# Manual Zabbix template steps

Use this file only if your Zabbix version or import policy rejects the YAML export.

## Template

1. Go to **Data collection -> Templates**.
2. Create the template **Template SSL Checker Relaxed**.
3. Set the group to **Templates/Custom**.
4. Add macros:
   - `{$SSL_CONFIG}` = `/etc/zabbix/ssl_targets.json`
   - `{$SSL_CHECK_TIMEOUT}` = `10`

## Discovery rule

Create a discovery rule:
- Name: `SSL target discovery`
- Type: `External check`
- Key: `ssl_discovery.py["--config","{$SSL_CONFIG}"]`
- Update interval: `1h`

The discovery output contains the LLD macros directly in the `data` object:
- `{#SSL_NAME}`
- `{#SSL_HOST}`
- `{#SSL_PORT}`
- `{#SSL_OWNER}`
- `{#SSL_PROFILE}`

## Master item prototype

Create an item prototype under the discovery rule:
- Name: `SSL raw check [{#SSL_NAME}]`
- Type: `External check`
- Key: `ssl_check.py["--config","{$SSL_CONFIG}","--host","{#SSL_HOST}","--port","{#SSL_PORT}"]`
- Type of information: `Text`
- Update interval: `15m`
- History: `7d`
- Trends: `0`

## Dependent item prototypes

Create dependent item prototypes with the master item above as the source. Use JSONPath preprocessing per field, for example:
- `ssl.reachable[{#SSL_HOST},{#SSL_PORT}]` -> `$.reachable` -> JavaScript `return value === true || value === "true" ? 1 : 0;`
- `ssl.days_left[{#SSL_HOST},{#SSL_PORT}]` -> `$.days_left`
- `ssl.valid_now[{#SSL_HOST},{#SSL_PORT}]` -> `$.valid_now` -> boolean JavaScript
- `ssl.hostname_match[{#SSL_HOST},{#SSL_PORT}]` -> `$.hostname_match` -> boolean JavaScript
- `ssl.chain_valid[{#SSL_HOST},{#SSL_PORT}]` -> `$.chain_valid` -> boolean JavaScript
- `ssl.self_signed[{#SSL_HOST},{#SSL_PORT}]` -> `$.self_signed` -> boolean JavaScript
- `ssl.not_yet_valid[{#SSL_HOST},{#SSL_PORT}]` -> `$.not_yet_valid` -> boolean JavaScript
- `ssl.expired[{#SSL_HOST},{#SSL_PORT}]` -> `$.expired` -> boolean JavaScript
- `ssl.issuer_org[{#SSL_HOST},{#SSL_PORT}]` -> `$.issuer_org`
- `ssl.issuer_cn[{#SSL_HOST},{#SSL_PORT}]` -> `$.issuer_cn`
- `ssl.subject_cn[{#SSL_HOST},{#SSL_PORT}]` -> `$.subject_cn`
- `ssl.san_names[{#SSL_HOST},{#SSL_PORT}]` -> `$.san_names`
- `ssl.fingerprint_sha256[{#SSL_HOST},{#SSL_PORT}]` -> `$.fingerprint_sha256`
- `ssl.expected_issuer_match[{#SSL_HOST},{#SSL_PORT}]` -> `$.expected_issuer_match` -> boolean JavaScript
- `ssl.tls_version_negotiated[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls_version_negotiated`
- `ssl.tls10_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls10_supported` -> boolean JavaScript
- `ssl.tls11_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls11_supported` -> boolean JavaScript
- `ssl.tls12_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls12_supported` -> boolean JavaScript
- `ssl.tls13_supported[{#SSL_HOST},{#SSL_PORT}]` -> `$.tls13_supported` -> boolean JavaScript
- `ssl.http_reachable[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_reachable` -> boolean JavaScript
- `ssl.http_status[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_status`
- `ssl.http_status_expected[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_status_expected` -> boolean JavaScript
- `ssl.http_response_time_ms[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_response_time_ms`
- `ssl.http_hsts[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_hsts` -> boolean JavaScript
- `ssl.http_security_headers_score[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_security_headers_score`
- `ssl.http_server_header[{#SSL_HOST},{#SSL_PORT}]` -> `$.http_server_header`
- `ssl.error[{#SSL_HOST},{#SSL_PORT}]` -> `$.error`

## Triggers

Create trigger prototypes on the dependent item prototypes:
- SSL target unreachable: reachable = 0, Warning
- SSL expires within 30 days: days_left < 30 and >= 14, Information
- SSL expires within 14 days: days_left < 14 and >= 7, Warning
- SSL expires within 7 days: days_left < 7 and >= 2, Average
- SSL expires within 2 days: days_left < 2, High
- SSL hostname mismatch: hostname_match = 0, High
- SSL chain invalid: chain_valid = 0, Average
- SSL is self-signed: self_signed = 1, Warning
- SSL not yet valid: not_yet_valid = 1, High
- TLS 1.0 supported: tls10_supported = 1, Warning
- TLS 1.1 supported: tls11_supported = 1, Warning
- HTTP status not expected: http_status_expected = 0, Warning
- HSTS missing: http_hsts = 0, Information
- HTTP security headers score low: score < 2, Information

Text-item change triggers for issuer/fingerprint are deliberately not included, because importability can differ per Zabbix 7.x minor release.
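
The trigger list can be checked offline before it is clicked into the frontend. The following is an added example, not part of the project's own code: it applies the page's boolean step and trigger conditions to a raw check result. The name `firedTriggers`, the sample JSON values and the handling of `null` fields are assumptions of this sketch.

```javascript
// Boolean step from the page; after JSONPath the value may arrive as text.
function toBool(value) {
  return value === true || value === "true" ? 1 : 0;
}

// Fields that receive the boolean step (the ones the trigger list uses).
const BOOL_FIELDS = new Set(["reachable", "hostname_match", "chain_valid",
  "self_signed", "not_yet_valid", "tls10_supported", "tls11_supported",
  "http_status_expected", "http_hsts"]);

// Trigger prototypes from the Triggers section: [name, field, condition, severity].
const TRIGGERS = [
  ["SSL target unreachable", "reachable", v => v === 0, "Warning"],
  ["SSL expires within 30 days", "days_left", v => v < 30 && v >= 14, "Information"],
  ["SSL expires within 14 days", "days_left", v => v < 14 && v >= 7, "Warning"],
  ["SSL expires within 7 days", "days_left", v => v < 7 && v >= 2, "Average"],
  ["SSL expires within 2 days", "days_left", v => v < 2, "High"],
  ["SSL hostname mismatch", "hostname_match", v => v === 0, "High"],
  ["SSL chain invalid", "chain_valid", v => v === 0, "Average"],
  ["SSL is self-signed", "self_signed", v => v === 1, "Warning"],
  ["SSL not yet valid", "not_yet_valid", v => v === 1, "High"],
  ["TLS 1.0 supported", "tls10_supported", v => v === 1, "Warning"],
  ["TLS 1.1 supported", "tls11_supported", v => v === 1, "Warning"],
  ["HTTP status not expected", "http_status_expected", v => v === 0, "Warning"],
  ["HSTS missing", "http_hsts", v => v === 0, "Information"],
  ["HTTP security headers score low", "http_security_headers_score", v => v < 2, "Information"],
];

// Returns "name (severity)" for every trigger that would fire on one raw check result.
function firedTriggers(rawJson) {
  const doc = JSON.parse(rawJson);
  const items = {};
  for (const [field, value] of Object.entries(doc)) {
    // A null field gives no item value; without this guard `null < 2` is true in
    // JavaScript and an unreachable host would also look like an expiring certificate.
    if (value === null) continue;
    items[field] = BOOL_FIELDS.has(field) ? toBool(value) : value;
  }
  return TRIGGERS
    .filter(([, field, cond]) => field in items && cond(items[field]))
    .map(([name, , , severity]) => `${name} (${severity})`);
}

// Constructed sample outputs; the real ssl_check.py output may contain other fields.
const SAMPLE_OK = JSON.stringify({ reachable: true, days_left: 9, hostname_match: true,
  chain_valid: false, self_signed: false, not_yet_valid: false, tls10_supported: true,
  tls11_supported: false, http_status_expected: true, http_hsts: false,
  http_security_headers_score: 3 });
const SAMPLE_DOWN = JSON.stringify({ reachable: false, days_left: null, error: "timeout" });
console.log(firedTriggers(SAMPLE_OK), firedTriggers(SAMPLE_DOWN));
```

The four expiry bands are mutually exclusive, so a certificate raises at most one expiry trigger at a time; the severity rises as `days_left` drops.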