zabbix
/
omni-lchen-zabbix-ssl
mirror of https://github.com/omni-lchen/zabbix-ssl
1
0
Fork 0
Code Issues Releases Wiki Activity

Initial commit.

pull/1/head
Long Chen 2017-05-03 15:28:43 +01:00
parent 567e03baff
commit 8570421917
5 changed files with 270 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@ -1 +1,15 @@
# zabbix-ssl
# Zabbix-SSL
SSL certificates expiry date monitoring separated by groups.
**Installation**
Pre-requisite: Zabbix Sender, Openssl Client, JQ - https://stedolan.github.io/jq/
1. Copy the scripts and SSL configuration to zabbix external scripts directory: /usr/lib/zabbix/externalscripts
2. Add domains to the configuration file: ssl/sslCertDomains.json
3. Create zabbix host and link with SSL template, add macro to the host: {$DOMAIN_GROUP}, macro value should match the group name in the SSL configuration file.
4. Create a cron job to send data to the zabbix host, see description in "sslCertExpiryCheck.sh"

189
Templates/SSL_Certificates.xml Normal file
View File

@ -0,0 +1,189 @@
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export>
<version>3.2</version>
<date>2017-05-03T14:19:38Z</date>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<templates>
<template>
<template>SSL_Certificates</template>
<name>SSL_Certificates</name>
<description>Check ssl certificate expire date</description>
<groups>
<group>
<name>Templates</name>
</group>
</groups>
<applications>
<application>
<name>SSL Certificate</name>
</application>
</applications>
<items/>
<discovery_rules>
<discovery_rule>
<name>Domain discovery</name>
<type>10</type>
<snmp_community/>
<snmp_oid/>
<key>sslDomainsDiscovery.sh[{$DOMAIN_GROUP}]</key>
<delay>3600</delay>
<status>0</status>
<allowed_hosts/>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<delay_flex/>
<params/>
<ipmi_sensor/>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<filter>
<evaltype>0</evaltype>
<formula/>
<conditions/>
</filter>
<lifetime>1</lifetime>
<description/>
<item_prototypes>
<item_prototype>
<name>SSLCert::$1::expiry date</name>
<type>2</type>
<snmp_community/>
<multiplier>0</multiplier>
<snmp_oid/>
<key>ssl.cert.expirydate[{#DOMAIN}]</key>
<delay>0</delay>
<history>28</history>
<trends>365</trends>
<status>0</status>
<value_type>3</value_type>
<allowed_hosts/>
<units>unixtime</units>
<delta>0</delta>
<snmpv3_contextname/>
<snmpv3_securityname/>
<snmpv3_securitylevel>0</snmpv3_securitylevel>
<snmpv3_authprotocol>0</snmpv3_authprotocol>
<snmpv3_authpassphrase/>
<snmpv3_privprotocol>0</snmpv3_privprotocol>
<snmpv3_privpassphrase/>
<formula>1</formula>
<delay_flex/>
<params/>
<ipmi_sensor/>
<data_type>0</data_type>
<authtype>0</authtype>
<username/>
<password/>
<publickey/>
<privatekey/>
<port/>
<description>Check expiry date of SSL certificate for a domain.</description>
<inventory_link>0</inventory_link>
<applications>
<application>
<name>SSL Certificate</name>
</application>
</applications>
<valuemap/>
<logtimefmt/>
<application_prototypes/>
</item_prototype>
</item_prototypes>
<trigger_prototypes>
<trigger_prototype>
<expression>{SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].count(#3,0)} = 3</expression>
<recovery_mode>1</recovery_mode>
<recovery_expression>{SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].min(#3)} &gt; 0</recovery_expression>
<name>Retrieve SSL certificate info from {#DOMAIN} failing</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>2</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].max(#3)} &gt; 0 and &#13;
{SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].max(#3)} - {SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].now()} &lt; 0d</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>SSL certificate of {#DOMAIN} has expired on {ITEM.LASTVALUE}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>3</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].max(#3)} - {SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].now()} &gt; 0d and &#13;
{SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].max(#3)} - {SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].now()} &lt; 7d</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>SSL certificate of {#DOMAIN} is due to expire on {ITEM.LASTVALUE}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>3</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
<trigger_prototype>
<expression>{SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].max(#3)} - {SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].now()} &gt; 7d and &#13;
{SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].max(#3)} - {SSL_Certificates:ssl.cert.expirydate[{#DOMAIN}].now()} &lt; 31d</expression>
<recovery_mode>0</recovery_mode>
<recovery_expression/>
<name>SSL certificate of {#DOMAIN} is due to expire on {ITEM.LASTVALUE}</name>
<correlation_mode>0</correlation_mode>
<correlation_tag/>
<url/>
<status>0</status>
<priority>2</priority>
<description/>
<type>0</type>
<manual_close>0</manual_close>
<dependencies/>
<tags/>
</trigger_prototype>
</trigger_prototypes>
<graph_prototypes/>
<host_prototypes/>
</discovery_rule>
</discovery_rules>
<httptests/>
<macros>
<macro>
<macro>{$DOMAIN_GROUP}</macro>
<value>NOTSET</value>
</macro>
</macros>
<templates/>
<screens/>
</template>
</templates>
</zabbix_export>

12
zabbix-externalscripts/ssl/sslCertDomains.json Normal file
View File

@ -0,0 +1,12 @@
{
"DomainGroup1": [
{"domain": "www.a.com"},
{"domain": "www.b.com"},
{"domain": "www.c.com"}
],
"DomainGroup2": [
{"domain": "www.d.com"},
{"domain": "www.e.com"},
{"domain": "www.f.com"}
]
}

38
zabbix-externalscripts/sslCertExpiryCheck.sh Normal file
View File

@ -0,0 +1,38 @@
#!/bin/bash
#Author: Long Chen
#Date: 25/01/2017
#Description: A script to send SSL certificates expiry date to zabbix with zabbix sender
#Requires: zabbix sender, openssl client, jq - https://stedolan.github.io/jq/
#Set up cron job to run hourly, example setup below:
#SHELL=/bin/bash
#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/lib/zabbix/externalscripts
# SSL certificates monitoring, run hourly
#0 * * * * sslCertExpiryCheck.sh DomainGroup1 ZabbixHost1 &>/dev/null
#5 * * * * sslCertExpiryCheck.sh DomainGroup2 ZabbixHost2 &>/dev/null
# Query domains in a group
DOMAIN_GROUP=$1
ZABBIX_HOST=$2
SCRIPT_DIR="$( cd "$( dirname "$0" )" && pwd )"
ALL_DOMAINS=$SCRIPT_DIR"/ssl/sslCertDomains.json"
QUERY_DOMAINS=$(eval "cat $ALL_DOMAINS | jq -r '."$DOMAIN_GROUP"[] .domain' | xargs 2>/dev/null")
get_SSL_Certs_Expirydate() {
for domain in $QUERY_DOMAINS; do
expiry_date=$(timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ *Not After : *//p')
if [ -n "$expiry_date" ]; then
expiry_date_unix=$(date '+%s' --date "$expiry_date")
else
expiry_date_unix=0
fi
echo $ZABBIX_HOST" ssl.cert.expirydate["$domain"] "$expiry_date_unix
done
}
result=$(get_SSL_Certs_Expirydate | /usr/bin/zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -i - 2>&1)
response=$(echo "$result" | awk -F ';' '$1 ~ /^info/ && match($1,/[0-9].*$/) {sum+=substr($1,RSTART,RLENGTH)} END {print sum}')
if [ -n "$response" ]; then
echo "$response"
else
echo "$result"

16
zabbix-externalscripts/sslDomainsDiscovery.sh Normal file
View File

@ -0,0 +1,16 @@
#!/bin/bash
#Author: Long Chen
#Date: 25/01/2017
#Description: A script to get a list of domains in json format
#Requires: jq - https://stedolan.github.io/jq/
DOMAIN_GROUP=$1
SCRIPT_DIR="$( cd "$( dirname "$0" )" && pwd )"
ALL_DOMAINS=$SCRIPT_DIR"/ssl/sslCertDomains.json"
QUERY_DOMAINS=$(eval "cat $ALL_DOMAINS | jq -r '."$DOMAIN_GROUP"[] .domain' | xargs 2>/dev/null")
for domain in $QUERY_DOMAINS; do
domainlist="$domainlist,"'{"{#DOMAIN}":"'${domain# }'"}'
done
echo '{"data":['${domainlist#,}']}'