From e02cf4445a94e674523bd1793b139e75eb8dbfec Mon Sep 17 00:00:00 2001 From: Cyril Brulebois Date: Thu, 7 Mar 2024 06:19:04 +0100 Subject: [PATCH] feat: add ipsec plugin This makes it possible to monitor IPsec security associations (up and connecting). --- plugins/network/ipsec | 100 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100755 plugins/network/ipsec diff --git a/plugins/network/ipsec b/plugins/network/ipsec new file mode 100755 index 00000000..4a46550d --- /dev/null +++ b/plugins/network/ipsec @@ -0,0 +1,100 @@ +#!/usr/bin/perl + +=head1 NAME + +ipsec - Plugin to monitor IPsec security associations + +=head1 SCOPE + +Use the `ipsec status` command to learn about security associations, thanks to +the following format string (src/libcharon/plugins/stroke/stroke_list.c): + + fprintf(out, "Security Associations (%u up, %u connecting):\n", /* ... */); + +=head1 CONFIGURATION + +This plugin requires access to the control socket, so it should be configured to +run with sufficient privileges (e.g. as root). + +To set warning and critical levels, assuming a single 'up' is desired at all +times, let exceptions get raised for all values that aren't the specified one +(or within the specified interval): + + [ipsec] + user root + env.up_critical 1 + env.connecting_critical 0 + +There are no default warning or critical levels. + +=head1 AUTHOR + +© 2024 Cyril Brulebois + +=head1 LICENSE + +GPLv2 + +=cut + +use warnings; +use strict; + +# limits management +my %limits; +foreach my $status (qw(up connecting)) { + foreach my $level (qw(warning critical)) { + $limits{$status}{$level} = $ENV{"${status}_${level}"}; + } +} + +sub print_limit_if_defined { + my ($status, $level) = @_; + if (defined $limits{$status}{$level}) { + print "$status.$level $limits{$status}{$level}\n"; + } +} + +# autoconf +if (defined $ARGV[0] and $ARGV[0] eq "autoconf") { + print "no\n"; + exit 0; +} + +# config +if (defined $ARGV[0] and $ARGV[0] eq "config") { + print "graph_title IPsec security associations\n"; + print "graph_args --base 1000 -l 0\n"; + print "graph_scale no\n"; + print "graph_vlabel Count\n"; + print "graph_category network\n"; + print "graph_total total\n"; + print "graph_info This graph shows the number of security associations and their status\n"; + + + print "up.label up\n"; + print "up.draw AREA\n"; + print_limit_if_defined('up', 'warning'); + print_limit_if_defined('up', 'critical'); + print "connecting.label connecting\n"; + print "connecting.draw STACK\n"; + print_limit_if_defined('connecting', 'warning'); + print_limit_if_defined('connecting', 'critical'); + exit 0; +} + +# actual work +my ($up, $connecting); +foreach my $line (`ipsec status`) { + if ($line =~ /^Security Associations [(](\d+) up, (\d+) connecting[)]:$/) { + ($up, $connecting) = ($1, $2); + } +} +if (defined $up and defined $connecting) { + print "up.value $up\n"; + print "connecting.value $connecting\n"; +} +else { + print STDERR "unable to find the expected format string\n"; + exit -1; +}