Hello, in this article we will see how to monitor the expiration date of your HTTPS certificates, as well as Windows root certificates, with Centreon, NSClient++ and the Centreon Plugin Packs.
What you need:
- Centreon Server (I am on version 20.10.3)
- Centreon Plugin Packs: Install/Update Centreon plugin packs
- NSClient++ for Windows: Download
- PowerShell script: Download | source: exchange.nagios.org
And of course an HTTPS website and Windows Server root certificates.
HTTPS Certificate Validity Plugin
Let's start with monitoring the certificates of your HTTPS websites. I give both the CLI command and the UI command (Centreon-web).
We will use the plugin: PLUGIN: apps::protocols::x509::plugin
[root@pixelabs plugins]# ./centreon_plugins.pl --list-plugin | grep protocol | grep PLUGIN
PLUGIN: apps::protocols::bgp::4::plugin
PLUGIN: apps::protocols::dhcp::plugin
PLUGIN: apps::protocols::dns::plugin
PLUGIN: apps::protocols::ftp::plugin
PLUGIN: apps::protocols::http::plugin
PLUGIN: apps::protocols::imap::plugin
PLUGIN: apps::protocols::jmx::plugin
PLUGIN: apps::protocols::ldap::plugin
PLUGIN: apps::protocols::modbus::plugin
PLUGIN: apps::protocols::nrpe::plugin
PLUGIN: apps::protocols::ntp::plugin
PLUGIN: apps::protocols::ospf::snmp::plugin
PLUGIN: apps::protocols::radius::plugin
PLUGIN: apps::protocols::smtp::plugin
PLUGIN: apps::protocols::snmp::plugin
PLUGIN: apps::protocols::ssh::plugin
PLUGIN: apps::protocols::tcp::plugin
PLUGIN: apps::protocols::telnet::plugin
PLUGIN: apps::protocols::tftp::plugin
PLUGIN: apps::protocols::udp::plugin
PLUGIN: apps::protocols::x509::plugin
[root@pixelabs plugins]#
There is of course only one mode:
[root@pixelabs plugins]# ./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --list-mode
Plugin Description:
Check X509's certificate validity.
Global Options:
--mode Choose a mode.
--dyn-mode
Specify a mode with the path (separated by '::').
--list-mode
List available modes.
--mode-version
Check minimal version of mode. If not, unknown error.
--version
Display plugin version.
--custommode
Choose a custom mode.
--list-custommode
List available custom modes.
--multiple
Multiple custom mode objects (required by some specific modes)
--pass-manager
Use a password manager.
Modes Meta:
multi
Modes Available:
certificate
[root@pixelabs plugins]#
Next, the check can be done over the HTTPS or TCP protocol:
[root@pixelabs plugins]# ./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --list-custommode
Plugin Description:
Check X509's certificate validity.
Global Options:
--mode Choose a mode.
--dyn-mode
Specify a mode with the path (separated by '::').
--list-mode
List available modes.
--mode-version
Check minimal version of mode. If not, unknown error.
--version
Display plugin version.
--custommode
Choose a custom mode.
--list-custommode
List available custom modes.
--multiple
Multiple custom mode objects (required by some specific modes)
--pass-manager
Use a password manager.
Custom Modes Available:
https
tcp
[root@pixelabs plugins]#
For my part, I will use HTTPS.
Display the help page to see the options.
[root@pixelabs plugins]# ./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode=https --help
Plugin Description:
Check X509's certificate validity.
Global Options:
--mode Choose a mode.
--dyn-mode
Specify a mode with the path (separated by '::').
--list-mode
List available modes.
--mode-version
Check minimal version of mode. If not, unknown error.
--version
Display plugin version.
--custommode
Choose a custom mode.
--list-custommode
List available custom modes.
--multiple
Multiple custom mode objects (required by some specific modes)
--pass-manager
Use a password manager.
Output Options:
--verbose
Display long output.
--debug Display also debug messages.
--filter-perfdata
Filter perfdata that match the regexp.
--explode-perfdata-max
Put max perfdata (if it exist) in a specific perfdata (without
values: same with '_max' suffix) (Multiple options)
--change-perfdata --extend-perfdata
Change or extend perfdata. Syntax:
--extend-perfdata=searchlabel,newlabel,target[,[newuom],[min],[m
ax]]
Common examples:
Change storage free perfdata in used:
--change-perfdata=free,used,invert()
Change storage free perfdata in used:
--change-perfdata=used,free,invert()
Scale traffic values automaticaly:
--change-perfdata=traffic,,scale(auto)
Scale traffic values in Mbps:
--change-perfdata=traffic_in,,scale(Mbps),mbps
Change traffic values in percent:
--change-perfdata=traffic_in,,percent()
--extend-perfdata-group
Extend perfdata from multiple perfdatas (methods in target are:
min, max, average, sum) Syntax:
--extend-perfdata-group=searchlabel,newlabel,target[,[newuom],[m
in],[max]]
Common examples:
Sum wrong packets from all interfaces (with interface need
--units-errors=absolute):
--extend-perfdata-group=',packets_wrong,sum(packets_(discard
|error)_(in|out))'
Sum traffic by interface:
--extend-perfdata-group='traffic_in_(.*),traffic_$1,sum(traf
fic_(in|out)_$1)'
--change-short-output
Change short output display.
--change-short-output=pattern~replace~modifier
--range-perfdata
Change perfdata range thresholds display: 1 = start value equals
to '0' is removed, 2 = threshold range is not display.
--filter-uom
Filter UOM that match the regexp.
--opt-exit
Optional exit code for an execution error (i.e. wrong option
provided, SSH connection refused, timeout, etc) (Default:
unknown).
--output-ignore-perfdata
Remove perfdata from output.
--output-ignore-label
Remove label status from output.
--output-xml
Display output in XML format.
--output-json
Display output in JSON format.
--output-openmetrics
Display metrics in OpenMetrics format.
--output-file
Write output in file (can be used with json and xml options)
--disco-format
Display discovery arguments (if the mode manages it).
--disco-show
Display discovery values (if the mode manages it).
--float-precision
Set the float precision for thresholds (Default: 8).
--source-encoding
Set encoding of monitoring sources (In some case. Default:
'UTF-8').
Custom Https Options:
http connection
--hostname
IP Addr/FQDN of the webserver host
--port Port used by Webserver (Default: 443)
--method
Specify http method used (Default: 'GET')
--urlpath
Set path to get webpage (Default: '/')
--timeout
Threshold for HTTP timeout (Default: 5)
--header
Set HTTP headers (Multiple option)
Http Global Options:
--http-peer-addr
Set the address you want to connect (Useful if hostname is only
a vhost. no ip resolve)
--proxyurl
Proxy URL
--proxypac
Proxy pac file (can be an url or local file)
--insecure
Insecure SSL connections.
--http-backend
Set the backend used (Default: 'lwp') For curl:
--http-backend=curl
Backend lwp Options:
--ssl-opt
Set SSL Options (--ssl-opt="SSL_version => TLSv1"
--ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE").
--ssl Set SSL version (--ssl=TLSv1).
Backend Curl Options:
--curl-opt
Set CURL Options (--curl-opt="CURLOPT_SSL_VERIFYPEER => 0"
--curl-opt="CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_1" ).
Mode:
Check X509's certificate validity (for SMTPS, POPS, IMAPS, HTTPS)
--warning-status
Set warning threshold for status. (Default: '%{expiration} <
60'). Can use special variables like: %{expiration}, %{subject},
%{issuer}, %{alt_subjects}.
--critical-status
Set critical threshold for status. (Default: '%{expiration} <
30'). Can use special variables like: %{expiration}, %{subject},
%{issuer}, %{alt_subjects}.
Examples :
Raise a critical alarm if certificate expires in less than 30
days or does not cover alternative name 'my.app.com'
--critical-status='%{expiration} < 30 || %{alt_subjects} !~
/my.app.com/'
[root@pixelabs plugins]#
Check HTTPS Certificate Validity
I check my own blog: pixelabs.fr
[root@pixelabs plugins]# perl centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode=https --hostname=pixelabs.fr --port=443 --warning-status='%{expiration} < 20' --critical-status='%{expiration} < 10' --verbose
OK: Certificate for 'pixelabs.fr' expires in '43' days [2021-05-06T14:53:07Z] - Issuer: '/C=US/O=Let's Encrypt/CN=R3' |
Alternative subject names: mail.pixelabs.fr, pixelabs.fr, www.pixelabs.fr.
[root@pixelabs plugins]#
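As an added example (my code, not the Centreon plugin's), the same check done from a Windows host in PowerShell: it fetches the server certificate, applies the '%{expiration} < 20' warning and '%{expiration} < 10' critical thresholds used above and, optionally, the alt_subjects requirement shown in the plugin help, then returns Nagios exit codes. The -RequiredAltSubject parameter and the SAN parsing are my assumptions; parsing of the SAN extension text assumes Windows PowerShell with an English locale.

```powershell
# Added example: mirror the Centreon x509 plugin's expiration / alt_subjects check.
# Assumed: Windows PowerShell 5.1+ with network access to the target host.
param(
    [string]$Hostname = "pixelabs.fr",   # host used in the article's own check
    [int]$Port = 443,
    [int]$WarningDays = 20,              # --warning-status='%{expiration} < 20'
    [int]$CriticalDays = 10,             # --critical-status='%{expiration} < 10'
    [string]$RequiredAltSubject = ""     # hypothetical: e.g. 'my.app.com'
)

function Get-RemoteCertificate {
    param([string]$TargetHost, [int]$TargetPort)
    $client = [System.Net.Sockets.TcpClient]::new($TargetHost, $TargetPort)
    try {
        # Accept any chain: the goal is to read NotAfter, not to validate trust.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)   # SNI is sent with the hostname
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$cert = Get-RemoteCertificate -TargetHost $Hostname -TargetPort $Port
$notAfterUtc = $cert.NotAfter.ToUniversalTime()
$days = [math]::Floor(($notAfterUtc - (Get-Date).ToUniversalTime()).TotalDays)

# Subject Alternative Names (OID 2.5.29.17), the plugin's %{alt_subjects}
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$altSubjects = @()
if ($sanExt) {
    # Windows formats the extension as "DNS Name=a, DNS Name=b" (English locale assumed)
    $altSubjects = ($sanExt.Format($false) -split ",\s*") -replace "^DNS Name=", ""
}

$exitCode = 0; $label = "OK"
if ($days -lt $CriticalDays)    { $exitCode = 2; $label = "CRITICAL" }
elseif ($days -lt $WarningDays) { $exitCode = 1; $label = "WARNING" }
# Same effect as: --critical-status='... || %{alt_subjects} !~ /my.app.com/'
if ($RequiredAltSubject -and -not ($altSubjects -match [regex]::Escape($RequiredAltSubject))) {
    $exitCode = 2; $label = "CRITICAL"
}

Write-Output ("{0}: Certificate for '{1}' expires in '{2}' days [{3:yyyy-MM-dd'T'HH:mm:ss'Z'}] - Issuer: '{4}'" -f `
    $label, $Hostname, $days, $notAfterUtc, $cert.Issuer)
Write-Output ("Alternative subject names: " + ($altSubjects -join ", "))
exit $exitCode
```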
Don't forget to add the macros: Configuration > Pollers > Resources
- $_SERVICEPLUGIN$
- $_SERVICEMODE$
- $_SERVICECUSTOMCOMMAND$
- $_SERVICEHOST$
- $_SERVICEPORT$
- $_SERVICEWARNING$
- $_SERVICECRITICAL$
- $_SERVICEEXTRAOPTIONS$
Here is the command for Centreon web:
- Configuration > Commands > Checks
- Name: HTTP-Certificat-Validity
- Command:
$USER2$/centreon_plugins.pl --plugin=$_SERVICEPLUGIN$ --mode=$_SERVICEMODE$ --custommode=$_SERVICECUSTOMCOMMAND$ --hostname=$_SERVICEHOST$ --port=$_SERVICEPORT$ --warning-status=$_SERVICEWARNING$ --critical-status=$_SERVICECRITICAL$ $_SERVICEEXTRAOPTIONS$
Quick service example:
All that remains is to set up this service on all your HTTPS websites.
Remember to set up service templates. That way only the HOST changes; everything else stays the same. Get to work!
Installing NSClient++
Always complicated with Windows... installing agents everywhere, etc. Articles about Windows really discourage me, especially when screenshots are needed...
Anyway... let's go.
On your Windows Server, install the NSClient++ agent with the default settings.
Leave Generic and click Next | Choose the installation type: Typical
- Tick the boxes as in the screenshot below.
- Allowed hosts: 192.168.1.30 is the IP address of the Centreon server
- Password: add a password (it can easily be changed later)
- Click Next and leave the rest at the defaults.
Configuring NSClient++
Open the NSClient++ configuration file. By default it is located at: C:\Program Files\NSClient++\nsclient.ini
If you already use NSClient and have your own configuration, simply add these lines under the [/settings/external scripts/scripts] block:
[/settings/external scripts/scripts]
allow arguments = true
allow nasty characters = true
check_ca=cmd /c echo C:\Centreon\check-certificate-expiration.ps1; | powershell.exe -command -
My command is called check_ca and I put the script in C:\Centreon.
If you are using NSClient for the first time, replace the file with mine below:
Note: don't forget to change the IP address on line 12 (and the password):
allowed hosts = 192.168.1.30
# If you want to fill this file with all available options run the following command:
# nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
# nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help

; in flight - TODO
[/settings/default]
password = pixelabs.fr
allowed hosts = 192.168.1.30

[/settings/NRPE/server]
insecure = true
use ssl =
ssl options =
verify mode = false
allow arguments = true
allow nasty characters = true

[/modules]
CheckNSCP = enabled
WEBServer = enabled
CheckSystem = enabled
NSClientServer = enabled
NSCAClient = enabled
NRPEServer = enabled
CheckExternalScripts = enabled
CheckHelpers = enabled
CheckEventLog = enabled
CheckDisk = enabled

[/settings/external scripts/scripts]
allow arguments = true
allow nasty characters = true
check_ca=cmd /c echo C:\Centreon\check-certificate-expiration.ps1; | powershell.exe -command -

[/settings/external scripts/wrapped scripts]
allow arguments = true
allow nasty characters = true

[/settings/external scripts/wrappings]
allow arguments = true
allow nasty characters = true
bat = scripts\\%SCRIPT% %ARGS%
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -

[/settings/external scripts/alias]
allow arguments = true
allow nasty characters = true
alias_cpu=checkCPU warn=95 crit=90 time=5m time=1m time=30s
alias_cpu_ex=checkCPU warn=$ARG1$ crit=$ARG2$ time=5m time=1m time=30s
alias_mem=checkMem MaxWarn=80% MaxCrit=90% ShowAll=long type=physical type=virtual type=paged type=page
alias_up=checkUpTime MinWarn=1d MinWarn=1h
alias_disk=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED
alias_disk_loose=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED ignore-unreadable
alias_volumes=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED
alias_volumes_loose=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED ignore-unreadable
alias_service=checkServiceState CheckAll
alias_service_ex=checkServiceState CheckAll "exclude=Net Driver HPZ12" "exclude=Pml Driver HPZ12" exclude=stisvc
alias_process=checkProcState "$ARG1$=started"
alias_process_stopped=checkProcState "$ARG1$=stopped"
alias_process_count=checkProcState MaxWarnCount=$ARG2$ MaxCritCount=$ARG3$ "$ARG1$=started"
alias_process_hung=checkProcState MaxWarnCount=1 MaxCritCount=1 "$ARG1$=hung"
alias_event_log=CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"
alias_file_size=CheckFiles "filter=size > $ARG2$" "path=$ARG1$" MaxWarn=1 MaxCrit=1 "syntax=%filename% %size%" max-dir-depth=10
alias_file_age=checkFile2 filter=out "file=$ARG1$" filter-written=>1d MaxWarn=1 MaxCrit=1 "syntax=%filename% %write%"
alias_sched_all=CheckTaskSched "filter=exit_code ne 0" "syntax=%title%: %exit_code%" warn=>0
alias_sched_long=CheckTaskSched "filter=status = 'running' AND most_recent_run_time < -$ARG1$" "syntax=%title% (%most_recent_run_time%)" warn=>0
alias_sched_task=CheckTaskSched "filter=title eq '$ARG1$' AND exit_code ne 0" "syntax=%title% (%most_recent_run_time%)" warn=>0
alias_updates=check_updates -warning 0 -critical 0
check_ok=CheckOK Everything is fine!
WARNING: restart the NSClient++ service
After every change to the NSClient configuration file, the service must be restarted.
Windows Certificate Validity Plugin
We will use the NRPE plugin.
[root@pixelabs plugins]# ./centreon_plugins.pl --list-plugin | grep nrpe | grep PLUGIN
PLUGIN: apps::protocols::nrpe::plugin
[root@pixelabs plugins]#
The available modes:
[root@pixelabs plugins]# perl centreon_plugins.pl --plugin=apps::protocols::nrpe::plugin --list-mode
Plugin Description:
Trigger commands against NRPE/NSClient agent.
Global Options:
--mode Choose a mode.
--dyn-mode
Specify a mode with the path (separated by '::').
--list-mode
List available modes.
--mode-version
Check minimal version of mode. If not, unknown error.
--version
Display plugin version.
--custommode
Choose a custom mode.
--list-custommode
List available custom modes.
--multiple
Multiple custom mode objects (required by some specific modes)
--pass-manager
Use a password manager.
Modes Meta:
multi
Modes Available:
query
[root@pixelabs plugins]#
Always remember to display the help to build your command easily:
[root@pixelabs plugins]# perl centreon_plugins.pl --plugin=apps::protocols::nrpe::plugin --mode=query --custommode=nrpe --help
Plugin Description:
Trigger commands against NRPE/NSClient agent.
Global Options:
--mode Choose a mode.
--dyn-mode
Specify a mode with the path (separated by '::').
--list-mode
List available modes.
--mode-version
Check minimal version of mode. If not, unknown error.
--version
Display plugin version.
--custommode
Choose a custom mode.
--list-custommode
List available custom modes.
--multiple
Multiple custom mode objects (required by some specific modes)
--pass-manager
Use a password manager.
Output Options:
--verbose
Display long output.
--debug Display also debug messages.
--filter-perfdata
Filter perfdata that match the regexp.
--explode-perfdata-max
Put max perfdata (if it exist) in a specific perfdata (without
values: same with '_max' suffix) (Multiple options)
--change-perfdata --extend-perfdata
Change or extend perfdata. Syntax:
--extend-perfdata=searchlabel,newlabel,target[,[newuom],[min],[m
ax]]
Common examples:
Change storage free perfdata in used:
--change-perfdata=free,used,invert()
Change storage free perfdata in used:
--change-perfdata=used,free,invert()
Scale traffic values automaticaly:
--change-perfdata=traffic,,scale(auto)
Scale traffic values in Mbps:
--change-perfdata=traffic_in,,scale(Mbps),mbps
Change traffic values in percent:
--change-perfdata=traffic_in,,percent()
--extend-perfdata-group
Extend perfdata from multiple perfdatas (methods in target are:
min, max, average, sum) Syntax:
--extend-perfdata-group=searchlabel,newlabel,target[,[newuom],[m
in],[max]]
Common examples:
Sum wrong packets from all interfaces (with interface need
--units-errors=absolute):
--extend-perfdata-group=',packets_wrong,sum(packets_(discard
|error)_(in|out))'
Sum traffic by interface:
--extend-perfdata-group='traffic_in_(.*),traffic_$1,sum(traf
fic_(in|out)_$1)'
--change-short-output
Change short output display.
--change-short-output=pattern~replace~modifier
--range-perfdata
Change perfdata range thresholds display: 1 = start value equals
to '0' is removed, 2 = threshold range is not display.
--filter-uom
Filter UOM that match the regexp.
--opt-exit
Optional exit code for an execution error (i.e. wrong option
provided, SSH connection refused, timeout, etc) (Default:
unknown).
--output-ignore-perfdata
Remove perfdata from output.
--output-ignore-label
Remove label status from output.
--output-xml
Display output in XML format.
--output-json
Display output in JSON format.
--output-openmetrics
Display metrics in OpenMetrics format.
--output-file
Write output in file (can be used with json and xml options)
--disco-format
Display discovery arguments (if the mode manages it).
--disco-show
Display discovery values (if the mode manages it).
--float-precision
Set the float precision for thresholds (Default: 8).
--source-encoding
Set encoding of monitoring sources (In some case. Default:
'UTF-8').
Custom Mode Options:
NRPE protocol
--hostname
Remote hostname or IP address.
Nrpe Class Options:
--nrpe-version
Version: 2 for NRPE v2 (Default), 3 for NRPE v3.
--nrpe-port
Port (Default: 5666).
--nrpe-payload
Buffer payload (For v2 only) (Default: 1024).
--nrpe-bindaddr
Bind to local address.
--nrpe-use-ipv4
Use IPv4 only
--nrpe-use-ipv6
Use IPv6 only
--nrpe-timeout
Timeout in secondes (Default: 10).
--ssl-opt
Set SSL Options (--ssl-opt="SSL_version => 'TLSv1'"
--ssl-opt="SSL_verify_mode => 0" --ssl-opt="SSL_cipher_list =>
ALL").
Mode:
Trigger commands against NRPE/NSClient agent.
--command
Set command. In nrpe use following command to get server version:
--command='_NRPE_CHECK'
--arg
Set arguments (Multiple option. Example: --arg='arg1' --arg='arg2').
--sanitize-message
Sanitize message by removing heading code and separator from
returned message (ie "OK - ").
[root@pixelabs plugins]#
Check Windows Certificate Validity
Check Windows certificates:
[root@pixelabs plugins]# perl centreon_plugins.pl --plugin=apps::protocols::nrpe::plugin --mode=query --hostname=dc-pixel01.pixelabs.lan --custommode=nrpe --command=check_ca --nrpe-timeout=30 --verbose
EXPIRED CN=PIXELABS, DC=PIXELABS, DC=LAN expired 22/11/2020 10:03:07
EXPIRED CN=*.pixelabs.lan, OU=PIXELABS, O=PIXEL, L=TOULOUSE, S=HAUTE-GARONNE, C=FR expired 22/11/2020 10:03:07
[root@pixelabs plugins]#
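The script the article links (check-certificate-expiration.ps1) is not reproduced here. As an added example in the same spirit (my code, not the exchange.nagios.org script), this check_ca-style PowerShell script walks the LocalMachine Root, CA and My stores and prints one line per expired or soon-to-expire certificate in the format seen above, returning a Nagios exit code. The store list and the 30/7-day thresholds are my own choices.

```powershell
# Added example: a check_ca-style Windows certificate-store expiry check for NSClient++.
# Assumed: launched by NSClient++ (as in the article's check_ca command), so the
# exit code becomes the NRPE state: 0 OK, 1 WARNING, 2 CRITICAL.
param(
    [string[]]$Stores = @("Cert:\LocalMachine\Root", "Cert:\LocalMachine\CA", "Cert:\LocalMachine\My"),
    [int]$WarningDays = 30,   # my threshold, not the linked script's
    [int]$CriticalDays = 7    # my threshold, not the linked script's
)

$now = Get-Date
$state = 0
$lines = New-Object System.Collections.Generic.List[string]

foreach ($store in $Stores) {
    if (-not (Test-Path $store)) { continue }   # store absent on this host
    foreach ($cert in Get-ChildItem -Path $store) {
        $days = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        if ($cert.NotAfter -lt $now) {
            # Same one-line format as the article's sample output
            $state = 2
            $lines.Add(("EXPIRED {0} expired {1:dd/MM/yyyy HH:mm:ss}" -f $cert.Subject, $cert.NotAfter))
        } elseif ($days -lt $CriticalDays) {
            $state = 2
            $lines.Add(("CRITICAL {0} expires in {1} days ({2:dd/MM/yyyy})" -f $cert.Subject, $days, $cert.NotAfter))
        } elseif ($days -lt $WarningDays) {
            if ($state -lt 1) { $state = 1 }   # never downgrade a CRITICAL already found
            $lines.Add(("WARNING {0} expires in {1} days ({2:dd/MM/yyyy})" -f $cert.Subject, $days, $cert.NotAfter))
        }
    }
}

if ($lines.Count -eq 0) {
    Write-Output "OK: no certificate expires within $WarningDays days in $($Stores -join ', ')"
} else {
    $lines | ForEach-Object { Write-Output $_ }
}
exit $state
```

Run it once locally with powershell.exe before wiring it into nsclient.ini, so that a script error (exit code other than 0, 1 or 2) is not mistaken for a certificate problem on the Centreon side.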
If you use this plugin for the first time, you will (probably) get these errors:
- Can’t locate Convert/Binary/C.pm in @INC (@INC contains: /usr/lib/centreon/plugins …..
- Can’t locate Digest/CRC.pm in @INC (@INC contains: /usr/lib/centreon/plugins ….
- Can’t locate IO/Socket/INET6.pm in @INC (@INC contains: /usr/lib/centreon/plugins ….
- Can’t locate Socket6.pm in @INC (@INC contains: /usr/lib/centreon/plugins ….
Solution: install the following Perl modules:
[root@centreon plugins]# cpan -i Convert::Binary::C
[root@centreon plugins]# cpan -i Digest::CRC
[root@centreon plugins]# cpan -i IO::Socket::INET6
[root@centreon plugins]# cpan -i Socket6
Don't forget to add the macros: Configuration > Pollers > Resources
- $_SERVICEPLUGIN$
- $_SERVICEMODE$
- $_SERVICESUBCOMMAND$
- $_SERVICECOMMAND$
- $_SERVICETIMEOUT$
- $_SERVICEEXTRAOPTIONS$
Here is the command for Centreon web:
- Configuration > Commands > Checks
- Name: NRPE-Protocol
- Command (the last macro matches the $_SERVICEEXTRAOPTIONS$ macro listed above):
$USER2$/centreon_plugins.pl --plugin=$_SERVICEPLUGIN$ --mode=$_SERVICEMODE$ --hostname=$HOSTADDRESS$ --custommode=$_SERVICESUBCOMMAND$ --command=$_SERVICECOMMAND$ --nrpe-timeout=$_SERVICETIMEOUT$ $_SERVICEEXTRAOPTIONS$
Service example:
Note: you can reuse this command for other hosts. Only the COMMAND field changes, according to the command names in your nsclient.ini file.
That's it. Have fun.
Have a good day and see you soon.
Hello,
I work with the web version of Centreon (21.10, plugin pack 100); I just retrieved the PowerShell script like you did.
Here is the configuration added to my nsclient.ini:
It lets me keep the PowerShell file in the NRPE scripts folder, and above all adding $ARG1$ gives control over the PowerShell script's arguments from Centreon; the Centreon command then becomes this:
I duplicated an nrpe-network command to create it; you then only need to change the part starting from the "-c"
The command line indeed remains the best way to test the parameters:
Hello Julien,
Perfect, thanks for the feedback.
There are indeed several ways to do it.
Have a good day.