template_app_certificate_agent2.yaml « certificate_agent2 « app « templates - github.com/zabbix/zabbix.git - Unnamed repository; edit this file 'description' to name the repository.
# Zabbix template export (export format version 6.2) that defines a single
# template, 'Website certificate by Zabbix agent 2'.
zabbix_export:
  version: '6.2'
  date: '2022-06-07T19:33:04Z'
  # Template group the template is placed in.
  template_groups:
    -
      uuid: a571c0d144b14fd4a87a9d9b2aa9fcd6
      name: Templates/Applications
  templates:
    -
      uuid: 5630ec1b1baf449abe1bc5521f85fe6c
      template: 'Website certificate by Zabbix agent 2'
      name: 'Website certificate by Zabbix agent 2'
      # The certificate is requested by Zabbix agent 2 (web.certificate.get), so
      # the values below describe what the agent host is served.
      # NOTE(review): that may differ from what other clients see (proxy,
      # split DNS) - confirm the agent's vantage point matches the one you care about.
      description: |
        The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts.
        Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.
        
        You can discuss this template or leave feedback on our forum https://www.zabbix.com/forum/zabbix-suggestions-and-feedback/428309-discussion-thread-for-official-zabbix-template-tls-ssl-certificates-monitoring
        
        Template tooling version used: 0.41
      groups:
        -
          name: Templates/Applications
      # One master item ('Cert: Get') collects the JSON; the other items are
      # DEPENDENT items that each extract one field with a JSONPATH step.
      items:
        # Dependent item: Subject Alternative Name entries, extracted from
        # $.x509.alternative_names of the 'Cert: Get' master item JSON.
        # No trigger is defined on it; it is kept for inspection (for example,
        # to spot a certificate that covers unexpected names).
        -
          uuid: 42068372fbce4c12a4f3193fc490d4ec
          name: 'Cert: Subject alternative name'
          type: DEPENDENT
          key: cert.alternative_names
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Text value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: TEXT
          description: 'The subject alternative name extension allows identities to be bound to the subject of the certificate.  These identities may be included in addition to or in place of the identity in the subject field of the certificate.  Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.alternative_names
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
        # Dependent item: certificate issuer, extracted from $.x509.issuer of the
        # 'Cert: Get' master item JSON.
        # No trigger is defined on it, so an issuer change is only visible in the
        # item history (and indirectly through the fingerprint-change trigger).
        -
          uuid: 946e205aaa84433a8bf1fe46b9362acd
          name: 'Cert: Issuer'
          type: DEPENDENT
          key: cert.issuer
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Text value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: TEXT
          description: 'The field identifies the entity that has signed and issued the certificate.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.issuer
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
        # Dependent item: message of the last check, extracted from
        # $.result.message of the 'Cert: Get' master item JSON.
        # NOTE(review): presumably this carries the reason behind the value stored
        # in cert.validation ($.result.value) - confirm against the plugin output.
        -
          uuid: f124443debb447a792beb8265d2918ee
          name: 'Cert: Last validation status'
          type: DEPENDENT
          key: cert.message
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Text value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: TEXT
          description: 'Last check result message.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.result.message
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
        # Dependent item: end of the certificate validity period as a Unix
        # timestamp, extracted from $.x509.not_after.timestamp of the 'Cert: Get'
        # master item JSON. Carries the expiry-warning trigger.
        -
          uuid: e34bffac86ef41e2865fe8410c2d0aa0
          name: 'Cert: Expires on'
          type: DEPENDENT
          key: cert.not_after
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          history: 7d
          # Displayed as a date/time rather than a raw number.
          units: unixtime
          description: 'The date on which the certificate validity period ends.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.not_after.timestamp
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
          triggers:
            # Days remaining = (not_after - now) / 86400 (seconds per day); the
            # trigger fires when that is below {$CERT.EXPIRY.WARN}. The result is
            # negative once the certificate has expired, so the condition keeps
            # holding after expiry.
            -
              uuid: 8a0e3e73527a45618afe94707234f4c6
              expression: '(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}'
              name: 'Cert: SSL certificate expires soon'
              event_name: 'Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)'
              priority: WARNING
              description: 'The SSL certificate should be updated or it will become untrusted.'
              # Depends on the 'Cert: SSL certificate is invalid' trigger of the
              # cert.validation item.
              # NOTE(review): presumably this keeps the expiry warning quiet while
              # the "invalid" problem is active - confirm against Zabbix
              # trigger-dependency behaviour.
              dependencies:
                -
                  name: 'Cert: SSL certificate is invalid'
                  expression: 'find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1'
              tags:
                -
                  tag: scope
                  value: notice
        # Dependent item: start of the certificate validity period as a Unix
        # timestamp, extracted from $.x509.not_before.timestamp of the 'Cert: Get'
        # master item JSON. No trigger is defined on it.
        -
          uuid: c3ba835b28db4f1486ae4be87c3fe55f
          name: 'Cert: Valid from'
          type: DEPENDENT
          key: cert.not_before
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          history: 7d
          # Displayed as a date/time rather than a raw number.
          units: unixtime
          description: 'The date on which the certificate validity period begins.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.not_before.timestamp
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
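        # Dependent item: algorithm of the certificate's public key, extracted
        # from $.x509.public_key_algorithm of the 'Cert: Get' master item JSON.
        # This is distinct from cert.signature_algorithm (the algorithm the CA
        # used to sign); the description below was corrected to say so.
        # No trigger is defined on this item.
        -
          uuid: 08b47b376f0f4f999bd1110696465fd9
          name: 'Cert: Public key algorithm'
          type: DEPENDENT
          key: cert.public_key_algorithm
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Character value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: CHAR
          description: 'The algorithm of the public key contained in the certificate (the subject public key), for example RSA or ECDSA.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.public_key_algorithm
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert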
        # Dependent item: certificate serial number, extracted from
        # $.x509.serial_number of the 'Cert: Get' master item JSON.
        # Stored as a character value, so it is kept as text rather than a number.
        -
          uuid: d7d4e592cc6741fcba9c21b5195b8544
          name: 'Cert: Serial number'
          type: DEPENDENT
          key: cert.serial_number
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: CHAR
          description: 'The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.serial_number
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
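        # Dependent item: SHA-1 fingerprint of the served certificate, extracted
        # from $.sha1_fingerprint of the 'Cert: Get' master item JSON. Carries the
        # fingerprint-change trigger.
        # The fingerprint is an identifier computed over the certificate; it is
        # not the CA's signature, so the item description was corrected.
        # NOTE(review): SHA-1 is used here only to notice that the served
        # certificate changed; if the plugin JSON also exposes a stronger
        # fingerprint, confirm and consider keying the trigger on that instead.
        -
          uuid: 848cd98e80764f61bbe526316c70da11
          name: 'Cert: Fingerprint'
          type: DEPENDENT
          key: cert.sha1_fingerprint
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Character value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: CHAR
          description: 'The SHA-1 fingerprint (thumbprint) is the hash of the entire certificate in DER form. It identifies the certificate; it is not the signature made by the CA.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.sha1_fingerprint
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
          triggers:
            # Compares the latest stored fingerprint with the one before it (#2),
            # so the expression is true only while the two most recent values
            # differ. Priority is INFO and manual close is enabled; if this is
            # meant to flag an unexpected certificate, make sure INFO events are
            # actually reviewed or notified on.
            -
              uuid: 7a4c69a5235e444cb7294e6b7189b2b6
              expression: 'last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)'
              name: 'Cert: Fingerprint has changed'
              event_name: 'Cert: Fingerprint has changed (new version: {ITEM.VALUE})'
              priority: INFO
              description: |
                The SSL certificate fingerprint has changed. If you did not update the certificate, the website may be serving an unexpected certificate (for example, because of a misconfiguration or traffic interception). Ack to close.
                There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.
              manual_close: 'YES'
              tags:
                -
                  tag: scope
                  value: notice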
        # Dependent item: algorithm the CA used to sign the certificate, extracted
        # from $.x509.signature_algorithm of the 'Cert: Get' master item JSON.
        # No trigger is defined on it, so a weak signature algorithm (for example
        # a SHA-1-based one) is only visible by inspecting this item's value.
        -
          uuid: 67d4cb73b1e74c5f9e63423e9bbdd3a6
          name: 'Cert: Signature algorithm'
          type: DEPENDENT
          key: cert.signature_algorithm
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Character value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: CHAR
          description: 'The algorithm identifier for the algorithm used by the CA to sign the certificate.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.signature_algorithm
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
        # Dependent item: certificate subject, extracted from $.x509.subject of
        # the 'Cert: Get' master item JSON. No trigger is defined on it.
        -
          uuid: b44c554d025446c6b1761a5fde250f9f
          name: 'Cert: Subject'
          type: DEPENDENT
          key: cert.subject
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Text value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: TEXT
          description: 'The field identifies the entity associated with the public key stored in the subject public key field.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.subject
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
        # Dependent item: validation verdict, extracted from $.result.value of the
        # 'Cert: Get' master item JSON. Carries the HIGH-priority "invalid"
        # trigger, which the expiry-warning trigger on cert.not_after depends on.
        -
          uuid: 4fc3c39291ea4e3aa6ee04fcec4e1a8d
          name: 'Cert: Validation result'
          type: DEPENDENT
          key: cert.validation
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Character value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: CHAR
          description: 'The certificate validation result. Possible values: valid/invalid/valid-but-self-signed'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.result.value
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
          triggers:
            # "like" is a substring match against the latest value. Of the three
            # values listed in the item description only 'invalid' contains
            # "invalid", so 'valid-but-self-signed' does not raise this trigger:
            # a self-signed certificate produces no alert from this template.
            # NOTE(review): the trigger description names expiry and a wrong
            # domain; other validation failures presumably also yield 'invalid' -
            # check the cert.message item for the actual reason.
            -
              uuid: 854c791b765a4ae2982ce6436d6e78ca
              expression: 'find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1'
              name: 'Cert: SSL certificate is invalid'
              priority: HIGH
              description: 'SSL certificate has expired or it is issued for another domain.'
              tags:
                -
                  tag: scope
                  value: security
        # Dependent item: version of the encoded certificate, extracted from
        # $.x509.version of the 'Cert: Get' master item JSON. No trigger is
        # defined on it.
        -
          uuid: a8b04dfe285d47e39c9d360ea43fcdbe
          name: 'Cert: Version'
          type: DEPENDENT
          key: cert.version
          # '0': no polling interval of its own; the value comes from the master item.
          delay: '0'
          # Character value: 7 days of history, trends disabled.
          history: 7d
          trends: '0'
          value_type: CHAR
          description: 'The version of the encoded certificate.'
          preprocessing:
            -
              type: JSONPATH
              parameters:
                - $.x509.version
          master_item:
            key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          tags:
            -
              tag: component
              value: cert
        # Master item: requests the website certificate through the agent key
        # web.certificate.get and returns the JSON that every DEPENDENT item in
        # this template parses. The three key parameters come from the
        # {$CERT.WEBSITE.HOSTNAME}, {$CERT.WEBSITE.PORT} and {$CERT.WEBSITE.IP}
        # user macros.
        # NOTE(review): no 'type' is set, so the export default applies -
        # presumably a Zabbix agent check; confirm.
        -
          uuid: ec072b3b1c6847b79acac9f18d14df8a
          name: 'Cert: Get'
          key: 'web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]'
          # Polled every 15 minutes.
          delay: 15m
          # The raw JSON itself is not kept in history; only the dependent items are.
          history: 0h
          trends: '0'
          value_type: TEXT
          description: 'Returns the JSON with attributes of a certificate of the requested site.'
          preprocessing:
            # Drops a value identical to the previous one unless 6 hours have
            # passed, so while the JSON is unchanged the dependent items are
            # refreshed only at that heartbeat.
            -
              type: DISCARD_UNCHANGED_HEARTBEAT
              parameters:
                - 6h
          tags:
            -
              tag: component
              value: raw
      # Template-level tags (class=software, target=certificate), separate from
      # the per-item 'component' tags and per-trigger 'scope' tags above.
      tags:
        -
          tag: class
          value: software
        -
          tag: target
          value: certificate
      # User macros that parameterise the master item key and the expiry trigger.
      macros:
        # Threshold, in days, used by the 'Cert: SSL certificate expires soon'
        # trigger. The default of 7 is the only advance warning this template
        # gives; raise it where renewal needs more lead time.
        -
          macro: '{$CERT.EXPIRY.WARN}'
          value: '7'
          description: 'Number of days until the certificate expires.'
        # Placeholder default: it has to be overridden on each host, otherwise
        # the master item key is built from the literal placeholder text.
        -
          macro: '{$CERT.WEBSITE.HOSTNAME}'
          value: '<Put DNS name>'
          description: 'The website DNS name for the connection.'
        # No 'value' key is given, so this macro has no default in the template.
        # NOTE(review): presumably the plugin then connects by the DNS name
        # alone - confirm against the web.certificate.get documentation.
        -
          macro: '{$CERT.WEBSITE.IP}'
          description: 'The website IP address for the connection.'
        -
          macro: '{$CERT.WEBSITE.PORT}'
          value: '443'
          description: 'The TLS/SSL port number of the website.'