From b418256001a12bdc49cb6601b4f48efb8de70c56 Mon Sep 17 00:00:00 2001 From: Guillaume Hullin Date: Fri, 21 Jan 2022 11:47:35 +0100 Subject: [PATCH 01/19] fast-forward to latest Futur-Tech version This repo has been reset in order to be a fork of GuillaumeHullin/pfsense-zabbix-template which is a fork of rbicelli/pfsense-zabbix-template --- README.md | 112 +- pfsense_zbx.php | 26 + template_pfsense_active.xml | 374 +- template_pfsense_active_ipsec.xml | 6 +- template_pfsense_active_ovpn_user.xml | 18 +- template_pfsense_active_speedtest.xml | 18 +- zabbix4/template_pfsense_active.xml | 6335 ----------------- zabbix4/template_pfsense_active_ipsec.xml | 877 --- zabbix4/template_pfsense_active_ovpn_user.xml | 635 -- zabbix4/template_pfsense_active_speedtest.xml | 332 - 10 files changed, 353 insertions(+), 8380 deletions(-) delete mode 100644 zabbix4/template_pfsense_active.xml delete mode 100644 zabbix4/template_pfsense_active_ipsec.xml delete mode 100644 zabbix4/template_pfsense_active_ovpn_user.xml delete mode 100644 zabbix4/template_pfsense_active_speedtest.xml diff --git a/README.md b/README.md index 3faab65..f6591c3 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -[![Buy Me A Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/rbicelli) - # pfSense Zabbix Template This is a pfSense active template for Zabbix, based on Standard Agent and a php script using pfSense functions library for monitoring specific data. @@ -35,24 +33,78 @@ Tested with pfSense 2.5.x, Zabbix 4.0, Zabbix 5.0 - Discovery of WAN Interfaces - Perform speed tests and collect metrics +**Template pfSense Active: Speedtest** + + - Discovery of WAN Interfaces + - Perform speed tests and collect metrics + ## Configuration -First copy the file pfsense_zbx.php to your pfsense box (e.g. to /root/scripts). +### Install PHP script for Agent -From **Diagnostics/Command Prompt** input this one-liner: +- Option 1: via Web GUI **Diagnostics/Command Prompt** ```bash -curl --create-dirs -o /root/scripts/pfsense_zbx.php https://raw.githubusercontent.com/rbicelli/pfsense-zabbix-template/master/pfsense_zbx.php +[ -d "/root/scripts" ] || mkdir /root/scripts ; curl -o /root/scripts/pfsense_zbx.php https://raw.githubusercontent.com/Futur-Tech/futur-tech-zabbix-pfsense/main/pfsense_zbx.php +``` +> You can add this command to **Services** > **Shellcmd** in order to download the latest version of the script, each time you reboot or restore a config backup. + +- Option 2 : via pfSense shell + +```bash +mkdir /root/scripts +curl -o /root/scripts/pfsense_zbx.php https://raw.githubusercontent.com/Futur-Tech/futur-tech-zabbix-pfsense/main/pfsense_zbx.php ``` -Then install package "Zabbix Agent 4" on your pfSense Box +### Zabbix Package Install + +From the package manager install package "Zabbix Agent 5" and "Zabbix Proxy 5" + +### Setup Zabbix Proxy + +Make sure to fill the following fields: + +``` +TLS Connect: psk +TLS Accept: psk +TLS PSK Identity: +TLS PSK: +``` +To generate a PSK key you can use the command in Linux: + +```bash +openssl rand -hex 32 +``` + +Click on **Show Advanced Options** + +In Advanced Features-> User Parameters + +``` +EnableRemoteCommands=1 +``` + +### Setup Zabbix Agent + +Make sure to fill the following fields: + +``` +Timeout: 10 +TLS Connect: psk +TLS Accept: psk +TLS PSK Identity: +TLS PSK: +``` +Click on **Show Advanced Options** In Advanced Features-> User Parameters ```bash +# https://github.com/Futur-Tech/futur-tech-zabbix-pfsense AllowRoot=1 +HostMetadataItem=system.uname UserParameter=pfsense.states.max,grep "limit states" /tmp/rules.limits | cut -f4 -d ' ' UserParameter=pfsense.states.current,grep "current entries" /tmp/pfctl_si_out | tr -s ' ' | cut -f4 -d ' ' UserParameter=pfsense.mbuf.current,netstat -m | grep "mbuf clusters" | cut -f1 -d ' ' | cut -d '/' -f1 @@ -62,7 +114,25 @@ UserParameter=pfsense.discovery[*],/usr/local/bin/php /root/scripts/pfsense_zbx. UserParameter=pfsense.value[*],/usr/local/bin/php /root/scripts/pfsense_zbx.php $1 $2 $3 ``` -_Please note that **AllowRoot=1** option is required in order to correctly execute OpenVPN checks and others._ +### Zabbix Server Install Note + +- Add the proxy in: **Administration** -> **Proxies** (don't forget to put the correct PSK). +- Create a new host-group for the proxy **Configuration** -> **Host groups** +- Create a new "Autoregistration actions" **Configuration** -> **Action** -- in the top left select **Autoregistration actions** +- Create a new "Discovery rules" **Configuration** -> **Discovery** + +The new host should automatically register in Zabbix with all templates correctly assigned. + +The Host Name will be the hostname of the Pfsense. + +* Modify the visible name +* Correct the Agent interface if it is incorrect +* Under the tab **Encryption** put the same PSK ID and Key as the proxy *(it doesn't need to be the same as the proxy BUT make sure to not use 2 keys on separate host/proxy with the same identity).* +* **Update the PSK ID and Key in the Pfsense Zabbix Agent!** + +## Note on the script and template + +_Please note that **AllowRoot=1** option is required in order to execute correctly OpenVPN checks and others._ Also increase the **Timeout** value at least to **5**, otherwise some checks will fail. @@ -79,7 +149,7 @@ Possible values are: This is useful when monitoring services which could stay stopped on CARP Backup Member. -## Setup Speedtest +### Setup Speedtest For running speedtests on WAN interfaces you have to install the speedtest package. @@ -87,13 +157,7 @@ For running speedtests on WAN interfaces you have to install the speedtest packa From **Diagnostics/Command Prompt** input this commands: ```bash -pkg update && pkg install -y py38-speedtest-cli -``` - -Speedtest python package could be broken at the moment, so you could need an extra step, *only if manually executing speedtest results in an error*: download the latest version from package author's github repo. - -```bash -curl -Lo /usr/local/lib/python3.8/site-packages/speedtest.py https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py +pkg update && pkg install -y -g 'py*-speedtest-cli' ``` For testing if speedtest is installed properly you can try it: @@ -102,9 +166,17 @@ For testing if speedtest is installed properly you can try it: /usr/local/bin/speedtest ``` -Remember that you will need to install the package on *every* pfSense upgrade. +If you get an error while testing you can overide the Python script from the original version. -Speedtest template creates a cron job and check for entry everytime Zabbix requests its items. If you want to uninstall the cron jobs simply run, from **Diagnostics/Command Prompt**: +```bash +curl -Lo /usr/local/lib/python3.7/site-packages/speedtest.py https://raw.githubusercontent.com/Futur-Tech/speedtest-cli/master/speedtest.py +``` + +> Note that for pfSense 2.4, Python 3.7 is installed. In 2.5, it's Python 3.8... so adjust the path if needed. + +Remember that you will need to install the package on *every* pfSense upgrade, to avoid this inconvenience you can add the install command in **Schellcmd**. + +Speedtest template creates a cron job and check for entry everytime Zabbix requests its items. If you want to uninstall the cron jobs simply run, from **Diagnostics/Command Prompt**: ```bash /url/local/bin/php /root/scripts/pfsense_zbx.php cron_cleanup @@ -112,4 +184,8 @@ Speedtest template creates a cron job and check for entry everytime Zabbix reque ## Credits -[Keenton Zabbix Template](https://github.com/keentonsas/zabbix-template-pfsense) for Zabbix Agent freeBSD part. \ No newline at end of file +Original GIT: https://github.com/rbicelli/pfsense-zabbix-template + +[![Buy Me A Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/rbicelli) + +[Keenton Zabbix Template](https://github.com/keentonsas/zabbix-template-pfsense) for Zabbix Agent freeBSD part. diff --git a/pfsense_zbx.php b/pfsense_zbx.php index 1c6652f..ddb0f7b 100644 --- a/pfsense_zbx.php +++ b/pfsense_zbx.php @@ -1069,6 +1069,29 @@ function pfz_get_smart_status(){ echo $status; } +// Certificats validity date +function pfz_get_cert_date($valuekey){ + global $config; + + $value = 0; + foreach (array("cert", "ca") as $cert_type) { + switch ($valuekey){ + case "validFrom.max": + foreach ($config[$cert_type] as $cert) { + $certinfo = openssl_x509_parse(base64_decode($cert[crt])); + if ($value == 0 or $value < $certinfo['validFrom_time_t']) $value = $certinfo['validFrom_time_t']; + } + break; + case "validTo.min": + foreach ($config[$cert_type] as $cert) { + $certinfo = openssl_x509_parse(base64_decode($cert[crt])); + if ($value == 0 or $value > $certinfo['validTo_time_t']) $value = $certinfo['validTo_time_t']; + } + break; + } + } + echo $value; +} // File is present function pfz_file_exists($filename) { @@ -1269,6 +1292,9 @@ switch (strtolower($argv[1])){ case "smart_status": pfz_get_smart_status(); break; + case "cert_date": + pfz_get_cert_date($argv[2]); + break; default: pfz_test(); } diff --git a/template_pfsense_active.xml b/template_pfsense_active.xml index 00f0c47..a5b8a94 100644 --- a/template_pfsense_active.xml +++ b/template_pfsense_active.xml @@ -1,26 +1,43 @@ 5.0 - 2021-11-09T21:44:28Z + 2022-01-07T10:04:09Z - Templates/Network Devices + Templates/Futur-Tech/Applications