Ipset

Overview

The ipset plugin gathers packets and bytes counters from Linux ipset. It uses the output of the command “ipset save”. Ipsets created without the “counters” option are ignored.

Results are tagged with:

  • ipset name
  • ipset entry

There are 3 ways to grant the agent the right to run ipset:

  • Run as root (strongly discouraged)
  • Use sudo
  • Configure systemd to run the agent with CAP_NET_ADMIN and CAP_NET_RAW capabilities.

Using systemd capabilities

You may run systemctl edit circonus-unified-agent.service and add the following:

[Service]
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN

Using sudo

You will need the following in your config:

[[inputs.ipset]]
  use_sudo = true

You will also need to update your sudoers file:

$ visudo
# Add the following line:
Cmnd_Alias IPSETSAVE = /sbin/ipset save
cua  ALL=(root) NOPASSWD: IPSETSAVE
Defaults!IPSETSAVE !logfile, !syslog, !pam_session

Configuration

  [[inputs.ipset]]
    ## By default, we only show sets which have already matched at least 1 packet.
    ## set include_unmatched_sets = true to gather them all.
    include_unmatched_sets = false
    ## Adjust your sudo settings appropriately if using this option ("sudo ipset save")
    ## You can avoid using sudo or root, by setting appropriate privileges for
    ## the circonus-unified-agent.service systemd service.
    use_sudo = false
    ## The default timeout of 1s for ipset execution can be overridden here:
    # timeout = "1s"