Configuration
The OPNsense Exporter follows standard Prometheus ecosystem conventions. It can be configured using command-line flags, environment variables, or a combination of both. Environment variables take the prefix OPNSENSE_EXPORTER_ unless noted otherwise.
The flag tables on this page are generated from the exporter's own flag definitions by make docs, so they always match the binary.
OPNsense connection
These settings control how the exporter connects to the OPNsense API.
| Flag | Env Var | Default | Description |
|---|---|---|---|
| `--opnsense.address` | `OPNSENSE_EXPORTER_OPS_API` | -- | Required. Hostname or IP address of OPNsense API |
| `--opnsense.api-key` | `OPNSENSE_EXPORTER_OPS_API_KEY` | -- | API key to use to connect to OPNsense API. This flag/ENV or the OPS_API_KEY_FILE may be set. |
| `--opnsense.api-secret` | `OPNSENSE_EXPORTER_OPS_API_SECRET` | -- | API secret to use to connect to OPNsense API. This flag/ENV or the OPS_API_SECRET_FILE may be set. |
| `--opnsense.insecure` | `OPNSENSE_EXPORTER_OPS_INSECURE` | false | Disable TLS certificate verification |
| `--opnsense.protocol` | `OPNSENSE_EXPORTER_OPS_PROTOCOL` | -- | Required. Protocol to use to connect to OPNsense API. One of: [http, https] |
Note
--opnsense.api-key / --opnsense.api-secret are not marked required because the
file-based secrets below are an alternative source — but one of the two must be set
for each credential. See Security: File-based secrets.
File-based secrets
For secure credential management in containers and orchestrated environments, credentials can be read from files:
| Env Var | Description |
|---|---|
| `OPS_API_KEY_FILE` | Path to a file containing the API key (first line is read) |
| `OPS_API_SECRET_FILE` | Path to a file containing the API secret (first line is read) |
Note
These environment variables do not use the OPNSENSE_EXPORTER_ prefix. They are checked first -- if a file-based secret is set and non-empty, it takes precedence over the flag/env var value.
Exporter settings
| Flag | Env Var | Default | Description |
|---|---|---|---|
| `--exporter.instance-label` | `OPNSENSE_EXPORTER_INSTANCE_LABEL` | -- | Label to use to identify the instance in every metric. If you have multiple instances of the exporter, you can differentiate them by using a different value for this flag, which represents the instance of the target OPNsense. If left empty, it defaults to the OPNsense hostname reported by the API (falling back to the configured OPNsense address if that lookup fails). |
| `--exporter.scrape-timeout-offset` | `OPNSENSE_EXPORTER_SCRAPE_TIMEOUT_OFFSET` | 500ms | Duration subtracted from Prometheus' X-Prometheus-Scrape-Timeout-Seconds header when deriving the scrape deadline, so the exporter finishes and responds before Prometheus gives up. If the offset would consume the whole budget, the raw header timeout is used. |
| `--log.format` | -- | logfmt | Output format of log messages. One of: [logfmt, json] |
| `--log.level` | -- | info | Only log messages with the given severity or above. One of: [debug, info, warn, error] |
| `--web.config.file` | -- | -- | Path to configuration file that can enable TLS or authentication. See: https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md |
| `--web.disable-exporter-metrics` | `OPNSENSE_EXPORTER_DISABLE_EXPORTER_METRICS` | -- | Exclude metrics about the exporter itself (`promhttp_*`, `process_*`, `go_*`). |
| `--web.listen-address` | -- | :8080 | Addresses on which to expose metrics and web interface. Repeatable for multiple addresses. Examples: :9100 or [::1]:9100 for http, vsock://:9100 for vsock |
| `--web.systemd-socket` | -- | -- | Use systemd socket activation listeners instead of port listeners (Linux only). |
| `--web.telemetry-path` | -- | /metrics | Path under which to expose metrics. |
Health endpoints & scrape filtering
The exporter serves two probe endpoints alongside /metrics:
| Path | Behavior |
|---|---|
| `/-/healthy` | Liveness: always 200 OK while the process is serving. No upstream dependency. |
| `/-/ready` | Readiness: 200 OK when the OPNsense API health check succeeds, 503 otherwise. Results (including failures) are cached for 10 seconds so Kubernetes probes cannot hammer the firewall API; each upstream probe is bounded to 5 seconds and detached from the prober's own request timeout. |
Kubernetes: do not gate readiness on the firewall
/-/ready depends on the OPNsense API. If Prometheus discovers the exporter via Kubernetes Service endpoints, a not-ready pod drops out of the endpoints list — so an unreachable firewall would stop the exporter being scraped and you would lose the opnsense_up=0 signal exactly when the firewall is down. Do not use /-/ready as a readinessProbe in that setup — use /-/healthy for both probes (as the bundled deploy/k8s/deployment.yaml does). /-/ready is intended for ordered startup and manual/external checks.
Note: if you configure basic_auth_users in the exporter-toolkit web config file (--web.config.file), authentication applies to all endpoints including /-/healthy and /-/ready — Kubernetes probes cannot easily send basic-auth credentials, so prefer network-level protection over basic auth when probes are in use.
/metrics supports node_exporter-style per-scrape collector filtering:
```bash
curl 'http://localhost:8080/metrics?collect[]=gateways&collect[]=interfaces'
curl 'http://localhost:8080/metrics?exclude[]=firewall_rule'
```
collect[] and exclude[] are mutually exclusive (400 if both are given); unknown collector names return 400 listing the valid names (the subsystem names of the collectors enabled in this instance). The always-on metrics (opnsense_up, health/status, opnsense_exporter_*) are emitted regardless of filtering.
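The filtering rules above, worked through as an added example (a sketch written for this page, not the exporter's own code). The enabled collector list is a constructed sample taken from the names in the curl commands, and applying the unknown-name check to `exclude[]` as well as `collect[]` is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// selectCollectors applies the collect[]/exclude[] rules to one scrape request.
// enabled holds the subsystem names of the collectors active in this instance.
// It returns the collectors to run (sorted), the HTTP status and an error text.
func selectCollectors(q url.Values, enabled []string) ([]string, int, string) {
	collect, exclude := q["collect[]"], q["exclude[]"]
	if len(collect) > 0 && len(exclude) > 0 {
		return nil, http.StatusBadRequest, "collect[] and exclude[] are mutually exclusive"
	}

	names := append([]string(nil), enabled...)
	sort.Strings(names)
	valid := make(map[string]bool, len(names))
	for _, n := range names {
		valid[n] = true
	}

	// Reject unknown names and tell the caller which names are valid.
	requested := collect
	if len(exclude) > 0 {
		requested = exclude
	}
	for _, n := range requested {
		if !valid[n] {
			msg := fmt.Sprintf("unknown collector %q; valid names: %s", n, strings.Join(names, ", "))
			return nil, http.StatusBadRequest, msg
		}
	}

	chosen := make(map[string]bool, len(names))
	if len(collect) > 0 {
		for _, n := range collect {
			chosen[n] = true
		}
	} else {
		for _, n := range names {
			chosen[n] = true
		}
		for _, n := range exclude {
			delete(chosen, n)
		}
	}
	out := make([]string, 0, len(chosen))
	for n := range chosen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out, http.StatusOK, ""
}

// filterQuery evaluates a raw query string against a constructed sample set of
// enabled collectors and returns "status:collector,collector".
func filterQuery(raw string) string {
	q, err := url.ParseQuery(raw)
	if err != nil {
		return "400:"
	}
	enabled := []string{"gateways", "interfaces", "firewall_rule"} // constructed sample
	sel, status, _ := selectCollectors(q, enabled)
	return fmt.Sprintf("%d:%s", status, strings.Join(sel, ","))
}

func main() {
	for _, raw := range []string{
		"collect[]=gateways&collect[]=interfaces",
		"exclude[]=firewall_rule",
		"collect[]=gateways&exclude[]=interfaces",
		"collect[]=nope",
		"",
	} {
		fmt.Printf("%-45q -> %s\n", raw, filterQuery(raw))
	}
}
```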
The exporter also honors the X-Prometheus-Scrape-Timeout-Seconds header sent by Prometheus: the collector fan-out runs under a deadline of the header value minus --exporter.scrape-timeout-offset, so a slow firewall endpoint produces a partial-but-successful scrape (with the affected collector's opnsense_exporter_scrape_collector_success = 0) instead of a wholesale scrape failure.
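How the deadline produces a partial scrape, as an added example (a sketch, not the exporter's implementation). The `collector` type and the simulated latencies are constructed for illustration, and treating a missing or unparsable header as "no deadline" is an assumption.

```go
package main

import (
	"context"
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

const defaultOffset = 500 * time.Millisecond // default of --exporter.scrape-timeout-offset

// scrapeBudget derives the collection budget from the value of the
// X-Prometheus-Scrape-Timeout-Seconds header. When the offset would consume
// the whole budget, the raw header timeout is used instead.
func scrapeBudget(header string, offset time.Duration) (time.Duration, bool) {
	secs, err := strconv.ParseFloat(strings.TrimSpace(header), 64)
	maxSecs := float64(math.MaxInt64) / float64(time.Second)
	if err != nil || math.IsNaN(secs) || secs <= 0 || secs >= maxSecs {
		return 0, false // assumption: no usable header means no derived deadline
	}
	timeout := time.Duration(secs * float64(time.Second))
	if offset <= 0 || offset >= timeout {
		return timeout, true
	}
	return timeout - offset, true
}

// collector is a hypothetical stand-in for one exporter collector.
type collector struct {
	name string
	run  func(ctx context.Context) error
}

// scrape fans out to all collectors under the derived deadline and returns a
// per-collector success value (1 or 0), the role played by
// opnsense_exporter_scrape_collector_success on the real exporter.
func scrape(header string, offset time.Duration, cs []collector) map[string]int {
	ctx := context.Background()
	if budget, ok := scrapeBudget(header, offset); ok {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, budget)
		defer cancel()
	}
	type result struct {
		name string
		err  error
	}
	ch := make(chan result, len(cs))
	for _, c := range cs {
		go func(c collector) { ch <- result{c.name, c.run(ctx)} }(c)
	}
	success := make(map[string]int, len(cs))
	for range cs {
		r := <-ch
		if r.err == nil {
			success[r.name] = 1
		} else {
			success[r.name] = 0 // deadline hit: the scrape still completes
		}
	}
	return success
}

// simulated returns a collector that takes the given time unless cancelled.
func simulated(name string, latency time.Duration) collector {
	return collector{name: name, run: func(ctx context.Context) error {
		select {
		case <-time.After(latency):
			return nil
		case <-ctx.Done():
			return ctx.Err()
		}
	}}
}

// demoScrape uses a 1 s scrape timeout with the default offset (500 ms budget),
// one fast collector and one slow firewall endpoint (constructed latencies).
func demoScrape() map[string]int {
	return scrape("1", defaultOffset, []collector{
		simulated("gateways", 10*time.Millisecond),
		simulated("firewall_rule", 5*time.Second),
	})
}

func main() {
	for _, h := range []string{"10", "0.25", ""} {
		b, ok := scrapeBudget(h, defaultOffset)
		fmt.Printf("header=%q budget=%v ok=%v\n", h, b, ok)
	}
	fmt.Println(demoScrape())
}
```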
Continuous profiling (Pyroscope)
The exporter can push continuous profiles to Grafana Cloud Pyroscope using the
pyroscope-go SDK. Profiling is disabled by default and activates only when
--pyroscope.server-address (env OPNSENSE_EXPORTER_PYROSCOPE_SERVER_ADDRESS)
is set. There are no unauthenticated /debug/pprof/* endpoints.
| Flag | Env Var | Default | Description |
|---|---|---|---|
| `--pyroscope.application-name` | `OPNSENSE_EXPORTER_PYROSCOPE_APPLICATION_NAME` | opnsense-exporter | Pyroscope application name profiles are reported under. |
| `--pyroscope.auth-password` | `OPNSENSE_EXPORTER_PYROSCOPE_AUTH_PASSWORD` | -- | HTTP basic auth password for Pyroscope (Grafana Cloud Access Policy token). This flag/ENV or PYROSCOPE_AUTH_PASSWORD_FILE may be set. |
| `--pyroscope.auth-user` | `OPNSENSE_EXPORTER_PYROSCOPE_AUTH_USER` | -- | HTTP basic auth user for Pyroscope (Grafana Cloud stack/instance ID). This flag/ENV or PYROSCOPE_AUTH_USER_FILE may be set. |
| `--pyroscope.enable-mutex-block` | `OPNSENSE_EXPORTER_PYROSCOPE_ENABLE_MUTEX_BLOCK` | false | Enable goroutine/mutex/block profiling (adds minor runtime overhead). |
| `--pyroscope.server-address` | `OPNSENSE_EXPORTER_PYROSCOPE_SERVER_ADDRESS` | -- | Grafana Cloud Pyroscope endpoint URL. When empty, continuous profiling is disabled. |
| `--pyroscope.tenant-id` | `OPNSENSE_EXPORTER_PYROSCOPE_TENANT_ID` | -- | Pyroscope tenant ID (only needed for multi-tenancy; unused for Grafana Cloud). |
File-based secrets
Like the OPNsense API credentials, the auth user and password can be read from
files instead of flags/env vars: set PYROSCOPE_AUTH_USER_FILE and/or
PYROSCOPE_AUTH_PASSWORD_FILE to a path whose first line holds the value. The
file value takes precedence over the corresponding flag/env var when present
and non-empty.
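The precedence rule shared by the OPNsense API credentials (`OPS_API_KEY_FILE`, `OPS_API_SECRET_FILE`) and the Pyroscope credentials here, as an added example (a sketch, not the exporter's source). Trimming whitespace from the first line and returning an error for an unreadable file instead of falling back are assumptions; the file contents are constructed sample values.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errNoCredential = errors.New("neither file-based secret nor flag/env value is set")

// firstLine returns the first line of the file at path without surrounding
// whitespace (trimming is an assumption of this sketch).
func firstLine(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	if sc.Scan() {
		return strings.TrimSpace(sc.Text()), nil
	}
	return "", sc.Err()
}

// resolveSecret checks the *_FILE variable first. A non-empty first line wins
// over the flag/env value; an empty file falls through to the flag/env value.
// It returns the credential and its source ("file" or "flag/env").
func resolveSecret(fileEnv, flagOrEnv string) (string, string, error) {
	if path := os.Getenv(fileEnv); path != "" {
		line, err := firstLine(path)
		if err != nil {
			// Assumption: fail closed so a broken mount is noticed.
			return "", "", fmt.Errorf("%s: %w", fileEnv, err)
		}
		if line != "" {
			return line, "file", nil
		}
	}
	if flagOrEnv != "" {
		return flagOrEnv, "flag/env", nil
	}
	return "", "", fmt.Errorf("%s: %w", fileEnv, errNoCredential)
}

// demoSecrets writes constructed secret files to a temp dir and resolves the
// API key for five configurations, returning "source:value" or "error".
func demoSecrets() ([]string, error) {
	dir, err := os.MkdirTemp("", "exporter-secrets")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	defer os.Unsetenv("OPS_API_KEY_FILE")

	keyFile := filepath.Join(dir, "api-key")
	emptyFile := filepath.Join(dir, "empty")
	// Constructed sample: only the first line is the secret.
	if err := os.WriteFile(keyFile, []byte("key-from-file\nsecond line ignored\n"), 0o600); err != nil {
		return nil, err
	}
	if err := os.WriteFile(emptyFile, nil, 0o600); err != nil {
		return nil, err
	}

	cases := []struct{ filePath, flagValue string }{
		{keyFile, "key-from-flag"},                       // file wins
		{emptyFile, "key-from-flag"},                     // empty file: flag/env used
		{"", "key-from-flag"},                            // no *_FILE variable
		{"", ""},                                         // nothing configured
		{filepath.Join(dir, "missing"), "key-from-flag"}, // unreadable file
	}
	var out []string
	for _, c := range cases {
		os.Setenv("OPS_API_KEY_FILE", c.filePath)
		v, src, err := resolveSecret("OPS_API_KEY_FILE", c.flagValue)
		if err != nil {
			out = append(out, "error")
			continue
		}
		out = append(out, src+":"+v)
	}
	return out, nil
}

func main() {
	results, err := demoSecrets()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, r := range results {
		fmt.Println(r)
	}
}
```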
Profiles are tagged with instance (the resolved instance label) and version.
OTLP metrics export
In addition to the /metrics pull endpoint, the exporter can push the exact
same metrics to an OpenTelemetry (OTLP) endpoint. A Prometheus-bridge producer reads
the existing registry on each export tick, so OTLP metric names, labels and values
are identical to what /metrics exposes (no native renaming) — existing dashboards
keep working against either backend. Export is disabled by default and activates
only when --otlp.enabled (env OPNSENSE_EXPORTER_OTLP_ENABLED) is set. The pull
endpoint is unaffected whether or not OTLP is enabled.
Any field left empty falls through to the corresponding standard OpenTelemetry
environment variable (OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS,
OTEL_EXPORTER_OTLP_PROTOCOL, OTEL_METRIC_EXPORT_INTERVAL, OTEL_SERVICE_NAME,
OTEL_RESOURCE_ATTRIBUTES, …) read natively by the OTEL SDK. Explicit --otlp.*
flags take precedence over those env vars.
| Flag | Env Var | Default | Description |
|---|---|---|---|
| `--otlp.enabled` | `OPNSENSE_EXPORTER_OTLP_ENABLED` | false | Enable pushing metrics to an OTLP endpoint (in addition to the /metrics pull endpoint). Off by default. |
| `--otlp.endpoint` | `OPNSENSE_EXPORTER_OTLP_ENDPOINT` | -- | OTLP endpoint URL. When empty, the standard OTEL_EXPORTER_OTLP_ENDPOINT env var is used. |
| `--otlp.export-interval` | `OPNSENSE_EXPORTER_OTLP_EXPORT_INTERVAL` | 60s | Interval between OTLP metric exports (independent of Prometheus scrapes). |
| `--otlp.grafana-cloud-endpoint` | `OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_ENDPOINT` | -- | Grafana Cloud OTLP gateway base URL (required when using the Grafana Cloud shortcut). |
| `--otlp.grafana-cloud-instance-id` | `OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_INSTANCE_ID` | -- | Grafana Cloud OTLP instance ID. With --otlp.grafana-cloud-token, synthesizes basic-auth. This flag/ENV or OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_INSTANCE_ID_FILE may be set. |
| `--otlp.grafana-cloud-token` | `OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_TOKEN` | -- | Grafana Cloud Access Policy token. This flag/ENV or OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_TOKEN_FILE may be set. |
| `--otlp.headers` | `OPNSENSE_EXPORTER_OTLP_HEADERS` | -- | OTLP headers as comma-separated key=value pairs (e.g. X-Scope-OrgID=1,Authorization=Bearer x). When set, replaces OTEL_EXPORTER_OTLP_HEADERS entirely; when empty, that env var is used. |
| `--otlp.insecure` | `OPNSENSE_EXPORTER_OTLP_INSECURE` | false | Disable TLS for the OTLP connection (plaintext). |
| `--otlp.protocol` | `OPNSENSE_EXPORTER_OTLP_PROTOCOL` | http/protobuf | OTLP transport protocol: grpc or http/protobuf. When empty, OTEL_EXPORTER_OTLP_PROTOCOL is used. |
| `--otlp.service-name` | `OPNSENSE_EXPORTER_OTLP_SERVICE_NAME` | opnsense-exporter | service.name resource attribute for exported metrics. |
| `--otlp.tls-ca-file` | `OPNSENSE_EXPORTER_OTLP_TLS_CA_FILE` | -- | Path to a CA certificate file used to verify the OTLP server. |
| `--otlp.tls-cert-file` | `OPNSENSE_EXPORTER_OTLP_TLS_CERT_FILE` | -- | Path to a client certificate file for OTLP mutual TLS (requires --otlp.tls-key-file). |
| `--otlp.tls-key-file` | `OPNSENSE_EXPORTER_OTLP_TLS_KEY_FILE` | -- | Path to a client key file for OTLP mutual TLS (requires --otlp.tls-cert-file). |
The metric set exported over OTLP is byte-for-byte the same as the Prometheus catalogue (see the metrics reference); enabling OTLP adds no new metric names.
Grafana Cloud shortcut
Setting --otlp.grafana-cloud-instance-id, --otlp.grafana-cloud-token and
--otlp.grafana-cloud-endpoint together synthesizes the
Authorization: Basic base64(instanceID:token) header and uses the gateway URL as
the endpoint, so you do not have to assemble the basic-auth header yourself. An
explicit --otlp.endpoint or Authorization header always wins over the shortcut.
The instance ID and token also support *_FILE secret variants
(OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_INSTANCE_ID_FILE,
OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_TOKEN_FILE), whose file contents take
precedence over the flag/env value, mirroring the OPNsense API credentials.
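The shortcut's header synthesis and its precedence against explicit settings, as an added example (a sketch, not the exporter's code). The `otlpConfig` struct, the gateway URL and the credentials are constructed; resolving the endpoint and the Authorization header independently of each other, and matching the header name case-insensitively, are assumptions.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// otlpConfig is a hypothetical holder for the flag values discussed above.
type otlpConfig struct {
	Endpoint     string // --otlp.endpoint
	Headers      string // --otlp.headers, "k=v,k=v"
	GCInstanceID string // --otlp.grafana-cloud-instance-id
	GCToken      string // --otlp.grafana-cloud-token
	GCEndpoint   string // --otlp.grafana-cloud-endpoint
}

// parseHeaders splits comma-separated key=value pairs. Only the first '=' is
// a separator, so values such as base64 with padding survive intact.
func parseHeaders(s string) map[string]string {
	h := map[string]string{}
	for _, pair := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if ok && strings.TrimSpace(k) != "" {
			h[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return h
}

// hasHeader reports whether name is present, ignoring case.
func hasHeader(h map[string]string, name string) bool {
	for k := range h {
		if strings.EqualFold(k, name) {
			return true
		}
	}
	return false
}

// resolveOTLP returns the effective endpoint and headers. The shortcut only
// applies when instance ID, token and gateway URL are all set, and it never
// overrides an explicit endpoint or an explicit Authorization header.
func resolveOTLP(c otlpConfig) (string, map[string]string) {
	endpoint, headers := c.Endpoint, parseHeaders(c.Headers)
	if c.GCInstanceID == "" || c.GCToken == "" || c.GCEndpoint == "" {
		return endpoint, headers
	}
	if endpoint == "" {
		endpoint = c.GCEndpoint
	}
	if !hasHeader(headers, "Authorization") {
		cred := base64.StdEncoding.EncodeToString([]byte(c.GCInstanceID + ":" + c.GCToken))
		headers["Authorization"] = "Basic " + cred
	}
	return endpoint, headers
}

func main() {
	// Constructed sample values, not real credentials or a real gateway.
	shortcut := otlpConfig{
		GCInstanceID: "123456",
		GCToken:      "glc_example",
		GCEndpoint:   "https://otlp-gateway.example.invalid/otlp",
	}
	explicit := shortcut
	explicit.Endpoint = "https://collector.example.invalid:4318"
	explicit.Headers = "X-Scope-OrgID=1,Authorization=Bearer x"

	for _, c := range []otlpConfig{shortcut, explicit} {
		ep, h := resolveOTLP(c)
		fmt.Println(ep, h)
	}
}
```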
Temporality
Exported metrics are always cumulative, and this is not configurable. They are sourced from the Prometheus registry via a bridge producer, so they arrive already aggregated as cumulative (Prometheus' model) and are exported as-is — exactly the temporality Grafana Cloud's metrics backend (Mimir) and Prometheus' OTLP ingest require. An exporter-side temporality selector cannot re-aggregate producer-supplied metrics, so no delta option is offered.
Collector switches
All collectors are enabled by default unless noted otherwise. Each can be individually disabled or enabled using CLI flags or environment variables.
Enabled by default (disable with flag)
| Flag | Env Var | Collector | Description |
|---|---|---|---|
| `--exporter.disable-acme` | `OPNSENSE_EXPORTER_DISABLE_ACME` | ACME Client | Disable the scraping of ACME client certificate renewal status and expiry metrics (silent when the os-acme-client plugin is absent) |
| `--exporter.disable-apcupsd` | `OPNSENSE_EXPORTER_DISABLE_APCUPSD` | APC UPS (apcupsd) | Disable the scraping of APC UPS (apcupsd) metrics (silent when the os-apcupsd plugin is absent) |
| `--exporter.disable-arp-table` | `OPNSENSE_EXPORTER_DISABLE_ARP_TABLE` | ARP Table | Disable the scraping of the ARP table |
| `--exporter.disable-activity` | `OPNSENSE_EXPORTER_DISABLE_ACTIVITY` | Activity | Disable the scraping of system activity metrics (CPU percentages, thread counts) |
| `--exporter.disable-bpf` | `OPNSENSE_EXPORTER_DISABLE_BPF` | BPF Statistics | Disable the scraping of BPF listener statistics |
| `--exporter.disable-carp` | `OPNSENSE_EXPORTER_DISABLE_CARP` | CARP | Disable the scraping of CARP/VIP status metrics |
| `--exporter.disable-captiveportal` | `OPNSENSE_EXPORTER_DISABLE_CAPTIVEPORTAL` | Captive Portal | Disable the scraping of captive portal zone/session metrics (silent when no zones are configured) |
| `--exporter.disable-certificates` | `OPNSENSE_EXPORTER_DISABLE_CERTIFICATES` | Certificates | Disable the scraping of certificate expiry metrics |
| `--exporter.disable-chrony` | `OPNSENSE_EXPORTER_DISABLE_CHRONY` | Chrony | Disable the scraping of chrony NTP tracking/source metrics (silent when the os-chrony plugin is absent) |
| `--exporter.disable-cron-table` | `OPNSENSE_EXPORTER_DISABLE_CRON_TABLE` | Cron | Disable the scraping of the cron table |
| `--exporter.disable-crowdsec` | `OPNSENSE_EXPORTER_DISABLE_CROWDSEC` | CrowdSec | Disable the scraping of CrowdSec alert/decision/bouncer/machine counts (silent when the os-crowdsec plugin is absent) |
| `--exporter.disable-dnsmasq` | `OPNSENSE_EXPORTER_DISABLE_DNSMASQ` | Dnsmasq DHCP | Disable the scraping of Dnsmasq DHCP leases |
| `--exporter.disable-dyndns` | `OPNSENSE_EXPORTER_DISABLE_DYNDNS` | DynDNS | Disable the scraping of DynDNS (ddclient) account update status metrics (silent when the os-ddclient plugin is absent) |
| `--exporter.disable-frr` | `OPNSENSE_EXPORTER_DISABLE_FRR` | FRR Routing (BGP/OSPF/BFD) | Disable the scraping of FRR routing metrics (BGP/OSPF/BFD; silent when the os-frr plugin is absent) |
| `--exporter.disable-firewall` | `OPNSENSE_EXPORTER_DISABLE_FIREWALL` | Firewall | Disable the scraping of the firewall (pf) metrics |
| `--exporter.disable-alias` | `OPNSENSE_EXPORTER_DISABLE_ALIAS` | Firewall Aliases | Disable the scraping of firewall alias table sizes |
| `--exporter.disable-firewall-rules` | `OPNSENSE_EXPORTER_DISABLE_FIREWALL_RULES` | Firewall Rules | Disable the scraping of firewall rule statistics |
| `--exporter.disable-firmware` | `OPNSENSE_EXPORTER_DISABLE_FIRMWARE` | Firmware | Disable the scraping of the firmware metrics |
| `--exporter.disable-gateways` | `OPNSENSE_EXPORTER_DISABLE_GATEWAYS` | Gateways | Disable the scraping of gateway status metrics (RTT, packet loss, gateway state) |
| `--exporter.disable-haproxy` | `OPNSENSE_EXPORTER_DISABLE_HAPROXY` | HAProxy | Disable the scraping of HAProxy statistics (silent when the os-haproxy plugin is absent) |
| `--exporter.disable-ipsec` | `OPNSENSE_EXPORTER_DISABLE_IPSEC` | IPsec | Disable the scraping of IPSec service |
| `--exporter.disable-dhcpv4` | `OPNSENSE_EXPORTER_DISABLE_DHCPV4` | ISC DHCPv4 | Disable the scraping of ISC DHCPv4 leases (silent when the legacy ISC DHCP backend is absent) |
| `--exporter.disable-dhcpv6` | `OPNSENSE_EXPORTER_DISABLE_DHCPV6` | ISC DHCPv6 | Disable the scraping of ISC DHCPv6 leases and delegated prefixes (silent when the legacy ISC DHCP backend is absent) |
| `--exporter.disable-kea` | `OPNSENSE_EXPORTER_DISABLE_KEA` | Kea DHCP | Disable the scraping of Kea DHCP lease metrics |
| `--exporter.disable-mbuf` | `OPNSENSE_EXPORTER_DISABLE_MBUF` | Mbuf | Disable the scraping of mbuf statistics |
| `--exporter.disable-monit` | `OPNSENSE_EXPORTER_DISABLE_MONIT` | Monit | Disable the scraping of Monit service check status (silent when Monit is not running) |
| `--exporter.disable-ndp` | `OPNSENSE_EXPORTER_DISABLE_NDP` | NDP | Disable the scraping of the NDP (IPv6 neighbor discovery) table |
| `--exporter.disable-ntp` | `OPNSENSE_EXPORTER_DISABLE_NTP` | NTP | Disable the scraping of NTP peer metrics |
| `--exporter.disable-nut` | `OPNSENSE_EXPORTER_DISABLE_NUT` | NUT UPS | Disable the scraping of NUT UPS metrics (silent when the os-nut plugin is absent) |
| `--exporter.disable-nginx` | `OPNSENSE_EXPORTER_DISABLE_NGINX` | Nginx | Disable the scraping of nginx VTS statistics (silent when the os-nginx plugin is absent) |
| `--exporter.disable-openvpn` | `OPNSENSE_EXPORTER_DISABLE_OPENVPN` | OpenVPN | Disable the scraping of OpenVPN service |
| `--exporter.disable-pf-stats` | `OPNSENSE_EXPORTER_DISABLE_PF_STATS` | PF Statistics | Disable the scraping of PF statistics (state table, counters, memory limits, timeouts) |
| `--exporter.disable-qfeeds` | `OPNSENSE_EXPORTER_DISABLE_QFEEDS` | Q-Feeds | Disable the scraping of Q-Feeds threat intelligence statistics (silent when the os-q-feeds-connector plugin is absent) |
| `--exporter.disable-smart` | `OPNSENSE_EXPORTER_DISABLE_SMART` | SMART Disk Health | Disable the SMART disk health collector (per-disk POST fanout; silent when the os-smart plugin is absent) |
| `--exporter.disable-syslog` | `OPNSENSE_EXPORTER_DISABLE_SYSLOG` | Syslog | Disable the scraping of syslog-ng statistics |
| `--exporter.disable-system` | `OPNSENSE_EXPORTER_DISABLE_SYSTEM` | System | Disable the scraping of system resource metrics (memory, uptime, disk, swap) |
| `--exporter.disable-tailscale` | `OPNSENSE_EXPORTER_DISABLE_TAILSCALE` | Tailscale | Disable the scraping of Tailscale node-local metrics (silent when the os-tailscale plugin is absent; complementary to tailscale2otel) |
| `--exporter.disable-temperature` | `OPNSENSE_EXPORTER_DISABLE_TEMPERATURE` | Temperature | Disable the scraping of temperature metrics |
| `--exporter.disable-trafficshaper` | `OPNSENSE_EXPORTER_DISABLE_TRAFFICSHAPER` | Traffic Shaper | Disable the scraping of traffic shaper pipe/queue/rule statistics (silent when the shaper is unconfigured) |
| `--exporter.disable-unbound` | `OPNSENSE_EXPORTER_DISABLE_UNBOUND` | Unbound DNS | Disable the scraping of Unbound service |
| `--exporter.disable-wireguard` | `OPNSENSE_EXPORTER_DISABLE_WIREGUARD` | WireGuard | Disable the scraping of WireGuard service |
Always-on collectors
The Interfaces, Protocol Statistics, Services, and built-in health-check collectors are always enabled and have no disable flag.
Disabled by default (opt-in with flag)
These collectors are disabled by default because they make additional API calls per scrape. Enable them only if you need the data.
| Flag | Env Var | Collector | Description |
|---|---|---|---|
| `--exporter.enable-hasync` | `OPNSENSE_EXPORTER_ENABLE_HASYNC` | HA Sync Status | Enable the HA sync status collector (performs a live XML-RPC call to the CARP peer on every scrape). Disabled by default. |
| `--exporter.enable-netflow` | `OPNSENSE_EXPORTER_ENABLE_NETFLOW` | NetFlow | Enable the netflow collector (enabled status, service status, cache stats). Disabled by default. |
| `--exporter.enable-network-diagnostics` | `OPNSENSE_EXPORTER_ENABLE_NETWORK_DIAGNOSTICS` | Network Diagnostics | Enable the network diagnostics collector (netisr, sockets, routes). Disabled by default. |
High-cardinality detail options
These flags enable per-item detail metrics that can produce a large number of time series. Each unique label combination creates a separate time series in Prometheus.
Evaluate before enabling
On a firewall with hundreds of DHCP leases or firewall rules, enabling detail metrics can produce thousands of time series. Monitor your Prometheus storage and ingestion rate after enabling.
| Flag | Env Var | Collector | Description |
|---|---|---|---|
| `--exporter.enable-dnsmasq-details` | `OPNSENSE_EXPORTER_ENABLE_DNSMASQ_DETAILS` | Dnsmasq DHCP | Enable per-lease detail metrics for Dnsmasq DHCP (high cardinality on large networks) |
| `--exporter.enable-alias-details` | `OPNSENSE_EXPORTER_ENABLE_ALIAS_DETAILS` | Firewall Aliases | Enable per-table pf evaluation/packet/byte counters for firewall aliases (~10 series per alias table) |
| `--exporter.enable-firewall-rules-details` | `OPNSENSE_EXPORTER_ENABLE_FIREWALL_RULES_DETAILS` | Firewall Rules | Enable per-rule detail metrics for firewall rules (high cardinality on large rulesets) |
| `--exporter.enable-firmware-package-details` | `OPNSENSE_EXPORTER_ENABLE_FIRMWARE_PACKAGE_DETAILS` | Firmware | Enable per-package firmware detail metrics (pending package updates and installed plugin inventory; adds one extra API call per scrape) |
| `--exporter.enable-dhcpv4-details` | `OPNSENSE_EXPORTER_ENABLE_DHCPV4_DETAILS` | ISC DHCPv4 | Enable per-lease detail metrics for ISC DHCPv4 (high cardinality on large networks) |
| `--exporter.enable-dhcpv6-details` | `OPNSENSE_EXPORTER_ENABLE_DHCPV6_DETAILS` | ISC DHCPv6 | Enable per-lease detail metrics for ISC DHCPv6 (high cardinality on large networks) |
| `--exporter.enable-kea-details` | `OPNSENSE_EXPORTER_ENABLE_KEA_DETAILS` | Kea DHCP | Enable per-lease detail metrics for Kea DHCP (high cardinality on large networks) |
| `--exporter.enable-openvpn-details` | `OPNSENSE_EXPORTER_ENABLE_OPENVPN_DETAILS` | OpenVPN | Enable per-session detail metrics for OpenVPN (exposes usernames and per-client tunnel addresses) |
| `--exporter.enable-tailscale-peer-details` | `OPNSENSE_EXPORTER_ENABLE_TAILSCALE_PEER_DETAILS` | Tailscale | Enable per-peer detail metrics for Tailscale (per-peer cardinality; peer hostname labels) |
| `--exporter.enable-unbound-infra` | `OPNSENSE_EXPORTER_ENABLE_UNBOUND_INFRA` | Unbound DNS | Enable per-upstream infra cache RTT metrics from Unbound (cardinality scales with the resolver's infra cache; one series pair per upstream ip/host) |
Full flag reference¶
Every flag the exporter accepts, generated from the binary's own flag definitions
(--help shows the same set):
| Flag | Env Var | Default | Description |
|---|---|---|---|
--exporter.disable-acme |
OPNSENSE_EXPORTER_DISABLE_ACME |
false |
Disable the scraping of ACME client certificate renewal status and expiry metrics (silent when the os-acme-client plugin is absent) |
--exporter.disable-activity |
OPNSENSE_EXPORTER_DISABLE_ACTIVITY |
false |
Disable the scraping of system activity metrics (CPU percentages, thread counts) |
--exporter.disable-alias |
OPNSENSE_EXPORTER_DISABLE_ALIAS |
false |
Disable the scraping of firewall alias table sizes |
--exporter.disable-apcupsd |
OPNSENSE_EXPORTER_DISABLE_APCUPSD |
false |
Disable the scraping of APC UPS (apcupsd) metrics (silent when the os-apcupsd plugin is absent) |
--exporter.disable-arp-table |
OPNSENSE_EXPORTER_DISABLE_ARP_TABLE |
false |
Disable the scraping of the ARP table |
--exporter.disable-bpf |
OPNSENSE_EXPORTER_DISABLE_BPF |
false |
Disable the scraping of BPF listener statistics |
--exporter.disable-captiveportal |
OPNSENSE_EXPORTER_DISABLE_CAPTIVEPORTAL |
false |
Disable the scraping of captive portal zone/session metrics (silent when no zones are configured) |
--exporter.disable-carp |
OPNSENSE_EXPORTER_DISABLE_CARP |
false |
Disable the scraping of CARP/VIP status metrics |
--exporter.disable-certificates |
OPNSENSE_EXPORTER_DISABLE_CERTIFICATES |
false |
Disable the scraping of certificate expiry metrics |
--exporter.disable-chrony |
OPNSENSE_EXPORTER_DISABLE_CHRONY |
false |
Disable the scraping of chrony NTP tracking/source metrics (silent when the os-chrony plugin is absent) |
--exporter.disable-cron-table |
OPNSENSE_EXPORTER_DISABLE_CRON_TABLE |
false |
Disable the scraping of the cron table |
--exporter.disable-crowdsec |
OPNSENSE_EXPORTER_DISABLE_CROWDSEC |
false |
Disable the scraping of CrowdSec alert/decision/bouncer/machine counts (silent when the os-crowdsec plugin is absent) |
--exporter.disable-dhcpv4 |
OPNSENSE_EXPORTER_DISABLE_DHCPV4 |
false |
Disable the scraping of ISC DHCPv4 leases (silent when the legacy ISC DHCP backend is absent) |
--exporter.disable-dhcpv6 |
OPNSENSE_EXPORTER_DISABLE_DHCPV6 |
false |
Disable the scraping of ISC DHCPv6 leases and delegated prefixes (silent when the legacy ISC DHCP backend is absent) |
--exporter.disable-dnsmasq |
OPNSENSE_EXPORTER_DISABLE_DNSMASQ |
false |
Disable the scraping of Dnsmasq DHCP leases |
--exporter.disable-dyndns |
OPNSENSE_EXPORTER_DISABLE_DYNDNS |
false |
Disable the scraping of DynDNS (ddclient) account update status metrics (silent when the os-ddclient plugin is absent) |
--exporter.disable-firewall |
OPNSENSE_EXPORTER_DISABLE_FIREWALL |
false |
Disable the scraping of the firewall (pf) metrics |
--exporter.disable-firewall-rules |
OPNSENSE_EXPORTER_DISABLE_FIREWALL_RULES |
false |
Disable the scraping of firewall rule statistics |
--exporter.disable-firmware |
OPNSENSE_EXPORTER_DISABLE_FIRMWARE |
false |
Disable the scraping of the firmware metrics |
--exporter.disable-frr |
OPNSENSE_EXPORTER_DISABLE_FRR |
false |
Disable the scraping of FRR routing metrics (BGP/OSPF/BFD; silent when the os-frr plugin is absent) |
--exporter.disable-gateways |
OPNSENSE_EXPORTER_DISABLE_GATEWAYS |
false |
Disable the scraping of gateway status metrics (RTT, packet loss, gateway state) |
--exporter.disable-haproxy |
OPNSENSE_EXPORTER_DISABLE_HAPROXY |
false |
Disable the scraping of HAProxy statistics (silent when the os-haproxy plugin is absent) |
--exporter.disable-ipsec |
OPNSENSE_EXPORTER_DISABLE_IPSEC |
false |
Disable the scraping of IPSec service |
--exporter.disable-kea |
OPNSENSE_EXPORTER_DISABLE_KEA |
false |
Disable the scraping of Kea DHCP lease metrics |
--exporter.disable-mbuf |
OPNSENSE_EXPORTER_DISABLE_MBUF |
false |
Disable the scraping of mbuf statistics |
--exporter.disable-monit |
OPNSENSE_EXPORTER_DISABLE_MONIT |
false |
Disable the scraping of Monit service check status (silent when Monit is not running) |
--exporter.disable-ndp |
OPNSENSE_EXPORTER_DISABLE_NDP |
false |
Disable the scraping of the NDP (IPv6 neighbor discovery) table |
--exporter.disable-nginx |
OPNSENSE_EXPORTER_DISABLE_NGINX |
false |
Disable the scraping of nginx VTS statistics (silent when the os-nginx plugin is absent) |
--exporter.disable-ntp |
OPNSENSE_EXPORTER_DISABLE_NTP |
false |
Disable the scraping of NTP peer metrics |
--exporter.disable-nut |
OPNSENSE_EXPORTER_DISABLE_NUT |
false |
Disable the scraping of NUT UPS metrics (silent when the os-nut plugin is absent) |
--exporter.disable-openvpn |
OPNSENSE_EXPORTER_DISABLE_OPENVPN |
false |
Disable the scraping of OpenVPN service |
--exporter.disable-pf-stats |
OPNSENSE_EXPORTER_DISABLE_PF_STATS |
false |
Disable the scraping of PF statistics (state table, counters, memory limits, timeouts) |
--exporter.disable-qfeeds |
OPNSENSE_EXPORTER_DISABLE_QFEEDS |
false |
Disable the scraping of Q-Feeds threat intelligence statistics (silent when the os-q-feeds-connector plugin is absent) |
--exporter.disable-smart |
OPNSENSE_EXPORTER_DISABLE_SMART |
false |
Disable the SMART disk health collector (per-disk POST fanout; silent when the os-smart plugin is absent) |
--exporter.disable-syslog |
OPNSENSE_EXPORTER_DISABLE_SYSLOG |
false |
Disable the scraping of syslog-ng statistics |
--exporter.disable-system |
OPNSENSE_EXPORTER_DISABLE_SYSTEM |
false |
Disable the scraping of system resource metrics (memory, uptime, disk, swap) |
--exporter.disable-tailscale |
OPNSENSE_EXPORTER_DISABLE_TAILSCALE |
false |
Disable the scraping of Tailscale node-local metrics (silent when the os-tailscale plugin is absent; complementary to tailscale2otel) |
--exporter.disable-temperature |
OPNSENSE_EXPORTER_DISABLE_TEMPERATURE |
false |
Disable the scraping of temperature metrics |
--exporter.disable-trafficshaper |
OPNSENSE_EXPORTER_DISABLE_TRAFFICSHAPER |
false |
Disable the scraping of traffic shaper pipe/queue/rule statistics (silent when the shaper is unconfigured) |
--exporter.disable-unbound |
OPNSENSE_EXPORTER_DISABLE_UNBOUND |
false |
Disable the scraping of Unbound service |
--exporter.disable-wireguard |
OPNSENSE_EXPORTER_DISABLE_WIREGUARD |
false |
Disable the scraping of Wireguard service |
--exporter.enable-alias-details |
OPNSENSE_EXPORTER_ENABLE_ALIAS_DETAILS |
false |
Enable per-table pf evaluation/packet/byte counters for firewall aliases (~10 series per alias table) |
--exporter.enable-dhcpv4-details |
OPNSENSE_EXPORTER_ENABLE_DHCPV4_DETAILS |
false |
Enable per-lease detail metrics for ISC DHCPv4 (high cardinality on large networks) |
--exporter.enable-dhcpv6-details |
OPNSENSE_EXPORTER_ENABLE_DHCPV6_DETAILS |
false |
Enable per-lease detail metrics for ISC DHCPv6 (high cardinality on large networks) |
--exporter.enable-dnsmasq-details |
OPNSENSE_EXPORTER_ENABLE_DNSMASQ_DETAILS |
false |
Enable per-lease detail metrics for Dnsmasq DHCP (high cardinality on large networks) |
--exporter.enable-firewall-rules-details |
OPNSENSE_EXPORTER_ENABLE_FIREWALL_RULES_DETAILS |
false |
Enable per-rule detail metrics for firewall rules (high cardinality on large rulesets) |
--exporter.enable-firmware-package-details |
OPNSENSE_EXPORTER_ENABLE_FIRMWARE_PACKAGE_DETAILS |
false |
Enable per-package firmware detail metrics (pending package updates and installed plugin inventory; adds one extra API call per scrape) |
--exporter.enable-hasync |
OPNSENSE_EXPORTER_ENABLE_HASYNC |
false |
Enable the HA sync status collector (performs a live XML-RPC call to the CARP peer on every scrape). Disabled by default. |
--exporter.enable-kea-details |
OPNSENSE_EXPORTER_ENABLE_KEA_DETAILS |
false |
Enable per-lease detail metrics for Kea DHCP (high cardinality on large networks) |
--exporter.enable-netflow |
OPNSENSE_EXPORTER_ENABLE_NETFLOW |
false |
Enable the netflow collector (enabled status, service status, cache stats). Disabled by default. |
--exporter.enable-network-diagnostics |
OPNSENSE_EXPORTER_ENABLE_NETWORK_DIAGNOSTICS |
false |
Enable the network diagnostics collector (netisr, sockets, routes). Disabled by default. |
--exporter.enable-openvpn-details |
OPNSENSE_EXPORTER_ENABLE_OPENVPN_DETAILS |
false |
Enable per-session detail metrics for OpenVPN (exposes usernames and per-client tunnel addresses) |
--exporter.enable-tailscale-peer-details |
OPNSENSE_EXPORTER_ENABLE_TAILSCALE_PEER_DETAILS |
false |
Enable per-peer detail metrics for Tailscale (per-peer cardinality; peer hostname labels) |
--exporter.enable-unbound-infra |
OPNSENSE_EXPORTER_ENABLE_UNBOUND_INFRA |
false |
Enable per-upstream infra cache RTT metrics from Unbound (cardinality scales with the resolver's infra cache; one series pair per upstream ip/host) |
--exporter.instance-label |
OPNSENSE_EXPORTER_INSTANCE_LABEL |
-- | Label to use to identify the instance in every metric. If you have multiple instances of the exporter, you can differentiate them by using different value in this flag, that represents the instance of the target OPNsense. If left empty, it defaults to the OPNsense hostname reported by the API (falling back to the configured OPNsense address if that lookup fails). |
--exporter.scrape-timeout-offset |
OPNSENSE_EXPORTER_SCRAPE_TIMEOUT_OFFSET |
500ms |
Duration subtracted from Prometheus' X-Prometheus-Scrape-Timeout-Seconds header when deriving the scrape deadline, so the exporter finishes and responds before Prometheus gives up. If the offset would consume the whole budget, the raw header timeout is used. |
--log.format |
-- | logfmt |
Output format of log messages. One of: [logfmt, json] |
--log.level |
-- | info |
Only log messages with the given severity or above. One of: [debug, info, warn, error] |
| --opnsense.address | OPNSENSE_EXPORTER_OPS_API | -- | Required. Hostname or IP address of OPNsense API |
| --opnsense.api-key | OPNSENSE_EXPORTER_OPS_API_KEY | -- | API key to use to connect to OPNsense API. This flag/ENV or the OPS_API_KEY_FILE may be set. |
| --opnsense.api-secret | OPNSENSE_EXPORTER_OPS_API_SECRET | -- | API secret to use to connect to OPNsense API. This flag/ENV or the OPS_API_SECRET_FILE may be set. |
| --opnsense.insecure | OPNSENSE_EXPORTER_OPS_INSECURE | false | Disable TLS certificate verification |
| --opnsense.protocol | OPNSENSE_EXPORTER_OPS_PROTOCOL | -- | Required. Protocol to use to connect to OPNsense API. One of: [http, https] |
| --otlp.enabled | OPNSENSE_EXPORTER_OTLP_ENABLED | false | Enable pushing metrics to an OTLP endpoint (in addition to the /metrics pull endpoint). Off by default. |
| --otlp.endpoint | OPNSENSE_EXPORTER_OTLP_ENDPOINT | -- | OTLP endpoint URL. When empty, the standard OTEL_EXPORTER_OTLP_ENDPOINT env var is used. |
| --otlp.export-interval | OPNSENSE_EXPORTER_OTLP_EXPORT_INTERVAL | 60s | Interval between OTLP metric exports (independent of Prometheus scrapes). |
| --otlp.grafana-cloud-endpoint | OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_ENDPOINT | -- | Grafana Cloud OTLP gateway base URL (required when using the Grafana Cloud shortcut). |
| --otlp.grafana-cloud-instance-id | OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_INSTANCE_ID | -- | Grafana Cloud OTLP instance ID. With --otlp.grafana-cloud-token, synthesizes basic-auth. This flag/ENV or OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_INSTANCE_ID_FILE may be set. |
| --otlp.grafana-cloud-token | OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_TOKEN | -- | Grafana Cloud Access Policy token. This flag/ENV or OPNSENSE_EXPORTER_OTLP_GRAFANA_CLOUD_TOKEN_FILE may be set. |
| --otlp.headers | OPNSENSE_EXPORTER_OTLP_HEADERS | -- | OTLP headers as comma-separated key=value pairs (e.g. X-Scope-OrgID=1,Authorization=Bearer x). When set, replaces OTEL_EXPORTER_OTLP_HEADERS entirely; when empty, that env var is used. |
| --otlp.insecure | OPNSENSE_EXPORTER_OTLP_INSECURE | false | Disable TLS for the OTLP connection (plaintext). |
| --otlp.protocol | OPNSENSE_EXPORTER_OTLP_PROTOCOL | http/protobuf | OTLP transport protocol: grpc or http/protobuf. When empty, OTEL_EXPORTER_OTLP_PROTOCOL is used. |
| --otlp.service-name | OPNSENSE_EXPORTER_OTLP_SERVICE_NAME | opnsense-exporter | service.name resource attribute for exported metrics. |
| --otlp.tls-ca-file | OPNSENSE_EXPORTER_OTLP_TLS_CA_FILE | -- | Path to a CA certificate file used to verify the OTLP server. |
| --otlp.tls-cert-file | OPNSENSE_EXPORTER_OTLP_TLS_CERT_FILE | -- | Path to a client certificate file for OTLP mutual TLS (requires --otlp.tls-key-file). |
| --otlp.tls-key-file | OPNSENSE_EXPORTER_OTLP_TLS_KEY_FILE | -- | Path to a client key file for OTLP mutual TLS (requires --otlp.tls-cert-file). |
| --pyroscope.application-name | OPNSENSE_EXPORTER_PYROSCOPE_APPLICATION_NAME | opnsense-exporter | Pyroscope application name profiles are reported under. |
| --pyroscope.auth-password | OPNSENSE_EXPORTER_PYROSCOPE_AUTH_PASSWORD | -- | HTTP basic auth password for Pyroscope (Grafana Cloud Access Policy token). This flag/ENV or PYROSCOPE_AUTH_PASSWORD_FILE may be set. |
| --pyroscope.auth-user | OPNSENSE_EXPORTER_PYROSCOPE_AUTH_USER | -- | HTTP basic auth user for Pyroscope (Grafana Cloud stack/instance ID). This flag/ENV or PYROSCOPE_AUTH_USER_FILE may be set. |
| --pyroscope.enable-mutex-block | OPNSENSE_EXPORTER_PYROSCOPE_ENABLE_MUTEX_BLOCK | false | Enable goroutine/mutex/block profiling (adds minor runtime overhead). |
| --pyroscope.server-address | OPNSENSE_EXPORTER_PYROSCOPE_SERVER_ADDRESS | -- | Grafana Cloud Pyroscope endpoint URL. When empty, continuous profiling is disabled. |
| --pyroscope.tenant-id | OPNSENSE_EXPORTER_PYROSCOPE_TENANT_ID | -- | Pyroscope tenant ID (only needed for multi-tenancy; unused for Grafana Cloud). |
| --web.config.file | -- | -- | Path to configuration file that can enable TLS or authentication. See: https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md |
| --web.disable-exporter-metrics | OPNSENSE_EXPORTER_DISABLE_EXPORTER_METRICS | -- | Exclude metrics about the exporter itself (`promhttp_*`, `process_*`, `go_*`). |
| --web.listen-address | -- | :8080 | Addresses on which to expose metrics and web interface. Repeatable for multiple addresses. Examples: :9100 or [::1]:9100 for http, vsock://:9100 for vsock |
| --web.systemd-socket | -- | -- | Use systemd socket activation listeners instead of port listeners (Linux only). |
| --web.telemetry-path | -- | /metrics | Path under which to expose metrics. |
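
A pre-deployment check over the security-relevant settings in this table, as an added example (not the exporter's own code). `AuditEnv` and `isTrue` are hypothetical helpers, the sample environment is constructed, and parsing booleans with `strconv.ParseBool` is an assumption about how the exporter reads these variables.

```go
package main

import (
	"fmt"
	"strconv"
)

// isTrue reads an env value as a boolean.
// Assumption: strconv.ParseBool semantics; the exporter may parse differently.
func isTrue(env map[string]string, key string) bool {
	b, err := strconv.ParseBool(env[key])
	return err == nil && b
}

// AuditEnv (hypothetical helper) returns one finding per risky setting in env.
func AuditEnv(env map[string]string) []string {
	const p = "OPNSENSE_EXPORTER_"
	var f []string
	if env[p+"OPS_PROTOCOL"] == "http" {
		f = append(f, "OPS_PROTOCOL=http: API key and secret cross the network unencrypted")
	}
	if isTrue(env, p+"OPS_INSECURE") {
		f = append(f, "OPS_INSECURE: TLS certificate verification is disabled")
	}
	for _, c := range []string{"OPS_API_KEY", "OPS_API_SECRET"} {
		if env[p+c] != "" && env[c+"_FILE"] == "" { // the *_FILE names carry no prefix
			f = append(f, c+": credential is in the environment; use "+c+"_FILE")
		}
	}
	creds := env[p+"OTLP_HEADERS"] != "" || env[p+"OTLP_GRAFANA_CLOUD_TOKEN"] != ""
	if isTrue(env, p+"OTLP_INSECURE") && creds {
		f = append(f, "OTLP_INSECURE: OTLP headers or token are sent in plaintext")
	}
	if (env[p+"OTLP_TLS_CERT_FILE"] == "") != (env[p+"OTLP_TLS_KEY_FILE"] == "") {
		f = append(f, "OTLP mutual TLS needs both OTLP_TLS_CERT_FILE and OTLP_TLS_KEY_FILE")
	}
	if isTrue(env, p+"ENABLE_OPENVPN_DETAILS") {
		f = append(f, "ENABLE_OPENVPN_DETAILS: metrics expose usernames and per-client tunnel addresses")
	}
	return f
}

func main() {
	// Constructed sample environment, not a real deployment.
	env := map[string]string{"OPNSENSE_EXPORTER_OPS_PROTOCOL": "http", "OPNSENSE_EXPORTER_OPS_API_KEY": "example-key"}
	for _, finding := range AuditEnv(env) {
		fmt.Println("WARN:", finding)
	}
}
```

Settings that have no environment variable, such as `--web.config.file` and `--web.listen-address`, have to be checked against the command line instead.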