Linux Server Performance Monitoring with Netdata

Netdata is an open-source, real-time Linux server performance monitoring tool with a beautiful web front-end. With netdata, you can monitor CPU, RAM usage, disk I/O, network traffic, and Postfix, among many other things. Written in C, netdata is super fast and resource-efficient.

Netdata Features:

  • It helps you instantly diagnose slowdowns and anomalies in your infrastructure with thousands of metrics, interactive visualizations, and insightful health alarms.
  • 1s granularity – Netdata updates system statistics per second.
  • Fast and lightweight – By default it uses only 1% CPU of a single core and 25 MB RAM.
  • It collects thousands of metrics.

In this tutorial, we are going to look at how to install netdata on Debian/Ubuntu and Redhat/CentOS/Fedora servers. We will also discuss how to enable password authentication on the netdata web interface so that only authorized users can have access to it.

Install netdata on Linux Server

Netdata is included in many Linux distributions’ repositories. However, the packaged version is probably out of date. To get the latest version, you can use the official install script. Simply run the following command on your Linux system.

bash <(curl -Ss https://my-netdata.io/kickstart.sh)

It might ask you to enter your password if you are not root.

Then it will try to install dependencies if they are not already installed on your system. Next, it gives you a nice hint about where files will be installed on your system. Press Enter to start the build and installation.

Once it’s installed, it should be started automatically and enabled to start on system boot, as you can see with systemctl status.

systemctl status netdata

Sample output:

 netdata.service - Real time performance monitoring
   Loaded: loaded (/lib/systemd/system/netdata.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-11-22 09:52:13 CET; 2min 21s ago
  Process: 23647 ExecStartPre=/bin/chown -R netdata:netdata /var/run/netdata (code=exited, status=0/SUCCESS)
  Process: 23646 ExecStartPre=/bin/mkdir -p /var/run/netdata (code=exited, status=0/SUCCESS)
  Process: 23645 ExecStartPre=/bin/chown -R netdata:netdata /var/cache/netdata (code=exited, status=0/SUCCESS)
  Process: 23644 ExecStartPre=/bin/mkdir -p /var/cache/netdata (code=exited, status=0/SUCCESS)
 Main PID: 23648 (netdata)

Netdata listens on port 19999 by default. Now enter server-ip:19999 in your browser address bar to access the netdata web interface. It doesn’t have an authentication mechanism, so anyone who knows your IP address can access it.

Set Up Nginx Reverse Proxy

To access the web interface through a domain name instead of an IP address and port number, we can set up Nginx as a reverse proxy for netdata. First, install Nginx on your Linux server.

Debian/Ubuntu

sudo apt install nginx

Redhat/CentOS/Fedora

sudo yum install nginx

OpenSUSE

sudo zypper install nginx

Arch Linux/Manjaro

sudo pacman -S nginx

After nginx is installed, create a virtual host config file for netdata under /etc/nginx/conf.d/ directory.

sudo nano /etc/nginx/conf.d/netdata.conf

Put the following text into the file. Replace netdata.example.com with your actual domain name, and don’t forget to set a DNS A record for this subdomain.

upstream backend {
   server 127.0.0.1:19999;
   keepalive 64;
}

server {
   listen 80;
   server_name netdata.example.com;

   location / {
     proxy_set_header X-Forwarded-Host $host;
     proxy_set_header X-Forwarded-Server $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass http://backend;
     proxy_http_version 1.1;
     proxy_pass_request_headers on;
     proxy_set_header Connection "keep-alive";
     proxy_store off;
   }
}

Save and close this file. Then test Nginx configuration.

sudo nginx -t

If the config test is successful, reload Nginx.

sudo service nginx reload

or

sudo systemctl reload nginx

Now the netdata web interface is available at http://netdata.example.com.

Listen on Localhost Only

By default, netdata listens on the public IP address. Now that netdata can be accessed via the Nginx reverse proxy, it’s a good security measure to make netdata listen only on 127.0.0.1, so that the dashboard cannot be reached directly on port 19999 without going through Nginx. Open the netdata config file.

sudo nano /etc/netdata/netdata.conf

Go to the [web] section and find the following line:

# bind to = *

Remove the # sign and set its value to 127.0.0.1.

bind to = 127.0.0.1

Save and close the file. Then restart netdata for the change to take effect.

sudo systemctl restart netdata

Please note that if you set the bind to value to the IPv6 address ::1, then you should also specify an IPv6 address in the upstream section of the Nginx virtual host config file, like below.

upstream backend {
   server [::1]:19999;
   keepalive 64;
}
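
The following is an added example, not part of the original tutorial: a small shell check that reads the [web] section of a netdata.conf and reports whether the effective bind to value is loopback-only. The function names and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that netdata's [web] "bind to" setting is loopback-only.

# Print the effective "bind to" value from the [web] section of a netdata.conf.
# A missing or commented-out line means netdata falls back to its default, "*".
netdata_bind_value() {
    awk '
        /^[ \t]*\[/ { in_web = ($0 ~ /^[ \t]*\[web\]/); next }
        in_web && /^[ \t]*bind to[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            val = $0
        }
        END { print (val == "" ? "*" : val) }
    ' "$1"
}

# Return 0 only if every address in the (space-separated) value is loopback.
netdata_bind_is_local() {
    netdata_bind_value "$1" | awk '
        { for (i = 1; i <= NF; i++)
            if ($i !~ /^(127\.[0-9.]+|localhost|::1|\[::1\])(:[0-9]+)?$/) bad = 1 }
        END { exit bad }
    '
}

# Constructed sample configs: the stock file and the hardened one from this section.
tmp=$(mktemp -d)
printf '[web]\n\t# bind to = *\n' > "$tmp/default.conf"
printf '[global]\n\trun as user = netdata\n[web]\n\tbind to = 127.0.0.1\n' > "$tmp/hardened.conf"
for f in "$tmp/default.conf" "$tmp/hardened.conf"; do
    if netdata_bind_is_local "$f"; then state="loopback only"; else state="non-loopback listener"; fi
    echo "$(basename "$f"): bind to = $(netdata_bind_value "$f") -> $state"
done
```

On a live server, pass /etc/netdata/netdata.conf to netdata_bind_is_local, and confirm the running listener after the restart with `sudo ss -tlnp | grep 19999`.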

Enable HTTPS

It’s highly recommended that you use TLS to encrypt HTTP traffic. We can enable HTTPS by installing a free TLS certificate issued from Let’s Encrypt. Run the following command to install Let’s Encrypt client (certbot) on Ubuntu 18.04 server.

sudo apt install certbot

If you use Nginx, then you also need to install the Certbot Nginx plugin.

sudo apt install python3-certbot-nginx

Next, run the following command to obtain and install a TLS certificate. Replace you@example.com with your own email address.

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d netdata.example.com

Where

  • --nginx: Use the nginx plugin.
  • --agree-tos: Agree to terms of service.
  • --redirect: Force HTTPS by 301 redirect.
  • --hsts: Add the Strict-Transport-Security header to every HTTP response, forcing the browser to always use TLS for the domain. Defends against SSL/TLS stripping.
  • --staple-ocsp: Enables OCSP Stapling. A valid OCSP response is stapled to the certificate that the server offers during TLS.

The certificate should now be obtained and automatically installed.

Enable Password Authentication

If you installed netdata on a production Linux server, it’s important to enable access control so only authorized users can see what applications are running on your system.

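Generate a password file with the following command. Replace yourusername and yourpassword with your preferred username and password. The password file will be created at /etc/nginx/passwords. The -apr1 option produces a salted MD5-based hash that Nginx accepts; the older -crypt option only uses the first 8 characters of the password and was removed in OpenSSL 3.0.

printf '%s:%s\n' 'yourusername' "$(openssl passwd -apr1 'yourpassword')" | sudo tee -a /etc/nginx/passwords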

Then edit the Nginx virtual host config file for netdata.

sudo nano /etc/nginx/conf.d/netdata.conf

Add the auth directives in the server section. The auth_basic directive enables basic password authentication, and the auth_basic_user_file directive specifies the password file.

server {
   ....

   auth_basic "Protected";
   auth_basic_user_file /etc/nginx/passwords;

   ....
}

Save and close the file. Then reload Nginx.

sudo systemctl reload nginx

Now your browser will ask you to enter the username and password.
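
Nginx accepts several hash formats in the auth_basic_user_file, including traditional DES crypt, which only uses the first 8 characters of a password. The following added example (not part of the original tutorial) audits a password file for weak hash formats and for world-readable permissions; the function name and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Nginx auth_basic_user_file for weak entries.
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
htpasswd_audit() {
    audit_rc=0
    if awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        NF < 2 || $1 == "" || $2 == "" {
            print "line " NR ": malformed entry (expected user:hash)"; next }
        index($2, "{PLAIN}") == 1 { print $1 ": plaintext password"; next }
        index($2, "{SHA}") == 1   { print $1 ": unsalted SHA-1 hash"; next }
        length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" {
            print $1 ": DES crypt hash, only the first 8 password characters count" }
    ' "$1" | grep .; then
        audit_rc=1
    fi
    # Character 8 of the ls mode string is the "other" read bit.
    if [ "$(ls -ld "$1" | cut -c8)" = "r" ]; then
        echo "$1: readable by every local user"
        audit_rc=1
    fi
    return $audit_rc
}

# Constructed sample: neither hash is real, only the formats matter.
sample=$(mktemp)
printf '%s\n' 'alice:$apr1$Xk3pQ9zL$constructedNotARealHash00' \
              'bob:abJnggxhB/yJA' > "$sample"
chmod 640 "$sample"
htpasswd_audit "$sample" || echo "-> regenerate the flagged entries with a salted hash"
```

On a real server, run it as root against /etc/nginx/passwords; the file only needs to be readable by root and the user the Nginx worker processes run as.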

Netdata Linux Server Performance Monitoring Screenshot Tour

[Screenshots: CPU usage, RAM usage, disk I/O, and network traffic charts]

Memory De-duplication

If the kernel memory de-duper (called Kernel Same-page Merging, or KSM) is available on your system, you can enable it to save 40-60% of netdata memory. To enable KSM, run the following commands as root (sudo won’t work).

echo 1 >/sys/kernel/mm/ksm/run

echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs

How to Uninstall Netdata

The uninstall script is available at /usr/libexec/netdata/netdata-uninstaller.sh.

How to Update Netdata

The update script is available at /usr/libexec/netdata/netdata-updater.sh, and a cron job (/etc/cron.daily/netdata-updater) is added to update Netdata daily.

Wrapping Up

Hope you like this Linux server performance monitoring tool. Comments, questions or suggestions are always welcome. As always, if you found this post useful,  subscribe to our free newsletter to get more tips and tricks 🙂

4 Responses to “Linux Server Performance Monitoring with Netdata”

  • Dennis Keefe
    3 years ago

    Great tutorial, thank you!

  • Dennis Keefe
    3 years ago

    FYI: If you install on a DigitalOcean lamp server, the firewall is on by default. You must allow the port using command “ufw allow 19999”

  • Do you know how to get NetData running on opnSense? Thank you
