Skip to main content

Azure Policy States

Pack Assets​

Templates​

The Monitoring Connector Azure Policies States brings a host template:

  • Cloud-Azure-PolicyInsights-PolicyStates

The connector brings the following service template:

Service AliasService TemplateService Description
ComplianceCloud-Azure-PolicyInsights-PolicyStates-Compliance-ApiCheck Azure policies compliance

Collected metrics & status​

Metric nameUnit
policies.non_compliant.countcount
compliance_state#compliance-stateN/A

Prerequisites​

Please find all the prerequisites needed for Centreon to get information from Azure on the dedicated page.

Setup​

Monitoring Pack​

If the platform uses an online license, you can skip the package installation instruction below as it is not required to have the pack displayed within the Configuration > Monitoring Connector Manager menu. If the platform uses an offline license, install the package on the central server with the command corresponding to the operating system's package manager:

dnf install centreon-pack-cloud-azure-policyinsights-policystates

Whatever the license type (online or offline), install the Azure Policies States Pack through the Configuration > Monitoring Connector Manager menu.

Plugin​

Since Centreon 22.04, you can benefit from the 'Automatic plugin installation' feature. When this feature is enabled, you can skip the installation part below.

You still have to manually install the plugin on the poller(s) when:

  • Automatic plugin installation is turned off
  • You want to run a discovery job from a poller that doesn't monitor any resource of this kind yet

More information in the Installing the plugin section.

Use the commands below according to your operating system's package manager:

dnf install centreon-plugin-Cloud-Azure-PolicyInsights-PolicyStates-Api

Configuration​

Host​

  1. Log into Centreon and add a new host through Configuration > Hosts.
  2. In the IP Address/DNS field, set the following IP address: 127.0.0.1.
  3. Apply the Cloud-Azure-PolicyInsights-PolicyStates-custom template to the host.
  4. Once the template is applied, fill in the corresponding macros. Some macros are mandatory. These mandatory macros differ depending on the custom mode used.

Two methods can be used to set the macros:

  • Full ID of the Resource (/subscriptions/<subscription_id>/resourceGroups/<resourcegroup_id>/providers/XXXXX/XXXXX/<resource_name>) in the AZURERESOURCE macro.
  • Resource name in the AZURERESOURCE macro, and resource group name in the AZURERESOURCEGROUP macro.
MandatoryMacroDescriptionDefault
xAZURECLIENTIDSet Azure client ID
xAZURECLIENTSECRETSet Azure client secret
AZURERESOURCEGROUPSet resource group
xAZURESUBSCRIPTIONSet Azure subscription ID
xAZURETENANTSet Azure tenant ID
PROXYURLProxy URL
EXTRAOPTIONSAny extra option you may want to add to every command line (eg. a --verbose flag)

Service​

Once the template is applied, fill in the corresponding macros. Some macros are mandatory.

MandatoryMacroDescriptionDefault
POLICYSTATESThe virtual resource under PolicyStates resource type. In a given time range, 'latest' represents the latest policy state(s), whereas 'default' represents all policy state(s)default
RESOURCELOCATIONSet resource location (Optional)
RESOURCETYPESet resource type (Optional)
POLICYNAMESet policy name (Optional)
CRITICALCOMPLIANCESTATE%{compliance_state} eq "NonCompliant"
WARNINGCOMPLIANCESTATE
WARNINGNONCOMPLIANTPOLICIES
CRITICALNONCOMPLIANTPOLICIES
EXTRAOPTIONSAny extra option you may want to add to the command line (eg. a --verbose flag)

How to check in the CLI that the configuration is OK and what are the main options for?​

Once the plugin is installed, log into your Centreon poller's CLI using the centreon-engine user account (su - centreon-engine) and test the plugin by running the following command:

/usr/lib/centreon/plugins//centreon_azure_policyinsights_policystates_api.pl \
    --plugin=cloud::azure::policyinsights::policystates::plugin \
    --mode=compliance \
    --resource-group='' \
    --subscription='' \
    --tenant='' \
    --client-id='' \
    --client-secret='' \
    --proxyurl=''  \
    --policy-states='' \
    --resource-location='' \
    --resource-type='' \
    --policy-name='' \
    --warning-non-compliant-policies='' \
    --critical-non-compliant-policies='' \
    --warning-compliance-state='' \
    --critical-compliance-state='' \

The expected command output is shown below:

OK: Number of non compliant policies: 0 - All compliances states are ok | 'policies.non_compliant.count'=0;;;0;

Available modes​

All available modes can be displayed by adding the --list-mode parameter to the command:

/usr/lib/centreon/plugins//centreon_azure_policyinsights_policystates_api.pl \
    --plugin=cloud::azure::policyinsights::policystates::plugin \
    --list-mode

The plugin brings the following modes:

ModeLinked service template
complianceCloud-Azure-PolicyInsights-PolicyStates-Compliance-Api

Available options​

Modes options​

All modes specific options are listed here:

OptionDescriptionType
--modeChoose a mode.Global
--dyn-modeSpecify a mode with the path (separated by '::').Global
--list-modeList available modes.Global
--mode-versionCheck minimal version of mode. If not, unknown error.Global
--versionDisplay plugin version.Global
--custommodeChoose a custom mode.Global
--list-custommodeList available custom modes.Global
--multipleMultiple custom mode objects (required by some specific modes)Global
--pass-managerUse a password manager.Global
--verboseDisplay long output.Output
--debugDisplay also debug messages.Output
--filter-perfdataFilter perfdata that match the regexp.Output
--filter-perfdata-advAdvanced perfdata filter. Eg: --filter-perfdata-adv='not (%(value) == 0 and %(max) eq "")'Output
--explode-perfdata-maxPut max perfdata (if it exist) in a specific perfdata (without values: same with '_max' suffix) (Multiple options)Output
--change-perfdata --extend-perfdataChange or extend perfdata. Syntax: --extend-perfdata=searchlabel,newlabel,target[,[newuom],[min],[m ax]] Common examples: Change storage free perfdata in used: --change-perfdata=free,used,invert() Change storage free perfdata in used: --change-perfdata=used,free,invert() Scale traffic values automaticaly: --change-perfdata=traffic,,scale(auto) Scale traffic values in Mbps: --change-perfdata=traffic_in,,scale(Mbps),mbps Change traffic values in percent: --change-perfdata=traffic_in,,percent()Output
--extend-perfdata-groupExtend perfdata from multiple perfdatas (methods in target are: min, max, average, sum) Syntax: --extend-perfdata-group=searchlabel,newlabel,target[,[newuom],[m in],[max]] Common examples: Sum wrong packets from all interfaces (with interface need --units-errors=absolute): --extend-perfdata-group=',packets_wrong,sum(packets_(discard |error)_(in|out))' Sum traffic by interface: --extend-perfdata-group='traffic_in_(.*),traffic_$1,sum(traf fic_(in|out)_$1)'Output
--change-short-output --change-long-outputChange short/long output display: --change-short-output=pattern~replace~modifierOutput
--change-exitChange exit code: --change-exit=unknown=criticalOutput
--range-perfdataChange perfdata range thresholds display: 1 = start value equals to '0' is removed, 2 = threshold range is not display.Output
--filter-uomFilter UOM that match the regexp.Output
--opt-exitOptional exit code for an execution error (i.e. wrong option provided, SSH connection refused, timeout, etc) (Default: unknown).Output
--output-ignore-perfdataRemove perfdata from output.Output
--output-ignore-labelRemove label status from output.Output
--output-xmlDisplay output in XML format.Output
--output-jsonDisplay output in JSON format.Output
--output-openmetricsDisplay metrics in OpenMetrics format.Output
--output-fileWrite output in file (can be used with json and xml options)Output
--disco-formatDisplay discovery arguments (if the mode manages it).Output
--disco-showDisplay discovery values (if the mode manages it).Output
--float-precisionSet the float precision for thresholds (Default: 8).Output
--source-encodingSet encoding of monitoring sources (In some case. Default: 'UTF-8'). Microsoft Azure Rest API To connect to the Azure Rest API, you must register an application. Follow the 'How-to guide' in https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-cr eate-service-principal-portal The application needs the 'Monitoring Reader' role (See https://docs.microsoft.com/en-us/azure/azure-monitor/platform/roles-perm issions-security#monitoring-reader). This custom mode is using the 'OAuth 2.0 Client Credentials Grant Flow' For futher informations, visit https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth 2-client-creds-grant-flowOutput
--subscriptionSet Azure subscription ID.Api
--tenantSet Azure tenant ID.Api
--client-idSet Azure client ID.Api
--client-secretSet Azure client secret.Api
--login-endpointSet Azure login endpoint URL (Default: 'https://login.microsoftonline.com')Api
--management-endpointSet Azure management endpoint URL (Default: 'https://management.azure.com')Api
--timeframeSet timeframe in seconds (i.e. 3600 to check last hour).Api
--intervalSet interval of the metric query (Can be : PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H, PT24H).Api
--aggregationSet monitor aggregation (Can be multiple, Can be: 'minimum', 'maximum', 'average', 'total', 'count').Api
--zeroedSet metrics value to 0 if none. Usefull when Monitor does not return value when not defined.Api
--timeoutSet timeout in seconds (Default: 10).Api
--http-peer-addrSet the address you want to connect (Useful if hostname is only a vhost. no ip resolve)Http global
--proxyurlProxy URLHttp global
--proxypacProxy pac file (can be an url or local file)Http global
--insecureInsecure SSL connections.Http global
--http-backendSet the backend used (Default: 'lwp') For curl: --http-backend=curlHttp global
--ssl-optSet SSL Options (--ssl-opt="SSL_version => TLSv1" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE").Backend lwp
--curl-optSet CURL Options (--curl-opt="CURLOPT_SSL_VERIFYPEER => 0" --curl-opt="CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_1" ).Backend curl
--memcachedMemcached server to use (only one server).Retention
--redis-serverRedis server to use (only one server). SYntax: address[:port]Retention
--redis-attributeSet Redis Options (--redis-attribute="cnx_timeout=5").Retention
--redis-dbSet Redis database index.Retention
--failback-fileFailback on a local file if redis connection failed.Retention
--memexpirationTime to keep data in seconds (Default: 86400).Retention
--statefile-dirDirectory for statefile (Default: '/var/lib/centreon/centplugins').Retention
--statefile-suffixAdd a suffix for the statefile name (Default: '').Retention
--statefile-concat-cwdConcat current working directory with option '--statefile-dir'. Useful on Windows when plugin is compiled.Retention
--statefile-formatFormat used to store cache (can be: 'dumper', 'storable', 'json').Retention
--statefile-keyKey to encrypt/decrypt cache.Retention
--statefile-cipherCipher to encrypt cache (Default: 'AES').Retention
--policy-statesThe virtual resource under PolicyStates resource type. In a given time range, 'latest' represents the latest policy state(s), whereas 'default' represents all policy state(s).Mode
--resource-groupSet resource group (Optional).Mode
--resource-locationSet resource location (Optional).Mode
--resource-typeSet resource type (Optional).Mode
--policy-nameSet policy name (Optional).Mode
--warning- --critical-Thresholds. Can be: 'non-compliant-policies' ,'compliance-state'.Mode

All available options for a given mode can be displayed by adding the --help parameter to the command:

/usr/lib/centreon/plugins//centreon_azure_policyinsights_policystates_api.pl \
    --plugin=cloud::azure::policyinsights::policystates::plugin \
    --mode=compliance \
    --help

Troubleshooting​

Please find the troubleshooting documentation for the API-based plugins in this chapter.