From patchwork Wed Jul 19 20:29:18 2023
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 7003
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH 2/2] zabbix_agentd: Add ovpn monitoring items
Date: Wed, 19 Jul 2023 22:29:18 +0200
Message-ID: <20230719204140.29157-3-robin.roevens@disroot.org>
In-Reply-To: <20230719204140.29157-1-robin.roevens@disroot.org>
References: <20230719204140.29157-1-robin.roevens@disroot.org>

Added new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.ovpn.clients.discovery: Discovery of configured ovpn clients. Returns a JSON array.
- ipfire.ovpn.statusreport.get: Parses and returns /var/run/ovpnserver.log in a JSON array Since /var/run/ovpnserver.log is only readable by root, 'cat' of that file is added to sudoers.d/zabbix_agentd. --- config/zabbix_agentd/sudoers | 2 +- config/zabbix_agentd/userparameter_ipfire.conf | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 2d71ae78f..d93ec5d55 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -8,4 +8,4 @@ # To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf index c5a636edf..b8b512d82 100644 --- a/config/zabbix_agentd/userparameter_ipfire.conf +++ b/config/zabbix_agentd/userparameter_ipfire.conf 
@@ -9,4 +9,10 @@ UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/ # Number of currently Active DHCP leases UserParameter=ipfire.dhcpd.clients,grep -s -E 'lease|bind' /var/state/dhcp/dhcpd.leases | sed ':a;/{$/{N;s/\n//;ba}' | grep "state active" | wc -l # Number of Captive Portal clients -UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients \ No newline at end of file +UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END {if (length(sum) == 0) print 0; else print sum}' /var/ipfire/captive/clients +# Discovery of configured ovpn clients +UserParameter=ipfire.ovpn.clients.discovery,cat /var/ipfire/ovpn/ovpnconfig 2>/dev/null | awk -F',' 'BEGIN { ORS = ""; print "[" } { printf "%s{\"{#NAME}\":\"%s\",\"{#COMMONNAME}\":\"%s\",\"{#STATE}\":\"%s\",\"{#REMARK}\":\"%s\",\"{#TYPE}\":\"%s\"}", separator, $3, $4, $2, $27, $5; separator = ","; } END { print "]" }' +# Get OpenVPN status report +UserParameter=ipfire.ovpn.statusreport.get,sudo cat /var/run/ovpnserver.log 2>/dev/null | awk -F"," 'function unixtime(t) { gsub(/[-:]/," ",t); return mktime(t) } BEGIN { ORS = ""; print "{" } /^Updated,.+/ { printf "\"timestamp\":%s,\"clients\":[",unixtime($2) } /^.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,[0-9]+,[0-9]+,.+/ { if ($1 != "Common Name") { printf "%s{\"common_name\":\"%s\",\"real_address\":\"%s\",\"bytes_in\":\"%s\",\"bytes_out\":\"%s\",\"connected_since\":\"%s\"}", separator, $1, $2, $3, $4, unixtime($5); separator = ","; } } /^ROUTING TABLE/ { print "],\"routing_table\":["; separator = "" } /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+,.+,[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+,.+/ { if ($1 != "Virtual Address") { printf "%s{\"common_name\":\"%s\",\"virtual_address\":\"%s\",\"real_address\":\"%s\",\"last_ref\":\"%s\"}", separator, $2, $1, $3, unixtime($4); separator = "," } } END { print "]}" }' +# Allow item key to be called 
with (unused) parameters. This allows the #SINGLETON method of discovering this item only when openvpn service is active +Alias=ipfire.ovpn.statusreport.get[]:ipfire.ovpn.statusreport.get \ No newline at end of file
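
Review bot: In config/zabbix_agentd/sudoers the new `/bin/cat /var/run/ovpnserver.log` entry is appended to the existing `zabbix ALL=(ALL) NOPASSWD:` rule, so it inherits the `(ALL)` run-as list even though the commit message only needs root to read the file. Consider putting it on its own line with `(root)` as the run-as user so the grant stays as narrow as the use case. The matching UserParameter calls `sudo cat` without a path, unlike the existing `sudo /usr/local/bin/getipstat` item, so the sudoers match relies on PATH lookup resolving to `/bin/cat`; using `sudo /bin/cat /var/run/ovpnserver.log` there makes the pair explicit.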
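
Review bot: In config/zabbix_agentd/userparameter_ipfire.conf both new awk programs interpolate raw fields into JSON with `\"%s\"` and no escaping, so a `"` or `\` in a value such as the remark (`$27`) or a common name yields invalid JSON or changes the structure the Zabbix server parses. Escape backslashes and double quotes (for example with `gsub`) before the `printf`. In `ipfire.ovpn.statusreport.get`, when the log is missing or empty the only output is the `{` from BEGIN and the `]}` from END, which is `{]}`; emit a valid empty object in that case, and note that `2>/dev/null` also hides a sudo failure that leads to the same result. The `Alias=` line again ends with "\ No newline at end of file", the same condition this hunk fixes for the captive clients line.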