smartmachine 1.2.3 → 1.3.0

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/dovecot-sql.conf.ext

@@ -0,0 +1,163 @@
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-sql.conf.ext
+
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/SQL
+#
+# For the sql passdb module, you'll need a database with a table that
+# contains fields for at least the username and password. If you want to
+# use the user@domain syntax, you might want to have a separate domain
+# field as well.
+#
+# If your users all have the same uig/gid, and have predictable home
+# directories, you can use the static userdb module to generate the home
+# dir based on the username and domain. In this case, you won't need fields
+# for home, uid, or gid in the database.
+#
+# If you prefer to use the sql userdb module, you'll want to add fields
+# for home, uid, and gid. Here is an example table:
+#
+# CREATE TABLE users (
+#     username VARCHAR(128) NOT NULL,
+#     domain VARCHAR(128) NOT NULL,
+#     password VARCHAR(64) NOT NULL,
+#     home VARCHAR(255) NOT NULL,
+#     uid INTEGER NOT NULL,
+#     gid INTEGER NOT NULL,
+#     active CHAR(1) DEFAULT 'Y' NOT NULL
+# );
+
+# Database driver: mysql, pgsql, sqlite
+#driver = 
+##### SmartMachine Begin.
+driver = mysql
+##### SmartMachine Close.
+
+# Database connection string. This is driver-specific setting.
+#
+# HA / round-robin load-balancing is supported by giving multiple host
+# settings, like: host=sql1.host.org host=sql2.host.org
+#
+# pgsql:
+#   For available options, see the PostgreSQL documentation for the
+#   PQconnectdb function of libpq.
+#   Use maxconns=n (default 5) to change how many connections Dovecot can
+#   create to pgsql.
+#
+# mysql:
+#   Basic options emulate PostgreSQL option names:
+#     host, port, user, password, dbname
+#
+#   But also adds some new settings:
+#     client_flags           - See MySQL manual
+#     connect_timeout        - Connect timeout in seconds (default: 5)
+#     read_timeout           - Read timeout in seconds (default: 30)
+#     write_timeout          - Write timeout in seconds (default: 30)
+#     ssl_ca, ssl_ca_path    - Set either one or both to enable SSL
+#     ssl_cert, ssl_key      - For sending client-side certificates to server
+#     ssl_cipher             - Set minimum allowed cipher security (default: HIGH)
+#     ssl_verify_server_cert - Verify that the name in the server SSL certificate
+#                              matches the host (default: no)
+#     option_file            - Read options from the given file instead of
+#                              the default my.cnf location
+#     option_group           - Read options from the given group (default: client)
+# 
+#   You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
+#   Note that currently you can't use spaces in parameters.
+#
+# sqlite:
+#   The path to the database file.
+#
+# Examples:
+#   connect = host=192.168.1.1 dbname=users
+#   connect = host=sql.example.com dbname=virtual user=virtual password=blarg
+#   connect = /etc/dovecot/authdb.sqlite
+#
+#connect =
+##### SmartMachine Begin.
+connect = host=%<mysql_host>s port=%<mysql_port>s dbname=%<mysql_database_name>s user=%<mysql_user>s password=%<mysql_password>s
+##### SmartMachine Close.
+
+# Default password scheme.
+#
+# List of supported schemes is in
+# http://wiki2.dovecot.org/Authentication/PasswordSchemes
+#
+#default_pass_scheme = MD5
+
+# passdb query to retrieve the password. It can return fields:
+#   password - The user's password. This field must be returned.
+#   user - user@domain from the database. Needed with case-insensitive lookups.
+#   username and domain - An alternative way to represent the "user" field.
+#
+# The "user" field is often necessary with case-insensitive lookups to avoid
+# e.g. "name" and "nAme" logins creating two different mail directories. If
+# your user and domain names are in separate fields, you can return "username"
+# and "domain" fields instead of "user".
+#
+# The query can also return other fields which have a special meaning, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#
+# Commonly used available substitutions (see http://wiki2.dovecot.org/Variables
+# for full list):
+#   %u = entire user@domain
+#   %n = user part of user@domain
+#   %d = domain part of user@domain
+# 
+# Note that these can be used only as input to SQL query. If the query outputs
+# any of these substitutions, they're not touched. Otherwise it would be
+# difficult to have eg. usernames containing '%' characters.
+#
+# Example:
+#   password_query = SELECT userid AS user, pw AS password \
+#     FROM users WHERE userid = '%u' AND active = 'Y'
+#
+#password_query = \
+#  SELECT username, domain, password \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+##### SmartMachine Begin.
+password_query = SELECT password FROM virtual_users WHERE email='%u'
+##### SmartMachine Close.
+
+# userdb query to retrieve the user information. It can return fields:
+#   uid - System UID (overrides mail_uid setting)
+#   gid - System GID (overrides mail_gid setting)
+#   home - Home directory
+#   mail - Mail location (overrides mail_location setting)
+#
+# None of these are strictly required. If you use a single UID and GID, and
+# home or mail directory fits to a template string, you could use userdb static
+# instead. For a list of all fields that can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#
+# Examples:
+#   user_query = SELECT home, uid, gid FROM users WHERE userid = '%u'
+#   user_query = SELECT dir AS home, user AS uid, group AS gid FROM users where userid = '%u'
+#   user_query = SELECT home, 501 AS uid, 501 AS gid FROM users WHERE userid = '%u'
+#
+#user_query = \
+#  SELECT home, uid, gid \
+#  FROM users WHERE username = '%n' AND domain = '%d'
+##### SmartMachine Begin.
+user_query = SELECT email as user, \
+  concat('*:bytes=', quota_bytes) AS quota_rule, \
+  '/var/vmail/%d/%n' AS home, \
+  5000 AS uid, 5000 AS gid \
+  FROM virtual_users WHERE email='%u'
+##### SmartMachine Close.
+
+# If you wish to avoid two SQL lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb sql in dovecot.conf. In that case you'll
+# also have to return userdb fields in password_query prefixed with "userdb_"
+# string. For example:
+#password_query = \
+#  SELECT userid AS user, password, \
+#    home AS userdb_home, uid AS userdb_uid, gid AS userdb_gid \
+#  FROM users WHERE userid = '%u'
+
+# Query to get a list of all usernames.
+#iterate_query = SELECT username AS user FROM users
+##### SmartMachine Begin.
+iterate_query = SELECT email AS user FROM virtual_users
+##### SmartMachine Close.

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/sa-learn --ham

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-ham.sieve

@@ -0,0 +1,5 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve", "variables"];
+if string "${mailbox}" "Trash" {
+  stop;
+}
+pipe :copy "learn-ham.sh";

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/sa-learn --spam

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve/learn-spam.sieve

@@ -0,0 +1,2 @@
+require ["vnd.dovecot.pipe", "copy", "imapsieve"];
+pipe :copy "learn-spam.sh";

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/dovecot/sieve-after/spam-to-folder.sieve

@@ -0,0 +1,6 @@
+require ["fileinto"];
+
+if header :contains "X-Spam-Flag" "YES" {
+ fileinto "Junk";
+ stop;
+}

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/haproxy/haproxy.cfg

@@ -0,0 +1,58 @@
+global
+	log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+
+        # Default SSL material locations
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+        log     global
+        mode    http
+        option  httplog
+        option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+##### SmartMachine Begin.
+frontend myfrontend
+        bind :80
+	acl oracle_ips_listed str("%<oracle_ips_allowed>s") -m len gt 0
+	acl oracle_ip_allowed req.hdr(X-Real-IP) -m ip %<oracle_ips_allowed>s
+	http-request redirect code 302 location %<oracle_deflect_url>s unless oracle_ips_listed oracle_ip_allowed
+	http-request redirect code 302 location /oracle/monit/ if { path /oracle/monit }
+	use_backend monitbackend if { path_beg -i /oracle/monit/ }
+	stats enable
+	stats uri /oracle/haproxy
+        stats refresh 30s
+	stats admin if oracle_ips_listed oracle_ip_allowed
+
+backend monitbackend
+        balance roundrobin
+        option forwardfor
+        http-request add-header X-Forwarded-Proto https if { ssl_fc }
+        http-request set-header X-Forwarded-Host %[req.hdr(Host)]
+        http-request set-header X-Forwarded-Port %[dst_port]
+	http-request replace-path /oracle/monit(/)?(.*) /\2
+        option httpchk GET /
+        server s1 127.0.0.1:2812 check
+##### SmartMachine Close.

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/monit/conf.d/services.cfg

@@ -0,0 +1,70 @@
+# system
+check system $HOST
+  if loadavg (5min) > 3 then alert
+  if loadavg (15min) > 1 then alert
+  if memory usage > 90% for 4 cycles then alert
+  if swap usage > 60% for 4 cycles then alert
+  # Test the user part of CPU usage
+  if cpu usage (user) > 80% for 2 cycles then alert
+  # Test the system part of CPU usage
+  if cpu usage (system) > 20% for 2 cycles then alert
+  # Test the i/o wait part of CPU usage
+  if cpu usage (wait) > 80% for 2 cycles then alert
+  # Test CPU usage including user, system and wait. Note that
+  # multi-core systems can generate 100% per core
+  # so total CPU usage can be more than 100%
+  if cpu usage > 200% for 4 cycles then alert
+
+# rsyslog
+check process rsyslog with pidfile /run/rsyslogd.pid
+  start program = "/usr/sbin/service rsyslog start"
+  stop  program = "/usr/sbin/service rsyslog stop"
+
+# rsyslog.syslog
+check file rsyslog.syslog with path /var/log/syslog
+  if timestamp > 65 minutes then alert
+
+# haproxy
+check process haproxy with pidfile /run/tmpfs/haproxy.pid
+  start program = "/usr/sbin/haproxy -W -f /etc/haproxy/haproxy.cfg -p /run/tmpfs/haproxy.pid -S /run/haproxy-master.sock"
+  stop  program = "/bin/bash -c '/bin/kill --signal SIGUSR1 `cat /run/tmpfs/haproxy.pid`'"
+
+# spamassassin
+check process spamassassin with pidfile /home/spamd/spamd.pid
+  start program = "/usr/sbin/spamd -d --pidfile=/home/spamd/spamd.pid --create-prefs --max-children 5 --username spamd --helper-home-dir /home/spamd/ -s /home/spamd/spamd.log"
+  stop  program = "/bin/bash -c '/bin/kill --signal SIGTERM `cat /home/spamd/spamd.pid`'"
+  if cpu usage > 99% for 5 cycles then alert
+  if mem usage > 99% for 5 cycles then alert
+
+# spamassassin.update
+check program spamassassin.update with path "/bin/bash -c '/usr/bin/sa-update && /bin/kill --signal SIGHUP `cat /home/spamd/spamd.pid`'"
+  every "0-15 12-1 * * *"
+  if changed status then alert
+
+# opendkim
+check process opendkim with pidfile /var/run/opendkim/opendkim.pid
+  start program = "/usr/sbin/opendkim"
+  stop  program = "/bin/bash -c '/bin/kill --signal SIGTERM `cat /var/run/opendkim/opendkim.pid`'"
+
+# postfix
+check process postfix with pidfile /var/spool/postfix/pid/master.pid
+  start program = "/bin/bash -c '/usr/lib/postfix/configure-instance.sh - && /usr/sbin/postmulti -i - -p start'"
+  stop  program = "/usr/sbin/postmulti -i - -p stop"
+  if failed port 25 protocol smtp then restart
+
+# dovecot
+check process dovecot with pidfile /run/dovecot/master.pid
+  start program = "/usr/sbin/dovecot"
+  stop  program = "/usr/bin/doveadm stop"
+  if failed host %<fqdn>s port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
+
+# certbot
+check file certbot.fullchain with path /etc/letsencrypt/live/%<fqdn>s/fullchain.pem
+  if changed checksum then exec "/bin/bash -c '/usr/sbin/postfix reload && /usr/sbin/dovecot reload'"
+check file certbot.key with path /etc/letsencrypt/live/%<fqdn>s/key.pem
+  if changed checksum then exec "/bin/bash -c '/usr/sbin/postfix reload && /usr/sbin/dovecot reload'"
+
+# monit
+check process monit with pidfile /var/run/tmpfs/monit.pid
+  start program = "/usr/bin/monit"
+  stop  program = "/usr/bin/monit quit"

data/lib/smart_machine/templates/dotsmartmachine/config/emailer/etc/monit/monitrc

@@ -0,0 +1,344 @@
+###############################################################################
+## Monit control file
+###############################################################################
+##
+## Comments begin with a '#' and extend through the end of the line. Keywords
+## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
+##
+## Below you will find examples of some frequently used statements. For
+## information about the control file and a complete list of statements and
+## options, please have a look in the Monit manual.
+##
+##
+###############################################################################
+## Global section
+###############################################################################
+##
+## Start Monit in the background (run as a daemon):
+#
+  set daemon 120            # check services at 2-minute intervals
+#   with start delay 240    # optional: delay the first check by 4-minutes (by
+#                           # default Monit check immediately after Monit start)
+#
+#
+## Set syslog logging. If you want to log to a standalone log file instead,
+## specify the full path to the log file
+#
+  set log /var/log/monit.log
+
+#
+#
+## Set the location of the Monit lock file which stores the process id of the
+## running Monit instance. By default this file is stored in $HOME/.monit.pid
+#
+# set pidfile /var/run/monit.pid
+##### SmartMachine Begin.
+set pidfile /run/tmpfs/monit.pid
+##### SmartMachine Close.
+#
+## Set the location of the Monit id file which stores the unique id for the
+## Monit instance. The id is generated and stored on first Monit start. By
+## default the file is placed in $HOME/.monit.id.
+#
+# set idfile /var/.monit.id
+  set idfile /var/lib/monit/id
+#
+## Set the location of the Monit state file which saves monitoring states
+## on each cycle. By default the file is placed in $HOME/.monit.state. If
+## the state file is stored on a persistent filesystem, Monit will recover
+## the monitoring state across reboots. If it is on temporary filesystem, the
+## state will be lost on reboot which may be convenient in some situations.
+#
+  set statefile /var/lib/monit/state
+#
+#
+
+## Set limits for various tests. The following example shows the default values:
+##
+# set limits {
+#     programOutput:     512 B,      # check program's output truncate limit
+#     sendExpectBuffer:  256 B,      # limit for send/expect protocol test
+#     fileContentBuffer: 512 B,      # limit for file content test
+#     httpContentBuffer: 1 MB,       # limit for HTTP content test
+#     networkTimeout:    5 seconds   # timeout for network I/O
+#     programTimeout:    300 seconds # timeout for check program
+#     stopTimeout:       30 seconds  # timeout for service stop
+#     startTimeout:      30 seconds  # timeout for service start
+#     restartTimeout:    30 seconds  # timeout for service restart
+# }
+
+## Set global SSL options (just most common options showed, see manual for
+## full list).
+#
+# set ssl {
+#     verify     : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
+#     selfsigned : allow   # allow self signed SSL certificates (reject by default)
+# }
+#
+#
+## Set the list of mail servers for alert delivery. Multiple servers may be
+## specified using a comma separator. If the first mail server fails, Monit
+# will use the second mail server in the list and so on. By default Monit uses
+# port 25 - it is possible to override this with the PORT option.
+#
+# set mailserver mail.bar.baz,               # primary mailserver
+#                backup.bar.baz port 10025,  # backup mailserver on port 10025
+#                localhost                   # fallback relay
+##### SmartMachine Begin.
+set mailserver %<monit_smtp_host>s port %<monit_smtp_port>s username "%<monit_smtp_username>s" password "%<monit_smtp_password>s" using SSL using HOSTNAME %<container_name>s.%<fqdn>s
+##### SmartMachine Close.
+#
+#
+## By default Monit will drop alert events if no mail servers are available.
+## If you want to keep the alerts for later delivery retry, you can use the
+## EVENTQUEUE statement. The base directory where undelivered alerts will be
+## stored is specified by the BASEDIR option. You can limit the queue size
+## by using the SLOTS option (if omitted, the queue is limited by space
+## available in the back end filesystem).
+#
+  set eventqueue
+      basedir /var/lib/monit/events # set the base directory where events will be stored
+      slots 100                     # optionally limit the queue size
+#
+#
+## Send status and events to M/Monit (for more information about M/Monit
+## see https://mmonit.com/). By default Monit registers credentials with
+## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
+## have to register Monit credentials manually in M/Monit. It is possible to
+## disable credential registration using the commented out option below.
+## Though, if safety is a concern we recommend instead using https when
+## communicating with M/Monit and send credentials encrypted. The password
+## should be URL encoded if it contains URL-significant characters like
+## ":", "?", "@". Default timeout is 5 seconds, you can customize it by
+## adding the timeout option.
+#
+# set mmonit http://monit:monit@192.168.1.10:8080/collector
+#     # with timeout 30 seconds              # Default timeout is 5 seconds
+#     # and register without credentials     # Don't register credentials
+#
+#
+## Monit by default uses the following format for alerts if the mail-format
+## statement is missing::
+## --8<--
+## set mail-format {
+##   from:    Monit <monit@$HOST>
+##   subject: monit alert --  $EVENT $SERVICE
+##   message: $EVENT Service $SERVICE
+##                 Date:        $DATE
+##                 Action:      $ACTION
+##                 Host:        $HOST
+##                 Description: $DESCRIPTION
+##
+##            Your faithful employee,
+##            Monit
+## }
+## --8<--
+##
+## You can override this message format or parts of it, such as subject
+## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
+## are expanded at runtime. For example, to override the sender, use:
+#
+# set mail-format { from: monit@foo.bar }
+##### SmartMachine Begin.
+set mail-format {
+  from:    %<monit_smtp_email_name>s <%<monit_smtp_email_address>s>
+  subject: Monit | $SERVICE | $EVENT
+  message:
+While monitoring the system, I observed a change and have performed the actions you had asked.
+
+Date:        $DATE
+Timezone:    %<timezone>s
+Host:        $HOST
+FQDN:        %<fqdn>s
+Container:   %<container_name>s
+Service:     $SERVICE
+Event:       $EVENT
+Action:      $ACTION
+Description: $DESCRIPTION
+
+Please check if you need to do something about it further.
+
+Your Faithful Employee,
+Monit
+}
+##### SmartMachine Close.
+#
+#
+## You can set alert recipients whom will receive alerts if/when a
+## service defined in this file has errors. Alerts may be restricted on
+## events by using a filter as in the second example below.
+#
+# set alert sysadm@foo.bar                       # receive all alerts
+##### SmartMachine Begin.
+set alert %<sysadmin_email>s
+##### SmartMachine Close.
+#
+## Do not alert when Monit starts, stops or performs a user initiated action.
+## This filter is recommended to avoid getting alerts for trivial cases.
+#
+# set alert your-name@your.domain not on { instance, action }
+#
+#
+## Monit has an embedded HTTP interface which can be used to view status of
+## services monitored and manage services from a web interface. The HTTP
+## interface is also required if you want to issue Monit commands from the
+## command line, such as 'monit status' or 'monit restart service' The reason
+## for this is that the Monit client uses the HTTP interface to send these
+## commands to a running Monit daemon. See the Monit Wiki if you want to
+## enable SSL for the HTTP interface.
+#
+# set httpd port 2812 and
+#     use address localhost  # only accept connection from localhost (drop if you use M/Monit)
+#     allow localhost        # allow localhost to connect to the server and
+#     allow admin:monit      # require user 'admin' with password 'monit'
+#     #with ssl {            # enable SSL/TLS and set path to server certificate
+#     #    pemfile: /etc/ssl/certs/monit.pem
+#     #}
+##### SmartMachine Begin.
+set httpd port 2812 and
+     use address localhost
+     allow localhost
+##### SmartMachine Close.
+
+###############################################################################
+## Services
+###############################################################################
+##
+## Check general system resources such as load average, cpu and memory
+## usage. Each test specifies a resource, conditions and the action to be
+## performed should a test fail.
+#
+#  check system $HOST
+#    if loadavg (1min) per core > 2 for 5 cycles then alert
+#    if loadavg (5min) per core > 1.5 for 10 cycles then alert
+#    if cpu usage > 95% for 10 cycles then alert
+#    if memory usage > 75% then alert
+#    if swap usage > 25% then alert
+#
+#
+## Check if a file exists, checksum, permissions, uid and gid. In addition
+## to alert recipients in the global section, customized alert can be sent to
+## additional recipients by specifying a local alert handler. The service may
+## be grouped using the GROUP option. More than one group can be specified by
+## repeating the 'group name' statement.
+#
+#  check file apache_bin with path /usr/local/apache/bin/httpd
+#    if failed checksum and
+#       expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor
+#    if failed permission 755 then unmonitor
+#    if failed uid "root" then unmonitor
+#    if failed gid "root" then unmonitor
+#    alert security@foo.bar on {
+#           checksum, permission, uid, gid, unmonitor
+#        } with the mail-format { subject: Alarm! }
+#    group server
+#
+#
+## Check that a process is running, in this case Apache, and that it respond
+## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
+## and number of children. If the process is not running, Monit will restart
+## it by default. In case the service is restarted very often and the
+## problem remains, it is possible to disable monitoring using the TIMEOUT
+## statement. This service depends on another service (apache_bin) which
+## is defined above.
+#
+#  check process apache with pidfile /usr/local/apache/logs/httpd.pid
+#    start program = "/etc/init.d/httpd start" with timeout 60 seconds
+#    stop program  = "/etc/init.d/httpd stop"
+#    if cpu > 60% for 2 cycles then alert
+#    if cpu > 80% for 5 cycles then restart
+#    if totalmem > 200.0 MB for 5 cycles then restart
+#    if children > 250 then restart
+#    if disk read > 500 kb/s for 10 cycles then alert
+#    if disk write > 500 kb/s for 10 cycles then alert
+#    if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart
+#    if failed port 443 protocol https with timeout 15 seconds then restart
+#    if 3 restarts within 5 cycles then unmonitor
+#    depends on apache_bin
+#    group server
+#
+#
+## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O.
+## Other services, such as databases, may depend on this resource and an automatically
+## graceful stop may be cascaded to them before the filesystem will become full and data
+## lost.
+#
+#  check filesystem datafs with path /dev/sdb1
+#    start program  = "/bin/mount /data"
+#    stop program  = "/bin/umount /data"
+#    if failed permission 660 then unmonitor
+#    if failed uid "root" then unmonitor
+#    if failed gid "disk" then unmonitor
+#    if space usage > 80% for 5 times within 15 cycles then alert
+#    if space usage > 99% then stop
+#    if inode usage > 30000 then alert
+#    if inode usage > 99% then stop
+#    if read rate > 1 MB/s for 5 cycles then alert
+#    if read rate > 500 operations/s for 5 cycles then alert
+#    if write rate > 1 MB/s for 5 cycles then alert
+#    if write rate > 500 operations/s for 5 cycles then alert
+#    if service time > 10 milliseconds for 3 times within 5 cycles then alert
+#    group server
+#
+#
+## Check a file's timestamp. In this example, we test if a file is older
+## than 15 minutes and assume something is wrong if its not updated. Also,
+## if the file size exceed a given limit, execute a script
+#
+#  check file database with path /data/mydatabase.db
+#    if failed permission 700 then alert
+#    if failed uid "data" then alert
+#    if failed gid "data" then alert
+#    if timestamp > 15 minutes then alert
+#    if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba
+#
+#
+## Check directory permission, uid and gid.  An event is triggered if the
+## directory does not belong to the user with uid 0 and gid 0.  In addition,
+## the permissions have to match the octal description of 755 (see chmod(1)).
+#
+#  check directory bin with path /bin
+#    if failed permission 755 then unmonitor
+#    if failed uid 0 then unmonitor
+#    if failed gid 0 then unmonitor
+#
+#
+## Check a remote host availability by issuing a ping test and check the
+## content of a response from a web server. Up to three pings are sent and
+## connection to a port and an application level network check is performed.
+#
+#  check host myserver with address 192.168.1.1
+#    if failed ping then alert
+#    if failed port 3306 protocol mysql with timeout 15 seconds then alert
+#    if failed port 80 protocol http
+#       and request /some/path with content = "a string"
+#    then alert
+#
+#
+## Check a network link status (up/down), link capacity changes, saturation
+## and bandwidth usage.
+#
+#  check network public with interface eth0
+#    if failed link then alert
+#    if changed link then alert
+#    if saturation > 90% then alert
+#    if download > 10 MB/s then alert
+#    if total uploaded > 1 GB in last hour then alert
+#
+#
+## Check custom program status output.
+#
+#  check program myscript with path /usr/local/bin/myscript.sh
+#    if status != 0 then alert
+#
+#
+###############################################################################
+## Includes
+###############################################################################
+##
+## It is possible to include additional configuration parts from other files or
+## directories.
+#
+   include /etc/monit/conf.d/*
+   include /etc/monit/conf-enabled/*
+#