X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=config%2Fnagios-master.cfg;h=ae2b7769fb2c610d4114133cdedda37ef1034c97;hb=8f1abbea638f862c05f8da453a22b3b98bd37d81;hp=fee689d83f55907fe3864f5d2b5ab942c5b55b43;hpb=a35ad90c67a9ffdcc296f0360386b7c1efd82bf7;p=mirror%2Fdsa-nagios.git diff --git a/config/nagios-master.cfg b/config/nagios-master.cfg index fee689d..ae2b776 100644 --- a/config/nagios-master.cfg +++ b/config/nagios-master.cfg @@ -19,6 +19,16 @@ servers: hostgroups: notacomputer pingable: false check_command: dsa_check_always_ok + gw-1und1: + parents: gw-ubcece + hostgroups: notacomputer + pingable: false + check_command: dsa_check_always_ok + gw-1und1-sec: + parents: gw-ubcece + hostgroups: notacomputer + pingable: false + check_command: dsa_check_always_ok gw-accumu: address: 130.239.18.97 parents: gw-ubcece @@ -144,12 +154,12 @@ servers: # {{{ gw-1und1 powell: address: 87.106.64.223 - parents: gw-ubcece + parents: gw-1und1 hostgroups: computers, service, acpid-hosts, wheezy pkgmirror-1and1: address: 213.165.95.4 parents: powell - hostgroups: computers, service, kvmdomains, wheezy, apache2-hosts, no-bacula + hostgroups: computers, service, kvmdomains, wheezy, apache2-hosts, no-bacula, apache-https babin: address: 213.165.95.6 parents: powell @@ -158,8 +168,7 @@ servers: # {{{ gw-1und1-sec schumann: address: 212.227.126.54 - parents: gw-ubcece - #parents: gw-1und1-sec + parents: gw-1und1-sec hostgroups: computers, acpid-hosts, service, wheezy chopin: address: 195.20.242.124 @@ -175,8 +184,7 @@ servers: hostgroups: computers, service, hasbootfs, hassrvfs, kvmdomains, apache2-hosts, wheezy, apache-https wieck: address: 195.20.242.89 - parents: gw-ubcece - #parents: gw-1und1-sec + parents: gw-1und1-sec hostgroups: computers, service, apache2-hosts, rsyncd-hosts, acpid-hosts, xinetd-hosts, wheezy, security_mirror, hasvarlogfs, no-bacula # }}} # {{{ gw-accumu @@ -282,7 +290,7 @@ servers: picconi: address: 5.153.231.3 parents: gw-bytemark - hostgroups: computers, service, kvmdomains, wheezy, apache2-hosts, nfs-client, autofs, heavy-exim, spamd + hostgroups: computers, service, kvmdomains, wheezy, apache2-hosts, nfs-client, autofs, heavy-exim, spamd, apache-https senfter: address: 5.153.231.4 parents: gw-bytemark @@ -309,68 +317,72 @@ servers: address: 5.153.231.10 parents: gw-bytemark hostgroups: computers, hassrvfs, kvmdomains, wheezy, postgres91-hosts + ganeti-bytemark: + address: 82.195.75.111 + parents: gw-bytemark + hostgroups: notacomputer coccia: address: 5.153.231.11 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, hassrvfs, kvmdomains, wheezy, autofs, nfs-client backuphost: address: 5.153.231.12 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, hassrvfs, kvmdomains, wheezy philp: address: 5.153.231.13 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, hassrvfs, kvmdomains, wheezy, apache2-hosts petrova: address: 5.153.231.25 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, kvmdomains, wheezy, apache2-hosts couper: address: 5.153.231.14 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, hassrvfs, kvmdomains, wheezy, apache2-hosts, nfs-client, autofs rainier: address: 5.153.231.15 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, kvmdomains, wheezy, no-bacula rapoport: address: 5.153.231.16 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, kvmdomains, wheezy, no-bacula delfin: address: 5.153.231.17 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, hassrvfs, kvmdomains, wheezy, apache2-hosts wuiet: address: 5.153.231.18 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, general, kvmdomains, wheezy, service, apache-https, apache2-hosts, heavy-exim, xinetd-hosts dinis: address: 5.153.231.19 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, general, kvmdomains, wheezy donizetti: address: 5.153.231.20 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, general, kvmdomains, wheezy, nfs-client, autofs dillon: address: 5.153.231.22 - parents: gw-bytemark - hostgroups: computers, general, kvmdomains, wheezy, nfs-client, autofs + parents: ganeti-bytemark + hostgroups: computers, general, kvmdomains, wheezy, nfs-client, autofs, hassrvfs ticharich: address: 5.153.231.23 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, general, kvmdomains, wheezy, nfs-client, autofs, apache2-hosts, apache-https, service diamond: address: 5.153.231.24 - parents: gw-bytemark + parents: ganeti-bytemark hostgroups: computers, service, kvmdomains, wheezy, bind9-hosts, no-bacula # }}} # {{{ gw-c3sl santoro: address: 200.17.202.197 parents: gw-c3sl - hostgroups: computers, service, apache2-hosts, rsyncd-hosts, xinetd-hosts, hassrvfs, wheezy, high-RTT, security_mirror, no-bacula + hostgroups: computers, service, apache2-hosts, rsyncd-hosts, xinetd-hosts, hassrvfs, wheezy, high-RTT, security_mirror, no-bacula, apache-https contacts: faw # }}} # {{{ gw-carnet @@ -387,7 +399,7 @@ servers: gluck: address: 150.203.164.38 parents: gw-cecsit - hostgroups: computers, service, apache2-hosts, rsyncd-hosts, dl380, hassrvfs, acpid-hosts, xinetd-hosts, wheezy, security_mirror, no-bacula + hostgroups: computers, service, apache2-hosts, rsyncd-hosts, dl380, hassrvfs, acpid-hosts, xinetd-hosts, wheezy, security_mirror, no-bacula, apache-https # }}} # {{{ gw-conova sompek: @@ -403,7 +415,7 @@ servers: senfl: address: 128.31.0.51 parents: gw-csail - hostgroups: computers, service, dl360, acpid-hosts, hassrvfs, apache2-hosts, rsyncd-hosts, bind9-hosts, xinetd-hosts, squeeze + hostgroups: computers, service, dl360, acpid-hosts, hassrvfs, apache2-hosts, rsyncd-hosts, bind9-hosts, xinetd-hosts, squeeze, apache-https steffani: address: 128.31.0.36 parents: gw-csail @@ -416,18 +428,18 @@ servers: hostgroups: computers, sw-raid, hassrvfs, wheezy # }}} # {{{ gw-ftcollins - alkman: - address: 192.25.206.63 - parents: gw-ftcollins - hostgroups: computers, buildd, acpid-hosts, wheezy - merulo: - address: 192.25.206.58 - parents: gw-ftcollins - hostgroups: computers, porterbox, hasusrfs, wheezy - mundy: - address: 192.25.206.62 - parents: gw-ftcollins - hostgroups: computers, buildd, hassrvfs, sw-raid, acpid-hosts, wheezy + #alkman: + # address: 192.25.206.63 + # parents: gw-ftcollins + # hostgroups: computers, buildd, acpid-hosts, wheezy + #merulo: + # address: 192.25.206.58 + # parents: gw-ftcollins + # hostgroups: computers, porterbox, hasusrfs, wheezy + #mundy: + # address: 192.25.206.62 + # parents: gw-ftcollins + # hostgroups: computers, buildd, hassrvfs, sw-raid, acpid-hosts, wheezy spohr: address: 192.25.206.33 parents: gw-ftcollins @@ -560,6 +572,10 @@ servers: address: 82.195.75.91 parents: ganeti3 hostgroups: computers, service, kvmdomains, wheezy, bind9-hosts + vogler: + address: 82.195.75.92 + parents: ganeti3 + hostgroups: computers, service, kvmdomains, wheezy # }}} # {{{ gw-marist zani: @@ -579,7 +595,7 @@ servers: buxtehude: address: 140.211.166.26 parents: byrd - hostgroups: computers, service, hassrvfs, acpid-hosts, apache2-hosts, heavy-exim, postgres91-hosts, wheezy, hasvarlogfs + hostgroups: computers, service, hassrvfs, acpid-hosts, apache2-hosts, heavy-exim, postgres91-hosts, wheezy, hasvarlogfs, apache-https # malo TODO mayer: address: 140.211.166.78 @@ -600,7 +616,7 @@ servers: rietz: address: 140.211.166.43 parents: gw-osuosl - hostgroups: computers, service, rsyncd-hosts, dl385, hassrvfs, acpid-hosts, xinetd-hosts, wheezy, bind9-hosts + hostgroups: computers, service, rsyncd-hosts, dl385, hassrvfs, acpid-hosts, xinetd-hosts, wheezy #, bosserver rietz2: address: 140.211.166.44 @@ -649,6 +665,10 @@ servers: address: 86.59.118.152 parents: gw-sil hostgroups: computers, buildd, wheezy + eberlin: + address: 86.59.118.155 + parents: gw-sil + hostgroups: computers, buildd, wheezy # }}} # {{{ gw-ubcece sw-ubcece: @@ -725,10 +745,6 @@ servers: address: 206.12.19.13 parents: sw-ubcece-kais hostgroups: computers, hashomefs, sw-raid, rsyncd-hosts, apache2-hosts, xinetd-hosts, service, nfs-server, squeeze, hassrvfs - paganini: - address: 206.12.19.10 - parents: sw-ubcece-kais - hostgroups: computers, hasbootfs, aacraid, hassrvfs, nfs-client, service, squeeze, autofs respighi: address: 206.12.19.11 parents: sw-ubcece-kais @@ -798,7 +814,7 @@ servers: nono: address: 206.12.19.123 parents: traetta - hostgroups: computers, service, kvmdomains, wheezy, heavy-exim, xinetd-hosts, apache2-hosts, apache-https + hostgroups: computers, service, kvmdomains, wheezy, heavy-exim, xinetd-hosts, apache2-hosts, apache-https, broken_https_default_vhost reger: address: 206.12.19.124 parents: ganeti2 @@ -838,7 +854,7 @@ servers: diabelli: address: 206.12.19.136 parents: traetta - hostgroups: computers, service, hasbootfs, kvmdomains, wheezy, apache2-hosts, apache-https + hostgroups: computers, service, hasbootfs, kvmdomains, wheezy, apache2-hosts, apache-https, broken_https_default_vhost bizet: address: 206.12.19.137 parents: ganeti2 @@ -854,7 +870,7 @@ servers: beach: address: 206.12.19.140 parents: ganeti2 - hostgroups: computers, service, kvmdomains, wheezy, apache2-hosts, xinetd-hosts, hassrvfs, nfs-server, rsyncd-hosts, no-bacula + hostgroups: computers, service, kvmdomains, wheezy, apache2-hosts, xinetd-hosts, hassrvfs, nfs-server, rsyncd-hosts, no-bacula, apache-https ullmann: address: 206.12.19.141 parents: ganeti2 @@ -867,10 +883,6 @@ servers: address: 206.12.19.143 parents: ganeti2 hostgroups: computers, service, kvmdomains, wheezy, hassrvfs, apache2-hosts, apache-https - stanley: - address: 206.12.19.145 - parents: ganeti2 - hostgroups: computers, service, kvmdomains, wheezy, hassrvfs, apache2-hosts, no-bacula muffat: address: 206.12.19.146 parents: ganeti2 @@ -893,11 +905,19 @@ servers: klecker: address: 130.89.148.10 parents: gw-utwente - hostgroups: computers, service, apache2-hosts, rsyncd-hosts, dl380, acpid-hosts, xinetd-hosts, wheezy, incomingmailrelayed2025, hassrvfs, apache-https + hostgroups: computers, service, apache2-hosts, rsyncd-hosts, dl380, acpid-hosts, xinetd-hosts, wheezy, incomingmailrelayed2025, hassrvfs klecker-ftp: address: 130.89.148.12 parents: klecker hostgroups: secondary-IPs + klecker-archive: + address: 130.89.148.13 + parents: klecker + hostgroups: secondary-IPs + klecker-static: + address: 130.89.148.14 + parents: klecker + hostgroups: secondary-IPs # }}} # {{{ gw-ynic hildegard: @@ -1097,6 +1117,9 @@ hostgroups: apache-https: alias: hosts with https services private: 1 + broken_https_default_vhost: + alias: https default vhost does not say 200 OK + private: 1 no-bacula: alias: hosts which are not being backed up with bacula @@ -1154,10 +1177,6 @@ hostgroups: # i.e. no port 25 private: 1 - ntpsuckers: - alias: "hosts who's ntp offset is often unknown" - private: 1 - brokensamhain: alias: machines that can not run samhain private: 1 @@ -1224,6 +1243,7 @@ services: ############ Disk Usage ############ #### + - name: disk usage - all servicegroups: diskspace @@ -1320,12 +1340,12 @@ services: - name: disk usage on /srv/farm-snapshot/farm-misc servicegroups: diskspace - nrpe: "/usr/lib/nagios/plugins/check_disk 95 90 /srv/farm-snapshot/farm-misc" + nrpe: "/usr/lib/nagios/plugins/check_disk 97 95 /srv/farm-snapshot/farm-misc" hosts: sibelius - - name: disk usage on /var/lib/postgresql/9.1/dak + name: disk usage on /var/lib/postgresql/9.1 servicegroups: diskspace - nrpe: "/usr/lib/nagios/plugins/check_disk 75 85 /var/lib/postgresql/9.1/dak" + nrpe: "/usr/lib/nagios/plugins/check_disk 75 85 /var/lib/postgresql/9.1" hosts: franck - name: disk usage on /srv/ftp-master.debian.org @@ -1515,6 +1535,12 @@ services: nrpe: "/usr/lib/nagios/plugins/dsa-check-uptime" hostgroups: computers #### + - + name: processes - samhain zombies + nrpe: "/usr/lib/nagios/plugins/check_procs 3 6 -s Z -u root -a samhain" + event_handler: dsa_event_handler_restart_samhain + hostgroups: computers + excludehostgroups: brokensamhain - name: processes - zombies nrpe: "/usr/lib/nagios/plugins/check_procs 5 10 -s Z" @@ -1597,7 +1623,7 @@ services: hostgroups: computers depends: process - ntpd excludehosts: ancina - excludehostgroups: ntpsuckers, deadslow + excludehostgroups: deadslow servicegroups: time # - @@ -1640,6 +1666,20 @@ services: remotecheck: "/usr/lib/nagios/plugins/dsa-check-log-age-loghost $HOSTNAME$" runfrom: lully hostgroups: computers + - + name: MQ connection on rainier + remotecheck: "/usr/lib/nagios/plugins/dsa-check-mq-connection $HOSTNAME$ ud dsa" + runfrom: rainier + hostgroups: computers + normal_check_interval: 60 + retry_check_interval: 15 + - + name: MQ connection on rapoport + remotecheck: "/usr/lib/nagios/plugins/dsa-check-mq-connection $HOSTNAME$ ud dsa" + runfrom: rapoport + hostgroups: computers + normal_check_interval: 60 + retry_check_interval: 15 ### MAIL STUFF ### - @@ -1887,10 +1927,6 @@ services: nrpe: 'if getent ahosts `hostname` | grep -q 127.0; then echo "Warning: local hostname resolves to 127/8 address"; exit 1; else echo "OK: Hostname resolves to non-127/8 address."; exit 0; fi' hostgroups: computers normal_check_interval: 60 - - - name: setup - ud-ldap freshness - nrpe: "/usr/lib/nagios/plugins/dsa-check-udldap-freshness" - hostgroups: computers - name: system - available entropy nrpe: "/usr/lib/nagios/plugins/dsa-check-entropy" @@ -1962,10 +1998,6 @@ services: name: "host SSL cert" nrpe: "if [ -e /etc/ssl/certs/thishost.pem ]; then /usr/lib/nagios/plugins/dsa-check-cert-expire /etc/ssl/certs/thishost.pem; else echo 'No thishost.pem on this host.'; fi" hostgroups: computers - - - name: "pg SSL cert" - nrpe: "/usr/lib/nagios/plugins/dsa-check-cert-expire /etc/ssl/certs/pg-ubcece.debian.org-chained.pem" - hosts: danzi ############ Processes/Services that only run on some computers ############ #### @@ -1995,6 +2027,15 @@ services: hostgroups: sw-raid ### + - + name: process - ud-replicated + nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -u root -C ud-replicated -a '/usr/bin/python /usr/bin/ud-replicated'" + hostgroups: computers + excludehostgroups: squeeze,freebsd + - + name: process - ud-replicated + nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -u root -C python2.7 -a '/usr/bin/python /usr/bin/ud-replicated'" + hostgroups: freebsd - name: process - monit nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -u root -C monit -a '/usr/sbin/monit -d 300 -I -c /etc/monit/monitrc -s /var/lib/monit/monit.state'" @@ -2235,6 +2276,7 @@ services: check: check_https hostgroups: apache-https excludehosts: handel,menotti + excludehostgroups: broken_https_default_vhost depends: "process - apache2 - master" normal_check_interval: 120 - @@ -2243,6 +2285,12 @@ services: hosts: handel,menotti depends: "process - apache2 - master" normal_check_interval: 120 + - + name: network service - https + check: dsa_check_https_any_status + hostgroups: broken_https_default_vhost + depends: "process - apache2 - master" + normal_check_interval: 120 - name: network service - https cert check: dsa_check_cert!443 @@ -2346,7 +2394,7 @@ services: hostgroups: computers - name: process - postgresql91 - master - nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:4 -c 1: -u postgres -C postgres -a '/usr/lib/postgresql/9.1/bin/postgres'" + nrpe: "/usr/lib/nagios/plugins/check_procs -w 1:10 -c 1: -u postgres -C postgres -a '/usr/lib/postgresql/9.1/bin/postgres'" hostgroups: postgres91-hosts - name: postgresql backups @@ -2459,6 +2507,13 @@ services: ############ MISC OTHER Stuff ############ ##### + - + name: puppetmaster cert + nrpe: "/usr/lib/nagios/plugins/dsa-check-cert-expire /var/lib/puppet/ssl/certs/ca.pem" + hosts: handel + normal_check_interval: 60 + max_check_attempts: 2 + retry_check_interval: 5 - name: mirror sync - bugs check: "dsa_check_mirrorsync_skew!bugs.debian.org!project/trace/bugs-master.debian.org!120:600" @@ -2506,15 +2561,25 @@ services: check: "dsa_check_soas_add!alioth.debian.org!alioth.debian.org" hosts: global - - name: DNS SEC - signature expiry + name: DNS - delegation and signature expiry + hosts: global + remotecheck: "/usr/lib/nagios/plugins/dsa-check-zone-rrsig-expiration-many --warn 20d --critical 7d --geozonedir /srv/dns.debian.org/repositories/auto-dns/zones /srv/dns.debian.org/repositories/domains" + runfrom: denis + - + name: DNS - security delegations + hosts: global + remotecheck: "/usr/lib/nagios/plugins/dsa-check-dnssec-delegation --dir /srv/dns.debian.org/repositories/domains --dir /srv/dns.debian.org/repositories/auto-dns/zones check-header" + runfrom: denis + - + name: DNS - key coverage hosts: global - remotecheck: "/usr/lib/nagios/plugins/dsa-check-zone-rrsig-expiration-many --warn 20d --critical 7d --geozonedir /srv/dns.debian.org/geo/zones /srv/dns.debian.org/var/gitdns/domains" - runfrom: orff + remotecheck: "/usr/lib/nagios/plugins/dsa-check-statusfile /srv/dns.debian.org/var/nagios/coverage" + runfrom: denis - - name: DNS SEC - delegations + name: DNS - DS expiry hosts: global - remotecheck: "/usr/lib/nagios/plugins/dsa-check-dnssec-delegation --dir /srv/dns.debian.org/var/gitdns/domains --dir /srv/dns.debian.org/geo/zones check-header" - runfrom: orff + remotecheck: "/usr/lib/nagios/plugins/dsa-check-statusfile /srv/dns.debian.org/var/nagios/ds" + runfrom: denis ############ - @@ -2535,5 +2600,12 @@ services: remotecheck: "/usr/lib/nagios/plugins/dsa-check-msa-eventlog --start=7778 $HOSTADDRESS$ public" runfrom: dijkstra hosts: giustini + ############ + - + name: current chroots + nrpe: "/usr/lib/nagios/plugins/dsa-check-dchroots-current" + hostgroups: porterbox + normal_check_interval: 60 + retry_check_interval: 15 # vim: set ts=2 sw=2 et ai si fdm=marker: