nagios-plugins
==============
This repository contains my small collection of modified and custom written
nagios check plugins and scripts for [Nagios](http://www.nagios.org).
Most of these are very custom solutions or modified versions of standard plugins
so distributing them through [NagiosExchange](https://exchange.nagios.org/) is
not really appropriate. I am publishing them separately so that others may
benefit from these as well. Use them freely and please let me know is you
encounter any issues or require changes.
The latest versions, documentation and bugtracker available on my
[GitLab instance](https://gitlab.lindenaar.net/scripts/privacyidea-checkotp)
Copyright (c) 2015 - 2016 Frederik Lindenaar. free for distribution under
the GNU General Public License, see [below](#license)
contents
========
This repository contains the following scripts:
* [check_memory](#check_memory)
patched version of nagios-plugins check_memory script for Linux procps v3.3+
* [check_multiple_host_addresses](#host_addresses)
monitor multi-home and dual-stack (i.e. ipv4 and ipv6) servers.
* [check_otp](#check_otp)
plugin to monitor PrivacyIDEA (and LinOTP) OTP validation
* [check_temperature](#check_temperature)
plugin to monitor the CPU temperature of a RaspberryPi or that of a DS18b20 1-wire sensor on a RaspberryPi
* [nagiosstatus](#nagiosstatus)
CGI-BIN script to report the status of nagios (to monitor nagios itself)
<a name=check_memory>plugins/check_memory</a>
---------------------------------------------
Nagios check script to monitor the memory on Linux systems. Due to changes in
the output of procps v3.3 (the changelog refers to it as modernizing it), it's
output changed and breaks the the check_memory script as shipped with many linux
distributions. This version supports both the old and the new format so that
is indifferent of which version of procps (to date) is used. No other changes
were made to the script.
<a name=host_addresses>plugins/check_multiple_host_addresses</a>
----------------------------------------------------------------
This script is a first attempt to monitor multi-home and dual-stack (i.e. ipv4
and ipv6) servers. In my setup a server should only considered availble if it is
available on all of its primary addresses (i.e. both ipv4 and ipv6). It uses the
excellent check_multi script to perform multiple a ping check to see if a host
is available and reports the consolidated status. Using check_multi has the
advantage that pnp4nagios and other scripting graphing solutions will support
this solution as well.
Installation is straightforward, after installing the script on your server, add
the following to your `commands.cmd` configuration file to make it available:
~~~
# 'check-host-alive' command definition for multi-homed/dual-stack servers
define command{
command_name check-addresses-alive
command_line [install_path]/plugins/check_multiplehost_addresses '$HOSTADDRESS$' '$_HOSTADDRESS6$'
}
~~~
The example above assumes that the IPv6 address of the host is provided as part
of the host configuration, i.e.:
~~~
define host {
...
address 192.168.0.1
_address6 fdf8:f340:ab9d:c213::1
...
}
~~~
To use the script either add `check_command check-addresses-alive`
to the specific hosts that should use the check or to the generic host used as
template.
<a name=check_otp>plugins/check_otp</a>
---------------------------------------
Plugin (check) to monitor OTP validation, currently implemented for PrivacyIDEA
(and LinOTP). The check can validate a provided password/secret or calculate an
HOTP or TOTP value and use that to validate (with or without a password). Other
methods and interfaces can be plugged in easily (please raise a request or
provide a patch).
Please run `check_otp -h` for an actual overview of the available options. The
script currently supports 3 modes of operation:
* password - simply authenticate with the provided secret (no calculations)
* totp - calculate the TOTP code using a key and current time
* hotp - calculate the HOTP code using a key and a count (automatically
increments the count in case a count file is used)
Generic parameters (connection parameters, critical/warning thresholds, etc.)
should be provided before the mode of operation is specified, mode-specific
parameters should follow the mode selected. Keys, passwords and HOTP counts can
be read from a file as well. Checks can be performed based on token
serial or a login and a password (only mandatory for password authentication).
HOTP/TOTP modes require a Base16/32/64 encoded key provided on the command-line
or in a file. The generated HOTP/TOTP value is appended to the password/secret
(if provided), the order can be changed with the `-m` command line parameter.
Installation for is straightforward, after installing the script on the server
add the following to your Nagios `commands.cmd` configuration file:
~~~
# 'check_totp_serial' command definition to test TOTP based on token serial (no password)
# parameters: token serial (ARG1), key (ARG2), additional parameters in ARG3
define command {
command_name check_totp_serial
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG1$ -k $ARG2$ $ARG3$
}
# 'check_totp_serial' command definition to test TOTP based on token serial and password
# parameters: token serial (ARG1), key (ARG2), password (ARG3), additional parameters in ARG4
define command {
command_name check_totp_serial_pwd
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG1$ -k $ARG2$ -p $ARG3$ $ARG4$
}
# 'check_totp_login' command definition to test TOTP based on login and password
# parameters: login (ARG1), key (ARG2), password (ARG3), additional parameters in ARG4
define command {
command_name check_totp_login
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG1$ -k $ARG2$ -p $ARG3$ $ARG4$
}
# 'check_totp_serial_dir' command definition to test TOTP based on token serial
# parameters: directory (ARG1), token serial (ARG2) additional parameters in ARG3
define command {
command_name check_totp_serial_dir
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG2$ -K $ARG1$/$ARG2$.key $ARG3$
}
# 'check_totp_serial_dir_pwd' command definition to test TOTP based on token serial and password
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
command_name check_totp_serial_dir_pwd
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -s $ARG2$ -K $ARG1$/$ARG2$.key -P $ARG1$/$ARG2$.pwd $ARG3$
}
# 'check_totp_login_dir' command definition to test TOTP based on login
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
command_name check_totp_login_dir
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG2$ -K $ARG1$/$ARG2$.key $ARG3$
}
# 'check_totp_login_dir_pwd' command definition to test TOTP based on login and password
# parameters: directory (ARG1), login (ARG2) additional parameters in ARG3
define command {
command_name check_totp_login_dir_pwd
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token totp -l $ARG2$ -K $ARG1$/$ARG2$.key -P $ARG1$/$ARG2$.pwd $ARG3$
}
# 'check_hotp_serial_dir' command definition to test HOTP based on token serial
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
command_name check_hotp_serial_dir
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -s $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count $ARG3$
}
# 'check_hotp_serial_dir_pwd' command definition to test HOTP based on token serial and password
# parameters: directory (ARG1), token serial (ARG2), additional parameters in ARG3
define command {
command_name check_hotp_serial_dir_pwd
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -s $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count -P $ARG1$/$ARG2$.pwd $ARG3$
}
# 'check_hotp_login_dir' command definition to test HOTP based on login
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
command_name check_hotp_login_dir
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -l $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count $ARG3$
}
# 'check_hotp_login_dir_pwd' command definition to test HOTP based on login and password
# parameters: directory (ARG1), login (ARG2), additional parameters in ARG3
define command {
command_name check_hotp_login_dir_pwd
command_line [install_path]/plugins/check_otp -H $HOSTNAME$ -w 3 -c 8 -P /token hotp -l $ARG2$ -K $ARG1$/$ARG2$.key -C $ARG1$/$ARG2$.count -P $ARG1$/$ARG2$.pwd $ARG3$
}
~~~
Please check / adjust the following:
* replace `[install_path]/plugins` with the location of the script
* assumption is that the `$HOSTNAME$` can be used for an SSL connection (and
that the certificate is valid for this host, use the -u parameter and an
URL if this is not the case)
* path on the server is assumed to be /token (API endpoints will be added)
* check the thresholds for Warning (3s) and Critical (8s), adjust if needed
The `dir` and `dir_pwd` commands allow to store all sensitive data for tokens in
a folder and hence only require a folder name and token serial or login. This
expects the folder specified to contain the following files:
* [serial/login].key - HOTP/TOTP key in Base16/32/64 format on first line
* [serial/login].pwd - password (only first line is used)
* [serial/login].count - numeric HOTP count on first line, autoincremented
Please note that required files must exist or the check will fail with an error.
To use the it define a service check like below:
~~~
# check that TOTP authentication is working for token serial and provided key
define service {
host hostname.mydomain.tld
service_description Check TOTP Authentication
check_command check_totp_serial!TOTP0001234X!82f37371367b7e8aafb320b2d9b2721f66bbf161
use generic-service
}
# check that TOTP authentication is working for token serial and info from folder
define service {
host hostname.mydomain.tld
service_description Check TOTP Authentication
check_command check_totp_serial_dir!/etc/nagios3/tokeninfo!TOTP0001234X
use generic-service
}
# check that HOTP authentication is working for token serial and info from folder
define service {
host hostname.mydomain.tld
service_description Check TOTP Authentication
check_command check_hotp_serial_dir!/etc/nagios3/tokeninfo!HOTP0004321Y
use generic-service
}
~~~
<a name=check_temperature>plugins/check_temperature</a>
-------------------------------------------------------
Plugin (check) to monitor monitor the Raspberry Pi CPU temperature or that of a
temperature sensor connected to a RaspberryPi. This implementation currently
supports the DS18B20 1-wire temperature sensor. Other methods and interfaces can
be plugged in easily (just raise a request or provide a patch). For information
on how to connect sensor to the RaspberryPi and to get it working please see
[this Adafruit tutorial](
https://learn.adafruit.com/adafruits-raspberry-pi-lesson-11-ds18b20-temperature-sensing).
No setup is required to read the CPU temperature. To enable the 1-wire interface
support on the RaspberryPi one can use the command:
~~~
sudo raspi-config nonint do_onewire 0
~~~
or use `raspi-config` in interactive mode (9. Advanced Options --> A9. 1-Wire).
Please note that changing this requires a reboot.
Installation for is straightforward, after installing the script on the server
add the following to your Nagios `commands.cmd` configuration file:
~~~
# 'check_cpu_temperature' command definition to monitor CPU temperature in C
# parameters: warning (ARG1) and critical (ARG2) temperature in Celcius
define command {
command_name check_temperature
command_line [install_path]/plugins/check_temperature -w $ARG1$ -c $ARG2$ rpi_cpu
}
# 'check_cpu_ftemperature' command definition to monitor CPU temperature in F
# parameters: warning (ARG1) and critical (ARG2) temperature in Celcius
define command {
command_name check_temperature
command_line [install_path]/plugins/check_temperature -F -w $ARG1$ -c $ARG2$ rpi_cpu
}
# 'check_temperature' command definition to monitor a single temperature in C
# parameters: warning (ARG1) and critical (ARG2) temperature in Celcius
define command {
command_name check_temperature
command_line [install_path]/plugins/check_temperature -w $ARG1$ -c $ARG2$ w1_ds18b20
}
# 'check_ftemperature' command definition to monitor a single temperature in F
# parameters: warning (ARG1) and critical (ARG2) temperature in Farenheit
define command {
command_name check_ftemperature
command_line [install_path]/plugins/check_temperature -F -w $ARG1$ -c $ARG2$ w1_ds18b20
}
# 'check_temperature_sensor' command definition to monitor a single temperature in C
# parameters: sensor serial (ARG1), warning (ARG2) and critical (ARG3) temperature in Celcius
define command {
command_name check_temperature_sensor
command_line [install_path]/plugins/check_temperature -w $ARG2$ -c $ARG3$ w1_ds18b20 -s $ARG1$
}
# 'check_ftemperature_sensor' command definition to monitor a single temperature in F
# parameters: sensor serial (ARG1), warning (ARG2) and critical (ARG3) temperature in Farenheit
define command {
command_name check_ftemperature_sensor
command_line [install_path]/plugins/check_temperature -F -w $ARG2$ -c $ARG3$ w1_ds18b20 -s $ARG1$
}
~~~
Make sure to replace `[install_path]/plugins` with the location of the script.
To use the it define a service check like below:
~~~
# check RaspberryPi CPU temperature in Celcius
define service {
host hostname.mydomain.tld
service_description CPU Temperature
check_command check_cpu_temperature!55!75
use generic-service
}
# check temperature in Celcius using a DS18B20 sensor connected to a RaspberryPi
define service {
host hostname.mydomain.tld
service_description Check Temperature
check_command check_temperature!30!35
use generic-service
}
# check temperature with DS18B20 sensor 0000a31ea3de connected to a RaspberryPi
define service {
host hostname.mydomain.tld
service_description Check Temperature
check_command check_temperature_sensor!0000a31ea3de!30!35
use generic-service
}
~~~
Please run `check_temperature -h` after installation for an overview of the
available command line options (e.g. to enable logging to a file).
<a name=nagiosstatus>cgi-bin/nagiosstatus.sh</a>
------------------------------------------------
Very simplistic CGI-BIN script that checkes whether nagios is still running and
still updating its status. It wil always return an HTTP Status 200 (OK) and a
simple text page with one of the following texts:
- `STOPPED` - in case the nagios process is not running
- `STALLED` - in case the nagios status file has not been updated for 5 minutes
- `OK` - when Nagios is running and updated its status file < 5 minutes ago
I wrote this script to be used with an external monitoring system, I use it with
the free subscription from [Pingdom](http://www.pingdom.com) to get alerts when
my Nagios monitoring system is no longer reachable.
<a name="license">License</a>
-----------------------------
These scripts, documentation & configration examples are free software: you can
redistribute and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.
This script, documenatation and configuration examples are distributed in the
hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program. If not, download it from <http://www.gnu.org/licenses/>.