Merge pull request #8521 from lucaferret/main

added checkmk syslog format
ntop · Jul 16, 2024 · adb44c7 · adb44c7
2 parents 4603c5d + 9ce11dd
commit adb44c7
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 35 deletions.
diff --git a/doc/src/alerts/available_recipients.rst b/doc/src/alerts/available_recipients.rst
@@ -5,37 +5,39 @@ Available Recipients
 
 Currently available Endpoints/Recipients and license required are: 
 
-+----------------+-----------+-----+--------------+--------------+
-|                | Community | Pro | Enterprise M | Enterprise L |
-+================+===========+=====+==============+==============+
-| Discord        | x         | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| Elasticsearch  |           | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| e-mail         | x         | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| Fail2Ban       |           | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| Mattermost     | x         | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| MS Teams       |           |     |              | x            |
-+----------------+-----------+-----+--------------+--------------+
-| PagerDuty      |           |     |              | x            |
-+----------------+-----------+-----+--------------+--------------+
-| Shell Script   | x         | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| Slack          | x         | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| Syslog         | x         | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| Telegram       | x         | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| Webhook        | x         | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
-| WeChat         |           |     |              | x            |
-+----------------+-----------+-----+--------------+--------------+
-| TheHive        |           | x   | x            | x            |
-+----------------+-----------+-----+--------------+--------------+
++---------------+-----------+-----+--------------+--------------+
+|               | Community | Pro | Enterprise M | Enterprise L |
++===============+===========+=====+==============+==============+
+| Discord       | x         | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| Elasticsearch |           | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| e-mail        | x         | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| Fail2Ban      |           | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| Mattermost    | x         | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| MS Teams      |           |     |              | x            |
++---------------+-----------+-----+--------------+--------------+
+| PagerDuty     |           |     |              | x            |
++---------------+-----------+-----+--------------+--------------+
+| Shell Script  | x         | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| Slack         | x         | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| Syslog        | x         | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| Syslog checkmk|           |     | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| Telegram      | x         | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| Webhook       | x         | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
+| WeChat        |           |     |              | x            |
++---------------+-----------+-----+--------------+--------------+
+| TheHive       |           | x   | x            | x            |
++---------------+-----------+-----+--------------+--------------+
 
 Below a guide on how to configure each Endpoint/Recipient.
 
@@ -393,6 +395,34 @@ Examples of JSON alerts sent to syslog are
    develv ntopng: {"entity_value":"ntopng","ifid":1,"action":"store","tstamp":1536245738,"type":"process_notification","entity_type":"host","message":"[<tstamp>]][Process] Stopped ntopng v.3.7.180906 (CentOS Linux release 7.5.1804 (Core) ) [pid: 4783][options: --interface \"eno1\" --interface \"lo\" --dump-flows \"[hidden]\" --https-port \"4433\" --dont-change-user ]","severity":"info"}
    devel ntopng: {"message":"[<tstamp>][Threshold Cross][Engaged] Minute traffic crossed by interface eno1 [891.58 KB > 1 Byte]","entity_value":"iface_0","ifid":0,"alert_key":"min_bytes","tstamp":1536247320,"type":"threshold_cross","action":"engage","severity":"error","entity_type":"interface"}
 
+**Checkmk**
+
+This format is used to track ntopng events within checkmk.
+
+Checkmk messages have the following format:
+
+.. code:: bash
+   [Checkmk@18662 sl="family_id" comment="(Interface) (Severity) (Type) (Entity) (Entity Value) (Action)" severity="severity"] ... and a plain text message...
+
+Fields have the following meanings:
+
+- :code: `sl`: an identifier of the event, used, for example, to perform searches.
+- :code: `comment`: contain the information described in the Plaintext section, except for timestamp, which is assigned by checkmk to the event.
+- :severity: `severity`: the severity of the alert.
+
+An example of Checkmk alert sent to syslog is
+
+.. code:: bash
+
+   devel ntopng: [Checkmk@18662 sl="4" comment=" (Interface: enp0s3) (Severity: Warning) (Flow) (Binary file/data transfer (attempt)) (vbox:43972 -> it.archive.ubuntu.com:80)  Binary file/data transfer (attempt)" severity="Warning"] Binary file/data transfer (attempt)
+
+
+The value for service level have to be manualy mapped inside Checkmk under `Global settings > Notifications > Service Levels`.
+
+The final result should look like the one showed in the image below.
+
+.. figure:: ../img/checkmk_service_level_association.png
+
 Telegram
 --------
 

diff --git a/doc/src/img/checkmk_service_level_association.png b/doc/src/img/checkmk_service_level_association.png
diff --git a/httpdocs/templates/pages/notifications/syslog/syslog_endpoint.template b/httpdocs/templates/pages/notifications/syslog/syslog_endpoint.template
@@ -7,11 +7,12 @@
         <select name="syslog_alert_format" class="form-select" required>
             <option value="plaintext">{{ i18n("notification_endpoint.syslog.text") }}</option>
             <option value="plaintextrfc">{{ i18n("notification_endpoint.syslog.text") }} (RFC 5424)</option>
-            <option value="json">Raw JSON</option>
+            <option value="json">Raw JSON2</option>
 {%
   if ntop.isEnterpriseM() then
 %}
             <option value="ecs">ECS</option>
+            <option value="checkmk">Checkmk</option>
 {%
   end
 %}

diff --git a/scripts/lua/modules/http_lint.lua b/scripts/lua/modules/http_lint.lua
@@ -195,7 +195,7 @@ end
 -- ##############################################
 
 local function validateSyslogFormat(p)
-   if p == "plaintext" or p == "plaintextrfc" or p == "json" or p == "ecs" then
+   if p == "plaintext" or p == "plaintextrfc" or p == "json" or p == "ecs" or p == "checkmk" then
       return true
    end
 

diff --git a/scripts/lua/modules/notifications/endpoints/syslog.lua b/scripts/lua/modules/notifications/endpoints/syslog.lua
@@ -102,6 +102,14 @@ function syslog.sendMessage(settings, notif, severity)
      else
         return false
      end
+   elseif syslog_format and syslog_format == "checkmk" then
+      if ntop.isEnterpriseM() then
+         package.path = dirs.installdir .. "/pro/scripts/lua/modules/?.lua;" .. package.path
+         local checkmk_format = require "checkmk_format"
+         msg = checkmk_format.format(json.decode(notif))
+      else 
+         return false
+      end
    else -- syslog_format == "plaintext" or "plaintextrfc"
       -- prepare a plain text message
       msg = format_utils.formatMessage(json.decode(notif), {
@@ -125,14 +133,18 @@ function syslog.sendMessage(settings, notif, severity)
       local info = ntop.getInfo()
       local pid = info.pid
 
-      if syslog_format and syslog_format == "plaintextrfc" then
+      if syslog_format and (syslog_format == "plaintextrfc" or syslog_format == "checkmk") then
          local iso_time = format_utils.formatEpochISO8601() -- "2020-11-19T18:31:21.003Z" (UTC)
 
          -- RFC5424 Format:
          -- <PRIO>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID MSG
          -- Example:
          -- <113>1 2020-11-19T18:31:21.003Z 192.168.1.1 ntopng 21365 ID1 -
-         msg = "<"..prio..">1 "..iso_time.." "..host.." "..tag.." "..pid.." - - "..msg
+         if syslog_format == "plaintextrfc" then 
+            msg = "<"..prio..">1 "..iso_time.." "..host.." "..tag.." "..pid.." - - "..msg
+         else
+            msg = "<"..prio..">1 "..iso_time.." "..host.." "..tag.." "..pid.." - "..msg
+         end
       else
          local log_time = os.date("%b %d %X") -- "Feb 25 09:58:12" (localtime)
          --local log_time = os.date("!%b %d %X") -- "Feb 25 09:58:12" (UTC)