[feature request] SSL Certificate Input #1971

Closed
mattyjones opened this issue Oct 30, 2016 · 8 comments

@mattyjones
Contributor

Feature Request

A telegraf input for SSL certificates and associated values.

Proposal:

I would like to write a telegraf input that could pull fields/values from an SSL certificate. I see the following data as useful:

    SHA1: E9C256B700DF43A5BF3134A09B3703726D10E4D4
    SubjectKeyId: CA9725EE546D2B525F0650AE5E713C7D09BE96F9
    SignatureAlgorithm: SHA256WithRSA
    PublicKeyAlgorithm: RSA
    DNSNames: [*.appspot.com *.thinkwithgoogle.com *.withgoogle.com *.withyoutube.com appspot.com thinkwithgoogle.com withgoogle.com withyoutube.com]
    NotBefore: 2016-10-19 13:43:38 -0400 EDT
    NotAfter: 2017-01-11 12:14:00 -0500 EST
    ExpiresIn: Expires in 73 days
    Issuer: Google Internet Authority G2
    AuthorityKeyId: 4ADD06161BBCF668B576F581B6BB621ABA5A812F

Current behavior:

Nothing currently exists that I am aware of.

Desired behavior:

All reasonable stats for the certificate tree for a given certificate

Use case:

I want alerts on my certificates expiring. I would like the dates to be in Influx along with the expire date, and then using Kapacitor I could say something along the lines of:

    // certExpirationAlert

    // Parameters
    var info = TRUE
    var warn = 30d
    var crit = 7d
    var period = 7d
    var every = 7d

    // Dataframe
    var data = batch
      |query('''SELECT expireDate FROM cert''')
        .period(period)
        .every(every)
        .groupBy('host')

    // Thresholds: fire when the time left drops below each limit
    // (assumes "stat" holds the time remaining until expiry)
    var alert = data
      |alert()
        .id('{{ index .Tags "host"}}/{alert_metric}')
        .message('{{ .ID }}:{{ index .Fields "stat" }}')
        .info(lambda: info)
        .warn(lambda: "stat" < warn)
        .crit(lambda: "stat" < crit)

@phemmer
Contributor

phemmer commented Oct 30, 2016

Telegraf is used for capturing time series data. Values that change. Most of those values do not change. The only one that does is the expiry time. For that see #1762

@mattyjones
Contributor Author

@phemmer Fair enough, I am unsure how I missed that. Thanks!

I will leave this here for now but I have no objection to closing this and using the above-mentioned input if no one else can think of a good use for this data.

@phemmer
Contributor

phemmer commented Oct 30, 2016

Perhaps a mixture of the two might be best. I think all that data is overkill, but some of it might be useful for tagging & filtering if you're monitoring a large number of servers with different certificates.

@mattyjones
Contributor Author

mattyjones commented Oct 30, 2016

Speaking to the above about the time series data, I completely agree. My reason for pulling everything is because data is cheap; if I am going to pull one thing I might as well pull it all. Who knows in the future how it could be used or what other inputs I could cross-reference with it.

I do agree on the overkill but I also believe when it comes to metrics, within reason, anything worth doing is worth overdoing. ;)

@phemmer
Contributor

phemmer commented Oct 30, 2016

Perhaps. For frequently polled data, that extra information can be detrimental though. It's a lot of data to have to store when you're really just after a single 4 or 8 byte number. More work for the time series DB (e.g. InfluxDB). It's also a lot of data to have to ignore when you're manually poking through the DB.
Though granted, I don't imagine this will be frequently polled.

But if I were to throw out a feature list, I would expect such a plugin to provide the following:

  • Expiry (obviously)
  • Cert subject, or CN at the least
  • Cert serial
  • Host IP (the actual IP of the host the plugin resolved and connected to).
  • Checksum (something small, like crc32, just to make sure we uniquely identify the cert)

In the case that a host name is used to connect to, I would expect the plugin to connect to all of the resolved IPs, instead of having to resort to random chance each time it runs.
In the case of both host names and IPs, I would also expect to be able to override the hostname for use with SNI. Probably even be able to provide multiple hostnames, and perform a full permutation of connection IPs, and SNI hostnames.
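
The feature list in the comment above (expiry, CN, serial, a small checksum, and probing one address with several SNI names), as an added Go example that is not Telegraf code or code from any participant in this thread. The names `selfSigned`, `serve` and `Probe`, the hosts `a.example` and `b.example`, and the fixed date are constructed for illustration; a single loopback listener stands in for each resolved IP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"hash/crc32"
	"math/big"
	"net/http/httptest"
	"time"
)

// selfSigned builds a constructed test certificate for one DNS name (fixture: errors ignored).
func selfSigned(name string, serial int64, notAfter time.Time) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serve starts a loopback TLS server; crypto/tls picks the certificate by SNI, else the first one.
func serve(certs ...tls.Certificate) string {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{Certificates: certs}
	srv.StartTLS()
	return srv.Listener.Addr().String()
}

// Probe dials addr (ip:port) with sni and returns the leaf's CN, serial, CRC32 and time left.
func Probe(addr, sni string, now time.Time) (string, string, uint32, time.Duration, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true}) // inspect only, never trust
	if err != nil {
		return "", "", 0, 0, err
	}
	defer conn.Close()
	c := conn.ConnectionState().PeerCertificates[0]
	return c.Subject.CommonName, c.SerialNumber.String(), crc32.ChecksumIEEE(c.Raw), c.NotAfter.Sub(now), nil
}

func main() {
	now := time.Date(2016, 10, 30, 0, 0, 0, 0, time.UTC) // constructed "current" time
	addr := serve(selfSigned("a.example", 1, now.AddDate(0, 0, 73)), selfSigned("b.example", 2, now.AddDate(0, 0, 5)))
	for _, sni := range []string{"a.example", "b.example", "other.example"} {
		fmt.Println(Probe(addr, sni, now))
	}
}
```

The same address returns a different certificate, with a different expiry, for each SNI name, and an unknown name gets the server's first certificate, which is why a probe that sends only one name can miss a certificate that is about to expire.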

@jcmcken
Contributor

jcmcken commented Apr 27, 2018

+1 on this functionality

Just to comment on the idea that Telegraf is only used for capturing time-series data:

Yep, and it's a shame, because it means people are either:

  • Pumping lots of static data into their Influx/other TS backends because they don't want to implement two separate tools. This has its own operational burden, but is easier than the second option (in my opinion), which is...
  • Implementing two separate tools with two separate storage mechanisms.

I believe InfluxDB itself has had various issues over time asking for implementation of a generic key-value store for exactly this reason. Kapacitor has related issues to this as well.

@danielnelson
Contributor

Here are a couple related pull requests:
#3829
#3768

@danielnelson
Contributor

We have the x509_cert plugin in 1.8, but it doesn't contain all the data requested above. @mattyjones Can you try using this plugin and open a new issue for any of the fields or functionality you feel is needed?
