ICINGA Certificate Monitoring with Director - Add the service checks to existing hosts

Good morning,

I have the certificate monitoring addon already in place and it's scanning the certificates in our network. Now I would like to add the hosts and service checks to my regular monitoring. The documentation is not quite clear to me, so I have to ask:

Do I really need to import the hosts from the x509 check? I would really like not to add new hosts and to have the x509 service checks on my existing hosts and hosts template.

If I can do so, how? Thanks.

The import source in Icinga Director only helps you to automate this.
The Host import source tells you which hosts got fetched,
like this:

host_name_or_ip, host_address, host_address6, host_ip, host_name, host_ports

The Service import source tells you which hosts got which certificates:

host_name_ip_and_port, cert_dn, cert_fingerprint, cert_issuer, cert_self_signed, cert_subject, cert_subject_alt_name, cert_trusted, cert_valid_from, cert_valid_to, host_address, host_address6, host_ip, host_name, host_port

You can choose in a sync rule how you want the certificate checks created.
But start with the two import rules and review your data.

You can always add the service manually or with any other automation and set these variables in the x509 command:

| Name | Description |
| --- | --- |
| icingacli_x509_ip | Required. A host's IP address [or] |
| icingacli_x509_host | Required. A host's name |
| icingacli_x509_port | Optional. The port to check in particular |
| icingacli_x509_warning | Optional. Less remaining time results in state WARNING (Default: 25%) |
| icingacli_x509_critical | Optional. Less remaining time results in state CRITICAL (Default: 10%) |
| icingacli_x509_allow_self_signed | Optional. Ignore if a certificate or its issuer has been self-signed (Default: false) |

I had the same problem and fixed it by using an additional import to get all hosts from the director and use them to filter in the x509 import.

Below is the basket “Director-Basket_x509_automation_85cc5b4.json”. Search for FIXME: and example.com and adapt them to your installation.

{
    "ServiceTemplate": {
        "116-tpl-service-x509": {
            "check_command": "icingacli-x509",
            "command_endpoint": "FIXME:icingaweb2.example.com",
            "enable_notifications": false,
            "fields": [],
            "imports": [
                "FIXME:tpl-service-generic"
            ],
            "object_name": "116-tpl-service-x509",
            "object_type": "template",
            "use_agent": true,
            "uuid": "8947920c-87ee-4560-844b-6842958c2ce7",
            "vars": {
                "icingacli_x509_critical": "3d",
                "icingacli_x509_warning": "7d"
            }
        }
    },
    "ImportSource": {
        "Director Hosts": {
            "key_column": "object_name",
            "modifiers": [
                {
                    "priority": "1",
                    "property_name": "object_name",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRejectOrSelect",
                    "settings": {
                        "filter_method": "regex",
                        "filter_string": "/.*example.com$|.*example2.com$/",
                        "policy": "keep"
                    }
                },
                {
                    "priority": "2",
                    "property_name": "object_name",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRegexReplace",
                    "settings": {
                        "pattern": "/^([^.]+).*/",
                        "replacement": "$1",
                        "when_not_matched": "keep"
                    },
                    "target_property": "short_name"
                }
            ],
            "provider_class": "Icinga\\Module\\Director\\Import\\ImportSourceDirectorObject",
            "settings": {
                "object_class": "host",
                "object_type": "",
                "resolved": "n",
                "resource": "icinga_director"
            },
            "source_name": "Director Hosts"
        },
        "x509 Services only if host in director": {
            "key_column": "host_name_ip_and_port",
            "modifiers": [
                {
                    "priority": "1",
                    "property_name": "host_name_ip_and_port",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierSkipDuplicates",
                    "settings": {}
                },
                {
                    "description": "only if it is a host name and not an IP address",
                    "priority": "2",
                    "property_name": "host_name",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRejectOrSelect",
                    "settings": {
                        "filter_method": "regex",
                        "filter_string": "/(\\b25[0-5]|\\b2[0-4][0-9]|\\b[01]?[0-9][0-9]?)(\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}/",
                        "policy": "reject"
                    }
                },
                {
                    "description": "create a nicer name for the service object",
                    "priority": "4",
                    "property_name": "host_name_ip_and_port",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRegexReplace",
                    "settings": {
                        "pattern": "/^(.*)$/",
                        "replacement": "x509 - $1"
                    },
                    "target_property": "service_name"
                },
                {
                    "description": "Black List Ports",
                    "priority": "7",
                    "property_name": "host_port",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRejectOrSelect",
                    "settings": {
                        "filter_method": "regex",
                        "filter_string": "/3389|5986/",
                        "policy": "reject"
                    }
                },
                {
                    "priority": "8",
                    "property_name": "host_ip",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierGetHostByAddr",
                    "settings": {
                        "on_failure": "null"
                    },
                    "target_property": "host_name_reverse"
                },
                {
                    "priority": "9",
                    "property_name": "arpa",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierDnsRecords",
                    "settings": {
                        "on_failure": "null",
                        "record_type": "PTR"
                    },
                    "target_property": "host_name_ptr"
                },
                {
                    "priority": "10",
                    "property_name": "host_ip",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRegexReplace",
                    "settings": {
                        "pattern": "/^([0-9]+)\\.([0-9]+)\\.([0-9]+)\\.([0-9]+)$/",
                        "replacement": "$4.$3.$2.$1.in-addr.arpa."
                    },
                    "target_property": "arpa"
                },
                {
                    "priority": "11",
                    "property_name": "host_name",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierGetPropertyFromOtherImportSource",
                    "settings": {
                        "foreign_property": "object_name",
                        "import_source": "Director Hosts"
                    },
                    "target_property": "director_host_name"
                },
                {
                    "priority": "12",
                    "property_name": "director_host_name",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRejectOrSelect",
                    "settings": {
                        "filter_method": "is_null",
                        "policy": "reject"
                    }
                },
                {
                    "description": "Blocklist mirth-connect",
                    "priority": "13",
                    "property_name": "host_name_ip_and_port",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRejectOrSelect",
                    "settings": {
                        "filter_method": "regex",
                        "filter_string": "/ictpwpsswp01\\.ms\\.example\\.com\\/10\\.5\\.77\\.153:8443|ictlogbwp01\\.ms\\.example\\.com\\/10\\.5\\.72\\.147:443|ictlufuwp02\\.ms\\.example\\.com\\/10\\.5\\.72\\.24:8443|ictviewptwp02\\.ms\\.example\\.com\\/10\\.5\\.72\\.219:8443/",
                        "policy": "reject"
                    }
                },
                {
                    "description": "Block",
                    "priority": "14",
                    "property_name": "host_name_ip_and_port",
                    "provider_class": "Icinga\\Module\\Director\\PropertyModifier\\PropertyModifierRejectOrSelect",
                    "settings": {
                        "filter_method": "wildcard",
                        "filter_string": "x509 - ictesdswp01.ms.example.com/10.5.77.145:8092",
                        "policy": "reject"
                    }
                }
            ],
            "provider_class": "Icinga\\Module\\X509\\ProvidedHook\\ServicesImportSource",
            "settings": {},
            "source_name": "x509 Services only if host in director"
        }
    },
    "SyncRule": {
        "x509 Services only if host in director": {
            "object_type": "service",
            "properties": [
                {
                    "destination_field": "host",
                    "filter_expression": null,
                    "merge_policy": "override",
                    "priority": "1",
                    "source": "x509 Services only if host in director",
                    "source_expression": "${host_name}"
                },
                {
                    "destination_field": "import",
                    "filter_expression": null,
                    "merge_policy": "override",
                    "priority": "2",
                    "source": "x509 Services only if host in director",
                    "source_expression": "116-tpl-service-x509"
                },
                {
                    "destination_field": "vars.icingacli_x509_host",
                    "filter_expression": null,
                    "merge_policy": "override",
                    "priority": "3",
                    "source": "x509 Services only if host in director",
                    "source_expression": "${host_name}"
                },
                {
                    "destination_field": "vars.icingacli_x509_ip",
                    "filter_expression": null,
                    "merge_policy": "override",
                    "priority": "4",
                    "source": "x509 Services only if host in director",
                    "source_expression": "${host_ip}"
                },
                {
                    "destination_field": "vars.icingacli_x509_port",
                    "filter_expression": null,
                    "merge_policy": "override",
                    "priority": "5",
                    "source": "x509 Services only if host in director",
                    "source_expression": "${host_port}"
                },
                {
                    "destination_field": "object_name",
                    "filter_expression": null,
                    "merge_policy": "override",
                    "priority": "6",
                    "source": "x509 Services only if host in director",
                    "source_expression": "${service_name}"
                }
            ],
            "purge_action": "delete",
            "purge_existing": true,
            "rule_name": "x509 Services only if host in director",
            "update_policy": "merge"
        }
    }
}
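
An added example, not part of the original post and not code from Icinga Director or the x509 module: a Python dry run of the basket's reject modifiers and sync rule over constructed rows, showing which certificates would become services and which are silently dropped, and why. It assumes regex filters match unanchored (as PHP's preg_match does) and leaves out the two host-specific blocklist modifiers; `row`, `preview` and the sample hosts are hypothetical.

```python
import re

# Patterns copied from the basket's "reject" modifiers (priorities 2 and 7).
IPV4 = re.compile(r"(\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)"
                  r"(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}")
PORTS = re.compile(r"3389|5986")

def row(name, ip, port):
    """Build one constructed x509 services-import row."""
    return {"host_name_ip_and_port": f"{name}/{ip}:{port}",
            "host_name": name, "host_ip": ip, "host_port": str(port)}

def preview(rows, director_hosts):
    """Return (services, dropped) as the modifier chain and sync rule would."""
    services, dropped, seen = [], [], set()
    for r in rows:
        key = r["host_name_ip_and_port"]
        if key in seen:                              # priority 1, skip duplicates
            reason = "duplicate key"
        elif IPV4.search(r["host_name"]):            # priority 2
            reason = "host_name is an IP address"
        elif PORTS.search(r["host_port"]):           # priority 7, unanchored match
            reason = "port matches reject list"
        elif r["host_name"] not in director_hosts:   # priorities 11 and 12
            reason = "host not in Director"
        else:
            reason = None
        seen.add(key)
        if reason:
            dropped.append((key, reason))
            continue
        services.append({"object_name": "x509 - " + key, "host": r["host_name"],
                         "vars": {"icingacli_x509_host": r["host_name"],
                                  "icingacli_x509_ip": r["host_ip"],
                                  "icingacli_x509_port": r["host_port"]}})
    return services, dropped

# Constructed sample data (documentation addresses, not from the thread).
DIRECTOR_HOSTS = {"web01.example.com", "db01.example.com"}
ROWS = [row("web01.example.com", "192.0.2.10", 443),
        row("192.0.2.50", "192.0.2.50", 443),
        row("web01.example.com", "192.0.2.10", 3389),
        row("db01.example.com", "192.0.2.20", 15986),
        row("legacy.example.com", "192.0.2.30", 8443)]

if __name__ == "__main__":
    services, dropped = preview(ROWS, DIRECTOR_HOSTS)
    for s in services:
        print("create:", s["object_name"], "on", s["host"])
    for key, reason in dropped:
        print("skip:  ", key, "-", reason)
```

The dropped list is the part worth reviewing: port 15986 is rejected because `/3389|5986/` is not anchored, and `legacy.example.com` carries a certificate that gets no check because the host is not in Director.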

Thanks. The import from the basket itself did not work, but I can adopt the settings. Now it works fine.