check_sftp (SFTP server monitoring plugin)

Last update: December 28, 2022

This is a monitoring plugin written in Bash to check SFTP servers. The plugin supports both key and password authentication. Both unencrypted and passphrase-encrypted private keys are supported. The plugin attempts to establish a connection to the specified SFTP server (-H). After a successful connection, it uploads a temporary file into the specified remote directory (-d) and then downloads it again.

Commercial support

If you are looking for commercial support for this monitoring plugin, need customized modifications or in general customized monitoring plugins, contact us at Infiniroot.com.

Download

Download check_sftp.sh

Download the plugin and save it in your Nagios/monitoring plugin folder (usually /usr/lib/nagios/plugins, depending on your distribution). Afterwards, adjust the permissions (usually chmod 755).

Community contributions are welcome on the GitHub repository.

Version history / Changelog

20221223 1.0.0: Public release
20221223 1.0.1: Add private key authentication with passphrase (issue #1)
20221227 1.0.2: Adjust help, add key auth commands requirement, debug clean

Requirements

  • sftp command (apt install openssh-client)
  • sshpass command when using password authentication (apt install sshpass)
  • ssh-agent and ssh-add commands when using key authentication (apt install openssh-client)

Definition of the parameters

Parameter Description
-H * Hostname or ip address of SFTP server
-P Port (default: 22)
-u Username for SFTP login (default: $USER from the shell environment)
-p Password for SFTP login. Supplying a password enables password authentication, unless an identity file (-i) is also given; in that case the value is used as the passphrase for the private key
-i Identity file/Private Key for Key Authentication (example: '~/.ssh/id_rsa')
-o Additional SSH options (-o ...) to be added (default: '-o StrictHostKeyChecking=no ')
-d Remote directory to use for upload/download (default: monitoring)
-t Local temp directory (default: /tmp)
-v Verbose mode (shows sftp commands and output)
-h Shows help

* mandatory parameter

Usage / running the plugin on the command line

Usage:

./check_sftp.sh -H SFTPServer [-P port] [-u username] [-p password] [-i privatekey] [-o options] [-d remotedir] [-t tmpdir] [-v]

Example: SFTP check using password authentication. Supplying a username and password enables password authentication in the plugin.

./check_sftp.sh -H sftp.example.com -u sftpuser -p verysecret
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672123986) into/from remote directory (monitoring) worked.|checktime=0s;;;;

Example: SFTP check using a different SSH port. Specifying a port overrides the default port (22).

./check_sftp.sh -H sftp.example.com -P 2222 -u sftpuser -p verysecret
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672123986) into/from remote directory (monitoring) worked.|checktime=0s;;;;

Example: SFTP check using key authentication. Specifying a private key as identity file (-i) enables key authentication in the plugin.

./check_sftp.sh -H sftp.example.com -u sftpuser -i ~/.ssh/id_rsa
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672124527) into/from remote directory (monitoring) worked.|checktime=1s;;;;

Example: SFTP check using key authentication with encrypted private key. When using key authentication (-i), the password parameter (-p) can be used to define the passphrase to unlock the private key.

./check_sftp.sh -H sftp.example.com -u sftpuser -i ~/.ssh/id_rsa -p passphrase
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672124662) into/from remote directory (monitoring) worked.|checktime=1s;;;;
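
The default value of -o ('-o StrictHostKeyChecking=no ') makes the check accept unknown host keys without verification. The following preflight helper is an added example, not part of check_sftp.sh: it builds a stricter -o value only if the server is listed in a dedicated known_hosts file and the private key is not accessible to group or other. Assumptions: the function names and file paths are hypothetical, the known_hosts file is unhashed and its path contains no whitespace, and the plugin hands the -o value to sftp as separate words, as the form of its default suggests.

```bash
#!/usr/bin/env bash
# Added example, not part of check_sftp.sh. Function names and paths are assumptions.

# Succeeds only if the key file exists and has no group/other permission bits.
key_is_private() {
  local perms
  perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
  [ "$perms" = "------" ]
}

# Succeeds if an unhashed known_hosts file lists the host; OpenSSH stores
# non-default ports as "[host]:port".
host_is_pinned() {
  local file="$1" host="$2" port="${3:-22}" want
  if [ "$port" = "22" ]; then want="$host"; else want="[$host]:$port"; fi
  [ -r "$file" ] || return 1
  awk -v want="$want" '
    $1 !~ /^[#@]/ {
      n = split($1, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == want) found = 1
    }
    END { exit !found }' "$file"
}

# Prints the value for the plugin's -o parameter, or returns 3 (UNKNOWN in the
# Nagios plugin exit code convention) when a precondition fails.
strict_sftp_options() {
  local known_hosts="$1" host="$2" port="${3:-22}" key="${4:-}"
  if [ -n "$key" ] && ! key_is_private "$key"; then
    echo "CHECK_SFTP UNKNOWN: $key is missing or accessible to group/other" >&2
    return 3
  fi
  if ! host_is_pinned "$known_hosts" "$host" "$port"; then
    echo "CHECK_SFTP UNKNOWN: no pinned key for $host:$port in $known_hosts" >&2
    return 3
  fi
  printf '%s' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$known_hosts"
}

# Usage with constructed values:
#   opts=$(strict_sftp_options /etc/nagios/sftp_known_hosts sftp.example.com 22 \
#          /home/nagios/sftp_example_com_key) &&
#   ./check_sftp.sh -H sftp.example.com -u sftpuser \
#     -i /home/nagios/sftp_example_com_key -o "$opts"
```

The pinned known_hosts file should be populated once from a host key fingerprint confirmed with the server operator, so that a later key change surfaces as a failed check.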

Command definition

Command definition in Nagios, Icinga 1.x, Shinken, Naemon

The following command definition passes any optional parameters through ARG3.

# 'check_sftp' command definition using password authentication
define command{
  command_name check_sftp
  command_line $USER1$/check_sftp.sh -H $HOSTADDRESS$ -u $ARG1$ -p $ARG2$ $ARG3$
}

An alternative definition that takes a private key path for key authentication. Additional parameters can be passed through ARG3.

# 'check_sftp' command definition using key authentication
define command{
  command_name check_sftp
  command_line $USER1$/check_sftp.sh -H $HOSTADDRESS$ -u $ARG1$ -i $ARG2$ $ARG3$
}

Command definition in Icinga 2.x

object CheckCommand "check_sftp" {
  import "plugin-check-command"
  command = [ PluginDir + "/check_sftp.sh" ]

  arguments = {
    "-H" = "$sftp_address$"
    "-P" = "$sftp_port$"
    "-u" = "$sftp_user$"
    "-p" = "$sftp_password$"
    "-i" = "$sftp_keyfile$"
    "-o" = "$sftp_options$"
    "-d" = "$sftp_directory$"
    "-t" = "$sftp_tmpdir$"
    "-v" = {
      set_if = "$sftp_verbose$"
    }
  }

  vars.sftp_address = "$address$"
  vars.sftp_verbose = false
  vars.sftp_port = "22"
  vars.sftp_directory = "monitoring"
  vars.sftp_tmpdir = "/tmp"
}

Service definition

Service definition in Nagios, Icinga 1.x, Shinken, Naemon

# Check SFTP using password auth
define service{
  use generic-service
  host_name sftp.example.com
  service_description SFTP
  check_command check_sftp!sftpuser!password
}

# Check SFTP using key auth
define service{
  use generic-service
  host_name sftp.example.com
  service_description SFTP
  check_command check_sftp!sftpuser!/home/nagios/sftp_example_com_key!-p passphrase
}

Service object definition Icinga 2.x

# Check SFTP using password authentication
object Service "SFTP" {
  import "generic-service"
  host_name = "sftp.example.com"
  check_command = "check_sftp"
  vars.sftp_user = "sftpuser"
  vars.sftp_password = "password"
}

# Check SFTP using key authentication and key passphrase
object Service "SFTP" {
  import "generic-service"
  host_name = "sftp.example.com"
  check_command = "check_sftp"
  vars.sftp_user = "sftpuser"
  vars.sftp_keyfile = "/home/nagios/sftp_example_com_key"
  vars.sftp_password = "passphrase"
}
