Old 02-08-2013, 11:03 AM   #1
lce411
Member
 
Registered: Jul 2012
Posts: 50

DNS key monitoring through Nagios


Is it possible to monitor DNSSEC key expiration through Nagios? If so, is it native or does it require a third-party tool? I've been trying to find something that will monitor our DNS key expiration dates and report the keys that are about to expire (>30 days). The ones I have found online seem to require numerous additional packages be installed and/or don't have a lot of support. Can anyone help me out?
 
Old 02-08-2013, 11:40 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,275

Quote:
Originally Posted by lce411 View Post
Is it possible to monitor DNSSEC key expiration through Nagios? If so, is it native or does it require a third-party tool? I've been trying to find something that will monitor our DNS key expiration dates and report the keys that are about to expire (>30 days). The ones I have found online seem to require numerous additional packages be installed and/or don't have a lot of support. Can anyone help me out?
Don't know of any right off, but writing your own Nagios script isn't difficult. Since you already know how to check that key and have a good idea of the parameters you're looking for, you're in a good spot. This tutorial is pretty detailed, and (if you know how to write a basic bash script), should be easy to modify for your needs.
http://community.spiceworks.com/how_...cripts-in-bash

Using it along with expchk should be a simple thing.
 
Old 02-08-2013, 12:45 PM   #3
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Quote:
Originally Posted by TB0ne View Post
Don't know of any right off, but writing your own Nagios script isn't difficult. Since you already know how to check that key and have a good idea of the parameters you're looking for, you're in a good spot. This tutorial is pretty detailed, and (if you know how to write a basic bash script), should be easy to modify for your needs.
http://community.spiceworks.com/how_...cripts-in-bash

Using it along with expchk should be a simple thing.
Thanks for the link. I'm having trouble figuring out the best way to query the zone-signing keys, to check the "Inactive" date. Would 'sed' work better than 'grep'? I would need to pass those results to another command (compare them to the current date), to verify if they are less than a set number of days from expiring. I could be confusing myself and over-thinking this, but it now seems like something that is out of my scripting ability.
 
Old 02-08-2013, 12:53 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Seen this?
https://www.dnssec-tools.org/wiki/in..._Modifications
 
Old 02-08-2013, 05:14 PM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,275

Quote:
Originally Posted by lce411 View Post
Thanks for the link. I'm having trouble figuring out the best way to query the zone-signing keys, to check the "Inactive" date. Would 'sed' work better than 'grep'? I would need to pass those results to another command (compare them to the current date), to verify if they are less than a set number of days from expiring. I could be confusing myself and over-thinking this, but it now seems like something that is out of my scripting ability.
Should be simple..just feed the output from expchk (script: https://www.dnssec-tools.org/svn/dns...scripts/expchk) into awk. Something like (UNTESTED...check output from expchk script)
Code:
var=$(expchk -all | awk '{print $2}')
..will put the number output into the variable you can now call as $var. From there, just do a simple check..if it's less than xx it's ok; greater than xx, warn; greater than yy, critical. Then you'll have three thresholds you can put into Nagios.
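The three-threshold idea above, carried through as a complete Nagios plugin. This is an added example written for this thread; it is not the dnssec-tools expchk script and not code from any poster. expchk's own usage line (quoted later in the thread) shows that it wants keyrec files, which dnssec-tools' zonesigner writes; a zone signed with plain dnssec-keygen/dnssec-signzone has no keyrec files, so this check instead reads the timing comments that dnssec-keygen puts into each K*.key file (the "; Inactive: YYYYMMDDHHMMSS" line mentioned in post #3). Assumed for the example: the key directory path, the warn/crit thresholds (30 and 7 days), the sample key file contents (constructed, with placeholder DNSKEY data) and the date 2013-02-08 used for the dry run. Nagios reads the plugin's first output line and maps exit codes 0/1/2/3 to OK/WARNING/CRITICAL/UNKNOWN.

```shell
#!/bin/sh
# check_dnssec_keys.sh: Nagios-style check for BIND DNSSEC key files.
# Added example for this thread, not the dnssec-tools expchk script.
# dnssec-keygen records timing metadata as comments in each K*.key file, e.g.
#   ; Inactive: 20130301000000 (Fri Mar  1 00:00:00 2013)
# This plugin reads those lines and maps "days until inactive" onto Nagios states.

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3   # standard Nagios plugin exit codes

# Days since 1970-01-01 for a YYYYMMDD string, in pure sh arithmetic
# (civil-to-days algorithm), so the check does not depend on GNU "date -d".
ymd_to_days() {
    ymd=$1
    y=${ymd%????}; md=${ymd#????}
    m=${md%??}; d=${md#??}
    m=${m#0}; d=${d#0}                       # "08" would otherwise be read as octal
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Print the YYYYMMDD part of the "; Inactive:" line of one key file (empty if absent).
inactive_date() {
    sed -n 's/^; Inactive: \([0-9]\{8\}\)[0-9]*.*$/\1/p' "$1"
}

# Days from $2 (today, YYYYMMDD) until the key in $1 goes inactive; prints "none"
# when the key carries no Inactive metadata (e.g. a KSK with no planned rollover).
days_until_inactive() {
    inact=$(inactive_date "$1")
    if [ -z "$inact" ]; then echo none; return 0; fi
    a=$(ymd_to_days "$inact"); b=$(ymd_to_days "$2")
    echo $((a - b))
}

# check_keys KEYDIR WARN_DAYS CRIT_DAYS TODAY(YYYYMMDD)
# Prints one Nagios status line and returns the matching exit code.
check_keys() {
    keydir=$1; warn=$2; crit=$3; today=$4
    state=$OK; detail=""; count=0
    for f in "$keydir"/K*.key; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        left=$(days_until_inactive "$f" "$today")
        name=${f##*/}
        if [ "$left" = none ]; then
            detail="$detail $name:no-inactive-date"
            continue
        fi
        detail="$detail $name:${left}d"
        if [ "$left" -le "$crit" ]; then
            state=$CRITICAL                   # at/under crit days (or already past)
        elif [ "$left" -le "$warn" ] && [ "$state" -ne "$CRITICAL" ]; then
            state=$WARNING
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "UNKNOWN - no K*.key files found in $keydir"
        return $UNKNOWN
    fi
    case $state in
        "$OK")      label=OK ;;
        "$WARNING") label=WARNING ;;
        *)          label=CRITICAL ;;
    esac
    echo "$label - $count key(s) checked:$detail"
    return $state
}

# Constructed sample key files for a dry run (made up for this example; the
# DNSKEY RDATA is a placeholder, not a real key). Prints the directory created.
make_sample_keys() {
    sdir=$(mktemp -d)
    printf '%s\n' \
        '; This is a zone-signing key, keyid 12345, for example.test.' \
        '; Created: 20121101000000 (Thu Nov  1 00:00:00 2012)' \
        '; Activate: 20121201000000 (Sat Dec  1 00:00:00 2012)' \
        '; Inactive: 20130301000000 (Fri Mar  1 00:00:00 2013)' \
        'example.test. IN DNSKEY 256 3 8 PLACEHOLDER-RDATA' \
        > "$sdir/Kexample.test.+008+12345.key"        # 21 days left on 2013-02-08: WARNING
    printf '%s\n' \
        '; This is a zone-signing key, keyid 54321, for example.test.' \
        '; Inactive: 20130210000000 (Sun Feb 10 00:00:00 2013)' \
        'example.test. IN DNSKEY 256 3 8 PLACEHOLDER-RDATA' \
        > "$sdir/Kexample.test.+008+54321.key"        # 2 days left: CRITICAL
    printf '%s\n' \
        '; This is a key-signing key, keyid 11111, for example.test.' \
        'example.test. IN DNSKEY 257 3 8 PLACEHOLDER-RDATA' \
        > "$sdir/Kexample.test.+008+11111.key"        # no Inactive line: reported only
    echo "$sdir"
}

# Entry point: check_dnssec_keys.sh KEYDIR [WARN_DAYS] [CRIT_DAYS], or --demo for a dry run.
main() {
    if [ "$1" = "--demo" ]; then
        sdir=$(make_sample_keys)
        check_keys "$sdir" 30 7 20130208; rc=$?
        rm -rf "$sdir"; return $rc
    fi
    [ -d "$1" ] || { echo "UNKNOWN - usage: $0 KEYDIR [WARN_DAYS] [CRIT_DAYS]"; return $UNKNOWN; }
    check_keys "$1" "${2:-30}" "${3:-7}" "$(date +%Y%m%d)"
}

# Run as a plugin only when given arguments; with none, just the functions are defined.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

`sh check_dnssec_keys.sh --demo` prints a CRITICAL line listing all three sample keys with their days left and exits 2; against a real directory, `define command` in Nagios as `check_dnssec_keys.sh /etc/named/keys 30 7` (path assumed) and the exit code drives the service state. A key whose Inactive date has already passed yields a negative day count and is treated as CRITICAL, which is the case a monitoring check most needs to catch; keys without an Inactive line are listed so that a key created without timing metadata does not silently escape the check.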
 
Old 02-11-2013, 03:30 PM   #6
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Quote:
Originally Posted by TB0ne View Post
Should be simple..just feed the output from expchk (script: https://www.dnssec-tools.org/svn/dns...scripts/expchk) into awk. Something like (UNTESTED...check output from expchk script)
Code:
var=$(expchk -all | awk '{print $2}')
..will put the number output into the variable you can now call as $var. From there, just do a simple check..if it's less than xx it's ok; greater than xx, warn; greater than yy, critical. Then you'll have three thresholds you can put into Nagios.
I installed the perl packages found here and tried running the script located at the link that was posted above, but got this error:
Code:
Can't locate Net/DNS/SEC/Tools/conf.pm in @INC (@INC contains: /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at ./zone_key_check.sh line 16.
BEGIN failed--compilation aborted at ./zone_key_check.sh line 16.
Does anyone know what else I need to install to resolve this?
 
Old 02-11-2013, 05:06 PM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,275

Quote:
Originally Posted by lce411 View Post
I installed the perl packages found here and tried running the script located at the link that was posted above, but got this error:
Code:
Can't locate Net/DNS/SEC/Tools/conf.pm in @INC (@INC contains: /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at ./zone_key_check.sh line 16.
BEGIN failed--compilation aborted at ./zone_key_check.sh line 16.
Does anyone know what else I need to install to resolve this?
Yes, download and install the dnssec-tools from:
https://www.dnssec-tools.org/wiki/in...g_DNSSEC-Tools

..the INSTALL file has good instructions on what dependencies you need, and where to get them. Not a tough install...

Last edited by TB0ne; 02-11-2013 at 05:24 PM.
 
Old 02-12-2013, 12:34 PM   #8
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Quote:
Originally Posted by TB0ne View Post
Yes, download and install the dnssec-tools from:
https://www.dnssec-tools.org/wiki/in...g_DNSSEC-Tools

..the INSTALL file has good instructions on what dependencies you need, and where to get them. Not a tough install...
Okay, I've got everything installed (I think). When I first tried to run the script I got this:
Code:
[root@ustc-dns1 keys]# /usr/local/sbin/zone_key_check.sh -all
usage:  expchk [options] <keyrec files>
        options:
                -all            show all zones
                -expired        show expired zones
                -valid          show valid zones
                -warn <num>     warn if expiration in <num> days
                -zone <name>    show the specified zone only
                -count          only show the count of matching zones
                -help           display this help message
                -Version        display version number
I tried different command line arguments, but I always get the 'help' screen in return. I tried running the command: /usr/local/sbin/zone_key_check.sh -valid /etc/named/keys/ but got nothing in return, just a new command-line. I also tried running the script with an actual zone key path in the command and it returned the same thing. I edited the dnssec-tools.conf file to reflect the correct command path names, but could not get any results from the command. Is there a specific command line format that I should use?
 
Old 02-12-2013, 01:43 PM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,275

Quote:
Originally Posted by lce411 View Post
Okay, I've got everything installed (I think). When I first tried to run the script I got this:
Code:
[root@ustc-dns1 keys]# /usr/local/sbin/zone_key_check.sh -all
usage:  expchk [options] <keyrec files>
        options:
                -all            show all zones
                -expired        show expired zones
                -valid          show valid zones
                -warn <num>     warn if expiration in <num> days
                -zone <name>    show the specified zone only
                -count          only show the count of matching zones
                -help           display this help message
                -Version        display version number
I tried different command line arguments, but I always get the 'help' screen in return. I tried running the command: /usr/local/sbin/zone_key_check.sh -valid /etc/named/keys/ but got nothing in return, just a new command-line. I also tried running the script with an actual zone key path in the command and it returned the same thing. I edited the dnssec-tools.conf file to reflect the correct command path names, but could not get any results from the command. Is there a specific command line format that I should use?
You're getting that because the expchk command needs an argument, and you're not providing one, so it's returning the help screen. Run the expchk command on its own first, and put in some of the options you see above. Try "-all", "-warn", or "-expired", to see what it returns. Parse that output with your script to check on what's up.

Can you also post the contents of zone_key_check.sh?? Unless we see that, we can't tell you what might be going on.
 
Old 02-12-2013, 02:00 PM   #10
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Quote:
Originally Posted by TB0ne View Post
You're getting that because the expchk command needs an argument, and you're not providing one, so it's returning the help screen. Run the expchk command on its own first, and put in some of the options you see above. Try "-all", "-warn", or "-expired", to see what it returns. Parse that output with your script to check on what's up.

Can you also post the contents of zone_key_check.sh?? Unless we see that, we can't tell you what might be going on.
The content of zone_key_check.sh is from the link you provided above (https://www.dnssec-tools.org/svn/dns...scripts/expchk). I named it that, so other admins could easily identify it. (I've since replaced the 'sh' with 'pl' since it's a perl script) I have tried using various command-line arguments and I never get any response about current or expiring keys. I was trying to get a response on the command-line before I start working on a script to parse the output and try to incorporate it into Nagios. I just want to make sure everything is working up to this point, but I can't get an expected response. I've spoken with the admin that has been working on our DNS and he says dnssec-signzone was used to incorporate the keys into the zone record and dnssec-keygen is used to generate the actual keys, so DNSSec tools were used, but I can't get them to cooperate!
 
Old 02-12-2013, 02:51 PM   #11
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,275

Quote:
Originally Posted by lce411 View Post
The content of zone_key_check.sh is from the link you provided above (https://www.dnssec-tools.org/svn/dns...scripts/expchk). I named it that, so other admins could easily identify it. (I've since replaced the 'sh' with 'pl' since it's a perl script)
Yes, but the name of that program is expchk, and should be named expchk.pl. It even has a man page under that name:
http://linux.die.net/man/1/expchk

Renaming it is a bit confusing.
Quote:
I have tried using various command-line arguments and I never get any response about current or expiring keys. I was trying to get a response on the command-line before I start working on a script to parse the output and try to incorporate it into Nagios. I just want to make sure everything is working up to this point, but I can't get an expected response. I've spoken with the admin that has been working on our DNS and he says dnssec-signzone was used to incorporate the keys into the zone record and dnssec-keygen is used to generate the actual keys, so DNSSec tools were used, but I can't get them to cooperate!
The syntax is:
Code:
expchk.pl -all <keyrec file name>
or something like this:
Code:
/usr/local/sbin/expchk.pl -all /etc/dnssec/filename
 
Old 02-12-2013, 03:07 PM   #12
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Quote:
Originally Posted by TB0ne View Post
Yes, but the name of that program is expchk, and should be named expchk.pl. It even has a man page under that name:
http://linux.die.net/man/1/expchk

Renaming it is a bit confusing.

The syntax is:
Code:
expchk.pl -all <keyrec file name>
or something like this:
Code:
/usr/local/sbin/expchk.pl -all /etc/dnssec/filename
I appreciate all the help so far. I renamed the script, as you suggested, and tried the command again and got nothing. Is this the right format for the key names: Kxxx.xxx.xxx.in-addr.arpa.+xxx+xxxxx.key, Kxxx.xxx.xxx.in-addr.arpa.+xxx.xxxxx.private, Kdomain.name.mil.+xxx+xxxxx.key? I entered
Code:
/usr/local/sbin/expchk.pl -all /etc/named/keys/filename
and it just returned to an empty command line.
 
Old 02-12-2013, 03:31 PM   #13
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,275

Quote:
Originally Posted by lce411 View Post
I appreciate all the help so far. I renamed the script, as you suggested, and tried the command again and got nothing. Is this the right format for the key names: Kxxx.xxx.xxx.in-addr.arpa.+xxx+xxxxx.key, Kxxx.xxx.xxx.in-addr.arpa.+xxx.xxxxx.private, Kdomain.name.mil.+xxx+xxxxx.key?
I believe so, yes.
Quote:
I entered
Code:
/usr/local/sbin/expchk.pl -all /etc/named/keys/filename
and it just returned to an empty command line.
Are your key files in that directory? And do you have any named "filename"??? What I gave above was just an example...you have to replace filename with the name of the file you want to check, including the path....
 
Old 02-13-2013, 08:36 AM   #14
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Quote:
Originally Posted by TB0ne View Post
I believe so, yes.

Are your key files in that directory? And do you have any named "filename"??? What I gave above was just an example...you have to replace filename with the name of the file you want to check, including the path....
I'm sorry, I meant to put that into italics. Yes, all our keys are in that directory and yes I have tried it with specific key file names and on the directory as a whole (/etc/named/keys/*). I have tried every command line argument that I could think of and nothing provides a response. The only thing that provides an expected response is the -Version argument; everything else gives me nothing.

Could I be missing a Perl add-on? I installed: Net::DNS, Net::DNS::SEC, Test::More, IO::Socket, MIME::Base64, Digest::MD5, and Digest::HMAC_MD5. These were the only ones that I saw listed as required or as prerequisites.

Last edited by lce411; 02-13-2013 at 08:37 AM.
 
Old 02-13-2013, 09:40 AM   #15
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 23,275

Quote:
Originally Posted by lce411 View Post
I'm sorry, I meant to put that into italics. Yes, all our keys are in that directory and yes I have tried it with specific key file names and on the directory as a whole (/etc/named/keys/*). I have tried every command line argument that I could think of and nothing provides a response. The only thing that provides an expected response is the -Version argument; everything else gives me nothing.

Could I be missing a Perl add-on? I installed: Net::DNS, Net::DNS::SEC, Test::More, IO::Socket, MIME::Base64, Digest::MD5, and Digest::HMAC_MD5. These were the only ones that I saw listed as required or as prerequisites.
Could be...did you install them?? They're listed as required because they're all used, so if you're missing one/more of them, things won't work correctly.
 