/OU=ou/CN=cn/emailAddress=email

Note that the fields are dumped in the order they appear in the certificate.It's best to view the dump of the certificate by running munin-update in debugmode and reviewing the logs.

Unfortunately, due to the limited functionality of the SSL module in use, it isnot possible to provide finer-grained filtering. By default this value is notdefined.



A pretty normal configuration file:

        log_level 4        log_file /var/log/munin/munin-node.log        port 4949        pid_file /var/run/        background 1        setsid 1        host *        user root        group root        setsid yes        ignore_file \.bak$        ignore_file \.rpm(save|new)$        ignore_file ^README$        allow ^127\.0\.0\.1$        ignore_file \.dpkg-(old|new)$        ignore_file \.rpm(save|new)$

See the documentation or Munin homepage<> for more info. 


Jimmy Olsen. 


Copyright (C) 2002-2006 Audun Ytterdal, Jimmy Olsen, Dagfin IlmariMansXker, Nicolai Langfeldt

This is free software; see the source for copying conditions. There is NOwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULARPURPOSE.

This program is released under the GNU General Public License



Additional options:

This document was created byman2html,using the manual pages.