zabbix_export:
  version: '6.0'
  date: '2021-11-21T22:06:06Z'
  groups:
    - uuid: 7df96b18c230490a9a0a9e2307226338
      name: Templates
  templates:
    - uuid: a5ce643571644cec9480ea7c0679f0e5
      template: 'ARP Monitoring'
      name: 'ARP Monitoring'
      description: |
        ## Description

        Rafael Gustavo Gassner 02/2021

        This script actively scans ARP and sends the results to the Zabbix server using zabbix_sender. arp-scan must be installed, and the interfaces variable must be configured for your environment. You will want to run it every 10 minutes or so from crontab. The first run(s) might not populate data, since the LLD items are still being created on the Zabbix server.

        With the script and template, you will be able to:

        - Detect newly connected devices on the network.
        - Keep a history of which MACs were used by which IPs and vice versa.
        - Detect whether multiple IPs are associated with the same MAC.
        - Detect whether multiple MACs are associated with the same IP address.
        - Identify the period during which each device was active on the network.

        Since this is designed for a small environment, the trigger for a new device has no recovery expression and must be disabled manually. You can leave the "new device" trigger disabled for the initial run. After that, you can disable each trigger manually once you have confirmed that the new device is not a rogue one.

        In the Zabbix template, the "Allowed hosts" setting must be configured for your environment in the item prototypes and in the discovery rule.

        ## Overview

        This script actively scans ARP and sends the results to the Zabbix server using zabbix_sender. arp-scan must be installed, and the interfaces variable must be configured for your environment. You will want to run it every 10 minutes or so from crontab. The first run(s) might not populate data, since the LLD items are still being created on the Zabbix server.

        With the script and template, you will be able to:

        * Detect newly connected devices on the network.
        * Keep a history of which MACs were used by which IPs and vice versa.
        * Detect whether multiple IPs are associated with the same MAC.
        * Detect whether multiple MACs are associated with the same IP address.
        * Identify the period during which each device was active on the network.

        Since this is designed for a small environment, the trigger for a new device has no recovery expression and must be disabled manually.

              1 and find(/ARP Monitoring/arp.macIps[{#HWADDRESS}],#1,"like","lala")=0'
              name: 'Mac {#HWADDRESS} in use in more than one IP detected by {HOST.HOST} arp table. Adresses found {ITEM.LASTVALUE2}'
              priority: INFO
              tags:
                - tag: feature
                  value: arp
          lld_macro_paths:
            - lld_macro: '{#HWADDRESS}'
              path: $.HWAddress
            - lld_macro: '{#IPADDRESS}'
              path: $.ipAddress
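The collector script the description refers to is not part of this export. The following is an added example (not the template author's script) of the scan-parsing and zabbix_sender side: it turns arp-scan output into the LLD JSON matching the lld_macro_paths above ($.HWAddress, $.ipAddress) and builds one value per MAC and per IP, so the multiple-IPs-per-MAC and multiple-MACs-per-IP cases the template triggers on are visible. The host name netmon01, the keys arp.discovery and arp.ipMacs[], the comma-separated value format and the arp-scan sample output are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample of `arp-scan --localnet` output (not real network data).
SAMPLE_ARP_SCAN = """\
Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 192.168.1.10
192.168.1.1\t00:aa:bb:cc:dd:01\tExample Router Co
192.168.1.20\t00:aa:bb:cc:dd:02\t(Unknown)
192.168.1.21\t00:aa:bb:cc:dd:02\t(Unknown)
192.168.1.30\t00:aa:bb:cc:dd:03\t(Unknown)
192.168.1.30\t00:AA:BB:CC:DD:04\t(Unknown)
5 packets received by filter, 0 packets dropped by kernel
"""
# arp-scan prints one responding host per line: <ip><TAB><mac><TAB><vendor>
ENTRY = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\t([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\t")

def parse_arp_scan(text):
    """Return (ip, mac) pairs; MACs are lower-cased so the LLD macro values stay stable."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def lld_payload(pairs):
    """Discovery JSON matching the template's lld_macro_paths ($.HWAddress, $.ipAddress)."""
    entries = [{"HWAddress": mac, "ipAddress": ip} for ip, mac in pairs]
    return json.dumps(entries, separators=(",", ":"))  # no spaces: zabbix_sender splits on them

def group(pairs, by_mac):
    """by_mac=True: mac -> sorted IPs; by_mac=False: ip -> sorted MACs.
    More than one value means a MAC answering for several IPs, or an IP claimed by several MACs."""
    seen = defaultdict(set)
    for ip, mac in pairs:
        key, val = (mac, ip) if by_mac else (ip, mac)
        seen[key].add(val)
    return {k: sorted(v) for k, v in seen.items()}

def sender_lines(host, pairs):
    """Lines for `zabbix_sender -i -` ("<host> <key> <value>"). arp.macIps[] is the
    template's key; arp.discovery and arp.ipMacs[] are assumed names."""
    lines = [f"{host} arp.discovery {lld_payload(pairs)}"]
    for mac, ips in sorted(group(pairs, True).items()):
        lines.append(f"{host} arp.macIps[{mac}] {','.join(ips)}")
    for ip, macs in sorted(group(pairs, False).items()):
        lines.append(f"{host} arp.ipMacs[{ip}] {','.join(macs)}")
    return lines
```

Piping the joined lines into `zabbix_sender -z <server> -i -` from the cron job sends the discovery payload and the per-MAC and per-IP values in one run.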