Kapisi/roles/Sharingan/templates/monitrc.j2

###############################################################################
## Monit control file
###############################################################################
##
## Comments begin with a '#' and extend through the end of the line. Keywords
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
##
## Below you will find examples of some frequently used statements. For
## information about the control file and a complete list of statements and
## options, please have a look in the Monit manual.
##
##
###############################################################################
## Global section
###############################################################################
set daemon  30              # check services at 30 seconds intervals
    with start delay 240    # optional: delay the first check by 4-minutes (by
                            # default Monit check immediately after Monit start)
#
## Set syslog logging. If you want to log to a standalone log file instead,
## specify the full path to the log file
#
set log syslog

#
#
## Set the location of the Monit lock file which stores the process id of the
## running Monit instance. By default this file is stored in $HOME/.monit.pid
#
# set pidfile /var/run/monit.pid
#
## Set the location of the Monit id file which stores the unique id for the
## Monit instance. The id is generated and stored on first Monit start. By
## default the file is placed in $HOME/.monit.id.
#
# set idfile /var/.monit.id
#
## Set the location of the Monit state file which saves monitoring states
## on each cycle. By default the file is placed in $HOME/.monit.state. If
## the state file is stored on a persistent filesystem, Monit will recover
## the monitoring state across reboots. If it is on temporary filesystem, the
## state will be lost on reboot which may be convenient in some situations.
#
# set statefile /var/.monit.state
#
#

## Set limits for various tests. The following example shows the default values:
##
# set limits {
#     programOutput:     512 B,      # check program's output truncate limit
#     sendExpectBuffer:  256 B,      # limit for send/expect protocol test
#     fileContentBuffer: 512 B,      # limit for file content test
#     httpContentBuffer: 1 MB,       # limit for HTTP content test
#     networkTimeout:    5 seconds   # timeout for network I/O
#     programTimeout:    300 seconds # timeout for check program
#     stopTimeout:       30 seconds  # timeout for service stop
#     startTimeout:      30 seconds  # timeout for service start
#     restartTimeout:    30 seconds  # timeout for service restart
# }

## Set global SSL options (just most common options showed, see manual for
## full list).
#
# set ssl {
#     verify     : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
#     selfsigned : allow   # allow self signed SSL certificates (reject by default)
#}
#
#
## Set the list of mail servers for alert delivery. Multiple servers may be
## specified using a comma separator. If the first mail server fails, Monit
# will use the second mail server in the list and so on. By default Monit uses
# port 25 - it is possible to override this with the PORT option.
#
# set mailserver mail.bar.baz,               # primary mailserver
#                backup.bar.baz port 10025,  # backup mailserver on port 10025
#                localhost                   # fallback relay
#
#
## By default Monit will drop alert events if no mail servers are available.
## If you want to keep the alerts for later delivery retry, you can use the
## EVENTQUEUE statement. The base directory where undelivered alerts will be
## stored is specified by the BASEDIR option. You can limit the queue size
## by using the SLOTS option (if omitted, the queue is limited by space
## available in the back end filesystem).
#
# set eventqueue
#     basedir /var/monit  # set the base directory where events will be stored
#     slots 100           # optionally limit the queue size
#
#
## Send status and events to M/Monit (for more information about M/Monit
## see https://mmonit.com/). By default Monit registers credentials with
## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
## have to register Monit credentials manually in M/Monit. It is possible to
## disable credential registration using the commented out option below.
## Though, if safety is a concern we recommend instead using https when
## communicating with M/Monit and send credentials encrypted. The password
## should be URL encoded if it contains URL-significant characters like
## ":", "?", "@". Default timeout is 5 seconds, you can customize it by
## adding the timeout option.
#
# set mmonit http://monit:monit@192.168.1.10:8080/collector
#     # with timeout 30 seconds              # Default timeout is 5 seconds
#     # and register without credentials     # Don't register credentials
#
#
## Monit by default uses the following format for alerts if the mail-format
## statement is missing::
## --8<--
## set mail-format {
##   from:    Monit <monit@$HOST>
##   subject: monit alert --  $EVENT $SERVICE
##   message: $EVENT Service $SERVICE
##                 Date:        $DATE
##                 Action:      $ACTION
##                 Host:        $HOST
##                 Description: $DESCRIPTION
##
##            Your faithful employee,
##            Monit
## }
## --8<--
##
## You can override this message format or parts of it, such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
## are expanded at runtime. For example, to override the sender, use:
#
# set mail-format { from: monit@foo.bar }
#
#
## You can set alert recipients whom will receive alerts if/when a
## service defined in this file has errors. Alerts may be restricted on
## events by using a filter as in the second example below.
#
# set alert sysadm@foo.bar                       # receive all alerts
#
## Do not alert when Monit starts, stops or performs a user initiated action.
## This filter is recommended to avoid getting alerts for trivial cases.
#
# set alert your-name@your.domain not on { instance, action }
#
#
## Monit has an embedded HTTP interface which can be used to view status of
## services monitored and manage services from a web interface. The HTTP
## interface is also required if you want to issue Monit commands from the
## command line, such as 'monit status' or 'monit restart service' The reason
## for this is that the Monit client uses the HTTP interface to send these
## commands to a running Monit daemon. See the Monit Wiki if you want to
## enable SSL for the HTTP interface.
#
set httpd port 2812 and
    use address localhost  # only accept connection from localhost (drop if you use M/Monit)
    allow localhost        # allow localhost to connect to the server and
    # require user 'admin' with password
    allow admin:"{{ secrets['Sharingan']['monit'] | default('monit') }}"
    #with ssl {            # enable SSL/TLS and set path to server certificate
    #    pemfile: /etc/ssl/certs/monit.pem
    #}

###############################################################################
## Services
###############################################################################
##
## Check general system resources such as load average, cpu and memory
## usage. Each test specifies a resource, conditions and the action to be
## performed should a test fail.
#
#  check system $HOST
#    if loadavg (1min) per core > 2 for 5 cycles then alert
#    if loadavg (5min) per core > 1.5 for 10 cycles then alert
#    if cpu usage > 95% for 10 cycles then alert
#    if memory usage > 75% then alert
#    if swap usage > 25% then alert
#
#
## Check if a file exists, checksum, permissions, uid and gid. In addition
## to alert recipients in the global section, customized alert can be sent to
## additional recipients by specifying a local alert handler. The service may
## be grouped using the GROUP option. More than one group can be specified by
## repeating the 'group name' statement.
#
#  check file apache_bin with path /usr/local/apache/bin/httpd
#    if failed checksum and
#       expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
#    if failed permission 755 then unmonitor
#    if failed uid "root" then unmonitor
#    if failed gid "root" then unmonitor
#    alert security@foo.bar on {
#           checksum, permission, uid, gid, unmonitor
#        } with the mail-format { subject: Alarm! }
#    group server
#
#
## Check that a process is running, in this case Apache, and that it respond
## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
## and number of children. If the process is not running, Monit will restart
## it by default. In case the service is restarted very often and the
## problem remains, it is possible to disable monitoring using the TIMEOUT
## statement. This service depends on another service (apache_bin) which
## is defined above.
#
#  check process apache with pidfile /usr/local/apache/logs/httpd.pid
#    start program = "/etc/init.d/httpd start" with timeout 60 seconds
#    stop program  = "/etc/init.d/httpd stop"
#    if cpu > 60% for 2 cycles then alert
#    if cpu > 80% for 5 cycles then restart
#    if totalmem > 200.0 MB for 5 cycles then restart
#    if children > 250 then restart
#    if disk read > 500 kb/s for 10 cycles then alert
#    if disk write > 500 kb/s for 10 cycles then alert
#    if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
#    if failed port 443 protocol https with timeout 15 seconds then restart
#    if 3 restarts within 5 cycles then unmonitor
#    depends on apache_bin
#    group server
#
#
## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
## Other services, such as databases, may depend on this resource and an automatically
## graceful stop may be cascaded to them before the filesystem will become full and data
## lost.
#
#  check filesystem datafs with path /dev/sdb1
#    start program  = "/bin/mount /data"
#    stop program  = "/bin/umount /data"
#    if failed permission 660 then unmonitor
#    if failed uid "root" then unmonitor
#    if failed gid "disk" then unmonitor
#    if space usage > 80% for 5 times within 15 cycles then alert
#    if space usage > 99% then stop
#    if inode usage > 30000 then alert
#    if inode usage > 99% then stop
#    if read rate > 1 MB/s for 5 cycles then alert
#    if read rate > 500 operations/s for 5 cycles then alert
#    if write rate > 1 MB/s for 5 cycles then alert
#    if write rate > 500 operations/s for 5 cycles then alert
#    if service time > 10 milliseconds for 3 times within 5 cycles then alert
#    group server
#
#
## Check a file's timestamp. In this example, we test if a file is older
## than 15 minutes and assume something is wrong if its not updated. Also,
## if the file size exceed a given limit, execute a script
#
#  check file database with path /data/mydatabase.db
#    if failed permission 700 then alert
#    if failed uid "data" then alert
#    if failed gid "data" then alert
#    if timestamp > 15 minutes then alert
#    if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
#
#
## Check directory permission, uid and gid.  An event is triggered if the
## directory does not belong to the user with uid 0 and gid 0.  In addition,
## the permissions have to match the octal description of 755 (see chmod(1)).
#
#  check directory bin with path /bin
#    if failed permission 755 then unmonitor
#    if failed uid 0 then unmonitor
#    if failed gid 0 then unmonitor
#
#
## Check a remote host availability by issuing a ping test and check the
## content of a response from a web server. Up to three pings are sent and
## connection to a port and an application level network check is performed.
#
#  check host myserver with address 192.168.1.1
#    if failed ping then alert
#    if failed port 3306 protocol mysql with timeout 15 seconds then alert
#    if failed port 80 protocol http
#       and request /some/path with content = "a string"
#    then alert
#
#
## Check a network link status (up/down), link capacity changes, saturation
## and bandwidth usage.
#
#  check network public with interface eth0
#    if failed link then alert
#    if changed link then alert
#    if saturation > 90% then alert
#    if download > 10 MB/s then alert
#    if total uploaded > 1 GB in last hour then alert
#
#
## Check custom program status output.
#
#  check program myscript with path /usr/local/bin/myscript.sh
#    if status != 0 then alert
#
#
###############################################################################
## Includes
###############################################################################
##
## It is possible to include additional configuration parts from other files or
## directories.
#
include /etc/monit.d/{{ inventory_hostname }}
Catching up with current successes 2022-01-25 23:54:43 -06:00			`###############################################################################`
			`## Monit control file`
			`###############################################################################`
			`##`
			`## Comments begin with a '#' and extend through the end of the line. Keywords`
			`## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.`
			`##`
			`## Below you will find examples of some frequently used statements. For`
			`## information about the control file and a complete list of statements and`
			`## options, please have a look in the Monit manual.`
			`##`
			`##`
			`###############################################################################`
			`## Global section`
			`###############################################################################`
			`set daemon 30 # check services at 30 seconds intervals`
			`with start delay 240 # optional: delay the first check by 4-minutes (by`
			`# default Monit check immediately after Monit start)`
			`#`
			`## Set syslog logging. If you want to log to a standalone log file instead,`
			`## specify the full path to the log file`
			`#`
			`set log syslog`

			`#`
			`#`
			`## Set the location of the Monit lock file which stores the process id of the`
			`## running Monit instance. By default this file is stored in $HOME/.monit.pid`
			`#`
			`# set pidfile /var/run/monit.pid`
			`#`
			`## Set the location of the Monit id file which stores the unique id for the`
			`## Monit instance. The id is generated and stored on first Monit start. By`
			`## default the file is placed in $HOME/.monit.id.`
			`#`
			`# set idfile /var/.monit.id`
			`#`
			`## Set the location of the Monit state file which saves monitoring states`
			`## on each cycle. By default the file is placed in $HOME/.monit.state. If`
			`## the state file is stored on a persistent filesystem, Monit will recover`
			`## the monitoring state across reboots. If it is on temporary filesystem, the`
			`## state will be lost on reboot which may be convenient in some situations.`
			`#`
			`# set statefile /var/.monit.state`
			`#`
			`#`

			`## Set limits for various tests. The following example shows the default values:`
			`##`
			`# set limits {`
			`# programOutput: 512 B, # check program's output truncate limit`
			`# sendExpectBuffer: 256 B, # limit for send/expect protocol test`
			`# fileContentBuffer: 512 B, # limit for file content test`
			`# httpContentBuffer: 1 MB, # limit for HTTP content test`
			`# networkTimeout: 5 seconds # timeout for network I/O`
			`# programTimeout: 300 seconds # timeout for check program`
			`# stopTimeout: 30 seconds # timeout for service stop`
			`# startTimeout: 30 seconds # timeout for service start`
			`# restartTimeout: 30 seconds # timeout for service restart`
			`# }`

			`## Set global SSL options (just most common options showed, see manual for`
			`## full list).`
			`#`
			`# set ssl {`
			`# verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)`
			`# selfsigned : allow # allow self signed SSL certificates (reject by default)`
			`#}`
			`#`
			`#`
			`## Set the list of mail servers for alert delivery. Multiple servers may be`
			`## specified using a comma separator. If the first mail server fails, Monit`
			`# will use the second mail server in the list and so on. By default Monit uses`
			`# port 25 - it is possible to override this with the PORT option.`
			`#`
			`# set mailserver mail.bar.baz, # primary mailserver`
			`# backup.bar.baz port 10025, # backup mailserver on port 10025`
			`# localhost # fallback relay`
			`#`
			`#`
			`## By default Monit will drop alert events if no mail servers are available.`
			`## If you want to keep the alerts for later delivery retry, you can use the`
			`## EVENTQUEUE statement. The base directory where undelivered alerts will be`
			`## stored is specified by the BASEDIR option. You can limit the queue size`
			`## by using the SLOTS option (if omitted, the queue is limited by space`
			`## available in the back end filesystem).`
			`#`
			`# set eventqueue`
			`# basedir /var/monit # set the base directory where events will be stored`
			`# slots 100 # optionally limit the queue size`
			`#`
			`#`
			`## Send status and events to M/Monit (for more information about M/Monit`
			`## see https://mmonit.com/). By default Monit registers credentials with`
			`## M/Monit so M/Monit can smoothly communicate back to Monit and you don't`
			`## have to register Monit credentials manually in M/Monit. It is possible to`
			`## disable credential registration using the commented out option below.`
			`## Though, if safety is a concern we recommend instead using https when`
			`## communicating with M/Monit and send credentials encrypted. The password`
			`## should be URL encoded if it contains URL-significant characters like`
			`## ":", "?", "@". Default timeout is 5 seconds, you can customize it by`
			`## adding the timeout option.`
			`#`
			`# set mmonit http://monit:monit@192.168.1.10:8080/collector`
			`# # with timeout 30 seconds # Default timeout is 5 seconds`
			`# # and register without credentials # Don't register credentials`
			`#`
			`#`
			`## Monit by default uses the following format for alerts if the mail-format`
			`## statement is missing::`
			`## --8<--`
			`## set mail-format {`
			`## from: Monit <monit@$HOST>`
			`## subject: monit alert -- $EVENT $SERVICE`
			`## message: $EVENT Service $SERVICE`
			`## Date: $DATE`
			`## Action: $ACTION`
			`## Host: $HOST`
			`## Description: $DESCRIPTION`
			`##`
			`## Your faithful employee,`
			`## Monit`
			`## }`
			`## --8<--`
			`##`
			`## You can override this message format or parts of it, such as subject`
			`## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.`
			`## are expanded at runtime. For example, to override the sender, use:`
			`#`
			`# set mail-format { from: monit@foo.bar }`
			`#`
			`#`
			`## You can set alert recipients whom will receive alerts if/when a`
			`## service defined in this file has errors. Alerts may be restricted on`
			`## events by using a filter as in the second example below.`
			`#`
			`# set alert sysadm@foo.bar # receive all alerts`
			`#`
			`## Do not alert when Monit starts, stops or performs a user initiated action.`
			`## This filter is recommended to avoid getting alerts for trivial cases.`
			`#`
			`# set alert your-name@your.domain not on { instance, action }`
			`#`
			`#`
			`## Monit has an embedded HTTP interface which can be used to view status of`
			`## services monitored and manage services from a web interface. The HTTP`
			`## interface is also required if you want to issue Monit commands from the`
			`## command line, such as 'monit status' or 'monit restart service' The reason`
			`## for this is that the Monit client uses the HTTP interface to send these`
			`## commands to a running Monit daemon. See the Monit Wiki if you want to`
			`## enable SSL for the HTTP interface.`
			`#`
			`set httpd port 2812 and`
			`use address localhost # only accept connection from localhost (drop if you use M/Monit)`
			`allow localhost # allow localhost to connect to the server and`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`# require user 'admin' with password`
Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00			`allow admin:"{{ secrets['Sharingan']['monit'] \| default('monit') }}"`
Catching up with current successes 2022-01-25 23:54:43 -06:00			`#with ssl { # enable SSL/TLS and set path to server certificate`
			`# pemfile: /etc/ssl/certs/monit.pem`
			`#}`

			`###############################################################################`
			`## Services`
			`###############################################################################`
			`##`
			`## Check general system resources such as load average, cpu and memory`
			`## usage. Each test specifies a resource, conditions and the action to be`
			`## performed should a test fail.`
			`#`
			`# check system $HOST`
			`# if loadavg (1min) per core > 2 for 5 cycles then alert`
			`# if loadavg (5min) per core > 1.5 for 10 cycles then alert`
			`# if cpu usage > 95% for 10 cycles then alert`
			`# if memory usage > 75% then alert`
			`# if swap usage > 25% then alert`
			`#`
			`#`
			`## Check if a file exists, checksum, permissions, uid and gid. In addition`
			`## to alert recipients in the global section, customized alert can be sent to`
			`## additional recipients by specifying a local alert handler. The service may`
			`## be grouped using the GROUP option. More than one group can be specified by`
			`## repeating the 'group name' statement.`
			`#`
			`# check file apache_bin with path /usr/local/apache/bin/httpd`
			`# if failed checksum and`
			`# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor`
			`# if failed permission 755 then unmonitor`
			`# if failed uid "root" then unmonitor`
			`# if failed gid "root" then unmonitor`
			`# alert security@foo.bar on {`
			`# checksum, permission, uid, gid, unmonitor`
			`# } with the mail-format { subject: Alarm! }`
			`# group server`
			`#`
			`#`
			`## Check that a process is running, in this case Apache, and that it respond`
			`## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,`
			`## and number of children. If the process is not running, Monit will restart`
			`## it by default. In case the service is restarted very often and the`
			`## problem remains, it is possible to disable monitoring using the TIMEOUT`
			`## statement. This service depends on another service (apache_bin) which`
			`## is defined above.`
			`#`
			`# check process apache with pidfile /usr/local/apache/logs/httpd.pid`
			`# start program = "/etc/init.d/httpd start" with timeout 60 seconds`
			`# stop program = "/etc/init.d/httpd stop"`
			`# if cpu > 60% for 2 cycles then alert`
			`# if cpu > 80% for 5 cycles then restart`
			`# if totalmem > 200.0 MB for 5 cycles then restart`
			`# if children > 250 then restart`
			`# if disk read > 500 kb/s for 10 cycles then alert`
			`# if disk write > 500 kb/s for 10 cycles then alert`
			`# if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart`
			`# if failed port 443 protocol https with timeout 15 seconds then restart`
			`# if 3 restarts within 5 cycles then unmonitor`
			`# depends on apache_bin`
			`# group server`
			`#`
			`#`
			`## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.`
			`## Other services, such as databases, may depend on this resource and an automatically`
			`## graceful stop may be cascaded to them before the filesystem will become full and data`
			`## lost.`
			`#`
			`# check filesystem datafs with path /dev/sdb1`
			`# start program = "/bin/mount /data"`
			`# stop program = "/bin/umount /data"`
			`# if failed permission 660 then unmonitor`
			`# if failed uid "root" then unmonitor`
			`# if failed gid "disk" then unmonitor`
			`# if space usage > 80% for 5 times within 15 cycles then alert`
			`# if space usage > 99% then stop`
			`# if inode usage > 30000 then alert`
			`# if inode usage > 99% then stop`
			`# if read rate > 1 MB/s for 5 cycles then alert`
			`# if read rate > 500 operations/s for 5 cycles then alert`
			`# if write rate > 1 MB/s for 5 cycles then alert`
			`# if write rate > 500 operations/s for 5 cycles then alert`
			`# if service time > 10 milliseconds for 3 times within 5 cycles then alert`
			`# group server`
			`#`
			`#`
			`## Check a file's timestamp. In this example, we test if a file is older`
			`## than 15 minutes and assume something is wrong if its not updated. Also,`
			`## if the file size exceed a given limit, execute a script`
			`#`
			`# check file database with path /data/mydatabase.db`
			`# if failed permission 700 then alert`
			`# if failed uid "data" then alert`
			`# if failed gid "data" then alert`
			`# if timestamp > 15 minutes then alert`
			`# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba`
			`#`
			`#`
			`## Check directory permission, uid and gid. An event is triggered if the`
			`## directory does not belong to the user with uid 0 and gid 0. In addition,`
			`## the permissions have to match the octal description of 755 (see chmod(1)).`
			`#`
			`# check directory bin with path /bin`
			`# if failed permission 755 then unmonitor`
			`# if failed uid 0 then unmonitor`
			`# if failed gid 0 then unmonitor`
			`#`
			`#`
			`## Check a remote host availability by issuing a ping test and check the`
			`## content of a response from a web server. Up to three pings are sent and`
			`## connection to a port and an application level network check is performed.`
			`#`
			`# check host myserver with address 192.168.1.1`
			`# if failed ping then alert`
			`# if failed port 3306 protocol mysql with timeout 15 seconds then alert`
			`# if failed port 80 protocol http`
			`# and request /some/path with content = "a string"`
			`# then alert`
			`#`
			`#`
			`## Check a network link status (up/down), link capacity changes, saturation`
			`## and bandwidth usage.`
			`#`
			`# check network public with interface eth0`
			`# if failed link then alert`
			`# if changed link then alert`
			`# if saturation > 90% then alert`
			`# if download > 10 MB/s then alert`
			`# if total uploaded > 1 GB in last hour then alert`
			`#`
			`#`
			`## Check custom program status output.`
			`#`
			`# check program myscript with path /usr/local/bin/myscript.sh`
			`# if status != 0 then alert`
			`#`
			`#`
			`###############################################################################`
			`## Includes`
			`###############################################################################`
			`##`
			`## It is possible to include additional configuration parts from other files or`
			`## directories.`
			`#`
			`include /etc/monit.d/{{ inventory_hostname }}`