Hello!
I'm currently building a complete lab environment with a full network segment, a VLAN for Zabbix (7.0.19) and Grafana for monitoring the whole project, and some services in a DMZ network (SMTP, SFTP and WEB). Currently what I'm stuck at is that I'm trying to create an item that monitors the amount of failed SSH authentication attempts in the SFTP server (or any other Linux server in the environment) but I can't seem to get the syntax right for it, and couldn't find much information regarding these kinds of checks online.
What I have at the moment on a template called "OpenSSH Service Health" is:
- 1 item that monitors the service state with "net.tcp.service[ssh,22]", working as intended
- 1 item that monitors the service's response time with "net.tcp.perf[ssh,22]", working as intended
- 1 item that monitors the accepted logins with "log["/var/log/auth.log","Accepted password",,,,skip]", also seems to be working from what I gathered
- 1 item that monitors the failed logins with "log["/var/log/auth.log","Failed password",,100,,skip]", which is also working as intended; however, this is a condition to be met and not a counter, so it'll always return either 1 or 0
- I gave zabbix_agentd read permissions to the /var/log/auth.log files on Linux servers with SSH enabled and it's able to read it properly
- Make another item (either dependent or calculated) that counts the amount of times the "failed authentication" item returns 1 in the span of a minute (for ease, I named the earlier item "Failed SSH Logins (raw)" and I'll be calling this one "Failed SSH Logins (count)")
- I've tried it through dependent items, while having the "raw" item as the master, and the dependent one to count how many times the previous item returned 1 in 1m, but I can't seem to understand the "count()" syntax from the 7.0 documentation.
- Tried something similar with the calculated item, but can't seem to find the right syntax with it either. I've put the previous expression as the key, and tried to count it on the expression, but no result as of now.
Cheers!
Dan
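
Added example, not part of the original post: a per-minute count of failed SSH password attempts computed directly from auth.log lines, including the syslog "message repeated N times" form that a plain line match undercounts. The sample log lines, the host name `sftp01` and the `year` parameter (syslog timestamps carry no year) are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the classic syslog format used by /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 sftp01 sshd[2211]: Failed password for root from 192.0.2.10 port 50122 ssh2
Mar  3 10:15:07 sftp01 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 50124 ssh2
Mar  3 10:15:20 sftp01 sshd[2211]: message repeated 2 times: [ Failed password for root from 192.0.2.10 port 50126 ssh2]
Mar  3 10:15:44 sftp01 sshd[2250]: Accepted password for dan from 198.51.100.7 port 40022 ssh2
Mar  3 10:16:02 sftp01 sshd[2290]: Failed password for dan from 198.51.100.7 port 40030 ssh2
Mar  3 10:16:30 sftp01 CRON[2300]: pam_unix(cron:session): session opened for user root
"""

# Timestamp, host, sshd[pid], optional "message repeated N times: [" wrapper,
# then the failure message with its user and source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"(?:message repeated (?P<rep>\d+) times: \[\s*)?"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def failed_per_minute(text, year=2025):
    """Return (per_minute, per_source) Counters of failed SSH password attempts.

    `year` is an assumption supplied by the caller because the log omits it.
    """
    per_minute, per_source = Counter(), Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins, other daemons, unrelated sshd messages
        n = int(m.group("rep") or 1)  # a collapsed line stands for N attempts
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        per_minute[ts.strftime("%m-%d %H:%M")] += n
        per_source[m.group("ip")] += n
    return per_minute, per_source

if __name__ == "__main__":
    minutes, sources = failed_per_minute(SAMPLE_AUTH_LOG)
    for minute, count in sorted(minutes.items()):
        print(minute, count)
    for ip, count in sources.most_common():
        print(ip, count)
```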