Hi Everyone,
If you have configured the email settings, you probably have noticed that you get daily emails about zpool status, security etc.
While it is good to know about these things I didn't want to get them unless there is an issue.
I looked through the forums and have found a few people in the same boat, but no real answers on what to do - so I decided to make a script to sort this out for me.
There is a scheduled task that runs at 3am daily which runs through the configured daily scripts. I changed some settings so that instead of just emailing the results out to root it will output the results to a temporary file which then has some checks applied to it. If any errors are found then it will email, otherwise it won't.
This should then cut down on the spam but still send out emails if an issue occurs.
For the people who still want daily emails so they can archive/know it is working ok, there is an option to send a replacement email daily with the subject line "OK: Daily Output Report" and "OK: Daily Security Report" which can then be filtered.
Note:The changes needed are not persistent with upgrades so will need to be re-applied if FreeNAS is upgraded.
Steps:
1. Enable SSH through the Services Tab and then SSH onto the FreeNAS box as root.
2. Run the command: 'mount -uw /' (don't copy the " ' " characters) - this enables the root filesystem to be written to and persist changes after a reboot
3. Use your favourite text editor (I like nano) to edit a file: 'nano /conf/base/etc/defaults/periodic.conf'
Update line 33
From: daily_output="root"
To: daily_output="/tmp/output.txt"
Update line 163
From: daily_status_security_output="root"
To: daily_status_security_output="/tmp/security.txt"
4. Copy the following code into a new script file at a persistent location e.g. I have created a "Scripts" dataset on my main zpool and have the script called daily-checks.sh
5. Run the command: 'chown root:wheel ./daily-check.sh; chmod 660 ./daily-check.sh' (don't copy the " ' " characters) - this just updates the permissions on the file
6. In the web interface navigate to System -> Cron Jobs -> Add Cron Job
User: root
Command: '/bin/bash <path to script>/daily-check.sh' - update <path to script> to your path
Minute -> Each Selected Minute Tab: 10 - the system scripts run at 3am so this will run 10 minutes after, update if you want
Hour -> Each Selected Hour Tab: 03 - only run at 3am
Day of Month -> Every N Day of Month Tab: 1 - everyday
Month: Check every month
Day of Week: Check every day
Redirect Stdout: Leave checked
Redirect Stderr: Leave unchecked
Enabled: Checked
7. Reboot the system to update the changes or manually do the updates in Step 3. to the file "/etc/defaults/periodic.conf"
Note: If you want to be emailed daily saying all is OK then just uncomment line 25 for the normal output checks and line 80 for the security checks.
Feel free to share any updates you find that helps and I hope this helps some people out there.
If you have configured the email settings, you probably have noticed that you get daily emails about zpool status, security etc.
While it is good to know about these things I didn't want to get them unless there is an issue.
I looked through the forums and have found a few people in the same boat, but no real answers on what to do - so I decided to make a script to sort this out for me.
There is a scheduled task that runs at 3am daily which runs through the configured daily scripts. I changed some settings so that instead of just emailing the results out to root it will output the results to a temporary file which then has some checks applied to it. If any errors are found then it will email, otherwise it won't.
This should then cut down on the spam but still send out emails if an issue occurs.
For the people who still want daily emails so they can archive/know it is working ok, there is an option to send a replacement email daily with the subject line "OK: Daily Output Report" and "OK: Daily Security Report" which can then be filtered.
Note:The changes needed are not persistent with upgrades so will need to be re-applied if FreeNAS is upgraded.
Steps:
1. Enable SSH through the Services Tab and then SSH onto the FreeNAS box as root.
2. Run the command: 'mount -uw /' (don't copy the " ' " characters) - this enables the root filesystem to be written to and persist changes after a reboot
3. Use your favourite text editor (I like nano) to edit a file: 'nano /conf/base/etc/defaults/periodic.conf'
Update line 33
From: daily_output="root"
To: daily_output="/tmp/output.txt"
Update line 163
From: daily_status_security_output="root"
To: daily_status_security_output="/tmp/security.txt"
4. Copy the following code into a new script file at a persistent location e.g. I have created a "Scripts" dataset on my main zpool and have the script called daily-checks.sh
Code:
#!/bin/bash
######################################################################
# Enter in the name of the daily report file
OUTPUT="/tmp/output.txt"
# Enter in the name of the daily security file
SECURITY="/tmp/security.txt"
######################################################################
######################################################################
# Check if the daily output report file has been created
if [ -e "$OUTPUT" ]; then
# Basic checks to see if any errors found
GROUP=`cat $OUTPUT | grep "/etc/group is fine" | wc -l`
POOL=`cat $OUTPUT | grep "all pools are healthy" | wc -l`
ALARM=`cat $OUTPUT | grep "No new alarms." | wc -l`
COUNTOUT=`echo "$GROUP"+"$POOL"+"$ALARM" | bc`
# If any error found then email daily output report to root's email address
if [ "$COUNTOUT" -lt 3 ]; then
cat "$OUTPUT" | mail -s "Error: Daily Output Report" root
# Else if no errors are found do nothing - uncomment second line to send daily email all OK
else
echo "OK: Daily Output Report"
# echo "" | mail -s "OK: Daily Output Report" root
fi
# Remove daily report file
rm "$OUTPUT"
else
echo "No daily $OUTPUT file found!" | mail -s "Error: No daily $OUTPUT file produced" root
fi
######################################################################
######################################################################
# Check if the daily security report file has been created
if [ -e "$SECURITY" ]; then
# Basic checks to see if any errors found
FILESYS=`cat $SECURITY | grep "changes in mounted filesystems:" | wc -l`
if [ "`cat $SECURITY | grep "root 0" | wc -l`" -eq "1" ]; then
ROOT=0
else
ROOT=1
fi
if [ "`grep --after-context=1 "Checking for passwordless accounts:" "$SECURITY" | grep -v "Checking for passwordless accounts:"`" == "" ]; then
NOPASS=0
else
NOPASS=1
fi
if [ "`grep --after-context=1 "Checking login.conf permissions:" "$SECURITY" | grep -v "Checking login.conf permissions:"`" = "" ]; then
LOGINCONF=0
else
LOGINCONF=1
fi
if [ "`grep --after-context=1 "Checking for ports with mismatched checksums:" "$SECURITY" | grep -v "Checking for ports with mismatched checksums:"`" = "" ]; then
PORTS=0
else
PORTS=1
fi
KERN=`cat $SECURITY | grep "kernel log messages:" | wc -l`
if [ "`grep --after-context=1 "login failures:" "$SECURITY" | grep -v "login failures:"`" = "" ]; then
LOGINFAIL=0
else
LOGINFAIL=1
fi
if [ "`grep --after-context=1 "refused connections:" "$SECURITY" | grep -v "refused connections:"`" = "" ]; then
REFCONNS=0
else
REFCONNS=1
fi
# If any error found then email daily security report to root's email address
COUNTSEC=`echo "$FILESYS"+"$ROOT"+"$NOPASS"+"$LOGINCONF"+"$PORTS"+"$KERN"+"$LOGINFAIL"+"$REFCONNS" | bc`
# If any error found then email daily security report to root's email address
if [ "$COUNTSEC" -gt 0 ]; then
cat "$SECURITY" | mail -s "Error: Daily Security Report" root
# Else if no errors are found do nothing - uncomment second line to send daily email all OK
else
echo "OK: Daily Security Report"
# echo "" | mail -s "OK: Daily Security Report" root
fi
# Remove daily report file
rm "$SECURITY"
else
echo "No daily $SECURITY file found!" | mail -s "Error: No daily $SECURITY file produced" root
fi
######################################################################
5. Run the command: 'chown root:wheel ./daily-check.sh; chmod 660 ./daily-check.sh' (don't copy the " ' " characters) - this just updates the permissions on the file
6. In the web interface navigate to System -> Cron Jobs -> Add Cron Job
User: root
Command: '/bin/bash <path to script>/daily-check.sh' - update <path to script> to your path
Minute -> Each Selected Minute Tab: 10 - the system scripts run at 3am so this will run 10 minutes after, update if you want
Hour -> Each Selected Hour Tab: 03 - only run at 3am
Day of Month -> Every N Day of Month Tab: 1 - everyday
Month: Check every month
Day of Week: Check every day
Redirect Stdout: Leave checked
Redirect Stderr: Leave unchecked
Enabled: Checked
7. Reboot the system to update the changes or manually do the updates in Step 3. to the file "/etc/defaults/periodic.conf"
Note: If you want to be emailed daily saying all is OK then just uncomment line 25 for the normal output checks and line 80 for the security checks.
Feel free to share any updates you find that helps and I hope this helps some people out there.
