diff --git a/zabbix_conf/samba_dc.conf b/zabbix_conf/samba_dc.conf
new file mode 100644
index 0000000..44333b2
--- /dev/null
+++ b/zabbix_conf/samba_dc.conf
@@ -0,0 +1,3 @@
+# Create a text item with key samba_dc.info[300] and a check interval of 300
+# Then use dependent item to get individual counters
+UserParameter=samba_dc.info[*],sudo /var/lib/zabbix/bin/check_samba_dc_sudo --since=$1
diff --git a/zabbix_scripts/check_samba_dc_sudo b/zabbix_scripts/check_samba_dc_sudo
new file mode 100644
index 0000000..9a629e7
--- /dev/null
+++ b/zabbix_scripts/check_samba_dc_sudo
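Review bot: The `$1` in the `UserParameter` line of samba_dc.conf is substituted unquoted into a command that runs under sudo, so a key parameter containing whitespace would be split into extra arguments for check_samba_dc_sudo. That script accepts `--audit-auth-log=s`, so the file a root process opens and parses becomes selectable by whoever may query the agent key; as far as I know the agent's default `UnsafeUserParameters=0` filtering does not reject spaces. Quote the reference, `UserParameter=samba_dc.info[*],sudo /var/lib/zabbix/bin/check_samba_dc_sudo --since="$1"`, or use a fixed key if only 300 is ever polled. The sudoers rule is not part of this diff; it should allow only this exact script path, with the script owned by root and not writable by the zabbix user.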
@@ -0,0 +1,152 @@
+#!/usr/bin/perl -w
+
+use strict;
+use warnings;
+use JSON;
+use Getopt::Long;
+use File::Which;
+use Date::Parse;
+use Data::Dumper;
+
+my $samba_tool = which('samba-tool');
+my $pdbedit = which('pdbedit');
+# Number of seconds in the past to count authentications
+my $since = 300;
+my $pretty = 0;
+# This log is expected to be in JSON format. For example, in smb.conf :
+# log level = 1 auth_audit:3 auth_json_audit:4@/var/log/samba/audit_auth.log
+my $audit_auth_log = '/var/log/samba/audit_auth.log';
+
+if (not defined $samba_tool or not defined $pdbedit){
+ print 'ZBX_NOTSUPPORTED';
+ exit 1;
+}
+
+GetOptions(
+ 'pretty' => \$pretty,
+ 'since=i' => \$since,
+ 'audit-auth-log=s' => \$audit_auth_log
+);
+
+my $json = {
+ accounts => {
+ users => 0,
+ inactive_users => 0,
+ active_users => 0,
+ groups => 0,
+ computers => 0
+ },
+ replication => 'UNKNWON',
+ processes => {
+ cldap_server => 0,
+ kccsrv => 0,
+ dreplsrv => 0,
+ ldap_server => 0,
+ kdc_server => 0,
+ dnsupdate => 0,
+ 'notify-daemon' => 0,
+ rpc_server => 0,
+ winbind_server => 0,
+ nbt_server => 0,
+ dnssrv => 0,
+ samba => 0,
+ },
+ gpo => 0,
+ ou => 0,
+ activity => {
+ authentications => {
+ users => {
+ success => 0,
+ failure => 0
+ },
+ computers => {
+ success => 0,
+ failure => 0
+ }
+ },
+ authorizations => {
+ users => 0,
+ computers => 0
+ },
+ since => $since
+ }
+};
+
+# Get the numbers of users. pdbedit is prefered here because we can
+# differentiate active and inactive users, which samba-tool can't do
+# While at it, also get the computers
+foreach (qx($pdbedit -L -v)){
+ next unless (m/^Account Flags:\s+\[(.*)\]/);
+ my $flags = $1;
+ if ($flags =~ m/U/){
+ $json->{accounts}->{users}++;
+ if ($flags =~ m/D/){
+ $json->{accounts}->{inactive_users}++;
+ } else {
+ $json->{accounts}->{active_users}++;
+ }
+ } elsif ($flags =~ m/W/){
+ $json->{accounts}->{computers}++;
+ }
+}
+
+# Now count groups
+foreach (qx($samba_tool group list)){
+ $json->{accounts}->{groups}++;
+}
+
+# Get replication status
+# We want just a quick summary, so only output the first line
+# manual checks will be needed to get the details, but if this field doesn't contains [ALL GOOD],
+# then something is probably wrong
+$json->{replication} = (split(/\n/, qx($samba_tool drs showrepl --summary)))[0];
+
+# Get the list of workers
+foreach (qx($samba_tool processes)){
+ if (/^([^\(\s]+).+\d+$/){
+ $json->{processes}->{$1}++;
+ }
+}
+
+# Get the number of GPO
+foreach (qx($samba_tool gpo listall)){
+ next unless (/^GPO/);
+ $json->{gpo}++;
+}
+
+# Get the number of OU
+foreach (qx($samba_tool ou list)){
+ $json->{ou}++;
+}
+
+if (-e $audit_auth_log){
+ open (my $auth_log, '<', $audit_auth_log) or die "Couldn't open $audit_auth_log : $!\n";
+ foreach my $line (<$auth_log>){
+ my $event = from_json($line);
+ my $type = $event->{type};
+ # We're only interested in Authentication and Authorization messages
+ next if ($type ne 'Authentication' and $type ne 'Authorization');
+ # Parse the date in the timstamp field
+ my $timestamp = str2time($event->{timestamp});
+
+ # Only look at lines from the last $since seconds. Skip if date couldn't be parsed
+ next if (not defined $timestamp or time() - $timestamp > $since);
+
+ my $subject;
+ if ($type eq 'Authentication'){
+ # Accounts ending with $ are for computers
+ $subject = ($event->{$type}->{mappedAccount} =~ m/\$$/) ? 'computers' : 'users';
+ if ($event->{Authentication}->{status} eq 'NT_STATUS_OK'){
+ $json->{activity}->{authentications}->{$subject}->{success}++;
+ } else {
+ $json->{activity}->{authentications}->{$subject}->{failure}++;
+ }
+ } else {
+ $subject = ($event->{$type}->{account} =~ m/\$$/) ? 'computers' : 'users';
+ $json->{activity}->{authorizations}->{$subject}++;
+ }
+ }
+ close $auth_log;
+}
+
+print to_json($json, { pretty => $pretty });
diff --git a/zabbix_templates/Template_App_Samba_DC.xml b/zabbix_templates/Template_App_Samba_DC.xml
new file mode 100644
index 0000000..5fb5e3b
--- /dev/null
+++ b/zabbix_templates/Template_App_Samba_DC.xml
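Review bot: In the audit-log loop at the end of check_samba_dc_sudo, `from_json($line)` is called without an `eval`, so a single truncated or non-JSON line (the log is presumably appended to while it is being read) makes the script die after all the samba-tool calls and print no JSON. Every dependent item then goes unsupported, including the authentication-failure counters an operator would want during an incident. `foreach my $line (<$auth_log>)` also loads the whole log into a list as root on every poll, and `mappedAccount` is pattern-matched without a defined check. The lines below read with `while`, wrap the decode in `eval`, and skip events that carry no `type`.

```perl
  # Read line by line; the whole log is not loaded into a list
  while (my $line = <$auth_log>){
    # Skip a truncated or non-JSON line instead of aborting the check
    my $event = eval { from_json($line) };
    next unless (ref $event eq 'HASH' and defined $event->{type});
    my $type = $event->{type};
    # … unchanged: type filter and timestamp window …
      # A missing account name still counts as a user, without an undef warning
      $subject = (($event->{$type}->{mappedAccount} // '') =~ m/\$$/) ? 'computers' : 'users';
    # … unchanged: success/failure counters, authorization branch …
  }
```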
@@ -0,0 +1,791 @@ + + + 5.0 + 2021-01-09T16:18:21Z + + + Templates + + + + + + + + Samba: Authentications & Authorizations + NO + NO + STACKED + + + 1 + EF9A9A + + Template_App_Samba_DC + samba_dc.info[activity.authorizations.computers] + + + + 2 + CE93D8 + + Template_App_Samba_DC + samba_dc.info[activity.authentications.computers.success] + + + + 3 + 9FA8DA + + Template_App_Samba_DC + samba_dc.info[activity.authentications.computers.failure] + + + + 4 + 81D4FA + + Template_App_Samba_DC + samba_dc.info[activity.authorizations.users] + + + + 5 + B2DFDB + + Template_App_Samba_DC + samba_dc.info[activity.authentications.users.success] + + + + 6 + FFF59D + + Template_App_Samba_DC + samba_dc.info[activity.authentications.users.failure] + + + + + + Samba: CPU + STACKED + + + 1 + FFAB91 + + Template_App_Samba_DC + proc.cpu.util[samba] + + + + 2 + FFE082 + + Template_App_Samba_DC + proc.cpu.util[smbd] + + + + 3 + E6EE9C + + Template_App_Samba_DC + proc.cpu.util[winbindd] + + + + + + Samba: Directory entries + STACKED + + + 1 + F48FB1 + + Template_App_Samba_DC + samba_dc.info[computers] + + + + 2 + B39DDB + + Template_App_Samba_DC + samba_dc.info[groups] + + + + 3 + BBDEFB + + Template_App_Samba_DC + samba_dc.info[active_users] + + + + 4 + C8E6C9 + + Template_App_Samba_DC + samba_dc.info[inactive_users] + + + + 5 + FFECB3 + + Template_App_Samba_DC + samba_dc.info[gpo] + + + + 6 + FF8A65 + + Template_App_Samba_DC + samba_dc.info[ou] + + + + + + Samba: Services performance + STACKED + + + 1 + EF9A9A + + Template_App_Samba_DC + net.udp.service.perf[ntp,,] + + + + 2 + CE93D8 + + Template_App_Samba_DC + net.tcp.service.perf[ldap,,] + + + + 3 + C5CAE9 + + Template_App_Samba_DC + net.tcp.service.perf[ldap,,3268] + + + + 4 + B3E5FC + + Template_App_Samba_DC + net.tcp.service.perf[tcp,,88] + + + + + +