How to Use Prometheus Blackbox Exporter for Endpoint Monitoring on RHEL 8

The Prometheus Blackbox Exporter probes external endpoints over HTTP, HTTPS, TCP, ICMP, and DNS and exposes the results as Prometheus metrics. Unlike Node Exporter, which reports host-level statistics, the Blackbox Exporter answers the question “can this URL be reached right now?” — making it the right tool for synthetic uptime monitoring and SLA measurement. This tutorial covers downloading and installing the exporter on RHEL 8, writing a module configuration file, wiring it into Prometheus, and creating Grafana alerts that fire when a probe fails.

Prerequisites

• RHEL 8 server with a non-root sudo user
• Prometheus already installed and running (see the Prometheus on RHEL 8 guide)
• Grafana installed and connected to the Prometheus data source
• Port 9115 open in the firewall for the Blackbox Exporter metrics endpoint
• curl and tar available on the system

Step 1 — Download and Install the Blackbox Exporter Binary

Download the latest release from the official Prometheus GitHub releases page and install the binary under /usr/local/bin.

BLACKBOX_VERSION="0.25.0"
cd /tmp
curl -LO "https://github.com/prometheus/blackbox_exporter/releases/download/v${BLACKBOX_VERSION}/blackbox_exporter-${BLACKBOX_VERSION}.linux-amd64.tar.gz"
tar xzf "blackbox_exporter-${BLACKBOX_VERSION}.linux-amd64.tar.gz"
sudo cp "blackbox_exporter-${BLACKBOX_VERSION}.linux-amd64/blackbox_exporter" /usr/local/bin/
sudo chmod +x /usr/local/bin/blackbox_exporter
blackbox_exporter --version

Create a dedicated system user so the exporter runs without root privileges.

sudo useradd --no-create-home --shell /bin/false blackbox_exporter

Step 2 — Write the blackbox.yml Module Configuration

The module configuration file defines how the exporter probes each target. Place it in /etc/blackbox_exporter/ and configure the four most common probe types.

sudo mkdir -p /etc/blackbox_exporter
cat <<'EOF' | sudo tee /etc/blackbox_exporter/blackbox.yml
modules:
  http_2xx:
    prober: http
    timeout: 10s
    http:
      valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
      valid_status_codes: []   # defaults to 2xx
      method: GET
      follow_redirects: true
      preferred_ip_protocol: ip4

  http_post_2xx:
    prober: http
    timeout: 10s
    http:
      method: POST
      headers:
        Content-Type: application/json
      body: '{}'
      valid_status_codes: [200, 201, 204]

  tcp_connect:
    prober: tcp
    timeout: 10s

  icmp:
    prober: icmp
    timeout: 5s
    icmp:
      preferred_ip_protocol: ip4
EOF

sudo chown -R blackbox_exporter:blackbox_exporter /etc/blackbox_exporter

Step 3 — Create the systemd Service

Run the Blackbox Exporter as a managed systemd service so it starts automatically after a reboot.

cat <<'EOF' | sudo tee /etc/systemd/system/blackbox_exporter.service
[Unit]
Description=Prometheus Blackbox Exporter
After=network.target

[Service]
User=blackbox_exporter
Group=blackbox_exporter
Type=simple
ExecStart=/usr/local/bin/blackbox_exporter 
  --config.file=/etc/blackbox_exporter/blackbox.yml 
  --web.listen-address=:9115
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now blackbox_exporter
sudo systemctl status blackbox_exporter

Open the firewall port and test the metrics endpoint locally.

sudo firewall-cmd --permanent --add-port=9115/tcp
sudo firewall-cmd --reload
curl "http://localhost:9115/probe?target=https://example.com&module=http_2xx" | grep probe_success

A value of probe_success 1 confirms the exporter is working.

Step 4 — Add a Probe Job to prometheus.yml

The Blackbox Exporter uses a relabeling pattern where Prometheus passes the target URL as a query parameter. Add the following job block to your prometheus.yml scrape configuration.

scrape_configs:
  - job_name: blackbox
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
          - https://example.com
          - https://myapp.internal/health
          - tcp://db.internal:5432    # use tcp_connect module for this
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9115   # Blackbox Exporter address
      - target_label: job
        replacement: blackbox

Reload Prometheus to apply the change.

sudo systemctl reload prometheus
# Verify targets appear in the Prometheus UI
curl http://localhost:9090/api/v1/targets | python3 -m json.tool | grep "blackbox"

Step 5 — Key Blackbox Exporter Metrics

Once Prometheus is scraping the exporter, the following metrics are available for building dashboards and alerts.

• probe_success — 1 if the probe succeeded, 0 if it failed
• probe_duration_seconds — total time taken for the probe
• probe_http_status_code — the HTTP status code returned
• probe_http_ssl — 1 if TLS was used
• probe_ssl_earliest_cert_expiry — Unix timestamp of the nearest TLS certificate expiry
• probe_dns_lookup_time_seconds — DNS resolution latency

Step 6 — Create Grafana Alerts on Probe Failures

In Grafana, navigate to Alerting → Alert Rules → New Alert Rule. Use the Prometheus data source and enter the following PromQL expressions as alert conditions.

# Alert when any endpoint goes down
probe_success == 0

# Alert when HTTP probe latency exceeds 2 seconds
probe_duration_seconds{job="blackbox"} > 2

# Alert when a TLS certificate expires within 14 days
(probe_ssl_earliest_cert_expiry - time()) / 86400 < 14

Set the evaluation interval to 1m, the pending period to 2m (to avoid flapping), and attach a notification policy pointing to your preferred contact point (email, PagerDuty, Slack). Save the rule and confirm it appears in Normal state on the alert list.

Conclusion

You have installed the Prometheus Blackbox Exporter on RHEL 8, defined HTTP, TCP, and ICMP probe modules, wired it into your Prometheus scrape pipeline using the relabeling pattern, and built Grafana alert rules that notify you the moment an endpoint becomes unreachable or a TLS certificate nears expiry. This synthetic monitoring layer complements host-level metrics from Node Exporter by measuring the actual user-facing availability of your services rather than only the health of the underlying server.

Next steps: How to Configure SNMP Monitoring on RHEL 8, How to Build Grafana Dashboards for Linux Server Metrics on RHEL 8, and How to Install and Configure cAdvisor for Container Monitoring on RHEL 8.