[ZBX-20075] [template][F5 Big-IP SNMP] wrong trigger expression for certificate monitoring Created: 2021 Oct 12  Updated: 2024 Apr 10  Resolved: 2021 Dec 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Templates (T)
Affects Version/s: 5.4.4
Fix Version/s: 5.0.19rc1, 5.4.9rc1, 6.0.0beta1, 6.0 (plan)

Type: Problem report Priority: Major
Reporter: thomas Assignee: Alexander Bakaldin
Resolution: Fixed Votes: 0
Labels: templates
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Zabbix installation "All In One" VM
==============================
CentOS Linux release 8.1.1911 (Core)
==============================
mariadb.x86_64 3:10.3.17-1.module_el8.1.0+217+4d875839
mariadb-backup.x86_64 3:10.3.17-1.module_el8.1.0+217+4d875839
mariadb-common.x86_64 3:10.3.17-1.module_el8.1.0+217+4d875839
mariadb-connector-c.x86_64 3.0.7-1.el8
mariadb-connector-c-config.noarch 3.0.7-1.el8
mariadb-connector-c-devel.x86_64 3.0.7-1.el8
mariadb-devel.x86_64 3:10.3.17-1.module_el8.1.0+217+4d875839
mariadb-errmsg.x86_64 3:10.3.17-1.module_el8.1.0+217+4d875839
mariadb-gssapi-server.x86_64 3:10.3.17-1.module_el8.1.0+217+4d875839
mariadb-server.x86_64 3:10.3.17-1.module_el8.1.0+217+4d875839
mariadb-server-utils.x86_64 3:10.3.17-1.module_el8.1.0+217+4d875839
net-snmp.x86_64 1:5.8-20.el8
net-snmp-agent-libs.x86_64 1:5.8-20.el8
net-snmp-libs.x86_64 1:5.8-20.el8
zabbix-agent.x86_64 5.4.4-1.el8
zabbix-nginx-conf.noarch 5.4.4-1.el8
zabbix-server-mysql.x86_64 5.4.4-1.el8
zabbix-sql-scripts.noarch 5.4.4-1.el8
zabbix-web.noarch 5.4.4-1.el8
zabbix-web-deps.noarch 5.4.4-1.el8
zabbix-web-mysql.noarch 5.4.4-1.el8


Team: Team INT
Sprint: Sprint 83 (Dec 2021)
Story Points: 1

 Description   

Steps to reproduce:

Create a host and link template "F5 Big-IP SNMP" to this host. If host is a F5 device, installed certificates are discovered by "Certificate discovery" rule.

Result:

Trigger expression to monitor certificate expiration date is wrong :

 

last(/F5 Big-IP SNMP/bigip.cert.expiration.date[{#CERT.NAME}]) + 86400 * {$BIGIP.CERT.MIN} < now()

 

Problem isn't not created when there is less than {$BIGIP.CERT.MIN} days before certificate expiration but {$BIGIP.CERT.MIN} days later after certificate expiration.

Expected:

Trigger expression should be :

 

last(/BDF F5 Big-IP SNMP/bigip.cert.expiration.date[{#CERT.NAME}]) - 86400 * {$BIGIP.CERT.MIN} < now()

I also suggest improvements :

 

  1. The existing trigger prototype should depends on another trigger prototype (severity=warning) to monitor expired certificate : 
    last(/BDF F5 Big-IP SNMP/bigip.cert.expiration.date[{#CERT.NAME}]) < now()

    Thus, F5 admins are notified when a certificate is about to expire and also when certificate is expired.

  2. Increase update interval for certificate discovery (1d ?)
  3. Increase update interval for item prototypes (12h ?)
  4. Delete throttling (preprocessing)
  5. Configure trends to 0 days and history to 1 day

 Comments   
Comment by Alexander Bakaldin [ 2021 Dec 07 ]

Available in:

Generated at Sun Apr 05 12:44:33 EEST 2026 using Jira 10.3.18#10030018-sha1:5642e4ad348b6c2a83ebdba689d04763a2393cab.