zabbix_agentd: Add OpenVPN certificates items
- Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates. - Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed - Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details. - Adapts lfs install script to install new script and configfile - Adds new script and configfile to rootfiles Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
parent
670e7d6e36
commit
bff53f09ff
|
@ -20,3 +20,6 @@ var/ipfire/zabbix_agentd/zabbix_agentd_ipfire_mandatory.conf
|
|||
var/ipfire/zabbix_agentd/userparameters
|
||||
var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
|
||||
var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
|
||||
var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
|
||||
var/ipfire/zabbix_agentd/scripts
|
||||
var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
|
||||
|
|
|
@ -9,3 +9,4 @@
|
|||
#
|
||||
Defaults:zabbix !requiretty
|
||||
zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log
|
||||
zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
|
||||
|
|
|
@ -9,10 +9,4 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/
|
|||
# Number of currently Active DHCP leases
|
||||
UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l
|
||||
# Number of Captive Portal clients
|
||||
UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
|
||||
# Discovery of configured ovpn clients
|
||||
UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
|
||||
# Get OpenVPN status report
|
||||
UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
|
||||
# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
|
||||
Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
|
||||
UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients
|
|
@ -0,0 +1,13 @@
|
|||
# Parameters for monitoring IPFire OpenVPN specific metrics
|
||||
#
|
||||
# Discovery of configured ovpn clients
|
||||
UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }'
|
||||
# Get OpenVPN status report
|
||||
UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }'
|
||||
# Get OpenVPN client certificate details
|
||||
UserParameter=ipfire.ovpn.clientcert[*],sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/certs/$1cert.pem
|
||||
UserParameter=ipfire.ovpn.cacert,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh /var/ipfire/ovpn/ca/cacert.pem /var/ipfire/ovpn/ca/cacert.pem
|
||||
|
||||
# Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active
|
||||
Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get
|
||||
Alias=ipfire.ovpn.cacert[]:ipfire.ovpn.cacert
|
|
@ -110,6 +110,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
|
|||
/var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf
|
||||
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ipfire.conf \
|
||||
/var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf
|
||||
install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \
|
||||
/var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf
|
||||
|
||||
# Install IPFire-specific Zabbix Agent scripts
|
||||
-mkdir -pv /var/ipfire/zabbix_agentd/scripts
|
||||
install -v -m 755 $(DIR_SRC)/config/zabbix_agentd/ipfire_certificate_detail.sh \
|
||||
/var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh
|
||||
|
||||
# Create directory for additional agent modules
|
||||
-mkdir -pv /usr/lib/zabbix
|
||||
|
|
Loading…
Reference in New Issue