# Handmatige Zabbix-template stappen Gebruik dit bestand alleen als je Zabbix-versie of importpolicy de YAML-export weigert. ## Template 1. Ga naar **Data collection -> Templates**. 2. Maak template **Template SSL Checker Relaxed**. 3. Zet de groep op **Templates/Custom**. 4. Voeg macros toe: - `{$SSL_CONFIG}` = `/etc/zabbix/ssl_targets.json` - `{$SSL_CHECK_TIMEOUT}` = `10` ## Discovery rule Maak een discovery rule: - Name: `SSL target discovery` - Type: `External check` - Key: `ssl_discovery.py["--config","{$SSL_CONFIG}"]` - Update interval: `1h` De discovery output bevat de LLD macros direct in het `data` object: - `{#SSL_NAME}` - `{#SSL_HOST}` - `{#SSL_PORT}` - `{#SSL_OWNER}` - `{#SSL_PROFILE}` ## Master item prototype Maak onder de discovery rule een item prototype: - Name: `SSL raw check [{#SSL_NAME}]` - Type: `External check` - Key: `ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]` - Type of information: `Text` - Update interval: `15m` - History: `7d` - Trends: `0` ## Dependent item prototypes Maak dependent item prototypes met het master item hierboven als bron. Gebruik JSONPath preprocessing per veld, bijvoorbeeld: - `ssl.reachable[{#SSL_HOST},{#SSL_PORT}]` -> `$.reachable` -> JavaScript `return value === true || value === "true" ? 1 : 0;` - `ssl.days_left[{#SSL_HOST},{#SSL_PORT}]` -> `$.days_left` - `ssl.valid_now[{#SSL_HOST},{#SSL_PORT}]` -> `$.valid_now` -> boolean JavaScript - `ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}]` -> `$.hostname_match` -> boolean JavaScript - `ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}]` -> `$.chain_valid` -> boolean JavaScript - `ssl.self_signed[{#SSL_HOST},{#SSL_PORT}]` -> `$.self_signed` -> boolean JavaScript - `ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}]` -> `$.not_yet_valid` -> boolean JavaScript - `ssl.expired[{#SSL_HOST},{#SSL_PORT}]` -> `$.expired` -> boolean JavaScript - `ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}]` -> `$.issuer_org` - `ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}]` -> `$.issuer_cn` - `ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}]` -> `$.subject_cn` - `ssl.san_names[{#SSL_HOST},{#SSL_PORT}]` -> `$.san_names` - `ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}]` -> `$.fingerprint_sha256` - `ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}]` -> `$.expected_issuer_match` -> boolean JavaScript - `ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls_version_negotiated` - `ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls10_supported` -> boolean JavaScript - `ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls11_supported` -> boolean JavaScript - `ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls12_supported` -> boolean JavaScript - `ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls13_supported` -> boolean JavaScript - `ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_reachable` -> boolean JavaScript - `ssl.http_status[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_status` - `ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_status_expected` -> boolean JavaScript - `ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_response_time_ms` - `ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_hsts` -> boolean JavaScript - `ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_security_headers_score` - `ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_server_header` - `ssl.error[{#SSL_HOST},{#SSL_PORT}]` -> `$.error` ## Triggers Maak trigger prototypes op de dependent item prototypes: - SSL target unreachable: reachable = 0, Warning - SSL expires within 30 days: days_left < 30 and >= 14, Information - SSL expires within 14 days: days_left < 14 and >= 7, Warning - SSL expires within 7 days: days_left < 7 and >= 2, Average - SSL expires within 2 days: days_left < 2, High - SSL hostname mismatch: hostname_match = 0, High - SSL chain invalid: chain_valid = 0, Average - SSL is self-signed: self_signed = 1, Warning - SSL not yet valid: not_yet_valid = 1, High - TLS 1.0 supported: tls10_supported = 1, Warning - TLS 1.1 supported: tls11_supported = 1, Warning - HTTP status not expected: http_status_expected = 0, Warning - HSTS missing: http_hsts = 0, Information - HTTP security headers score low: score < 2, Information Text-item change triggers voor issuer/fingerprint zijn bewust niet opgenomen, omdat importeerbaarheid per Zabbix 7.x minor release kan verschillen.