Merge branch 'dev' into master #40

Merged
jdubois merged 26 commits from dev into master 2021-12-17 16:27:00 +01:00
25 changed files with 1048 additions and 95 deletions

2
.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
/vars/evolinux-secrets.yml
/vars/evolix-main.yml

View file

@ -7,6 +7,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Added
### Changed
### Fixed
### Removed
## [21.12] - 2021-12-17
### Changed
- Configure locale to en_US.UTF-8 in .profile file so that "git log" displays the accents correctly
- Use vim as default git editor
- Change version pattern and fix release scheme
### Added
- Add a bioctl NRPE check for RAID devices
## [6.9.2] - 2021-10-15
### Added
- Add a more complete ipsecctl check script
- Add doas configuration for check_openvpn_certificates.sh
### Fixed
- Fix check_dhcpd for dhcpd server themselves : use back check_procs -c1: -C dhcpd
- Fix check_mailq : check from monitoring-plugins current version is not compatible with opensmtpd
## [6.9.1] - 2021-07-19
### Added
- Configure the ntpd.conf file
## [6.9.0] - 2021-05-06
### Changed

View file

@ -1,13 +1,10 @@
# EvoBSD 6.9.0
# EvoBSD
EvoBSD is an ansible project used for customising OpenBSD hosts
used by Evolix.
EvoBSD is an ansible project used for customising OpenBSD hosts used by Evolix.
## How to install an OpenBSD machine
**Note :** The system must be installed with a root account only.
Put your public key in the remote root's autorized_keys
(/root/.ssh/authorized_keys)
1. Install ansible's prerequisites
@ -17,6 +14,8 @@ ansible-playbook prerequisite.yml -CDi hosts -l HOSTNAME
2. Run it
The variables files evolix-main.yml and evolinux-secrets.yml are customized variables for Evolix that overwrite main.yml variables. They are not needed if you are not from Evolix.
First use (become_method: su) :
```
@ -29,52 +28,8 @@ Subsequent use (become_method: sudo) :
ansible-playbook evolixisation.yml --ask-vault-pass -CDKi hosts --skip-tags pf -l HOSTNAME
```
### Testing
Changes can be tested by using [Packer](https://www.packer.io/) and
[vmm(4)](https://man.openbsd.org/vmm.4) :
* This process depends on the [Go](https://golang.org/) programming language.
**Packages**
Needing a Golang eco system and some basics
````
pkg_add go-- packer-- git--
````
* We use the [packer-builder-openbsd-vmm](https://github.com/double-p/packer-builder-openbsd-vmm) project to bridge Packer and vmm(4)
````
git clone https://github.com/double-p/packer-builder-openbsd-vmm.git
````
**builds**
Set ````GOPATH```` (default: ~/go), if the 1.4GB dependencies wont fit.
````
make
make install
````
* You need your unprivileged user to be able to run vmctl(8) through doas(1)
```
echo "permit nopass myunprivilegeduser as root cmd /usr/sbin/vmctl" >> /etc/doas.conf
```
See packer-builder-openbsd-vmm/examples/README.examples for further instructions
* Enable NAT on your host machine
```
pass out on em0 inet from tap0:network to any nat-to (em0)
```
*assuming em0 is your egress interface*
## Contributions
See the [contribution guidelines](CONTRIBUTING.md)
## License

View file

@ -16,8 +16,8 @@
vars_files:
- vars/main.yml
- vars/secrets.yml
- vars/openbsd-secret.yml
- vars/evolix-main.yml
- vars/evolinux-secrets.yml
roles:
- etc-git
@ -40,6 +40,3 @@
- include_role:
name: evocheck
tasks_from: exec.yml
# environment:
# PKG_PATH: "http://ftp.openbsd.org/pub/OpenBSD/{{ ansible_distribution_version }}/packages/{{ ansible_architecture }}/"

4
hosts
View file

@ -1,5 +1,5 @@
[openbsd]
foo.example.com
foo.example.com ansible_host=192.0.2.1
[openbsd:vars]
ansible_python_interpreter=/usr/local/bin/python3
ansible_python_interpreter=/usr/local/bin/python3.9

View file

@ -1,6 +1,5 @@
---
ntpd_servers:
- "ntp.evolix.net"
ntpd_servers: "ntp.evolix.net"
general_alert_email: "root@localhost"
general_technical_realm: "example.com"

View file

@ -32,17 +32,18 @@ SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
# timeout (in seconds) for SSH connections
SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90}
## We use /home/backup : feel free to use your own dir
# We use /home/backup : feel free to use your own dir
LOCAL_BACKUP_DIR="/home/backup"
# You can set "linux" or "bsd" manually or let it choose automatically
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
# Change these 2 variables if you have more than one backup cron
PIDFILE="/var/run/evobackup.pid"
LOGFILE="/var/log/evobackup.log"
# Store pid and logs in a file named after this program's name
PROGNAME=$(basename $0)
PIDFILE="/var/run/${PROGNAME}.pid"
LOGFILE="/var/log/${PROGNAME}.log"
## Enable/Disable tasks
# Enable/Disable tasks
LOCAL_TASKS=${LOCAL_TASKS:-1}
SYNC_TASKS=${SYNC_TASKS:-1}
@ -312,8 +313,9 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
${FINDMNT_BIN} > ${LOCAL_BACKUP_DIR}/findmnt.txt
fi
else
## Dump network connections with netstat
netstat -finet -atn > ${LOCAL_BACKUP_DIR}/netstat.out
## Dump network connections with fstat
fstat | head -1 > ${LOCAL_BACKUP_DIR}/netstat.out
fstat | grep internet >> ${LOCAL_BACKUP_DIR}/netstat.out
## List OpenBSD packages
pkg_info -m > ${LOCAL_BACKUP_DIR}/packages
@ -415,6 +417,7 @@ if [ "${SYNC_TASKS}" = "1" ]; then
--exclude "lxc/*/rootfs/var/apt" \
--exclude "lxc/*/rootfs/var/cache" \
--exclude "lxc/*/rootfs/var/lib/php5" \
--exclude "lxc/*/rootfs/var/lib/php/sessions" \
--exclude "lxc/*/rootfs/var/lock" \
--exclude "lxc/*/rootfs/var/log" \
--exclude "lxc/*/rootfs/var/run" \

View file

@ -31,3 +31,8 @@
command: mount -u -o noatime /home
args:
warn: false
- name: reload ntp
service:
name: ntpd
state: restarted

View file

@ -15,10 +15,10 @@
dest: "{{ item.dest }}"
owner: 'root'
group: 'wheel'
mode: '0755'
mode: '{{ item.mode }}'
with_items:
- {src: 'evomaintenance.sh', dest: '/usr/share/scripts/'}
- {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/'}
- {src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700'}
- {src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600'}
tags:
- evomaintenance
- script-evomaintenance

View file

@ -10,3 +10,4 @@
- include: newsyslog.yml
- include: cron.yml
- include: fstab.yml
- include: ntp.yml

30
roles/base/tasks/ntp.yml Normal file
View file

@ -0,0 +1,30 @@
---
- name: Retrieve ntpd.conf content
command: cat ntpd.conf
args:
chdir: /etc/
check_mode: no
register: ntpd_conf
tags:
- ntp
- name: Empty ntpd.conf before customizing it
file:
path: /etc/ntpd.conf
state: absent
when: ntpd_conf.stdout is not regex("^server ntp.evolix.net$")
tags:
- ntp
- name: Customize ntpd conf
lineinfile:
path: /etc/ntpd.conf
line: "server {{ ntpd_servers }}"
create: yes
owner: root
group: wheel
mode: '0644'
notify:
- reload ntp
tags:
- ntp

View file

@ -5,8 +5,7 @@ permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_ssh_group }} as
permit nopass _collectd as root cmd /bin/cat
permit nopass _collectd as root cmd /usr/sbin/bgpctl
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_mailq.pl
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
@ -16,3 +15,4 @@ permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_state
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl_critiques.sh
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh

View file

@ -4,6 +4,8 @@
PATH="{{ evobsd_path }}"
export PATH HOME TERM
export LANG="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"
export PS1="\u@\h:\w\\$ "
HISTFILE=$HOME/.histfile
export HISTSIZE=10000

View file

@ -44,6 +44,12 @@
tags:
- etc-git
- name: Set vim as default editor
git_config:
name: core.editor
scope: global
value: vim
- name: does /etc/ have any commit?
command: "git log"
args:
@ -118,7 +124,7 @@
- name: hourly cron job for /etc/.git status is installed
cron:
name: git status
minute: 42
minute: "42"
job: >
who
> /dev/null

View file

@ -3,7 +3,7 @@
# EvoCheck
# Script to verify compliance of an OpenBSD server powered by Evolix
readonly VERSION="6.7.7"
readonly VERSION="21.09"
# Disable LANG*
@ -108,13 +108,17 @@ check_softdep(){
}
check_noatime(){
if [ $(mount | grep -c noatime) -ne $(grep -c ffs /etc/fstab) ]; then
if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then
failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
fi
}
check_tmoutprofile(){
grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
if [ -f /etc/skel/.profile ]; then
grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
else
failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'"
fi
}
check_raidok(){
@ -176,7 +180,7 @@ check_gitperms(){
test -d /etc/.git && [ "$(stat -f %p /etc/.git/)" = "40700" ] || failed "IS_GITPERMS" "The directiry /etc/.git sould be in 700"
}
check_advbase(){
check_carpadvbase(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
bad_advbase=0
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
@ -185,21 +189,21 @@ check_advbase(){
fi
done
if [[ "$bad_advbase" -eq 1 ]]; then
failed "IS_ADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
fi
fi
}
check_preempt(){
check_carppreempt(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
if [[ "$preempt" -ne 1 ]]; then
failed "IS_PREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
fi
if [ -f /etc/sysctl.conf ]; then
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_PREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
else
failed "IS_PREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
fi
fi
}
@ -353,6 +357,29 @@ check_openvpncronlog(){
fi
}
check_carpadvskew(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
ifconfig $carp | grep -q master
master=$?
ifconfig $carp | grep -q backup
backup=$?
advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
if [ "$master" -eq 0 ]; then
if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then
failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
fi
elif [ "$backup" -eq 0 ]; then
if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then
failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
fi
else
failed "IS_CARPADVSKEW" "Interface $carp is neither master nor backup. Check interface state."
fi
done
fi
}
main() {
# Default return code : 0 = no error
@ -369,8 +396,8 @@ main() {
test "${IS_UPTIME:=1}" = 1 && check_uptime
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_ADVBASE:=1}" = 1 && check_advbase
test "${IS_PREEMPT:=1}" = 1 && check_preempt
test "${IS_CARPADVBASE:=1}" = 1 && check_carpadvbase
test "${IS_CARPPREEMPT:=1}" = 1 && check_carppreempt
test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom
@ -394,6 +421,7 @@ main() {
test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute
test "${IS_NTP:=1}" = 1 && check_ntp
test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
test "${IS_CARPADVSKEW:=1}" = 1 && check_carpadvskew
exit ${RC}
}

View file

@ -2,7 +2,7 @@
- name: Enable IPv4 forwarding
sysctl:
name: net.inet.ip.forwarding
value: 1
value: "1"
state: present
reload: true
tags:
@ -11,7 +11,7 @@
- name: Enable IPv6 forwarding
sysctl:
name: net.inet6.ip6.forwarding
value: 1
value: "1"
state: present
reload: true
tags:

View file

@ -0,0 +1,94 @@
#!/bin/sh
# Use : ./check_ipsecctl_critiques.sh
# check_ipsecctl.sh must be installed
# Do not forget to also set variables under "Additional check with ping" : $VPNS + Definition of destination IPs + IPs in "case $vpn in"
# If needed, you can custom "local_ip" if the local IP used for ipsec is not the default one, or if multiples IP are use (e.g. "local_ip=192.0.2.[12]" if 192.0.2.1 and 192.0.2.2 are both used).
# Variables
CHECK_IPSECCTL="/usr/local/libexec/nagios/plugins/check_ipsecctl.sh"
STATUS=0
VPN_KO=""
default_int=$(route -n show -inet | grep default | awk '{ print $8 }' | grep -v pppoe0)
default_ip=$(ifconfig $default_int | grep inet | head -1 | awk '{ print $2 }')
# No check if CARP backup
carp=$(/sbin/ifconfig carp0 2>/dev/null | /usr/bin/grep 'status' | cut -d' ' -f2)
if [ "$carp" = "backup" ]; then
echo "It's alright I'm just a backup!"
exit 0
fi
# First check that isakmpd is running
if ! /usr/sbin/rcctl check isakmpd >/dev/null; then
echo "CRITICAL : The isakmpd daemon is down. Start it with : rcctl start isakmpd && ipsecctl -f /etc/ipsec.conf"
STATUS=2
fi
# Make sure "0.0.0.0" is not configured
if /sbin/ipsecctl -sa | grep -qF 0.0.0.0; then
echo "CRITICAL : Configuration error on client side, \"0.0.0.0\" is configured and makes the network to bug. Check with \"ipsecctl -sa | grep -F 0.0.0.0\" which VPN is affected and shut it down, and contact the client or the VPN provider to solve the problem."
STATUS=2
fi
# Check with "ipsecctl -sa"
for vpn in $(cat /etc/ipsec.conf | grep -v "^#" | awk '{print $2}'); do
vpn=$(basename $vpn .conf\")
local_ip=$default_ip
remote_ip=$(grep -E "remote_ip" /etc/ipsec/${vpn}.conf | grep -v "^#" | grep -o "[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*")
$CHECK_IPSECCTL $local_ip $remote_ip "$vpn" > /dev/null
if [ $? -ne 0 ]; then
STATUS=2
VPN_KO="$VPN_KO $vpn"
fi
done
# Additional check with ping because "ipsecctl -sa" is not enough, only if previous checks didn't fail
if [ $STATUS -eq 0 ]; then
# Definition of VPNs to be checked
VPNS="A_from_vlan1 A_from_vlan2 B_from_vlan1 C_from_vlan2"
# Definition of destination IPs (client side) to ping for each VPN
A_from_vlan1_IP="192.168.1.1"
A_from_vlan2_IP="192.168.2.1"
B_from_vlan1_IP="172.16.1.1"
C_from_vlan2_IP="10.0.1.1"
for vpn in $VPNS; do
# dst_ip takes the value of VPNS_IP
eval dst_ip=\$${vpn}_IP
# Definition of the source IP of the ping according to the source network used (our side, adjust the -I option)
case $vpn in
*vlan1*) ping -q -i 0.1 -I 192.168.5.5 -c 3 -w 1 $dst_ip >/dev/null ;;
*vlan2*) ping -q -i 0.1 -I 172.16.2.5 -c 3 -w 1 $dst_ip >/dev/null ;;
esac
if [ $? -ne 0 ]; then
VPN_KO="$VPN_KO $vpn"
fi
done
fi
if [ -n "$VPN_KO" ]; then
echo "VPNs down:$VPN_KO"
exit 2
else
if [ "$STATUS" -eq 0 ]; then
echo "ALL VPN(s) UP(s)"
exit 0
else
exit $STATUS
fi
fi

View file

@ -0,0 +1,778 @@
#!/usr/bin/perl -w
# check_mailq - check to see how many messages are in the smtp queue awating
# transmittal.
#
# Initial version support sendmail's mailq command
# Support for multiple sendmail queues (Carlos Canau)
# Support for qmail (Benjamin Schmid)
# License Information:
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
# MA 02110-1301, USA
#
############################################################################
use POSIX;
use strict;
use Getopt::Long;
use vars qw($opt_V $opt_h $opt_v $verbose $PROGNAME $opt_w $opt_c $opt_t $opt_s $opt_d
$opt_M $mailq $status $state $msg $msg_q $msg_p $opt_W $opt_C $mailq $mailq_args
@lines %srcdomains %dstdomains);
use FindBin;
use lib "$FindBin::Bin";
use lib '/usr/local/libexec/nagios/';
use utils qw(%ERRORS &print_revision &support &usage );
my ($sudo);
sub print_help ();
sub print_usage ();
sub process_arguments ();
$ENV{'PATH'}='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin';
$ENV{'BASH_ENV'}='';
$ENV{'ENV'}='';
$PROGNAME = "check_mailq";
$mailq = 'sendmail'; # default
$msg_q = 0 ;
$msg_p = 0 ;
# If appended, must start with a space
$mailq_args = '' ;
$state = $ERRORS{'UNKNOWN'};
$utils::PATH_TO_SMTPCTL = "/usr/sbin/smtpctl";
Getopt::Long::Configure('bundling');
$status = process_arguments();
if ($status){
print "ERROR: processing arguments\n";
exit $ERRORS{"UNKNOWN"};
}
if ($opt_d) {
$mailq_args = $mailq_args . ' -C ' . $opt_d;
}
if ($opt_s) {
if ($utils::PATH_TO_SUDO ne "") {
if (-x $utils::PATH_TO_SUDO) {
$sudo = $utils::PATH_TO_SUDO;
} else {
print "ERROR: Cannot execute sudo\n";
exit $ERRORS{'UNKNOWN'};
}
}
} else {
$sudo = "";
}
$SIG{'ALRM'} = sub {
print ("ERROR: timed out waiting for $utils::PATH_TO_MAILQ \n");
exit $ERRORS{"WARNING"};
};
alarm($opt_t);
# switch based on MTA
if ($mailq eq "sendmail") {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
# single queue empty
##/var/spool/mqueue is empty
# single queue: 1
## /var/spool/mqueue (1 request)
##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
##h32E30p01763 2782 Wed Apr 2 15:03 <silvaATkpnqwest.pt>
## 8BITMIME
## <silvaATeunet.pt>
# multi queue empty
##/var/spool/mqueue/q0/df is empty
##/var/spool/mqueue/q1/df is empty
##/var/spool/mqueue/q2/df is empty
##/var/spool/mqueue/q3/df is empty
##/var/spool/mqueue/q4/df is empty
##/var/spool/mqueue/q5/df is empty
##/var/spool/mqueue/q6/df is empty
##/var/spool/mqueue/q7/df is empty
##/var/spool/mqueue/q8/df is empty
##/var/spool/mqueue/q9/df is empty
##/var/spool/mqueue/qA/df is empty
##/var/spool/mqueue/qB/df is empty
##/var/spool/mqueue/qC/df is empty
##/var/spool/mqueue/qD/df is empty
##/var/spool/mqueue/qE/df is empty
##/var/spool/mqueue/qF/df is empty
## Total Requests: 0
# multi queue: 1
##/var/spool/mqueue/q0/df is empty
##/var/spool/mqueue/q1/df is empty
##/var/spool/mqueue/q2/df is empty
## /var/spool/mqueue/q3/df (1 request)
##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
##h32De2f23534* 48 Wed Apr 2 14:40 nocol
## nouserATEUnet.pt
## canau
##/var/spool/mqueue/q4/df is empty
##/var/spool/mqueue/q5/df is empty
##/var/spool/mqueue/q6/df is empty
##/var/spool/mqueue/q7/df is empty
##/var/spool/mqueue/q8/df is empty
##/var/spool/mqueue/q9/df is empty
##/var/spool/mqueue/qA/df is empty
##/var/spool/mqueue/qB/df is empty
##/var/spool/mqueue/qC/df is empty
##/var/spool/mqueue/qD/df is empty
##/var/spool/mqueue/qE/df is empty
##/var/spool/mqueue/qF/df is empty
## Total Requests: 1
while (<MAILQ>) {
# match email addr on queue listing
if ( (/<.*@.*\.(\w+\.\w+)>/) || (/<.*@(\w+\.\w+)>/) ) {
my $domain = $1;
if (/^\w+/) {
print "$utils::PATH_TO_MAILQ = srcdomain = $domain \n" if $verbose ;
$srcdomains{$domain} ++;
}
next;
}
#
# ...
# sendmail considers a message with more than one destiny, say N, to the same MX
# to have N messages in queue.
# we will only consider one in this code
if (( /\s\(reply:\sread\serror\sfrom\s.*\.(\w+\.\w+)\.$/ ) || ( /\s\(reply:\sread\serror\sfrom\s(\w+\.\w+)\.$/ ) ||
( /\s\(timeout\swriting\smessage\sto\s.*\.(\w+\.\w+)\.:/ ) || ( /\s\(timeout\swriting\smessage\sto\s(\w+\.\w+)\.:/ ) ||
( /\s\(host\smap:\slookup\s\(.*\.(\w+\.\w+)\):/ ) || ( /\s\(host\smap:\slookup\s\((\w+\.\w+)\):/ ) ||
( /\s\(Deferred:\s.*\s.*\.(\w+\.\w+)\.\)/ ) || ( /\s\(Deferred:\s.*\s(\w+\.\w+)\.\)/ ) ) {
print "$utils::PATH_TO_MAILQ = dstdomain = $1 \n" if $verbose ;
$dstdomains{$1} ++;
}
if (/\s+\(I\/O\serror\)/) {
print "$utils::PATH_TO_MAILQ = dstdomain = UNKNOWN \n" if $verbose ;
$dstdomains{'UNKNOWN'} ++;
}
# Finally look at the overall queue length
#
if (/mqueue/) {
print "$utils::PATH_TO_MAILQ = $_ "if $verbose ;
if (/ \((\d+) request/) {
#
# single queue: first line
# multi queue: one for each queue. overwrite on multi queue below
$msg_q = $1 ;
}
} elsif (/^\s+Total\sRequests:\s(\d+)$/i) {
print "$utils::PATH_TO_MAILQ = $_ \n" if $verbose ;
#
# multi queue: last line
$msg_q = $1 ;
}
}
## close mailq
close (MAILQ);
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
## now check the queue length(s)
if ($msg_q == 0) {
$msg = "OK: $mailq mailq is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check for domain specific queue lengths if requested
if (defined $opt_W) {
# Apply threshold to queue lengths FROM domain
my @srckeys = sort { $srcdomains{$b} <=> $srcdomains{$a} } keys %srcdomains;
my $srcmaxkey = $srckeys[0];
print "src max is $srcmaxkey with $srcdomains{$srcmaxkey} messages\n" if $verbose;
if ($srcdomains{$srcmaxkey} >= $opt_W && $srcdomains{$srcmaxkey} < $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
} elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){
$msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
} else {
$msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
}
} elsif ($srcdomains{$srcmaxkey} >= $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C)";
$state = $ERRORS{'CRITICAL'};
} elsif ($state == $ERRORS{'WARNING'}) {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C) -and- " . $msg;
$msg =~ s/WARNING: //;
} elsif ($state == $ERRORS{'CRITICAL'}) {
$msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
} else {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'CRITICAL'};
}
} else {
if ($srcdomains{$srcmaxkey} > 0) {
$msg .= " $srcdomains{$srcmaxkey} msgs. FROM $srcmaxkey is below threshold ($opt_W/$opt_C)";
}
}
# Apply threshold to queue lengths TO domain
my @dstkeys = sort { $dstdomains{$b} <=> $dstdomains{$a} } keys %dstdomains;
my $dstmaxkey = $dstkeys[0];
print "dst max is $dstmaxkey with $dstdomains{$dstmaxkey} messages\n" if $verbose;
if ($dstdomains{$dstmaxkey} >= $opt_W && $dstdomains{$dstmaxkey} < $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
} elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){
$msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
} else {
$msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
}
} elsif ($dstdomains{$dstmaxkey} >= $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C)";
$state = $ERRORS{'CRITICAL'};
} elsif ($state == $ERRORS{'WARNING'}) {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C) -and- " . $msg;
$msg =~ s/WARNING: //;
} elsif ($state == $ERRORS{'CRITICAL'}) {
$msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
} else {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'CRITICAL'};
}
} else {
if ($dstdomains{$dstmaxkey} > 0) {
$msg .= " $dstdomains{$dstmaxkey} msgs. TO $dstmaxkey is below threshold ($opt_W/$opt_C)";
}
}
} # End of queue length thresholds
}
} # end of ($mailq eq "sendmail")
elsif ( $mailq eq "postfix" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ ) {
if (-x $utils::PATH_TO_MAILQ) {
if (! open (MAILQ, "$utils::PATH_TO_MAILQ$mailq_args | ")) {
print "ERROR: $utils::PATH_TO_MAILQ$mailq_args returned an error\n";
exit $ERRORS{'UNKNOWN'};
}
}
else {
if ( $sudo ne "" ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ$mailq_args | " ) ) {
print "ERROR: $utils::PATH_TO_MAILQ$mailq_args is not executable with sudo by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: $utils::PATH_TO_MAILQ$mailq_args is not executable by (uid $>:gid($))) and sudo is not set in utils.pm\n";
exit $ERRORS{'UNKNOWN'};
}
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined in utils.pm\n";
exit $ERRORS{'UNKNOWN'};
}
@lines = reverse <MAILQ>;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ$mailq_args",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
# check queue length
if ($lines[0]=~/Kbytes in (\d+)/) {
$msg_q = $1 ;
}elsif ($lines[0]=~/Mail queue is empty/) {
$msg_q = 0;
}else{
print "Couldn't match $utils::PATH_TO_MAILQ$mailq_args output\n";
exit $ERRORS{'UNKNOWN'};
}
# check messages not processed
#if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) {
# my $msg_p = $1;
#}else{
# print "Couldn't match $utils::PATH_TO_MAILQ output\n";
# exit $ERRORS{'UNKNOWN'};
#}
# check queue length(s)
if ($msg_q == 0){
$msg = "OK: $mailq mailq reports queue is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check messages not yet preprocessed (only compare is $opt_W and $opt_C
# are defined)
#if (defined $opt_W) {
# $msg .= "[Preprocessed = $msg_p]";
# if ($msg_p >= $opt_W && $msg_p < $opt_C ) {
# $state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ;
# }elsif ($msg_p >= $opt_C ) {
# $state = $ERRORS{"CRITICAL"} ;
# }
#}
}
} # end of ($mailq eq "postfix")
elsif ( $mailq eq "qmail" ) {
# open qmail-qstat
if ( defined $utils::PATH_TO_QMAIL_QSTAT && -x $utils::PATH_TO_QMAIL_QSTAT ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_QMAIL_QSTAT | " ) ) {
print "ERROR: could not open $utils::PATH_TO_QMAIL_QSTAT \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_QMAIL_QSTAT){
unless (-x $utils::PATH_TO_QMAIL_QSTAT) {
print "ERROR: $utils::PATH_TO_QMAIL_QSTAT is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_QMAIL_QSTAT is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
@lines = <MAILQ>;
# close qmail-qstat
close MAILQ;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
# check queue length
if ($lines[0]=~/^messages in queue: (\d+)/) {
$msg_q = $1 ;
}else{
print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n";
exit $ERRORS{'UNKNOWN'};
}
# check messages not processed
if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) {
my $msg_p = $1;
}else{
print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n";
exit $ERRORS{'UNKNOWN'};
}
# check queue length(s)
if ($msg_q == 0){
$msg = "OK: qmail-qstat reports queue is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check messages not yet preprocessed (only compare is $opt_W and $opt_C
# are defined)
if (defined $opt_W) {
$msg .= "[Preprocessed = $msg_p]";
if ($msg_p >= $opt_W && $msg_p < $opt_C ) {
$state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ;
}elsif ($msg_p >= $opt_C ) {
$state = $ERRORS{"CRITICAL"} ;
}
}
}
} # end of ($mailq eq "qmail")
elsif ( $mailq eq "exim" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
while (<MAILQ>) {
#22m 1.7K 19aEEr-0007hx-Dy <> *** frozen ***
#root@exlixams.glups.fr
if (/\s[\w\d]{6}-[\w\d]{6}-[\w\d]{2}\s/) { # message id 19aEEr-0007hx-Dy
$msg_q++ ;
}
}
close(MAILQ) ;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
} # end of ($mailq eq "exim")
elsif ( $mailq eq "opensmtpd" ) {
## open smtpctl
if ( defined $utils::PATH_TO_SMTPCTL && -x $utils::PATH_TO_SMTPCTL ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_SMTPCTL show queue | " ) ) {
print "ERROR: could not open $utils::PATH_TO_SMTPCTL \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_SMTPCTL){
unless (-x $utils::PATH_TO_SMTPCTL) {
print "ERROR: $utils::PATH_TO_SMTPCTL is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_SMTPCTL is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
while (<MAILQ>) {
# 34357f5b3f589feb|inet4|mta||f.someone@domaina.org|no-reply@domainb.com|no-reply@domainb.com|1498235412|1498581012|0|25|pending|17168|Network error on destination MXs
if (/^.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*|.*$/) {
$msg_q++ ;
}
}
close(MAILQ);
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_SMTPCTL",$/;
exit $ERRORS{CRITICAL};
}
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
} # end of ($mailq eq "opensmtpd")
elsif ( $mailq eq "nullmailer" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
while (<MAILQ>) {
#2006-06-22 16:00:00 282 bytes
if (/^[1-9][0-9]*-[01][0-9]-[0-3][0-9]\s[0-2][0-9]\:[0-5][0-9]\:[0-5][0-9]\s{1,2}[0-9]+\sbytes$/) {
$msg_q++ ;
}
}
close(MAILQ) ;
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
} # end of ($mailq eq "nullmailer")
elsif ( $mailq eq "opensmtp" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
$msg_q++ while (<MAILQ>);
close(MAILQ) ;
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
} # end of ($mailq eq "opensmtp")
# Perfdata support
print "$msg|unsent=$msg_q;$opt_w;$opt_c;0\n";
exit $state;
#####################################
#### subs
sub process_arguments(){
GetOptions
("V" => \$opt_V, "version" => \$opt_V,
"v" => \$opt_v, "verbose" => \$opt_v,
"h" => \$opt_h, "help" => \$opt_h,
"M:s" => \$opt_M, "mailserver:s" => \$opt_M, # mailserver (default sendmail)
"w=i" => \$opt_w, "warning=i" => \$opt_w, # warning if above this number
"c=i" => \$opt_c, "critical=i" => \$opt_c, # critical if above this number
"t=i" => \$opt_t, "timeout=i" => \$opt_t,
"s" => \$opt_s, "sudo" => \$opt_s,
"d:s" => \$opt_d, "configdir:s" => \$opt_d
);
if ($opt_V) {
print_revision($PROGNAME,'@NP_VERSION@');
exit $ERRORS{'OK'};
}
if ($opt_h) {
print_help();
exit $ERRORS{'OK'};
}
if (defined $opt_v ){
$verbose = $opt_v;
}
unless (defined $opt_t) {
$opt_t = $utils::TIMEOUT ; # default timeout
}
unless ( defined $opt_w && defined $opt_c ) {
print_usage();
exit $ERRORS{'UNKNOWN'};
}
if ( $opt_w >= $opt_c) {
print "Warning (-w) cannot be greater than Critical (-c)!\n";
exit $ERRORS{'UNKNOWN'};
}
if (defined $opt_W && ! defined !$opt_C) {
print "Need -C if using -W\n";
exit $ERRORS{'UNKNOWN'};
}elsif(defined $opt_W && defined $opt_C) {
if ($opt_W >= $opt_C) {
print "Warning (-W) cannot be greater than Critical (-C)!\n";
exit $ERRORS{'UNKNOWN'};
}
}
if (defined $opt_M) {
if ($opt_M =~ /^(sendmail|qmail|postfix|exim|nullmailer|opensmtpd)$/) {
$mailq = $opt_M ;
}elsif( $opt_M eq ''){
$mailq = 'sendmail';
}else{
print "-M: $opt_M is not supported\n";
exit $ERRORS{'UNKNOWN'};
}
}else{
if (defined $utils::PATH_TO_QMAIL_QSTAT
&& -x $utils::PATH_TO_QMAIL_QSTAT)
{
$mailq = 'qmail';
}
elsif (-d '/var/lib/postfix' || -d '/var/local/lib/postfix'
|| -e '/usr/sbin/postfix' || -e '/usr/local/sbin/postfix')
{
$mailq = 'postfix';
}
elsif (-d '/usr/lib/exim4' || -d '/usr/local/lib/exim4'
|| -e '/usr/sbin/exim' || -e '/usr/local/sbin/exim')
{
$mailq = 'exim';
}
elsif (-d '/usr/lib/nullmailer' || -d '/usr/local/lib/nullmailer'
|| -e '/usr/sbin/nullmailer-send'
|| -e '/usr/local/sbin/nullmailer-send')
{
$mailq = 'nullmailer';
}
elsif (defined $utils::PATH_TO_SMTPCTL && -x $utils::PATH_TO_SMTPCTL)
{
$mailq = 'opensmtpd';
}
else {
$mailq = 'sendmail';
}
}
return $ERRORS{'OK'};
}
sub print_usage () {
print "Usage: $PROGNAME -w <warn> -c <crit> [-W <warn>] [-C <crit>] [-M <MTA>] [-t <timeout>] [-s] [-d <CONFIGDIR>] [-v]\n";
}
sub print_help () {
print_revision($PROGNAME,'@NP_VERSION@');
print "Copyright (c) 2002 Subhendu Ghosh/Carlos Canau/Benjamin Schmid\n";
print "\n";
print_usage();
print "\n";
print " Checks the number of messages in the mail queue (supports multiple sendmail queues, qmail)\n";
print " Feedback/patches to support non-sendmail mailqueue welcome\n\n";
print "-w (--warning) = Min. number of messages in queue to generate warning\n";
print "-c (--critical) = Min. number of messages in queue to generate critical alert ( w < c )\n";
print "-W (--Warning) = Min. number of messages for same domain in queue to generate warning\n";
print "-C (--Critical) = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n";
print "-t (--timeout) = Plugin timeout in seconds (default = $utils::TIMEOUT)\n";
print "-M (--mailserver) = [ sendmail | qmail | postfix | exim | nullmailer | opensmtpd ] (default = autodetect)\n";
print "-h (--help)\n";
print "-V (--version)\n";
print "-v (--verbose) = debugging output\n";
print "\n\n";
print "Note: -w and -c are required arguments. -W and -C are optional.\n";
print " -W and -C are applied to domains listed on the queues - both FROM and TO. (sendmail)\n";
print " -W and -C are applied message not yet preproccessed. (qmail)\n";
print " This plugin tries to autodetect which mailserver you are running,\n";
print " you can override the autodetection with -M.\n";
print " This plugin uses the system mailq command (sendmail) or qmail-stat (qmail)\n";
print " to look at the queues. Mailq can usually only be accessed by root or \n";
print " a TrustedUser. You will have to set appropriate permissions for the plugin to work.\n";
print "";
print "\n\n";
support();
}

View file

@ -5,10 +5,11 @@
- nrpe--
state: present
- name: Install monitoring-plugins
- name: Install monitoring packages
openbsd_pkg:
name:
- monitoring-plugins
- check_bioctl
state: present
- name: Create nrpe.d dir
@ -50,12 +51,14 @@
- {name: 'check_carp_if', force: true}
- {name: 'check_connections_state.sh', force: false}
- {name: 'check_ipsecctl.sh', force: false}
- {name: 'check_ipsecctl_critiques.sh', force: false}
- {name: 'check_openbgpd', force: true}
- {name: 'check_openvpn', force: false}
- {name: 'check_openvpn.pl', force: true}
- {name: 'check_ospfd_simple', force: true}
- {name: 'check_packetfilter.sh', force: true}
- {name: 'check_pf_states', force: false}
- {name: 'check_mailq.pl', force: true}
notify: restart nrpe
- name: Nagios plugins are installed - template

View file

@ -21,7 +21,7 @@ command[check_smtp]=/usr/local/libexec/nagios/check_smtp -H localhost -f {{ gene
command[check_dns]=/usr/local/libexec/nagios/check_dns -H evolix.net
command[check_ntp]=/usr/local/libexec/nagios/check_ntp -H ntp-check.evolix.net
command[check_ssh]=/usr/local/libexec/nagios/check_ssh -p 22 localhost
command[check_mailq]=doas /usr/local/libexec/nagios/check_mailq -w 10 -c 20
command[check_mailq]=doas /usr/local/libexec/nagios/plugins/check_mailq.pl -M opensmtpd -w 5 -c 10
# Specific services checks
command[check_imap]=/usr/local/libexec/nagios/check_imap -H localhost
@ -32,20 +32,21 @@ command[check_unbound]=/usr/local/libexec/nagios/check_dig -l evolix.net -H loca
#command[check_smb]=/usr/local/libexec/nagios/check_tcp -H IPLOCALE -p 445
command[check_mysql]=/usr/local/libexec/nagios/check_mysql -H 127.0.0.1 -f /etc/nrpe.d/.my.cnf
#command[check_vpn]=/usr/local/libexec/nagios/check_ping -H IPDISTANTE -p 1 -w 5000,100% -c 5000,100%
#command[check_dhcpd]=doas /usr/local/libexec/nagios/check_dhcp -i INTERFACE -s IP -u
command[check_dhcpd]=/usr/local/libexec/nagios/check_procs -c1:1 -C dhcpd
command[check_bioctl]=/usr/local/libexec/nagios/check_bioctl -d sd2
# Local checks (not packaged)
#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P PASSWORD
#command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn # Wrapper of check_openvpn.pl, to use when the server is CARP backup and OpenVPN should not run
command[check_openvpn_certificates]=/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
#command[check_carp1]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master
command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh
#command[check_carp0]=/usr/local/libexec/nagios/plugins/check_carp_if carp0 master
command[check_mem]=/usr/local/libexec/nagios/plugins/check_free_mem.sh -w 20% -c 10%
#command[check_vpn]=doas /usr/local/libexec/nagios/plugins/check_ipsecctl.sh IPDISTANTE IPLOCALE "VPN MARSEILLE-ROME"
command[check_pf_states]=doas /usr/local/libexec/nagios/plugins/check_pf_states
command[check_ospfd]=doas /usr/local/libexec/nagios/plugins/check_ospfd
command[check_ospf6d]=doas /usr/local/libexec/nagios/plugins/check_ospf6d
command[check_ospfd_simple]=doas /usr/local/libexec/nagios/plugins/check_ospfd_simple
command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u
#command[check_bgpd]=doas /usr/local/libexec/nagios/plugins/check_openbgpd -u
command[check_connections_state]=doas /usr/local/libexec/nagios/plugins/check_connections_state.sh
command[check_packetfilter]=doas /usr/local/libexec/nagios/plugins/check_packetfilter.sh

View file

@ -16,7 +16,7 @@ CA_ECHO=""
error() {
if [ $? -eq 2 ] && [ "X$CERT_ECHO" = "X" ] && [ "X$CA_ECHO" = "X" ] ; then
echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ?"
echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ? On Debian, is the check executed with sudo ?"
fi
}
@ -29,7 +29,7 @@ _30_days="2592000"
current_date=$($date_cmd +"%s")
# Trying to define the OpenVPN conf file location - default to /etc/openvpn/server.conf
conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")
conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/" | head -1)
[ "$SYSTEM" = "openbsd" ] && conf_file=${conf_file:-$(grep openvpn_flags /etc/rc.conf.local | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")}
conf_file=${conf_file:-"/etc/openvpn/server.conf"}

View file

@ -146,3 +146,15 @@ ServiceType: firewall
ServiceVersion: packetfilter