zabbix-ssl-checker/zabbix/MANUAL_TEMPLATE_STEPS.md
2026-05-21 19:20:49 +02:00


Manual Zabbix template steps

Use this file only if your Zabbix version or import policy rejects the YAML export.

Template

  1. Go to Data collection -> Templates.
  2. Create the template Template SSL Checker Relaxed.
  3. Set the group to Templates/Custom.
  4. Add macros:
    • {$SSL_CONFIG} = /etc/zabbix/ssl_targets.json
    • {$SSL_CHECK_TIMEOUT} = 10

Discovery rule

Create a discovery rule:

  • Name: SSL target discovery
  • Type: External check
  • Key: ssl_discovery.py["--config","{$SSL_CONFIG}"]
  • Update interval: 1h

The discovery output contains the LLD macros directly in the data object:

  • {#SSL_NAME}
  • {#SSL_HOST}
  • {#SSL_PORT}
  • {#SSL_OWNER}
  • {#SSL_PROFILE}

Master item prototype

Create an item prototype under the discovery rule:

  • Name: SSL raw check [{#SSL_NAME}]
  • Type: External check
  • Key: ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]
  • Type of information: Text
  • Update interval: 15m
  • History: 7d
  • Trends: 0

Dependent item prototypes

Create dependent item prototypes with the master item above as the source. Use JSONPath preprocessing per field, for example:

  • ssl.reachable[{#SSL_HOST},{#SSL_PORT}] -> $.reachable -> JavaScript return value === true || value === "true" ? 1 : 0;
  • ssl.days_left[{#SSL_HOST},{#SSL_PORT}] -> $.days_left
  • ssl.valid_now[{#SSL_HOST},{#SSL_PORT}] -> $.valid_now -> boolean JavaScript
  • ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}] -> $.hostname_match -> boolean JavaScript
  • ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}] -> $.chain_valid -> boolean JavaScript
  • ssl.self_signed[{#SSL_HOST},{#SSL_PORT}] -> $.self_signed -> boolean JavaScript
  • ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}] -> $.not_yet_valid -> boolean JavaScript
  • ssl.expired[{#SSL_HOST},{#SSL_PORT}] -> $.expired -> boolean JavaScript
  • ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}] -> $.issuer_org
  • ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}] -> $.issuer_cn
  • ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}] -> $.subject_cn
  • ssl.san_names[{#SSL_HOST},{#SSL_PORT}] -> $.san_names
  • ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}] -> $.fingerprint_sha256
  • ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}] -> $.expected_issuer_match -> boolean JavaScript
  • ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}] -> $.tls_version_negotiated
  • ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}] -> $.tls10_supported -> boolean JavaScript
  • ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}] -> $.tls11_supported -> boolean JavaScript
  • ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}] -> $.tls12_supported -> boolean JavaScript
  • ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}] -> $.tls13_supported -> boolean JavaScript
  • ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}] -> $.http_reachable -> boolean JavaScript
  • ssl.http_status[{#SSL_HOST},{#SSL_PORT}] -> $.http_status
  • ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}] -> $.http_status_expected -> boolean JavaScript
  • ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}] -> $.http_response_time_ms
  • ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}] -> $.http_hsts -> boolean JavaScript
  • ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}] -> $.http_security_headers_score
  • ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}] -> $.http_server_header
  • ssl.error[{#SSL_HOST},{#SSL_PORT}] -> $.error

Triggers

Create trigger prototypes on the dependent item prototypes:

  • SSL target unreachable: reachable = 0, Warning
  • SSL expires within 30 days: days_left < 30 and >= 14, Information
  • SSL expires within 14 days: days_left < 14 and >= 7, Warning
  • SSL expires within 7 days: days_left < 7 and >= 2, Average
  • SSL expires within 2 days: days_left < 2, High
  • SSL hostname mismatch: hostname_match = 0, High
  • SSL chain invalid: chain_valid = 0, Average
  • SSL is self-signed: self_signed = 1, Warning
  • SSL not yet valid: not_yet_valid = 1, High
  • TLS 1.0 supported: tls10_supported = 1, Warning
  • TLS 1.1 supported: tls11_supported = 1, Warning
  • HTTP status not expected: http_status_expected = 0, Warning
  • HSTS missing: http_hsts = 0, Information
  • HTTP security headers score low: score < 2, Information

Text-item change triggers for issuer/fingerprint are deliberately not included, because importability can differ per Zabbix 7.x minor release.
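
To check the preprocessing and trigger logic before clicking it together in the UI, the following added example (not part of this repository) runs the boolean JavaScript step and the trigger conditions listed above over a constructed sample of the master item JSON. The names rawSample, jsonPath, expiryTrigger, BOOL_TRIGGERS and firedTriggers are hypothetical, and the sample fields are an assumption about what ssl_check.py returns.

```javascript
// Added example, not part of the project. rawSample is a constructed stand-in
// for the ssl_check.py master item text; the real output may contain other fields.
const rawSample = JSON.stringify({
  reachable: "true", // boolean delivered as a string
  days_left: 9,
  hostname_match: true,
  chain_valid: false,
  self_signed: null, // unknown value
});

// The page's boolean JavaScript step, wrapped in a function for testing.
// Only true and "true" map to 1; null, "false", 1 and "1" all map to 0.
function toZabbixBool(value) {
  return value === true || value === "true" ? 1 : 0;
}

// Hypothetical stand-in for the "$.field" JSONPath step on the master item.
function jsonPath(raw, field) {
  const doc = JSON.parse(raw);
  if (!(field in doc)) throw new Error("no data matches $." + field);
  return doc[field];
}

// Expiry bands from the Triggers list; they do not overlap, so one fires at most.
function expiryTrigger(daysLeft) {
  if (daysLeft < 2) return "High: SSL expires within 2 days";
  if (daysLeft < 7) return "Average: SSL expires within 7 days";
  if (daysLeft < 14) return "Warning: SSL expires within 14 days";
  if (daysLeft < 30) return "Information: SSL expires within 30 days";
  return null;
}

// [trigger name, JSON field, value that fires the trigger, severity]
const BOOL_TRIGGERS = [
  ["SSL target unreachable", "reachable", 0, "Warning"],
  ["SSL hostname mismatch", "hostname_match", 0, "High"],
  ["SSL chain invalid", "chain_valid", 0, "Average"],
  ["SSL is self-signed", "self_signed", 1, "Warning"],
];

function firedTriggers(raw) {
  const fired = BOOL_TRIGGERS
    .filter(([, field, bad]) => toZabbixBool(jsonPath(raw, field)) === bad)
    .map(([name, , , severity]) => `${severity}: ${name}`);
  const expiry = expiryTrigger(jsonPath(raw, "days_left"));
  return expiry ? fired.concat(expiry) : fired;
}

console.log(firedTriggers(rawSample));
```

Because the expression maps every value other than true or "true" to 0, a field the check could not determine looks the same as a failed check to the "= 0" triggers.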