From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4gh7rp23dDz338t for ; Thu, 18 Jun 2026 18:03:54 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1 raw public key) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "YR2" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4gh7rk6JtLz32c1 for ; Thu, 18 Jun 2026 18:03:50 +0000 (UTC) Received: from layka.disroot.org (layka.disroot.org [178.21.23.139]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPS id 4gh7rj3zDVz70p for ; Thu, 18 Jun 2026 18:03:49 +0000 (UTC) Authentication-Results: mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=ebjnVhHW; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org; dmarc=pass (policy=reject) header.from=disroot.org ARC-Seal: i=1; a=rsa-sha256; d=lists.ipfire.org; s=202003rsa; cv=none; t=1781805829; b=fNVUh+2rdEefKhKRiI6d2PQjS7lrzQTGlgEmWuIQTRLSuB0M6iRusww79r892Ma/AqOU0s lfkiFy6oqLiu24EcqyErqra4bWcWdxhiAfcI+Kjc/z97sWNGbcOzry26ua1LTNKyOG/4rH DJD0e0hL8AE6TZP4sU1QcMf1rilKBGOZQcoftohcFqxlD2DBNroARgQJGE1v4yBT1S/c9v OmhKmZI7cdDf8tF3NCw3BoYox9Y1zhqmhcDGsfa+p/2+XLbpKoMYbWy+c8w+nOPJrJpK41 J+AaPGeKFF34WSaHIt5DX3sj+ZTUgrX+iXrBMy1eTaxE4gHIFjlItwfOnXYFaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1781805829; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=oae7gJhso6T5baUnKE7zSf6lC85bNFJQuuJDpxs8qLk=; b=FMU+MVOjI/B8TsU0hg7WnyF9RCWPLj1eIu2zqjpK9Ak6X0Hfvaqnb0/c8s0YluVZTZzJk3 PtJTKyEwKxvFKNvdJQ5zyC5Zm1RxLuylq+vlJ5bi4hITDYilXnwX1wYQm1Pkc/U/EeRSBM ZVUgU6ZuhScLgCM153anP5gOMlsc1jxbFWuuBH9bbOmmnqUqSJ7xjpofvp7EQgya6ddLFM epYSHVtTzeDXK+SryOlfIU4BDY2CCsghcnYyjq/65BwRusv5xf7E8yYORT4GnKI1KYYXd4 L8WxoMnDO3Tswc+DZkAP5c2PIwuqnkRCWI0dJd4O1t/Y/8Q5GNxV46u8/rcZ7Q== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=ebjnVhHW; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org; dmarc=pass (policy=reject) header.from=disroot.org Received: from mail01.disroot.lan (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id 042652774F; Thu, 18 Jun 2026 20:03:49 +0200 (CEST) X-Virus-Scanned: SPAM Filter at disroot.org Received: from layka.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavis, port 10024) with ESMTP id a91aZCfZPftj; Thu, 18 Jun 2026 20:03:48 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1781805828; bh=DC0kfvKWxZ42vS2t5sjx9xJj/58nkc3hWMjRvTotSTs=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=ebjnVhHWlPS78YhLHmKNdx8+cWf8SHftIENH2T6MhoQirkTXTCiaC/9xxom1++sKp 7hCeXSaEbRvgDqMW/S83vWLRg9lQ7X6h+923WWGKp0wr7xsLMxFHnbMg8G+z+PQ/5f KzxrSkwAYYk6lXUN0dW+aQhVC6svVS4GLU6yECaTpJ7hUs/inqh6TgoQwstrP2JfMy hIbnJ2ZyN1dwZ01wcRyvkY6Er+5LPao326SkgF2F+96yLVlwPOQeXCuJbh7VUW0Gd3 6+pcBtuzFPEpO2wYHCMRCS/t5nEcEKSB6KkxpTWi+ZheRnbvV3V4M4suAUvts8n6pH UuQU0RSVBxqXg== Received: from chojin.roevenslambrechts.be (Chojin.roevenslambrechts.be [192.168.0.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (no client certificate requested) (Authenticated sender) by hachiman (MailScanner Milter) with SMTP id 05566551FAC; Thu, 18 Jun 2026 20:03:44 +0200 (CEST) From: Robin Roevens To: development@lists.ipfire.org, Michael Tremer Cc: Robin Roevens Subject: [PATCH] zabbix_agentd: Add support for kresd metrics Date: Thu, 18 Jun 2026 19:58:34 +0200 Message-ID: <20260618180341.35720-2-robin.roevens@disroot.org> In-Reply-To: <20260618180341.35720-1-robin.roevens@disroot.org> References: <20260618180341.35720-1-robin.roevens@disroot.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-RoevensLambrechts-MailScanner-ID: 05566551FAC.AD033 X-RoevensLambrechts-MailScanner: Found to be clean X-RoevensLambrechts-MailScanner-From: robin.roevens@disroot.org X-RoevensLambrechts-MailScanner-Watermark: 1782410625.46933@M2lvNzaxqTyrvog8fYB9DA X-Rspamd-Action: no action X-Spamd-Result: default: False [-5.01 / 11.00]; BAYES_HAM(-3.00)[100.00%]; R_DKIM_ALLOW(-1.65)[disroot.org:s=mail]; MID_CONTAINS_FROM(1.00)[]; DKIM_REPUTATION(-0.91)[-0.91458259578858]; R_MISSING_CHARSET(0.50)[]; DMARC_POLICY_ALLOW(-0.50)[disroot.org,reject]; R_SPF_ALLOW(-0.20)[+a]; SPF_REPUTATION_HAM(-0.15)[-0.14804339834727]; MIME_GOOD(-0.10)[text/plain]; TO_MATCH_ENVRCPT_SOME(0.00)[]; ASN(0.00)[asn:50673, ipnet:178.21.23.0/24, country:NL]; MISSING_XM_UA(0.00)[]; TO_DN_SOME(0.00)[]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1]; MIME_TRACE(0.00)[0:+]; MX_INFLIGHT(0.00)[disroot.org]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; RCVD_TLS_LAST(0.00)[]; RWL_MAILSPIKE_POSSIBLE(0.00)[178.21.23.139:from]; FROM_EQ_ENVFROM(0.00)[]; IP_REPUTATION_HAM(0.00)[asn: 50673(0.00), country: NL(-0.01), ip: 178.21.23.139(0.00)]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[disroot.org:+] X-Rspamd-Server: mail01.haj.ipfire.org X-Rspamd-Queue-Id: 4gh7rj3zDVz70p Add new UserParameter ipfire.kresd.stats.get for retrieval of kresd metrics using curl over unix-sockert. Add curl command to sudoers for Zabbix agent to be able to access the unix-socket. Signed-off-by: Robin Roevens --- config/zabbix_agentd/sudoers | 1 + config/zabbix_agentd/userparameter_ipfire.conf | 3 +++ 2 files changed, 4 insertions(+) diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 50a9e69de..13edfcce9 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -12,3 +12,4 @@ zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/sb zabbix ALL=(ALL) NOPASSWD: /usr/local/bin/openvpnctrl rw log, /usr/local/bin/wireguardctrl dump zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl +zabbix ALL=(ALL) NOPASSWD: /usr/bin/curl -s --unix-socket /var/run/knot-resolver/kres-api.sock http\://localhost/metrics/json diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf index e88c20298..a91e305a3 100644 --- a/config/zabbix_agentd/userparameter_ipfire.conf +++ b/config/zabbix_agentd/userparameter_ipfire.conf @@ -10,9 +10,12 @@ UserParameter=ipfire.captive.clients,awk -F ',' 'length($2) == 17 {sum += 1} END UserParameter=ipfire.services.get,sudo /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl # IPS throughput bypassed/scanned/whitelisted in bytes/type (JSON) UserParameter=ipfire.ips.throughput.get,sudo /usr/local/bin/getipstat -xm | awk 'BEGIN{ORS="";print "{"}/Chain IPS/{f=1}/BYPASSED/&&f{printf "\"bypassed\":%s",$2}/SCANNED/&&f{printf ",\"scanned\":%s",$2}/WHITELISTED/&&f{printf ",\"whitelisted\":%s",$2}/^$/{f=0}END{print "}"}' +# Knot DNS resolver statistics +UserParameter=ipfire.kresd.stats.get,sudo /usr/bin/curl -s --unix-socket /var/run/knot-resolver/kres-api.sock http://localhost/metrics/json # Addon: Guardian: Number of currently blocked IP's UserParameter=ipfire.guardian.blocked.count,sudo /usr/local/bin/getipstat | awk 'BEGIN{ORS="";c=0}/Chain GUARDIAN/{f=1}/DROP/&&f{c++}/^$/{f=0}END{print c}' # # Allow item key to be called with (unused) parameters. This allows the #SINGLETON method of discovering this item only when specific service is active Alias=ipfire.ips.throughput.get[]:ipfire.ips.throughput.get +Alias=ipfire.kresd.stats.get[]:ipfire.kresd.stats.get Alias=ipfire.guardian.blocked.count[]:ipfire.guardian.blocked.count \ No newline at end of file -- 2.54.0 -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.