icingaweb2-module-x509
Certificate validation fills daemon.log
Describe the bug
OpenSSL errors fill the daemon.log with multiple GBs!
To Reproduce
Scan a lot of VLANs with a lot of self-signed services.
Expected behavior
Certificate validation should not lead to system log entries.
Your Environment
- Icinga Web 2 version and modules (System - About):
Operating System: Debian GNU/Linux 9
Icinga Web 2 Version: 2.8.2
Git commit: 8a89839af94a247ee2149b2336c73b8251b477c0
PHP Version: 7.3.22-1+0~20200909.67+debian9~1.gbpdd7b72
Git commit date: 2020-08-17
| Name | Version |
|---|---|
| businessprocess | 2.3.0 |
| cube | 1.1.0 |
| doc | 2.8.2 |
| generictts | 2.0.0 |
| graphite | 1.1.0 |
| idoreports | 0.9.1 |
| incubator | 0.5.0 |
| ipl | v0.4.0 |
| monitoring | 2.8.2 |
| nagvis | 1.1.1 |
| pdfexport | 0.9.1 |
| reactbundle | 0.8.0 |
| reporting | 0.10.0 |
| trapdirector | 1.0.5b |
| x509 | 1.0.0 |
x509 module: Version 1.0.0, Git commit c869318cbf5746c0127e549a93b7a04a7a7634f7
Additional context
It looks to me like it is not the collection but the verification as I configured the jobs to run once per day but the entries in the log happen in bursts every minute.
> It looks to me like it is not the collection but the verification as I configured the jobs to run once per day but the entries in the log happen in bursts every minute.
So we can't just stop logging the errors/warnings, but I suspect that you trigger the `verify` or `scan` command manually or by some Icinga 2 check, because otherwise I can't imagine how that would happen every single minute.
@lippserd So if you don't mind, I could add a new flag to the two cli commands so that the error/warning logging can be optionally controlled by the user.
Since the runtime of a job depends on the number of targets to be scanned, you may indeed see log messages even some time after the job has started. If a certificate is invalid, it is written to the database anyway, so why should we log it anyway? Therefore, I think it is generally a good idea to think about what to log and with what severity.
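The two comments above disagree on what the daemon should log, not on whether an invalid certificate is a valid scan result. The following added example (written for this discussion, not code from icingaweb2-module-x509) sketches the severity split lippserd asks for: every verification outcome is turned into a row for the database, ordinary findings such as self-signed or expired certificates are only counted into one summary line per job, and only genuinely unexpected conditions (a failed connection, an unknown verify code) reach the log at warning level. The `log_findings` switch stands in for the optional CLI flag proposed above and is a hypothetical name; the target list and the verify code 64 are constructed sample data. The `X509_V_ERR_*` values are OpenSSL's own result codes.

```python
"""Severity-gated, aggregated logging of certificate verification results.

Added example, not code from icingaweb2-module-x509. A failed verification is a
scan finding that belongs in the database; the daemon log gets one summary line
per job plus only the conditions that are actually unexpected.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional
import logging

# OpenSSL X509 verify result codes (X509_V_ERR_*), as defined by OpenSSL.
X509_V_OK = 0
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19

# Verify failures that are ordinary scan findings: stored and counted, never
# logged individually above debug level. Any other non-zero code is unexpected.
EXPECTED_FINDINGS = {
    X509_V_ERR_CERT_HAS_EXPIRED: "expired",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "self-signed",
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: "self-signed chain",
}


@dataclass
class ScanResult:
    target: str                  # "ip:port"
    verify_code: int             # OpenSSL verify result, 0 means the chain verified
    error: Optional[str] = None  # transport/handshake error, if the scan itself failed


@dataclass
class JobOutcome:
    db_rows: List[dict] = field(default_factory=list)    # rows that would be persisted
    log_lines: List[tuple] = field(default_factory=list)  # (level, message) for the log


def process_job(results, log_findings=False):
    """Turn raw verify results into database rows plus a bounded set of log lines.

    log_findings=True mirrors a hypothetical per-command flag (not a real module
    option) that lets an operator opt back into per-target messages when debugging.
    """
    out = JobOutcome()
    counts = Counter()
    for r in results:
        if r.error is not None:
            # The scan did not produce a certificate at all: that is worth a warning.
            out.log_lines.append(("WARNING", f"{r.target}: {r.error}"))
            counts["unreachable"] += 1
            continue
        if r.verify_code == X509_V_OK:
            status = "valid"
        elif r.verify_code in EXPECTED_FINDINGS:
            status = EXPECTED_FINDINGS[r.verify_code]
        else:
            # Unknown verify code: still stored, but also surfaced once as a warning.
            status = f"verify error {r.verify_code}"
            out.log_lines.append(("WARNING", f"{r.target}: unexpected {status}"))
        out.db_rows.append({"target": r.target, "status": status, "code": r.verify_code})
        counts[status] += 1
        if log_findings and status != "valid":
            out.log_lines.append(("DEBUG", f"{r.target}: {status}"))
    # One summary line per job instead of one error line per self-signed service.
    summary = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
    out.log_lines.append(("INFO", f"scan finished: {len(results)} targets ({summary})"))
    return out


def emit(outcome, logger):
    """Hand the collected lines to a standard logger at their chosen severity."""
    for level, message in outcome.log_lines:
        logger.log(getattr(logging, level), message)


# Constructed sample scan: one valid service, three expected findings, one
# unknown verify code (64 is arbitrary here) and one unreachable target.
SAMPLE_RESULTS = [
    ScanResult("10.0.1.10:443", X509_V_OK),
    ScanResult("10.0.1.11:443", X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT),
    ScanResult("10.0.1.12:8443", X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT),
    ScanResult("10.0.1.13:443", X509_V_ERR_CERT_HAS_EXPIRED),
    ScanResult("10.0.2.5:443", 64),
    ScanResult("10.0.2.6:443", X509_V_OK, error="connection refused"),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(message)s")
    emit(process_job(SAMPLE_RESULTS), logging.getLogger("x509-scan"))
```

With the default settings the sample job produces five database rows, two warnings and a single info line; only with `log_findings=True` does each finding also appear, and then at debug level, which a daemon log at its usual threshold would drop.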
> So we can't just stop logging the errors/warnings, but I suspect that you trigger the `verify` or `scan` command manually or by some Icinga 2 check, because otherwise I can't imagine how that would happen every single minute.
I use the director to generate icingacli x509 checks and attach them to already existing hosts. Works great besides some minor issues like this one and https://github.com/Icinga/icingaweb2-module-director/issues/2598.