Check by-ssh
Overview
This plugin uses SSH to execute a command on a remote host, returning STDOUT and, in case of failure, STDERR and the command’s return code. With this information and with pattern matching on STDOUT, the plugin can alert with selectable severities.
Fact Sheet
Check Plugin Download |
https://github.com/Linuxfabrik/monitoring-plugins/tree/main/check-plugins/by-ssh |
Check Interval Recommendation |
Once a minute |
Can be called without parameters |
No |
Compiled for |
Linux |
Requirements |
command-line tool |
Help
usage: by-ssh [-h] [-V] [--always-ok] --command COMMAND
[--configfile CONFIGFILE] [--critical-pattern CRIT_PATTERN]
[--critical-regex CRIT_REGEX] [--disable-pseudo-terminal] -H
HOSTNAME [--identity IDENTITY] [--ipv4] [--ipv6] [-p PASSWORD]
[--port PORT] [--quiet] [--severity-retc {ok,warn,crit,unknown}]
[--severity-stderr {ok,warn,crit,unknown}]
[--severity-stdout {ok,warn,crit,unknown}]
[--severity-timeout {ok,warn,crit,unknown}]
[--skip-stderr SKIP_STDERR] [--skip-stdout SKIP_STDOUT]
[--ssh-option SSH_OPTION] [--shell] [--test TEST] [-u USERNAME]
[--warning-pattern WARN_PATTERN] [--warning-regex WARN_REGEX]
This plugin uses SSH to execute a command on a remote host, returning STDOUT
and, in case of failure, STDERR and the command's return code. With this
information and with pattern matching on STDOUT, the plugin can alert with
selectable severities.
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
--always-ok Always returns OK.
--command COMMAND SSH: Command that will be executed on the remote host.
--configfile CONFIGFILE
SSH: Specifies an alternative per-user configuration
file. If a configuration file is given on the command
line, the system-wide configuration file
(`/etc/ssh/ssh_config`) will be ignored. The default
for the per-user configuration file is
`~/.ssh/config`. If set to `none`, no configuration
files will be read.
--critical-pattern CRIT_PATTERN
Any line matching this pattern (case-insensitive) will
count as a critical. Can be specified multiple times.
--critical-regex CRIT_REGEX
Any line matching this python regex (case-insensitive)
will count as a critical. Can be specified multiple
times.
--disable-pseudo-terminal
SSH: Disable pseudo-terminal allocation.
-H HOSTNAME, --hostname HOSTNAME
SSH: Hostname
--identity IDENTITY SSH: Selects a file from which the identity (private
key) for public key authentication is read. You can
also specify a public key file to use the
corresponding private key that is loaded in ssh-
agent(1) when the private key file is not present
locally. The default is `~/.ssh/id_dsa`,
`~/.ssh/id_ecdsa`, `~/.ssh/id_ecdsa_sk`,
`~/.ssh/id_ed25519`, `~/.ssh/id_ed25519_sk` and
`~/.ssh/id_rsa`. Identity files may also be specified
on a per-host basis in the configuration file. It is
possible to have multiple --identity options (and
multiple identities specified in configuration files).
If no certificates have been explicitly specified by
the CertificateFile directive, ssh will also try to
load certificate information from the filename
obtained by appending `-cert.pub` to identity
filenames.
--ipv4 SSH: Forces ssh to use IPv4 addresses only.
--ipv6 SSH: Forces ssh to use IPv6 addresses only.
-p PASSWORD, --password PASSWORD
SSH: Password authentication. NOT RECOMMENDED.
Requires `sshpass`. If you need to use password-based
SSH login, run this plugin only on trusted hosts. `ps`
will expose the SSH password.
--port PORT SSH: Port to connect to on the remote host. This can
be specified on a per-host basis in the configuration
file. Default: 22
--quiet SSH: Quiet mode. Causes most warning and diagnostic
messages to be suppressed.
--severity-retc {ok,warn,crit,unknown}
Severity for alerting if there is a return code != 0.
Default: warn
--severity-stderr {ok,warn,crit,unknown}
Severity for alerting if there is an output on STDERR.
Default: warn
--severity-stdout {ok,warn,crit,unknown}
Severity for alerting if there is an output on STDOUT.
Default: ok
--severity-timeout {ok,warn,crit,unknown}
Severity on connection problems. Default: unknown
--skip-stderr SKIP_STDERR
Ignore all (0) or first n lines on STDERR. Default: -1
(no ignore)
--skip-stdout SKIP_STDOUT
Ignore all (0) or first n lines on STDOUT. Default: -1
(no ignore)
--ssh-option SSH_OPTION
SSH: Can be used to give options in the format used in
the configuration file. This is useful for specifying
options for which there is no separate command-line
flag. For full details of the options, and their
possible values, see ssh_config(5). Can be specified
multiple times.
--shell If specified, allows you to expand environment
variables and file globs according to the shell's
usual mechanism, which can be a security hazard.
Default: You just can run simple shell command without
globs, pipes etc.
--test TEST For unit tests. Needs "path-to-stdout-file,path-to-
stderr-file,expected-retc".
-u USERNAME, --username USERNAME
SSH: Username. Default: root
--warning-pattern WARN_PATTERN
Any line matching this pattern (case-insensitive) will
count as a warning. Can be specified multiple times.
--warning-regex WARN_REGEX
Any line matching this python regex (case-insensitive)
will count as a warning. Can be specified multiple
times.
Usage Examples
Simple example - returns CRIT if dmesg --level=emerg,alert,crit reports critical events:
./by-ssh \
--hostname appserver \
--username linuxfabrik \
--severity-stdout crit \
--command 'sudo dmesg --level=emerg,alert,crit'
Output:
[140369.507978] watchdog: BUG: soft lockup - CPU#0 stuck for 37858s! [swapper/0:0] [CRITICAL]
Now imagine a command status interface that prints to STDOUT like this:
eth0 Link encap:Ethernet HWaddr 00:01:4E:03:00:00
and much more output
ETH0 (Speed|Duplex): 1000Mb/s|Full
Command Result : 0 (Success)
You want to get a CRIT if the command does not return Command Result : 0. A very comprehensive plugin call that shows most of the options:
./by-ssh \
--configfile ~/.ssh/config \
--disable-pseudo-terminal \
--identity ~/.ssh/id_rsa1 \
--identity ~/.ssh/id_rsa2 \
--ipv6 \
--port 22 \
--quiet \
--ssh-option 'ConnectTimeout=3' \
--ssh-option 'MACs=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com' \
\
--severity-retc crit \
--severity-stderr ok \
--severity-timeout unknown \
--critical-regex 'command result : (?!0).*' \
\
--hostname appserver \
--username linuxfabrik \
--shell \
--command 'status interface | tail -1'
Get a WARNING if the /opt directory does NOT have rwxrwxrwx permissions, using a negative lookahead in a Python regular expression:
./by-ssh \
--hostname appserver \
--username linuxfabrik \
--warning-regex '^(?!drwxrwxrwx.*).*opt$' \
--command 'ls -ld /opt'
# another more consistent way using `stat` and a more readable regex (but same logic)
./by-ssh \
--hostname appserver \
--username linuxfabrik \
--warning-regex '^(?!777)\d{3}$' \
--command 'stat /opt -c %a'
Output in case of an error will look like this:
Command Result : 65535 (PSe2 Shell execution) [CRITICAL]
Calling an invalid command:
./by-ssh \
--hostname appserver \
--username linuxfabrik \
--command 'sudo gobbledygook'
Output:
retc: 1 [WARNING]; stderr: sudo: gobbledygook: command not found [WARNING]; stdout: None
States
States are computed in this particular order. The worst state is returned (CRIT before WARN before UNKNOWN before OK).
Output on STDOUT?
Depending on the given
--severity-stdout, returns OK (default), WARN, CRIT or UNKNOWN.Returns WARN depending on the results of
--warning-patternor--warning-regex.Returns CRIT depending on the results of
--critical-patternor--critical-regex.
Output on STDERR?
Depending on the given
--severity-stderr, returns OK, WARN (default), CRIT or UNKNOWN if there is output on STDERR.
Return code != 0?
Depending on the given
--severity-timeout, returns OK, WARN, CRIT or UNKNOWN (default) if SSH can’t connect.Depending on the given
--severity-retc, returns OK, WARN (default), CRIT or UNKNOWN if there is a return code != 0.
Perfdata / Metrics
Name |
Type |
Description |
|---|---|---|
remote_runtime |
Seconds |
Time connecting, running the command on the remote host and disconnecting. |
Credits, License
Authors: Linuxfabrik GmbH, Zurich; originally written by Dominik Riva, Universitätsspital Basel/Switzerland
License: The Unlicense, see LICENSE file.