Add fail2ban CheckCommand definition

The check_fail2ban plugin use the fail2ban-client binary
to monitor fail2ban jails.

diff --git a/doc/10-icinga-template-library.md b/doc/10-icinga-template-library.md
index 3ff76f7f40fb92a554b11bc133f25614d95d0e03..6c72cc46352ff292724c87667ecb8063947fc86a 100644 (file)
--- a/doc/10-icinga-template-library.md
+++ b/doc/10-icinga-template-library.md
@@ -2993,6 +2993,33 @@ lsyncd_statfile         | **Optional.** Set status file path (default: /var/run/
 lsyncd_warning          | **Optional.** Warning if more than N delays (default: 10).
 lsyncd_critical         | **Optional.** Critical if more then N delays (default: 100).
 
+#### fail2ban <a id="plugin-contrib-command-fail2ban"></a>
+
+The [check_fail2ban](https://github.com/fail2ban/fail2ban/tree/master/files/nagios) plugin
+uses the `fail2ban-client` binary to monitor [fail2ban](http://www.fail2ban.org) jails.
+
+The plugin requires `sudo` permissions.
+You can add a sudoers file to allow your monitoring user to use the plugin, i.e. edit /etc/sudoers.d/icinga and add:
+```
+icinga ALL=(root) NOPASSWD:/usr/lib/nagios/plugins/check_fail2ban
+```
+
+and set the correct permissions:
+```bash
+chown -c root: /etc/sudoers.d/icinga
+chmod -c 0440 /etc/sudoers.d/icinga
+```
+
+Custom attributes passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
+
+Name                    | Description
+------------------------|---------------------------------------------------------------------------
+fail2ban_display        | **Optional.** To modify the output display, default is 'CHECK FAIL2BAN ACTIVITY'
+fail2ban_path           | **Optional.** Specify the path to the tw_cli binary, default value is /usr/bin/fail2ban-client
+fail2ban_warning        | **Optional.** Specify a warning threshold, default is 1
+fail2ban_critical       | **Optional.** Specify a critical threshold, default is 2
+fail2ban_socket         | **Optional.** Specify a socket path, default is unset
+fail2ban_perfdata       | **Optional.** If set to true, activate the perfdata output, default value for the plugin is set to true.
 
 ### Operating System <a id="plugin-contrib-operating-system"></a>
 

diff --git a/itl/plugins-contrib.d/network-services.conf b/itl/plugins-contrib.d/network-services.conf
index 989a9eb05e3a54bb3fcc785c64b2b80fe6a77aac..d8034fe8bfb3d83d09d82dee736a44826bded2de 100644 (file)
--- a/itl/plugins-contrib.d/network-services.conf
+++ b/itl/plugins-contrib.d/network-services.conf
@@ -101,3 +101,36 @@ object CheckCommand "lsyncd" {
                }
        }
 }
+
+object CheckCommand "fail2ban" {
+       command = [ "sudo", PluginDir + "/check_fail2ban" ]
+
+       arguments = {
+               "-D" = {
+                       value = "$fail2ban_display$"
+                       description = "To modify the output display, default is 'CHECK FAIL2BAN ACTIVITY'"
+               }
+               "-P" = {
+                       value = "$fail2ban_path$"
+                       description = "Specify the path to the tw_cli binary, default value is /usr/bin/fail2ban-client"
+               }
+               "-w" = {
+                       value = "$fail2ban_warning$"
+                       description = "Specify a warning threshold, default is 1"
+               }
+               "-c" = {
+                       value = "$fail2ban_critical$"
+                       description = "Specify a critical threshold, default is 2"
+               }
+               "-s" = {
+                       value = "$fail2ban_socket$"
+                       description = "Specify a socket path, default is unset"
+               }
+               "-p" = {
+                       set_if = "$fail2ban_perfdata$"
+                       description = "If set to true, activate the perfdata output"
+               }
+       }
+
+       vars.fail2ban_perfdata = true
+}