From 772bac708086d04486ec5a82299dd1eee5c11bc8 Mon Sep 17 00:00:00 2001 From: Robin Roevens Date: Tue, 21 May 2024 22:52:06 +0200 Subject: [PATCH] Update template IPFire by Zabbix agent active to v0.4 (IPFire 2.29 CU 185+) - Adds OpenVPN Client/Server and CA Certificate validation and monitoring --- .../template_ipfire/6.0/README.md | 11 +- .../6.0/ipfire_by_zabbix_agent_active.yaml | 1461 ++++++++++++----- .../template_ipfire/6.4/README.md | 11 +- .../6.4/ipfire_by_zabbix_agent_active.yaml | 1455 +++++++++++----- 4 files changed, 2180 insertions(+), 758 deletions(-) diff --git a/Network_Appliances/template_ipfire/6.0/README.md b/Network_Appliances/template_ipfire/6.0/README.md index 7104450a5..d48a940a9 100644 --- a/Network_Appliances/template_ipfire/6.0/README.md +++ b/Network_Appliances/template_ipfire/6.0/README.md @@ -13,13 +13,13 @@ Supports monitoring of: - IPFire services (default IPFire services and possible Addon services) - Pakfire status (Installed version, Available update(s)) - Network stats (Line quality, Open Connections, Firewall hits) -- OpenVPN clients and stats (OpenVPN client discovery, OpenVPN client properties, Traffic stats) +- OpenVPN clients and stats (OpenVPN client discovery, OpenVPN client properties, Traffic stats, Client/Server/CA Certificate validation) Use in conjunction with a default Template OS Linux-template for CPU/Memory/Storage monitoring of the IPFire appliance/instance. This template was created for: -- IPFire 2.27 - Core update 179 +- IPFire 2.29 - Core update 185 **Warning**: This template will *NOT* work on earlier versions of IPFire due to changes to the Zabbix Agent addon. @@ -54,6 +54,7 @@ No specific Zabbix configuration is required |{$IPFIRE.OVPN.COMMONNAME.MATCHES} |

OpenVPN clients with common name matching this regex will be discovered

|`^.*$` | |{$IPFIRE.OVPN.COMMONNAME.NOTMATCHES} |

OpenVPN clients with common name matching this regex will not be discovered

|`CHANGE_IF_NEEDED` | |{$IPFIRE.OVPN.STATE.MATCHES} |

OpenVPN clients with a state (on/off) matching this regex will be discovered.

|`on` | +|{$IPFIRE.OVPN.CERT.EXPIRY.WARN} |

Number of days until the OpenVPN server or CA certificate expires.

|`7` | #### Notes about $IPFIRE.SERVICE.TRIGGER This template does not 'detect' if you have manually disabled a service in IPFire, so by default it will alarm you when any service is down. This is done on purpose so that you will also be notified if a service is unintentionly disabled. @@ -65,6 +66,12 @@ For example to disable the OpenVPN service trigger add `{$IPFIRE.SERVICE.TRIGGER Or you could opt to use the variables `{$IPFIRE.SERVICENAME.MATCHES}` and/or `{$IPFIRE.SERVICENAME.NOT_MATCHES}` to filter out services you don't want to be monitored at all. +#### OpenVPN Client discovery +This template is actually a set of 2 and includes a second template `IPFire OpenVPN Client by Zabbix agent` specificaly for use by the OpenVPN Client discovery defined in the main template `IPFire by Zabbix agent active`. + +If the OpenVPN Service of the IPFire instance is enabled, the main template will discover any configured OpenVPN clients (see `{$IPFIRE.OVPN.*}` macro's to set filters), create those as new hosts in Zabbix and link the `IPFire OpenVPN Client by Zabbix agent` template to them. +Those client hosts will then start collecting OpenVPN statistics specific to those clients. + ## Credits [Alexander Koch](https://community.ipfire.org/t/looking-for-the-zabbix-agent-template/1459/2) for the app Pakfire template. diff --git a/Network_Appliances/template_ipfire/6.0/ipfire_by_zabbix_agent_active.yaml b/Network_Appliances/template_ipfire/6.0/ipfire_by_zabbix_agent_active.yaml index 4a25e0c95..1bca980a0 100644 --- a/Network_Appliances/template_ipfire/6.0/ipfire_by_zabbix_agent_active.yaml +++ b/Network_Appliances/template_ipfire/6.0/ipfire_by_zabbix_agent_active.yaml @@ -1,6 +1,6 @@ zabbix_export: version: '6.0' - date: '2023-10-11T19:48:42Z' + date: '2024-05-21T20:05:50Z' groups: - uuid: 6a9e41a5ef934d2196aca8b4abdafff5 name: 'OpenVPN Clients' 
@@ -27,7 +27,7 @@ zabbix_export: - name: Templates/Applications items: - uuid: 9be0495e730a476fac68b91583bb4146 - name: 'Captive Portal: # of active clients' + name: 'IPFire: Captive Portal: # of active clients' type: ZABBIX_ACTIVE key: ipfire.captive.clients history: 7d @@ -38,7 +38,7 @@ zabbix_export: - tag: service value: captive-portal - uuid: da3ef4de97f343d4a3d0d420e4e0df36 - name: 'DHCP Server: # of active leases' + name: 'IPFire: DHCP Server: # of active leases' type: ZABBIX_ACTIVE key: ipfire.dhcpd.clients history: 7d @@ -49,7 +49,7 @@ zabbix_export: - tag: service value: dhcpd - uuid: d7752458935c4e40adaacd4e1107f40e - name: 'Firewall hits: Get' + name: 'IPFire: Firewall hits: Get' type: ZABBIX_ACTIVE key: ipfire.net.fw.hits.raw history: '0' @@ -64,11 +64,13 @@ zabbix_export: - tag: component value: raw - uuid: 2e0173990de34061b2e743ef22518c6a - name: 'Network: Internet gateway available' + name: 'IPFire: Network: Internet gateway available' type: ZABBIX_ACTIVE key: ipfire.net.gateway.ping history: 7d description: 'Checks if the internet gateway on RED is reachable' + valuemap: + name: 'Service state' tags: - tag: component value: gateway @@ -77,14 +79,14 @@ zabbix_export: triggers: - uuid: 750db20bec7c46e6ab9943e516f52947 expression: 'last(/IPFire by Zabbix agent active/ipfire.net.gateway.ping)<>1' - name: 'Internet Gateway is not reachable' + name: 'IPFire: Internet Gateway is not reachable' priority: HIGH description: 'Internet Gateway on interface RED is unreachable. Internet connection is lost or intermittent.' tags: - tag: scope value: availability - uuid: f548b019c57a42cd8b6d4cf0a244f098 - name: 'Network: Internet gateway ping timings' + name: 'IPFire: Network: Internet gateway ping timings' type: ZABBIX_ACTIVE key: ipfire.net.gateway.pingtime history: 7d 
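Review bot: In the hunk at `@@ -64,11 +64,13 @@` the new `valuemap: name: 'Service state'` is attached to `ipfire.net.gateway.ping`, which is a reachability check rather than a service. The value map's definition is not visible in this part of the patch, so its labels cannot be confirmed here. If they use service wording, the latest-data view for this item will show a label that does not describe a ping result, next to the 'Internet Gateway is not reachable' trigger. Either confirm that the existing labels read correctly for a 0/1 ping result, or give the item its own map, for example a value map named `'Gateway reachability'` with `0 → Unreachable` and `1 → Reachable`.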
@@ -97,7 +99,7 @@ zabbix_export: - tag: component value: network - uuid: a01561b00aab4406a38e34440658848d - name: 'IPFire Services: Get' + name: 'IPFire: Services: Get' type: ZABBIX_ACTIVE key: ipfire.services history: '0' @@ -110,7 +112,7 @@ zabbix_export: - tag: component value: service - uuid: 45efac8b0c984815b9cf5c2790373911 - name: 'System: Core-Update available' + name: 'IPFire: Core-Update available' type: DEPENDENT key: pakfire.core-update-available delay: '0' @@ -154,7 +156,7 @@ zabbix_export: triggers: - uuid: 10fdaa47927d4638b62ec43deff34360 expression: 'last(/IPFire by Zabbix agent active/pakfire.core-update-available)=1' - name: 'Pakfire: Core-Update available' + name: 'IPFire: Pakfire: Core-Update available' url: 'https://{HOST.CONN}:444/cgi-bin/pakfire.cgi' priority: INFO description: 'A Core-Update for IPFire is available. Go to the IPFire webgui > IPFire Pakfire to perform an update.' @@ -165,7 +167,7 @@ zabbix_export: value: security - uuid: 059cebb808634b35a3c2f2304e8cfaf5 expression: 'nodata(/IPFire by Zabbix agent active/pakfire.core-update-available,4h)=1' - name: 'Pakfire: Last Pakfire status update > 4h ago' + name: 'IPFire: Pakfire: Last Pakfire status update > 4h ago' priority: WARNING description: 'Zabbix was unable to retrieve Pakfire status for more than 4h. Check if Pakfire is still correctly working.' tags: @@ -176,7 +178,7 @@ zabbix_export: - tag: scope value: security - uuid: 3c87cd1c09ec4fc2910c2572d9a4f5e9 - name: 'System: Core-Update level' + name: 'IPFire: Core-Update level' type: DEPENDENT key: pakfire.core-update-level delay: '0' 
@@ -200,11 +202,11 @@ zabbix_export: triggers: - uuid: 315ab087e6b3408eb463eaecbab289f7 expression: 'change(/IPFire by Zabbix agent active/pakfire.core-update-level)>0' - name: 'Pakfire: Core-Update-Level has changed' + name: 'IPFire: Pakfire: Core-Update-Level has changed' priority: INFO manual_close: 'YES' dependencies: - - name: 'Pakfire: Core-Version has changed' + - name: 'IPFire: Pakfire: Core-Version has changed' expression: '(last(/IPFire by Zabbix agent active/pakfire.core-version,#1)<>last(/IPFire by Zabbix agent active/pakfire.core-version,#2))=1' tags: - tag: scope @@ -212,7 +214,7 @@ zabbix_export: - tag: scope value: security - uuid: 96e3883bf9784f45b5ff7a9acaeeb5a9 - name: 'System: Core version' + name: 'IPFire: Core version' type: DEPENDENT key: pakfire.core-version delay: '0' @@ -237,7 +239,7 @@ zabbix_export: triggers: - uuid: 743e14e27c1141cdb08c895e768e9931 expression: '(last(/IPFire by Zabbix agent active/pakfire.core-version,#1)<>last(/IPFire by Zabbix agent active/pakfire.core-version,#2))=1' - name: 'Pakfire: Core-Version has changed' + name: 'IPFire: Pakfire: Core-Version has changed' priority: INFO tags: - tag: scope @@ -245,7 +247,7 @@ zabbix_export: - tag: scope value: security - uuid: 299ed0d3aa97435088fd805646ffe649 - name: 'System: # of addon updates available' + name: 'IPFire: Pakfire: # of addon updates available' type: DEPENDENT key: pakfire.package-updates-available delay: '0' @@ -269,7 +271,7 @@ zabbix_export: triggers: - uuid: 39bc50b094cf40ab86588b909eef2db7 expression: 'last(/IPFire by Zabbix agent active/pakfire.package-updates-available)>0' - name: 'Pakfire: Package-Updates available' + name: 'IPFire: Pakfire: Package-Updates available' priority: INFO tags: - tag: scope @@ -277,7 +279,7 @@ zabbix_export: - tag: scope value: security - uuid: 8dbec81630674c7c89a74ba12cdae84b - name: 'System: Reboot required' + name: 'IPFire: Reboot required' type: DEPENDENT key: pakfire.reboot-required delay: '0' 
@@ -321,7 +323,7 @@ zabbix_export: triggers: - uuid: 5bf0656d2f9f46258ee36ca10096a9bb expression: 'last(/IPFire by Zabbix agent active/pakfire.reboot-required)=1' - name: 'Pakfire: Reboot required' + name: 'IPFire: Pakfire: Reboot required' url: 'https://{HOST.CONN}:444/cgi-bin/shutdown.cgi' priority: INFO description: 'An update requires a reboot of IPFire to complete. Please reboot the host as soon as possible. Go to the IPFire webgui > System > Shutdown to perform a reboot.' @@ -331,7 +333,7 @@ zabbix_export: - tag: scope value: security - uuid: 0593a390fa7f40e1b23c94fe845eff09 - name: 'Pakfire Status: Get' + name: 'IPFire: Pakfire Status: Get' type: ZABBIX_ACTIVE key: pakfire.status delay: 10m @@ -346,7 +348,7 @@ zabbix_export: - tag: component value: system - uuid: 7349c0e5921440f5bf1e8be3111acb7f - name: 'Network: # of open connections' + name: 'IPFire: Network: # of open connections' type: ZABBIX_ACTIVE key: 'vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_count"]' history: 7d @@ -354,7 +356,7 @@ zabbix_export: - tag: component value: network - uuid: aaa91f7fdd3949d0adf4a6f90e9ddc87 - name: 'Network: Max # of open connections' + name: 'IPFire: Network: Max # of open connections' type: ZABBIX_ACTIVE key: 'vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_max"]' delay: 1h @@ -363,7 +365,7 @@ zabbix_export: - tag: component value: network - uuid: cdc1d6590ab044cc8e9684119238c1db - name: 'System: Last update' + name: 'IPFire: Pakfire: Last update' type: ZABBIX_ACTIVE key: 'vfs.file.time["/opt/pakfire/db/core/mine",modify]' delay: 10m @@ -379,7 +381,7 @@ zabbix_export: - tag: component value: system - uuid: 8614cc5f14364b8d851631850a0d0ce9 - name: 'Pakfire: Last core-list update' + name: 'IPFire: Pakfire: Last core-list update' type: ZABBIX_ACTIVE key: 'vfs.file.time["/opt/pakfire/db/lists/core-list.db",modify]' delay: 10m 
@@ -401,11 +403,11 @@ zabbix_export: expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/core-list.db",modify],49h)=0' recovery_mode: RECOVERY_EXPRESSION recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/core-list.db",modify],1h)=1' - name: 'Pakfire: Last core-list update > 49h ago' + name: 'IPFire: Pakfire: Last core-list update > 49h ago' priority: WARNING description: 'Auslösung bei Delta > 49h / Recovery bei Delta < 1h' dependencies: - - name: 'Pakfire: Last server-list update > 49h ago' + - name: 'IPFire: Pakfire: Last server-list update > 49h ago' expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],49h)=0' recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],1h)=1' tags: @@ -416,7 +418,7 @@ zabbix_export: - tag: scope value: security - uuid: 72d6284952044ff58795e6076e6ad3c8 - name: 'Pakfire: Last packages-list update' + name: 'IPFire: Pakfire: Last packages-list update' type: ZABBIX_ACTIVE key: 'vfs.file.time["/opt/pakfire/db/lists/packages_list.db",modify]' delay: 10m 
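Review bot: The `description` on the trigger renamed in `@@ -401,11 +403,11 @@` is still German (`'Auslösung bei Delta > 49h / Recovery bei Delta < 1h'`), while the trigger names and the README are English. The same text sits on the packages-list and server-list triggers in `@@ -438,11 +440,11 @@` and `@@ -475,7 +477,7 @@`. These triggers appear to carry a `scope: security` tag, so this description is what an operator reads when the Pakfire update lists have stopped refreshing. Since the commit already touches these triggers, I would replace it in all three places with `description: 'Fires when the list was last updated more than 49h ago; recovers once it has been updated within the last 1h.'`.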
@@ -438,11 +440,11 @@ zabbix_export: expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/packages_list.db",modify],49h)=0' recovery_mode: RECOVERY_EXPRESSION recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/packages_list.db",modify],1h)=1' - name: 'Pakfire: Last packages-list update > 49h ago' + name: 'IPFire: Pakfire: Last packages-list update > 49h ago' priority: WARNING description: 'Auslösung bei Delta > 49h / Recovery bei Delta < 1h' dependencies: - - name: 'Pakfire: Last server-list update > 49h ago' + - name: 'IPFire: Pakfire: Last server-list update > 49h ago' expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],49h)=0' recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],1h)=1' tags: @@ -453,7 +455,7 @@ zabbix_export: - tag: scope value: security - uuid: 0dd0776c8b91489784d45bf06893d1c3 - name: 'Pakfire: Last server-list update' + name: 'IPFire: Pakfire: Last server-list update' type: ZABBIX_ACTIVE key: 'vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify]' delay: 10m @@ -475,7 +477,7 @@ zabbix_export: expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],49h)=0' recovery_mode: RECOVERY_EXPRESSION recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],1h)=1' - name: 'Pakfire: Last server-list update > 49h ago' + name: 'IPFire: Pakfire: Last server-list update > 49h ago' priority: WARNING description: 'Auslösung bei Delta > 49h / Recovery bei Delta < 1h' tags: 
@@ -503,7 +505,7 @@ zabbix_export: description: 'Discovery of firewall chains in filter table to create "firewall hits" items/chain' item_prototypes: - uuid: e754323822f04c6b9e2e77bca43344fe - name: 'Firewall: Hits on chain {#FW_CHAIN}' + name: 'IPFire: Firewall: Hits on chain {#FW_CHAIN}' type: DEPENDENT key: 'ipfire.net.fw.hits[{#FW_CHAIN}]' delay: '0' 
@@ -591,264 +593,765 @@ zabbix_export: tags: - tag: type value: '{#TYPE}' - - uuid: 0724a9154c924222a1495a4665929039 - name: 'IPFire Services discovery' + - uuid: c8db2268889741a6aa3877c61d4524e5 + name: 'IPFire OpenVPN properties discovery' type: DEPENDENT - key: ipfire.services.discovery + key: ipfire.ovpn.discovery delay: '0' filter: - evaltype: AND conditions: - macro: '{#SERVICENAME}' - value: '{$IPFIRE.SERVICENAME.MATCHES}' + value: ^openvpn$ formulaid: A - - macro: '{#SERVICENAME}' - value: '{$IPFIRE.SERVICENAME.NOT_MATCHES}' - operator: NOT_MATCHES_REGEX + - macro: '{#SERVICESTATE}' + value: '1' formulaid: B item_prototypes: - - uuid: bd1d7dfffc65492fb3eb7ade56c07bf8 - name: 'OpenVPN: # clients connected' + - uuid: ecd52470e79a4a8da9c16a0f069c1714 + name: 'IPFire OpenVPN: CA Cert: Issuer' type: DEPENDENT - key: 'ipfire.ovpn.clients.count[{#SINGLETON}]' + key: 'ipfire.ovpn.cacert.issuer[{#SINGLETON}]' delay: '0' - description: 'Number of clients currently connected with OpenVPN' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity that has signed and issued the certificate.' 
preprocessing: - type: JSONPATH parameters: - - $.clients.length() - error_handler: CUSTOM_VALUE - error_handler_params: '0' + - $.x509.issuer master_item: - key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: 17b4f2e8a9b944c7b09f81c6b6f8699b - name: 'OpenVPN: Statusreport: Get' - type: ZABBIX_ACTIVE - key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' - history: '0' + value: cert + - uuid: 22cc547a94cb44e4a4255af9a13e899c + name: 'IPFire OpenVPN: CA Cert: Last validation status' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.message[{#SINGLETON}]' + delay: '0' + history: 7d trends: '0' value_type: TEXT - description: 'Get OpenVPN status report containing list of connected clients and routing tables' + description: 'Last check result message.' preprocessing: - - type: DISCARD_UNCHANGED + - type: JSONPATH parameters: - - '' + - $.result.message + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: network - - tag: component - value: raw + value: cert + - uuid: b88e5aa661dd42a5a325398dbb97f38f + name: 'IPFire OpenVPN: CA Cert: Expires on' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.not_after[{#SINGLETON}]' + delay: '0' + history: 7d + units: unixtime + description: 'The date on which the certificate validity period ends.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.not_after.timestamp + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: 9f207a283c4347569f02374f8e548b69 - name: 'OpenVPN: Last status report update' + value: cert + trigger_prototypes: + - uuid: e59bc8217ab444559a90f389c12c6987 + expression: '(last(/IPFire by Zabbix agent active/ipfire.ovpn.cacert.not_after[{#SINGLETON}]) - now()) / 86400 < {$IPFIRE.OVPN.CERT.EXPIRY.WARN}' + name: 'OpenVPN CA Cert: SSL certificate expires soon' + event_name: 'OpenVPN CA Cert: SSL certificate expires soon (less than {$IPFIRE.OVPN.CERT.EXPIRY.WARN} days)' + priority: WARNING + description: 'The SSL certificate should be updated or it will become untrusted.' + dependencies: + - name: 'OpenVPN Server Cert: SSL certificate is invalid' + expression: 'find(/IPFire by Zabbix agent active/ipfire.ovpn.cert.validation[server{#SINGLETON}],,"like","invalid")=1' + tags: + - tag: scope + value: notice + - uuid: 028cdbb29f0048bbb591d8b5d94e9153 + name: 'IPFire OpenVPN: CA Cert: Valid from' type: DEPENDENT - key: 'ipfire.ovpn.statusreport.timestamp[{#SINGLETON}]' + key: 'ipfire.ovpn.cacert.not_before[{#SINGLETON}]' delay: '0' - history: 1d + history: 7d units: unixtime - description: 'Timestamp of last OpenVPN server statusreport update' + description: 'The date on which the certificate validity period begins.' 
preprocessing: - type: JSONPATH parameters: - - $.timestamp - error_handler: DISCARD_VALUE + - $.x509.not_before.timestamp master_item: - key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: network + value: cert + - uuid: 6e4746e6cf294988883615b6d8bc9b49 + name: 'IPFire OpenVPN: CA Cert: Public key algorithm' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.public_key_algorithm[{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The digital signature algorithm is used to verify the signature of a certificate.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.public_key_algorithm + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: 64ab99104e5c4a748745fbc1d02b1803 - name: '{#SERVICE}: Memory usage' + value: cert + - uuid: 2242e77ad41e4e2ea5605e672a25e992 + name: 'IPFire OpenVPN: CA Cert: Serial number' type: DEPENDENT - key: 'ipfire.services.memory[{#SERVICENAME}]' + key: 'ipfire.ovpn.cacert.serial_number[{#SINGLETON}]' delay: '0' history: 7d - units: b + trends: '0' + value_type: CHAR + description: 'The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.' 
preprocessing: - type: JSONPATH parameters: - - '$[?(@.servicename == "{#SERVICENAME}")].memory.first()' - error_handler: DISCARD_VALUE + - $.x509.serial_number master_item: - key: ipfire.services + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: memory + value: cert + - uuid: 1052d1fe7ee54b5f8cad3ead608df3b6 + name: 'IPFire OpenVPN: CA Cert: Fingerprint' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.sha1_fingerprint[{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.' + preprocessing: + - type: JSONPATH + parameters: + - $.sha1_fingerprint + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: - tag: component - value: service - - tag: service - value: '{#SERVICENAME}' - - uuid: 3d679fd91a334de1949e5cc5afdcc8a3 - name: '{#SERVICE}: Start on boot' + value: cert + trigger_prototypes: + - uuid: 440e36cc23a043a8bdb7351b8df2e60d + expression: 'last(/IPFire by Zabbix agent active/ipfire.ovpn.cacert.sha1_fingerprint[{#SINGLETON}])<>last(/IPFire by Zabbix agent active/ipfire.ovpn.cacert.sha1_fingerprint[{#SINGLETON}],#2)' + name: 'OpenVPN CA Cert: Fingerprint has changed' + event_name: 'OpenVPN CA Cert: Fingerprint has changed (new version: {ITEM.VALUE})' + priority: INFO + description: 'The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually.' 
+ tags: + - tag: scope + value: notice + - uuid: 8abc28b3cbea48848641f56482793c22 + name: 'IPFire OpenVPN: CA Cert: Signature algorithm' type: DEPENDENT - key: 'ipfire.services.onboot[{#SERVICENAME}]' + key: 'ipfire.ovpn.cacert.signature_algorithm[{#SINGLETON}]' delay: '0' history: 7d - valuemap: - name: 'Boolean Yes/no' + trends: '0' + value_type: CHAR + description: 'The algorithm identifier for the algorithm used by the CA to sign the certificate.' preprocessing: - type: JSONPATH parameters: - - '$[?(@.servicename == "{#SERVICENAME}")].onboot.first()' - error_handler: CUSTOM_VALUE - error_handler_params: '1' + - $.x509.signature_algorithm master_item: - key: ipfire.services + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: service - - tag: service - value: '{#SERVICENAME}' - - uuid: 865fe738cfb34752b83605930b3cf180 - name: '{#SERVICE}: Pid' + value: cert + - uuid: 3123fc50b6bd48ac871de1dc2c4c80e5 + name: 'IPFire OpenVPN: CA Cert: Subject' type: DEPENDENT - key: 'ipfire.services.pid[{#SERVICENAME}]' + key: 'ipfire.ovpn.cacert.subject[{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity associated with the public key stored in the subject public key field.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.subject + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 7cb856be9e8240bc80d0ebe2aba2f488 + name: 'IPFire OpenVPN: CA Cert: Validation result' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.validation[{#SINGLETON}]' delay: '0' history: 7d + trends: '0' + value_type: CHAR + description: 'The certificate validation result. 
Possible values: valid/invalid/valid-but-self-signed' preprocessing: - type: JSONPATH parameters: - - '$[?(@.servicename == "{#SERVICENAME}")].pid.first()' - error_handler: DISCARD_VALUE + - $.result.value + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: + - tag: component + value: cert + trigger_prototypes: + - uuid: 4178bb0b408e493cb7ee2a1f07e98ce7 + expression: 'find(/IPFire by Zabbix agent active/ipfire.ovpn.cacert.validation[{#SINGLETON}],,"like","invalid")=1' + name: 'OpenVPN CA Cert: SSL certificate is invalid' + priority: HIGH + tags: + - tag: scope + value: security + - uuid: 14d0a15423ed4b3e9e990d0f31cbc2d0 + name: 'IPFire OpenVPN: CA Cert: Version' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.version[{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The version of the encoded certificate.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.version + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 2e5c0f41659148ec920c6cf42bb71e7e + name: 'IPFire OpenVPN: CA Cert: Get' + type: ZABBIX_ACTIVE + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + delay: 15m + history: '0' + trends: '0' + value_type: TEXT + description: 'Returns the JSON with attributes of the OpenVPN CA certificate.' + preprocessing: + - type: CHECK_JSON_ERROR + parameters: + - $.error - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - - 1h + - 6h + tags: + - tag: component + value: raw + - uuid: a8368193a41b49e1bf5ff41422e517f4 + name: 'IPFire OpenVPN: Server Cert: Issuer' + type: DEPENDENT + key: 'ipfire.ovpn.cert.issuer[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity that has signed and issued the certificate.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.issuer master_item: - key: ipfire.services + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' tags: - tag: component - value: os + value: cert + - uuid: f832183696e44b3cb48f4f7c51320be4 + name: 'IPFire OpenVPN: Server Cert: Last validation status' + type: DEPENDENT + key: 'ipfire.ovpn.cert.message[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'Last check result message.' + preprocessing: + - type: JSONPATH + parameters: + - $.result.message + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: - tag: component - value: service - - tag: service - value: '{#SERVICENAME}' - - uuid: 7fa6c6e4b6cf4a018ac3002122b0e0e5 - name: '{#SERVICE}: State' + value: cert + - uuid: f9754743529a4e12b3b5d3081b42262e + name: 'IPFire OpenVPN: Server Cert: Expires on' type: DEPENDENT - key: 'ipfire.services.state[{#SERVICENAME}]' + key: 'ipfire.ovpn.cert.not_after[server{#SINGLETON}]' delay: '0' history: 7d - valuemap: - name: 'Service state' + units: unixtime + description: 'The date on which the certificate validity period ends.' preprocessing: - type: JSONPATH parameters: - - '$[?(@.servicename == "{#SERVICENAME}")].state.first()' + - $.x509.not_after.timestamp master_item: - key: ipfire.services + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' tags: - tag: component - value: service - - tag: service - value: '{#SERVICENAME}' + value: cert trigger_prototypes: - - uuid: 71d4baaa724140179fbde0bbdd170dfa - expression: '{$IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}"} and last(/IPFire by Zabbix agent active/ipfire.services.state[{#SERVICENAME}])<>1' - name: '{#SERVICE}: Service not running' - priority: HIGH - description: 'The IPFire service {#SERVICE} is not running. If this service is manually disabled, set host macro $IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}" to 0 to disable this trigger.' 
+ - uuid: 18007cbcec8a4c3caad12c3f87d8e650 + expression: '(last(/IPFire by Zabbix agent active/ipfire.ovpn.cert.not_after[server{#SINGLETON}]) - now()) / 86400 < {$IPFIRE.OVPN.CERT.EXPIRY.WARN}' + name: 'OpenVPN Server Cert: SSL certificate expires soon' + event_name: 'OpenVPN Server Cert: SSL certificate expires soon (less than {$IPFIRE.OVPN.CERT.EXPIRY.WARN} days)' + priority: WARNING + description: 'The SSL certificate should be updated or it will become untrusted.' + dependencies: + - name: 'OpenVPN Server Cert: SSL certificate is invalid' + expression: 'find(/IPFire by Zabbix agent active/ipfire.ovpn.cert.validation[server{#SINGLETON}],,"like","invalid")=1' tags: - tag: scope - value: availability - trigger_prototypes: - - uuid: adf12fb393704b90b3bd5541a447e2a1 - expression: | - last(/IPFire by Zabbix agent active/ipfire.services.onboot[{#SERVICENAME}])=1 and - (nodata(/IPFire by Zabbix agent active/ipfire.ovpn.statusreport.get[{#SINGLETON}],5m)=1 or - time()-last(/IPFire by Zabbix agent active/ipfire.ovpn.statusreport.timestamp[{#SINGLETON}])>5m) - name: 'OpenVPN: Statusreport outdated' - priority: AVERAGE - description: | - Did not receive a recent OpenVPN status report. OpenVPN client data is probably outdated and/or inaccurate. - Check if Zabbix Agent is running and properly configured to send OpenVPN status reports (UserParameter: ipfire.ovpn.statusreport.get) and/or OpenVPN server configuration is the IPFire default. - dependencies: - - name: '{#SERVICE}: Service not running' - expression: '{$IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}"} and last(/IPFire by Zabbix agent active/ipfire.services.state[{#SERVICENAME}])<>1' + value: notice + - uuid: 4c74a5c951ae437f8e283cd8d23731e4 + name: 'IPFire OpenVPN: Server Cert: Valid from' + type: DEPENDENT + key: 'ipfire.ovpn.cert.not_before[server{#SINGLETON}]' + delay: '0' + history: 7d + units: unixtime + description: 'The date on which the certificate validity period begins.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.not_before.timestamp + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' tags: - - tag: scope - value: availability - master_item: - key: ipfire.services - lld_macro_paths: - - lld_macro: '{#SERVICENAME}' - path: $.servicename - - lld_macro: '{#SERVICE}' - path: $.service - - lld_macro: '{#SINGLETON}' - path: $.singleton - preprocessing: - - type: JAVASCRIPT - parameters: - - | - // Filter out toggling parts: state, pid, memory, onboot & add singleton - discovery_items = JSON.parse(value); - discovery_items.map(function (item) { ['state','pid','memory', 'onboot'].forEach(function(key) { delete item[key] }); item['singleton'] = "" }); - return JSON.stringify(discovery_items); - - type: DISCARD_UNCHANGED_HEARTBEAT - parameters: - - 1h - overrides: - - name: 'Don''t discover OpenVPN specific items/triggers on other services' - step: '1' - filter: - conditions: - - macro: '{#SERVICENAME}' - value: openvpn - operator: NOT_MATCHES_REGEX - formulaid: A - operations: - - operationobject: ITEM_PROTOTYPE - operator: REGEXP - value: '^OpenVPN: .*' - discover: NO_DISCOVER - - operationobject: TRIGGER_PROTOTYPE - operator: REGEXP - value: '^OpenVPN: .*' - discover: NO_DISCOVER - tags: - - tag: class - value: software - - tag: target - value: ipfire - macros: - - macro: '{$IPFIRE.CONN.MAX.RESOLVE}' - value: '85' - description: 'Percentage of max open connections used before resolving trigger' - - macro: '{$IPFIRE.CONN.MAX.WARN}' - value: '95' - description: 'Max percentage of max open connections used before triggering warning' - - macro: '{$IPFIRE.FW_CHAIN.MATCHES}' - value: '^.*$' - description: 'Only discover firewall chains matching this regex' - - macro: '{$IPFIRE.FW_CHAIN.NOT_MATCHES}' - value: CHANGE_IF_NEEDED - description: 'Do not discover firewall chains matching this regex' - - macro: '{$IPFIRE.OVPN.COMMONNAME.MATCHES}' - value: '^.*$' - description: 'OpenVPN clients with common name matching 
this regex will be discovered' - - macro: '{$IPFIRE.OVPN.COMMONNAME.NOTMATCHES}' - value: CHANGE_IF_NEEDED - description: 'OpenVPN clients with common name matching this regex will not be discovered' - - macro: '{$IPFIRE.OVPN.STATE.MATCHES}' - value: 'on' - description: 'OpenVPN clients with a state (on/off) matching this regex will be discovered.' - - macro: '{$IPFIRE.SERVICE.TRIGGER}' - value: '1' - description: 'Whether Zabbix needs to trigger when an IPFire service is down. This variable can be used with context to exclude specific services.' + - tag: component + value: cert + - uuid: a1913f8b80fd457fa1ddcbb350b968ea + name: 'IPFire OpenVPN: Server Cert: Public key algorithm' + type: DEPENDENT + key: 'ipfire.ovpn.cert.public_key_algorithm[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The digital signature algorithm is used to verify the signature of a certificate.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.public_key_algorithm + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: e2fda2e63ed04f06959d3ed0e28a23a3 + name: 'IPFire OpenVPN: Server Cert: Serial number' + type: DEPENDENT + key: 'ipfire.ovpn.cert.serial_number[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.serial_number + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: b4757f58c9ef46489d17e4553b441d22 + name: 'IPFire OpenVPN: Server Cert: Fingerprint' + type: DEPENDENT + key: 'ipfire.ovpn.cert.sha1_fingerprint[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.' + preprocessing: + - type: JSONPATH + parameters: + - $.sha1_fingerprint + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + trigger_prototypes: + - uuid: a610d42edaf04ce4bbc6d22e65da92d0 + expression: 'last(/IPFire by Zabbix agent active/ipfire.ovpn.cert.sha1_fingerprint[server{#SINGLETON}])<>last(/IPFire by Zabbix agent active/ipfire.ovpn.cert.sha1_fingerprint[server{#SINGLETON}],#2)' + name: 'OpenVPN Server Cert: Fingerprint has changed' + event_name: 'OpenVPN Server Cert: Fingerprint has changed (new version: {ITEM.VALUE})' + priority: INFO + description: 'The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually.' + tags: + - tag: scope + value: notice + - uuid: 5b8e0df42cf24865b1ed2ae25551de7d + name: 'IPFire OpenVPN: Server Cert: Signature algorithm' + type: DEPENDENT + key: 'ipfire.ovpn.cert.signature_algorithm[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The algorithm identifier for the algorithm used by the CA to sign the certificate.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.signature_algorithm + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 6cc4db8c6f244cb2b2ee9400103f1cb8 + name: 'IPFire OpenVPN: Server Cert: Subject' + type: DEPENDENT + key: 'ipfire.ovpn.cert.subject[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity associated with the public key stored in the subject public key field.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.subject + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 2acc3977d84b4bc9829cd2534929b04c + name: 'IPFire OpenVPN: Server Cert: Validation result' + type: DEPENDENT + key: 'ipfire.ovpn.cert.validation[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The certificate validation result. Possible values: valid/invalid/valid-but-self-signed' + preprocessing: + - type: JSONPATH + parameters: + - $.result.value + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + trigger_prototypes: + - uuid: 1ad362eb206e4be68e01a5ffba994b9c + expression: 'find(/IPFire by Zabbix agent active/ipfire.ovpn.cert.validation[server{#SINGLETON}],,"like","invalid")=1' + name: 'OpenVPN Server Cert: SSL certificate is invalid' + priority: HIGH + tags: + - tag: scope + value: security + - uuid: 857bd4ed6f2c4062a8c55f5be77347fe + name: 'IPFire OpenVPN: Server Cert: Version' + type: DEPENDENT + key: 'ipfire.ovpn.cert.version[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The version of the encoded certificate.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.version + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 620b605ad2a3419597de389b4cfce7f8 + name: 'IPFire OpenVPN: Server Cert: Get' + type: ZABBIX_ACTIVE + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + delay: 15m + history: '0' + trends: '0' + value_type: TEXT + description: 'Returns the JSON with attributes of a certificate of the requested site.' + preprocessing: + - type: CHECK_JSON_ERROR + parameters: + - $.error + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 6h + tags: + - tag: component + value: raw + - uuid: d2e5f0f3425249b3a08a650e30822546 + name: 'IPFire: OpenVPN: # clients connected' + type: DEPENDENT + key: 'ipfire.ovpn.clients.count[{#SINGLETON}]' + delay: '0' + history: 7d + description: 'Number of clients currently connected with OpenVPN' + preprocessing: + - type: JSONPATH + parameters: + - $.clients.length() + error_handler: CUSTOM_VALUE + error_handler_params: '0' + master_item: + key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + tags: + - tag: component + value: network + - tag: component + value: service + - tag: service + value: openvpn + - uuid: b3520ce61ef24a8b8a606f1b3f3e1907 + name: 'IPFire: OpenVPN: Statusreport: Get' + type: ZABBIX_ACTIVE + key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + history: '0' + trends: '0' + value_type: TEXT + description: 'Get OpenVPN status report containing list of connected clients and routing tables' + preprocessing: + - type: DISCARD_UNCHANGED + parameters: + - '' + tags: + - tag: component + value: raw + - uuid: ff5d2b4c7e0e4bac9788a7eb2b737bdb + name: 'IPFire: OpenVPN: Last status report update' + type: DEPENDENT + key: 'ipfire.ovpn.statusreport.timestamp[{#SINGLETON}]' + delay: '0' + history: 1d + units: unixtime + description: 'Timestamp of last OpenVPN server statusreport update' + preprocessing: + - type: JSONPATH + parameters: + - $.timestamp + 
master_item: + key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + tags: + - tag: component + value: network + - tag: component + value: service + - tag: service + value: openvpn + trigger_prototypes: + - uuid: 16156984f21243a09a9c486e28dafd01 + expression: '(nodata(/IPFire by Zabbix agent active/ipfire.ovpn.statusreport.get[{#SINGLETON}],5m)=1 or time()-last(/IPFire by Zabbix agent active/ipfire.ovpn.statusreport.timestamp[{#SINGLETON}])>5m)' + name: 'IPFire: OpenVPN: Statusreport outdated' + priority: AVERAGE + description: | + Did not receive a recent OpenVPN status report. OpenVPN client data is probably outdated and/or inaccurate. + Check if Zabbix Agent is running and properly configured to send OpenVPN status reports (UserParameter: ipfire.ovpn.statusreport.get) and/or OpenVPN server configuration is the IPFire default. + tags: + - tag: scope + value: availability + master_item: + key: ipfire.services + lld_macro_paths: + - lld_macro: '{#SERVICENAME}' + path: $.servicename + - lld_macro: '{#SERVICESTATE}' + path: $.state + - lld_macro: '{#SERVICE}' + path: $.service + - lld_macro: '{#SINGLETON}' + path: $.singleton + preprocessing: + - type: JAVASCRIPT + parameters: + - | + // Filter out toggling parts: pid, memory, onboot & add singleton + discovery_items = JSON.parse(value); + discovery_items.map(function (item) { ['pid','memory', 'onboot'].forEach(function(key) { delete item[key] }); item['singleton'] = "" }); + return JSON.stringify(discovery_items); + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + - uuid: 0724a9154c924222a1495a4665929039 + name: 'IPFire Services discovery' + type: DEPENDENT + key: ipfire.services.discovery + delay: '0' + filter: + evaltype: AND + conditions: + - macro: '{#SERVICENAME}' + value: '{$IPFIRE.SERVICENAME.MATCHES}' + formulaid: A + - macro: '{#SERVICENAME}' + value: '{$IPFIRE.SERVICENAME.NOT_MATCHES}' + operator: NOT_MATCHES_REGEX + formulaid: B + item_prototypes: + - uuid: 64ab99104e5c4a748745fbc1d02b1803 + name: 
'IPFire: {#SERVICE}: Memory usage' + type: DEPENDENT + key: 'ipfire.services.memory[{#SERVICENAME}]' + delay: '0' + history: 7d + units: b + preprocessing: + - type: JSONPATH + parameters: + - '$[?(@.servicename == "{#SERVICENAME}")].memory.first()' + error_handler: DISCARD_VALUE + master_item: + key: ipfire.services + tags: + - tag: component + value: memory + - tag: component + value: service + - tag: service + value: '{#SERVICENAME}' + - uuid: 3d679fd91a334de1949e5cc5afdcc8a3 + name: 'IPFire: {#SERVICE}: Start on boot' + type: DEPENDENT + key: 'ipfire.services.onboot[{#SERVICENAME}]' + delay: '0' + history: 7d + valuemap: + name: 'Boolean Yes/no' + preprocessing: + - type: JSONPATH + parameters: + - '$[?(@.servicename == "{#SERVICENAME}")].onboot.first()' + error_handler: CUSTOM_VALUE + error_handler_params: '1' + master_item: + key: ipfire.services + tags: + - tag: component + value: service + - tag: service + value: '{#SERVICENAME}' + - uuid: 865fe738cfb34752b83605930b3cf180 + name: 'IPFire: {#SERVICE}: Pid' + type: DEPENDENT + key: 'ipfire.services.pid[{#SERVICENAME}]' + delay: '0' + history: 7d + preprocessing: + - type: JSONPATH + parameters: + - '$[?(@.servicename == "{#SERVICENAME}")].pid.first()' + error_handler: DISCARD_VALUE + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + master_item: + key: ipfire.services + tags: + - tag: component + value: os + - tag: component + value: service + - tag: service + value: '{#SERVICENAME}' + - uuid: 7fa6c6e4b6cf4a018ac3002122b0e0e5 + name: 'IPFire: {#SERVICE}: State' + type: DEPENDENT + key: 'ipfire.services.state[{#SERVICENAME}]' + delay: '0' + history: 7d + valuemap: + name: 'Service state' + preprocessing: + - type: JSONPATH + parameters: + - '$[?(@.servicename == "{#SERVICENAME}")].state.first()' + master_item: + key: ipfire.services + tags: + - tag: component + value: service + - tag: service + value: '{#SERVICENAME}' + trigger_prototypes: + - uuid: 71d4baaa724140179fbde0bbdd170dfa + expression: 
'{$IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}"} and last(/IPFire by Zabbix agent active/ipfire.services.state[{#SERVICENAME}])<>1' + name: 'IPFire: {#SERVICE}: Service not running' + priority: HIGH + description: 'The IPFire service {#SERVICE} is not running. If this service is manually disabled, set host macro $IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}" to 0 to disable this trigger.' + tags: + - tag: scope + value: availability + master_item: + key: ipfire.services + lld_macro_paths: + - lld_macro: '{#SERVICENAME}' + path: $.servicename + - lld_macro: '{#SERVICE}' + path: $.service + - lld_macro: '{#SINGLETON}' + path: $.singleton + preprocessing: + - type: JAVASCRIPT + parameters: + - | + // Filter out toggling parts: state, pid, memory, onboot & add singleton + discovery_items = JSON.parse(value); + discovery_items.map(function (item) { ['state','pid','memory', 'onboot'].forEach(function(key) { delete item[key] }); item['singleton'] = "" }); + return JSON.stringify(discovery_items); + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + tags: + - tag: class + value: software + - tag: target + value: ipfire + macros: + - macro: '{$IPFIRE.CONN.MAX.RESOLVE}' + value: '85' + description: 'Percentage of max open connections used before resolving trigger' + - macro: '{$IPFIRE.CONN.MAX.WARN}' + value: '95' + description: 'Max percentage of max open connections used before triggering warning' + - macro: '{$IPFIRE.FW_CHAIN.MATCHES}' + value: '^.*$' + description: 'Only discover firewall chains matching this regex' + - macro: '{$IPFIRE.FW_CHAIN.NOT_MATCHES}' + value: CHANGE_IF_NEEDED + description: 'Do not discover firewall chains matching this regex' + - macro: '{$IPFIRE.OVPN.CERT.EXPIRY.WARN}' + value: '7' + description: 'Number of days until the OpenVPN server or CA certificate expires.' 
+ - macro: '{$IPFIRE.OVPN.COMMONNAME.MATCHES}' + value: '^.*$' + description: 'OpenVPN clients with common name matching this regex will be discovered' + - macro: '{$IPFIRE.OVPN.COMMONNAME.NOTMATCHES}' + value: CHANGE_IF_NEEDED + description: 'OpenVPN clients with common name matching this regex will not be discovered' + - macro: '{$IPFIRE.OVPN.STATE.MATCHES}' + value: 'on' + description: 'OpenVPN clients with a state (on/off) matching this regex will be discovered.' + - macro: '{$IPFIRE.SERVICE.TRIGGER}' + value: '1' + description: 'Whether Zabbix needs to trigger when an IPFire service is down. This variable can be used with context to exclude specific services.' - macro: '{$IPFIRE.SERVICENAME.MATCHES}' value: '^.*$' description: 'All services matching this regex will be discovered' 
@@ -887,41 +1390,162 @@ zabbix_export: groups: - name: Templates/Modules items: + - uuid: 713f21c4059a452d8aa6746dbb4c024d + name: 'OpenVPN Client: Bytes received' + type: DEPENDENT + key: ipfire.ovpn.client.bytes_in + delay: '0' + history: 7d + units: b + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_in.first()' + error_handler: CUSTOM_VALUE + error_handler_params: '0' + - type: SIMPLE_CHANGE + parameters: + - '' + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network + - uuid: 57993d21e1d04b319b4adc5f70385a30 + name: 'OpenVPN Client: Bytes received total' + type: DEPENDENT + key: ipfire.ovpn.client.bytes_in_total + delay: '0' + history: 7d + units: b + description: 'Total amount of bytes received during current/last connection' + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_in.first()' + error_handler: DISCARD_VALUE + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network + - uuid: 130de3a8a8bf4e4987ac563eabb88602 + name: 'OpenVPN Client: Bytes sent' + type: DEPENDENT + key: ipfire.ovpn.client.bytes_out + delay: '0' + history: 7d + units: b + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_out.first()' + error_handler: CUSTOM_VALUE + error_handler_params: '0' + - type: SIMPLE_CHANGE + parameters: + - '' + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network + - uuid: 81bdb6e42bdd46a58308531d0cffac32 + name: 'OpenVPN Client: Bytes sent total' + type: DEPENDENT + key: ipfire.ovpn.client.bytes_out_total + delay: '0' + history: 7d + units: b + description: 'Total amount of bytes sent during current/last connection' + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == 
"{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_out.first()' + error_handler: DISCARD_VALUE + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network - uuid: bead53bd8f1f4382b4c36733db3ab0f3 - name: 'OpenVPN: Client common name' + name: 'OpenVPN Client: Common name' type: SCRIPT key: ipfire.ovpn.client.commonname history: 7d - trends: '0' - value_type: CHAR - params: 'return "{$IPFIRE.OVPN.CLIENT.COMMONNAME}";' - description: 'OpenVPN Client connection name as configured in IPFire WUI' + trends: '0' + value_type: CHAR + params: 'return "{$IPFIRE.OVPN.CLIENT.COMMONNAME}";' + description: 'OpenVPN Client connection name as configured in IPFire WUI' + inventory_link: ALIAS + preprocessing: + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1d + tags: + - tag: component + value: system + - uuid: e035d6315a7e4403a25185d17bbe6489 + name: 'OpenVPN Client: Connection state' + type: DEPENDENT + key: ipfire.ovpn.client.connected + delay: '0' + history: 7d + description: 'Whether the client is currently connected' + valuemap: + name: 'OpenVPN Connection state' + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].length()' + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network + - uuid: 8b0ba4b88ae549a0a4a2346e1cf40133 + name: 'OpenVPN Client: Last connection time' + type: DEPENDENT + key: ipfire.ovpn.client.connected_since + delay: '0' + history: 7d + units: unixtime + description: 'Timestamp of last client connection initiation' preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].connected_since.first()' + error_handler: DISCARD_VALUE - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - - 1d + - 1h + master_item: + key: ipfire.ovpn.statusreport.get tags: - tag: component - value: service - - tag: service - 
value: openvpn + value: network - uuid: add7fbf01d384c0bab9ded620fa9f958 - name: 'OpenVPN: Last connection duration' + name: 'OpenVPN Client: Last connection duration' type: CALCULATED - key: 'ipfire.ovpn.client.connection[{$IPFIRE.OVPN.CLIENT.COMMONNAME},duration]' + key: ipfire.ovpn.client.connection.duration history: 7d units: s - params: 'last(//ipfire.ovpn.routing_table[{$IPFIRE.OVPN.CLIENT.COMMONNAME},last_ref])-last(//ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},connected_since])' + params: last(//ipfire.ovpn.routing_table.last_ref)-last(//ipfire.ovpn.client.connected_since) description: 'Duration of current or last connection' + preprocessing: + - type: CHECK_NOT_SUPPORTED + parameters: + - '' + error_handler: CUSTOM_VALUE + error_handler_params: '0' tags: - tag: component value: network - - tag: component - value: service - - tag: service - value: openvpn - uuid: 12b42114672c4f698fa3e9407d0f0346 - name: 'OpenVPN: Client name' + name: 'OpenVPN Client: Name' type: SCRIPT key: ipfire.ovpn.client.name history: 7d 
@@ -929,17 +1553,47 @@ zabbix_export: value_type: CHAR params: 'return "{$IPFIRE.OVPN.CLIENT.NAME}";' description: 'OpenVPN Client name as configured in IPFire WUI' + inventory_link: NAME preprocessing: - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - 1d tags: - tag: component - value: service - - tag: service - value: openvpn + value: system + - uuid: fd22e3d29b4c4c358c77d100cd412990 + name: 'OpenVPN Client: Remote IP Address' + type: DEPENDENT + key: ipfire.ovpn.client.real_address + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'Real IP address of client' + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].real_address.first()' + error_handler: CUSTOM_VALUE + error_handler_params: '0.0.0.0:0' + - type: REGEX + parameters: + - '^(\d+\.\d+\.\d+\.\d+):\d+$' + - \1 + - type: STR_REPLACE + parameters: + - 0.0.0.0 + - '' + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network - uuid: 7eeabe63f0ba4f3dbd32403ed37c5acb - name: 'OpenVPN: Client remark' + name: 'OpenVPN Client: Remark' type: SCRIPT key: ipfire.ovpn.client.remark history: 7d @@ -947,22 +1601,23 @@ zabbix_export: value_type: TEXT params: 'return "{$IPFIRE.OVPN.CLIENT.REMARK}";' description: 'OpenVPN Client remark as configured in IPFire WUI' + inventory_link: NOTES preprocessing: - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - 1d tags: - tag: component - value: service - - tag: service - value: openvpn + value: system - uuid: 108aef4c2b184624a00961f5b64500c4 - name: 'OpenVPN: Client access status' + name: 'OpenVPN Client: Access status' type: SCRIPT key: ipfire.ovpn.client.state history: 7d params: 'return "{$IPFIRE.OVPN.CLIENT.STATE}";' description: 'Whether the client is enabled to access the IPFire OpenVPN server.' + valuemap: + name: 'OpenVPN Client access status' preprocessing: - type: STR_REPLACE parameters: 
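Review bot: The REGEX step on `ipfire.ovpn.client.real_address` accepts only a dotted IPv4 address followed by `:port` and has no `error_handler`, so any other form of `real_address` in the status report would leave the item unsupported instead of recording where the client connected from. Whether this OpenVPN setup can report IPv6 or port-less peers is not visible here, so this needs confirming against a real status report. If it can, an explicit `error_handler: DISCARD_VALUE` on that step keeps the item supported until the pattern is widened to the formats actually seen. The item list this hunk belongs to starts and ends outside the hunk.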
@@ -983,11 +1638,9 @@ zabbix_export: - 1d tags: - tag: component - value: service - - tag: service - value: openvpn + value: system - uuid: 08411efa83e3490da6858c96fe8e406f - name: 'OpenVPN: Client type' + name: 'OpenVPN Client: Client type' type: SCRIPT key: ipfire.ovpn.client.type history: 7d @@ -995,6 +1648,7 @@ zabbix_export: value_type: CHAR params: 'return "{$IPFIRE.OVPN.CLIENT.TYPE}";' description: 'OpenVPN Client type' + inventory_link: TYPE valuemap: name: 'OpenVPN Client type' preprocessing: 
@@ -1003,192 +1657,258 @@ zabbix_export: - 1d tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: 713f21c4059a452d8aa6746dbb4c024d - name: 'OpenVPN: Bytes received' + value: system + - uuid: db6227665ba04e148dedfba12ac450c4 + name: 'OpenVPN Client: Cert: Issuer' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},bytes_in]' + key: ipfire.ovpn.clientcert.issuer delay: '0' history: 7d - units: b + trends: '0' + value_type: TEXT + description: 'The field identifies the entity that has signed and issued the certificate.' preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_in.first()' - error_handler: CUSTOM_VALUE - error_handler_params: '0' - - type: SIMPLE_CHANGE - parameters: - - '' + - $.x509.issuer master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: 57993d21e1d04b319b4adc5f70385a30 - name: 'OpenVPN: Bytes received total' + value: cert + - uuid: b0174d18778c4d8b8d9a220fda660096 + name: 'OpenVPN Client: Cert: Last validation status' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},bytes_in_total]' + key: ipfire.ovpn.clientcert.message delay: '0' history: 7d - units: b - description: 'Total amount of bytes received during current/last connection' + trends: '0' + value_type: TEXT + description: 'Last check result message.' 
preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_in.first()' - error_handler: DISCARD_VALUE + - $.result.message master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: 130de3a8a8bf4e4987ac563eabb88602 - name: 'OpenVPN: Bytes sent' + value: cert + - uuid: 244fd75a9580427589d26396d3f9efb6 + name: 'OpenVPN Client: Cert: Expires on' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},bytes_out]' + key: ipfire.ovpn.clientcert.not_after delay: '0' history: 7d - units: b + units: unixtime + description: 'The date on which the certificate validity period ends.' preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_out.first()' - error_handler: CUSTOM_VALUE - error_handler_params: '0' - - type: SIMPLE_CHANGE - parameters: - - '' + - $.x509.not_after.timestamp master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: 81bdb6e42bdd46a58308531d0cffac32 - name: 'OpenVPN: Bytes sent total' + value: cert + triggers: + - uuid: 65334a4eb0d342e0aa73769bc78a00bc + expression: '(last(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.not_after) - now()) / 86400 < {$IPFIRE.OVPN.CLIENT.CERT.EXPIRY.WARN}' + name: 'OpenVPN Client Cert: SSL certificate expires soon' + event_name: 'OpenVPN Client Cert: SSL certificate expires soon (less than {$IPFIRE.OVPN.CLIENT.CERT.EXPIRY.WARN} days)' + priority: WARNING + description: 'The SSL certificate should be updated or it will become untrusted.' 
+ dependencies: + - name: 'OpenVPN Client Cert: SSL certificate is invalid' + expression: 'find(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.validation,,"like","invalid")=1' + tags: + - tag: scope + value: notice + - uuid: cb798f86f6894878965213cd4ed0b10b + name: 'OpenVPN Client: Cert: Valid from' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},bytes_out_total]' + key: ipfire.ovpn.clientcert.not_before delay: '0' history: 7d - units: b - description: 'Total amount of bytes sent during current/last connection' + units: unixtime + description: 'The date on which the certificate validity period begins.' preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_out.first()' - error_handler: DISCARD_VALUE + - $.x509.not_before.timestamp master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: e035d6315a7e4403a25185d17bbe6489 - name: 'OpenVPN: Connection state' + value: cert + - uuid: d5773a7618a348b4ac1e0065f79587a6 + name: 'OpenVPN Client: Cert: Public key algorithm' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},connected]' + key: ipfire.ovpn.clientcert.public_key_algorithm delay: '0' history: 7d - description: 'Whether the client is currently connected' - valuemap: - name: 'OpenVPN Connection state' + trends: '0' + value_type: CHAR + description: 'The digital signature algorithm is used to verify the signature of a certificate.' 
preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].length()' - - type: DISCARD_UNCHANGED_HEARTBEAT - parameters: - - 1h + - $.x509.public_key_algorithm master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network + value: cert + - uuid: 678e46dfa08f49d9a98f55d196904317 + name: 'OpenVPN Client: Cert: Serial number' + type: DEPENDENT + key: ipfire.ovpn.clientcert.serial_number + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.serial_number + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: 8b0ba4b88ae549a0a4a2346e1cf40133 - name: 'OpenVPN: Last connection time' + value: cert + - uuid: d841e1b51324411c940328a6d4038ae0 + name: 'OpenVPN Client: Cert: Fingerprint' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},connected_since]' + key: ipfire.ovpn.clientcert.sha1_fingerprint delay: '0' history: 7d - units: unixtime - description: 'Timestamp of last client connection initiation' + trends: '0' + value_type: CHAR + description: 'The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.' 
preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].connected_since.first()' - error_handler: DISCARD_VALUE - - type: DISCARD_UNCHANGED_HEARTBEAT + - $.sha1_fingerprint + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: + - tag: component + value: cert + triggers: + - uuid: 53ecc2da628046be8071356dc59fe957 + expression: 'last(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.sha1_fingerprint) <> last(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.sha1_fingerprint,#2)' + name: 'OpenVPN Client Cert: Fingerprint has changed' + event_name: 'OpenVPN Client Cert: Fingerprint has changed (new version: {ITEM.VALUE})' + priority: INFO + description: 'The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually.' + manual_close: 'YES' + tags: + - tag: scope + value: notice + - uuid: 9af3911b12414e4d89f55d3d8c94a56b + name: 'OpenVPN Client: Cert: Signature algorithm' + type: DEPENDENT + key: ipfire.ovpn.clientcert.signature_algorithm + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The algorithm identifier for the algorithm used by the CA to sign the certificate.' + preprocessing: + - type: JSONPATH parameters: - - 1h + - $.x509.signature_algorithm master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network + value: cert + - uuid: 89bb1bc5d56046389152c082b29441d8 + name: 'OpenVPN Client: Cert: Subject' + type: DEPENDENT + key: ipfire.ovpn.clientcert.subject + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity associated with the public key stored in the subject public key field.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.subject + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: fd22e3d29b4c4c358c77d100cd412990 - name: 'OpenVPN: Remote IP Address' + value: cert + - uuid: e660e5e152364662b30d27bb5d2cbcc8 + name: 'OpenVPN Client: Cert: Validation result' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},real_address]' + key: ipfire.ovpn.clientcert.validation delay: '0' history: 7d trends: '0' value_type: CHAR - description: 'Real IP address of client' + description: 'The certificate validation result. Possible values: valid/invalid/valid-but-self-signed' preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].real_address.first()' - error_handler: CUSTOM_VALUE - error_handler_params: '0.0.0.0:0' - - type: REGEX + - $.result.value + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: + - tag: component + value: cert + triggers: + - uuid: 24a26bf58cd44bd48e20077b1e030237 + expression: 'find(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.validation,,"like","invalid")=1' + name: 'OpenVPN Client Cert: SSL certificate is invalid' + priority: HIGH + description: 'SSL certificate has expired or it is issued for another domain.' + tags: + - tag: scope + value: security + - uuid: abcc7aca88094244a149bfaad890f5bb + name: 'OpenVPN Client: Cert: Version' + type: DEPENDENT + key: ipfire.ovpn.clientcert.version + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The version of the encoded certificate.' 
+ preprocessing: + - type: JSONPATH parameters: - - '^(\d+\.\d+\.\d+\.\d+):\d+$' - - \1 - - type: STR_REPLACE + - $.x509.version + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: + - tag: component + value: cert + - uuid: e0bea7e224884143aeba3a008fa892c2 + name: 'OpenVPN Client: Cert: Get' + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + delay: 15m + history: '0' + trends: '0' + value_type: TEXT + description: 'Returns the JSON with attributes of a certificate of the requested site.' + preprocessing: + - type: CHECK_JSON_ERROR parameters: - - 0.0.0.0 - - '' + - $.error - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - - 1h - master_item: - key: ipfire.ovpn.statusreport.get + - 6h tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn + value: raw - uuid: 175a8220c2e04e42884e1a5b67de263f - name: 'OpenVPN: Last activity' + name: 'OpenVPN Client: Last activity' type: DEPENDENT - key: 'ipfire.ovpn.routing_table[{$IPFIRE.OVPN.CLIENT.COMMONNAME},last_ref]' + key: ipfire.ovpn.routing_table.last_ref delay: '0' history: 7d units: unixtime @@ -1203,14 +1923,10 @@ zabbix_export: tags: - tag: component value: network - - tag: component - value: service - - tag: service - value: openvpn - uuid: c1c65e8f92b84008a69eb40db7907d61 - name: 'OpenVPN: VPN IP Address' + name: 'OpenVPN Client: VPN IP Address' type: DEPENDENT - key: 'ipfire.ovpn.routing_table[{$IPFIRE.OVPN.CLIENT.COMMONNAME},virtual_address]' + key: ipfire.ovpn.routing_table.virtual_address delay: '0' history: 7d trends: '0' @@ -1229,12 +1945,8 @@ zabbix_export: tags: - tag: component value: network - - tag: component - value: service - - tag: service - value: openvpn - uuid: 5c6b95eedb1a47d99dfba1bb092d56bf - name: 'OpenVPN statusreport: Get' + name: 'OpenVPN Client: Statusreport: Get' key: ipfire.ovpn.statusreport.get history: '0' trends: '0' 
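Review bot: The `OpenVPN Client Cert: Fingerprint has changed` trigger compares `last()` with `last(,#2)` under the default recovery mode, so it returns to OK as soon as the next unchanged fingerprint is stored; with the 6h heartbeat on `ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]` that looks like at most about six hours, whether or not anyone has seen the event. The description tells the operator to close the problem manually, but `manual_close: 'YES'` only permits that and does not hold the problem open. For a signal that can mean an unexpected certificate replacement, adding `recovery_mode: NONE` next to `manual_close: 'YES'` keeps the problem open until someone closes it, and `priority: INFO` is worth reconsidering for the same reason. The server trigger prototype with the same expression earlier in this file shows no `manual_close` line at all in the part visible here.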
@@ -1245,14 +1957,8 @@ zabbix_export: parameters: - '' tags: - - tag: component - value: network - tag: component value: raw - - tag: component - value: service - - tag: service - value: openvpn tags: - tag: class value: device @@ -1261,6 +1967,9 @@ zabbix_export: - tag: target value: openvpn-client macros: + - macro: '{$IPFIRE.OVPN.CLIENT.CERT.EXPIRY.WARN}' + value: '7' + description: 'Number of days until the OpenVPN client certificate expires.' - macro: '{$IPFIRE.OVPN.CLIENT.COMMONNAME}' value: FILLED_IN_BY_HOST_DISCOVERY description: 'OpenVPN client Common Name' @@ -1304,7 +2013,7 @@ zabbix_export: expression: 'last(/IPFire by Zabbix agent active/vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_count"])/last(/IPFire by Zabbix agent active/vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_max"])*100>{$IPFIRE.CONN.MAX.WARN}' recovery_mode: RECOVERY_EXPRESSION recovery_expression: 'last(/IPFire by Zabbix agent active/vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_count"])/last(/IPFire by Zabbix agent active/vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_max"])*100<={$IPFIRE.CONN.MAX.RESOLVE}' - name: 'Number of open connection is too high (> 90% of max open connections)' + name: 'IPFire: Number of open connection is too high (> 90% of max open connections)' opdata: 'Open connections: {ITEM.LASTVALUE1}, Max open connections: {ITEM.LASTVALUE2}' priority: WARNING description: | @@ -1317,7 +2026,7 @@ zabbix_export: value: capacity graphs: - uuid: f9acf1d3482f4af3b619a649eb81b844 - name: 'Line Quality' + name: 'IPFire: Line Quality' graph_items: - sortorder: '1' drawtype: GRADIENT_LINE @@ -1326,7 +2035,7 @@ zabbix_export: host: 'IPFire by Zabbix agent active' key: ipfire.net.gateway.pingtime - uuid: f4bf7726c930427aa2a99bad42d7fa7f - name: 'Open Connections' + name: 'IPFire: Open Connections' graph_items: - sortorder: '1' color: FF0000 
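Review bot: The description added for `{$IPFIRE.OVPN.CLIENT.CERT.EXPIRY.WARN}` in the `@@ -1261,6 +1967,9 @@` hunk reads as a measured value ("Number of days until the OpenVPN client certificate expires.") although the macro is a warning threshold, so someone tuning it cannot tell which direction is stricter. I would word it as `description: 'Warn when the OpenVPN client certificate expires in fewer than this many days.'`. The trigger that consumes the macro is not in this hunk; the CA and server triggers in the 6.4 file compare the remaining days with `< {$IPFIRE.OVPN.CERT.EXPIRY.WARN}`, so the client trigger presumably does the same. A default of `7` may leave little lead time to reissue and redistribute a client certificate, which could be worth a sentence in the README. The macros list continues outside the hunk.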
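Review bot: The renamed trigger in the `@@ -1304,7 +2013,7 @@` hunk still hard-codes "> 90%" in its name while the expression compares against `{$IPFIRE.CONN.MAX.WARN}`, so the alert text misstates the threshold whenever the macro is not 90. The 6.4 copy of the template further down this patch shows a default of `95` for that macro; the 6.0 default is not visible here. Since the line is being rewritten anyway, the name could follow the macro: `name: 'IPFire: Number of open connections is too high (> {$IPFIRE.CONN.MAX.WARN}% of max open connections)'`. The trigger definition continues outside the hunk.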
diff --git a/Network_Appliances/template_ipfire/6.4/README.md b/Network_Appliances/template_ipfire/6.4/README.md index 97c691659..27e42e755 100644 --- a/Network_Appliances/template_ipfire/6.4/README.md +++ b/Network_Appliances/template_ipfire/6.4/README.md @@ -13,13 +13,13 @@ Supports monitoring of: - IPFire services (default IPFire services and possible Addon services) - Pakfire status (Installed version, Available update(s)) - Network stats (Line quality, Open Connections, Firewall hits) -- OpenVPN clients and stats (OpenVPN client discovery, OpenVPN client properties, Traffic stats) +- OpenVPN clients and stats (OpenVPN client discovery, OpenVPN client properties, Traffic stats, Client/Server/CA Certificate validation) Use in conjunction with a default Template OS Linux-template for CPU/Memory/Storage monitoring of the IPFire appliance/instance. This template was created for: -- IPFire 2.27 - Core update 179 +- IPFire 2.29 - Core update 185 **Warning**: This template will *NOT* work on earlier versions of IPFire due to changes to the Zabbix Agent addon. @@ -54,6 +54,7 @@ No specific Zabbix configuration is required |{$IPFIRE.OVPN.COMMONNAME.MATCHES} |

OpenVPN clients with common name matching this regex will be discovered

|`^.*$` | |{$IPFIRE.OVPN.COMMONNAME.NOTMATCHES} |

OpenVPN clients with common name matching this regex will not be discovered

|`CHANGE_IF_NEEDED` | |{$IPFIRE.OVPN.STATE.MATCHES} |

OpenVPN clients with a state (on/off) matching this regex will be discovered.

|`on` | +|{$IPFIRE.OVPN.CERT.EXPIRY.WARN} |

Number of days until the OpenVPN server or CA certificate expires.

|`7` | #### Notes about $IPFIRE.SERVICE.TRIGGER This template does not 'detect' if you have manually disabled a service in IPFire, so by default it will alarm you when any service is down. This is done on purpose so that you will also be notified if a service is unintentionly disabled. @@ -65,6 +66,12 @@ For example to disable the OpenVPN service trigger add `{$IPFIRE.SERVICE.TRIGGER Or you could opt to use the variables `{$IPFIRE.SERVICENAME.MATCHES}` and/or `{$IPFIRE.SERVICENAME.NOT_MATCHES}` to filter out services you don't want to be monitored at all. +#### OpenVPN Client discovery +This template is actually a set of 2 and includes a second template `IPFire OpenVPN Client by Zabbix agent` specificaly for use by the OpenVPN Client discovery defined in the main template `IPFire by Zabbix agent active`. + +If the OpenVPN Service of the IPFire instance is enabled, the main template will discover any configured OpenVPN clients (see `{$IPFIRE.OVPN.*}` macro's to set filters), create those as new hosts in Zabbix and link the `IPFire OpenVPN Client by Zabbix agent` template to them. +Those client hosts will then start collecting OpenVPN statistics specific to those clients. + ## Credits [Alexander Koch](https://community.ipfire.org/t/looking-for-the-zabbix-agent-template/1459/2) for the app Pakfire template. diff --git a/Network_Appliances/template_ipfire/6.4/ipfire_by_zabbix_agent_active.yaml b/Network_Appliances/template_ipfire/6.4/ipfire_by_zabbix_agent_active.yaml index 9baa227fb..adf509f27 100644 --- a/Network_Appliances/template_ipfire/6.4/ipfire_by_zabbix_agent_active.yaml +++ b/Network_Appliances/template_ipfire/6.4/ipfire_by_zabbix_agent_active.yaml 
@@ -25,12 +25,12 @@ zabbix_export: Created by Robin Roevens (robin.roevens (at) disroot.org) vendor: name: RobinR1 - version: 6.4-0.3 + version: 6.4-0.4 groups: - name: Templates/Applications items: - uuid: 9be0495e730a476fac68b91583bb4146 - name: 'Captive Portal: # of active clients' + name: 'IPFire: Captive Portal: # of active clients' type: ZABBIX_ACTIVE key: ipfire.captive.clients history: 7d @@ -41,7 +41,7 @@ zabbix_export: - tag: service value: captive-portal - uuid: da3ef4de97f343d4a3d0d420e4e0df36 - name: 'DHCP Server: # of active leases' + name: 'IPFire: DHCP Server: # of active leases' type: ZABBIX_ACTIVE key: ipfire.dhcpd.clients history: 7d @@ -52,7 +52,7 @@ zabbix_export: - tag: service value: dhcpd - uuid: d7752458935c4e40adaacd4e1107f40e - name: 'Firewall hits: Get' + name: 'IPFire: Firewall hits: Get' type: ZABBIX_ACTIVE key: ipfire.net.fw.hits.raw history: '0' @@ -60,18 +60,16 @@ zabbix_export: value_type: TEXT description: 'Raw data item for retrieving firewall hits on all forwarding chains' tags: - - tag: component - value: firewall - - tag: component - value: network - tag: component value: raw - uuid: 2e0173990de34061b2e743ef22518c6a - name: 'Network: Internet gateway available' + name: 'IPFire: Network: Internet gateway available' type: ZABBIX_ACTIVE key: ipfire.net.gateway.ping history: 7d description: 'Checks if the internet gateway on RED is reachable' + valuemap: + name: 'Service state' tags: - tag: component value: gateway 
@@ -80,14 +78,14 @@ zabbix_export: triggers: - uuid: 750db20bec7c46e6ab9943e516f52947 expression: 'last(/IPFire by Zabbix agent active/ipfire.net.gateway.ping)<>1' - name: 'Internet Gateway is not reachable' + name: 'IPFire: Internet Gateway is not reachable' priority: HIGH description: 'Internet Gateway on interface RED is unreachable. Internet connection is lost or intermittent.' tags: - tag: scope value: availability - uuid: f548b019c57a42cd8b6d4cf0a244f098 - name: 'Network: Internet gateway ping timings' + name: 'IPFire: Network: Internet gateway ping timings' type: ZABBIX_ACTIVE key: ipfire.net.gateway.pingtime history: 7d @@ -100,7 +98,7 @@ zabbix_export: - tag: component value: network - uuid: a01561b00aab4406a38e34440658848d - name: 'IPFire Services: Get' + name: 'IPFire: Services: Get' type: ZABBIX_ACTIVE key: ipfire.services history: '0' @@ -110,10 +108,8 @@ zabbix_export: tags: - tag: component value: raw - - tag: component - value: service - uuid: 45efac8b0c984815b9cf5c2790373911 - name: 'System: Core-Update available' + name: 'IPFire: Core-Update available' type: DEPENDENT key: pakfire.core-update-available delay: '0' @@ -157,7 +153,7 @@ zabbix_export: triggers: - uuid: 10fdaa47927d4638b62ec43deff34360 expression: 'last(/IPFire by Zabbix agent active/pakfire.core-update-available)=1' - name: 'Pakfire: Core-Update available' + name: 'IPFire: Pakfire: Core-Update available' url: 'https://{HOST.CONN}:444/cgi-bin/pakfire.cgi' priority: INFO description: 'A Core-Update for IPFire is available. Go to the IPFire webgui > IPFire Pakfire to perform an update.' 
@@ -168,7 +164,7 @@ zabbix_export: value: security - uuid: 059cebb808634b35a3c2f2304e8cfaf5 expression: 'nodata(/IPFire by Zabbix agent active/pakfire.core-update-available,4h)=1' - name: 'Pakfire: Last Pakfire status update > 4h ago' + name: 'IPFire: Pakfire: Last Pakfire status update > 4h ago' priority: WARNING description: 'Zabbix was unable to retrieve Pakfire status for more than 4h. Check if Pakfire is still correctly working.' tags: @@ -179,7 +175,7 @@ zabbix_export: - tag: scope value: security - uuid: 3c87cd1c09ec4fc2910c2572d9a4f5e9 - name: 'System: Core-Update level' + name: 'IPFire: Core-Update level' type: DEPENDENT key: pakfire.core-update-level delay: '0' @@ -203,11 +199,11 @@ zabbix_export: triggers: - uuid: 315ab087e6b3408eb463eaecbab289f7 expression: 'change(/IPFire by Zabbix agent active/pakfire.core-update-level)>0' - name: 'Pakfire: Core-Update-Level has changed' + name: 'IPFire: Pakfire: Core-Update-Level has changed' priority: INFO manual_close: 'YES' dependencies: - - name: 'Pakfire: Core-Version has changed' + - name: 'IPFire: Pakfire: Core-Version has changed' expression: '(last(/IPFire by Zabbix agent active/pakfire.core-version,#1)<>last(/IPFire by Zabbix agent active/pakfire.core-version,#2))=1' tags: - tag: scope @@ -215,7 +211,7 @@ zabbix_export: - tag: scope value: security - uuid: 96e3883bf9784f45b5ff7a9acaeeb5a9 - name: 'System: Core version' + name: 'IPFire: Core version' type: DEPENDENT key: pakfire.core-version delay: '0' @@ -240,7 +236,7 @@ zabbix_export: triggers: - uuid: 743e14e27c1141cdb08c895e768e9931 expression: '(last(/IPFire by Zabbix agent active/pakfire.core-version,#1)<>last(/IPFire by Zabbix agent active/pakfire.core-version,#2))=1' - name: 'Pakfire: Core-Version has changed' + name: 'IPFire: Pakfire: Core-Version has changed' priority: INFO tags: - tag: scope 
@@ -248,7 +244,7 @@ zabbix_export: - tag: scope value: security - uuid: 299ed0d3aa97435088fd805646ffe649 - name: 'System: # of addon updates available' + name: 'IPFire: Pakfire: # of addon updates available' type: DEPENDENT key: pakfire.package-updates-available delay: '0' @@ -272,7 +268,7 @@ zabbix_export: triggers: - uuid: 39bc50b094cf40ab86588b909eef2db7 expression: 'last(/IPFire by Zabbix agent active/pakfire.package-updates-available)>0' - name: 'Pakfire: Package-Updates available' + name: 'IPFire: Pakfire: Package-Updates available' priority: INFO tags: - tag: scope @@ -280,7 +276,7 @@ zabbix_export: - tag: scope value: security - uuid: 8dbec81630674c7c89a74ba12cdae84b - name: 'System: Reboot required' + name: 'IPFire: Reboot required' type: DEPENDENT key: pakfire.reboot-required delay: '0' @@ -324,7 +320,7 @@ zabbix_export: triggers: - uuid: 5bf0656d2f9f46258ee36ca10096a9bb expression: 'last(/IPFire by Zabbix agent active/pakfire.reboot-required)=1' - name: 'Pakfire: Reboot required' + name: 'IPFire: Pakfire: Reboot required' url: 'https://{HOST.CONN}:444/cgi-bin/shutdown.cgi' priority: INFO description: 'An update requires a reboot of IPFire to complete. Please reboot the host as soon as possible. Go to the IPFire webgui > System > Shutdown to perform a reboot.' @@ -334,7 +330,7 @@ zabbix_export: - tag: scope value: security - uuid: 0593a390fa7f40e1b23c94fe845eff09 - name: 'Pakfire Status: Get' + name: 'IPFire: Pakfire Status: Get' type: ZABBIX_ACTIVE key: pakfire.status delay: 10m @@ -342,14 +338,10 @@ zabbix_export: trends: '0' value_type: TEXT tags: - - tag: component - value: pakfire - tag: component value: raw - - tag: component - value: system - uuid: 7349c0e5921440f5bf1e8be3111acb7f - name: 'Network: # of open connections' + name: 'IPFire: Network: # of open connections' type: ZABBIX_ACTIVE key: 'vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_count"]' history: 7d 
@@ -357,7 +349,7 @@ zabbix_export: - tag: component value: network - uuid: aaa91f7fdd3949d0adf4a6f90e9ddc87 - name: 'Network: Max # of open connections' + name: 'IPFire: Network: Max # of open connections' type: ZABBIX_ACTIVE key: 'vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_max"]' delay: 1h @@ -366,7 +358,7 @@ zabbix_export: - tag: component value: network - uuid: cdc1d6590ab044cc8e9684119238c1db - name: 'System: Last update' + name: 'IPFire: Pakfire: Last update' type: ZABBIX_ACTIVE key: 'vfs.file.time["/opt/pakfire/db/core/mine",modify]' delay: 10m @@ -382,7 +374,7 @@ zabbix_export: - tag: component value: system - uuid: 8614cc5f14364b8d851631850a0d0ce9 - name: 'Pakfire: Last core-list update' + name: 'IPFire: Pakfire: Last core-list update' type: ZABBIX_ACTIVE key: 'vfs.file.time["/opt/pakfire/db/lists/core-list.db",modify]' delay: 10m @@ -404,11 +396,11 @@ zabbix_export: expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/core-list.db",modify],49h)=0' recovery_mode: RECOVERY_EXPRESSION recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/core-list.db",modify],1h)=1' - name: 'Pakfire: Last core-list update > 49h ago' + name: 'IPFire: Pakfire: Last core-list update > 49h ago' priority: WARNING description: 'Auslösung bei Delta > 49h / Recovery bei Delta < 1h' dependencies: - - name: 'Pakfire: Last server-list update > 49h ago' + - name: 'IPFire: Pakfire: Last server-list update > 49h ago' expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],49h)=0' recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],1h)=1' tags: 
@@ -419,7 +411,7 @@ zabbix_export: - tag: scope value: security - uuid: 72d6284952044ff58795e6076e6ad3c8 - name: 'Pakfire: Last packages-list update' + name: 'IPFire: Pakfire: Last packages-list update' type: ZABBIX_ACTIVE key: 'vfs.file.time["/opt/pakfire/db/lists/packages_list.db",modify]' delay: 10m @@ -441,11 +433,11 @@ zabbix_export: expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/packages_list.db",modify],49h)=0' recovery_mode: RECOVERY_EXPRESSION recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/packages_list.db",modify],1h)=1' - name: 'Pakfire: Last packages-list update > 49h ago' + name: 'IPFire: Pakfire: Last packages-list update > 49h ago' priority: WARNING description: 'Auslösung bei Delta > 49h / Recovery bei Delta < 1h' dependencies: - - name: 'Pakfire: Last server-list update > 49h ago' + - name: 'IPFire: Pakfire: Last server-list update > 49h ago' expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],49h)=0' recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],1h)=1' tags: @@ -456,7 +448,7 @@ zabbix_export: - tag: scope value: security - uuid: 0dd0776c8b91489784d45bf06893d1c3 - name: 'Pakfire: Last server-list update' + name: 'IPFire: Pakfire: Last server-list update' type: ZABBIX_ACTIVE key: 'vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify]' delay: 10m 
@@ -478,7 +470,7 @@ zabbix_export: expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],49h)=0' recovery_mode: RECOVERY_EXPRESSION recovery_expression: 'fuzzytime(/IPFire by Zabbix agent active/vfs.file.time["/opt/pakfire/db/lists/server-list.db",modify],1h)=1' - name: 'Pakfire: Last server-list update > 49h ago' + name: 'IPFire: Pakfire: Last server-list update > 49h ago' priority: WARNING description: 'Auslösung bei Delta > 49h / Recovery bei Delta < 1h' tags: @@ -506,7 +498,7 @@ zabbix_export: description: 'Discovery of firewall chains in filter table to create "firewall hits" items/chain' item_prototypes: - uuid: e754323822f04c6b9e2e77bca43344fe - name: 'Firewall: Hits on chain {#FW_CHAIN}' + name: 'IPFire: Firewall: Hits on chain {#FW_CHAIN}' type: DEPENDENT key: 'ipfire.net.fw.hits[{#FW_CHAIN}]' delay: '0' 
@@ -594,255 +586,756 @@ zabbix_export: tags: - tag: type value: '{#TYPE}' - - uuid: 0724a9154c924222a1495a4665929039 - name: 'IPFire Services discovery' + - uuid: c8db2268889741a6aa3877c61d4524e5 + name: 'IPFire OpenVPN properties discovery' type: DEPENDENT - key: ipfire.services.discovery + key: ipfire.ovpn.discovery delay: '0' filter: - evaltype: AND conditions: - macro: '{#SERVICENAME}' - value: '{$IPFIRE.SERVICENAME.MATCHES}' + value: ^openvpn$ formulaid: A - - macro: '{#SERVICENAME}' - value: '{$IPFIRE.SERVICENAME.NOT_MATCHES}' - operator: NOT_MATCHES_REGEX + - macro: '{#SERVICESTATE}' + value: '1' formulaid: B item_prototypes: - - uuid: bd1d7dfffc65492fb3eb7ade56c07bf8 - name: 'OpenVPN: # clients connected' + - uuid: ecd52470e79a4a8da9c16a0f069c1714 + name: 'IPFire OpenVPN: CA Cert: Issuer' type: DEPENDENT - key: 'ipfire.ovpn.clients.count[{#SINGLETON}]' + key: 'ipfire.ovpn.cacert.issuer[{#SINGLETON}]' delay: '0' - description: 'Number of clients currently connected with OpenVPN' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity that has signed and issued the certificate.' 
preprocessing: - type: JSONPATH parameters: - - $.clients.length() - error_handler: CUSTOM_VALUE - error_handler_params: '0' + - $.x509.issuer master_item: - key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: 17b4f2e8a9b944c7b09f81c6b6f8699b - name: 'OpenVPN: Statusreport: Get' - type: ZABBIX_ACTIVE - key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' - history: '0' + value: cert + - uuid: 22cc547a94cb44e4a4255af9a13e899c + name: 'IPFire OpenVPN: CA Cert: Last validation status' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.message[{#SINGLETON}]' + delay: '0' + history: 7d trends: '0' value_type: TEXT - description: 'Get OpenVPN status report containing list of connected clients and routing tables' + description: 'Last check result message.' preprocessing: - - type: DISCARD_UNCHANGED + - type: JSONPATH parameters: - - '' + - $.result.message + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: network - - tag: component - value: raw + value: cert + - uuid: b88e5aa661dd42a5a325398dbb97f38f + name: 'IPFire OpenVPN: CA Cert: Expires on' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.not_after[{#SINGLETON}]' + delay: '0' + history: 7d + units: unixtime + description: 'The date on which the certificate validity period ends.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.not_after.timestamp + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: 9f207a283c4347569f02374f8e548b69 - name: 'OpenVPN: Last status report update' + value: cert + trigger_prototypes: + - uuid: e59bc8217ab444559a90f389c12c6987 + expression: '(last(/IPFire by Zabbix agent active/ipfire.ovpn.cacert.not_after[{#SINGLETON}]) - now()) / 86400 < {$IPFIRE.OVPN.CERT.EXPIRY.WARN}' + name: 'OpenVPN CA Cert: SSL certificate expires soon' + event_name: 'OpenVPN CA Cert: SSL certificate expires soon (less than {$IPFIRE.OVPN.CERT.EXPIRY.WARN} days)' + priority: WARNING + description: 'The SSL certificate should be updated or it will become untrusted.' + dependencies: + - name: 'OpenVPN Server Cert: SSL certificate is invalid' + expression: 'find(/IPFire by Zabbix agent active/ipfire.ovpn.cert.validation[server{#SINGLETON}],,"like","invalid")=1' + tags: + - tag: scope + value: notice + - uuid: 028cdbb29f0048bbb591d8b5d94e9153 + name: 'IPFire OpenVPN: CA Cert: Valid from' type: DEPENDENT - key: 'ipfire.ovpn.statusreport.timestamp[{#SINGLETON}]' + key: 'ipfire.ovpn.cacert.not_before[{#SINGLETON}]' delay: '0' - history: 1d + history: 7d units: unixtime - description: 'Timestamp of last OpenVPN server statusreport update' + description: 'The date on which the certificate validity period begins.' 
preprocessing: - type: JSONPATH parameters: - - $.timestamp - error_handler: DISCARD_VALUE + - $.x509.not_before.timestamp master_item: - key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: network + value: cert + - uuid: 6e4746e6cf294988883615b6d8bc9b49 + name: 'IPFire OpenVPN: CA Cert: Public key algorithm' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.public_key_algorithm[{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The digital signature algorithm is used to verify the signature of a certificate.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.public_key_algorithm + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: 64ab99104e5c4a748745fbc1d02b1803 - name: '{#SERVICE}: Memory usage' + value: cert + - uuid: 2242e77ad41e4e2ea5605e672a25e992 + name: 'IPFire OpenVPN: CA Cert: Serial number' type: DEPENDENT - key: 'ipfire.services.memory[{#SERVICENAME}]' + key: 'ipfire.ovpn.cacert.serial_number[{#SINGLETON}]' delay: '0' history: 7d - units: b + trends: '0' + value_type: CHAR + description: 'The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.' 
preprocessing: - type: JSONPATH parameters: - - '$[?(@.servicename == "{#SERVICENAME}")].memory.first()' - error_handler: DISCARD_VALUE + - $.x509.serial_number master_item: - key: ipfire.services + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: memory + value: cert + - uuid: 1052d1fe7ee54b5f8cad3ead608df3b6 + name: 'IPFire OpenVPN: CA Cert: Fingerprint' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.sha1_fingerprint[{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.' + preprocessing: + - type: JSONPATH + parameters: + - $.sha1_fingerprint + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: - tag: component - value: service - - tag: service - value: '{#SERVICENAME}' - - uuid: 3d679fd91a334de1949e5cc5afdcc8a3 - name: '{#SERVICE}: Start on boot' + value: cert + trigger_prototypes: + - uuid: 440e36cc23a043a8bdb7351b8df2e60d + expression: 'last(/IPFire by Zabbix agent active/ipfire.ovpn.cacert.sha1_fingerprint[{#SINGLETON}])<>last(/IPFire by Zabbix agent active/ipfire.ovpn.cacert.sha1_fingerprint[{#SINGLETON}],#2)' + name: 'OpenVPN CA Cert: Fingerprint has changed' + event_name: 'OpenVPN CA Cert: Fingerprint has changed (new version: {ITEM.VALUE})' + priority: INFO + description: 'The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually.' 
+ tags: + - tag: scope + value: notice + - uuid: 8abc28b3cbea48848641f56482793c22 + name: 'IPFire OpenVPN: CA Cert: Signature algorithm' type: DEPENDENT - key: 'ipfire.services.onboot[{#SERVICENAME}]' + key: 'ipfire.ovpn.cacert.signature_algorithm[{#SINGLETON}]' delay: '0' history: 7d - valuemap: - name: 'Boolean Yes/no' + trends: '0' + value_type: CHAR + description: 'The algorithm identifier for the algorithm used by the CA to sign the certificate.' preprocessing: - type: JSONPATH parameters: - - '$[?(@.servicename == "{#SERVICENAME}")].onboot.first()' - error_handler: CUSTOM_VALUE - error_handler_params: '1' + - $.x509.signature_algorithm master_item: - key: ipfire.services + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' tags: - tag: component - value: service - - tag: service - value: '{#SERVICENAME}' - - uuid: 865fe738cfb34752b83605930b3cf180 - name: '{#SERVICE}: Pid' + value: cert + - uuid: 3123fc50b6bd48ac871de1dc2c4c80e5 + name: 'IPFire OpenVPN: CA Cert: Subject' type: DEPENDENT - key: 'ipfire.services.pid[{#SERVICENAME}]' + key: 'ipfire.ovpn.cacert.subject[{#SINGLETON}]' delay: '0' history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity associated with the public key stored in the subject public key field.' preprocessing: - type: JSONPATH parameters: - - '$[?(@.servicename == "{#SERVICENAME}")].pid.first()' - error_handler: DISCARD_VALUE + - $.x509.subject + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 7cb856be9e8240bc80d0ebe2aba2f488 + name: 'IPFire OpenVPN: CA Cert: Validation result' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.validation[{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The certificate validation result. 
Possible values: valid/invalid/valid-but-self-signed' + preprocessing: + - type: JSONPATH + parameters: + - $.result.value + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: + - tag: component + value: cert + trigger_prototypes: + - uuid: 4178bb0b408e493cb7ee2a1f07e98ce7 + expression: 'find(/IPFire by Zabbix agent active/ipfire.ovpn.cacert.validation[{#SINGLETON}],,"like","invalid")=1' + name: 'OpenVPN CA Cert: SSL certificate is invalid' + priority: HIGH + tags: + - tag: scope + value: security + - uuid: 14d0a15423ed4b3e9e990d0f31cbc2d0 + name: 'IPFire OpenVPN: CA Cert: Version' + type: DEPENDENT + key: 'ipfire.ovpn.cacert.version[{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The version of the encoded certificate.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.version + master_item: + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 2e5c0f41659148ec920c6cf42bb71e7e + name: 'IPFire OpenVPN: CA Cert: Get' + type: ZABBIX_ACTIVE + key: 'ipfire.ovpn.cacert[{#SINGLETON}]' + delay: 15m + history: '0' + trends: '0' + value_type: TEXT + description: 'Returns the JSON with attributes of the OpenVPN CA certificate.' + preprocessing: + - type: CHECK_JSON_ERROR + parameters: + - $.error - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - - 1h + - 6h + tags: + - tag: component + value: raw + - uuid: a8368193a41b49e1bf5ff41422e517f4 + name: 'IPFire OpenVPN: Server Cert: Issuer' + type: DEPENDENT + key: 'ipfire.ovpn.cert.issuer[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity that has signed and issued the certificate.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.issuer master_item: - key: ipfire.services + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' tags: - tag: component - value: os + value: cert + - uuid: f832183696e44b3cb48f4f7c51320be4 + name: 'IPFire OpenVPN: Server Cert: Last validation status' + type: DEPENDENT + key: 'ipfire.ovpn.cert.message[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'Last check result message.' + preprocessing: + - type: JSONPATH + parameters: + - $.result.message + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: - tag: component - value: service - - tag: service - value: '{#SERVICENAME}' - - uuid: 7fa6c6e4b6cf4a018ac3002122b0e0e5 - name: '{#SERVICE}: State' + value: cert + - uuid: f9754743529a4e12b3b5d3081b42262e + name: 'IPFire OpenVPN: Server Cert: Expires on' type: DEPENDENT - key: 'ipfire.services.state[{#SERVICENAME}]' + key: 'ipfire.ovpn.cert.not_after[server{#SINGLETON}]' delay: '0' history: 7d - valuemap: - name: 'Service state' + units: unixtime + description: 'The date on which the certificate validity period ends.' preprocessing: - type: JSONPATH parameters: - - '$[?(@.servicename == "{#SERVICENAME}")].state.first()' + - $.x509.not_after.timestamp master_item: - key: ipfire.services + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' tags: - tag: component - value: service - - tag: service - value: '{#SERVICENAME}' + value: cert trigger_prototypes: - - uuid: 71d4baaa724140179fbde0bbdd170dfa - expression: '{$IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}"} and last(/IPFire by Zabbix agent active/ipfire.services.state[{#SERVICENAME}])<>1' - name: '{#SERVICE}: Service not running' - priority: HIGH - description: 'The IPFire service {#SERVICE} is not running. If this service is manually disabled, set host macro $IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}" to 0 to disable this trigger.' 
+ - uuid: 18007cbcec8a4c3caad12c3f87d8e650 + expression: '(last(/IPFire by Zabbix agent active/ipfire.ovpn.cert.not_after[server{#SINGLETON}]) - now()) / 86400 < {$IPFIRE.OVPN.CERT.EXPIRY.WARN}' + name: 'OpenVPN Server Cert: SSL certificate expires soon' + event_name: 'OpenVPN Server Cert: SSL certificate expires soon (less than {$IPFIRE.OVPN.CERT.EXPIRY.WARN} days)' + priority: WARNING + description: 'The SSL certificate should be updated or it will become untrusted.' + dependencies: + - name: 'OpenVPN Server Cert: SSL certificate is invalid' + expression: 'find(/IPFire by Zabbix agent active/ipfire.ovpn.cert.validation[server{#SINGLETON}],,"like","invalid")=1' tags: - tag: scope - value: availability - trigger_prototypes: - - uuid: adf12fb393704b90b3bd5541a447e2a1 - expression: | - last(/IPFire by Zabbix agent active/ipfire.services.onboot[{#SERVICENAME}])=1 and - (nodata(/IPFire by Zabbix agent active/ipfire.ovpn.statusreport.get[{#SINGLETON}],5m)=1 or - time()-last(/IPFire by Zabbix agent active/ipfire.ovpn.statusreport.timestamp[{#SINGLETON}])>5m) - name: 'OpenVPN: Statusreport outdated' - priority: AVERAGE - description: | - Did not receive a recent OpenVPN status report. OpenVPN client data is probably outdated and/or inaccurate. - Check if Zabbix Agent is running and properly configured to send OpenVPN status reports (UserParameter: ipfire.ovpn.statusreport.get) and/or OpenVPN server configuration is the IPFire default. - dependencies: - - name: '{#SERVICE}: Service not running' - expression: '{$IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}"} and last(/IPFire by Zabbix agent active/ipfire.services.state[{#SERVICENAME}])<>1' + value: notice + - uuid: 4c74a5c951ae437f8e283cd8d23731e4 + name: 'IPFire OpenVPN: Server Cert: Valid from' + type: DEPENDENT + key: 'ipfire.ovpn.cert.not_before[server{#SINGLETON}]' + delay: '0' + history: 7d + units: unixtime + description: 'The date on which the certificate validity period begins.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.not_before.timestamp + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' tags: - - tag: scope - value: availability - master_item: - key: ipfire.services - lld_macro_paths: - - lld_macro: '{#SERVICENAME}' - path: $.servicename - - lld_macro: '{#SERVICE}' - path: $.service - - lld_macro: '{#SINGLETON}' - path: $.singleton - preprocessing: - - type: JAVASCRIPT - parameters: - - | - // Filter out toggling parts: state, pid, memory, onboot & add singleton - discovery_items = JSON.parse(value); - discovery_items.map(function (item) { ['state','pid','memory', 'onboot'].forEach(function(key) { delete item[key] }); item['singleton'] = "" }); - return JSON.stringify(discovery_items); - - type: DISCARD_UNCHANGED_HEARTBEAT - parameters: - - 1h - overrides: - - name: 'Don''t discover OpenVPN specific items/triggers on other services' - step: '1' - filter: - conditions: - - macro: '{#SERVICENAME}' - value: openvpn - operator: NOT_MATCHES_REGEX - formulaid: A - operations: - - operationobject: ITEM_PROTOTYPE - operator: REGEXP - value: '^OpenVPN: .*' - discover: NO_DISCOVER - - operationobject: TRIGGER_PROTOTYPE - operator: REGEXP - value: '^OpenVPN: .*' - discover: NO_DISCOVER - tags: - - tag: class - value: software - - tag: target - value: ipfire - macros: - - macro: '{$IPFIRE.CONN.MAX.RESOLVE}' - value: '85' - description: 'Percentage of max open connections used before resolving trigger' - - macro: '{$IPFIRE.CONN.MAX.WARN}' - value: '95' - description: 'Max percentage of max open connections used before triggering warning' - - macro: '{$IPFIRE.FW_CHAIN.MATCHES}' - value: '^.*$' - description: 'Only discover firewall chains matching this regex' - - macro: '{$IPFIRE.FW_CHAIN.NOT_MATCHES}' - value: CHANGE_IF_NEEDED - description: 'Do not discover firewall chains matching this regex' - - macro: '{$IPFIRE.OVPN.COMMONNAME.MATCHES}' - value: '^.*$' - description: 'OpenVPN clients with common name matching 
this regex will be discovered' + - tag: component + value: cert + - uuid: a1913f8b80fd457fa1ddcbb350b968ea + name: 'IPFire OpenVPN: Server Cert: Public key algorithm' + type: DEPENDENT + key: 'ipfire.ovpn.cert.public_key_algorithm[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The digital signature algorithm is used to verify the signature of a certificate.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.public_key_algorithm + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: e2fda2e63ed04f06959d3ed0e28a23a3 + name: 'IPFire OpenVPN: Server Cert: Serial number' + type: DEPENDENT + key: 'ipfire.ovpn.cert.serial_number[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.serial_number + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: b4757f58c9ef46489d17e4553b441d22 + name: 'IPFire OpenVPN: Server Cert: Fingerprint' + type: DEPENDENT + key: 'ipfire.ovpn.cert.sha1_fingerprint[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.sha1_fingerprint + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + trigger_prototypes: + - uuid: a610d42edaf04ce4bbc6d22e65da92d0 + expression: 'last(/IPFire by Zabbix agent active/ipfire.ovpn.cert.sha1_fingerprint[server{#SINGLETON}])<>last(/IPFire by Zabbix agent active/ipfire.ovpn.cert.sha1_fingerprint[server{#SINGLETON}],#2)' + name: 'OpenVPN Server Cert: Fingerprint has changed' + event_name: 'OpenVPN Server Cert: Fingerprint has changed (new version: {ITEM.VALUE})' + priority: INFO + description: 'The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually.' + tags: + - tag: scope + value: notice + - uuid: 5b8e0df42cf24865b1ed2ae25551de7d + name: 'IPFire OpenVPN: Server Cert: Signature algorithm' + type: DEPENDENT + key: 'ipfire.ovpn.cert.signature_algorithm[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The algorithm identifier for the algorithm used by the CA to sign the certificate.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.signature_algorithm + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 6cc4db8c6f244cb2b2ee9400103f1cb8 + name: 'IPFire OpenVPN: Server Cert: Subject' + type: DEPENDENT + key: 'ipfire.ovpn.cert.subject[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity associated with the public key stored in the subject public key field.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.subject + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 2acc3977d84b4bc9829cd2534929b04c + name: 'IPFire OpenVPN: Server Cert: Validation result' + type: DEPENDENT + key: 'ipfire.ovpn.cert.validation[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The certificate validation result. Possible values: valid/invalid/valid-but-self-signed' + preprocessing: + - type: JSONPATH + parameters: + - $.result.value + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + trigger_prototypes: + - uuid: 1ad362eb206e4be68e01a5ffba994b9c + expression: 'find(/IPFire by Zabbix agent active/ipfire.ovpn.cert.validation[server{#SINGLETON}],,"like","invalid")=1' + name: 'OpenVPN Server Cert: SSL certificate is invalid' + priority: HIGH + tags: + - tag: scope + value: security + - uuid: 857bd4ed6f2c4062a8c55f5be77347fe + name: 'IPFire OpenVPN: Server Cert: Version' + type: DEPENDENT + key: 'ipfire.ovpn.cert.version[server{#SINGLETON}]' + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The version of the encoded certificate.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.version + master_item: + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + tags: + - tag: component + value: cert + - uuid: 620b605ad2a3419597de389b4cfce7f8 + name: 'IPFire OpenVPN: Server Cert: Get' + type: ZABBIX_ACTIVE + key: 'ipfire.ovpn.clientcert[server{#SINGLETON}]' + delay: 15m + history: '0' + trends: '0' + value_type: TEXT + description: 'Returns the JSON with attributes of a certificate of the requested site.' 
+ preprocessing: + - type: CHECK_JSON_ERROR + parameters: + - $.error + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 6h + tags: + - tag: component + value: raw + - uuid: d2e5f0f3425249b3a08a650e30822546 + name: 'IPFire: OpenVPN: # clients connected' + type: DEPENDENT + key: 'ipfire.ovpn.clients.count[{#SINGLETON}]' + delay: '0' + history: 7d + description: 'Number of clients currently connected with OpenVPN' + preprocessing: + - type: JSONPATH + parameters: + - $.clients.length() + error_handler: CUSTOM_VALUE + error_handler_params: '0' + master_item: + key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + tags: + - tag: component + value: network + - tag: component + value: service + - tag: service + value: openvpn + - uuid: b3520ce61ef24a8b8a606f1b3f3e1907 + name: 'IPFire: OpenVPN: Statusreport: Get' + type: ZABBIX_ACTIVE + key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + history: '0' + trends: '0' + value_type: TEXT + description: 'Get OpenVPN status report containing list of connected clients and routing tables' + preprocessing: + - type: DISCARD_UNCHANGED + parameters: + - '' + tags: + - tag: component + value: raw + - uuid: ff5d2b4c7e0e4bac9788a7eb2b737bdb + name: 'IPFire: OpenVPN: Last status report update' + type: DEPENDENT + key: 'ipfire.ovpn.statusreport.timestamp[{#SINGLETON}]' + delay: '0' + history: 1d + units: unixtime + description: 'Timestamp of last OpenVPN server statusreport update' + preprocessing: + - type: JSONPATH + parameters: + - $.timestamp + master_item: + key: 'ipfire.ovpn.statusreport.get[{#SINGLETON}]' + tags: + - tag: component + value: network + - tag: component + value: service + - tag: service + value: openvpn + trigger_prototypes: + - uuid: 16156984f21243a09a9c486e28dafd01 + expression: '(nodata(/IPFire by Zabbix agent active/ipfire.ovpn.statusreport.get[{#SINGLETON}],5m)=1 or time()-last(/IPFire by Zabbix agent active/ipfire.ovpn.statusreport.timestamp[{#SINGLETON}])>5m)' + name: 'IPFire: OpenVPN: Statusreport outdated' 
+ priority: AVERAGE + description: | + Did not receive a recent OpenVPN status report. OpenVPN client data is probably outdated and/or inaccurate. + Check if Zabbix Agent is running and properly configured to send OpenVPN status reports (UserParameter: ipfire.ovpn.statusreport.get) and/or OpenVPN server configuration is the IPFire default. + tags: + - tag: scope + value: availability + master_item: + key: ipfire.services + lld_macro_paths: + - lld_macro: '{#SERVICENAME}' + path: $.servicename + - lld_macro: '{#SERVICESTATE}' + path: $.state + - lld_macro: '{#SERVICE}' + path: $.service + - lld_macro: '{#SINGLETON}' + path: $.singleton + preprocessing: + - type: JAVASCRIPT + parameters: + - | + // Filter out toggling parts: pid, memory, onboot & add singleton + discovery_items = JSON.parse(value); + discovery_items.map(function (item) { ['pid','memory', 'onboot'].forEach(function(key) { delete item[key] }); item['singleton'] = "" }); + return JSON.stringify(discovery_items); + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + - uuid: 0724a9154c924222a1495a4665929039 + name: 'IPFire Services discovery' + type: DEPENDENT + key: ipfire.services.discovery + delay: '0' + filter: + evaltype: AND + conditions: + - macro: '{#SERVICENAME}' + value: '{$IPFIRE.SERVICENAME.MATCHES}' + formulaid: A + - macro: '{#SERVICENAME}' + value: '{$IPFIRE.SERVICENAME.NOT_MATCHES}' + operator: NOT_MATCHES_REGEX + formulaid: B + item_prototypes: + - uuid: 64ab99104e5c4a748745fbc1d02b1803 + name: 'IPFire: {#SERVICE}: Memory usage' + type: DEPENDENT + key: 'ipfire.services.memory[{#SERVICENAME}]' + delay: '0' + history: 7d + units: b + preprocessing: + - type: JSONPATH + parameters: + - '$[?(@.servicename == "{#SERVICENAME}")].memory.first()' + error_handler: DISCARD_VALUE + master_item: + key: ipfire.services + tags: + - tag: component + value: memory + - tag: component + value: service + - tag: service + value: '{#SERVICENAME}' + - uuid: 3d679fd91a334de1949e5cc5afdcc8a3 + name: 
'IPFire: {#SERVICE}: Start on boot' + type: DEPENDENT + key: 'ipfire.services.onboot[{#SERVICENAME}]' + delay: '0' + history: 7d + valuemap: + name: 'Boolean Yes/no' + preprocessing: + - type: JSONPATH + parameters: + - '$[?(@.servicename == "{#SERVICENAME}")].onboot.first()' + error_handler: CUSTOM_VALUE + error_handler_params: '1' + master_item: + key: ipfire.services + tags: + - tag: component + value: service + - tag: service + value: '{#SERVICENAME}' + - uuid: 865fe738cfb34752b83605930b3cf180 + name: 'IPFire: {#SERVICE}: Pid' + type: DEPENDENT + key: 'ipfire.services.pid[{#SERVICENAME}]' + delay: '0' + history: 7d + preprocessing: + - type: JSONPATH + parameters: + - '$[?(@.servicename == "{#SERVICENAME}")].pid.first()' + error_handler: DISCARD_VALUE + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + master_item: + key: ipfire.services + tags: + - tag: component + value: os + - tag: component + value: service + - tag: service + value: '{#SERVICENAME}' + - uuid: 7fa6c6e4b6cf4a018ac3002122b0e0e5 + name: 'IPFire: {#SERVICE}: State' + type: DEPENDENT + key: 'ipfire.services.state[{#SERVICENAME}]' + delay: '0' + history: 7d + valuemap: + name: 'Service state' + preprocessing: + - type: JSONPATH + parameters: + - '$[?(@.servicename == "{#SERVICENAME}")].state.first()' + master_item: + key: ipfire.services + tags: + - tag: component + value: service + - tag: service + value: '{#SERVICENAME}' + trigger_prototypes: + - uuid: 71d4baaa724140179fbde0bbdd170dfa + expression: '{$IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}"} and last(/IPFire by Zabbix agent active/ipfire.services.state[{#SERVICENAME}])<>1' + name: 'IPFire: {#SERVICE}: Service not running' + priority: HIGH + description: 'The IPFire service {#SERVICE} is not running. If this service is manually disabled, set host macro $IPFIRE.SERVICE.TRIGGER:"{#SERVICENAME}" to 0 to disable this trigger.' 
+ tags: + - tag: scope + value: availability + master_item: + key: ipfire.services + lld_macro_paths: + - lld_macro: '{#SERVICENAME}' + path: $.servicename + - lld_macro: '{#SERVICE}' + path: $.service + - lld_macro: '{#SINGLETON}' + path: $.singleton + preprocessing: + - type: JAVASCRIPT + parameters: + - | + // Filter out toggling parts: state, pid, memory, onboot & add singleton + discovery_items = JSON.parse(value); + discovery_items.map(function (item) { ['state','pid','memory', 'onboot'].forEach(function(key) { delete item[key] }); item['singleton'] = "" }); + return JSON.stringify(discovery_items); + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + tags: + - tag: class + value: software + - tag: target + value: ipfire + macros: + - macro: '{$IPFIRE.CONN.MAX.RESOLVE}' + value: '85' + description: 'Percentage of max open connections used before resolving trigger' + - macro: '{$IPFIRE.CONN.MAX.WARN}' + value: '95' + description: 'Max percentage of max open connections used before triggering warning' + - macro: '{$IPFIRE.FW_CHAIN.MATCHES}' + value: '^.*$' + description: 'Only discover firewall chains matching this regex' + - macro: '{$IPFIRE.FW_CHAIN.NOT_MATCHES}' + value: CHANGE_IF_NEEDED + description: 'Do not discover firewall chains matching this regex' + - macro: '{$IPFIRE.OVPN.CERT.EXPIRY.WARN}' + value: '7' + description: 'Number of days until the OpenVPN server or CA certificate expires.' + - macro: '{$IPFIRE.OVPN.COMMONNAME.MATCHES}' + value: '^.*$' + description: 'OpenVPN clients with common name matching this regex will be discovered' - macro: '{$IPFIRE.OVPN.COMMONNAME.NOTMATCHES}' value: CHANGE_IF_NEEDED description: 'OpenVPN clients with common name matching this regex will not be discovered' 
@@ -889,45 +1382,166 @@ zabbix_export: This template is applied to discovered OpenVPN client hosts by the template IPFire by Zabbix agent and is not meant to be applied manually to any hosts. vendor: name: RobinR1 - version: 6.4-0.3 + version: 6.4-0.4 groups: - name: Templates/Modules items: + - uuid: 713f21c4059a452d8aa6746dbb4c024d + name: 'OpenVPN Client: Bytes received' + type: DEPENDENT + key: ipfire.ovpn.client.bytes_in + delay: '0' + history: 7d + units: b + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_in.first()' + error_handler: CUSTOM_VALUE + error_handler_params: '0' + - type: SIMPLE_CHANGE + parameters: + - '' + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network + - uuid: 57993d21e1d04b319b4adc5f70385a30 + name: 'OpenVPN Client: Bytes received total' + type: DEPENDENT + key: ipfire.ovpn.client.bytes_in_total + delay: '0' + history: 7d + units: b + description: 'Total amount of bytes received during current/last connection' + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_in.first()' + error_handler: DISCARD_VALUE + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network + - uuid: 130de3a8a8bf4e4987ac563eabb88602 + name: 'OpenVPN Client: Bytes sent' + type: DEPENDENT + key: ipfire.ovpn.client.bytes_out + delay: '0' + history: 7d + units: b + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_out.first()' + error_handler: CUSTOM_VALUE + error_handler_params: '0' + - type: SIMPLE_CHANGE + parameters: + - '' + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network + - uuid: 81bdb6e42bdd46a58308531d0cffac32 + name: 'OpenVPN Client: Bytes sent total' + type: DEPENDENT + key: ipfire.ovpn.client.bytes_out_total + 
delay: '0' + history: 7d + units: b + description: 'Total amount of bytes sent during current/last connection' + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_out.first()' + error_handler: DISCARD_VALUE + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network - uuid: bead53bd8f1f4382b4c36733db3ab0f3 - name: 'OpenVPN: Client common name' + name: 'OpenVPN Client: Common name' type: SCRIPT key: ipfire.ovpn.client.commonname history: 7d - trends: '0' - value_type: CHAR - params: 'return "{$IPFIRE.OVPN.CLIENT.COMMONNAME}";' - description: 'OpenVPN Client connection name as configured in IPFire WUI' + trends: '0' + value_type: CHAR + params: 'return "{$IPFIRE.OVPN.CLIENT.COMMONNAME}";' + description: 'OpenVPN Client connection name as configured in IPFire WUI' + inventory_link: ALIAS + preprocessing: + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1d + tags: + - tag: component + value: system + - uuid: e035d6315a7e4403a25185d17bbe6489 + name: 'OpenVPN Client: Connection state' + type: DEPENDENT + key: ipfire.ovpn.client.connected + delay: '0' + history: 7d + description: 'Whether the client is currently connected' + valuemap: + name: 'OpenVPN Connection state' + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].length()' + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network + - uuid: 8b0ba4b88ae549a0a4a2346e1cf40133 + name: 'OpenVPN Client: Last connection time' + type: DEPENDENT + key: ipfire.ovpn.client.connected_since + delay: '0' + history: 7d + units: unixtime + description: 'Timestamp of last client connection initiation' preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].connected_since.first()' + 
error_handler: DISCARD_VALUE - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - - 1d + - 1h + master_item: + key: ipfire.ovpn.statusreport.get tags: - tag: component - value: service - - tag: service - value: openvpn + value: network - uuid: add7fbf01d384c0bab9ded620fa9f958 - name: 'OpenVPN: Last connection duration' + name: 'OpenVPN Client: Last connection duration' type: CALCULATED - key: 'ipfire.ovpn.client.connection[{$IPFIRE.OVPN.CLIENT.COMMONNAME},duration]' + key: ipfire.ovpn.client.connection.duration history: 7d units: s - params: 'last(//ipfire.ovpn.routing_table[{$IPFIRE.OVPN.CLIENT.COMMONNAME},last_ref])-last(//ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},connected_since])' + params: last(//ipfire.ovpn.routing_table.last_ref)-last(//ipfire.ovpn.client.connected_since) description: 'Duration of current or last connection' + preprocessing: + - type: CHECK_NOT_SUPPORTED + parameters: + - '' + error_handler: CUSTOM_VALUE + error_handler_params: '0' tags: - tag: component value: network - - tag: component - value: service - - tag: service - value: openvpn - uuid: 12b42114672c4f698fa3e9407d0f0346 - name: 'OpenVPN: Client name' + name: 'OpenVPN Client: Name' type: SCRIPT key: ipfire.ovpn.client.name history: 7d 
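Review bot: The script items in this hunk build their JavaScript by splicing a macro into the source, e.g. `params: 'return "{$IPFIRE.OVPN.CLIENT.COMMONNAME}";'`, so a common name containing a double quote or backslash would yield a broken or altered script unless Zabbix escapes the value on expansion. The macro's default is `FILLED_IN_BY_HOST_DISCOVERY`, so the text originates from discovered OpenVPN client data rather than from the template author. Passing the macro as a script-item parameter and reading it from the parsed `value` inside the script would keep it as data. The same pattern appears in the name, remark, state and type items of the following hunks, and in the JSONPath filters `?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")`. The items list continues outside this hunk.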
@@ -935,17 +1549,47 @@ zabbix_export: value_type: CHAR params: 'return "{$IPFIRE.OVPN.CLIENT.NAME}";' description: 'OpenVPN Client name as configured in IPFire WUI' + inventory_link: NAME preprocessing: - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - 1d tags: - tag: component - value: service - - tag: service - value: openvpn + value: system + - uuid: fd22e3d29b4c4c358c77d100cd412990 + name: 'OpenVPN Client: Remote IP Address' + type: DEPENDENT + key: ipfire.ovpn.client.real_address + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'Real IP address of client' + preprocessing: + - type: JSONPATH + parameters: + - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].real_address.first()' + error_handler: CUSTOM_VALUE + error_handler_params: '0.0.0.0:0' + - type: REGEX + parameters: + - '^(\d+\.\d+\.\d+\.\d+):\d+$' + - \1 + - type: STR_REPLACE + parameters: + - 0.0.0.0 + - '' + - type: DISCARD_UNCHANGED_HEARTBEAT + parameters: + - 1h + master_item: + key: ipfire.ovpn.statusreport.get + tags: + - tag: component + value: network - uuid: 7eeabe63f0ba4f3dbd32403ed37c5acb - name: 'OpenVPN: Client remark' + name: 'OpenVPN Client: Remark' type: SCRIPT key: ipfire.ovpn.client.remark history: 7d @@ -953,22 +1597,23 @@ zabbix_export: value_type: TEXT params: 'return "{$IPFIRE.OVPN.CLIENT.REMARK}";' description: 'OpenVPN Client remark as configured in IPFire WUI' + inventory_link: NOTES preprocessing: - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - 1d tags: - tag: component - value: service - - tag: service - value: openvpn + value: system - uuid: 108aef4c2b184624a00961f5b64500c4 - name: 'OpenVPN: Client access status' + name: 'OpenVPN Client: Access status' type: SCRIPT key: ipfire.ovpn.client.state history: 7d params: 'return "{$IPFIRE.OVPN.CLIENT.STATE}";' description: 'Whether the client is enabled to access the IPFire OpenVPN server.' + valuemap: + name: 'OpenVPN Client access status' preprocessing: - type: STR_REPLACE parameters: 
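Review bot: The REGEX step of 'OpenVPN Client: Remote IP Address' accepts only a dotted IPv4 address followed by a port (`'^(\d+\.\d+\.\d+\.\d+):\d+$'`) and has no `error_handler`. A client reported with an IPv6 or otherwise differently formatted `real_address` would presumably turn the item unsupported instead of recording the peer address. This item is the record of where a VPN client connected from, so consider a pattern that takes everything before the final port, e.g. `- '^(.+):\d+$'`, if the status report can carry such addresses. The later STR_REPLACE of `0.0.0.0` keeps working with that pattern.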
@@ -989,11 +1634,9 @@ zabbix_export: - 1d tags: - tag: component - value: service - - tag: service - value: openvpn + value: system - uuid: 08411efa83e3490da6858c96fe8e406f - name: 'OpenVPN: Client type' + name: 'OpenVPN Client: Client type' type: SCRIPT key: ipfire.ovpn.client.type history: 7d @@ -1001,6 +1644,7 @@ zabbix_export: value_type: CHAR params: 'return "{$IPFIRE.OVPN.CLIENT.TYPE}";' description: 'OpenVPN Client type' + inventory_link: TYPE valuemap: name: 'OpenVPN Client type' preprocessing: 
@@ -1009,192 +1653,258 @@ zabbix_export: - 1d tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: 713f21c4059a452d8aa6746dbb4c024d - name: 'OpenVPN: Bytes received' + value: system + - uuid: db6227665ba04e148dedfba12ac450c4 + name: 'OpenVPN Client: Cert: Issuer' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},bytes_in]' + key: ipfire.ovpn.clientcert.issuer delay: '0' history: 7d - units: b + trends: '0' + value_type: TEXT + description: 'The field identifies the entity that has signed and issued the certificate.' preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_in.first()' - error_handler: CUSTOM_VALUE - error_handler_params: '0' - - type: SIMPLE_CHANGE - parameters: - - '' + - $.x509.issuer master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: 57993d21e1d04b319b4adc5f70385a30 - name: 'OpenVPN: Bytes received total' + value: cert + - uuid: b0174d18778c4d8b8d9a220fda660096 + name: 'OpenVPN Client: Cert: Last validation status' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},bytes_in_total]' + key: ipfire.ovpn.clientcert.message delay: '0' history: 7d - units: b - description: 'Total amount of bytes received during current/last connection' + trends: '0' + value_type: TEXT + description: 'Last check result message.' 
preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_in.first()' - error_handler: DISCARD_VALUE + - $.result.message master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: 130de3a8a8bf4e4987ac563eabb88602 - name: 'OpenVPN: Bytes sent' + value: cert + - uuid: 244fd75a9580427589d26396d3f9efb6 + name: 'OpenVPN Client: Cert: Expires on' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},bytes_out]' + key: ipfire.ovpn.clientcert.not_after delay: '0' history: 7d - units: b + units: unixtime + description: 'The date on which the certificate validity period ends.' preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_out.first()' - error_handler: CUSTOM_VALUE - error_handler_params: '0' - - type: SIMPLE_CHANGE - parameters: - - '' + - $.x509.not_after.timestamp master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: 81bdb6e42bdd46a58308531d0cffac32 - name: 'OpenVPN: Bytes sent total' + value: cert + triggers: + - uuid: 65334a4eb0d342e0aa73769bc78a00bc + expression: '(last(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.not_after) - now()) / 86400 < {$IPFIRE.OVPN.CLIENT.CERT.EXPIRY.WARN}' + name: 'OpenVPN Client Cert: SSL certificate expires soon' + event_name: 'OpenVPN Client Cert: SSL certificate expires soon (less than {$IPFIRE.OVPN.CLIENT.CERT.EXPIRY.WARN} days)' + priority: WARNING + description: 'The SSL certificate should be updated or it will become untrusted.' 
+ dependencies: + - name: 'OpenVPN Client Cert: SSL certificate is invalid' + expression: 'find(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.validation,,"like","invalid")=1' + tags: + - tag: scope + value: notice + - uuid: cb798f86f6894878965213cd4ed0b10b + name: 'OpenVPN Client: Cert: Valid from' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},bytes_out_total]' + key: ipfire.ovpn.clientcert.not_before delay: '0' history: 7d - units: b - description: 'Total amount of bytes sent during current/last connection' + units: unixtime + description: 'The date on which the certificate validity period begins.' preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].bytes_out.first()' - error_handler: DISCARD_VALUE + - $.x509.not_before.timestamp master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn - - uuid: e035d6315a7e4403a25185d17bbe6489 - name: 'OpenVPN: Connection state' + value: cert + - uuid: d5773a7618a348b4ac1e0065f79587a6 + name: 'OpenVPN Client: Cert: Public key algorithm' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},connected]' + key: ipfire.ovpn.clientcert.public_key_algorithm delay: '0' history: 7d - description: 'Whether the client is currently connected' - valuemap: - name: 'OpenVPN Connection state' + trends: '0' + value_type: CHAR + description: 'The digital signature algorithm is used to verify the signature of a certificate.' 
preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].length()' - - type: DISCARD_UNCHANGED_HEARTBEAT - parameters: - - 1h + - $.x509.public_key_algorithm master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network + value: cert + - uuid: 678e46dfa08f49d9a98f55d196904317 + name: 'OpenVPN Client: Cert: Serial number' + type: DEPENDENT + key: ipfire.ovpn.clientcert.serial_number + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.' + preprocessing: + - type: JSONPATH + parameters: + - $.x509.serial_number + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: 8b0ba4b88ae549a0a4a2346e1cf40133 - name: 'OpenVPN: Last connection time' + value: cert + - uuid: d841e1b51324411c940328a6d4038ae0 + name: 'OpenVPN Client: Cert: Fingerprint' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},connected_since]' + key: ipfire.ovpn.clientcert.sha1_fingerprint delay: '0' history: 7d - units: unixtime - description: 'Timestamp of last client connection initiation' + trends: '0' + value_type: CHAR + description: 'The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.' 
preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].connected_since.first()' - error_handler: DISCARD_VALUE - - type: DISCARD_UNCHANGED_HEARTBEAT + - $.sha1_fingerprint + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: + - tag: component + value: cert + triggers: + - uuid: 53ecc2da628046be8071356dc59fe957 + expression: 'last(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.sha1_fingerprint) <> last(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.sha1_fingerprint,#2)' + name: 'OpenVPN Client Cert: Fingerprint has changed' + event_name: 'OpenVPN Client Cert: Fingerprint has changed (new version: {ITEM.VALUE})' + priority: INFO + description: 'The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually.' + manual_close: 'YES' + tags: + - tag: scope + value: notice + - uuid: 9af3911b12414e4d89f55d3d8c94a56b + name: 'OpenVPN Client: Cert: Signature algorithm' + type: DEPENDENT + key: ipfire.ovpn.clientcert.signature_algorithm + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The algorithm identifier for the algorithm used by the CA to sign the certificate.' + preprocessing: + - type: JSONPATH parameters: - - 1h + - $.x509.signature_algorithm master_item: - key: ipfire.ovpn.statusreport.get + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' tags: - tag: component - value: network + value: cert + - uuid: 89bb1bc5d56046389152c082b29441d8 + name: 'OpenVPN Client: Cert: Subject' + type: DEPENDENT + key: ipfire.ovpn.clientcert.subject + delay: '0' + history: 7d + trends: '0' + value_type: TEXT + description: 'The field identifies the entity associated with the public key stored in the subject public key field.' 
+ preprocessing: + - type: JSONPATH + parameters: + - $.x509.subject + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: - tag: component - value: service - - tag: service - value: openvpn - - uuid: fd22e3d29b4c4c358c77d100cd412990 - name: 'OpenVPN: Remote IP Address' + value: cert + - uuid: e660e5e152364662b30d27bb5d2cbcc8 + name: 'OpenVPN Client: Cert: Validation result' type: DEPENDENT - key: 'ipfire.ovpn.client[{$IPFIRE.OVPN.CLIENT.COMMONNAME},real_address]' + key: ipfire.ovpn.clientcert.validation delay: '0' history: 7d trends: '0' value_type: CHAR - description: 'Real IP address of client' + description: 'The certificate validation result. Possible values: valid/invalid/valid-but-self-signed' preprocessing: - type: JSONPATH parameters: - - '$.clients[?(@.common_name == "{$IPFIRE.OVPN.CLIENT.COMMONNAME}")].real_address.first()' - error_handler: CUSTOM_VALUE - error_handler_params: '0.0.0.0:0' - - type: REGEX + - $.result.value + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: + - tag: component + value: cert + triggers: + - uuid: 24a26bf58cd44bd48e20077b1e030237 + expression: 'find(/IPFire OpenVPN Client by Zabbix agent/ipfire.ovpn.clientcert.validation,,"like","invalid")=1' + name: 'OpenVPN Client Cert: SSL certificate is invalid' + priority: HIGH + description: 'SSL certificate has expired or it is issued for another domain.' + tags: + - tag: scope + value: security + - uuid: abcc7aca88094244a149bfaad890f5bb + name: 'OpenVPN Client: Cert: Version' + type: DEPENDENT + key: ipfire.ovpn.clientcert.version + delay: '0' + history: 7d + trends: '0' + value_type: CHAR + description: 'The version of the encoded certificate.' 
+ preprocessing: + - type: JSONPATH parameters: - - '^(\d+\.\d+\.\d+\.\d+):\d+$' - - \1 - - type: STR_REPLACE + - $.x509.version + master_item: + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + tags: + - tag: component + value: cert + - uuid: e0bea7e224884143aeba3a008fa892c2 + name: 'OpenVPN Client: Cert: Get' + key: 'ipfire.ovpn.clientcert[{$IPFIRE.OVPN.CLIENT.NAME}]' + delay: 15m + history: '0' + trends: '0' + value_type: TEXT + description: 'Returns the JSON with attributes of a certificate of the requested site.' + preprocessing: + - type: CHECK_JSON_ERROR parameters: - - 0.0.0.0 - - '' + - $.error - type: DISCARD_UNCHANGED_HEARTBEAT parameters: - - 1h - master_item: - key: ipfire.ovpn.statusreport.get + - 6h tags: - tag: component - value: network - - tag: component - value: service - - tag: service - value: openvpn + value: raw - uuid: 175a8220c2e04e42884e1a5b67de263f - name: 'OpenVPN: Last activity' + name: 'OpenVPN Client: Last activity' type: DEPENDENT - key: 'ipfire.ovpn.routing_table[{$IPFIRE.OVPN.CLIENT.COMMONNAME},last_ref]' + key: ipfire.ovpn.routing_table.last_ref delay: '0' history: 7d units: unixtime @@ -1209,14 +1919,10 @@ zabbix_export: tags: - tag: component value: network - - tag: component - value: service - - tag: service - value: openvpn - uuid: c1c65e8f92b84008a69eb40db7907d61 - name: 'OpenVPN: VPN IP Address' + name: 'OpenVPN Client: VPN IP Address' type: DEPENDENT - key: 'ipfire.ovpn.routing_table[{$IPFIRE.OVPN.CLIENT.COMMONNAME},virtual_address]' + key: ipfire.ovpn.routing_table.virtual_address delay: '0' history: 7d trends: '0' @@ -1235,12 +1941,8 @@ zabbix_export: tags: - tag: component value: network - - tag: component - value: service - - tag: service - value: openvpn - uuid: 5c6b95eedb1a47d99dfba1bb092d56bf - name: 'OpenVPN statusreport: Get' + name: 'OpenVPN Client: Statusreport: Get' key: ipfire.ovpn.statusreport.get history: '0' trends: '0' 
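Review bot: The 'OpenVPN Client Cert: Fingerprint has changed' trigger is the only alert here for an unexpected certificate replacement, yet it is `priority: INFO` with scope tag `notice`, so it will not be routed with the `scope`/`security` invalid-certificate trigger although its description names compromise as a possible cause. Consider `value: security` for its scope tag and a priority above INFO. Its expression compares `last()` with `last(,#2)` while the master item re-sends unchanged JSON every `6h`, so the problem presumably recovers on its own at the next heartbeat despite `manual_close: 'YES'`; the server-side prototype earlier in the diff carries the same description without `manual_close`. The fingerprint tracked is SHA-1 only (`$.sha1_fingerprint`); if the agent output also carries a SHA-256 fingerprint, that would be the better value to compare.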
@@ -1251,14 +1953,8 @@ zabbix_export: parameters: - '' tags: - - tag: component - value: network - tag: component value: raw - - tag: component - value: service - - tag: service - value: openvpn tags: - tag: class value: device @@ -1267,6 +1963,9 @@ zabbix_export: - tag: target value: openvpn-client macros: + - macro: '{$IPFIRE.OVPN.CLIENT.CERT.EXPIRY.WARN}' + value: '7' + description: 'Number of days until the OpenVPN client certificate expires.' - macro: '{$IPFIRE.OVPN.CLIENT.COMMONNAME}' value: FILLED_IN_BY_HOST_DISCOVERY description: 'OpenVPN client Common Name' @@ -1310,7 +2009,7 @@ zabbix_export: expression: 'last(/IPFire by Zabbix agent active/vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_count"])/last(/IPFire by Zabbix agent active/vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_max"])*100>{$IPFIRE.CONN.MAX.WARN}' recovery_mode: RECOVERY_EXPRESSION recovery_expression: 'last(/IPFire by Zabbix agent active/vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_count"])/last(/IPFire by Zabbix agent active/vfs.file.contents["/proc/sys/net/netfilter/nf_conntrack_max"])*100<={$IPFIRE.CONN.MAX.RESOLVE}' - name: 'Number of open connection is too high (> 90% of max open connections)' + name: 'IPFire: Number of open connection is too high (> 90% of max open connections)' opdata: 'Open connections: {ITEM.LASTVALUE1}, Max open connections: {ITEM.LASTVALUE2}' priority: WARNING description: | @@ -1323,7 +2022,7 @@ zabbix_export: value: capacity graphs: - uuid: f9acf1d3482f4af3b619a649eb81b844 - name: 'Line Quality' + name: 'IPFire: Line Quality' graph_items: - sortorder: '1' drawtype: GRADIENT_LINE @@ -1332,7 +2031,7 @@ zabbix_export: host: 'IPFire by Zabbix agent active' key: ipfire.net.gateway.pingtime - uuid: f4bf7726c930427aa2a99bad42d7fa7f - name: 'Open Connections' + name: 'IPFire: Open Connections' graph_items: - sortorder: '1' color: FF0000
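Review bot: The renamed trigger still hard-codes `> 90% of max open connections` in its name while the expression compares against `{$IPFIRE.CONN.MAX.WARN}`, whose default in this template's macro list is `'95'`, so the alert text misstates the threshold that fired. Use the macro in the name instead: `name: 'IPFire: Number of open connection is too high (> {$IPFIRE.CONN.MAX.WARN}% of max open connections)'`. The trigger's description block continues past the end of this hunk.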