Monitor Configuration

The Monitor configuration file is a stripped down version of the Director configuration file, mixed with a Console configuration file. It simply contains the information necessary to contact Directors, Clients, and Storage daemons you want to monitor.

For a general discussion of configuration file and resources including the data types recognized by Bareos, please see the Configuration chapter of this manual.

The following Monitor Resource definition must be defined:

Monitor – to define the Monitor’s name used to connect to all the daemons and the password used to connect to the Directors. Note, you must not define more than one Monitor resource in the Monitor configuration file.
At least one Client, Storage or Director resource, to define the daemons to monitor.

Monitor Resource

The Monitor resource defines the attributes of the Monitor running on the network. The parameters you define here must be configured as a Director resource in Clients and Storages configuration files, and as a Console resource in Directors configuration files.

configuration directive name	type of data	default value	remark
`Description (Console->Monitor)`	= `STRING`
`Dir Connect Timeout (Console->Monitor)`	= `TIME`	10
`Enable kTLS (Console->Monitor)`	= `BOOLEAN`	no
`FD Connect Timeout (Console->Monitor)`	= `TIME`	10
`Name (Console->Monitor)`	= `NAME`		required
`Password (Console->Monitor)`	= `MD5PASSWORD`		required
`Refresh Interval (Console->Monitor)`	= `TIME`	60
`SD Connect Timeout (Console->Monitor)`	= `TIME`	10
`TLS Allowed CN (Console->Monitor)`	= `STRING_LIST`
`TLS Authenticate (Console->Monitor)`	= `BOOLEAN`	no
`TLS CA Certificate Dir (Console->Monitor)`	= `DIRECTORY`
`TLS CA Certificate File (Console->Monitor)`	= `DIRECTORY`
`TLS Certificate (Console->Monitor)`	= `DIRECTORY`
`TLS Certificate Revocation List (Console->Monitor)`	= `DIRECTORY`
`TLS Cipher List (Console->Monitor)`	= `DIRECTORY`
`TLS Cipher Suites (Console->Monitor)`	= `DIRECTORY`
`TLS DH File (Console->Monitor)`	= `DIRECTORY`
`TLS Enable (Console->Monitor)`	= `BOOLEAN`	yes
`TLS Key (Console->Monitor)`	= `DIRECTORY`
`TLS Protocol (Console->Monitor)`	= `STRING`
`TLS Require (Console->Monitor)`	= `BOOLEAN`	yes
`TLS Verify Peer (Console->Monitor)`	= `BOOLEAN`	no

Description

Type:: STRING

Dir Connect Timeout

Type:: TIME
Default value:: 10

Enable kTLS

Type:: BOOLEAN
Default value:: no

If set to “yes”, Bareos will allow the SSL implementation to use Kernel TLS.

FD Connect Timeout

Type:: TIME
Default value:: 10

Name

Required:: True
Type:: NAME

Specifies the Director name used to connect to Client and Storage, and the Console name used to connect to Director. This record is required.

Password

Required:: True
Type:: MD5PASSWORD

Where the password is needed for Directors to accept the Console connection. This password must be identical to the Password specified in the Console resource of the Director’s configuration file. This record is required if you wish to monitor Directors.

Refresh Interval

Type:: TIME
Default value:: 60

Specifies the time to wait between status requests to each daemon. It can’t be set to less than 1 second or more than 10 minutes.

SD Connect Timeout

Type:: TIME
Default value:: 10

TLS Allowed CN

Type:: STRING_LIST

“Common Name”s (CNs) of the allowed peer certificates.

TLS Authenticate

Type:: BOOLEAN
Default value:: no

Use TLS only to authenticate, not for encryption.

TLS CA Certificate Dir

Type:: DIRECTORY

Path of a TLS CA certificate directory.

TLS CA Certificate File

Type:: DIRECTORY

Path of a PEM encoded TLS CA certificate(s) file.

TLS Certificate

Type:: DIRECTORY

Path of a PEM encoded TLS certificate.

TLS Certificate Revocation List

Type:: DIRECTORY

Path of a Certificate Revocation List file.

TLS Cipher List

Type:: DIRECTORY

List of valid TLSv1.2 and lower Ciphers; see openssl ciphers

TLS Cipher Suites

Type:: DIRECTORY

Colon separated list of valid TLSv1.3 Ciphers; see openssl ciphers -s -tls1_3. Leftmost element has the highest priority. Currently only SHA256 ciphers are supported.

TLS DH File

Type:: DIRECTORY

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications.

TLS Enable

Type:: BOOLEAN
Default value:: yes

Enable TLS support.

TLS Key

Type:: DIRECTORY

Path of a PEM encoded private key. It must correspond to the specified “TLS Certificate”.

TLS Protocol

Type:: STRING
Since Version:: 20.0.0

OpenSSL Configuration: Protocol

TLS Require

Type:: BOOLEAN
Default value:: yes

If set to “no”, Bareos can fall back to use unencrypted connections.

TLS Verify Peer

Type:: BOOLEAN
Default value:: no

If disabled, all certificates signed by a known CA will be accepted. If enabled, the CN of a certificate must the Address or in the “TLS Allowed CN” list.

Director Resource

The Director resource defines the attributes of the Directors that are monitored by this Monitor.

As you are not permitted to define a Password in this resource, to avoid obtaining full Director privileges, you must create a Console resource in the Director’s configuration file, using the Console Name and Password defined in the Monitor resource. To avoid security problems, you should configure this Console resource to allow access to no other daemons, and permit the use of only two commands: status and .status (see below for an example).

You may have multiple Director resource specifications in a single Monitor configuration file.

configuration directive name	type of data	default value	remark
`Address (Console->Director)`	= `STRING`		required
`Description (Console->Director)`	= `STRING`
`Dir Port (Console->Director)`	= `PINT32`	9101
`Enable kTLS (Console->Director)`	= `BOOLEAN`	no
`Name (Console->Director)`	= `NAME`		required
`TLS Allowed CN (Console->Director)`	= `STRING_LIST`
`TLS Authenticate (Console->Director)`	= `BOOLEAN`	no
`TLS CA Certificate Dir (Console->Director)`	= `DIRECTORY`
`TLS CA Certificate File (Console->Director)`	= `DIRECTORY`
`TLS Certificate (Console->Director)`	= `DIRECTORY`
`TLS Certificate Revocation List (Console->Director)`	= `DIRECTORY`
`TLS Cipher List (Console->Director)`	= `DIRECTORY`
`TLS Cipher Suites (Console->Director)`	= `DIRECTORY`
`TLS DH File (Console->Director)`	= `DIRECTORY`
`TLS Enable (Console->Director)`	= `BOOLEAN`	yes
`TLS Key (Console->Director)`	= `DIRECTORY`
`TLS Protocol (Console->Director)`	= `STRING`
`TLS Require (Console->Director)`	= `BOOLEAN`	yes
`TLS Verify Peer (Console->Director)`	= `BOOLEAN`	no

Address

Required:: True
Type:: STRING

Where the address is a host name, a fully qualified domain name, or a network address used to connect to the Director. This record is required.

Description

Type:: STRING

Dir Port

Type:: PINT32
Default value:: 9101

Specifies the port to use to connect to the Director. This port must be identical to the DIRport specified in the Director resource of the Director Configuration file.

Enable kTLS

Type:: BOOLEAN
Default value:: no

If set to “yes”, Bareos will allow the SSL implementation to use Kernel TLS.

Name

Required:: True
Type:: NAME

The Director name used to identify the Director in the list of monitored daemons. It is not required to be the same as the one defined in the Director’s configuration file. This record is required.

TLS Allowed CN

Type:: STRING_LIST

“Common Name”s (CNs) of the allowed peer certificates.

TLS Authenticate

Type:: BOOLEAN
Default value:: no

Use TLS only to authenticate, not for encryption.

TLS CA Certificate Dir

Type:: DIRECTORY

Path of a TLS CA certificate directory.

TLS CA Certificate File

Type:: DIRECTORY

Path of a PEM encoded TLS CA certificate(s) file.

TLS Certificate

Type:: DIRECTORY

Path of a PEM encoded TLS certificate.

TLS Certificate Revocation List

Type:: DIRECTORY

Path of a Certificate Revocation List file.

TLS Cipher List

Type:: DIRECTORY

List of valid TLSv1.2 and lower Ciphers; see openssl ciphers

TLS Cipher Suites

Type:: DIRECTORY

Colon separated list of valid TLSv1.3 Ciphers; see openssl ciphers -s -tls1_3. Leftmost element has the highest priority. Currently only SHA256 ciphers are supported.

TLS DH File

Type:: DIRECTORY

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications.

TLS Enable

Type:: BOOLEAN
Default value:: yes

Enable TLS support.

Bareos can be configured to encrypt all its network traffic. See chapter TLS Configuration Directives to see how the Bareos Director (and the other components) have to be configured to use TLS.

TLS Key

Type:: DIRECTORY

Path of a PEM encoded private key. It must correspond to the specified “TLS Certificate”.

TLS Protocol

Type:: STRING
Since Version:: 20.0.0

OpenSSL Configuration: Protocol

TLS Require

Type:: BOOLEAN
Default value:: yes

If set to “no”, Bareos can fall back to use unencrypted connections.

TLS Verify Peer

Type:: BOOLEAN
Default value:: no

If disabled, all certificates signed by a known CA will be accepted. If enabled, the CN of a certificate must the Address or in the “TLS Allowed CN” list.

Client Resource

The Client resource defines the attributes of the Clients that are monitored by this Monitor.

You must create a Director resource in the Client’s configuration file, using the Director Name defined in the Monitor resource. To avoid security problems, you should set the Monitor directive to Yes in this Director resource.

You may have multiple Director resource specifications in a single Monitor configuration file.

configuration directive name	type of data	default value	remark
`Address (Console->Client)`	= `STRING`		required
`Description (Console->Client)`	= `STRING`
`Enable kTLS (Console->Client)`	= `BOOLEAN`	no
`FD Port (Console->Client)`	= `PINT32`	9102
`Name (Console->Client)`	= `NAME`		required
`Password (Console->Client)`	= `MD5PASSWORD`		required
`TLS Allowed CN (Console->Client)`	= `STRING_LIST`
`TLS Authenticate (Console->Client)`	= `BOOLEAN`	no
`TLS CA Certificate Dir (Console->Client)`	= `DIRECTORY`
`TLS CA Certificate File (Console->Client)`	= `DIRECTORY`
`TLS Certificate (Console->Client)`	= `DIRECTORY`
`TLS Certificate Revocation List (Console->Client)`	= `DIRECTORY`
`TLS Cipher List (Console->Client)`	= `DIRECTORY`
`TLS Cipher Suites (Console->Client)`	= `DIRECTORY`
`TLS DH File (Console->Client)`	= `DIRECTORY`
`TLS Enable (Console->Client)`	= `BOOLEAN`	yes
`TLS Key (Console->Client)`	= `DIRECTORY`
`TLS Protocol (Console->Client)`	= `STRING`
`TLS Require (Console->Client)`	= `BOOLEAN`	yes
`TLS Verify Peer (Console->Client)`	= `BOOLEAN`	no

Address

Required:: True
Type:: STRING

Where the address is a host name, a fully qualified domain name, or a network address in dotted quad notation for a Bareos File daemon. This record is required.

Description

Type:: STRING

Enable kTLS

Type:: BOOLEAN
Default value:: no

If set to “yes”, Bareos will allow the SSL implementation to use Kernel TLS.

FD Port

Type:: PINT32
Default value:: 9102

Where the port is a port number at which the Bareos File daemon can be contacted.

Name

Required:: True
Type:: NAME

The Client name used to identify the Director in the list of monitored daemons. It is not required to be the same as the one defined in the Client’s configuration file. This record is required.

Password

Required:: True
Type:: MD5PASSWORD

This is the password to be used when establishing a connection with the File services, so the Client configuration file on the machine to be backed up must have the same password defined for this Director. This record is required.

TLS Allowed CN

Type:: STRING_LIST

“Common Name”s (CNs) of the allowed peer certificates.

TLS Authenticate

Type:: BOOLEAN
Default value:: no

Use TLS only to authenticate, not for encryption.

TLS CA Certificate Dir

Type:: DIRECTORY

Path of a TLS CA certificate directory.

TLS CA Certificate File

Type:: DIRECTORY

Path of a PEM encoded TLS CA certificate(s) file.

TLS Certificate

Type:: DIRECTORY

Path of a PEM encoded TLS certificate.

TLS Certificate Revocation List

Type:: DIRECTORY

Path of a Certificate Revocation List file.

TLS Cipher List

Type:: DIRECTORY

List of valid TLSv1.2 and lower Ciphers; see openssl ciphers

TLS Cipher Suites

Type:: DIRECTORY

Colon separated list of valid TLSv1.3 Ciphers; see openssl ciphers -s -tls1_3. Leftmost element has the highest priority. Currently only SHA256 ciphers are supported.

TLS DH File

Type:: DIRECTORY

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications.

TLS Enable

Type:: BOOLEAN
Default value:: yes

Enable TLS support.

TLS Key

Type:: DIRECTORY

Path of a PEM encoded private key. It must correspond to the specified “TLS Certificate”.

TLS Protocol

Type:: STRING
Since Version:: 20.0.0

OpenSSL Configuration: Protocol

TLS Require

Type:: BOOLEAN
Default value:: yes

If set to “no”, Bareos can fall back to use unencrypted connections.

TLS Verify Peer

Type:: BOOLEAN
Default value:: no

If disabled, all certificates signed by a known CA will be accepted. If enabled, the CN of a certificate must the Address or in the “TLS Allowed CN” list.

Storage Resource

The Storage resource defines the attributes of the Storages that are monitored by this Monitor.

You must create a Director resource in the Storage’s configuration file, using the Director Name defined in the Monitor resource. To avoid security problems, you should set the Monitor directive to Yes in this Director resource.

You may have multiple Director resource specifications in a single Monitor configuration file.

configuration directive name	type of data	default value	remark
`Address (Console->Storage)`	= `STRING`		required
`Description (Console->Storage)`	= `STRING`
`Enable kTLS (Console->Storage)`	= `BOOLEAN`	no
`Name (Console->Storage)`	= `NAME`		required
`Password (Console->Storage)`	= `MD5PASSWORD`		required
`SD Address (Console->Storage)`	= `STRING`
`SD Password (Console->Storage)`	= `MD5PASSWORD`
`SD Port (Console->Storage)`	= `PINT32`	9103
`TLS Allowed CN (Console->Storage)`	= `STRING_LIST`
`TLS Authenticate (Console->Storage)`	= `BOOLEAN`	no
`TLS CA Certificate Dir (Console->Storage)`	= `DIRECTORY`
`TLS CA Certificate File (Console->Storage)`	= `DIRECTORY`
`TLS Certificate (Console->Storage)`	= `DIRECTORY`
`TLS Certificate Revocation List (Console->Storage)`	= `DIRECTORY`
`TLS Cipher List (Console->Storage)`	= `DIRECTORY`
`TLS Cipher Suites (Console->Storage)`	= `DIRECTORY`
`TLS DH File (Console->Storage)`	= `DIRECTORY`
`TLS Enable (Console->Storage)`	= `BOOLEAN`	yes
`TLS Key (Console->Storage)`	= `DIRECTORY`
`TLS Protocol (Console->Storage)`	= `STRING`
`TLS Require (Console->Storage)`	= `BOOLEAN`	yes
`TLS Verify Peer (Console->Storage)`	= `BOOLEAN`	no

Address

Required:: True
Type:: STRING

Where the address is a host name, a fully qualified domain name, or a network address in dotted quad notation for a Bareos Storage daemon. This record is required.

Description

Type:: STRING

Enable kTLS

Type:: BOOLEAN
Default value:: no

If set to “yes”, Bareos will allow the SSL implementation to use Kernel TLS.

Name

Required:: True
Type:: NAME

The Storage name used to identify the Director in the list of monitored daemons. It is not required to be the same as the one defined in the Storage’s configuration file. This record is required.

Password

Required:: True
Type:: MD5PASSWORD

This is the password to be used when establishing a connection with the Storage services. This same password also must appear in the Director resource of the Storage daemon’s configuration file. This record is required.

SD Address

Type:: STRING

SD Password

Type:: MD5PASSWORD

SD Port

Type:: PINT32
Default value:: 9103

Where port is the port to use to contact the storage daemon for information and to start jobs. This same port number must appear in the Storage resource of the Storage daemon’s configuration file.

TLS Allowed CN

Type:: STRING_LIST

“Common Name”s (CNs) of the allowed peer certificates.

TLS Authenticate

Type:: BOOLEAN
Default value:: no

Use TLS only to authenticate, not for encryption.

TLS CA Certificate Dir

Type:: DIRECTORY

Path of a TLS CA certificate directory.

TLS CA Certificate File

Type:: DIRECTORY

Path of a PEM encoded TLS CA certificate(s) file.

TLS Certificate

Type:: DIRECTORY

Path of a PEM encoded TLS certificate.

TLS Certificate Revocation List

Type:: DIRECTORY

Path of a Certificate Revocation List file.

TLS Cipher List

Type:: DIRECTORY

List of valid TLSv1.2 and lower Ciphers; see openssl ciphers

TLS Cipher Suites

Type:: DIRECTORY

Colon separated list of valid TLSv1.3 Ciphers; see openssl ciphers -s -tls1_3. Leftmost element has the highest priority. Currently only SHA256 ciphers are supported.

TLS DH File

Type:: DIRECTORY

Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications.

TLS Enable

Type:: BOOLEAN
Default value:: yes

Enable TLS support.

TLS Key

Type:: DIRECTORY

Path of a PEM encoded private key. It must correspond to the specified “TLS Certificate”.

TLS Protocol

Type:: STRING
Since Version:: 20.0.0

OpenSSL Configuration: Protocol

TLS Require

Type:: BOOLEAN
Default value:: yes

If set to “no”, Bareos can fall back to use unencrypted connections.

TLS Verify Peer

Type:: BOOLEAN
Default value:: no

If disabled, all certificates signed by a known CA will be accepted. If enabled, the CN of a certificate must the Address or in the “TLS Allowed CN” list.

Traymonitor

Traymonitor Security

There is no security problem in relaxing the permissions on Bareos Traymonitor configuration files as long as Bareos File Daemon, Bareos Storage Daemon and Bareos Director are configured properly, so the passwords contained in this file only gives access to the status of the daemons. It could be a security problem if you consider the status information as potentially dangerous (most people consider this as not being dangerous).

Concerning Director’s configuration: In the Bareos Traymonitor configuration files the password in the Monitor resource must point to a restricted console in Bareos Director configuration. So, if you use this password with :command:` bconsole`, you’ll only have access to the status of the director (commands status and .status). It could be a security problem if there is a bug in the ACL code of the director.

Concerning File and Storage Daemons’ configuration: In the Bareos Traymonitor configuration files the Name in the Monitor resource must point to a Director resource in the Bareos File Daemon respectively Bareos Storage Daemon configuration, with the Monitor directive set to Yes.

Example Traymonitor configuration

An example Traymonitor configuration file might be the following:

#
# Bareos Tray Monitor Configuration File
#
Monitor {
  Name = rufus-mon        # password for Directors
  Password = "GN0uRo7PTUmlMbqrJ2Gr1p0fk0HQJTxwnFyE4WSST3MWZseR"
  RefreshInterval = 10 seconds
}

Client {
  Name = rufus-fd
  Address = rufus
  FDPort = 9102           # password for FileDaemon
  Password = "FYpq4yyI1y562EMS35bA0J0QC0M2L3t5cZObxT3XQxgxppTn"
}
Storage {
  Name = rufus-sd
  Address = rufus
  SDPort = 9103           # password for StorageDaemon
  Password = "9usxgc307dMbe7jbD16v0PXlhD64UVasIDD0DH2WAujcDsc6"
}
Director {
  Name = rufus-dir
  DIRport = 9101
  address = rufus
}

Example File daemon’s Director record

Example Monitor resource

#
# Restricted Director, used by tray-monitor to get the
#   status of the file daemon
#
Director {
  Name = rufus-mon
  Password = "FYpq4yyI1y562EMS35bA0J0QC0M2L3t5cZObxT3XQxgxppTn"
  Monitor = yes
}

Example Storage daemon’s Director record

Example Monitor resource

#
# Restricted Director, used by tray-monitor to get the
#   status of the storage daemon
#
Director {
  Name = rufus-mon
  Password = "9usxgc307dMbe7jbD16v0PXlhD64UVasIDD0DH2WAujcDsc6"
  Monitor = yes
}

Example Director’s Console record

Example Monitor resource

#
# Restricted console used by tray-monitor to get the status of the director
#
Console {
  Name = Monitor
  Password = "GN0uRo7PTUmlMbqrJ2Gr1p0fk0HQJTxwnFyE4WSST3MWZseR"
  CommandACL = status, .status
}