Установка Telegraf для мониторинга SSL/TLS на Alma Linux 8
Установка Prometheus на Alma Linux 8
Создать файл по пути /etc/yum.repos.d/influxdata.repo:
[influxdata]
name = InfluxData Repository - Stable
baseurl = https://repos.influxdata.com/stable/$basearch/main
enabled = 1
# Keep signature checking on: every package from this repo is verified against the key below.
gpgcheck = 1
# Public signing key, fetched over HTTPS from the vendor's own host.
gpgkey = https://repos.influxdata.com/influxdata-archive_compat.key
Выполнить установку telegraf
dnf install telegraf
В файле /etc/telegraf/telegraf.conf включить вывод outputs.prometheus_client, через который Prometheus будет забирать метрики (ниже — закомментированный образец настроек из поставки Telegraf и минимальный рабочий вариант):
# ...
# # Configuration for the Prometheus client to spawn
# [[outputs.prometheus_client]]
# ## Address to listen on.
# ## ex:
# ## listen = ":9273"
# ## listen = "vsock://:9273"
# listen = ":9273"
#
# ## Maximum duration before timing out read of the request
# # read_timeout = "10s"
# ## Maximum duration before timing out write of the response
# # write_timeout = "10s"
#
# ## Metric version controls the mapping from Prometheus metrics into Telegraf metrics.
# ## See "Metric Format Configuration" in plugins/inputs/prometheus/README.md for details.
# ## Valid options: 1, 2
# # metric_version = 1
#
# ## Use HTTP Basic Authentication.
# # basic_username = "Foo"
# # basic_password = "Bar"
#
# ## If set, the IP Ranges which are allowed to access metrics.
# ## ex: ip_range = ["192.168.0.0/24", "192.168.1.0/30"]
# # ip_range = []
#
# ## Path to publish the metrics on.
# # path = "/metrics"
#
# ## Expiration interval for each metric. 0 == no expiration
# # expiration_interval = "60s"
#
# ## Collectors to enable, valid entries are "gocollector" and "process".
# ## If unset, both are enabled.
# # collectors_exclude = ["gocollector", "process"]
#
# ## Send string metrics as Prometheus labels.
# ## Unless set to false all string metrics will be sent as labels.
# # string_as_label = true
#
# ## If set, enable TLS with the given certificate.
# # tls_cert = "/etc/ssl/telegraf.crt"
# # tls_key = "/etc/ssl/telegraf.key"
#
# ## Set one or more allowed client CA certificate file names to
# ## enable mutually authenticated TLS connections
# # tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]
#
# ## Export metric collection time.
# # export_timestamp = false
#
# ## Specify the metric type explicitly.
# ## This overrides the metric-type of the Telegraf metric. Globbing is allowed.
# # [outputs.prometheus_client.metric_types]
# # counter = []
# # gauge = []
# Expose the scrape endpoint on loopback only. With Prometheus on the same host
# (see the prometheus.yml fragment below) nothing outside this machine can reach it.
# If Prometheus runs elsewhere, bind to a reachable address and protect the endpoint
# with basic_username/basic_password, tls_cert/tls_key and/or ip_range (commented options above).
[[outputs.prometheus_client]]
listen = "127.0.0.1:9273"
# ...
В том же файле /etc/telegraf/telegraf.conf включить вход inputs.x509_cert и перечислить в sources проверяемые сертификаты (адреса вида https://host:443 и/или пути к PEM-файлам):
# ...
# # Reads metrics from a SSL certificate
# [[inputs.x509_cert]]
# ## List certificate sources, support wildcard expands for files
# ## Prefix your entry with 'file://' if you intend to use relative paths
# sources = ["tcp://example.org:443", "https://influxdata.com:443",
# "smtp://mail.localhost:25", "udp://127.0.0.1:4433",
# "/etc/ssl/certs/ssl-cert-snakeoil.pem",
# "/etc/mycerts/*.mydomain.org.pem", "file:///path/to/*.pem"]
#
# ## Timeout for SSL connection
# # timeout = "5s"
#
# ## Pass a different name into the TLS request (Server Name Indication).
# ## This is synonymous with tls_server_name, and only one of the two
# ## options may be specified at one time.
# ## example: server_name = "myhost.example.org"
# # server_name = "myhost.example.org"
#
# ## Only output the leaf certificates and omit the root ones.
# # exclude_root_certs = false
#
# ## Optional TLS Config
# # tls_ca = "/etc/telegraf/ca.pem"
# # tls_cert = "/etc/telegraf/cert.pem"
# # tls_key = "/etc/telegraf/key.pem"
# # tls_server_name = "myhost.example.org"
#
# ## Set the proxy URL
# # use_proxy = true
# # proxy_url = "http://localhost:8888"
# Certificate sources to check; each is reported with its expiry date and a verification tag.
[[inputs.x509_cert]]
sources = ["https://example.com:443"]
# NOTE(review): this tells the collector's TLS client to skip chain/hostname verification.
# The plugin reports verification / verification_error as separate labels (those are the
# columns the Grafana table below displays), so this setting should not be needed to monitor
# expired or invalid certificates — confirm against your Telegraf version. For certificates
# issued by a private CA, prefer tls_ca (commented above) so the Verification column stays meaningful.
insecure_skip_verify = true
# ...
Запустить Telegraf и добавить его в автозапуск:
systemctl start telegraf && systemctl enable telegraf
На сервере Prometheus добавить Telegraf как цель сбора (target) в список scrape_configs файла /etc/prometheus/prometheus.yml (пример для случая, когда Telegraf и Prometheus установлены на одном сервере — адрес 127.0.0.1:9273 совпадает с listen в конфигурации Telegraf):
# ...
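# Scrape the Telegraf prometheus_client output. The target must match Telegraf's `listen`
# address; 127.0.0.1:9273 works here because Telegraf and Prometheus share the host.
- job_name: "SSL/TLS Certs"
  static_configs:
    - targets: ["127.0.0.1:9273"]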
Затем на сервере Prometheus перезапустить службу, чтобы применить новую конфигурацию:
systemctl restart prometheus
Импортировать в Grafana следующую JSON-модель дашборда. Перед импортом замените uid источника данных (adic092vlnym8b в полях "datasource") на uid вашего Prometheus datasource; поля "id" и "uid" самого дашборда при импорте можно задать заново:
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 6,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "adic092vlnym8b"
},
"description": "",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"custom": {
"align": "left",
"cellOptions": {
"type": "auto"
},
"filterable": false,
"inspect": false
},
"mappings": [
{
"options": {
"valid": {
"color": "green",
"index": 0
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "Verification"
},
"properties": [
{
"id": "mappings",
"value": [
{
"options": {
"invalid": {
"color": "red",
"index": 1,
"text": "Invalid"
},
"valid": {
"color": "green",
"index": 0,
"text": "Valid"
}
},
"type": "value"
}
]
},
{
"id": "custom.cellOptions",
"value": {
"type": "color-text"
}
},
{
"id": "custom.filterable",
"value": true
}
]
},
{
"matcher": {
"id": "byName",
"options": "Error"
},
"properties": [
{
"id": "custom.cellOptions",
"value": {
"type": "color-text"
}
},
{
"id": "thresholds",
"value": {
"mode": "absolute",
"steps": [
{
"color": "red",
"value": null
}
]
}
}
]
},
{
"matcher": {
"id": "byName",
"options": "Domain"
},
"properties": [
{
"id": "mappings",
"value": [
{
"options": {
"pattern": "https[:][/]{2}(.+)[:]443",
"result": {
"index": 0,
"text": "$1"
}
},
"type": "regex"
}
]
}
]
}
]
},
"gridPos": {
"h": 23,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"cellHeight": "sm",
"footer": {
"countRows": false,
"fields": "",
"reducer": [
"sum"
],
"show": false
},
"frameIndex": 1,
"showHeader": true,
"sortBy": [
{
"desc": false,
"displayName": "End date"
}
]
},
"pluginVersion": "10.4.1",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "adic092vlnym8b"
},
"editorMode": "code",
"exemplar": false,
"expr": "x509_cert_enddate{san!=\"\"}*1000",
"format": "table",
"instant": true,
"interval": "",
"legendFormat": "{{label_name}}",
"range": false,
"refId": "A"
}
],
"title": "SSL/TLS Certificate Expiry Status",
"transformations": [
{
"id": "merge",
"options": {}
},
{
"id": "organize",
"options": {
"excludeByName": {
"Time": true,
"Value": false,
"__name__": true,
"common_name": false,
"host": true,
"instance": true,
"issuer_common_name": true,
"job": true,
"ocsp_stapled": true,
"public_key_algorithm": true,
"san": true,
"serial_number": true,
"signature_algorithm": true,
"type": true,
"verification": false,
"verification_error": false
},
"includeByName": {},
"indexByName": {
"Time": 0,
"Value": 2,
"__name__": 6,
"common_name": 5,
"host": 7,
"instance": 8,
"issuer_common_name": 9,
"job": 10,
"ocsp_stapled": 11,
"public_key_algorithm": 12,
"san": 13,
"serial_number": 14,
"signature_algorithm": 15,
"source": 1,
"type": 16,
"verification": 3,
"verification_error": 4
},
"renameByName": {
"Value": "End date",
"common_name": "Common name",
"source": "Domain",
"verification": "Verification",
"verification_error": "Error"
}
}
},
{
"id": "sortBy",
"options": {
"fields": {},
"sort": [
{
"field": "End date"
}
]
}
},
{
"id": "convertFieldType",
"options": {
"conversions": [
{
"dateFormat": "YYYY-MM-DD",
"destinationType": "time",
"enumConfig": {
"text": []
},
"targetField": "End date"
}
],
"fields": {}
}
}
],
"type": "table"
}
],
"schemaVersion": 39,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-2d",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "SSL/TLS Certificate Expiry Status",
"uid": "nRouqJ_Gk",
"version": 11,
"weekStart": ""
}