Manual Zabbix template steps
Use this file only if your Zabbix version or import policy rejects the YAML export.
Template
- Go to Data collection -> Templates.
- Create the template Template SSL Checker Relaxed.
- Set the group to Templates/Custom.
- Add macros:
  {$SSL_CONFIG}=/etc/zabbix/ssl_targets.json
  {$SSL_CHECK_TIMEOUT}=10
Discovery rule
Create a discovery rule:
- Name: SSL target discovery
- Type: External check
- Key: ssl_discovery.py["--config","{$SSL_CONFIG}"]
- Update interval: 1h
The discovery output contains the LLD macros directly in the data object:
  {#SSL_NAME}
  {#SSL_HOST}
  {#SSL_PORT}
  {#SSL_OWNER}
  {#SSL_PROFILE}
Master item prototype
Under the discovery rule, create an item prototype:
- Name: SSL raw check [{#SSL_NAME}]
- Type: External check
- Key: ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]
- Type of information: Text
- Update interval: 15m
- History: 7d
- Trends: 0
Dependent item prototypes
Create dependent item prototypes with the master item above as the source. Use JSONPath preprocessing per field, for example:
- ssl.reachable[{#SSL_HOST},{#SSL_PORT}] -> $.reachable -> JavaScript return value === true || value === "true" ? 1 : 0;
- ssl.days_left[{#SSL_HOST},{#SSL_PORT}] -> $.days_left
- ssl.valid_now[{#SSL_HOST},{#SSL_PORT}] -> $.valid_now -> boolean JavaScript
- ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}] -> $.hostname_match -> boolean JavaScript
- ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}] -> $.chain_valid -> boolean JavaScript
- ssl.self_signed[{#SSL_HOST},{#SSL_PORT}] -> $.self_signed -> boolean JavaScript
- ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}] -> $.not_yet_valid -> boolean JavaScript
- ssl.expired[{#SSL_HOST},{#SSL_PORT}] -> $.expired -> boolean JavaScript
- ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}] -> $.issuer_org
- ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}] -> $.issuer_cn
- ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}] -> $.subject_cn
- ssl.san_names[{#SSL_HOST},{#SSL_PORT}] -> $.san_names
- ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}] -> $.fingerprint_sha256
- ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}] -> $.expected_issuer_match -> boolean JavaScript
- ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}] -> $.tls_version_negotiated
- ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}] -> $.tls10_supported -> boolean JavaScript
- ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}] -> $.tls11_supported -> boolean JavaScript
- ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}] -> $.tls12_supported -> boolean JavaScript
- ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}] -> $.tls13_supported -> boolean JavaScript
- ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}] -> $.http_reachable -> boolean JavaScript
- ssl.http_status[{#SSL_HOST},{#SSL_PORT}] -> $.http_status
- ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}] -> $.http_status_expected -> boolean JavaScript
- ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}] -> $.http_response_time_ms
- ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}] -> $.http_hsts -> boolean JavaScript
- ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}] -> $.http_security_headers_score
- ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}] -> $.http_server_header
- ssl.error[{#SSL_HOST},{#SSL_PORT}] -> $.error
Triggers
Create trigger prototypes on the dependent item prototypes:
- SSL target unreachable: reachable = 0, Warning
- SSL expires within 30 days: days_left < 30 and >= 14, Information
- SSL expires within 14 days: days_left < 14 and >= 7, Warning
- SSL expires within 7 days: days_left < 7 and >= 2, Average
- SSL expires within 2 days: days_left < 2, High
- SSL hostname mismatch: hostname_match = 0, High
- SSL chain invalid: chain_valid = 0, Average
- SSL is self-signed: self_signed = 1, Warning
- SSL not yet valid: not_yet_valid = 1, High
- TLS 1.0 supported: tls10_supported = 1, Warning
- TLS 1.1 supported: tls11_supported = 1, Warning
- HTTP status not expected: http_status_expected = 0, Warning
- HSTS missing: http_hsts = 0, Information
- HTTP security headers score low: score < 2, Information
Text-item change triggers for issuer/fingerprint are deliberately not included, because importability can differ per Zabbix 7.x minor release.
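The boolean preprocessing step and the trigger bands listed above can be checked offline before the prototypes are built by hand. This is an added example, not part of the template or its scripts: the sample master item value is constructed (field names taken from the JSONPaths above), and the function names are hypothetical.

```javascript
// Added example: local model of the boolean preprocessing step and the
// trigger list above. The sample master item value below is constructed.
const sampleRaw = JSON.stringify({
  reachable: true, days_left: 13, hostname_match: true, chain_valid: false,
  self_signed: false, not_yet_valid: false, tls10_supported: true,
  tls11_supported: false, http_status_expected: true, http_hsts: false,
  http_security_headers_score: 1
});

// Boolean step from the page. Zabbix hands `value` to preprocessing
// JavaScript as a string, so "true" is the branch that matches there.
function toZabbixBool(value) {
  return value === true || value === "true" ? 1 : 0;
}

// Expiry ladder as half-open bands: at most one trigger per days_left value.
function expiryTrigger(daysLeft) {
  if (typeof daysLeft !== "number" || Number.isNaN(daysLeft)) return null;
  if (daysLeft < 2) return "SSL expires within 2 days (High)";
  if (daysLeft < 7) return "SSL expires within 7 days (Average)";
  if (daysLeft < 14) return "SSL expires within 14 days (Warning)";
  if (daysLeft < 30) return "SSL expires within 30 days (Information)";
  return null;
}

// Apply every trigger prototype from the list to one master item value.
// In this model a missing key becomes the text "undefined" and maps to 0.
function firedTriggers(raw) {
  const d = JSON.parse(raw);
  const bit = (key) => toZabbixBool(String(d[key])); // JSONPath result as text
  const rules = [
    [bit("reachable") === 0, "SSL target unreachable (Warning)"],
    [bit("hostname_match") === 0, "SSL hostname mismatch (High)"],
    [bit("chain_valid") === 0, "SSL chain invalid (Average)"],
    [bit("self_signed") === 1, "SSL is self-signed (Warning)"],
    [bit("not_yet_valid") === 1, "SSL not yet valid (High)"],
    [bit("tls10_supported") === 1, "TLS 1.0 supported (Warning)"],
    [bit("tls11_supported") === 1, "TLS 1.1 supported (Warning)"],
    [bit("http_status_expected") === 0, "HTTP status not expected (Warning)"],
    [bit("http_hsts") === 0, "HSTS missing (Information)"],
    [d.http_security_headers_score < 2, "HTTP security headers score low (Information)"],
  ];
  const fired = rules.filter(([hit]) => hit).map(([, name]) => name);
  const expiry = expiryTrigger(d.days_left);
  return expiry ? fired.concat(expiry) : fired;
}

console.log(firedTriggers(sampleRaw));
```

The boundary values are the part worth checking: 14 days still falls in the Information band, 7 in Warning, 2 in Average, and an already expired certificate (negative days_left) lands in High.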