Trigger operational data: can I diff /etc/passwd?

  • c.h.
    Junior Member
    • Dec 2021
    • 29

    #1

    I'm using Zabbix 5.0.18 and have a template trigger with this condition:
    Code:
    {Template Module Linux generic by Zabbix agent active:vfs.file.contents[/etc/passwd].diff()}>0
    It works, in that it alerts me when the passwd file changes, but it sends the entire passwd file in the alert, and I have to do some work to figure out what changed.

    I've been trying to get it to just list the changes since the previous value, but I don't know how:
    * The history functions appear to be focused on numeric data only
    * The JavaScript preprocessing step is only given the current value and doesn't have access to the previous value
    * Writing a JavaScript preprocessing step that reaches out to the Zabbix API to retrieve the previous value seems like overkill, but may be necessary

    Is there a simple solution that I'm overlooking?

    Thanks!

    References:
    * https://www.zabbix.com/documentation...ers/expression
    * https://www.zabbix.com/documentation...gers/functions
    * https://www.zabbix.com/documentation...ing/javascript
    * https://www.zabbix.com/documentation...script_objects
    * https://blog.zabbix.com/maintaining-zabbix-api-token-via-javascript/15561/
    Last edited by c.h.; 17-01-2022, 22:22.
  • Hamardaban
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • May 2019
    • 2713

    #2
    item: vfs.file.cksum[/etc/passwd]
    trigger: last(//vfs.file.cksum[/etc/passwd],#1)<>last(//vfs.file.cksum[/etc/passwd],#2)

    • c.h.
      Junior Member
      • Dec 2021
      • 29

      #3
      Ok, but how about if I've decided against looking at checksums (the Zabbix default)?

      I'd rather see the differences between the old and new password file, to see who or what was added or removed.

      The diff() function only works with numbers, not text.

      The JavaScript preprocessor can only see the latest text, not the last two texts.

      • Hamardaban
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • May 2019
        • 2713

        #4
        I thought you were worried that the contents of passwd are coming to Zabbix and you only need to know about the fact of the change.
        In your case, you can write a simple script that will save the previous copy of the passwd file on the system and calculate the diff, and call this script through the Zabbix agent.
        This is much more accessible and faster than changing the API or JS preprocessing by developers.

        UPDATE 09/2023
        Use zabbix_agents key: vfs.file.cksum OR vfs.file.md5sum
        Last edited by Hamardaban; 18-09-2023, 07:56.

        • c.h.
          Junior Member
          • Dec 2021
          • 29

          #5
          Oh, I agree, it's totally unreasonable to ask them to change the API or JS preprocessing.

          I wasn't worried about the contents of the file coming to Zabbix, I was just annoyed that my alerts in Slack were so long and wanted to fix my trigger somehow.

          I'm just a new Zabbix user who hasn't read (or even fully understood) all of the documentation yet, so it was reasonable to think that there's a simple way to do it that I hadn't read about. :-)
          Last edited by c.h.; 20-01-2022, 05:52.

          • c.h.
            Junior Member
            • Dec 2021
            • 29

            #6
            Hi;

            I ended up installing etckeeper, which turns /etc into a git repository:

            Code:
            sudo apt install etckeeper
            Then I added this line to zabbix_agent2.conf:

            Code:
            UserParameter=zabbix.passwd_diff,sudo /etc/zabbix/zabbix_passwd_diff.sh
            And wrote /etc/zabbix/zabbix_passwd_diff.sh:

            Code:
            cd /etc; git diff -U0 'HEAD@{1 day ago}' passwd | awk '/^@/,0'
            And added /etc/sudoers.d/zabbix_sudo:

            Code:
            Defaults:zabbix !requiretty
            # The alias must name the same script that the UserParameter line runs.
            Cmnd_Alias ZABBIX_ROOT_CMD = /etc/zabbix/zabbix_passwd_diff.sh
            zabbix ALL=(root) NOPASSWD:ZABBIX_ROOT_CMD
            Last edited by c.h.; 17-09-2023, 00:26.

            • Hamardaban commented
              Use zabbix_agents key: vfs.file.cksum OR vfs.file.md5sum
          • c.h.
            Junior Member
            • Dec 2021
            • 29

            #7
            The problem is, I want to *see* the changes, not just that they've changed. Think `diff`, not `md5sum`.
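
The approach suggested in post #4 (keep the previous copy on the host and let the agent return only the difference), as an added example that is not code from any poster in this thread. The script path and state directory are hypothetical; because /etc/passwd is world-readable, this variant can run as the zabbix user without a sudo rule like the one in post #6.

```shell
#!/bin/sh
# Added example (not from the thread): print only the lines added to or
# removed from a file since the previous call, keeping the last copy locally.
# Assumed agent usage, with hypothetical paths:
#   UserParameter=zabbix.passwd_diff,/path/to/passwd_diff.sh /etc/passwd /path/to/state

passwd_diff() {
    file=$1
    state_dir=$2
    snap="$state_dir/$(basename "$file").prev"

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    [ -d "$state_dir" ] || { echo "missing state dir $state_dir" >&2; return 2; }

    # Copy first so the diff and the new snapshot see the same content.
    # mktemp creates the copy with mode 0600.
    tmp=$(mktemp "$state_dir/.snap.XXXXXX") || return 2
    cat "$file" > "$tmp" || { rm -f "$tmp"; return 2; }

    if [ -f "$snap" ]; then
        # "<" lines exist only in the old copy, ">" lines only in the new one.
        diff "$snap" "$tmp" | sed -n -e 's/^< /- /p' -e 's/^> /+ /p'
    fi
    # The first run only records the baseline and prints nothing.
    mv -f "$tmp" "$snap"
}

# Constructed sample data: two versions of a passwd-style file.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/state"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' > "$d/passwd"
    passwd_diff "$d/passwd" "$d/state"    # baseline, no output
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'bob:x:1001:1001::/home/bob:/bin/sh' > "$d/passwd"
    passwd_diff "$d/passwd" "$d/state"    # one "-" line and one "+" line
    rm -rf "$d"
}

# With arguments: act as the agent script. Without: run the demo.
if [ "$#" -ge 2 ]; then passwd_diff "$@"; else demo; fi
```

Each call advances the snapshot, so a change is reported once and an empty result means nothing changed since the previous poll. The state directory should be writable only by the account that runs the script, since anyone who can rewrite the snapshot can hide a change.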
