Is there a definition for the severities? Are all warnings something that
does not require action? If they are, I'd rather ignore them as I've
plugged this into Nagios and I only want alerts that require me to do
something (right now I'm just checking that `ipa-healthcheck
--failures-only` is empty. Right now this warning is triggering my
monitoring- but if I ignore alerts until this is cleared, I could miss
other problems).
There are a lot of ways to look at this, but IMHO I'd suggest something
like:
* "System is not working correctly"
* "Action needs to be taken to prevent failure" (it's often useful to have
an early warning threshold and a later critical threshold- taking care of
warnings during business hours will probably reduce the amount of criticals
that wake someone up)
* "Informative"
This way your monitoring system can alert on the first two, but the third
one shows up somewhere, but doesn't send alerts.
...
I think I'll change my monitoring to just alert on CRITICAL and ERROR,
hopefully that won't be a bad idea.
Cheers,
Álex
On Sun, Dec 8, 2019 at 7:08 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Alex Corcoles via FreeIPA-users wrote:
> Hi,
>
> I've been running ipa-healthcheck for a while and this morning I started
> to get a few failures:
>
> {
> "source": "ipahealthcheck.ipa.certs",
> "kw": {
> "msg": "Request id 20180929065627 expires in 27 days",
> "expiration_date": "20200104123511Z",
> "days": 27,
> "key": "20180929065627"
> },
> "uuid": "02af62dc-ac2c-48a6-951f-884e119be9a7",
> "duration": "0.046374",
> "when": "20191208113322Z",
> "check": "IPACertmongerExpirationCheck",
> "result": "WARNING"
> },
> {
> "source": "ipahealthcheck.ipa.certs",
> "kw": {
> "msg": "Request id 20180929065620 expires in 27 days",
> "expiration_date": "20200104123511Z",
> "days": 27,
> "key": "20180929065620"
> },
> "uuid": "ce377ee1-6f8a-4921-9c33-01c6d82e91ff",
> "duration": "0.148693",
> "when": "20191208113323Z",
> "check": "IPACertfileExpirationCheck",
> "result": "WARNING"
> },
>
> I get a pair of these for a couple of certs. Should WARNING results be
> ignored (because those should be renewed automatically, perhaps?)? I was
> running --failures-only, but perhaps I should run --severity
> CRITICAL,ERROR for monitoring?
These are there so you are aware that an expiration event is coming up.
Just keep an eye on it, it should resolve itself when certmonger thinks
it's time. This is reported as a heads-up and a just-in-case-certmonger
falls over (or if you have no CA renewal manager, for example).
rob
--
___
{~._.~}
( Y )
()~*~() mail: alex at corcoles dot net
(_)-(_)
http://alex.corcoles.net/
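
The severity policy discussed in this thread (alert on CRITICAL and ERROR, keep WARNING visible without alerting), sketched as a Nagios-style check; this is an added example, not code from the thread or from the FreeIPA project. It assumes the report is a JSON list of result objects shaped like the ones quoted above; the names evaluate, SEVERITY_TO_NAGIOS and ExampleCheck are hypothetical.

```python
import json
import sys

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Assumed policy: alert on ERROR/CRITICAL, only list WARNING in the status text.
SEVERITY_TO_NAGIOS = {"SUCCESS": OK, "WARNING": OK, "ERROR": CRITICAL, "CRITICAL": CRITICAL}


def evaluate(report_text):
    """Return (exit_code, status_text) for one ipa-healthcheck JSON report."""
    try:
        results = json.loads(report_text)
    except ValueError:
        # Empty or truncated output must not be read as "no failures".
        return UNKNOWN, "UNKNOWN: healthcheck output is not valid JSON"
    if not isinstance(results, list):
        return UNKNOWN, "UNKNOWN: expected a JSON list of results"

    worst, alerts, notes = OK, [], []
    for item in results:
        severity = item.get("result") if isinstance(item, dict) else None
        if not isinstance(severity, str) or severity not in SEVERITY_TO_NAGIOS:
            return UNKNOWN, "UNKNOWN: unrecognised result %r" % (severity,)
        if severity == "SUCCESS":
            continue
        kw = item.get("kw")
        msg = kw.get("msg", "") if isinstance(kw, dict) else ""
        line = "%s %s: %s" % (severity, item.get("check", "?"), msg)
        code = SEVERITY_TO_NAGIOS[severity]
        (alerts if code != OK else notes).append(line)
        worst = max(worst, code)
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[worst]
    summary = "%s: %d alerting, %d informational" % (label, len(alerts), len(notes))
    return worst, "\n".join([summary] + alerts + notes)


# Constructed sample: one WARNING quoted in the thread plus a made-up ERROR.
SAMPLE = json.dumps([
    {"check": "IPACertmongerExpirationCheck", "result": "WARNING",
     "kw": {"msg": "Request id 20180929065627 expires in 27 days"}},
    {"check": "ExampleCheck", "result": "ERROR", "kw": {"msg": "constructed failure"}},
])

if __name__ == "__main__":
    code, text = evaluate(sys.stdin.read())
    print(text)
    sys.exit(code)
```

Run as a script, it reads the report from standard input and exits with the Nagios code; changing the WARNING entry in SEVERITY_TO_NAGIOS to WARNING turns the certificate-expiry notices into a non-paging early warning.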