icinga2-checks/check_opnsense_traffic_for_...

#!/usr/bin/env python3
import argparse
import sys
import traceback
from ipaddress import ip_network

import numpy as np
import requests
from urllib3.exceptions import InsecureRequestWarning

import checker.nagios as nagios
from checker import print_icinga2_check_status
from checker.http import get_with_retry
from checker.linuxfabric.base import get_state
from checker.markdown import list_to_markdown_table
from checker.units import filesize


def is_internet_traffic(ip):
    private_networks = [
        ip_network("10.0.0.0/8"),
        ip_network("172.16.0.0/12"),
        ip_network("192.168.0.0/16"),
    ]
    return not any(ip in network for network in private_networks)


def get_traffic_top(args, interface):
    response = requests.get(f'https://{args.opnsense}/api/diagnostics/traffic/top/{interface}',
                            headers={'Accept': 'application/json'}, auth=(args.key, args.secret), verify=False,
                            timeout=10)
    if response.status_code != 200:
        print(f'UNKNOWN: unable to query OPNsense API for {interface}: {response.status_code}\n{response.text}')
        sys.exit(nagios.UNKNOWN)
    return response.json()


def main():
    parser = argparse.ArgumentParser(description='Check OPNsense network traffic for a host.')
    parser.add_argument('--opnsense', required=True, help='OPNsense hostname or IP address.')
    parser.add_argument('--key', required=True, help='OPNsense API key.')
    parser.add_argument('--secret', required=True, help='OPNsense API secret.')
    parser.add_argument('--interface', required=True, help='Interface to check (e.g., lan). Can be something like "lan,wan"')
    parser.add_argument('--host', required=True, help='Address of the host to check.')
    parser.add_argument('--duration', default=10, type=int, help='How many seconds to gather statistics.')
    parser.add_argument('--fail-empty', action='store_true', help='If the API did not return any data, fail with UNKNOWN. Otherwise, assume that there was no traffic.')
    parser.add_argument('--bandwidth', type=float, required=True, help='Bandwidth speed in Mbps. Used to calculate percentage.')
    parser.add_argument('--bandwidth-critical', type=int, default=75, help='Critical if percent of bandwidth usage is greater than or equal to this.')
    parser.add_argument('--bandwidth-warn', type=int, default=50, help='Warning if percent of bandwidth usage is greater than or equal to this.')
    parser.add_argument('--conn-critical', type=int, default=-1, help='Set critical level for number of connections. Default: -1 (disabled).')
    parser.add_argument('--conn-warn', type=int, default=-1, help='Set warning level for number of connections. Default: -1 (disabled).')
    parser.add_argument('--timeout', type=int, default=10, help='Timeout in seconds for the HTTP requests to OPNsense. Default: 10.')
    args = parser.parse_args()

    check_result = {}
    interface_names = {}

    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

    # Map interface names to their internal names
    interfaces_mapping = requests.get(f'https://{args.opnsense}/api/diagnostics/traffic/interface',
                                      headers={'Accept': 'application/json'}, auth=(args.key, args.secret),
                                      verify=False, timeout=args.timeout)
    if interfaces_mapping.status_code != 200:
        print(
            f'UNKNOWN: unable to query OPNsense API for interface mappings: {interfaces_mapping.status_code}\n{interfaces_mapping.text}')
        sys.exit(nagios.UNKNOWN)
    interfaces_mapping = interfaces_mapping.json()['interfaces']
    interfaces_to_check = set(args.interface.split(','))
    for name, interface in interfaces_mapping.items():
        if interface['name'] in interfaces_to_check:
            interfaces_to_check.remove(interface['name'])
            interface_names[interface['name']] = name

    if not len(interface_names.keys()):
        print_icinga2_check_status('did not find any valid interface names! Double-check the name.', nagios.STATE_UNKNOWN)
        sys.exit(nagios.UNKNOWN)

    for name, interface in interface_names.items():
        # Fetch the data
        traffic_data = []
        for _ in range(args.duration):
            # start_time = time.time()
            response = get_with_retry('https://{args.opnsense}/api/diagnostics/traffic/top/{interface}',
                                      headers={'Accept': 'application/json'}, auth=(args.key, args.secret), verify=False,
                                      timeout=args.timeout)
            # end_time = time.time()
            # api_request_time = end_time - start_time

            if isinstance(response.json(), list):
                print_icinga2_check_status(f'OPNsense returned wrong datatype:\n{response.text}', nagios.STATE_UNKNOWN)
                sys.exit(nagios.STATE_UNKNOWN)

            for item in response.json().get(interface, {}).get('records', False):
                if item['address'] == args.host:
                    traffic_data.append(item)

            # adjusted_sleep_duration = max(1 - api_request_time, 0)
            # time.sleep(adjusted_sleep_duration)

        if not len(traffic_data) and args.fail_empty:
            print_icinga2_check_status(f'interface or host not found in OPNsense API response. Raw response:\n{traffic_data}', nagios.STATE_UNKNOWN)
            sys.exit(nagios.UNKNOWN)
        elif not len(traffic_data):
            # There was no traffic.
            check_result[name] = {
                'rate_in': 0,
                'rate_out': 0,
                'cumulative_in': 0,
                'cumulative_out': 0,
                'connections': 0
            }
        else:
            try:
                check_result[name] = {
                    'rate_in': np.average([x['rate_bits_in'] for x in traffic_data]),
                    'rate_out': np.average([x['rate_bits_out'] for x in traffic_data]),
                    'cumulative_in': np.average([x['cumulative_bytes_in'] for x in traffic_data]),
                    'cumulative_out': np.average([x['cumulative_bytes_out'] for x in traffic_data]),
                    'connections': int(np.average([len(x['details']) for x in traffic_data]))
                }
            except Exception as e:
                print_icinga2_check_status(f'failed to parse traffic data: {e}\n{traceback.format_exc()}\n{traffic_data}', nagios.STATE_UNKNOWN)
                sys.exit(nagios.UNKNOWN)

    warn_b_value = (args.bandwidth * args.bandwidth_warn / 100) * 1e+6
    crit_b_value = (args.bandwidth * args.bandwidth_critical / 100) * 1e+6

    exit_code = nagios.OK
    critical = []
    warn = []
    perf_data = []

    output_table = [
        ('Host', 'Interface', 'Rate In', 'Rate Out', 'Cumulative In', 'Cumulative Out', 'Connections', 'Status')
    ]

    def check_b(name, state, value):
        nonlocal exit_code
        if state == nagios.STATE_CRIT:
            critical.append((name, filesize(value)))
            exit_code = max(nagios.CRITICAL, exit_code)
            return '[CRITICAL]', exit_code
        elif state == nagios.STATE_WARN:
            warn.append((name, filesize(value)))
            exit_code = max(nagios.STATE_WARN, exit_code)
            return '[WARNING]', exit_code

    for name, data in check_result.items():
        status = '[OK]'

        in_state = get_state(data['rate_in'], warn_b_value, crit_b_value, 'ge')
        in_status, exit_code = check_b(name, in_state, data['rate_in'])

        out_state = get_state(data['rate_out'], warn_b_value, crit_b_value, 'ge')
        in_status, exit_code = check_b(name, out_state, data['rate_out'])

        conn_state = get_state(data['connections'], args.conn_warn, args.conn_critical, 'ge')
        conn_status, exit_code = check_b(name, conn_state, data['connections'])

        perf_data[f'{name}_rate_in'] = {'value': int(data["rate_in"]), 'warn': warn_b_value, 'crit': crit_b_value, 'unit': 'B'}
        perf_data[f'{name}_rate_out'] = {'value': int(data["rate_out"]), 'warn': warn_b_value, 'crit': crit_b_value, 'unit': 'B'}
        perf_data[f'{name}_cumulative_in'] = {'value': int(data["cumulative_in"]), 'warn': warn_b_value, 'crit': crit_b_value, 'unit': 'B'}
        perf_data[f'{name}_cumulative_out'] = {'value': int(data["cumulative_out"]), 'warn': warn_b_value, 'crit': crit_b_value, 'unit': 'B'}
        perf_data[f'{name}_connections'] = {'value': int(data["connections"]), 'warn': args.conn_warn, 'crit': args.conn_critical, 'unit': 'B'}

        output_table.append((args.host, name, filesize(data['rate_in']), filesize(data['rate_out']),
                             filesize(data['cumulative_in']), filesize(data['cumulative_out']), data['connections'],
                             status))

    if exit_code == nagios.STATE_OK:
        text_result = f'bandwidth is below {args.bandwidth} Mbps.'
    else:
        text_result = ', '.join([*critical, *warn])
    if len(check_result) > 1:
        text_result += list_to_markdown_table(output_table, align='left', seperator='!', borders=False)

    print_icinga2_check_status(text_result, exit_code, perf_data)
    sys.exit(exit_code)


if __name__ == "__main__":
    try:
        main()
    except Exception as e:
        print_icinga2_check_status(f'exception "{e}"\n{traceback.format_exc()}', nagios.STATE_UNKNOWN)
        sys.exit(nagios.UNKNOWN)
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`#!/usr/bin/env python3`
			`import argparse`
			`import sys`
			`import traceback`
working on refactor 2023-06-15 11:00:41 -06:00			`from ipaddress import ip_network`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00
			`import numpy as np`
			`import requests`
			`from urllib3.exceptions import InsecureRequestWarning`

			`import checker.nagios as nagios`
working on refactor 2023-06-15 11:00:41 -06:00			`from checker import print_icinga2_check_status`
			`from checker.http import get_with_retry`
			`from checker.linuxfabric.base import get_state`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`from checker.markdown import list_to_markdown_table`
merge dev 2023-04-21 23:54:20 -06:00			`from checker.units import filesize`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00

check_bandwidth: add regex ignore and better timing check_opnsense: restrict to internet, better timing 2023-05-26 17:06:27 -06:00			`def is_internet_traffic(ip):`
			`private_networks = [`
			`ip_network("10.0.0.0/8"),`
			`ip_network("172.16.0.0/12"),`
			`ip_network("192.168.0.0/16"),`
			`]`
			`return not any(ip in network for network in private_networks)`


			`def get_traffic_top(args, interface):`
			`response = requests.get(f'https://{args.opnsense}/api/diagnostics/traffic/top/{interface}',`
			`headers={'Accept': 'application/json'}, auth=(args.key, args.secret), verify=False,`
			`timeout=10)`
			`if response.status_code != 200:`
			`print(f'UNKNOWN: unable to query OPNsense API for {interface}: {response.status_code}\n{response.text}')`
			`sys.exit(nagios.UNKNOWN)`
			`return response.json()`


check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`def main():`
			`parser = argparse.ArgumentParser(description='Check OPNsense network traffic for a host.')`
			`parser.add_argument('--opnsense', required=True, help='OPNsense hostname or IP address.')`
			`parser.add_argument('--key', required=True, help='OPNsense API key.')`
			`parser.add_argument('--secret', required=True, help='OPNsense API secret.')`
fix NaNs on pve guest metrics, add opnsense bandwidth levels, 2023-05-06 14:51:50 -06:00			`parser.add_argument('--interface', required=True, help='Interface to check (e.g., lan). Can be something like "lan,wan"')`
merge dev 2023-04-21 23:54:20 -06:00			`parser.add_argument('--host', required=True, help='Address of the host to check.')`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`parser.add_argument('--duration', default=10, type=int, help='How many seconds to gather statistics.')`
fix NaNs on pve guest metrics, add opnsense bandwidth levels, 2023-05-06 14:51:50 -06:00			`parser.add_argument('--fail-empty', action='store_true', help='If the API did not return any data, fail with UNKNOWN. Otherwise, assume that there was no traffic.')`
			`parser.add_argument('--bandwidth', type=float, required=True, help='Bandwidth speed in Mbps. Used to calculate percentage.')`
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00			`parser.add_argument('--bandwidth-critical', type=int, default=75, help='Critical if percent of bandwidth usage is greater than or equal to this.')`
			`parser.add_argument('--bandwidth-warn', type=int, default=50, help='Warning if percent of bandwidth usage is greater than or equal to this.')`
			`parser.add_argument('--conn-critical', type=int, default=-1, help='Set critical level for number of connections. Default: -1 (disabled).')`
			`parser.add_argument('--conn-warn', type=int, default=-1, help='Set warning level for number of connections. Default: -1 (disabled).')`
check_opnsense_traffic_for_host: configurable timeout check_scrutiny_disks: dont error on no data 2023-06-10 21:24:18 -06:00			`parser.add_argument('--timeout', type=int, default=10, help='Timeout in seconds for the HTTP requests to OPNsense. Default: 10.')`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`args = parser.parse_args()`

			`check_result = {}`
			`interface_names = {}`

			`requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)`

			`# Map interface names to their internal names`
			`interfaces_mapping = requests.get(f'https://{args.opnsense}/api/diagnostics/traffic/interface',`
handle glitches on check opnsense traffic for host 2023-05-03 12:10:40 -06:00			`headers={'Accept': 'application/json'}, auth=(args.key, args.secret),`
check_opnsense_traffic_for_host: configurable timeout check_scrutiny_disks: dont error on no data 2023-06-10 21:24:18 -06:00			`verify=False, timeout=args.timeout)`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`if interfaces_mapping.status_code != 200:`
handle glitches on check opnsense traffic for host 2023-05-03 12:10:40 -06:00			`print(`
			`f'UNKNOWN: unable to query OPNsense API for interface mappings: {interfaces_mapping.status_code}\n{interfaces_mapping.text}')`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`sys.exit(nagios.UNKNOWN)`
			`interfaces_mapping = interfaces_mapping.json()['interfaces']`
			`interfaces_to_check = set(args.interface.split(','))`
			`for name, interface in interfaces_mapping.items():`
			`if interface['name'] in interfaces_to_check:`
			`interfaces_to_check.remove(interface['name'])`
			`interface_names[interface['name']] = name`

			`if not len(interface_names.keys()):`
working on refactor 2023-06-15 11:00:41 -06:00			`print_icinga2_check_status('did not find any valid interface names! Double-check the name.', nagios.STATE_UNKNOWN)`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`sys.exit(nagios.UNKNOWN)`

			`for name, interface in interface_names.items():`
			`# Fetch the data`
			`traffic_data = []`
			`for _ in range(args.duration):`
working on refactor 2023-06-15 11:00:41 -06:00			`# start_time = time.time()`
			`response = get_with_retry('https://{args.opnsense}/api/diagnostics/traffic/top/{interface}',`
			`headers={'Accept': 'application/json'}, auth=(args.key, args.secret), verify=False,`
			`timeout=args.timeout)`
			`# end_time = time.time()`
			`# api_request_time = end_time - start_time`

check_opnsense_traffic_for_host: unknown when list 2023-06-11 19:25:33 -06:00			`if isinstance(response.json(), list):`
working on refactor 2023-06-15 11:00:41 -06:00			`print_icinga2_check_status(f'OPNsense returned wrong datatype:\n{response.text}', nagios.STATE_UNKNOWN)`
			`sys.exit(nagios.STATE_UNKNOWN)`
check_opnsense_traffic_for_host: unknown when list 2023-06-11 19:25:33 -06:00
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`for item in response.json().get(interface, {}).get('records', False):`
			`if item['address'] == args.host:`
			`traffic_data.append(item)`
check_bandwidth: add regex ignore and better timing check_opnsense: restrict to internet, better timing 2023-05-26 17:06:27 -06:00
working on refactor 2023-06-15 11:00:41 -06:00			`# adjusted_sleep_duration = max(1 - api_request_time, 0)`
			`# time.sleep(adjusted_sleep_duration)`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00
handle glitches on check opnsense traffic for host 2023-05-03 12:10:40 -06:00			`if not len(traffic_data) and args.fail_empty:`
working on refactor 2023-06-15 11:00:41 -06:00			`print_icinga2_check_status(f'interface or host not found in OPNsense API response. Raw response:\n{traffic_data}', nagios.STATE_UNKNOWN)`
handle glitches on check opnsense traffic for host 2023-05-03 12:10:40 -06:00			`sys.exit(nagios.UNKNOWN)`
			`elif not len(traffic_data):`
fix NaNs on pve guest metrics, add opnsense bandwidth levels, 2023-05-06 14:51:50 -06:00			`# There was no traffic.`
handle glitches on check opnsense traffic for host 2023-05-03 12:10:40 -06:00			`check_result[name] = {`
fix traffic 2023-05-03 12:48:44 -06:00			`'rate_in': 0,`
			`'rate_out': 0,`
			`'cumulative_in': 0,`
			`'cumulative_out': 0,`
fix keyerror 2023-05-03 14:07:59 -06:00			`'connections': 0`
improve formatting 2023-05-03 12:12:07 -06:00			`}`
fix traffic 2023-05-03 12:48:44 -06:00			`else:`
			`try:`
			`check_result[name] = {`
			`'rate_in': np.average([x['rate_bits_in'] for x in traffic_data]),`
			`'rate_out': np.average([x['rate_bits_out'] for x in traffic_data]),`
			`'cumulative_in': np.average([x['cumulative_bytes_in'] for x in traffic_data]),`
			`'cumulative_out': np.average([x['cumulative_bytes_out'] for x in traffic_data]),`
			`'connections': int(np.average([len(x['details']) for x in traffic_data]))`
			`}`
			`except Exception as e:`
working on refactor 2023-06-15 11:00:41 -06:00			`print_icinga2_check_status(f'failed to parse traffic data: {e}\n{traceback.format_exc()}\n{traffic_data}', nagios.STATE_UNKNOWN)`
fix traffic 2023-05-03 12:48:44 -06:00			`sys.exit(nagios.UNKNOWN)`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00			`warn_b_value = (args.bandwidth * args.bandwidth_warn / 100) * 1e+6`
			`crit_b_value = (args.bandwidth * args.bandwidth_critical / 100) * 1e+6`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00
			`exit_code = nagios.OK`
			`critical = []`
			`warn = []`
			`perf_data = []`

check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00			`output_table = [`
			`('Host', 'Interface', 'Rate In', 'Rate Out', 'Cumulative In', 'Cumulative Out', 'Connections', 'Status')`
			`]`

working on refactor 2023-06-15 11:00:41 -06:00			`def check_b(name, state, value):`
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00			`nonlocal exit_code`
working on refactor 2023-06-15 11:00:41 -06:00			`if state == nagios.STATE_CRIT:`
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00			`critical.append((name, filesize(value)))`
working on refactor 2023-06-15 11:00:41 -06:00			`exit_code = max(nagios.CRITICAL, exit_code)`
			`return '[CRITICAL]', exit_code`
			`elif state == nagios.STATE_WARN:`
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00			`warn.append((name, filesize(value)))`
working on refactor 2023-06-15 11:00:41 -06:00			`exit_code = max(nagios.STATE_WARN, exit_code)`
			`return '[WARNING]', exit_code`
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00
			`for name, data in check_result.items():`
			`status = '[OK]'`

working on refactor 2023-06-15 11:00:41 -06:00			`in_state = get_state(data['rate_in'], warn_b_value, crit_b_value, 'ge')`
			`in_status, exit_code = check_b(name, in_state, data['rate_in'])`
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00
working on refactor 2023-06-15 11:00:41 -06:00			`out_state = get_state(data['rate_out'], warn_b_value, crit_b_value, 'ge')`
			`in_status, exit_code = check_b(name, out_state, data['rate_out'])`

			`conn_state = get_state(data['connections'], args.conn_warn, args.conn_critical, 'ge')`
			`conn_status, exit_code = check_b(name, conn_state, data['connections'])`

			`perf_data[f'{name}_rate_in'] = {'value': int(data["rate_in"]), 'warn': warn_b_value, 'crit': crit_b_value, 'unit': 'B'}`
			`perf_data[f'{name}_rate_out'] = {'value': int(data["rate_out"]), 'warn': warn_b_value, 'crit': crit_b_value, 'unit': 'B'}`
			`perf_data[f'{name}_cumulative_in'] = {'value': int(data["cumulative_in"]), 'warn': warn_b_value, 'crit': crit_b_value, 'unit': 'B'}`
			`perf_data[f'{name}_cumulative_out'] = {'value': int(data["cumulative_out"]), 'warn': warn_b_value, 'crit': crit_b_value, 'unit': 'B'}`
			`perf_data[f'{name}_connections'] = {'value': int(data["connections"]), 'warn': args.conn_warn, 'crit': args.conn_critical, 'unit': 'B'}`
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00
check_bandwidth: add regex ignore and better timing check_opnsense: restrict to internet, better timing 2023-05-26 17:06:27 -06:00			`output_table.append((args.host, name, filesize(data['rate_in']), filesize(data['rate_out']),`
			`filesize(data['cumulative_in']), filesize(data['cumulative_out']), data['connections'],`
			`status))`
check opnsense traffic: fix metrics 2023-05-06 15:55:46 -06:00
working on refactor 2023-06-15 11:00:41 -06:00			`if exit_code == nagios.STATE_OK:`
			`text_result = f'bandwidth is below {args.bandwidth} Mbps.'`
			`else:`
			`text_result = ', '.join([critical, warn])`
			`if len(check_result) > 1:`
			`text_result += list_to_markdown_table(output_table, align='left', seperator='!', borders=False)`

			`print_icinga2_check_status(text_result, exit_code, perf_data)`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`sys.exit(exit_code)`


			`if __name__ == "__main__":`
			`try:`
			`main()`
			`except Exception as e:`
working on refactor 2023-06-15 11:00:41 -06:00			`print_icinga2_check_status(f'exception "{e}"\n{traceback.format_exc()}', nagios.STATE_UNKNOWN)`
check opnsense traffic for host 2023-04-21 23:54:20 -06:00			`sys.exit(nagios.UNKNOWN)`