How to monitor privacyIDEA status and statistics?

Hey guys,

I want to add the privacyIDEA 3.6.3 server to our monitoring system (Checkmk) but I’m quite confused on how to use the API endpoint (GET /monitoring) as it says “Authentifizierungsfehler. Fehlender Authentifizierungsheader.” in the response.

Do I have to create a stats_key first? Or is a dedicated user needed for authentication?
Do I have to create scheduled tasks for the simplestats and eventcounter modules?

Also, is there a proper way to check if the /ttype/push API endpoint is reachable other than just using a GET request and accepting the error message “ERR905: Missing parameter: 'serial” as OK?

Thanks in advance

Have a nice day!

You are missing an Auth Header, so you need to get one using the /auth endpoint.

Alright, here is what I did:

curl -k -L --header "Content-Type: application/json" --request POST --data '{"username":"myuser","password":"mypassword"}' "https://myprivacyideaserver/auth"

I took the token which I got from the server response and tried:

curl -k -L --header "Content-Type: application/json" --header "Authorization: myauthtoken"  "https://myprivacyideaserver/monitoring"

Now I get this error message:

Authentication failure. Error during decoding your token: Signature verification failed

Signature verification failed looks like curl verifying the SSL certificate presented by the site (PI). Have you tried using --no-check-certificate with the command?

I used curl with the -k switch which is the equivalent of wget --no-check-certificate as far as I know:

-k, --insecure
(SSL) This option explicitly allows curl to perform “insecure” SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered “insecure” fail unless -k, --insecure is used.

This is the full response from the PrivacyIDEA server:
{"detail": null, "id": 1, "jsonrpc": "2.0", "result": {"error": {"code": 4304, "message": "Authentication failure. Error during decoding your token: Signature verification failed"}, "status": false}, "time": 1651235017.0234008, "version": "privacyIDEA 3.6.3", "signature": "rsa_sha256_pss:[...]

@Charburner Did you try to remove the content-type json in the monitoring GET-request?

I just tried that, but I still get the same response :(
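
An added example (not written by anyone in this thread and not privacyIDEA's own code) for a monitoring check: it pulls the JWT out of the /auth reply and refuses to send any other value, such as the reply's top-level "signature" field, as the Authorization header for GET /monitoring. It assumes the JWT sits at result.value.token in the /auth reply; the function names and the sample reply are constructed for illustration.

```python
import base64, hashlib, hmac, json
import urllib.request

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_auth_response() -> str:
    """Constructed /auth reply: a JWT under result.value.token (assumed location)
    plus a separate top-level response "signature", as in the reply quoted above."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"username": "myuser", "role": "admin"}).encode())
    sig = _b64url(hmac.new(b"constructed-key", f"{head}.{body}".encode(), hashlib.sha256).digest())
    return json.dumps({
        "result": {"status": True, "value": {"token": f"{head}.{body}.{sig}"}},
        "signature": "rsa_sha256_pss:0000",  # constructed placeholder, not a real signature
    })

def looks_like_jwt(value: str) -> bool:
    """True if value is header.payload.signature with a JSON header naming an alg."""
    parts = value.strip().split(".")
    if len(parts) != 3 or not all(parts):
        return False
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(header, dict) and "alg" in header

def extract_auth_token(auth_response_text: str) -> str:
    """Return the JWT from an /auth reply, or raise with the server's error message."""
    result = json.loads(auth_response_text).get("result", {})
    if not result.get("status"):
        raise ValueError(result.get("error", {}).get("message", "authentication failed"))
    token = result["value"]["token"]  # assumption: JWT location in the /auth reply
    if not looks_like_jwt(token):
        raise ValueError("value at result.value.token is not a three-part JWT")
    return token

def build_monitoring_request(base_url: str, token: str) -> urllib.request.Request:
    """GET /monitoring with the raw JWT as the Authorization header value."""
    if not looks_like_jwt(token):
        raise ValueError("refusing to send a non-JWT Authorization value")
    return urllib.request.Request(base_url.rstrip("/") + "/monitoring",
                                  headers={"Authorization": token}, method="GET")
```

Pass the returned request to urllib.request.urlopen with an SSL context that trusts the server's CA rather than disabling certificate verification.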