It's time to announce a new monitoring plugin: check_sftp. This is a monitoring plugin to check SFTP server(s).
You might ask, why another check_sftp monitoring plugin?
To correctly monitor different kinds of SFTP servers, I created a list of requirements for an SFTP check plugin:
During my research I came across a couple of monitoring plugins which can be used to check an SFTP connection. But let's take a closer look at them.
None of these existing plugins would fulfill all of my own requirements. Time to create my own implementation.
But creating my own check_sftp.sh plugin from scratch wasn't as easy as I anticipated. During coding of the plugin I came across several issues. The main issue was that sftp (the command) does not accept a password as a parameter. This could be solved with a clever workaround: sshpass forwards a $SSHPASS variable to sftp.
Another problem was handling private keys (SSH identity files) that are encrypted with a passphrase. Similar to the password problem, there is no direct way of reading a passphrase from a submitted parameter (-p passphrase) to unlock a key. This needed to be solved using ssh-agent in the background.
But eventually these problems were all solved and check_sftp was ready.
Now with check_sftp published and ready, the usage is very easy and for most users self-explanatory. Here are a couple of use cases.
Defining a user (-u) and a password (-p) tells the plugin to switch to password authentication mode:
$ ./check_sftp.sh -H sftp.example.com -u sftpuser -p verysecret
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672123986) into/from remote directory (monitoring) worked.|checktime=0s;;;;
The plugin also supports connecting to a different port, if SFTP/SSH listens on a different port than the default (default: 22):
$ ./check_sftp.sh -H sftp.example.com -P 2222 -u sftpuser -p verysecret
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672123986) into/from remote directory (monitoring) worked.|checktime=0s;;;;
By default, the plugin uses "monitoring" as remote directory. The plugin will create the remote directory on the SFTP server and upload a temporary file into that directory. Depending on the SFTP user, maybe only a specific directory is writeable. The plugin can be told to use a different remote directory instead by defining the -d parameter:
$ ./check_sftp.sh -H sftp.example.com -u sftpuser -d writedir
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672138346) into/from remote directory (writedir) worked.|checktime=1s;;;;
Using key authentication is much more secure than using password authentication. The plugin supports key authentication, too, by defining a key file with the -i parameter:
$ ./check_sftp.sh -H sftp.example.com -u sftpuser -i ~/.ssh/id_rsa
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672124527) into/from remote directory (monitoring) worked.|checktime=1s;;;;
As you may notice, there was no passphrase required for the key. This could mean that the private key is not encrypted and can be used without unlocking or it could mean that the private key was already added into ssh-agent and is listed under the output of ssh-add -l.
When running check_sftp inside a monitoring solution, such as Nagios or Icinga, the executing user (usually nagios) is usually not running ssh-agent. An encrypted private key therefore needs to be unlocked on the fly with a passphrase. This can be achieved by defining a private key (using -i) and the password parameter (-p). When both -i and -p are used in combination, the plugin knows it needs to unlock the defined private key and add it into a temporary ssh-agent session.
$ ./check_sftp.sh -H sftp.example.com -u sftpuser -i ~/.ssh/id_rsa -p passphrase
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672124662) into/from remote directory (monitoring) worked.|checktime=1s;;;;
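One way to do the on-the-fly unlock described above, as an added example that is not check_sftp's own code: the key is added to a throwaway ssh-agent through an askpass helper, and the agent is removed afterwards. The passphrase is read from an environment variable (the name KEY_PASSPHRASE and all function names are assumptions) rather than from a command-line argument, since arguments are visible in the process list.

```bash
#!/usr/bin/env bash
# Added example, not check_sftp's own code. Assumed names: KEY_PASSPHRASE,
# start_temp_agent, stop_temp_agent, agent_has_key.

# start_temp_agent KEYFILE: unlock KEYFILE into a throwaway ssh-agent.
# Returns 0 on success, 1 on setup failure, 2 if the key could not be added.
start_temp_agent() {
  local key=$1 out
  [ -n "${KEY_PASSPHRASE:-}" ] || return 1
  AGENT_DIR=$(mktemp -d) || return 1        # created with mode 0700
  # askpass helper: prints the passphrase from the environment, so the secret
  # is never written to disk or placed in argv. It answers only once, because
  # ssh-add re-prompts after a wrong passphrase and would loop forever.
  cat > "$AGENT_DIR/askpass" <<'EOF'
#!/bin/sh
[ -e "$0.used" ] && exit 1
: > "$0.used"
printf '%s\n' "$KEY_PASSPHRASE"
EOF
  chmod 700 "$AGENT_DIR/askpass"
  out=$(ssh-agent -s -a "$AGENT_DIR/agent.sock") || { rm -rf "$AGENT_DIR"; return 1; }
  eval "$out" >/dev/null                    # exports SSH_AUTH_SOCK and SSH_AGENT_PID
  # With stdin not a tty and DISPLAY set, ssh-add asks the helper instead of
  # a terminal; SSH_ASKPASS_REQUIRE=force makes that explicit on OpenSSH 8.4+.
  if ! KEY_PASSPHRASE=$KEY_PASSPHRASE DISPLAY=none SSH_ASKPASS_REQUIRE=force \
       SSH_ASKPASS="$AGENT_DIR/askpass" ssh-add "$key" </dev/null >/dev/null 2>&1; then
    stop_temp_agent
    return 2
  fi
}

# stop_temp_agent: kill the agent and remove its socket and the helper.
stop_temp_agent() {
  if [ -n "${SSH_AGENT_PID:-}" ]; then kill "$SSH_AGENT_PID" 2>/dev/null || true; fi
  if [ -n "${AGENT_DIR:-}" ]; then rm -rf "$AGENT_DIR"; fi
  unset SSH_AGENT_PID SSH_AUTH_SOCK AGENT_DIR
}

# agent_has_key KEYFILE: true if the running agent holds KEYFILE's key.
agent_has_key() {
  local fp
  fp=$(ssh-keygen -lf "$1.pub" | awk '{print $2}') || return 1
  ssh-add -l 2>/dev/null | grep -qF "$fp"
}

# Usage inside a check (batch file name is a placeholder):
#   start_temp_agent ~/.ssh/id_rsa && trap stop_temp_agent EXIT
#   sftp -b batchfile sftpuser@sftp.example.com
```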
As always, documentation for the check_sftp monitoring plugin was created. The documentation contains basic information about the usage but also shows different use case examples and integration into Nagios, Icinga 1, Icinga 2, Shinken and Naemon monitoring software.