CheckMk F5 Certificate Expiration using SNMP
Problem this snippet solves:
The default checks provided by CheckMK do not monitor traffic certificate expiration. I wrote a custom check to allow these certificates to be discovered and monitored. Default thresholds of 30 days for warning and 10 days for critical are defined and can be modified. The default certificates ('/Common/default.crt', '/Common/f5-irule.crt', '/Common/ca-bundle.crt', '/Common/f5-ca-bundle.crt') are all ignored.
How to use this snippet:
Code :
```python
#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# +------------------------------------------------------------------+
# |             ____ _               _        __  __ _  __           |
# |            / ___| |__   ___  ___| | __   |  \/  | |/ /           |
# |           | |   | '_ \ / _ \/ __| |/ /   | |\/| | ' /            |
# |           | |___| | | |  __/ (__|   <    | |  | | . \            |
# |            \____|_| |_|\___|\___|_|\_\___|_|  |_|_|\_\           |
# |                                                                  |
# | Copyright Mathias Kettner 2017             mk@mathias-kettner.de |
# +------------------------------------------------------------------+
#
# This file is part of Check_MK.
# The official homepage is at http://mathias-kettner.de/check_mk.
#
# check_mk is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation in version 2. check_mk is distributed
# in the hope that it will be useful, but WITHOUT ANY WARRANTY; with-
# out even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU General Public License for more de-
# tails. You should have received a copy of the GNU General Public
# License along with GNU Make; see the file COPYING. If not, write
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA 02110-1301 USA.

## Custom check for F5 certificate expiration
## Author: Shaun Pillé
## Contact: shaun.pille@gmail.com
## Version 0.2

import time

# Warning and critical thresholds in days
custom_warn = 30
custom_crit = 10

# Default check parameters: (warn, crit) converted to seconds
cert_thresholds = [(custom_warn * 86400), (custom_crit * 86400)]


# Inventory all certificates installed on the F5, skipping the built-in ones
def inventory_f5_bigip_certs(info):
    ignore_list = set(['/Common/default.crt', '/Common/f5-irule.crt',
                       '/Common/ca-bundle.crt', '/Common/f5-ca-bundle.crt'])
    for certname, fulldate, epochdate in info:
        if certname not in ignore_list:
            # "cert_thresholds" is the name of the default parameter variable
            yield certname, "cert_thresholds"


# Check the expiration date and return crit, warn or ok based on the thresholds
def check_f5_bigip_certs(item, params, info):
    cert_warn, cert_crit = params
    # Current date in epoch time, taken on every check run rather than once
    # at load time so it cannot go stale in a long-running process
    currdate = int(time.time())
    for certname, fulldate, epochdate in info:
        if certname == item:
            remaining = int(epochdate) - currdate  # seconds until expiry
            expires = remaining // 86400           # whole days until expiry
            if remaining < cert_crit:
                state = 2
            elif remaining <= cert_warn:
                state = 1
            else:
                state = 0
            # Report the thresholds actually in effect, converted to days
            warn_days = cert_warn // 86400
            crit_days = cert_crit // 86400
            infotext = "Valid for %d days" % expires
            if state > 0:
                infotext += " (warn/crit below %s/%s)" % (warn_days, crit_days)
            # Performance data: value and thresholds are all in days
            yield state, infotext, [("daysleft", expires, warn_days, crit_days)]


# Check data: SNMP table to pull; columns 1, 4 and 5 map to
# certname, fulldate and epochdate
check_info["f5_bigip_certs"] = {
    "check_function"      : check_f5_bigip_certs,
    "inventory_function"  : inventory_f5_bigip_certs,
    "service_description" : "Certificate Expiration %s",
    "snmp_info"           : (".1.3.6.1.4.1.3375.2.1.15.1.2.1", [1, 4, 5]),
}
```
Tested this on version:
No Version Found
Published Sep 12, 2020
Version 1.0
ShaunNeutron