Hi, welcome and thank you for your interest in my Zabbix book. I wrote the Zabbix cookbook and co wrote with Richards Zabbix 4 Network Monitoring a few years ago for PackPub.
The cookbook the first of it's kind probably outdated and will be replaced by the Zabbix 7 IT Infrastructure Monitoring Cookbook, written by Brian and Nathan, 2 people I like a lot to work with and can higly recommend. There are many more books available from Packt about Zabbix a complete overview can be found here Zabbix books at pack. Or if you like to find some non English books Amazon has some books form Packt and other Publishers in Chinese, Spanish and maybe some other languages as well. Other books
As Zabbix is an opensource product and making money out of the books was never my intention, it got me thinking how to do things different. How to make a new book without using a publisher like I had done before. After a while, I came up with the idea to make a book that would be free and that would be updated when new versions came out. Since I am a huge fan of documentation in markdown or asciidoc I came up with the idea to share the book in git and use markdown. The only problem left was how to make those markdown files readable in an easy way like a book ? After some searching trying to look for a good solution I found MkDocs. MkDocs is a Python-Markdown library that can convert everything to HTML and can be templated. So the problem was solved and a new book was born.
"},{"location":"#who-am-i","title":"Who am I ?","text":"My name is Patrik Uytterhoeven and I work for a Belgium company named Open-Future. I started at this company at Januari 2013 and that's when my journey started with Zabbix as well. They gave me the opportunity to build my experience and to get certified as Zabbix trainer. Since this year I am officially 10y Zabbix trainer. If you would like to follow one of my trainings feel free to register for a training at our website www.open-future.be. Why would you follow a training if you can read this book for free are you now thinking? Because trainings just like the book explain you all the details on how to set up and do things but also give you valueable tips and feedback that you never get from a book. Books just can't cover everything.
"},{"location":"#what-os-do-i-need","title":"What OS do I need ?","text":"Since I work mostly with RHEL based systems and since I am convinced that RHEL is the better choice in Production environments I have chosen to focus on using one of the forks that is available for free. Zabbix is supported on Ubuntu, Debian, Suse, Raspberry .... and it can be compiled on any OS that is Unix based so it's almost impossible to cover them all. However the book is Opensource and in GIT so feel free to contribute the code for your favorite flavour :). I will use Rocky Linux 9 in this book, but it should work for most of the other installations as well.
"},{"location":"#what-version-of-zabbix-is-used-in-this-book","title":"What version of Zabbix is used in this book ?","text":"Since we are almost at the release of Zabbix 7, I will focus on version 7 since it will be the new LTS. It should also apply to most other versions but of course there will be minor changes. In the future, if there is enough support from the community to update this book together, it would be great if we could build a book for every LTS version available.
"},{"location":"#how-to-use-this-book","title":"How to use this book ?","text":"The book will try to cover all the topics, feel free to let me know if something is missing or feel free to make a pull request. There is no need to start from page 1 and read the book till the end. Some people will be looking for basic knowledge others might want to skip to the fun part, so I want the book to be useful for everyone. Therefor I will try to explain as best as possible in every topic the exact steps needed to reproduce.
There will be moments in the book where you need to type some code, I will show the commands you need to type in a box just like here.
# some command \nNotes to some useful documentation will be added at the bottom of the page.
Here is a simple footnote1. With some additional text after it.
In case there is some important information to share I will add notes in the documentation like can be seen here :
NoteLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
InfoLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
TipLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
QuestionLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
WarningLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
BugLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
ExampleLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
My reference.\u00a0\u21a9
https://support.zabbix.com/browse/ZBXNEXT-6876
"},{"location":"authentication/zabbix-saml/","title":"Authentication with SAML","text":""},{"location":"automation/automating-configuration/","title":"Automating configuration","text":""},{"location":"configuration/Dashboard/","title":"Zabbix Interface","text":"This chapter is going to cover the basics we need to know when it comes to the Zabbix userinterface and the thing we need to know before we can start to fully dive into our monitoring tool. We will see how the userinteface works how to add a host, groups users, items ... so that we have a good understanding of the basics. This is something that is sometimes missed and can lead to frustrations not knowing why things don't work like we had expected them to work. So even if you are an advanced user it may be usefull to have a look into this chapter.
"},{"location":"configuration/Dashboard/#overview-of-the-interface","title":"Overview of the interface","text":"With Zabbix 7 the user interface after logging in is a bit changed. Our menu on the left side of the screen has has a small overhaul. Let's dive into it. When we login into our Zabbix setup the first time with our Admin user we see a page like this where we have our main window in green our main menu marked in red and our links marked in yellow.
The main menu can be hidden by collapsing it completely or to reduce it to a set of small icons.
When we click on the button with the 2 arrows to the left:
You will see that the menu collapses to a set of small icons. Pressing \">>\" will bring the main menu back to it's original state. Pressing the box with the arrow sticking out next to the \"<<\" button will hide the main menu completely.
To get the main menu back it's not too difficult we just look for the button on the left with three horizontal lines and click it. This will bring the menu back and clicking on the box with the arrow agian will bring the main menu back.
Yet another way to make the screen bigger that is quit useful for monitors in NOK teams for example is the kiosk mode button. This one is however located on the left side of your screen and looks like 4 arrows pointing to every corner of the screen. Pressing this button will remove all the menus and leave only main window to focus on.
When wanting to leave the kios mode the button will be changed to 2 arrows poiting to the inside of the screen. Pressing this button will revert us back to the original state.
TipWe can also enter and exit kiosk mode by making use of parameters in our Zabbix url: /zabbix.php?action=dashboard.view&kiosk=1 - activate kiosk mode or /zabbix.php?action=dashboard.view&kiosk=0 - activate normal mode
There are many other page parameters we can use. A full list can be found here
Zabbix also has a global search menu that we can use to find hosts, host groups and templates.
If we look in the search box for server you will see that we get an overview of all templates, host groups and hosts with the name server in it.
Our main menu on the left consists of a few sections, 9 to be exact:
Menu Name Details Dashboards Contains an overview of all the dashboards we have access to. Monitoring Shows us the hosts, problems, latest data, maps, ... Services An overview of all the Services and SLA settings. Inventory An overview of our collected inventory data. Reports Shows us the system information, scheduled reports, audit logs, action logs, etc . Data collection Contains all things related to collecting data like hosts, templates, maintenance, discovery, ... Alert The configuration of our media types, scripts and actions Users User configuration like user roles, user groups, authentication, API tokes, ... Administration The administration part containing all global settings, housekeeper, proxies, queue, ..."},{"location":"configuration/Dashboard/#links-menu","title":"Links menu","text":"Our last part the links part contain a set of useful links that we can use:
There are still a few buttons that we need to cover on the right side of our screen
The edit button allows us to change our dashboard. This is something we will cover later. On the far left side there is a \"?\" this will bring you to the Zabbix documentation page that explains everything about the dashboard. The button on the right side with the 3 horizontal lines is the one to share, rename, delete, ... our dashboards.
"},{"location":"configuration/Dashboard/#system-information","title":"System Information","text":"There is also a box on the dashboard called System Information. This widget will show you the current System status of your Zabbix setup. Let's go over the different lines of information as they are important to understand.
Zabbix server so the version you see at the bottom of your screen is the one from the Zabbix frontend and can be different but should be in the same major version. Version Number Zabbix frontend version This is the version of the frontend and should match with what you see at the bottom of your screen. Version Number Number of hosts (enabled/disabled) The total number of hosts configured on our system How many of those are enabled and disabled Number of templates The number of templates installed on our Zabbix server. Number of items (enabled/disabled/not supported) This line shows us the number of items we have configured in total in this case 99 90 are enabled and 0 are disabled but 9 of them are unsupported. This last number is important as those are items not working. We will look into this later why it happens and how to fix it. For now remember that a high number of unsupported items is not a good idea. Number of triggers (Enabled/disabled[problem/ok]) The number of triggers configured Number of enabled and disabled triggers. Just as with items we also see if there are triggers that are in a problem state or ok state. A trigger in a problem state is a non working trigger something we need to monitor and fix. We will cover this also later. Number of users (online) Here we see the number of users that are configured on our system The nunber of users currently online. Required server performance, nvps The number of new values per second that Zabbix will process per second. This is just an estimated number as some values we get are unknown so the real value is probably higher. So we can have some indication about how many IOPS we need and how busy our database is. A better indication is probably the internal item zabbix[wcache,values,all] High availability cluser It will show us if we are running on a Zabbix HA cluster or not Failover delay once HA is activated Tip System information may display some additonal warnings like when your database doesnt have the correct character set or collation UTF-8. Also when the database you used is lower or higher then the recommended version or when there are misconfigurations on housekeeper or TimescaleDB. Another warning you can see is about database history tables that aren't upgraded or primary keys that have not been set. This is possible if you are coming from an older version before Zabbix 6 and never did the upgrade.
"},{"location":"configuration/Dashboard/#the-main-menu-explained","title":"The main menu explained","text":"It's important to know that we have so far seen our dashboard with the Admin user and that this user is a Zabbix Super Admin user. This means that the user has no restrictions. Zabbix works with 3 different levels of users we have the regular users, Zabbix Admin and Zabbix Super Admin users. Let's have a look
* A ```Zabbix User``` will only see the <font color='red'>red</font> part of our ```main menu``` and will only be able to see our collected data.\n* A ```Zabbix Admin``` will see the red part and the <font color='gold'>yellow</font> part of the ```main menu``` and is able to change our configuration.\n* A ```Zabbix Super Admin``` will see the complete ```main menu``` and so is able to change the configuration and all the global settings.\n- Problems: This page will give us an overview of all the problems. With filter we can look at recent problems past problems and problems that are active now. There are many more filters tor drill down more.\n- Hosts: This will give us a quick overview page with whats happening on our hosts and allows us to quickly go to the latest data, graphs and dashboards.\n- Latest data: This page I probably use the most, it shows us all the information collected from all our hosts.\n- Maps: The location where we can create map that are an oveview of our IT infrastructure very useful to get a high level overview of the network.\n- Discovery: When we run a network discovery this is the place where we can find the results.\n- Services This page will give us a high level overview of all services configured in Zabbix.\n- SLA: An overview of all the SLAs configured in Zabbix.\n- SLA Report: Here we can watch all SLA reports based on our filters.\n- Overview: A place where we can watch all our iventory data that we have retrieved from our hosts.\n- Hosts: Here we can filter by host and watch all inventory data for the hosts we have selected.\n- System information: System information is a summary of key Zabbix server and system data.\n- Scheduled reports: The place where we can schedule our reports, a pdf of the dashboard that will be sent at a specified time and date.\n- Availability report: A nice overview where we can see what trigger has been in ok/nok state for how much % of the time \n- Top 100 triggers: Another page I visit a lot here we have our top list with triggers that have been in a nok state.\n- Audit log: An overview of the user activity that happend on our system. Useful if we want to know who did what and when.\n- Action log: A detailed overview of our actions can be found here. What mail was sent to who and when ...?\n- Notifications: A quick overview of the number of notifications sent to each user.\n- Template groups: A place to logical group all templates together in different groups. Before it was mixed together with hosts in host groups.\n- Host groups: A logical collection of different hosts put together. Host groups are used for our permissions.\n- Templates: A set off entities like items and triggers can be grouped together on a template, A template can be applied to one or more hosts.\n- Hosts: What we need in Zabbix to monitor A host, application, service ...\n- Maintenance: The place to configure our maintenance windows. A maintenance can be planned in this location.\n- Event correlation: When we have multiple events that fires triggers related we can configure correlations in this place.\n- Discovery: Sometimes we like to use Zabbix to discover devices, services,... on our network. This can be done here.\n- Actions:\n- Media types:\n- Scripts:\n- User groups:\n- User roles:\n- Users:\n- API tokens:\n- Authentication: \n- General: \n- Audit log:\n- Housekeeping:\n- Proxies:\n- Macros:\n- Queue:\nMore information can be found in the online Zabbix documentation here
InfoYou will see that Zabbix is using the modal forms in the frontend on many places. The problem is that they are not movable. This module created by one of the Zabbix devs UI Twix will solve this problem for you.
At time of writing there is no Dashboard import/export functionality in zabbix. So when upgrading dashboards need to be created for admin by hand. This should be fixed in 7 onces it comes out. If not feel free to track https://support.zabbix.com/browse/ZBXNEXT-5419
"},{"location":"configuration/zabbix-agent/","title":"Zabbix Agent","text":""},{"location":"configuration/zabbix-agent/#zabbix-agent-linux","title":"Zabbix agent Linux","text":""},{"location":"configuration/zabbix-agent/#zabbix-agent-windows","title":"Zabbix agent windows","text":""},{"location":"configuration/zabbix-dataflow/","title":"Data Flow","text":""},{"location":"configuration/zabbix-dataflow/#data-collection","title":"Data Collection","text":""},{"location":"configuration/zabbix-dataflow/#simple-checks","title":"Simple Checks","text":""},{"location":"configuration/zabbix-hostgroups/","title":"Host groups","text":"Let's have look at the concepts of host groups and what the benifits are that they provide. We have seen that Host groups can be created directly when we create a new Zabbix host. Another way to create them is by a Super Admin going to Data collection -> Host groups. Next press the button Create host group in the upper right corner of the screen. Host groups exists to make a logical group so we can add all hosts that belong together in one group or more. Ex all Linux server, all PostgreSQL server, or all the servers that belong to one team.
When going to our menu data collection you notice that there are Host groups and Template groups. If you come from an older Zabbix version you will be happy to read that Zabbix made a specific group for Templates. If you are new to Zabbix don't panic :). In older versions Zabbix had mixed Templates and host in one group. This mixing was sometimes confusing especially for new users, as Zabbix doesnt link templates to groups.
When you click on the menu Data collection -> Host groups. You will notice that some groups are already made. You will also see that there are some names behind the host groups with numbers in front. These names are the names from the hosts that are in the group. The number in fron is the number of hosts that are in the host group. To make life more easy you can click on the names of the hosts and Zabbix will bring you directly to the configuration screen for this host.
Zabbix allows the creation of nested groups. As you can see we are using forward slashes in our group name. When you make use of nested group you can use the '/' to separate groups.
Once our group or set of nested groups is made you can click again from the host group overview on the group. You will notice that there is now a box that says Apply permissions and tag filters to all subgroups. When pressing this button, all right that are this group will be applied to the sub-groups. So if we have a user John for example in a user group that has rights to see everything in the Host group with the name Europe/Belgium and we apply the option to the subgroups then our user John will suddenly see also the hosts in all our nestet groups and the tags on this host.
When creating nested groups, Parent groups don't have to exist. So we can have only the group open-future without any of the parent groups. It's up to the user to create them or not. Also group names cannot have / in their names. We cannot escape the / character. Also leading and trailing slashes and multiple slashes in a row are not allowed.
Have you tried to put emoticons in fields like host group yet ?
"},{"location":"configuration/zabbix-hosts/","title":"Zabbix hosts","text":"To understand how Zabbix works, it's important to know that Hosts in Zabbix are a reference to anything we would like to monitor. It can be a physical host, a virtual machine, an application, a device, or even just a dummy host used to calculate data from existing hosts into something new.
It's probably one of the first tasks that we will do as an Admin when we first login to Zabbix because we need a host if we would like to monitor some metrics. It's however, important to know that hosts cannot be created without being in a hostgroup.
With this said, let's see how to create our first host.
Let's go to the menu on your left and select Data Collection -> Hosts. We see that there is already a host configured and that the availability icon is \"RED\". Don't worry about it, this is normal. We have no Zabbix agent installed or configured.
To add a new host to our system, we have to press Create host, this button can be found in the upper right corner of our screen.
We now get a modal form where we need to fill in some information about our host. The fields marked with a red asterisk \"*\" are the fields that are mandatory.
ParameterDescription Host nameHere we need to enter the Host name of the machine we would like to add. The name can contain alphanumerics, spaces, dots, dashes, and underscores. HOWEVER you are not allowed to use leading and trailing spaces. The Host name in the frontend is what we need later for the configuration of our Zabbix agent, so make sure you remember it. Visible nameThe host name, as we have seen, is needed to configure our Zabbix agent. So in case you like to give it a unique name or one that is randomly generated, ... you can add a visible name here. This name will then be used on the frontend instead of what we call the technical name host name. This name has support for UTF-8, so special characters are supported. This name will be used in all the places like maps, the latest data, inventory, ... TemplatesTemplates are like blueprints that we can use on our hosts to add items, triggers, etc. We explain more about it in the topic Zabbix templates. You can start typing the name of the template, and Zabbix will start to show a list with matches, or you can press the ```Select``` box and choose one from the list. Host groupsEvery host must belong to atleast one ```host group```. This is because permissions are set on host groups. You can type the name of the host group, and a list of matching groups will start to appear. Another way is to select a host group from an existing list by pressing the Select button. Or you can create a new group by just typing the name and pressing on the box that shows the name of the group you typed with (new) behind it InterfacesZabbix supports several host interfaces, like the Zabbix agent, SNMP, JMX, and IPMI. By default, when we create a host, no interface is added. To add an interface, press Add and fill in the needed information, like IP or DNS, depending on the host interface chosen. When an interface is in use (items created that use the interface), then the interface cannot be removed. DescriptionA place to enter a short description about our host. Monitored by proxyIf we have proxies configured, we can select them here if we like to monitor our host through a proxy. EnabledMark the checkbox to enable the host. This will keep it monitored by Zabbix. When unchecked, the host will not be monitored."},{"location":"configuration/zabbix-hosts/#host-menu-details","title":"Host menu details","text":"Before we add a host ourselves, there are a few things we need to know first. When we click on a host that we have already configured, there are a few things that we will notice. First of all, we see a blue line under Host. This means that we are on the current tab of the host page. As you can see, there are multiple tabs that we can click on, like IPMI, Tags, Macros,...
The next thing we see is that next to the tab Macros, there is a number 2. This is because there are two macros configured in the macro tab. So when we add information to tabs like macros or tags ... , Zabbix will show how many items we have added to these tabs by showing next to the tab name the number.
When looking at the encryption tab, we notice the green dot. This shows us that an option on the tab has been activated. Now that we know this, let's get a quick overview of every tab and see what it does.
So looking at the IPMI tab, there are a few things we need to fill in when working with an IPMI interface. IPMI stands for Intelligent Platform Management Interface and is basically a set of standards to manage hardware platforms. In short, it allows us to monitor and manage our servers hardware even if the server is not turned on yet. IPMI is better known as ILO on HP servers and DRAC on Dell servers.
We will cover IPMI in more detail later in the Chapter IPMI Monitoring
"},{"location":"configuration/zabbix-hosts/#tags","title":"Tags","text":"To Do
"},{"location":"configuration/zabbix-interfaces/","title":"Interfaces","text":""},{"location":"configuration/zabbix-items/","title":"Items","text":""},{"location":"configuration/zabbix-macros/","title":"Macros","text":""},{"location":"configuration/zabbix-templates/","title":"templates","text":""},{"location":"configuration/zabbix-users/","title":"Zabbix Users & User groups","text":"Now that we know how the Zabbix dashboard is build up our first task will be to create a user. In case you missed it the standard Zabbix (yes the capital Z here is eeded to login.) user is Admin and has the password zabbix so we need to change this ASAP. The most confusing part is probably that the user Admin in zabbix is actually a super admin but more about that later.
In our menu on the right side of the screen, click the Users section, and then choose users. As you can see here in the screenshot.
You will now see a list of all the users that are created on the system when installing a new Zabbix instance. Here you will always see a list of all users that are configured on the system.
To change the password, do the following steps: - Click user Admin - Click on the button Change password. - Fill in the current password, zabbix - Fill in the new password twice and press Update at the bottom of the page.
Before we create new users, it's important to know that Zabbix has three user types that are built-in.
User typeDescription Zabbix UserThis is a normal user that only has read-only permissions if given. So there are no permissions assigned by default. Zabbix AdminA user with read/write permissions. Just like the Zabbix user, there are no permissions by default. However access can be denied to some groups. Zabbix Super AdminA user with group read/write permissions. The user will have read/write access to all host and template groups. Access can't be revoked by denying access to groups, like with a normal admin.Besides these differences, these users also have different access rights to our menu. Let's have a closer look.
Admin user will have more rights than a regular user and will be able to make some configuration changes in Zabbix. A Super Admin user will have unlimted right and see every part of the menu. The only way to limit a Super Admin will be by making use of roles. Something we cover later.Admin user will have more rights than a regular user and will be able to make some configuration changes in Zabbix.Super Admin can access all parts of the menu. This table gives an overview of all the permissions a Zabbix user, admin, and super admin have in the Zabbix menu:
Zabbix UserZabbix AdminZabbix Super Admin Dashboards\u2705\u2705\u2705 Monitoring\u2705\u2705\u2705 - Problems\u2705\u2705\u2705 - Hosts\u2705\u2705\u2705 - Latest data\u2705\u2705\u2705 - Maps\u2705\u2705\u2705 - Discovery\u274c\u2705\u2705 Services\u2705\u2705\u2705 - Services\u2705\u2705\u2705 - SLA\u274c\u2705\u2705 - SLA Report\u2705;\u2705\u2705 Inventory\u2705\u2705\u2705 - Overview\u2705\u2705\u2705 - Hosts\u2705\u2705\u2705 Reports\u2705\u2705\u2705 - System information\u274c\u274c\u2705 - Scheduled reports\u274c\u2705\u2705 - Availability report\u2705\u2705\u2705 - Triggers top 100\u2705\u2705\u2705 - Audit log\u274c\u274c\u2705 - Action log\u274c\u274c\u2705 - Notifications\u274c\u2705\u2705 Data Collection\u274c\u2705\u2705 - Template groups\u274c\u2705\u2705 - Host groups\u274c\u2705\u2705 - Templates\u274c\u2705\u2705 - Hosts\u274c\u2705\u2705 - Maintenance\u274c\u2705\u2705 - Event correlation\u274c\u274c\u2705 - Discovery\u274c\u2705\u2705 Alerts\u274c\u2705\u2705 - Trigger actions\u274c\u2705\u2705 - Service actions\u274c\u2705\u2705 - Autoregistration actions\u274c\u2705\u2705 - Internal actions\u274c\u2705\u2705 - Media types\u274c\u274c\u2705 - Scripts\u274c\u274c\u2705 Users\u274c\u274c\u2705 - User groups\u274c\u274c\u2705 - User roles\u274c\u274c\u2705 - Users\u274c\u274c\u2705 - Api tokens\u274c\u274c\u2705 - Authentication\u274c\u274c\u2705 Administration\u274c\u274c\u2705 - General\u274c\u274c\u2705 - Audit log\u274c\u274c\u2705 - Housekeeping\u274c\u274c\u2705 - Proxies\u274c\u274c\u2705 - Macros\u274c\u274c\u2705 - Queue\u274c\u274c\u2705Admin user will have more rights than a regular user and will be able to make some configuration changes in Zabbix.Super Admin can access all parts of the menu. So now that we are in the users section of Zabbix, it's probably a good time to create a new user for our system. If you skipped the previous step, go to the menu Users -> Users.
Click on the top right on Create user and fill in the details of your new users. You will see that some fields have red asterisks in front of them, like Username and Password, ... this means that those fields are mandatory to fill in.
Zabbix passwords rely on a minimum length of 8 characters and also block a list of easy-to-guess passwords. We can make our passwords more secure by telling Zabbix that our passwords must contain uppercase and lowercase characters, a digit, and a special character. This policy is a global policy that will be enforced, and we have to set this policy as Super Admin. Go to the menu Users -> Authentication. In older versions, you can find it under Administration Authentication.
ParameterDescription UsernameA unique name that will be used as username when we login. NameThe users firstname this field is optional visible in acknowledgment information and notification recipient information if set. Last NameUsers last name. Optional, this field is optional visible in acknowledgment information and notification recipient information if set. GroupsSelect what group the user will belong to. Atleast 1 group needs to be selected. This feeld will auto complete or you can press the '''Select''' button at the end of the field. PasswordThere are 2 password fields they can only be used for internal authentication but more about this later. If the user has the Super admin role then clicking on the Change password button opens an additional field to entering the current (old) password. On a successful password change, the user for which the password was changed will be logged out of all active sessions. LanguageLanguage of the frontend. The php gettext extension is required for the translations to work. And the language needs to be configured on the system. See the chapter \"Installing Zabbix\" in case you forgot. TimezoneSelect the time zone per user or use the default timezone that is configured on the Zabbix server. ThemeHere users can select their own look and feel by choosing one of the 4 themes provided by Zabbix or another custom made theme. Default will switch to the default theme chosen by the admin. Auto-LoginCheck this box so that the user will be remembered for 30 days. The browser must accept cookies for this to work. Auto-LogoutChecking this box makes sure the user gets logged out automatically, after the set amount of seconds (minimum 90 seconds, maximum 1 day). Time suffixes are supported, e.g. 90s, 5m, 2h, 1d. Note that this option will not work if :The tab ''' Media ''' contains a list of all media that are defined for our user. Media is used for sending notifications to the user. We can click the Add button.
Adding the media here is not enough to receive notification; we also need to configure our media properly, and we still need to configure actions as well. When pressing the ''' Add ''' button, we get a popup where we can select some information.
ParameterDescription TypeA drop down list with the names of all media types. When a media type is disabled it will be in red. Send toHere we can provide contact information. For an email media type it is possible to add several addresses by clicking on '''Add''' below the address field. In this case, the notification will be sent to all email addresses provided. It's also possible to specify recipient name in the Send to field of the email recipient in a format 'Recipient name <address1@company.com>'. Note that if a recipient name is provided, an email address should be wrapped in angle brackets (<>). UTF-8 characters in the name are supported, quoted pairs and comments are not. For example: John Doe <manager@open-future.com> and manager@nycdatacenter.com are both valid formats. Incorrect examples: John Doe manager@open-future.com, %%\"Zabbix\\@\\<H(comment)Q\\>\" zabbix@company.com %%. when activeThe time when media will be active from monday till sundat, 1-7 and the time from 00:00 till 24:00 for example only in weekends from 6 in the morning till 5 in the evening: 6-7,06-17:00i. This is based on the user his timezone Use if severityA list of checkboxes from the severities you would like to recieve notifications from. Selected severities will be displayed in color. !! Read the warning below!! StatusStatus of the media we have selected either enabled or disabled ( in use or not ) WarningWhen selecting the different severity levels, be aware that you have to select Not classified if you want to receive notifications about non-trigger events, like internal events. For more information, check out Event Sources. This is something that is not obvious, and Zabbix documentation could be better at explaining this.
When we go to the Permissions tab in our Users, we will get an overview of all permissions our users had in the menu structure. Or when creating a new user, we have the option to select a User Role. Zabbix has four different User Roles built-in. There is a User role, Admin role, Super admin role, and a Guest role.
The Guest role is a role with very strict access limitations. Its role is intended for users to access Zabbix without any user account. I never advise using this role unless you know what you are doing. When you open your GUI to users without any authorization, this could leak potential sensitive data like hostnames, IPs, etc.
Choosing a User type is one thing; based on the User type we choose, our users will have more or less rights in our main menu. But there is another important part when choosing the User Type. This also has an impact on the rights each user has over host groups. For example, a regular user can only have read rights or no rights. A Zabbix admin user can have full, read-only, or no rights, and a Zabbix Super Admin always has full rights on host groups, and his rights on the host groups cannot be revoked.
Here is an overview of every user and his rights:
Group rightsZabbix UserZabbix AdminZabbix Super Admin Read/WriteRead OnlyFullFull Read onlyRead OnlyRead OnlyFull DenyNoneNoneFull NoteWith all this knowledge, we now know that if we want to create a regular user who also has access to certain parts of the Administration menu, that it's not possible. We can never create a user that has only RO access to certain host groups and RW access to the Administration part. What we could do, however, is create a Super Administrator account and remove access from the menu for certain parts of the Administrationmenu by creating a special role. There is no limit on the number of roles you can create.
Also, be aware that when you click on an item on the dashboard on Update, you will see a modal window popup with some options to change the severity, close a problem, etc., so some will be greyed out. This is because the user needs write permissions. For example, a user needs write permissions to close a problem and change the severity level.
With Zabbix 7 Permission checks have been made much faster. This was made possible by making some improvements on how permissions are stored. This should make the frontend faster when when we have permission havy pages to load like the ones with hosts or problems widgets. - New tables have been introduced for the check of non-privileged users. - The new tables will keep hashes (SHA-256) of user group sets and host group sets for each user/host. - Also a new permission table was introduced for storing only the accessible combinations of users and hosts, specified by the hash IDs. - Hashes and permissons are not calculated for Super Admin users.
"},{"location":"configuration/zabbix-users/#user-roles","title":"User Roles","text":"User roles have been in Zabbix since version 5.2 and make our lives easier by allowing us to make some custom adjustments to the standard defind user types in Zabbix.
When we go to our Permissions tab, we can see a box Role. Press the Select box to see a popup with a list of roles to choose from. There are four standard roles to choose from. You can create your own list of rules by going to the menu Users -> User Roles and create your own limited user.
The box is marked with an asterisk in front, so you need to select a user role for every user you create.
WarningBe aware that no permissions can be added to user roles only permissions can be revoked.
"},{"location":"configuration/zabbix-users/#user-groups","title":"User Groups","text":"A user always needs to be member of one or more User groups. We will not set any user rights directly on Users in Zabbix but we do this on User groups. So if a User needs the permission to view or edit a host or a template then this is set on the User group wich has the permisson to view or edit a host or template group and never on a host or a template directly.
Zabbix has a few different rights we can use on group level, as we have seen above. To make it easier for you I add them again:
Group rightsZabbix UserZabbix AdminZabbix Super Admin Read/WriteRead OnlyFullFull Read onlyRead OnlyRead OnlyFull DenyNoneNoneFullWhen it comes to permissions in Zabbix groups, the highest level will win. A user that has read and read-write rights on the same host will get read-write permissions. Except for Deny, Deny will always overrule. So if we have a Zabbix Admin user then this user can have Read/Write rights, if we add a host in a hostgroup where our usergroup has read rigths, and the same server is in another hostgroup with Read/Write rights, then our user will have Read/Write permissions on the hosts. However if the same host is only in the Read hostgroup then our user will only have read rights. If we also add host in a Hostgroup where our usergroup has Deny rights then the server will not be visible.
Let's have a look at our User groups, for this go to the menu Users -> User groups and click on one of the existing users. I used Guest in this case.
Under the tab User group we see the following options:
Frontend Access : How users of the group will authenticate with Zabbix.
The next tab next to User group is the tab Template permissions. Here we can define what User group will have access to what template group. We can define if a User group has read, read-write permissions or if all access must be denied. When selecting a template group don't forget to press the Add button first so that you see the Template group appear in the Permissions box. Then when you are ready confirm again at the bottom of the page with Updqte.
Hosts permissions tab allows us to specify what User group```` will have what kind of access on the selectedHost groupsthis can again be read, read-write or explicit deny. Just as with theTemplates permissionstab don't forget to clickAddfirst and when you are ready defining all the permissions clickUpdate``` at the bottom. The name is a bit confusing as we don't select permissions for a host but a host group.If we add multiple lines with the same host group or template group with different permissions Zabbix will apply the strongest permission. Alow be aware that a Super admin user can enforce nested groups to have the same level of permissions as the parent group. It can be done in the host group or template group configuration.
Problem tag filter allows us to filter problems based on tags and their value. It also allows us to separate the access to host groups from our possibility to see only the problems we want.Let us make three Host groups, go to the Data collection menu -> Host groups and create a Host group for read , read-write, and deny.
Next step is to create a host and add the host in our three groups. Go to the Data collection menu -> Hosts and press Create host on the right. Add a Host name, the name is not that important and add the three Host groups we just made.
The only thing we need to do now is create our User and User group and give the correct rights. Go to our menu Users -> Users group and click on the top right to Create user group. Let's call this group our Admin Group as we need a Zabbix Admin that we can give read, read-write and later deny to show this.
Next go to the tab Host permissions and start typing the name of our group read in the search box or press the Select button and select the correct group. Next before we do anything select also the correct permissions Deny and press the add just below NOT the button. Do this also for the group read-write and deny. If everything looks like in our screenshot then press the Add button
Now for the final step let's create a user. Go to the menu Users -> Users and create a new user, in the field Username we can add our fictive user with the name Brian. In the Groups box we select our Users group this was Admin Group. Don't forget also to add a Password we need to do this twice. Next go to the tab Permissions and select the role Admin role. You will see directly once selected that our users bridan has read, write and deny on the correct groups. Press Add at the bottom.
Now it's time to check if everything is as expected. Our user Brian if all goes well shouldn't have any rights as we explicitly denied accesss. Press Sign out at the bottom left and then login as user Brian. Go to the menu Monitoring -> Hosts. Select all the hosts groups, you should normally only see read, and read-write. Our host group Deny is not visible and our host postgres is not visible either.
Now log back in as user Admin, our Zabbix Super Admin and remove the deny group from our Admin group. This can be done by selecting the None permissions for the group Deny in the Host permissions tab from our User group.
Log back in as our user Brian go back to the Monitoring menu to Hosts. If all goes well our groups read and read-write are still selected if nog you just select them again. You will see that our host postgres is visisble and that you can click on it to edit the host propreties.
As final test you can try to remove the group read-write same as we did before with the Deny group. This time only the read group will be visible for our user and Brian will not be able to edit our host postgres anymore.
Now let's add tags into the mix. Imagine that we only like to see problems with a tag read-write and value off. Go to User groups select our Admin Group again and go to the tab Problem tag filter and fill in the needed tag read-write and value off.
Now we need to create a problem for this we will add an item and a trigger to our host postgres. Go to the menu Data collection -> Hosts and click on items behind our host postgres. On the top right you will see a button Create item click on it and fill in the same data as in the screenshot below. Don't worry if you don't understand anything we will come to items later.
In this item we just tell our Zabbix server to do a ping to IP 192.168.10.1 make sure this IP doesn't exist in your lan so try to ping it first to be sure you don't get a reply back. If you do get a reply back change the IP with some address that is not pingable for you.
Next step once you have filled in all the data is to save the item and click on top on Triggers. You will also notice now that there is a 1 next to Items. This indicates that we have made 1 item on our host postgres. Now that we are in the trigger tab click in the top right corner on the button Create trigger. Once again copy over all the data from the screenshot and save the trigger. If you changed the IP in the item make sure you use same IP in the trigger.
Next let's add a tag on our host postgres that tells Zabbix to mark everything on the host with a tag read-write and value on. Remember we added a value off in our User group problem tag filter tab. So we only want to see everything with a tag read-write and value off.
When you go now to the Problem page in the menu Monitoring you should see after some time a warning that there is a problem on our host postgres. You will also see that the problem got a tag read-write with value on.
You can clearly see that under our Zabbix super admin user the problem is visible. Now do the same but as user Brian. You will notice that there is no visible problem for our user even he has read-write access to the hostgroup where our server postgres belongs to.
Now as user Brian I would like to see the problem so let's go to our menu Data collection and click on our host postgres. Go to the Tags tab and change the value from our tag read-write from on to off. So now everything on our host should get the tags read-write with value off. So now Brian should be able to see the problem right ? Sadly Brian is still not able to see the problem in our Problem page. This is because the problem was already created in Zabbix and has already received the tag. So the only way to fix this is to close the problem first and let Zabbix create a new problem again.
As Super Admin log back in and go to our trigger Ping and mark the box Allow manual close and press Update. Go back to the dashboard and behind the problem ping you will see Update. Click on it and selec the option Close problem and press Update.
Log back in as our user Brian and go to the problem dashboard. We will see that the problem is back. Even we closed the problem before Zabbix opened a new problem because the issue was not resolved. This time our issue has the tag with the correct value.
A Zabbix user needs to be created with a user role. You cannot create one without.
WarningBe careful if you use the API at the time of writing it's possible to create a Zabbix user with the API without a role. When created by the API the user can even be saved by the frontend afterwards !
InfoMore information can be found in the online Zabbix documentation here
"},{"location":"extra-monitoring/SNMP-monitoring/","title":"Monitoring SNMP,IPMI and JAVA","text":""},{"location":"installation/Requirements/","title":"Requirements","text":"Zabbix has a set of requirements that need to be met on the hardware level and software level. These requirements can change over time and also depends on the size of your setup and the software you choose. So before you start buying metal or installing a random database version have a look at the Zabbix documentation and check the latest requirements for the version you want to install. The latest requirements can be found here. Don't forget to select your correct Zabbix version from the list.
If you don't plan to run anything big just a small setup or a test setup Zabbix will run happy on a system with 2cpu and 8G ram. But all depends on how big your setup will be and how many items you will monitor, triggers you will create and for how long you want to keep that data. My advice in the days of Virtualization is you can start small and add more later.
For the setup you can choose to install all components on 1 server or every component on a different server. For the ease of use just make a few notes for yourself:.
server ip zabbix server database server web server TipWhile zabbix uses dashes \"-\" in it's names when we need to install packages like zabbix-get or zabbix-sender it's binaries use \"_\". like zabbix_sender or zabbix_server. This of course can vary depending if you use the packages from the original Zabbix repositories or not. Just be aaware that it's sometimes rather confusing and that if you installed somepackage with a dash that maybe the binary is with an underscore.
"},{"location":"installation/Requirements/#basic-os-configuration","title":"Basic OS configuration","text":""},{"location":"installation/Requirements/#firewall","title":"firewall","text":"It's important for our Zabbix server to have an OS that is well prepared before we start to install our monitoring tool. First we need to make sure our firewall is installed.
# dnf install firewalld --now
Our firewall is installed now, and we are ready to configure the needed ports. For our Zabbix server, we need to allow access to port 10051/tcp this is the port where our Zabbix trapper listens on for incoming data. So we need to open this port in our firewall to allow access to our Zabbix trapper.
# firewall-cmd --add-service=Zabbix-server --permanent
or if the service is not known
# firewall-cmd --add-port=10051/tcp --permanent
firewalld
\"Firewalld is the replacement of iptables in Redhat and allows us to make changes available immediately without the need to restart a service. It's possible that your distribution is not using Firewalld in this case you have to look to the documentation of your OS.\"
"},{"location":"installation/Requirements/#timeserver","title":"timeserver","text":"Another thing we need to configure is the setup of timeserver and sync our Zabbix server to the timeserver by making use of an ntp client. This needs to be done for the Zabbix server but also for the devices we will monitor as time is very important for Zabbix. Imagine one of our hosts having a time zone that is wrong we could end up looking for a problem in Zabbix that happened 6h ago while it had happened maybe only 2h ago.
# dnf install chronyd --now
Chrony should be installed now and enabled and running. This can be verified with the command:
# systemctl status chronyd
dnf
\"dnf is a packagemanager from RedHat you need to replace dnf with your correct packagemanager like zyper, apt, yum, ... chrony is a replacement for ntpd and does a better job being faster and more accurate. If your OS does not support chrony then maybe ntpd is still available.\"
Once Chrony is installed we also need to setup our correct time zone. We can have a look first with 'timedatectl' to see how our time is configured
# timedatectl\n Local time: Thu 2023-11-16 15:09:14 UTC\n Universal time: Thu 2023-11-16 15:09:14 UTC\n RTC time: Thu 2023-11-16 15:09:15\n Time zone: UTC (UTC, +0000)\nSystem clock synchronized: yes\n NTP service: active\n RTC in local TZ: no\nMake sure that the service cronyd is active, see above on how to do if you missed it. We can choose the correct time zone from a list that we can lookup with the following command:
# timedatectl list-time zones\nThis will give us a list with all available time zones. Choose the one closest to you.
Africa/Abidjan\nAfrica/Accra\n\n...\n\nPacific/Tongatapu\nPacific/Wake\nPacific/Wallis\nUTC\nWe can now configure our correct time zone with the following command:
timedatectl set-time zone Europe/Brussels\nWhen we look again we should see our time zone properly configured.
# timedatectl\n Local time: Thu 2023-11-16 16:13:35 CET\n Universal time: Thu 2023-11-16 15:13:35 UTC\n RTC time: Thu 2023-11-16 15:13:36\n Time zone: Europe/Brussels (CET, +0100)\nSystem clock synchronized: yes\n NTP service: active\n RTC in local TZ: no\n\"Some people like to install all servers in the UTC time zone so that all server logs are in the same time zone when having servers all over the world. Zabbix supports user based time zone settings so it's possible to keep the time zone in UTC on the server and then add the correct time zone in the user interface if you like.\"
We can test if Chrony is syncronizing with the correct timeservers as well by running the command chronyc
# chronyc\nchrony version 4.2\nCopyright (C) 1997-2003, 2007, 2009-2021 Richard P. Curnow and others\nchrony comes with ABSOLUTELY NO WARRANTY. This is free software, and\nyou are welcome to redistribute it under certain conditions. See the\nGNU General Public License version 2 for details.\n\nchronyc>\nThen we type sources
chronyc> sources\nMS Name/IP address Stratum Poll Reach LastRx Last sample\n===============================================================================\n^- 51-15-20-83.rev.poneytel> 2 9 377 354 +429us[ +429us] +/- 342ms\n^- 5.255.99.180 2 10 377 620 +7424us[+7424us] +/- 37ms\n^- hachi.paina.net 2 10 377 412 +445us[ +445us] +/- 39ms\n^* leontp1.office.panq.nl 1 10 377 904 +6806ns[ +171us] +/- 2336us\nHere we can see that we are using a bunch of ntp servers that are not in our own country so we better swicht to some timeservers in our local country or if we have a timeserver in our company we could use this one. We can find some local timeservers here : https://www.ntppool.org/
To change this we have to edit our config file \"/etc/chrony.conf\" and replace the existing ntp server with our local one
# Use public servers from the pool.ntp.org project.\n# Please consider joining the pool (http://www.pool.ntp.org/join.html).\npool 2.centos.pool.ntp.org iburst\nAnd change it to a local server:
# Use public servers from the pool.ntp.org project.\n# Please consider joining the pool (http://www.pool.ntp.org/join.html).\npool be.pool.ntp.org iburst\nDon't forget to restart the ntpd client of course.
# systemctl restart chronyd\nWhen we look again we will see that we are now using our local timeservers.
chronyc> sources\n\nMS Name/IP address Stratum Poll Reach LastRx Last sample\n===============================================================================\n^- ntp1.unix-solutions.be 2 6 17 43 -375us[ -676us] +/- 28ms\n^* ntp.devrandom.be 2 6 17 43 -579us[ -880us] +/- 2877us\n^+ time.cloudflare.com 3 6 17 43 +328us[ +27us] +/- 2620us\n^+ time.cloudflare.com 3 6 17 43 +218us[ -83us] +/- 2815us\nIn this topic we will setup Zabbix in a High Available setup. This feature was added in Zabbix 6 and was one of the most important features added that time. The idea about this functionallity is that if your Zabbix server fails that another Zabbix server can take over. In this setup we will use 2 Zabbix servers but you are not limited to this you can add as many as you like.
The HA setup in Zabbix is rather basic but works like a charm so don't expect fancy things like load balancing.
Just like we did in our basic setup we will make a few notes again about the setup of the servers we have. I added the IP's that we will use here don't forgot to make notes of your own ip adresses.
Server IP Zabbix Server 1 192.168.0.130 Zabbix Server 2 192.168.0.131 Postgres DB 192.168.0.132 Virtual IP 192.168.0.135 NoteAs you notice our DB is not HA this is not a Zabbix component you have to implement your own solution this can be a HA SAN or you DB in a HA cluster setup. The cluster setup of our DB is out of the scope and not related to Zabbix so we will not cover this here.
"},{"location":"installation/installing-zabbix-ha/#lets-install-our-postgres-db","title":"Let's install our Postgres DB","text":"NoteIf you are not running on x86 or like to try on another OS, then have a look at https://www.postgresql.org/download/ for the commands you need.
WarningIn this exercise we will take some shortcuts for the installation of the PostgreSQLDB and the OS. Look at our previous topics to get a better understanding where to tweak.
# Install the repository RPM:\nsudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm\n\n# Disable the built-in PostgreSQL module:\nsudo dnf -qy module disable postgresql\n\n# Install PostgreSQL:\nsudo dnf install -y postgresql16-server\n\n# Initialize the database and enable automatic start:\nsudo /usr/pgsql-16/bin/postgresql-16-setup initdb\nsudo systemctl enable postgresql-16 --now\nPostgreSQL works a bit different then MySQL or MariaDB and this applies aswell to how we manage access permissions. Postgres works with a file with the name pg_hba.conf where we have to tell who can access our database from where and what encryption is used for the password. So let's edit this file to allow our frontend and zabbix server to access the database.
# vi /var/lib/pgsql/16/data/pg_hba.conf\n# \"local\" is for Unix domain socket connections only\nlocal all all trust\n# IPv4 local connections:\nhost zabbix zabbix 192.168.0.130/32 scram-sha-256\nhost zabbix zabbix 192.168.0.131/32 scram-sha-256\nhost all all 127.0.0.1/32 scram-sha-256\nAfter we changed the pg_hba file don't forget to restart postgres else the settings will not be applied. But before we restart let us also edit the file postgresql.conf and allow our database to listen on our network interface for incomming connections from the zabbix server. Postgresql will standard only allow connections from the socket.
# vi /var/lib/pgsql/16/data/postgresql.conf\nReplace the line with listen_addresses so that PostgreSQL will listen on all interfaces and not only on our localhost.
listen_addresses = '*'\nWhen done restart the PostgreSQL cluster and see if it comes back online in case of an error check the pg_hba.conf file you just edited for typos.
# systemctl restart postgresql-16\nFor our Zabbix server we need to create tables in the database for this we need ot install the Zabbix repository like we did for our Zabbix server and install the Zabbix package containing all the database tables images icons, ....
"},{"location":"installation/installing-zabbix-ha/#add-the-zabbix-repository-and-populate-the-db","title":"Add the Zabbix repository and populate the DB","text":"Add the Zabbix repo to your server (Don't forget to select the correct repo for your OS and Zabbix version) for this go to www.zabbix.com/download
# rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\n# dnf install zabbix-sql-scripts -y\nNext we have to unzip the database schema files. Run as user root followin command::
# gzip -d /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz\nNow we are ready to create our Zabbix users for the server and the frontend. If you like to separate users for frontend and server have a look at the basic installation guide.
# su - postgres\n# createuser --pwprompt zabbix\nEnter password for new role: <server-password>\nEnter it again: <server-password>\nWe are now ready to create our database zabbix. Become user postgres again and run next command to create the database as our user zabbix:
# su - postgres\n# createdb -E Unicode -O zabbix zabbix\nLet's upload the Zabbix SQL file we extracted earlier to populate our database with the needed schemas images users etc ... For this we need to connect to the DB as user zabbix.
# psql -U zabbix -W zabbix\nPassword:\npsql (16.2)\nType \"help\" for help.\n\nzabbix=> SELECT session_user, current_user;\n session_user | current_user\n--------------+--------------\n zabbix | zabbix\n(1 row)\n\nzabbix=> \\i /usr/share/zabbix-sql-scripts/postgresql/server.sql\nCREATE TABLE\nCREATE INDEX\nCREATE TABLE\n....\n....\nINSERT 0 1\nDELETE 80424\nCOMMIT\nMake sure the owner of your tables is the user zabbix;
zabbix=> \\dt\n List of relations\n Schema | Name | Type | Owner\n--------+----------------------------+-------+--------\n public | acknowledges | table | zabbix\n public | actions | table | zabbix\n...\n...\n...\n\nzabbix=> \\q\n\nOne last thing we need to do is open the firewall and allow incoming connections for the PostgreSQL database from our Zabbix server because at the moment we dont accept any connections yet.
# firewall-cmd --new-zone=postgresql-access --permanent\nsuccess\n\n# firewall-cmd --reload\nsuccess\n\n# firewall-cmd --get-zones\nblock dmz drop external home internal nm-shared postgresql-access public trusted work\n\n# firewall-cmd --zone=postgresql-access --add-source=<zabbix-serverip 1> --permanent\n# firewall-cmd --zone=postgresql-access --add-source=<zabbix-serverip 1> --permanent\n\nsuccess\n# firewall-cmd --zone=postgresql-access --add-port=5432/tcp --permanent\n\nsuccess\n# firewall-cmd --reload\nNow lets have a look to our firewall rules to see if they are what we expected:
# firewall-cmd --zone=postgresql-access --list-all\nOur database server is ready now to accept connections from our Zabbix server :). You can continue with the next task
"},{"location":"installation/installing-zabbix-ha/#install-our-zabbix-cluster","title":"Install our Zabbix Cluster","text":"Setting up a Zabbix cluster is not really different from setting up a regular Zabbix server obviously we need more then one. And there are also a few parameters that we need to configure.
Let's start by adding our Zabbix 7.0 repositories to our 2 Zabbix servers.
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\nOnce this is done we can install our Zabbix servers on both systems.
dnf install zabbix-server-pgsql -y\nWe will now edit the config file on our first zabbix server. Run the next command:
vi /etc/zabbix/zabbix_server.conf\nOnce in the file edit the following lines to make our Zabbix server 1 connnect to the database
DBHost=<zabbix db ip>\nDBName=zabbix\nDBUser=zabbix\nDBPassword=<your secret password>\nIn the same file we also have to edit another parameter to activate HA on this host.
HANodeName=zabbix1 (or whatever you like)\nWe are not done yet. We also have to tell Zabbix in case of a node fail to what server the frontend needs to connect.
NodeAddress=<Zabbix server 1 ip>>:10051\nWe are now done with the configuration of our 1st Zabbix server. Now let's do the same for our second server. I case you have more then 2 servers you can update them as well.
When you are done patching the config of your servers you can start the zabbix-server service on both servers
systemctl enable zabbix-server --now\nLet's have a look at the log files from both servers to see if it came online as we had hoped. on our first server we can run:
#grep HA /var/log/zabbix/zabbix_server.log\n\n22597:20240309:155230.353 starting HA manager\n22597:20240309:155230.362 HA manager started in active mode\nNow do the same on our other node(s)
# grep HA /var/log/zabbix/zabbix_server.log\n22304:20240309:155331.163 starting HA manager\n22304:20240309:155331.174 HA manager started in standby mode\nFirst things first before we can install and configure our webserver we need to install keepalived. Keepalived allows us to use a VIP for our frontends. Keepalived provides frameworks for both load balancing and high availability.
InfoSome useful documentation on the subject you might like. https://www.redhat.com/sysadmin/advanced-keepalived and https://keepalived.readthedocs.io/en/latest/introduction.html
"},{"location":"installation/installing-zabbix-ha/#setup-keepalived","title":"Setup keepalived","text":"So let's get started. On both our servers we have to install keepalived.
dnf install keepalived\nWe also need to adapt the configuration of keepalived on both servers. The configuration for both servers needs to be a bit changed so let's start with our server 1. Edit the config file with the following command:
# vi /etc/keepalived/keepalived.conf\nDelete everything and replace it with the following lines:
vrrp_track_process track_nginx {\n process nginx\n weight 10\n}\n\nvrrp_instance VI_1 {\n state MASTER\n interface enp0s1\n virtual_router_id 51\n priority 244\n advert_int 1\n authentication {\n auth_type PASS\n auth_pass 12345\n }\n virtual_ipaddress {\n 192.168.0.135\n }\n track_process {\n track_nginx\n }\n}\nReplace enp0s1 with the interface name of your machine and replace the password with something secure. For the virual_ipaddress use aa free IP from your network. Now do the same thing for our second Zabbix server.
# vi /etc/keepalived/keepalived.conf\nDelete everything and replace it with the following lines:
vrrp_track_process track_nginx {\n process nginx\n weight 10\n}\n\nvrrp_instance VI_1 {\n state BACKUP\n interface enp0s1\n virtual_router_id 51\n priority 243\n advert_int 1\n authentication {\n auth_type PASS\n auth_pass 12345\n }\n virtual_ipaddress {\n 192.168.0.135\n }\n track_process {\n track_nginx\n }\n}\nJust as with our 1st Zabbix server, replace enp0s1 with the interface name of your machine and replace the password with something secure. For the virual_ipaddress use aa free IP from your network.
On both servers we can run the following commands to install our webserver and the zabbix frontend packages:
dnf install nginx zabbix-web-pgsql zabbix-nginx-conf\nAlso let's not forget to configure our firewall
firewall-cmd --add-service=http --permanent\nfirewall-cmd --add-service=zabbix-server --permanent\nfirewall-cmd --reload\nAnd now we can start our keepalived and enable it so that it comes up next reboot
systemctl enable keepalived nginx --now\nClick next till you see the following page and fill in the ip of your DB server. The port can be 0 this means we will use the default port. fill in the database name, user and password you used for the database. Make sure you deselect TLS encryption and select store passwords as plaintext. When you click next it won't work because we did not disable SELinux. Run the following command first on both Zabbix servers.
setsebool -P httpd_can_network_connect_db on\nsetsebool -P httpd_can_connect_zabbix on\nThis will allow your webservers to communicate with our database over the network. Now when we click next it should work.
We are almost ready the only thing left here is now to add the name of our server and configure the default timezone.
Since you\u2019re using a host-based firewall, you need to add the necessary rules to permit IP protocol 112 traffic. Otherwise, Keepalived\u2019s advertisement method won\u2019t work.
firewall-cmd --add-rich-rule='rule protocol value=\"112\" accept' --permanent\nNow that this is all taken care of stop keepalived on our server and repeat the same steps on the second server. After this is finished start keepalived again.
Congratulations you have a HA Zabbix server now .
"},{"location":"installation/installing-zabbix/","title":"Installing Zabbix","text":"Before we can install Zabbix we first have to know how the design is. The Zabbix server has been build op modular based on 3 components.
All these components can be installed on 1 server or can be split over 3 different servers. The Zabbix server itself is the brain this part is doing all the trigger calculations and sending all the alert. The database is where the Zabbix server stores its config and all the data that we have gathered. The web server provides us with a front-end. Note that Zabbix has a API and that this is also located on the front-end and not on the Zabbix server side.
All these parts have to work together so as you can see in our image above. The Zabbix server needs to read the config and store the data in our database and the Zabbix front-end needs to be able to write the configuration in the database as well. The Zabbix front-end also needs to check the online status of our Zabbix server and needs to read some other information as well.
For our setup, we will use 2 VM's, 1 VM with a Zabbix server and our Zabbix web server and another VM with our Zabbix database.
"},{"location":"installation/installing-zabbix/#installing-the-zabbix-server","title":"Installing the Zabbix Server","text":"Before you start to install your Zabbix server make sure the server is properly configure as we explained in our topic Basic OS configuration before we start. Something else that is important in this case is that we need to disable SELinux. We will see later in chapter Securing Zabbix how to do this properly. We can check the status of SELinux with the command sestatus :
# sestatus\nSELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux root directory: /etc/selinux\nLoaded policy name: targeted\nCurrent mode: enforcing\nMode from config file: enforcing\nPolicy MLS status: enabled\nPolicy deny_unknown status: allowed\nMemory protection checking: actual (secure)\nMax kernel policy version: 33\nAs you can see we are now in enforcing mode. To disable SELinux just run setenforce 0 to disable it.
# setenforce 0\n# sestatus\n\nSELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux root directory: /etc/selinux\nLoaded policy name: targeted\nCurrent mode: permissive\nMode from config file: enforcing\nPolicy MLS status: enabled\nPolicy deny_unknown status: allowed\nMemory protection checking: actual (secure)\nMax kernel policy version: 33\nAs you can see our current mode is now permissive. However this is not persistent so we also need to alter our SELinux configuration file. This can be done by altering the file /etc/config/selinux and replacing enforcing by permissive. A more easy way is to run the following command :
sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config\nThis line will alter the config file for you. So when we run sestatus again we will see that we are in permissive mode and that our config file is also in permissive mode.
We can verify this with our cat commando.
# cat /etc/selinux/config\n\n# This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n# enforcing - SELinux security policy is enforced.\n# permissive - SELinux prints warnings instead of enforcing.\n# disabled - No SELinux policy is loaded.\n# See also:\n# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes\n#\n# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also\n# fully disable SELinux during boot. If you need a system with SELinux\n# fully disabled instead of SELinux running with no policy loaded, you\n# need to pass selinux=0 to the kernel command line. You can use grubby\n# to persistently set the bootloader to boot with selinux=0:\n#\n# grubby --update-kernel ALL --args selinux=0\n#\n# To revert back to SELinux enabled:\n#\n# grubby --update-kernel ALL --remove-args selinux\n#\nSELINUX=permissive\n# SELINUXTYPE= can take one of these three values:\n# targeted - Targeted processes are protected,\n# minimum - Modification of targeted policy. Only selected processes are protected.\n# mls - Multi Level Security protection.\nSELINUXTYPE=targeted\nAnd we can also verify it with our commando setstatus
# sestatus\n\nSELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux root directory: /etc/selinux\nLoaded policy name: targeted\nCurrent mode: permissive\nMode from config file: permissive\nPolicy MLS status: enabled\nPolicy deny_unknown status: allowed\nMemory protection checking: actual (secure)\nMax kernel policy version: 33\nFrom the Zabbix Download page select the correct Zabbix version you would like to install. In our case it will be 7.0 LTS. Select the correct OS distribution as well. This will be Rocky Linux 9 in our case. We are going to install the Server and will be using NGINX.
Our first step is to disable Zabbix packages provided by EPEL, if you have it installed. Edit file /etc/yum.repos.d/epel.repo and add the following statement.
[epel]\n...\nexcludepkgs=zabbix*\nHaving the EPEL repository enabled is a bad practice and could be dangerous if you use EPEL it's best to disable the repo and use dnf install --enablerepo=epel. This way you will never overwrite or install unwanted packages by accident.
Our next task is to install the Zabbix repository on our OS and do a dnf cleanup so that old cache files from our repository metadata is cleaned up.
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\ndnf clean all\nA repository is a config in Linux that you can add to make packages available for you OS to install. The best way to look at it is maybe to think of it like an APP store that you add where you can find the software of your vendor. In this case the repository form Zabbix. There are many repositories you can add but you should be sure that they can be trusted. So it's always a good idea to stick to the repositories of your OS and only add extra repositories when you are sure they are to be trusted and needed. In our case the repository is from our vendor Zabbix so it should be safe to add. Epel is another popular repository for RedHat systems that is considered to be safe.
"},{"location":"installation/installing-zabbix/#installing-the-zabbix-server-for-mysqlmariadb","title":"Installing the Zabbix server for MySQL/MariaDB","text":"Now that we have our repository with software added to our system we are ready to install our Zabbix server and webserver. Remember the webserver could be installed on another system. There is no need to install both on the same server.
dnf install zabbix-server-mysql zabbix-web-mysql
Now that we have installed our packages for the Zabbix server and our frontend we still need to change the configuration of our Zabbix server so that we can connect to our database. Open the file /etc/zabbix/zabbix_server.conf and replace the following lines:
DBHost=<ip or dns of your MariaDB server>\nDBName=<the name of your database>\nDBUser=<the user that will connect to the database>\nDBPassword=<your super secret password>\nMake sure you don't have a '#' in front of the config parameter else Zabbix will see this as text and not as a parameter. Also make sure that there are not extra duplicate lines Zabbix will always take the last config parameter if there is more then 1 line with the same parameter
In our case the config will look like this:
# vi /etc/zabbix/zabbix_server.conf\n\nDBHost=<ip or dns of your MariaDB server>\nDBName=zabbix\nDBUser=zabbix-srv\nDBPassword=<your super secret password>\nDBPort=3306\nThe Zabbix server configuration file has the option to include an extra config file with parameters you like to alter or add. In production it's probably better to not touch the configuration file but to add a new file and include the parameters you like to change. This way you never have to edit your original configuration file after an upgrade it will also make your life more easy when working with configuration tools like Ansible, Puppet, SaltStack, .... The only thing that needs to be done is remove the # in front of the line '# Include=/usr/local/etc/zabbix_server.conf.d/*.conf' and make sure the path exists with a customized config file of your won that is readable by the user zabbix.
Ok now that we have changed the configuration of you Zabbix server so that it is able to connect to our DB we are ready to start. Run the following command to enable the Zabbix server and make it active on boot next time.
systemctl enable zabbix-server --now
Our Zabbix server service will start and if everything goes well you should see in the Zabbix server log file the following output
tail /var/log/zabbix/zabbix_server.log
1123:20231120:110604.440 Starting Zabbix Server. Zabbix 7.0.0alpha7 (revision 60de6a81aca).\n 1123:20231120:110604.440 ****** Enabled features ******\n 1123:20231120:110604.440 SNMP monitoring: YES\n 1123:20231120:110604.440 IPMI monitoring: YES\n 1123:20231120:110604.440 Web monitoring: YES\n 1123:20231120:110604.440 VMware monitoring: YES\n 1123:20231120:110604.440 SMTP authentication: YES\n 1123:20231120:110604.440 ODBC: YES\n 1123:20231120:110604.440 SSH support: YES\n 1123:20231120:110604.440 IPv6 support: YES\n 1123:20231120:110604.440 TLS support: YES\n 1123:20231120:110604.440 ******************************\n 1123:20231120:110604.440 using configuration file: /etc/zabbix/zabbix_server.conf\n 1123:20231120:110604.470 current database version (mandatory/optional): 06050143/06050143\n 1123:20231120:110604.470 required mandatory version: 06050143\n 1124:20231120:110604.490 starting HA manager\n 1124:20231120:110604.507 HA manager started in active mode\n 1123:20231120:110604.508 server #0 started [main process]\n 1126:20231120:110604.509 server #2 started [configuration syncer #1]\n 1125:20231120:110604.510 server #1 started [service manager #1]\n 1133:20231120:110604.841 server #9 started [lld worker #1]\n 1132:20231120:110604.841 server #8 started [lld manager #1]\n 1134:20231120:110604.841 server #10 started [lld worker #2]\nIf there was an error and the server was not able to connect to the database you would see something like this in the server log file :
10773:20231118:213248.570 Starting Zabbix Server. Zabbix 7.0.0alpha7 (revision 60de6a81aca).\n 10773:20231118:213248.570 ****** Enabled features ******\n 10773:20231118:213248.570 SNMP monitoring: YES\n 10773:20231118:213248.570 IPMI monitoring: YES\n 10773:20231118:213248.570 Web monitoring: YES\n 10773:20231118:213248.570 VMware monitoring: YES\n 10773:20231118:213248.570 SMTP authentication: YES\n 10773:20231118:213248.570 ODBC: YES\n 10773:20231118:213248.570 SSH support: YES\n 10773:20231118:213248.570 IPv6 support: YES\n 10773:20231118:213248.570 TLS support: YES\n 10773:20231118:213248.570 ******************************\n 10773:20231118:213248.570 using configuration file: /etc/zabbix/zabbix_server.conf\n 10773:20231118:213248.574 [Z3001] connection to database 'zabbix' failed: [2002] Can't connect to server on 'xxx.xxx.xxx.xxx' (115)\n 10773:20231118:213248.574 database is down: reconnecting in 10 seconds\n 10773:20231118:213258.579 [Z3001] connection to database 'zabbix' failed: [2002] Can't connect to server on 'xxx.xxx.xxx.xxx' (115)\n 10773:20231118:213258.579 database is down: reconnecting in 10 seconds\nLet's check the Zabbix server service to see if it's enabled so that it survives a reboot
# systemctl status zabbix-server\n\n\u25cf zabbix-server.service - Zabbix Server\n Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; preset: disabled)\n Active: active (running) since Mon 2023-11-20 11:06:04 CET; 1h 2min ago\n Main PID: 1123 (zabbix_server)\n Tasks: 59 (limit: 12344)\n Memory: 52.6M\n CPU: 20.399s\n CGroup: /system.slice/zabbix-server.service\n \u251c\u25001123 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf\n \u251c\u25001124 \"/usr/sbin/zabbix_server: ha manager\"\n \u251c\u25001125 \"/usr/sbin/zabbix_server: service manager #1 [processed 0 events, updated 0 event tags, deleted 0 problems, synced 0 service updates, idle 5.008686 sec during 5.016382 sec]\"\n \u251c\u25001126 \"/usr/sbin/zabbix_server: configuration syncer [synced configuration in 0.092797 sec, idle 10 sec]\"\n \u251c\u25001127 \"/usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0 alerts, idle 5.027620 sec during 5.027828 sec]\"\n \u251c\u25001128 \"/usr/sbin/zabbix_server: alerter #1 started\"\n \u251c\u25001129 \"/usr/sbin/zabbix_server: alerter #2 started\"\n \u251c\u25001130 \"/usr/sbin/zabbix_server: alerter #3 started\"\n \u251c\u25001131 \"/usr/sbin/zabbix_server: preprocessing manager #1 [queued 1, processed 2 values, idle 5.490312 sec during 5.490555 sec]\"\n \u251c\u25001132 \"/usr/sbin/zabbix_server: lld manager #1 [processed 1 LLD rules, idle 5.028973sec during 5.029123 sec]\"\n \u251c\u25001133 \"/usr/sbin/zabbix_server: lld worker #1 [processed 1 LLD rules, idle 60.060180 sec during 60.085009 sec]\"\n \u251c\u25001134 \"/usr/sbin/zabbix_server: lld worker #2 [processed 1 LLD rules, idle 60.065526 sec during 60.095165 sec]\"\n \u251c\u25001135 \"/usr/sbin/zabbix_server: housekeeper [deleted 0 hist/trends, 0 items/triggers, 0 events, 0 sessions, 0 alarms, 0 audit items, 0 autoreg_host, 0 records in 0.019108 sec, idle for 1 hour(s)]\"\n \u251c\u25001136 \"/usr/sbin/zabbix_server: timer #1 [updated 0 hosts, suppressed 0 events in 0.002856 sec, idle 59 sec]\"\n \u251c\u25001137 \"/usr/sbin/zabbix_server: http poller #1 [got 0 values in 0.000059 sec, idle 5 sec]\"\n \u251c\u25001138 \"/usr/sbin/zabbix_server: discovery manager #1 [processing 0 rules, 0.000000% of queue used, 0 unsaved checks]\"\n \u251c\u25001139 \"/usr/sbin/zabbix_server: history syncer #1 [processed 0 values, 0 triggers in 0.000036 sec, idle 1 sec]\"\n \u251c\u25001140 \"/usr/sbin/zabbix_server: history syncer #2 [processed 1 values, 0 triggers in 0.005016 sec, idle 1 sec]\"\n \u251c\u25001141 \"/usr/sbin/zabbix_server: history syncer #3 [processed 0 values, 0 triggers in 0.000031 sec, idle 1 sec]\"\n \u251c\u25001142 \"/usr/sbin/zabbix_server: history syncer #4 [processed 0 values, 0 triggers in 0.000014 sec, idle 1 sec]\"\n \u251c\u25001143 \"/usr/sbin/zabbix_server: escalator #1 [processed 0 escalations in 0.005587 sec, idle 3 sec]\"\n \u251c\u25001144 \"/usr/sbin/zabbix_server: proxy poller #1 [exchanged data with 0 proxies in 0.000010 sec, idle 5 sec]\"\n \u251c\u25001145 \"/usr/sbin/zabbix_server: self-monitoring [processed data in 0.000016 sec, idle 1 sec]\"\n \u251c\u25001146 \"/usr/sbin/zabbix_server: task manager [processed 0 task(s) in 0.002511 sec, idle 5 sec]\"\n \u251c\u25001147 \"/usr/sbin/zabbix_server: poller #1 [got 0 values in 0.000009 sec, idle 1 sec]\"\n \u251c\u25001148 \"/usr/sbin/zabbix_server: poller #2 [got 1 values in 0.000232 sec, idle 1 sec]\"\n \u251c\u25001149 \"/usr/sbin/zabbix_server: poller #3 [got 0 values in 0.000015 sec, idle 1 sec]\"\n \u251c\u25001150 \"/usr/sbin/zabbix_server: poller #4 [got 0 values in 0.000010 sec, idle 1 sec]\"\nThis concludes our chapter on installing and configuring our Zabbix server. Next we have to configure our frontend. You can have a look at Installing Zabbix frontend with Nginx or Installing Zabbix frontend with Apache
"},{"location":"installation/installing-zabbix/#installing-the-zabbix-server-for-postgresql","title":"Installing the Zabbix server for PostgreSQL","text":"Now that we have our repository with software added to our system we are ready to install our Zabbix server and webserver. Remember the webserver could be installed on another system. There is no need to install both on the same server.
dnf install zabbix-server-pgsql zabbix-web-pgsql
Now that we have installed our packages for the Zabbix server and our frontend we still need to change the configuration of our Zabbix server so that we can connect to our database. Open the file /etc/zabbix/zabbix_server.conf and replace the following lines:
DBHost=<ip or dns of your PostgreSQL server>\nDBName=<the name of your database>\nDBSchema=<our PostgreSQL schema name>\nDBUser=<the user that will connect to the database>\nDBPassword=<your super secret password>\nMake sure you don't have a '#' in front of the config parameter else Zabbix will see this as text and not as a parameter. Also make sure that there are not extra duplicate lines Zabbix will always take the last config parameter if there is more then 1 line with the same parameter
In our case the config will look like this:
# vi /etc/zabbix/zabbix_server.conf\n\nDBHost=<ip or dns of your MariaDB server>\nDBName=zabbix\nDBSchema=zabbix_server\nDBUser=zabbix-srv\nDBPassword=<your super secret password>\nDBPort=5432\nThe Zabbix server configuration file has the option to include an extra config file with parameters you like to alter or add. In production it's probably better to not touch the configuration file but to add a new file and include the parameters you like to change. This way you never have to edit your original configuration file after an upgrade it will also make your life more easy when working with configuration tools like Ansible, Puppet, SaltStack, .... The only thing that needs to be done is remove the # in front of the line '# Include=/usr/local/etc/zabbix_server.conf.d/*.conf' and make sure the path exists with a customized config file of your won that is readable by the user zabbix.
Ok now that we have changed the configuration of you Zabbix server so that it is able to connect to our DB we are ready to start. Run the following command to enable the Zabbix server and make it active on boot next time.
systemctl enable zabbix-server --now
Our Zabbix server service will start and if everything goes well you should see in the Zabbix server log file the following output
tail /var/log/zabbix/zabbix_server.log
1123:20231120:110604.440 Starting Zabbix Server. Zabbix 7.0.0alpha7 (revision 60de6a81aca).\n 1123:20231120:110604.440 ****** Enabled features ******\n 1123:20231120:110604.440 SNMP monitoring: YES\n 1123:20231120:110604.440 IPMI monitoring: YES\n 1123:20231120:110604.440 Web monitoring: YES\n 1123:20231120:110604.440 VMware monitoring: YES\n 1123:20231120:110604.440 SMTP authentication: YES\n 1123:20231120:110604.440 ODBC: YES\n 1123:20231120:110604.440 SSH support: YES\n 1123:20231120:110604.440 IPv6 support: YES\n 1123:20231120:110604.440 TLS support: YES\n 1123:20231120:110604.440 ******************************\n 1123:20231120:110604.440 using configuration file: /etc/zabbix/zabbix_server.conf\n 1123:20231120:110604.470 current database version (mandatory/optional): 06050143/06050143\n 1123:20231120:110604.470 required mandatory version: 06050143\n 1124:20231120:110604.490 starting HA manager\n 1124:20231120:110604.507 HA manager started in active mode\n 1123:20231120:110604.508 server #0 started [main process]\n 1126:20231120:110604.509 server #2 started [configuration syncer #1]\n 1125:20231120:110604.510 server #1 started [service manager #1]\n 1133:20231120:110604.841 server #9 started [lld worker #1]\n 1132:20231120:110604.841 server #8 started [lld manager #1]\n 1134:20231120:110604.841 server #10 started [lld worker #2]\nIf there was an error and the server was not able to connect to the database you would see something like this in the server log file :
10773:20231118:213248.570 Starting Zabbix Server. Zabbix 7.0.0alpha7 (revision 60de6a81aca).\n 10773:20231118:213248.570 ****** Enabled features ******\n 10773:20231118:213248.570 SNMP monitoring: YES\n 10773:20231118:213248.570 IPMI monitoring: YES\n 10773:20231118:213248.570 Web monitoring: YES\n 10773:20231118:213248.570 VMware monitoring: YES\n 10773:20231118:213248.570 SMTP authentication: YES\n 10773:20231118:213248.570 ODBC: YES\n 10773:20231118:213248.570 SSH support: YES\n 10773:20231118:213248.570 IPv6 support: YES\n 10773:20231118:213248.570 TLS support: YES\n 10773:20231118:213248.570 ******************************\n 10773:20231118:213248.570 using configuration file: /etc/zabbix/zabbix_server.conf\n 10773:20231118:213248.574 [Z3001] connection to database 'zabbix' failed: [2002] Can't connect to server on 'xxx.xxx.xxx.xxx' (115)\n 10773:20231118:213248.574 database is down: reconnecting in 10 seconds\n 10773:20231118:213258.579 [Z3001] connection to database 'zabbix' failed: [2002] Can't connect to server on 'xxx.xxx.xxx.xxx' (115)\n 10773:20231118:213258.579 database is down: reconnecting in 10 seconds\nLet's check the Zabbix server service to see if it's enabled so that it survives a reboot
# systemctl status zabbix-server\n\u25cf zabbix-server.service - Zabbix Server\n Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; preset: disabled)\n Active: active (running) since Mon 2023-11-20 11:06:04 CET; 1h 2min ago\n Main PID: 1123 (zabbix_server)\n Tasks: 59 (limit: 12344)\n Memory: 52.6M\n CPU: 20.399s\n CGroup: /system.slice/zabbix-server.service\n \u251c\u25001123 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf\n \u251c\u25001124 \"/usr/sbin/zabbix_server: ha manager\"\n \u251c\u25001125 \"/usr/sbin/zabbix_server: service manager #1 [processed 0 events, updated 0 event tags, deleted 0 problems, synced 0 service updates, idle 5.008686 sec during 5.016382 sec]\"\n \u251c\u25001126 \"/usr/sbin/zabbix_server: configuration syncer [synced configuration in 0.092797 sec, idle 10 sec]\"\n \u251c\u25001127 \"/usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0 alerts, idle 5.027620 sec during 5.027828 sec]\"\n \u251c\u25001128 \"/usr/sbin/zabbix_server: alerter #1 started\"\n \u251c\u25001129 \"/usr/sbin/zabbix_server: alerter #2 started\"\n \u251c\u25001130 \"/usr/sbin/zabbix_server: alerter #3 started\"\n \u251c\u25001131 \"/usr/sbin/zabbix_server: preprocessing manager #1 [queued 1, processed 2 values, idle 5.490312 sec during 5.490555 sec]\"\n \u251c\u25001132 \"/usr/sbin/zabbix_server: lld manager #1 [processed 1 LLD rules, idle 5.028973sec during 5.029123 sec]\"\n \u251c\u25001133 \"/usr/sbin/zabbix_server: lld worker #1 [processed 1 LLD rules, idle 60.060180 sec during 60.085009 sec]\"\n \u251c\u25001134 \"/usr/sbin/zabbix_server: lld worker #2 [processed 1 LLD rules, idle 60.065526 sec during 60.095165 sec]\"\n \u251c\u25001135 \"/usr/sbin/zabbix_server: housekeeper [deleted 0 hist/trends, 0 items/triggers, 0 events, 0 sessions, 0 alarms, 0 audit items, 0 autoreg_host, 0 records in 0.019108 sec, idle for 1 hour(s)]\"\n \u251c\u25001136 \"/usr/sbin/zabbix_server: timer #1 [updated 0 hosts, suppressed 0 events in 0.002856 sec, idle 59 sec]\"\n \u251c\u25001137 \"/usr/sbin/zabbix_server: http poller #1 [got 0 values in 0.000059 sec, idle 5 sec]\"\n \u251c\u25001138 \"/usr/sbin/zabbix_server: discovery manager #1 [processing 0 rules, 0.000000% of queue used, 0 unsaved checks]\"\n \u251c\u25001139 \"/usr/sbin/zabbix_server: history syncer #1 [processed 0 values, 0 triggers in 0.000036 sec, idle 1 sec]\"\n \u251c\u25001140 \"/usr/sbin/zabbix_server: history syncer #2 [processed 1 values, 0 triggers in 0.005016 sec, idle 1 sec]\"\n \u251c\u25001141 \"/usr/sbin/zabbix_server: history syncer #3 [processed 0 values, 0 triggers in 0.000031 sec, idle 1 sec]\"\n \u251c\u25001142 \"/usr/sbin/zabbix_server: history syncer #4 [processed 0 values, 0 triggers in 0.000014 sec, idle 1 sec]\"\n \u251c\u25001143 \"/usr/sbin/zabbix_server: escalator #1 [processed 0 escalations in 0.005587 sec, idle 3 sec]\"\n \u251c\u25001144 \"/usr/sbin/zabbix_server: proxy poller #1 [exchanged data with 0 proxies in 0.000010 sec, idle 5 sec]\"\n \u251c\u25001145 \"/usr/sbin/zabbix_server: self-monitoring [processed data in 0.000016 sec, idle 1 sec]\"\n \u251c\u25001146 \"/usr/sbin/zabbix_server: task manager [processed 0 task(s) in 0.002511 sec, idle 5 sec]\"\n \u251c\u25001147 \"/usr/sbin/zabbix_server: poller #1 [got 0 values in 0.000009 sec, idle 1 sec]\"\n \u251c\u25001148 \"/usr/sbin/zabbix_server: poller #2 [got 1 values in 0.000232 sec, idle 1 sec]\"\n \u251c\u25001149 \"/usr/sbin/zabbix_server: poller #3 [got 0 values in 0.000015 sec, idle 1 sec]\"\n \u251c\u25001150 \"/usr/sbin/zabbix_server: poller #4 [got 0 values in 0.000010 sec, idle 1 sec]\"\nThis concludes our chapter on installing and configuring our Zabbix server. Next we have to configure our frontend. You can have a look at Installing Zabbix frontend with Nginx or Installing Zabbix frontend with Apache
"},{"location":"installation/installing-zabbix/#installing-zabbix-frontend-with-nginx","title":"Installing Zabbix frontend with Nginx","text":"Before we can configure our frontend we need to install our package first. If you run the frontend on the same server as the Zabbix server then there is nothing else you have to do you can just run the following command on your server to install the packages needed for our frontend to install:
dnf install zabbix-nginx-conf and zabbix-web-mysql or if you used Postgres dnf install zabbix-web-pgsql\nIn case the frontend is on another server installed you need to add the Zabbix repository first like we did on our Zabbix server. In case you forgot or just skipped to this topic and don't know how to do this have a look at Adding the Zabbix repository
First thing we have to do is alter the Nginx configuration file so that we don't use the standard config.
vi /etc/nginx/nginx.conf\nIn this config look for the followin block that starts with :
server {\n listen 80;\n listen [::]:80;\n server_name _;\n root /usr/share/nginx/html;\n\n # Load configuration files for the default server block.\n include /etc/nginx/default.d/*.conf;\nAnd place the following lines in comment:
server {\n# listen 80;\n# listen [::]:80;\n# server_name _;\n# root /usr/share/nginx/html;\nWe now have to alter the Zabbix configuration file so that it matches our setup. Edit the following file:
vi /etc/nginx/conf.d/zabbix.conf\nserver {\n listen 8080;\n server_name example.com;\n\n root /usr/share/zabbix;\n\n index index.php;\nReplace the first 2 lines with the correct port and domain for your frontend in case you don't have a domain you can replace server_name with _; like in the exaple below:
server {\n# listen 8080;\n# server_name example.com;\n listen 80;\n server_name _;\n\n root /usr/share/zabbix;\n\n index index.php;\nWe are now ready to start our websever and enable it so that it comes online after a reboot.
systemctl enable php-fpm --now\nsystemctl enable nginx --now\nLet's verify if the service is properly started and enabled so that it survives our reboot next time.
# systemctl status nginx\n\n\u25cf nginx.service - The nginx HTTP and reverse proxy server\n Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)\n Drop-In: /usr/lib/systemd/system/nginx.service.d\n \u2514\u2500php-fpm.conf\n Active: active (running) since Mon 2023-11-20 11:42:18 CET; 30min ago\n Main PID: 1206 (nginx)\n Tasks: 2 (limit: 12344)\n Memory: 4.8M\n CPU: 38ms\n CGroup: /system.slice/nginx.service\n \u251c\u25001206 \"nginx: master process /usr/sbin/nginx\"\n \u2514\u25001207 \"nginx: worker process\"\n\nNov 20 11:42:18 zabbix-srv systemd[1]: Starting The nginx HTTP and reverse proxy server...\nNov 20 11:42:18 zabbix-srv nginx[1204]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok\nNov 20 11:42:18 zabbix-srv nginx[1204]: nginx: configuration file /etc/nginx/nginx.conf test is successful\nNov 20 11:42:18 zabbix-srv systemd[1]: Started The nginx HTTP and reverse proxy server.\nThe service is running and enabled so there is only 1 thing left to do before we can start the configuration in the GUI and that is to configure our firewall to allow incoming communication to the webserver.
firewall-cmd --add-service=http --permanent\nfirewall-cmd --reload\nOpen your browser and go to the url or ip of your frontend :
http://<ip or dns of the zabbix frontend server>/\nIf all goes well you should be greeted with a Zabbix welcome page. In case you have an error check the configuration again or have a look at the nginx log file :
/var/log/nginx/error.log
or run
journalctl -xe
This should help you in locating the errors you made.
When you point your browser to the correct URL you should be greeted with a page like here :
As you see there is only a limited list of local translations available on our Zabbix frontend to choose from
What if we want to install Chinese as language or another language from the list ? Run the next command to get a list of all locales available for your OS.
dnf list glibc-langpack-*
This will give you a list like
Installed Packages\nglibc-langpack-en.x86_64\nAvailable Packages\nglibc-langpack-aa.x86_64\n...\n\nglibc-langpack-zu.x86_64\nLet's search for our Chinese locale to see if it is available. As you can see the code starts with zh
# dnf list glibc-langpack-* | grep zh\nglibc-langpack-zh.x86_64\nglibc-langpack-lzh.x86_64\nThe command returns us 2 lines but as we have seen that the code was zh_CN we only have to install the first package.
# dnf install glibc-langpack-zh.x86_64 -y\nWhen we return now to our frontend we are able to select the Chinese language.
NoteIf your language is not available in the frontend don't panic it just means that there is no translation or that the translation was not 100% complete. Zabbis is free and relies on the community for it's translations so you can help in creating the translation. Go to the page https://translate.zabbix.com/ and help us to make Zabbix get better. Once the translation is complete the next Zabbix minor patch version should have your language included.
Click next when you are satisfied with the transaltions available. You will arrive at a screen to verifiy if all pre-requisites are met. If not fix them first but normaly it should be fine and you should be just able to click Next
The next page will show you a page with the connection parameters for our database.
First you select your DB type 'MySQL' or 'PostgreSQL' and fill in the IP or DNS name of the location of your database server. Use port 3306 for MariaDB/MySQL or 5432 if you used PostgreSQL.
Fill in the correct database name, in our case it was zabbix. If you used PostgreSQL then you also need to fill in the correct schema name in our case it was zabbix_server
Next line will ask you for the DB users here we created a user zabbix-web. Enter it in the correct field and fill in the password that you used for this user.
Make sure the option Database TLS encryption is not selected and press Next step.
We are almost there. The only thing that rests us to do is give our instance a name, select our timezone and select a default time we like to use.
Press Next step again you will see a page that tells you that the configuration is successful. Press Finish to end the configuration.
We are now ready to login :
Login : Admin Password : zabbix
If you like to secure the frontend with SSL then checkout the following topic
Securing Zabbix
"},{"location":"installation/installing-zabbix/#installing-zabbix-frontend-with-apache","title":"Installing Zabbix frontend with Apache","text":"Before we can configure our frontend we need to install our package first. If you run the frontend on the same server as the Zabbix server then there is nothing else you have to do you can just run the following command on your server to install the packages needed for our frontend to install:
dnf install zabbix-apache-conf and zabbix-web-mysql or if you used Postgres dnf install zabbix-web-pgsql\nIn case the frontend is on another server installed you need to add the Zabbix repository first like we did on our Zabbix server. In case you forgot or just skipped to this topic and don't know how to do this have a look at Adding the Zabbix repository
We are now ready to start our websever and enable it so that it comes online after a reboot.
systemctl enable php-fpm --now\nsystemctl enable httpd --now\nLet's verify if the service is properly started and enabled so that it survives our reboot next time.
# systemctl status httpd\n\n\u25cf httpd.service - The Apache HTTP Server\n Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)\n Drop-In: /usr/lib/systemd/system/httpd.service.d\n \u2514\u2500php-fpm.conf\n Active: active (running) since Mon 2024-03-04 08:50:17 CET; 7min ago\n Docs: man:httpd.service(8)\n Main PID: 690 (httpd)\n Status: \"Total requests: 96; Idle/Busy workers 100/0;Requests/sec: 0.213; Bytes served/sec: 560 B/sec\"\n Tasks: 278 (limit: 22719)\n Memory: 39.6M\n CPU: 1.132s\n CGroup: /system.slice/httpd.service\n \u251c\u2500 690 /usr/sbin/httpd -DFOREGROUND\n \u251c\u2500 736 /usr/sbin/httpd -DFOREGROUND\n \u251c\u2500 737 /usr/sbin/httpd -DFOREGROUND\n \u251c\u2500 738 /usr/sbin/httpd -DFOREGROUND\n \u251c\u2500 739 /usr/sbin/httpd -DFOREGROUND\n \u2514\u25004534 /usr/sbin/httpd -DFOREGROUND\n\nMar 04 08:50:17 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...\nMar 04 08:50:17 localhost.localdomain httpd[690]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set th>\nMar 04 08:50:17 localhost.localdomain httpd[690]: Server configured, listening on: port 80\nMar 04 08:50:17 localhost.localdomain systemd[1]: Started The Apache HTTP Server.x\nThe service is running and enabled so there is only 1 thing left to do before we can start the configuration in the GUI and that is to configure our firewall to allow incoming communication to the webserver.
firewall-cmd --add-service=http --permanent\nfirewall-cmd --reload\nOpen your browser and go to the url or ip of your frontend :
http://<ip or dns of the zabbix frontend server>/zabbix/\nIf all goes well you should be greeted with a Zabbix welcome page. In case you have an error check the configuration again or have a look at the Apache log file :
/var/log/httpd/error_log
or run
journalctl -xe
This should help you in locating the errors you made.
When you point your browser to the correct URL you should be greeted with a page like here :
As you see there is only a limited list of local translations available on our Zabbix frontend to choose from
What if we want to install Chinese as language or another language from the list ? Run the next command to get a list of all locales available for your OS.
dnf list glibc-langpack-*
This will give you a list like
Installed Packages\nglibc-langpack-en.x86_64\nAvailable Packages\nglibc-langpack-aa.x86_64\n...\n\nglibc-langpack-zu.x86_64\nLet's search for our Chinese locale to see if it is available. As you can see the code starts with zh
# dnf list glibc-langpack-* | grep zh\nglibc-langpack-zh.x86_64\nglibc-langpack-lzh.x86_64\nThe command returns us 2 lines but as we have seen that the code was zh_CN we only have to install the first package.
# dnf install glibc-langpack-zh.x86_64 -y\nWhen we return now to our frontend we are able to select the Chinese language.
NoteIf your language is not available in the frontend don't panic it just means that there is no translation or that the translation was not 100% complete. Zabbis is free and relies on the community for it's translations so you can help in creating the translation. Go to the page https://translate.zabbix.com/ and help us to make Zabbix get better. Once the translation is complete the next Zabbix minor patch version should have your language included.
Click next when you are satisfied with the transaltions available. You will arrive at a screen to verifiy if all pre-requisites are met. If not fix them first but normaly it should be fine and you should be just able to click Next
The next page will show you a page with the connection parameters for our database.
First you select your DB type 'MySQL' or 'PostgreSQL' and fill in the IP or DNS name of the location of your database server. Use port 3306 for MariaDB/MySQL or 5432 if you used PostgreSQL.
Fill in the correct database name, in our case it was zabbix. If you used PostgreSQL then you also need to fill in the correct schema name in our case it was zabbix_server
Next line will ask you for the DB users here we created a user zabbix-web. Enter it in the correct field and fill in the password that you used for this user.
Make sure the option Database TLS encryption is not selected and press Next step.
We are almost there. The only thing that rests us to do is give our instance a name, select our timezone and select a default time we like to use.
Press Next step again you will see a page that tells you that the configuration is successful. Press Finish to end the configuration.
We are now ready to login :
Login : Admin Password : zabbix
In case you are like me and don't like the /zabbix path at the end of you url then there is an easy way to remove this. Edit you httpd config file and add the lines below and replace it with your own domain:
vi /etc/httpd/conf/httpd.conf\nNameVirtualHost 172.1.11.21:80\n\n<VirtualHost \"your ip or dns\":80>\n ServerName zabbixserver.mydomain.org\n ServerAlias zabbixserver\n DocumentRoot /usr/share/zabbix\n</VirtualHost>\nDon't forget to restart the httpd service
systemctl restart httpd\nLet us start with the installation of the MariaDB server, you need to create a MariaDB repository configuration file mariadb.repo manually in the following path /etc/yum.repos.d/. To create a MariaDB repository file, you can use the following command.
# vi /etc/yum.repos.d/mariadb.repo\nThe above command will create a new repository file, Once it is created, you need to add the following configuration into the file. Make sure your version, in this case 10.11, is supported by Zabbix by looking at the latest requirements for your version.
# MariaDB 10.11 RedHatEnterpriseLinux repository list - created 2023-11-01 14:20 UTC\n# https://mariadb.org/download/\n[mariadb]\nname = MariaDB\n# rpm.mariadb.org is a dynamic mirror if your preferred mirror goes offline. See https://mariadb.org/mirrorbits/ for details.\n# baseurl = https://rpm.mariadb.org/10.11/rhel/$releasever/$basearch\nbaseurl = https://mirror.23m.com/mariadb/yum/10.11/rhel/$releasever/$basearch\n# gpgkey = https://rpm.mariadb.org/RPM-GPG-KEY-MariaDB\ngpgkey = https://mirror.23m.com/mariadb/yum/RPM-GPG-KEY-MariaDB\ngpgcheck = 1\n\n\nLets update our OS first with the latest patches
# dnf update -y\nNow we are ready to install our MariaDB database.
# dnf install MariaDB-server MariaDB-client\nWe are now ready to enable and start or MariaDB database.
# systemctl enable mariadb --now\nOnce the installation is complete, you can verify the version of the MariaDB server by using the following command:
# mysql -V\nThe output should look like this:
mysql Ver 15.1 Distrib 10.11.6-MariaDB, for Linux (x86_64) using EditLine wrapper\nAnd when we ask the status of our MariaDB server we should get an output like this:
# systemctl status mariadb\n\n\u25cf mariadb.service - MariaDB 10.11.6 database server\n Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; preset: disabled)\n Drop-In: /etc/systemd/system/mariadb.service.d\n \u2514\u2500migrated-from-my.cnf-settings.conf\n Active: active (running) since Sat 2023-11-18 19:19:36 CET; 2min 13s ago\n Docs: man:mariadbd(8)\n https://mariadb.com/kb/en/library/systemd/\n Process: 41986 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)\n Process: 41987 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=`cd /usr/bin/..; /usr/bin/galera_recovery`; [ $? -eq 0 ] && systemctl set-environment _WSREP_START>\n Process: 42006 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)\n Main PID: 41995 (mariadbd)\n Status: \"Taking your SQL requests now...\"\n Tasks: 9 (limit: 12344)\n Memory: 206.8M\n CPU: 187ms\n\n\nIt's time to secure our database by removing the test database and user and set our own root password. Run the command mariadb-secure-installation, you should get the following output.
\n\n# mariadb-secure-installation\n\nNOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB\n SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!\n\nIn order to log into MariaDB to secure it, we'll need the current\npassword for the root user. If you've just installed MariaDB, and\nhaven't set the root password yet, you should just press enter here.\n\nEnter current password for root (enter for none):\nOK, successfully used password, moving on...\n\nSetting the root password or using the unix_socket ensures that nobody\ncan log into the MariaDB root user without the proper authorisation.\n\nYou already have your root account protected, so you can safely answer 'n'.\n\nSwitch to unix_socket authentication [Y/n] n\n ... skipping.\n\nYou already have your root account protected, so you can safely answer 'n'.\n\nChange the root password? [Y/n] y\nNew password:\nRe-enter new password:\nPassword updated successfully!\nReloading privilege tables..\n ... Success!\n\n\nBy default, a MariaDB installation has an anonymous user, allowing anyone\nto log into MariaDB without having to have a user account created for\nthem. This is intended only for testing, and to make the installation\ngo a bit smoother. You should remove them before moving into a\nproduction environment.\n\nRemove anonymous users? [Y/n] y\n ... Success!\n\nNormally, root should only be allowed to connect from 'localhost'. This\nensures that someone cannot guess at the root password from the network.\n\nDisallow root login remotely? [Y/n] y\n ... Success!\n\nBy default, MariaDB comes with a database named 'test' that anyone can\naccess. This is also intended only for testing, and should be removed\nbefore moving into a production environment.\n\nRemove test database and access to it? [Y/n] y\n - Dropping test database...\n ... Success!\n - Removing privileges on test database...\n ... Success!\n\nReloading the privilege tables will ensure that all changes made so far\nwill take effect immediately.\n\nReload privilege tables now? [Y/n] y\n ... Success!\n\nCleaning up...\n\nAll done! If you've completed all of the above steps, your MariaDB\ninstallation should now be secure.\n\nThanks for using MariaDB!\n# mysql -uroot -p\npassword\n\nMariaDB [(none)]> CREATE DATABASE zabbix CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;\nMariaDB [(none)]> CREATE USER 'zabbix-web'@'<zabbix server ip>' IDENTIFIED BY '<password>';\nMariaDB [(none)]> CREATE USER 'zabbix-srv'@'<zabbix server ip>' IDENTIFIED BY '<password>';\nMariaDB [(none)]> GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix-srv'@'<zabbix server ip>';\nMariaDB [(none)]> GRANT SELECT, UPDATE, DELETE, INSERT ON zabbix.* TO 'zabbix-web'@'<zabbix server ip>';\nMariaDB [(none)]> SET GLOBAL log_bin_trust_function_creators = 1;\nMariaDB [(none)]> QUIT\n\n\"The Zabbix documentation explicitly mentions that deterministic triggers need to be created during the import of schema. On MySQL and MariaDB, this requires GLOBAL log_bin_trust_function_creators = 1 to be set if binary logging is enabled and there is no superuser privileges and log_bin_trust_function_creators = 1 is not set in MySQL configuration file.\"
"},{"location":"installation/installing-zabbixdb/#add-the-zabbix-repository-and-populate-the-db","title":"Add the Zabbix repository and populate the DB","text":"# rpm -Uvh https://repo.zabbix.com/zabbix/6.5/rocky/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\n# dnf clean all\n# dnf install zabbix-sql-scripts\nUpload the data from zabbix (db structure, images, user, ... )
# zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-character-set=utf8mb4 -uroot -p zabbix\n\"Depending on the speed of your hardware or VM this can take a few seconds upto a few minutes so please don't cancel just sit and wait for the prompt.\"
Log back into your MariaDB Database as root
# mysql -uroot -p\nRemove the global parameter again as its not needed anymore and also for security reasons.
MariaDB [(none)]> SET GLOBAL log_bin_trust_function_creators = 0;\nQuery OK, 0 rows affected (0.001 sec)\nOne last thing we need to do is open the firewall and allow incoming connections for the MariaDB database from our Zabbix server because at the moment we dont accept any connections yet.
# firewall-cmd --list-all\npublic (active)\n target: default\n icmp-block-inversion: no\n interfaces: enp0s3 enp0s8\n sources:\n services: cockpit dhcpv6-client ssh\n ports:\n protocols:\n forward: yes\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nFirst we will create an appropriate zone for our MariaDB and open port 3306/tcp but only for the ip from our Zabbix server.
# firewall-cmd --new-zone=mariadb-access --permanent\nsuccess\n\n# firewall-cmd --reload\nsuccess\n\n# firewall-cmd --get-zones\nblock dmz drop external home internal mariadb-access nm-shared public trusted work\n\n# firewall-cmd --zone=mariadb-access --add-source=<zabbix-serverip> --permanent\n\nsuccess\n# firewall-cmd --zone=mariadb-access --add-port=3306/tcp --permanent\n\nsuccess\n# firewall-cmd --reload\nNow lets have a look to our firewall rules to see if they are what we expected:
# firewall-cmd --zone=mariadb-access --list-all\nmariadb-access (active)\n target: default\n icmp-block-inversion: no\n interfaces:\n sources: <ip from zabbix-server>\n services:\n ports: 3306/tcp\n protocols:\n forward: no\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nOur database server is ready now to accept connections from our Zabbix server :). You can continue with the next task Installing the Zabbix Server
"},{"location":"installation/installing-zabbixdb/#installing-zabbix-with-mysql","title":"Installing Zabbix with MySQL","text":"Let us start with the installation of the MySQL server, you need to create a MySQL repository first so that we can install the proper files for our MySQL server It's alwqys best to check the Zabbix documentation to see what version is supported so you don't install a version that is not supported or is not supported anymore.
"},{"location":"installation/installing-zabbixdb/#add-the-mysql-repo","title":"Add the MySQL repo","text":"Run the following command to install the MySQL repo for version 8.0
# dnf -y install https://dev.mysql.com/get/mysql80-community-release-el9-1.noarch.rpm
\"If you install this on RedHat 8 and higher or alternatives like CentOS, Rocky or Alma 8 then you need to disable the mysql module by running 'module disable mysql'.\"
Let's update our OS first with the latest patches
# dnf update -y
# dnf -y install mysql-community-server
We are now ready to enable and start or MySQL database.
# systemctl enable mysqld --now
Once the installation is complete, you can verify the version of the MySQL server by using the following command:
# mysql -V
The output should look like this:
mysql Ver 8.0.35 for Linux on x86_64 (MySQL Community Server - GPL)
And when we ask the status of our MariaDB server we should get an output like this:
# systemctl status mysqld\n\n\u25cf mysqld.service - MySQL Server\n Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; preset: disabled)\n Active: active (running) since Mon 2023-11-20 22:15:51 CET; 1min 15s ago\n Docs: man:mysqld(8)\n http://dev.mysql.com/doc/refman/en/using-systemd.html\n Process: 44947 ExecStartPre=/usr/bin/mysqld_pre_systemd (code=exited, status=0/SUCCESS)\n Main PID: 45012 (mysqld)\n Status: \"Server is operational\"\n Tasks: 37 (limit: 12344)\n Memory: 448.3M\n CPU: 4.073s\n CGroup: /system.slice/mysqld.service\n \u2514\u250045012 /usr/sbin/mysqld\n\nNov 20 22:15:43 mysql-db systemd[1]: Starting MySQL Server...\nNov 20 22:15:51 mysql-db systemd[1]: Started MySQL Server.\nMySQL will secure our database with a random root password that is generated when we install the database. First thing we need to do is replace it with our own password. To find what the password is we need to read the log file with the followin command:
# grep 'temporary password' /var/log/mysqld.log
Change the root password as soon as possible by logging in with the generated, temporary password and set a custom password for the superuser account:
# mysql -uroot -p\nmysql> ALTER USER 'root'@'localhost' IDENTIFIED BY '<my mysql password>';\nmysql> quit\nNext we can run the command mysql_secure_installation, you should get the following output:
Note\"There is no need to reset the root password for MySQL again as we have reset it already. The next step is optional but recommended.\"
# mysql_secure_installation\n\nSecuring the MySQL server deployment.\n\nEnter password for user root:\nThe 'validate_password' component is installed on the server.\nThe subsequent steps will run with the existing configuration\nof the component.\nUsing existing password for root.\n\nEstimated strength of the password: 100\nChange the password for root ? ((Press y|Y for Yes, any other key for No) : n\n\n ... skipping.\nBy default, a MySQL installation has an anonymous user,\nallowing anyone to log into MySQL without having to have\na user account created for them. This is intended only for\ntesting, and to make the installation go a bit smoother.\nYou should remove them before moving into a production\nenvironment.\n\nRemove anonymous users? (Press y|Y for Yes, any other key for No) : y\nSuccess.\n\n\nNormally, root should only be allowed to connect from\n'localhost'. This ensures that someone cannot guess at\nthe root password from the network.\n\nDisallow root login remotely? (Press y|Y for Yes, any other key for No) : y\nSuccess.\n\nBy default, MySQL comes with a database named 'test' that\nanyone can access. This is also intended only for testing,\nand should be removed before moving into a production\nenvironment.\n\n\nRemove test database and access to it? (Press y|Y for Yes, any other key for No) : y\n - Dropping test database...\nSuccess.\n\n - Removing privileges on test database...\nSuccess.\n\nReloading the privilege tables will ensure that all changes\nmade so far will take effect immediately.\n\nReload privilege tables now? (Press y|Y for Yes, any other key for No) : y\nSuccess.\n\nAll done!\nLet's create our DB users and the correct permissions in the database:
mysql -uroot -p
mysql> CREATE DATABASE zabbix CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;\nmysql> CREATE USER 'zabbix-web'@'<zabbix server ip>' IDENTIFIED BY '<password>';\nmysql> CREATE USER 'zabbix-srv'@'<zabbix server ip>' IDENTIFIED BY '<password>';\nmysql> GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix-srv'@'<zabbix server ip>';\nmysql> GRANT SELECT, UPDATE, DELETE, INSERT ON zabbix.* TO 'zabbix-web'@'<zabbix server ip>';\nmysql> SET GLOBAL log_bin_trust_function_creators = 1;\nmysql> QUIT\n\"The Zabbix documentation explicitly mentions that deterministic triggers need to be created during the import of schema. On MySQL and MariaDB, this requires GLOBAL log_bin_trust_function_creators = 1 to be set if binary logging is enabled and there is no superuser privileges and log_bin_trust_function_creators = 1 is not set in MySQL configuration file.\"
"},{"location":"installation/installing-zabbixdb/#add-the-zabbix-repository-and-populate-the-db_1","title":"Add the Zabbix repository and populate the DB","text":"# rpm -Uvh https://repo.zabbix.com/zabbix/6.5/rocky/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\n# dnf clean all\n# dnf install zabbix-sql-scripts\n\nNow let;s upload the data from zabbix (db structure, images, user, ... )
# zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-character-set=utf8mb4 -uroot -p zabbix\nEnter password:\n\"Depending on the speed of your hardware or VM this can take a few seconds upto a few minutes so please don't cancel just sit and wait for the prompt.\"
Log back into your MySQL Database as root\n\n# mysql -uroot -p\nRemove the global parameter again as its not needed anymore and also for security reasons.
mysql> SET GLOBAL log_bin_trust_function_creators = 0;\nQuery OK, 0 rows affected, 1 warning (0.00 sec)\nOne last thing we need to do is open the firewall and allow incoming connections from our Zabbix server to our MySQL database because at the moment we dont accept any connections yet.
# firewall-cmd --list-all\npublic (active)\n target: default\n icmp-block-inversion: no\n interfaces: enp0s3 enp0s8\n sources:\n services: cockpit dhcpv6-client ssh\n ports:\n protocols:\n forward: yes\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nFirst we will create an appropriate zone for our MySQL Database and open port 3306/tcp but only for the IP from our Zabbix server. This way no one unallowed is able to connect.
# firewall-cmd --new-zone=mysql-access --permanent\nsuccess\n\n# firewall-cmd --reload\nsuccess\n\n# firewall-cmd --get-zones\nblock dmz drop external home internal mysql-access nm-shared public trusted work\n\n# firewall-cmd --zone=mysql-access --add-source=<zabbix-serverip> --permanent\n\nsuccess\n# firewall-cmd --zone=mysql-access --add-port=3306/tcp --permanent\n\nsuccess\n# firewall-cmd --reload\nNow lets have a look to our firewall rules to see if they are what we expected:
# firewall-cmd --list-all --zone=mysql-access\nmysql-access (active)\n target: default\n icmp-block-inversion: no\n interfaces:\n sources: <ip from the zabbix-server>\n services:\n ports: 3306/tcp\n protocols:\n forward: no\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nOur database server is ready now to accept connections from our Zabbix server :). You can continue with the next task Installing the Zabbix Server
"},{"location":"installation/installing-zabbixdb/#installing-zabbix-with-postgresql","title":"Installing Zabbix with PostgreSQL","text":"For our DB setup with PostgreSQL we need to add our PostgreSQL repository first to the system. As of writing PostgreSQL 13-16 are supported but best is to have a look before you install it as new versions may be supported and older maybe unsupported both by Zabbix and PostgreSQL. Usually it's a good idea to go with the latest version that is supported by Zabbix. Zabbix also supports the extension TimescaleDB this is someting we will talk later about. As you will see the setup from PostgreSQL is very different from MySQL not only the installation but also securing the DB.
The table of compatibility can be found here.
"},{"location":"installation/installing-zabbixdb/#add-the-postgresql-repo","title":"Add the PostgreSQL repo","text":"So let us start first setting up our PostgreSQL repository with the folowing commands.
# Install the repository RPM:\nsudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm\n\n# Disable the built-in PostgreSQL module:\nsudo dnf -qy module disable postgresql\n\n# Install PostgreSQL:\nsudo dnf install -y postgresql16-server\n\n# Initialize the database and enable automatic start:\nsudo /usr/pgsql-16/bin/postgresql-16-setup initdb\nsudo systemctl enable postgresql-16 --now\nAs i told you PostgreSQL works a bit different then MySQL or MariaDB and this applies aswell to how we manage access permissions. Postgres works with a file with the name pg_hba.conf where we have to tell who can access our database from where and what encryption is used for the password. So let's edit this file to allow our frontend and zabbix server to access the database.
Note\"Client authentication is configured by a configuration file with the name pg_hba.conf. HBA here stands for host based authentication. For more information feel free to check the PostgreSQL documentation.\"
Add the following lines, the order here is important.
# vi /var/lib/pgsql/16/data/pg_hba.conf\n# \"local\" is for Unix domain socket connections only\nlocal zabbix zabbix-srv scram-sha-256\nlocal all all peer\n# IPv4 local connections:\nhost zabbix zabbix-srv <ip from zabbix server/24> scram-sha-256\nhost zabbix zabbix-web <ip from zabbix server/24> scram-sha-256\nhost all all 127.0.0.1/32 scram-sha-256\nAfter we changed the pg_hba file don't forget to restart postgres else the settings will not be applied. But before we restart let us also edit the file postgresql.conf and allow our database to listen on our network interface for incomming connections from the zabbix server. Postgresql will standard only allow connections from the socket.
# vi /var/lib/pgsql/16/data/postgresql.conf\nand replace the line with listen_addresses so that PostgreSQL will listen on all interfaces and not only on our localhost.
#listen_addresses = 'localhost' with listen_addresses = '*'\nWhen done restart the PostgreSQL cluster and see if it comes back online in case of an error check the pg_hba.conf file you just edited for typos.
# systemctl restart postgresql-16\nFor our Zabbix server we need to create tables in the database for this we need ot install the Zabbix repository like we did for our Zabbix server and install the Zabbix package containing all the database tables images icons, ....
"},{"location":"installation/installing-zabbixdb/#add-the-zabbix-repository-and-populate-the-db_2","title":"Add the Zabbix repository and populate the DB","text":"# dnf install https://repo.zabbix.com/zabbix/6.0/rhel/9/x86_64/zabbix-release-6.0-4.el9.noarch.rpm -y\n# dnf install zabbix-sql-scripts -y\nNow we are ready to create our Zabbix users for the server and the frontend:
# su - postgres \n# createuser --pwprompt zabbix-srv\nEnter password for new role: <server-password>\nEnter it again: <server-password>\nLet's do the same for our frontend let's create a user to connect to the database:
# createuser --pwprompt zabbix-web\nEnter password for new role: <frontend-password>\nEnter it again: <frontend-password>\nNext we have to unzip the database schema files. Run as user root followin command::
# gzip -d /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz\nWe are now ready to create our database zabbix. Become user postgres again and run next command to create the database as our user zabbix-srv:
# su - postgres\n# createdb -E Unicode -O zabbix-srv zabbix\nLet's verify that we are really connected to the database with the correct session. Login from the Postgres shell on the zabbix database
# psql -d zabbix -U zabbix-srv\nMake sure we are logged in with our correct user zabbix-srv.
zabbix=> SELECT session_user, current_user;\n session_user | current_user\n--------------+--------------\n zabbix-srv | zabbix-srv\n(1 row)\nPostgreSQL works a bit different then MySQL or MariaDB when it comes to almost everything :) One of the things that it has that MySQL not has are for example shemas. If you like to know more about it i can recommend this URI. It explains in detail what it is and why we need it. But in short ... In PostgreSQL schema enables a multi-user environment that allows multiple users to access the same database without interference. Schemas are important when several users use the application and access the database in their way or when various applications utilize the same database. There is a standard schema that you can use but the better way is to create our own schema.
Note\"There is a standard schema public that you can use but the better way is to create our own schema this was if later something else is installed next to the Zabbix database it will be easier to create users with only access to the newly created database tables.\"
zabbix=> CREATE SCHEMA zabbix_server AUTHORIZATION \"zabbix-srv\";\nCREATE SCHEMA\nzabbix=> set search_path to \"zabbix_server\";\nzabbix=> \\dn\n List of schemas\n Name | Owner\n---------------+-------------------\n public | pg_database_owner\n zabbix_server | zabbix-srv\n(2 rows)\n\n\nNow we have our DB ready with correct permissions for user zabbix-srv but not yet for our user zabbix-web. Let's fix this first and give the rights to connect to our schema.
zabbix=# GRANT USAGE ON SCHEMA zabbix_server TO \"zabbix-web\";\nGRANT\nThe user zabbix-web has now the rights to connect to our schema but cannot to anything yet lets fix this but also don't give too many rights.
zabbix=# GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA zabbix_server TO \"zabbix-web\";\nGRANT\nzabbix=# GRANT SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA zabbix_server TO \"zabbix-web\";\nGRANT\nThere we go both users are created with the correct permissons. We are now ready to populate the database with the Zabbix table structures etc ... log back in as user postgres and run the following commands
Let's upload the Zabbix SQL file we extracted earlier to populate our database with the needed schemas images users etc ...
Warning\"Depending on the speed of your hardware or VM this can take a few seconds upto a few minutes so please don't cancel just sit and wait for the prompt.\"
zabbix=# \\i /usr/share/zabbix-sql-scripts/postgresql/server.sql\nCREATE TABLE\nCREATE INDEX\n...\n...\nINSERT 0 1\nINSERT 0 1\nINSERT 0 1\nINSERT 0 1\nCOMMIT\nzabbix=#\n\"If the import fails with psql:/usr/share/zabbix-sql-scripts/postgresql/server.sql:7: ERROR: no schema has been selected to create in then you probably made an error in the line where you set the search path.\"
Lets verify that our tables are properly created with the correct permissions
zabbix=# \\dt\n List of relations\n Schema | Name | Type | Owner\n---------------+----------------------------+-------+------------\n zabbix_server | acknowledges | table | zabbix-srv\n zabbix_server | actions | table | zabbix-srv\n zabbix_server | alerts | table | zabbix-srv\n zabbix_server | auditlog | table | zabbix-srv\n zabbix_server | autoreg_host | table | zabbix-srv\n...\n...\n zabbix_server | usrgrp | table | zabbix-srv\n zabbix_server | valuemap | table | zabbix-srv\n zabbix_server | valuemap_mapping | table | zabbix-srv\n zabbix_server | widget | table | zabbix-srv\n zabbix_server | widget_field | table | zabbix-srv\n(173 rows)\n\"If you are like me and don't like to set the search path every time you logon with the user zabbix-srv to the correct search path you can run the following SQL. zabbix=> alter role \"zabbix-srv\" set search_path = \"$user\", public, zabbix_server ;\"
If you are ready you can exit the database and return as user root.
zabbix=> \\q\n# exit\nOne last thing we need to do is open the firewall and allow incoming connections for the PostgreSQL database from our Zabbix server because at the moment we dont accept any connections yet.
# firewall-cmd --list-all\npublic (active)\n target: default\n icmp-block-inversion: no\n interfaces: enp0s3 enp0s8\n sources:\n services: cockpit dhcpv6-client ssh\n ports:\n protocols:\n forward: yes\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nFirst we will create an appropriate zone for our PostgreSQL DB and open port 5432/tcp but only for the ip from our Zabbix server.
# firewall-cmd --new-zone=postgresql-access --permanent\nsuccess\n\n# firewall-cmd --reload\nsuccess\n\n# firewall-cmd --get-zones\nblock dmz drop external home internal nm-shared postgresql-access public trusted work\n\n# firewall-cmd --zone=postgresql-access--add-source=<zabbix-serverip> --permanent\n\nsuccess\n# firewall-cmd --zone=postgresql-access --add-port=5432/tcp --permanent\n\nsuccess\n# firewall-cmd --reload\nNow lets have a look to our firewall rules to see if they are what we expected:
# firewall-cmd --zone=postgresql-access --list-all\npostgresql-access (active)\n target: default\n icmp-block-inversion: no\n interfaces:\n sources: 192.168.56.18\n services:\n ports: 5432/tcp\n protocols:\n forward: no\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nOur database server is ready now to accept connections from our Zabbix server :). You can continue with the next task Installing the Zabbix Server
"},{"location":"maintenance/maintaining-zabbix/","title":"Maintaining Zabbix","text":""},{"location":"permissions/managing-permissions/","title":"Managing Permissions","text":""},{"location":"problems/zabbix-triggers/","title":"Triggers","text":""},{"location":"proxies/installing-proxies/","title":"Monitoring with Proxies","text":""},{"location":"security/securing-zabbix/","title":"Securing Zabbix Frontend","text":"The frontend is what we use to login into our system. The Zabbix frontend will connect to our Zabbix server and our database. But we also send information from our laptop to the frontend. It's important that when we enter our credentials that we can do this in a safe way. So it makes sense to make use of certificates and one way to do this is by making use of Self-Signed certificates.
To give you a better understanding of why your browser will warn you when using self signed certificates, we have to know that when we request an SSL certificate from an official Certificate Authority (CA) that you submit a Certificate Signing Reauest (CSR) to them. They in return provide you with a Signed SSL certificate. For this they make use of their root certificate and private key. Our browser comes with a copy of the root certificate (CA) from various authorities or it can access it from the OS. This is why our self signed certificates are not trusted by our browser, we don't have any CA validation. Our only workaround is to create our own root certificate and private key.
"},{"location":"security/securing-zabbix/#understanding-the-concepts","title":"Understanding the concepts","text":""},{"location":"security/securing-zabbix/#how-to-create-an-ssl-certificate","title":"How to create an SSL certificate","text":""},{"location":"security/securing-zabbix/#how-ssl-works-client-server-flow","title":"How SSL works - Client - Server flow","text":"NoteBorrowed the designs from https://www.youtube.com/watch?v=WqgzYuHtnIM this video explains well how SSL works.
"},{"location":"security/securing-zabbix/#securing-the-frontend-with-self-signed-ssl-on-nginx","title":"Securing the Frontend with Self signed SSL on Nginx","text":"To configure this there are a few steps that we need to follow:
- Generate a private key for the CA ( Certificate Authority )\n- Generate a root certficate\n- Generating CA-Authenticated Certificates\n- Generate a Certificate Signing Request (CSR)\n- Generate an X509 V3 certificate extension configuration file\n- Generate the certificate using our CSR, the CA private key, the CA certificate, and the config file\n- Copy the SSL certificates to our Virtual Host\n- Adapt your Nginx Zabbix config\nFirst step is to make a folder named SSL so we can create our certificates and safe them:
>- mkdir ~/ssl\n>- cd ~/ssl\n>- openssl ecparam -out myCA.key -name prime256v1 -genkey\nLet's explain all the options;
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem\nLet's explain all the options;
The information you enter is not so important but it's best to fill it in as good as possible. Just make sure you enter for CN you IP or DNS.
You are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [XX]:BE\nState or Province Name (full name) []:vlaams-brabant\nLocality Name (eg, city) [Default City]:leuven\nOrganization Name (eg, company) [Default Company Ltd]:\nOrganizational Unit Name (eg, section) []:\nCommon Name (eg, your name or your server's hostname) []:192.168.0.134\nEmail Address []:\nIt's probably good practice to use de dns name of your webiste in the name fo the private key. As we use in this case no DNS but an IP address I will use the fictive dns zabbix.mycompany.internal.
openssl genrsa -out zabbix.mycompany.internal.key 2048\nopenssl req -new -key zabbix.mycompany.internal.key -out zabbix.mycompany.internal.csr\nYou will be asked the same set of questions as above. Once again your answers hold minimal significance and in our case no one will inspect the certificate so they matter even less.
You are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [XX]:BE\nState or Province Name (full name) []:vlaams-brabant\nLocality Name (eg, city) [Default City]:leuven\nOrganization Name (eg, company) [Default Company Ltd]:\nOrganizational Unit Name (eg, section) []:\nCommon Name (eg, your name or your server's hostname) []:192.168.0.134\nEmail Address []:\n\nPlease enter the following 'extra' attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:\n# vi zabbix.mycompany.internal.ext\nAdd the following lines in your certificate extension file. Replace IP or DNS with your own values.
authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\n\n[alt_names]\nIP.1 = 192.168.0.133\n#DNS.1 = MYDNS (You can use DNS if you have a dns name if you use IP then use the above line)\nopenssl x509 -req -in zabbix.mycompany.internal.csr -CA myCA.pem -CAkey myCA.key \\\n-CAcreateserial -out zabbix.mycompany.internal.crt -days 825 -sha256 -extfile zabbix.mycompany.internal.ext\ncp zabbix.mycompany.internal.crt /etc/pki/tls/certs/. \ncp zabbix.mycompany.internal.key /etc/pki/tls/private/.\nWe need to update the CA certificate\u2019s, run the below command to update the CA certs.
cp myCA.pem /etc/pki/ca-trust/source/anchors/myCA.crt\nupdate-ca-trust extract\nYou also need to import the myCA.crt file in your OS we are not an official CA so we have to import it in our OS and tell it to trust this Certificate. This action depends on the OS you use.
As you are using OpenSSL, you should also create a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients. You can do this by typing:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048\nAdd the following lines to your Nginx configuration, modifying the file paths as needed. Replace the the already existing lines with port 80 with this configuration. This will enable SSL and HTTP2.
# vi /etc/nginx/conf.d/zabbix.conf\nserver {\n listen 443 http2 ssl;\n listen [::]:443 http2 ssl;\n server_name <ip qddress>;\n ssl_certificate /etc/ssl/certs/zabbix.mycompany.internal.crt;\n ssl_certificate_key /etc/pki/tls/private/zabbix.mycompany.internal.key;\n ssl_dhparam /etc/ssl/certs/dhparam.pem;\nTo redirect traffic from port 80 to 443 we can add the following lines above our https block:
server {\n listen 80;\n server_name _; #dns or ip is also possible\n return 301 https://$host$request_uri;\n}\nsystemctl restart php-fpm.service\nsystemctl restart nginx\n\nfirewall-cmd --add-service=https --permanent\nfirewall-cmd --reload\nWhen we go to our url http://<IP or DNS>/ we get redirected to our https:// page and when we check we can see that our site is secure:
Hi, welcome and thank you for your interest in my Zabbix book. I wrote the Zabbix cookbook and co wrote with Richards Zabbix 4 Network Monitoring a few years ago for PackPub.
The cookbook the first of it's kind probably outdated and will be replaced by the Zabbix 7 IT Infrastructure Monitoring Cookbook, written by Brian and Nathan, 2 people I like a lot to work with and can higly recommend. There are many more books available from Packt about Zabbix a complete overview can be found here Zabbix books at pack. Or if you like to find some non English books Amazon has some books form Packt and other Publishers in Chinese, Spanish and maybe some other languages as well. Other books
As Zabbix is an opensource product and making money out of the books was never my intention, it got me thinking how to do things different. How to make a new book without using a publisher like I had done before. After a while, I came up with the idea to make a book that would be free and that would be updated when new versions came out. Since I am a huge fan of documentation in markdown or asciidoc I came up with the idea to share the book in git and use markdown. The only problem left was how to make those markdown files readable in an easy way like a book ? After some searching trying to look for a good solution I found MkDocs. MkDocs is a Python-Markdown library that can convert everything to HTML and can be templated. So the problem was solved and a new book was born.
"},{"location":"#who-am-i","title":"Who am I ?","text":"My name is Patrik Uytterhoeven and I work for a Belgium company named Open-Future. I started at this company at Januari 2013 and that's when my journey started with Zabbix as well. They gave me the opportunity to build my experience and to get certified as Zabbix trainer. Since this year I am officially 10y Zabbix trainer. If you would like to follow one of my trainings feel free to register for a training at our website www.open-future.be. Why would you follow a training if you can read this book for free are you now thinking? Because trainings just like the book explain you all the details on how to set up and do things but also give you valueable tips and feedback that you never get from a book. Books just can't cover everything.
"},{"location":"#what-os-do-i-need","title":"What OS do I need ?","text":"Since I work mostly with RHEL based systems and since I am convinced that RHEL is the better choice in Production environments I have chosen to focus on using one of the forks that is available for free. Zabbix is supported on Ubuntu, Debian, Suse, Raspberry .... and it can be compiled on any OS that is Unix based so it's almost impossible to cover them all. However the book is Opensource and in GIT so feel free to contribute the code for your favorite flavour :). I will use Rocky Linux 9 in this book, but it should work for most of the other installations as well.
"},{"location":"#what-version-of-zabbix-is-used-in-this-book","title":"What version of Zabbix is used in this book ?","text":"Since we are almost at the release of Zabbix 7, I will focus on version 7 since it will be the new LTS. It should also apply to most other versions but of course there will be minor changes. In the future, if there is enough support from the community to update this book together, it would be great if we could build a book for every LTS version available.
"},{"location":"#how-to-use-this-book","title":"How to use this book ?","text":"The book will try to cover all the topics, feel free to let me know if something is missing or feel free to make a pull request. There is no need to start from page 1 and read the book till the end. Some people will be looking for basic knowledge others might want to skip to the fun part, so I want the book to be useful for everyone. Therefor I will try to explain as best as possible in every topic the exact steps needed to reproduce.
There will be moments in the book where you need to type some code, I will show the commands you need to type in a box just like here.
# some command \nNotes to some useful documentation will be added at the bottom of the page.
Here is a simple footnote1. With some additional text after it.
In case there is some important information to share I will add notes in the documentation like can be seen here :
NoteLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
InfoLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
TipLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
QuestionLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
WarningLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
BugLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
ExampleLorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
My reference.\u00a0\u21a9
https://support.zabbix.com/browse/ZBXNEXT-6876
"},{"location":"authentication/zabbix-saml/","title":"Authentication with SAML","text":""},{"location":"automation/automating-configuration/","title":"Automating configuration","text":""},{"location":"configuration/Dashboard/","title":"Zabbix Interface","text":"This chapter is going to cover the basics we need to know when it comes to the Zabbix userinterface and the thing we need to know before we can start to fully dive into our monitoring tool. We will see how the userinteface works how to add a host, groups users, items ... so that we have a good understanding of the basics. This is something that is sometimes missed and can lead to frustrations not knowing why things don't work like we had expected them to work. So even if you are an advanced user it may be usefull to have a look into this chapter.
"},{"location":"configuration/Dashboard/#overview-of-the-interface","title":"Overview of the interface","text":"With Zabbix 7 the user interface after logging in is a bit changed. Our menu on the left side of the screen has has a small overhaul. Let's dive into it. When we login into our Zabbix setup the first time with our Admin user we see a page like this where we have our main window in green our main menu marked in red and our links marked in yellow.
The main menu can be hidden by collapsing it completely or to reduce it to a set of small icons.
When we click on the button with the 2 arrows to the left:
You will see that the menu collapses to a set of small icons. Pressing \">>\" will bring the main menu back to it's original state. Pressing the box with the arrow sticking out next to the \"<<\" button will hide the main menu completely.
To get the main menu back it's not too difficult we just look for the button on the left with three horizontal lines and click it. This will bring the menu back and clicking on the box with the arrow agian will bring the main menu back.
Yet another way to make the screen bigger that is quit useful for monitors in NOK teams for example is the kiosk mode button. This one is however located on the left side of your screen and looks like 4 arrows pointing to every corner of the screen. Pressing this button will remove all the menus and leave only main window to focus on.
When wanting to leave the kios mode the button will be changed to 2 arrows poiting to the inside of the screen. Pressing this button will revert us back to the original state.
TipWe can also enter and exit kiosk mode by making use of parameters in our Zabbix url: /zabbix.php?action=dashboard.view&kiosk=1 - activate kiosk mode or /zabbix.php?action=dashboard.view&kiosk=0 - activate normal mode
There are many other page parameters we can use. A full list can be found here
Zabbix also has a global search menu that we can use to find hosts, host groups and templates.
If we look in the search box for server you will see that we get an overview of all templates, host groups and hosts with the name server in it.
Our main menu on the left consists of a few sections, 9 to be exact:
Menu Name Details Dashboards Contains an overview of all the dashboards we have access to. Monitoring Shows us the hosts, problems, latest data, maps, ... Services An overview of all the Services and SLA settings. Inventory An overview of our collected inventory data. Reports Shows us the system information, scheduled reports, audit logs, action logs, etc . Data collection Contains all things related to collecting data like hosts, templates, maintenance, discovery, ... Alert The configuration of our media types, scripts and actions Users User configuration like user roles, user groups, authentication, API tokes, ... Administration The administration part containing all global settings, housekeeper, proxies, queue, ..."},{"location":"configuration/Dashboard/#links-menu","title":"Links menu","text":"Our last part the links part contain a set of useful links that we can use:
There are still a few buttons that we need to cover on the right side of our screen
The edit button allows us to change our dashboard. This is something we will cover later. On the far left side there is a \"?\" this will bring you to the Zabbix documentation page that explains everything about the dashboard. The button on the right side with the 3 horizontal lines is the one to share, rename, delete, ... our dashboards.
"},{"location":"configuration/Dashboard/#system-information","title":"System Information","text":"There is also a box on the dashboard called System Information. This widget will show you the current System status of your Zabbix setup. Let's go over the different lines of information as they are important to understand.
Zabbix server so the version you see at the bottom of your screen is the one from the Zabbix frontend and can be different but should be in the same major version. Version Number Zabbix frontend version This is the version of the frontend and should match with what you see at the bottom of your screen. Version Number Number of hosts (enabled/disabled) The total number of hosts configured on our system How many of those are enabled and disabled Number of templates The number of templates installed on our Zabbix server. Number of items (enabled/disabled/not supported) This line shows us the number of items we have configured in total in this case 99 90 are enabled and 0 are disabled but 9 of them are unsupported. This last number is important as those are items not working. We will look into this later why it happens and how to fix it. For now remember that a high number of unsupported items is not a good idea. Number of triggers (Enabled/disabled[problem/ok]) The number of triggers configured Number of enabled and disabled triggers. Just as with items we also see if there are triggers that are in a problem state or ok state. A trigger in a problem state is a non working trigger something we need to monitor and fix. We will cover this also later. Number of users (online) Here we see the number of users that are configured on our system The nunber of users currently online. Required server performance, nvps The number of new values per second that Zabbix will process per second. This is just an estimated number as some values we get are unknown so the real value is probably higher. So we can have some indication about how many IOPS we need and how busy our database is. A better indication is probably the internal item zabbix[wcache,values,all] High availability cluser It will show us if we are running on a Zabbix HA cluster or not Failover delay once HA is activated Tip System information may display some additonal warnings like when your database doesnt have the correct character set or collation UTF-8. Also when the database you used is lower or higher then the recommended version or when there are misconfigurations on housekeeper or TimescaleDB. Another warning you can see is about database history tables that aren't upgraded or primary keys that have not been set. This is possible if you are coming from an older version before Zabbix 6 and never did the upgrade.
"},{"location":"configuration/Dashboard/#the-main-menu-explained","title":"The main menu explained","text":"It's important to know that we have so far seen our dashboard with the Admin user and that this user is a Zabbix Super Admin user. This means that the user has no restrictions. Zabbix works with 3 different levels of users we have the regular users, Zabbix Admin and Zabbix Super Admin users. Let's have a look
* A ```Zabbix User``` will only see the <font color='red'>red</font> part of our ```main menu``` and will only be able to see our collected data.\n* A ```Zabbix Admin``` will see the red part and the <font color='gold'>yellow</font> part of the ```main menu``` and is able to change our configuration.\n* A ```Zabbix Super Admin``` will see the complete ```main menu``` and so is able to change the configuration and all the global settings.\n- Problems: This page will give us an overview of all the problems. With filter we can look at recent problems past problems and problems that are active now. There are many more filters tor drill down more.\n- Hosts: This will give us a quick overview page with whats happening on our hosts and allows us to quickly go to the latest data, graphs and dashboards.\n- Latest data: This page I probably use the most, it shows us all the information collected from all our hosts.\n- Maps: The location where we can create map that are an oveview of our IT infrastructure very useful to get a high level overview of the network.\n- Discovery: When we run a network discovery this is the place where we can find the results.\n- Services This page will give us a high level overview of all services configured in Zabbix.\n- SLA: An overview of all the SLAs configured in Zabbix.\n- SLA Report: Here we can watch all SLA reports based on our filters.\n- Overview: A place where we can watch all our iventory data that we have retrieved from our hosts.\n- Hosts: Here we can filter by host and watch all inventory data for the hosts we have selected.\n- System information: System information is a summary of key Zabbix server and system data.\n- Scheduled reports: The place where we can schedule our reports, a pdf of the dashboard that will be sent at a specified time and date.\n- Availability report: A nice overview where we can see what trigger has been in ok/nok state for how much % of the time \n- Top 100 triggers: Another page I visit a lot here we have our top list with triggers that have been in a nok state.\n- Audit log: An overview of the user activity that happend on our system. Useful if we want to know who did what and when.\n- Action log: A detailed overview of our actions can be found here. What mail was sent to who and when ...?\n- Notifications: A quick overview of the number of notifications sent to each user.\n- Template groups: A place to logical group all templates together in different groups. Before it was mixed together with hosts in host groups.\n- Host groups: A logical collection of different hosts put together. Host groups are used for our permissions.\n- Templates: A set off entities like items and triggers can be grouped together on a template, A template can be applied to one or more hosts.\n- Hosts: What we need in Zabbix to monitor A host, application, service ...\n- Maintenance: The place to configure our maintenance windows. A maintenance can be planned in this location.\n- Event correlation: When we have multiple events that fires triggers related we can configure correlations in this place.\n- Discovery: Sometimes we like to use Zabbix to discover devices, services,... on our network. This can be done here.\n- Actions:\n- Media types:\n- Scripts:\n- User groups:\n- User roles:\n- Users:\n- API tokens:\n- Authentication: \n- General: \n- Audit log:\n- Housekeeping:\n- Proxies:\n- Macros:\n- Queue:\nMore information can be found in the online Zabbix documentation here
InfoYou will see that Zabbix is using the modal forms in the frontend on many places. The problem is that they are not movable. This module created by one of the Zabbix devs UI Twix will solve this problem for you.
At time of writing there is no Dashboard import/export functionality in zabbix. So when upgrading dashboards need to be created for admin by hand. This should be fixed in 7 onces it comes out. If not feel free to track https://support.zabbix.com/browse/ZBXNEXT-5419
"},{"location":"configuration/zabbix-agent/","title":"Zabbix Agent","text":""},{"location":"configuration/zabbix-agent/#zabbix-agent-linux","title":"Zabbix agent Linux","text":""},{"location":"configuration/zabbix-agent/#zabbix-agent-windows","title":"Zabbix agent windows","text":""},{"location":"configuration/zabbix-dataflow/","title":"Data Flow","text":""},{"location":"configuration/zabbix-dataflow/#data-collection","title":"Data Collection","text":""},{"location":"configuration/zabbix-dataflow/#simple-checks","title":"Simple Checks","text":""},{"location":"configuration/zabbix-hostgroups/","title":"Host groups","text":"Let's have look at the concepts of host groups and what the benifits are that they provide. We have seen that Host groups can be created directly when we create a new Zabbix host. Another way to create them is by a Super Admin going to Data collection -> Host groups. Next press the button Create host group in the upper right corner of the screen. Host groups exists to make a logical group so we can add all hosts that belong together in one group or more. Ex all Linux server, all PostgreSQL server, or all the servers that belong to one team.
When going to our menu data collection you notice that there are Host groups and Template groups. If you come from an older Zabbix version you will be happy to read that Zabbix made a specific group for Templates. If you are new to Zabbix don't panic :). In older versions Zabbix had mixed Templates and host in one group. This mixing was sometimes confusing especially for new users, as Zabbix doesnt link templates to groups.
When you click on the menu Data collection -> Host groups. You will notice that some groups are already made. You will also see that there are some names behind the host groups with numbers in front. These names are the names from the hosts that are in the group. The number in fron is the number of hosts that are in the host group. To make life more easy you can click on the names of the hosts and Zabbix will bring you directly to the configuration screen for this host.
Zabbix allows the creation of nested groups. As you can see we are using forward slashes in our group name. When you make use of nested group you can use the '/' to separate groups.
Once our group or set of nested groups is made you can click again from the host group overview on the group. You will notice that there is now a box that says Apply permissions and tag filters to all subgroups. When pressing this button, all right that are this group will be applied to the sub-groups. So if we have a user John for example in a user group that has rights to see everything in the Host group with the name Europe/Belgium and we apply the option to the subgroups then our user John will suddenly see also the hosts in all our nestet groups and the tags on this host.
When creating nested groups, Parent groups don't have to exist. So we can have only the group open-future without any of the parent groups. It's up to the user to create them or not. Also group names cannot have / in their names. We cannot escape the / character. Also leading and trailing slashes and multiple slashes in a row are not allowed.
Have you tried to put emoticons in fields like host group yet ?
"},{"location":"configuration/zabbix-hosts/","title":"Zabbix hosts","text":"To understand how Zabbix works, it's important to know that Hosts in Zabbix are a reference to anything we would like to monitor. It can be a physical host, a virtual machine, an application, a device, or even just a dummy host used to calculate data from existing hosts into something new.
It's probably one of the first tasks that we will do as an Admin when we first login to Zabbix because we need a host if we would like to monitor some metrics. It's however, important to know that hosts cannot be created without being in a hostgroup.
With this said, let's see how to create our first host.
Let's go to the menu on your left and select Data Collection -> Hosts. We see that there is already a host configured and that the availability icon is \"RED\". Don't worry about it, this is normal. We have no Zabbix agent installed or configured.
To add a new host to our system, we have to press Create host, this button can be found in the upper right corner of our screen.
We now get a modal form where we need to fill in some information about our host. The fields marked with a red asterisk \"*\" are the fields that are mandatory.
ParameterDescription Host nameHere we need to enter the Host name of the machine we would like to add. The name can contain alphanumerics, spaces, dots, dashes, and underscores. HOWEVER you are not allowed to use leading and trailing spaces. The Host name in the frontend is what we need later for the configuration of our Zabbix agent, so make sure you remember it. Visible nameThe host name, as we have seen, is needed to configure our Zabbix agent. So in case you like to give it a unique name or one that is randomly generated, ... you can add a visible name here. This name will then be used on the frontend instead of what we call the technical name host name. This name has support for UTF-8, so special characters are supported. This name will be used in all the places like maps, the latest data, inventory, ... TemplatesTemplates are like blueprints that we can use on our hosts to add items, triggers, etc. We explain more about it in the topic Zabbix templates. You can start typing the name of the template, and Zabbix will start to show a list with matches, or you can press the ```Select``` box and choose one from the list. Host groupsEvery host must belong to atleast one ```host group```. This is because permissions are set on host groups. You can type the name of the host group, and a list of matching groups will start to appear. Another way is to select a host group from an existing list by pressing the Select button. Or you can create a new group by just typing the name and pressing on the box that shows the name of the group you typed with (new) behind it InterfacesZabbix supports several host interfaces, like the Zabbix agent, SNMP, JMX, and IPMI. By default, when we create a host, no interface is added. To add an interface, press Add and fill in the needed information, like IP or DNS, depending on the host interface chosen. When an interface is in use (items created that use the interface), then the interface cannot be removed. DescriptionA place to enter a short description about our host. Monitored by proxyIf we have proxies configured, we can select them here if we like to monitor our host through a proxy. EnabledMark the checkbox to enable the host. This will keep it monitored by Zabbix. When unchecked, the host will not be monitored."},{"location":"configuration/zabbix-hosts/#host-menu-details","title":"Host menu details","text":"Before we add a host ourselves, there are a few things we need to know first. When we click on a host that we have already configured, there are a few things that we will notice. First of all, we see a blue line under Host. This means that we are on the current tab of the host page. As you can see, there are multiple tabs that we can click on, like IPMI, Tags, Macros,...
The next thing we see is that next to the tab Macros, there is a number 2. This is because there are two macros configured in the macro tab. So when we add information to tabs like macros or tags ... , Zabbix will show how many items we have added to these tabs by showing next to the tab name the number.
When looking at the encryption tab, we notice the green dot. This shows us that an option on the tab has been activated. Now that we know this, let's get a quick overview of every tab and see what it does.
So looking at the IPMI tab, there are a few things we need to fill in when working with an IPMI interface. IPMI stands for Intelligent Platform Management Interface and is basically a set of standards to manage hardware platforms. In short, it allows us to monitor and manage our servers hardware even if the server is not turned on yet. IPMI is better known as ILO on HP servers and DRAC on Dell servers.
We will cover IPMI in more detail later in the Chapter IPMI Monitoring
"},{"location":"configuration/zabbix-hosts/#tags","title":"Tags","text":"To Do
"},{"location":"configuration/zabbix-interfaces/","title":"Interfaces","text":""},{"location":"configuration/zabbix-items/","title":"Items","text":""},{"location":"configuration/zabbix-macros/","title":"Macros","text":""},{"location":"configuration/zabbix-templates/","title":"templates","text":""},{"location":"configuration/zabbix-users/","title":"Zabbix Users & User groups","text":"Now that we know how the Zabbix dashboard is build up our first task will be to create a user. In case you missed it the standard Zabbix (yes the capital Z here is eeded to login.) user is Admin and has the password zabbix so we need to change this ASAP. The most confusing part is probably that the user Admin in zabbix is actually a super admin but more about that later.
In our menu on the right side of the screen, click the Users section, and then choose users. As you can see here in the screenshot.
You will now see a list of all the users that are created on the system when installing a new Zabbix instance. Here you will always see a list of all users that are configured on the system.
To change the password, do the following steps: - Click user Admin - Click on the button Change password. - Fill in the current password, zabbix - Fill in the new password twice and press Update at the bottom of the page.
Before we create new users, it's important to know that Zabbix has three user types that are built-in.
User typeDescription Zabbix UserThis is a normal user that only has read-only permissions if given. So there are no permissions assigned by default. Zabbix AdminA user with read/write permissions. Just like the Zabbix user, there are no permissions by default. However access can be denied to some groups. Zabbix Super AdminA user with group read/write permissions. The user will have read/write access to all host and template groups. Access can't be revoked by denying access to groups, like with a normal admin.Besides these differences, these users also have different access rights to our menu. Let's have a closer look.
Admin user will have more rights than a regular user and will be able to make some configuration changes in Zabbix. A Super Admin user will have unlimted right and see every part of the menu. The only way to limit a Super Admin will be by making use of roles. Something we cover later.Admin user will have more rights than a regular user and will be able to make some configuration changes in Zabbix.Super Admin can access all parts of the menu. This table gives an overview of all the permissions a Zabbix user, admin, and super admin have in the Zabbix menu:
Zabbix UserZabbix AdminZabbix Super Admin Dashboards\u2705\u2705\u2705 Monitoring\u2705\u2705\u2705 - Problems\u2705\u2705\u2705 - Hosts\u2705\u2705\u2705 - Latest data\u2705\u2705\u2705 - Maps\u2705\u2705\u2705 - Discovery\u274c\u2705\u2705 Services\u2705\u2705\u2705 - Services\u2705\u2705\u2705 - SLA\u274c\u2705\u2705 - SLA Report\u2705;\u2705\u2705 Inventory\u2705\u2705\u2705 - Overview\u2705\u2705\u2705 - Hosts\u2705\u2705\u2705 Reports\u2705\u2705\u2705 - System information\u274c\u274c\u2705 - Scheduled reports\u274c\u2705\u2705 - Availability report\u2705\u2705\u2705 - Triggers top 100\u2705\u2705\u2705 - Audit log\u274c\u274c\u2705 - Action log\u274c\u274c\u2705 - Notifications\u274c\u2705\u2705 Data Collection\u274c\u2705\u2705 - Template groups\u274c\u2705\u2705 - Host groups\u274c\u2705\u2705 - Templates\u274c\u2705\u2705 - Hosts\u274c\u2705\u2705 - Maintenance\u274c\u2705\u2705 - Event correlation\u274c\u274c\u2705 - Discovery\u274c\u2705\u2705 Alerts\u274c\u2705\u2705 - Trigger actions\u274c\u2705\u2705 - Service actions\u274c\u2705\u2705 - Autoregistration actions\u274c\u2705\u2705 - Internal actions\u274c\u2705\u2705 - Media types\u274c\u274c\u2705 - Scripts\u274c\u274c\u2705 Users\u274c\u274c\u2705 - User groups\u274c\u274c\u2705 - User roles\u274c\u274c\u2705 - Users\u274c\u274c\u2705 - Api tokens\u274c\u274c\u2705 - Authentication\u274c\u274c\u2705 Administration\u274c\u274c\u2705 - General\u274c\u274c\u2705 - Audit log\u274c\u274c\u2705 - Housekeeping\u274c\u274c\u2705 - Proxies\u274c\u274c\u2705 - Macros\u274c\u274c\u2705 - Queue\u274c\u274c\u2705Admin user will have more rights than a regular user and will be able to make some configuration changes in Zabbix.Super Admin can access all parts of the menu. So now that we are in the users section of Zabbix, it's probably a good time to create a new user for our system. If you skipped the previous step, go to the menu Users -> Users.
Click on the top right on Create user and fill in the details of your new users. You will see that some fields have red asterisks in front of them, like Username and Password, ... this means that those fields are mandatory to fill in.
Zabbix passwords rely on a minimum length of 8 characters and also block a list of easy-to-guess passwords. We can make our passwords more secure by telling Zabbix that our passwords must contain uppercase and lowercase characters, a digit, and a special character. This policy is a global policy that will be enforced, and we have to set this policy as Super Admin. Go to the menu Users -> Authentication. In older versions, you can find it under Administration Authentication.
ParameterDescription UsernameA unique name that will be used as username when we login. NameThe users firstname this field is optional visible in acknowledgment information and notification recipient information if set. Last NameUsers last name. Optional, this field is optional visible in acknowledgment information and notification recipient information if set. GroupsSelect what group the user will belong to. Atleast 1 group needs to be selected. This feeld will auto complete or you can press the '''Select''' button at the end of the field. PasswordThere are 2 password fields they can only be used for internal authentication but more about this later. If the user has the Super admin role then clicking on the Change password button opens an additional field to entering the current (old) password. On a successful password change, the user for which the password was changed will be logged out of all active sessions. LanguageLanguage of the frontend. The php gettext extension is required for the translations to work. And the language needs to be configured on the system. See the chapter \"Installing Zabbix\" in case you forgot. TimezoneSelect the time zone per user or use the default timezone that is configured on the Zabbix server. ThemeHere users can select their own look and feel by choosing one of the 4 themes provided by Zabbix or another custom made theme. Default will switch to the default theme chosen by the admin. Auto-LoginCheck this box so that the user will be remembered for 30 days. The browser must accept cookies for this to work. Auto-LogoutChecking this box makes sure the user gets logged out automatically, after the set amount of seconds (minimum 90 seconds, maximum 1 day). Time suffixes are supported, e.g. 90s, 5m, 2h, 1d. Note that this option will not work if :The tab ''' Media ''' contains a list of all media that are defined for our user. Media is used for sending notifications to the user. We can click the Add button.
Adding the media here is not enough to receive notification; we also need to configure our media properly, and we still need to configure actions as well. When pressing the ''' Add ''' button, we get a popup where we can select some information.
ParameterDescription TypeA drop down list with the names of all media types. When a media type is disabled it will be in red. Send toHere we can provide contact information. For an email media type it is possible to add several addresses by clicking on '''Add''' below the address field. In this case, the notification will be sent to all email addresses provided. It's also possible to specify recipient name in the Send to field of the email recipient in a format 'Recipient name <address1@company.com>'. Note that if a recipient name is provided, an email address should be wrapped in angle brackets (<>). UTF-8 characters in the name are supported, quoted pairs and comments are not. For example: John Doe <manager@open-future.com> and manager@nycdatacenter.com are both valid formats. Incorrect examples: John Doe manager@open-future.com, %%\"Zabbix\\@\\<H(comment)Q\\>\" zabbix@company.com %%. when activeThe time when media will be active from monday till sundat, 1-7 and the time from 00:00 till 24:00 for example only in weekends from 6 in the morning till 5 in the evening: 6-7,06-17:00i. This is based on the user his timezone Use if severityA list of checkboxes from the severities you would like to recieve notifications from. Selected severities will be displayed in color. !! Read the warning below!! StatusStatus of the media we have selected either enabled or disabled ( in use or not ) WarningWhen selecting the different severity levels, be aware that you have to select Not classified if you want to receive notifications about non-trigger events, like internal events. For more information, check out Event Sources. This is something that is not obvious, and Zabbix documentation could be better at explaining this.
When we go to the Permissions tab in our Users, we will get an overview of all permissions our users had in the menu structure. Or when creating a new user, we have the option to select a User Role. Zabbix has four different User Roles built-in. There is a User role, Admin role, Super admin role, and a Guest role.
The Guest role is a role with very strict access limitations. Its role is intended for users to access Zabbix without any user account. I never advise using this role unless you know what you are doing. When you open your GUI to users without any authorization, this could leak potential sensitive data like hostnames, IPs, etc.
Choosing a User type is one thing; based on the User type we choose, our users will have more or less rights in our main menu. But there is another important part when choosing the User Type. This also has an impact on the rights each user has over host groups. For example, a regular user can only have read rights or no rights. A Zabbix admin user can have full, read-only, or no rights, and a Zabbix Super Admin always has full rights on host groups, and his rights on the host groups cannot be revoked.
Here is an overview of every user and his rights:
Group rightsZabbix UserZabbix AdminZabbix Super Admin Read/WriteRead OnlyFullFull Read onlyRead OnlyRead OnlyFull DenyNoneNoneFull NoteWith all this knowledge, we now know that if we want to create a regular user who also has access to certain parts of the Administration menu, that it's not possible. We can never create a user that has only RO access to certain host groups and RW access to the Administration part. What we could do, however, is create a Super Administrator account and remove access from the menu for certain parts of the Administrationmenu by creating a special role. There is no limit on the number of roles you can create.
Also, be aware that when you click on an item on the dashboard on Update, you will see a modal window popup with some options to change the severity, close a problem, etc., so some will be greyed out. This is because the user needs write permissions. For example, a user needs write permissions to close a problem and change the severity level.
With Zabbix 7 Permission checks have been made much faster. This was made possible by making some improvements on how permissions are stored. This should make the frontend faster when when we have permission havy pages to load like the ones with hosts or problems widgets. - New tables have been introduced for the check of non-privileged users. - The new tables will keep hashes (SHA-256) of user group sets and host group sets for each user/host. - Also a new permission table was introduced for storing only the accessible combinations of users and hosts, specified by the hash IDs. - Hashes and permissons are not calculated for Super Admin users.
"},{"location":"configuration/zabbix-users/#user-roles","title":"User Roles","text":"User roles have been in Zabbix since version 5.2 and make our lives easier by allowing us to make some custom adjustments to the standard defind user types in Zabbix.
When we go to our Permissions tab, we can see a box Role. Press the Select box to see a popup with a list of roles to choose from. There are four standard roles to choose from. You can create your own list of rules by going to the menu Users -> User Roles and create your own limited user.
The box is marked with an asterisk in front, so you need to select a user role for every user you create.
WarningBe aware that no permissions can be added to user roles only permissions can be revoked.
"},{"location":"configuration/zabbix-users/#user-groups","title":"User Groups","text":"A user always needs to be member of one or more User groups. We will not set any user rights directly on Users in Zabbix but we do this on User groups. So if a User needs the permission to view or edit a host or a template then this is set on the User group wich has the permisson to view or edit a host or template group and never on a host or a template directly.
Zabbix has a few different rights we can use on group level, as we have seen above. To make it easier for you I add them again:
Group rightsZabbix UserZabbix AdminZabbix Super Admin Read/WriteRead OnlyFullFull Read onlyRead OnlyRead OnlyFull DenyNoneNoneFullWhen it comes to permissions in Zabbix groups, the highest level will win. A user that has read and read-write rights on the same host will get read-write permissions. Except for Deny, Deny will always overrule. So if we have a Zabbix Admin user then this user can have Read/Write rights, if we add a host in a hostgroup where our usergroup has read rigths, and the same server is in another hostgroup with Read/Write rights, then our user will have Read/Write permissions on the hosts. However if the same host is only in the Read hostgroup then our user will only have read rights. If we also add host in a Hostgroup where our usergroup has Deny rights then the server will not be visible.
Let's have a look at our User groups, for this go to the menu Users -> User groups and click on one of the existing users. I used Guest in this case.
Under the tab User group we see the following options:
Frontend Access : How users of the group will authenticate with Zabbix.
The next tab next to User group is the tab Template permissions. Here we can define what User group will have access to what template group. We can define if a User group has read, read-write permissions or if all access must be denied. When selecting a template group don't forget to press the Add button first so that you see the Template group appear in the Permissions box. Then when you are ready confirm again at the bottom of the page with Updqte.
Hosts permissions tab allows us to specify what User group```` will have what kind of access on the selectedHost groupsthis can again be read, read-write or explicit deny. Just as with theTemplates permissionstab don't forget to clickAddfirst and when you are ready defining all the permissions clickUpdate``` at the bottom. The name is a bit confusing as we don't select permissions for a host but a host group.If we add multiple lines with the same host group or template group with different permissions Zabbix will apply the strongest permission. Alow be aware that a Super admin user can enforce nested groups to have the same level of permissions as the parent group. It can be done in the host group or template group configuration.
Problem tag filter allows us to filter problems based on tags and their value. It also allows us to separate the access to host groups from our possibility to see only the problems we want.Let us make three Host groups, go to the Data collection menu -> Host groups and create a Host group for read , read-write, and deny.
Next step is to create a host and add the host in our three groups. Go to the Data collection menu -> Hosts and press Create host on the right. Add a Host name, the name is not that important and add the three Host groups we just made.
The only thing we need to do now is create our User and User group and give the correct rights. Go to our menu Users -> Users group and click on the top right to Create user group. Let's call this group our Admin Group as we need a Zabbix Admin that we can give read, read-write and later deny to show this.
Next go to the tab Host permissions and start typing the name of our group read in the search box or press the Select button and select the correct group. Next before we do anything select also the correct permissions Deny and press the add just below NOT the button. Do this also for the group read-write and deny. If everything looks like in our screenshot then press the Add button
Now for the final step let's create a user. Go to the menu Users -> Users and create a new user, in the field Username we can add our fictive user with the name Brian. In the Groups box we select our Users group this was Admin Group. Don't forget also to add a Password we need to do this twice. Next go to the tab Permissions and select the role Admin role. You will see directly once selected that our users bridan has read, write and deny on the correct groups. Press Add at the bottom.
Now it's time to check if everything is as expected. Our user Brian if all goes well shouldn't have any rights as we explicitly denied accesss. Press Sign out at the bottom left and then login as user Brian. Go to the menu Monitoring -> Hosts. Select all the hosts groups, you should normally only see read, and read-write. Our host group Deny is not visible and our host postgres is not visible either.
Now log back in as user Admin, our Zabbix Super Admin and remove the deny group from our Admin group. This can be done by selecting the None permissions for the group Deny in the Host permissions tab from our User group.
Log back in as our user Brian go back to the Monitoring menu to Hosts. If all goes well our groups read and read-write are still selected if nog you just select them again. You will see that our host postgres is visisble and that you can click on it to edit the host propreties.
As final test you can try to remove the group read-write same as we did before with the Deny group. This time only the read group will be visible for our user and Brian will not be able to edit our host postgres anymore.
Now let's add tags into the mix. Imagine that we only like to see problems with a tag read-write and value off. Go to User groups select our Admin Group again and go to the tab Problem tag filter and fill in the needed tag read-write and value off.
Now we need to create a problem for this we will add an item and a trigger to our host postgres. Go to the menu Data collection -> Hosts and click on items behind our host postgres. On the top right you will see a button Create item click on it and fill in the same data as in the screenshot below. Don't worry if you don't understand anything we will come to items later.
In this item we just tell our Zabbix server to do a ping to IP 192.168.10.1 make sure this IP doesn't exist in your lan so try to ping it first to be sure you don't get a reply back. If you do get a reply back change the IP with some address that is not pingable for you.
Next step once you have filled in all the data is to save the item and click on top on Triggers. You will also notice now that there is a 1 next to Items. This indicates that we have made 1 item on our host postgres. Now that we are in the trigger tab click in the top right corner on the button Create trigger. Once again copy over all the data from the screenshot and save the trigger. If you changed the IP in the item make sure you use same IP in the trigger.
Next let's add a tag on our host postgres that tells Zabbix to mark everything on the host with a tag read-write and value on. Remember we added a value off in our User group problem tag filter tab. So we only want to see everything with a tag read-write and value off.
When you go now to the Problem page in the menu Monitoring you should see after some time a warning that there is a problem on our host postgres. You will also see that the problem got a tag read-write with value on.
You can clearly see that under our Zabbix super admin user the problem is visible. Now do the same but as user Brian. You will notice that there is no visible problem for our user even he has read-write access to the hostgroup where our server postgres belongs to.
Now as user Brian I would like to see the problem so let's go to our menu Data collection and click on our host postgres. Go to the Tags tab and change the value from our tag read-write from on to off. So now everything on our host should get the tags read-write with value off. So now Brian should be able to see the problem right ? Sadly Brian is still not able to see the problem in our Problem page. This is because the problem was already created in Zabbix and has already received the tag. So the only way to fix this is to close the problem first and let Zabbix create a new problem again.
As Super Admin log back in and go to our trigger Ping and mark the box Allow manual close and press Update. Go back to the dashboard and behind the problem ping you will see Update. Click on it and selec the option Close problem and press Update.
Log back in as our user Brian and go to the problem dashboard. We will see that the problem is back. Even we closed the problem before Zabbix opened a new problem because the issue was not resolved. This time our issue has the tag with the correct value.
A Zabbix user needs to be created with a user role. You cannot create one without.
WarningBe careful if you use the API at the time of writing it's possible to create a Zabbix user with the API without a role. When created by the API the user can even be saved by the frontend afterwards !
InfoMore information can be found in the online Zabbix documentation here
"},{"location":"extra-monitoring/SNMP-monitoring/","title":"Monitoring SNMP,IPMI and JAVA","text":""},{"location":"installation/Requirements/","title":"Requirements","text":"Zabbix has a set of requirements that need to be met on the hardware level and software level. These requirements can change over time and also depends on the size of your setup and the software you choose. So before you start buying metal or installing a random database version have a look at the Zabbix documentation and check the latest requirements for the version you want to install. The latest requirements can be found here. Don't forget to select your correct Zabbix version from the list.
If you don't plan to run anything big just a small setup or a test setup Zabbix will run happy on a system with 2cpu and 8G ram. But all depends on how big your setup will be and how many items you will monitor, triggers you will create and for how long you want to keep that data. My advice in the days of Virtualization is you can start small and add more later.
For the setup you can choose to install all components on 1 server or every component on a different server. For the ease of use just make a few notes for yourself:.
server ip zabbix server database server web server TipWhile zabbix uses dashes \"-\" in it's names when we need to install packages like zabbix-get or zabbix-sender it's binaries use \"_\". like zabbix_sender or zabbix_server. This of course can vary depending if you use the packages from the original Zabbix repositories or not. Just be aaware that it's sometimes rather confusing and that if you installed somepackage with a dash that maybe the binary is with an underscore.
"},{"location":"installation/Requirements/#basic-os-configuration","title":"Basic OS configuration","text":""},{"location":"installation/Requirements/#firewall","title":"firewall","text":"It's important for our Zabbix server to have an OS that is well prepared before we start to install our monitoring tool. First we need to make sure our firewall is installed.
# dnf install firewalld --now
Our firewall is installed now, and we are ready to configure the needed ports. For our Zabbix server, we need to allow access to port 10051/tcp this is the port where our Zabbix trapper listens on for incoming data. So we need to open this port in our firewall to allow access to our Zabbix trapper.
# firewall-cmd --add-service=Zabbix-server --permanent
or if the service is not known
# firewall-cmd --add-port=10051/tcp --permanent
firewalld
\"Firewalld is the replacement of iptables in Redhat and allows us to make changes available immediately without the need to restart a service. It's possible that your distribution is not using Firewalld in this case you have to look to the documentation of your OS.\"
"},{"location":"installation/Requirements/#timeserver","title":"timeserver","text":"Another thing we need to configure is the setup of timeserver and sync our Zabbix server to the timeserver by making use of an ntp client. This needs to be done for the Zabbix server but also for the devices we will monitor as time is very important for Zabbix. Imagine one of our hosts having a time zone that is wrong we could end up looking for a problem in Zabbix that happened 6h ago while it had happened maybe only 2h ago.
# dnf install chronyd --now
Chrony should be installed now and enabled and running. This can be verified with the command:
# systemctl status chronyd
dnf
\"dnf is a packagemanager from RedHat you need to replace dnf with your correct packagemanager like zyper, apt, yum, ... chrony is a replacement for ntpd and does a better job being faster and more accurate. If your OS does not support chrony then maybe ntpd is still available.\"
Once Chrony is installed we also need to setup our correct time zone. We can have a look first with 'timedatectl' to see how our time is configured
# timedatectl\n Local time: Thu 2023-11-16 15:09:14 UTC\n Universal time: Thu 2023-11-16 15:09:14 UTC\n RTC time: Thu 2023-11-16 15:09:15\n Time zone: UTC (UTC, +0000)\nSystem clock synchronized: yes\n NTP service: active\n RTC in local TZ: no\nMake sure that the service cronyd is active, see above on how to do if you missed it. We can choose the correct time zone from a list that we can lookup with the following command:
# timedatectl list-time zones\nThis will give us a list with all available time zones. Choose the one closest to you.
Africa/Abidjan\nAfrica/Accra\n\n...\n\nPacific/Tongatapu\nPacific/Wake\nPacific/Wallis\nUTC\nWe can now configure our correct time zone with the following command:
timedatectl set-time zone Europe/Brussels\nWhen we look again we should see our time zone properly configured.
# timedatectl\n Local time: Thu 2023-11-16 16:13:35 CET\n Universal time: Thu 2023-11-16 15:13:35 UTC\n RTC time: Thu 2023-11-16 15:13:36\n Time zone: Europe/Brussels (CET, +0100)\nSystem clock synchronized: yes\n NTP service: active\n RTC in local TZ: no\n\"Some people like to install all servers in the UTC time zone so that all server logs are in the same time zone when having servers all over the world. Zabbix supports user based time zone settings so it's possible to keep the time zone in UTC on the server and then add the correct time zone in the user interface if you like.\"
We can test if Chrony is syncronizing with the correct timeservers as well by running the command chronyc
# chronyc\nchrony version 4.2\nCopyright (C) 1997-2003, 2007, 2009-2021 Richard P. Curnow and others\nchrony comes with ABSOLUTELY NO WARRANTY. This is free software, and\nyou are welcome to redistribute it under certain conditions. See the\nGNU General Public License version 2 for details.\n\nchronyc>\nThen we type sources
chronyc> sources\nMS Name/IP address Stratum Poll Reach LastRx Last sample\n===============================================================================\n^- 51-15-20-83.rev.poneytel> 2 9 377 354 +429us[ +429us] +/- 342ms\n^- 5.255.99.180 2 10 377 620 +7424us[+7424us] +/- 37ms\n^- hachi.paina.net 2 10 377 412 +445us[ +445us] +/- 39ms\n^* leontp1.office.panq.nl 1 10 377 904 +6806ns[ +171us] +/- 2336us\nHere we can see that we are using a bunch of ntp servers that are not in our own country so we better swicht to some timeservers in our local country or if we have a timeserver in our company we could use this one. We can find some local timeservers here : https://www.ntppool.org/
To change this we have to edit our config file \"/etc/chrony.conf\" and replace the existing ntp server with our local one
# Use public servers from the pool.ntp.org project.\n# Please consider joining the pool (http://www.pool.ntp.org/join.html).\npool 2.centos.pool.ntp.org iburst\nAnd change it to a local server:
# Use public servers from the pool.ntp.org project.\n# Please consider joining the pool (http://www.pool.ntp.org/join.html).\npool be.pool.ntp.org iburst\nDon't forget to restart the ntpd client of course.
# systemctl restart chronyd\nWhen we look again we will see that we are now using our local timeservers.
chronyc> sources\n\nMS Name/IP address Stratum Poll Reach LastRx Last sample\n===============================================================================\n^- ntp1.unix-solutions.be 2 6 17 43 -375us[ -676us] +/- 28ms\n^* ntp.devrandom.be 2 6 17 43 -579us[ -880us] +/- 2877us\n^+ time.cloudflare.com 3 6 17 43 +328us[ +27us] +/- 2620us\n^+ time.cloudflare.com 3 6 17 43 +218us[ -83us] +/- 2815us\nIn this topic we will setup Zabbix in a High Available setup. This feature was added in Zabbix 6 and was one of the most important features added that time. The idea about this functionallity is that if your Zabbix server fails that another Zabbix server can take over. In this setup we will use 2 Zabbix servers but you are not limited to this you can add as many as you like.
The HA setup in Zabbix is rather basic but works like a charm so don't expect fancy things like load balancing.
Just like we did in our basic setup we will make a few notes again about the setup of the servers we have. I added the IP's that we will use here don't forgot to make notes of your own ip adresses.
Server IP Zabbix Server 1 192.168.0.130 Zabbix Server 2 192.168.0.131 Postgres DB 192.168.0.132 Virtual IP 192.168.0.135 NoteAs you notice our DB is not HA this is not a Zabbix component you have to implement your own solution this can be a HA SAN or you DB in a HA cluster setup. The cluster setup of our DB is out of the scope and not related to Zabbix so we will not cover this here.
"},{"location":"installation/installing-zabbix-ha/#lets-install-our-postgres-db","title":"Let's install our Postgres DB","text":"NoteIf you are not running on x86 or like to try on another OS, then have a look at https://www.postgresql.org/download/ for the commands you need.
WarningIn this exercise we will take some shortcuts for the installation of the PostgreSQLDB and the OS. Look at our previous topics to get a better understanding where to tweak.
# Install the repository RPM:\nsudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm\n\n# Disable the built-in PostgreSQL module:\nsudo dnf -qy module disable postgresql\n\n# Install PostgreSQL:\nsudo dnf install -y postgresql16-server\n\n# Initialize the database and enable automatic start:\nsudo /usr/pgsql-16/bin/postgresql-16-setup initdb\nsudo systemctl enable postgresql-16 --now\nPostgreSQL works a bit different then MySQL or MariaDB and this applies aswell to how we manage access permissions. Postgres works with a file with the name pg_hba.conf where we have to tell who can access our database from where and what encryption is used for the password. So let's edit this file to allow our frontend and zabbix server to access the database.
# vi /var/lib/pgsql/16/data/pg_hba.conf\n# \"local\" is for Unix domain socket connections only\nlocal all all trust\n# IPv4 local connections:\nhost zabbix zabbix 192.168.0.130/32 scram-sha-256\nhost zabbix zabbix 192.168.0.131/32 scram-sha-256\nhost all all 127.0.0.1/32 scram-sha-256\nAfter we changed the pg_hba file don't forget to restart postgres else the settings will not be applied. But before we restart let us also edit the file postgresql.conf and allow our database to listen on our network interface for incomming connections from the zabbix server. Postgresql will standard only allow connections from the socket.
# vi /var/lib/pgsql/16/data/postgresql.conf\nReplace the line with listen_addresses so that PostgreSQL will listen on all interfaces and not only on our localhost.
listen_addresses = '*'\nWhen done restart the PostgreSQL cluster and see if it comes back online in case of an error check the pg_hba.conf file you just edited for typos.
# systemctl restart postgresql-16\nFor our Zabbix server we need to create tables in the database for this we need ot install the Zabbix repository like we did for our Zabbix server and install the Zabbix package containing all the database tables images icons, ....
"},{"location":"installation/installing-zabbix-ha/#add-the-zabbix-repository-and-populate-the-db","title":"Add the Zabbix repository and populate the DB","text":"Add the Zabbix repo to your server (Don't forget to select the correct repo for your OS and Zabbix version) for this go to www.zabbix.com/download
# rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\n# dnf install zabbix-sql-scripts -y\nNext we have to unzip the database schema files. Run as user root followin command::
# gzip -d /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz\nNow we are ready to create our Zabbix users for the server and the frontend. If you like to separate users for frontend and server have a look at the basic installation guide.
# su - postgres\n# createuser --pwprompt zabbix\nEnter password for new role: <server-password>\nEnter it again: <server-password>\nWe are now ready to create our database zabbix. Become user postgres again and run next command to create the database as our user zabbix:
# su - postgres\n# createdb -E Unicode -O zabbix zabbix\nLet's upload the Zabbix SQL file we extracted earlier to populate our database with the needed schemas images users etc ... For this we need to connect to the DB as user zabbix.
# psql -U zabbix -W zabbix\nPassword:\npsql (16.2)\nType \"help\" for help.\n\nzabbix=> SELECT session_user, current_user;\n session_user | current_user\n--------------+--------------\n zabbix | zabbix\n(1 row)\n\nzabbix=> \\i /usr/share/zabbix-sql-scripts/postgresql/server.sql\nCREATE TABLE\nCREATE INDEX\nCREATE TABLE\n....\n....\nINSERT 0 1\nDELETE 80424\nCOMMIT\nMake sure the owner of your tables is the user zabbix;
zabbix=> \\dt\n List of relations\n Schema | Name | Type | Owner\n--------+----------------------------+-------+--------\n public | acknowledges | table | zabbix\n public | actions | table | zabbix\n...\n...\n...\n\nzabbix=> \\q\n\nOne last thing we need to do is open the firewall and allow incoming connections for the PostgreSQL database from our Zabbix server because at the moment we dont accept any connections yet.
# firewall-cmd --new-zone=postgresql-access --permanent\nsuccess\n\n# firewall-cmd --reload\nsuccess\n\n# firewall-cmd --get-zones\nblock dmz drop external home internal nm-shared postgresql-access public trusted work\n\n# firewall-cmd --zone=postgresql-access --add-source=<zabbix-serverip 1> --permanent\n# firewall-cmd --zone=postgresql-access --add-source=<zabbix-serverip 1> --permanent\n\nsuccess\n# firewall-cmd --zone=postgresql-access --add-port=5432/tcp --permanent\n\nsuccess\n# firewall-cmd --reload\nNow lets have a look to our firewall rules to see if they are what we expected:
# firewall-cmd --zone=postgresql-access --list-all\nOur database server is ready now to accept connections from our Zabbix server :). You can continue with the next task
"},{"location":"installation/installing-zabbix-ha/#install-our-zabbix-cluster","title":"Install our Zabbix Cluster","text":"Setting up a Zabbix cluster is not really different from setting up a regular Zabbix server obviously we need more then one. And there are also a few parameters that we need to configure.
Let's start by adding our Zabbix 7.0 repositories to our 2 Zabbix servers.
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\nOnce this is done we can install our Zabbix servers on both systems.
dnf install zabbix-server-pgsql -y\nWe will now edit the config file on our first zabbix server. Run the next command:
vi /etc/zabbix/zabbix_server.conf\nOnce in the file edit the following lines to make our Zabbix server 1 connnect to the database
DBHost=<zabbix db ip>\nDBName=zabbix\nDBUser=zabbix\nDBPassword=<your secret password>\nIn the same file we also have to edit another parameter to activate HA on this host.
HANodeName=zabbix1 (or whatever you like)\nWe are not done yet. We also have to tell Zabbix in case of a node fail to what server the frontend needs to connect.
NodeAddress=<Zabbix server 1 ip>>:10051\nWe are now done with the configuration of our 1st Zabbix server. Now let's do the same for our second server. I case you have more then 2 servers you can update them as well.
When you are done patching the config of your servers you can start the zabbix-server service on both servers
systemctl enable zabbix-server --now\nLet's have a look at the log files from both servers to see if it came online as we had hoped. on our first server we can run:
#grep HA /var/log/zabbix/zabbix_server.log\n\n22597:20240309:155230.353 starting HA manager\n22597:20240309:155230.362 HA manager started in active mode\nNow do the same on our other node(s)
# grep HA /var/log/zabbix/zabbix_server.log\n22304:20240309:155331.163 starting HA manager\n22304:20240309:155331.174 HA manager started in standby mode\nFirst things first before we can install and configure our webserver we need to install keepalived. Keepalived allows us to use a VIP for our frontends. Keepalived provides frameworks for both load balancing and high availability.
InfoSome useful documentation on the subject you might like. https://www.redhat.com/sysadmin/advanced-keepalived and https://keepalived.readthedocs.io/en/latest/introduction.html
"},{"location":"installation/installing-zabbix-ha/#setup-keepalived","title":"Setup keepalived","text":"So let's get started. On both our servers we have to install keepalived.
dnf install keepalived\nWe also need to adapt the configuration of keepalived on both servers. The configuration for both servers needs to be a bit changed so let's start with our server 1. Edit the config file with the following command:
# vi /etc/keepalived/keepalived.conf\nDelete everything and replace it with the following lines:
vrrp_track_process track_nginx {\n process nginx\n weight 10\n}\n\nvrrp_instance VI_1 {\n state MASTER\n interface enp0s1\n virtual_router_id 51\n priority 244\n advert_int 1\n authentication {\n auth_type PASS\n auth_pass 12345\n }\n virtual_ipaddress {\n 192.168.0.135\n }\n track_process {\n track_nginx\n }\n}\nReplace enp0s1 with the interface name of your machine and replace the password with something secure. For the virual_ipaddress use aa free IP from your network. Now do the same thing for our second Zabbix server.
# vi /etc/keepalived/keepalived.conf\nDelete everything and replace it with the following lines:
vrrp_track_process track_nginx {\n process nginx\n weight 10\n}\n\nvrrp_instance VI_1 {\n state BACKUP\n interface enp0s1\n virtual_router_id 51\n priority 243\n advert_int 1\n authentication {\n auth_type PASS\n auth_pass 12345\n }\n virtual_ipaddress {\n 192.168.0.135\n }\n track_process {\n track_nginx\n }\n}\nJust as with our 1st Zabbix server, replace enp0s1 with the interface name of your machine and replace the password with something secure. For the virual_ipaddress use aa free IP from your network.
On both servers we can run the following commands to install our webserver and the zabbix frontend packages:
dnf install nginx zabbix-web-pgsql zabbix-nginx-conf\nAlso let's not forget to configure our firewall
firewall-cmd --add-service=http --permanent\nfirewall-cmd --add-service=zabbix-server --permanent\nfirewall-cmd --reload\nAnd now we can start our keepalived and enable it so that it comes up next reboot
systemctl enable keepalived nginx --now\nClick next till you see the following page and fill in the ip of your DB server. The port can be 0 this means we will use the default port. fill in the database name, user and password you used for the database. Make sure you deselect TLS encryption and select store passwords as plaintext. When you click next it won't work because we did not disable SELinux. Run the following command first on both Zabbix servers.
setsebool -P httpd_can_network_connect_db on\nsetsebool -P httpd_can_connect_zabbix on\nThis will allow your webservers to communicate with our database over the network. Now when we click next it should work.
We are almost ready the only thing left here is now to add the name of our server and configure the default timezone.
Since you\u2019re using a host-based firewall, you need to add the necessary rules to permit IP protocol 112 traffic. Otherwise, Keepalived\u2019s advertisement method won\u2019t work.
firewall-cmd --add-rich-rule='rule protocol value=\"112\" accept' --permanent\nNow that this is all taken care of stop keepalived on our server and repeat the same steps on the second server. After this is finished start keepalived again.
Congratulations you have a HA Zabbix server now .
"},{"location":"installation/installing-zabbix-ha/#checking-the-database-for-ha-info","title":"Checking the Database for HA info.","text":"Now that everything is up and running there is probably something you like to know. Where can we find the info in our database ?
It's actually very straighforward we can go to our zabbix database and run the following query to see our servers: SELECT *FROM ha_node;
zabbix=# SELECT *FROM ha_node;\n ha_nodeid | name | address | port | lastaccess | status | ha_sessionid\n---------------------------+---------+---------------+-------+------------+--------+---------------------------\n cltk7h2n600017kkd1jtx6f1f | zabbix2 | 192.168.0.131 | 10051 | 1710085786 | 0 | cltlov4ly0000jkkdteikeo77\n cltk7ci340001inkc2befwg9f | zabbix1 | 192.168.0.130 | 10051 | 1710085787 | 3 | cltlov1r00000jtkcpeh9oqhp\nThis is also how our frontend is able to know what server it needs to connect to. Remember our picture in the first page ? Actually the frontend has a connection to our database and reads out the status from our zabbix server. This way it knows what server is active.
It's probably also good to know that we can have 4 statusses:
status number info Active 3 Only one node can be active Standby 0 Multiple nodes can be in standby Stopped 1 A previous detected node is nog stopped Unavailable 2 A previous dtected node was lost without being shutdown NoteZabbix agents need to have their Server and ServerActive addresses pointed to both active and passive Zabbix server. This option is supported in all agents since Zabbix 6.0
"},{"location":"installation/installing-zabbix/","title":"Installing Zabbix","text":"Before we can install Zabbix we first have to know how the design is. The Zabbix server has been build op modular based on 3 components.
All these components can be installed on 1 server or can be split over 3 different servers. The Zabbix server itself is the brain this part is doing all the trigger calculations and sending all the alert. The database is where the Zabbix server stores its config and all the data that we have gathered. The web server provides us with a front-end. Note that Zabbix has a API and that this is also located on the front-end and not on the Zabbix server side.
All these parts have to work together so as you can see in our image above. The Zabbix server needs to read the config and store the data in our database and the Zabbix front-end needs to be able to write the configuration in the database as well. The Zabbix front-end also needs to check the online status of our Zabbix server and needs to read some other information as well.
For our setup, we will use 2 VM's, 1 VM with a Zabbix server and our Zabbix web server and another VM with our Zabbix database.
"},{"location":"installation/installing-zabbix/#installing-the-zabbix-server","title":"Installing the Zabbix Server","text":"Before you start to install your Zabbix server make sure the server is properly configure as we explained in our topic Basic OS configuration before we start. Something else that is important in this case is that we need to disable SELinux. We will see later in chapter Securing Zabbix how to do this properly. We can check the status of SELinux with the command sestatus :
# sestatus\nSELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux root directory: /etc/selinux\nLoaded policy name: targeted\nCurrent mode: enforcing\nMode from config file: enforcing\nPolicy MLS status: enabled\nPolicy deny_unknown status: allowed\nMemory protection checking: actual (secure)\nMax kernel policy version: 33\nAs you can see we are now in enforcing mode. To disable SELinux just run setenforce 0 to disable it.
# setenforce 0\n# sestatus\n\nSELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux root directory: /etc/selinux\nLoaded policy name: targeted\nCurrent mode: permissive\nMode from config file: enforcing\nPolicy MLS status: enabled\nPolicy deny_unknown status: allowed\nMemory protection checking: actual (secure)\nMax kernel policy version: 33\nAs you can see our current mode is now permissive. However this is not persistent so we also need to alter our SELinux configuration file. This can be done by altering the file /etc/config/selinux and replacing enforcing by permissive. A more easy way is to run the following command :
sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config\nThis line will alter the config file for you. So when we run sestatus again we will see that we are in permissive mode and that our config file is also in permissive mode.
We can verify this with our cat commando.
# cat /etc/selinux/config\n\n# This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n# enforcing - SELinux security policy is enforced.\n# permissive - SELinux prints warnings instead of enforcing.\n# disabled - No SELinux policy is loaded.\n# See also:\n# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes\n#\n# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also\n# fully disable SELinux during boot. If you need a system with SELinux\n# fully disabled instead of SELinux running with no policy loaded, you\n# need to pass selinux=0 to the kernel command line. You can use grubby\n# to persistently set the bootloader to boot with selinux=0:\n#\n# grubby --update-kernel ALL --args selinux=0\n#\n# To revert back to SELinux enabled:\n#\n# grubby --update-kernel ALL --remove-args selinux\n#\nSELINUX=permissive\n# SELINUXTYPE= can take one of these three values:\n# targeted - Targeted processes are protected,\n# minimum - Modification of targeted policy. Only selected processes are protected.\n# mls - Multi Level Security protection.\nSELINUXTYPE=targeted\nAnd we can also verify it with our commando setstatus
# sestatus\n\nSELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux root directory: /etc/selinux\nLoaded policy name: targeted\nCurrent mode: permissive\nMode from config file: permissive\nPolicy MLS status: enabled\nPolicy deny_unknown status: allowed\nMemory protection checking: actual (secure)\nMax kernel policy version: 33\nFrom the Zabbix Download page select the correct Zabbix version you would like to install. In our case it will be 7.0 LTS. Select the correct OS distribution as well. This will be Rocky Linux 9 in our case. We are going to install the Server and will be using NGINX.
Our first step is to disable Zabbix packages provided by EPEL, if you have it installed. Edit file /etc/yum.repos.d/epel.repo and add the following statement.
[epel]\n...\nexcludepkgs=zabbix*\nHaving the EPEL repository enabled is a bad practice and could be dangerous if you use EPEL it's best to disable the repo and use dnf install --enablerepo=epel. This way you will never overwrite or install unwanted packages by accident.
Our next task is to install the Zabbix repository on our OS and do a dnf cleanup so that old cache files from our repository metadata is cleaned up.
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\ndnf clean all\nA repository is a config in Linux that you can add to make packages available for you OS to install. The best way to look at it is maybe to think of it like an APP store that you add where you can find the software of your vendor. In this case the repository form Zabbix. There are many repositories you can add but you should be sure that they can be trusted. So it's always a good idea to stick to the repositories of your OS and only add extra repositories when you are sure they are to be trusted and needed. In our case the repository is from our vendor Zabbix so it should be safe to add. Epel is another popular repository for RedHat systems that is considered to be safe.
"},{"location":"installation/installing-zabbix/#installing-the-zabbix-server-for-mysqlmariadb","title":"Installing the Zabbix server for MySQL/MariaDB","text":"Now that we have our repository with software added to our system we are ready to install our Zabbix server and webserver. Remember the webserver could be installed on another system. There is no need to install both on the same server.
dnf install zabbix-server-mysql zabbix-web-mysql
Now that we have installed our packages for the Zabbix server and our frontend we still need to change the configuration of our Zabbix server so that we can connect to our database. Open the file /etc/zabbix/zabbix_server.conf and replace the following lines:
DBHost=<ip or dns of your MariaDB server>\nDBName=<the name of your database>\nDBUser=<the user that will connect to the database>\nDBPassword=<your super secret password>\nMake sure you don't have a '#' in front of the config parameter else Zabbix will see this as text and not as a parameter. Also make sure that there are not extra duplicate lines Zabbix will always take the last config parameter if there is more then 1 line with the same parameter
In our case the config will look like this:
# vi /etc/zabbix/zabbix_server.conf\n\nDBHost=<ip or dns of your MariaDB server>\nDBName=zabbix\nDBUser=zabbix-srv\nDBPassword=<your super secret password>\nDBPort=3306\nThe Zabbix server configuration file has the option to include an extra config file with parameters you like to alter or add. In production it's probably better to not touch the configuration file but to add a new file and include the parameters you like to change. This way you never have to edit your original configuration file after an upgrade it will also make your life more easy when working with configuration tools like Ansible, Puppet, SaltStack, .... The only thing that needs to be done is remove the # in front of the line '# Include=/usr/local/etc/zabbix_server.conf.d/*.conf' and make sure the path exists with a customized config file of your won that is readable by the user zabbix.
Ok now that we have changed the configuration of you Zabbix server so that it is able to connect to our DB we are ready to start. Run the following command to enable the Zabbix server and make it active on boot next time.
systemctl enable zabbix-server --now
Our Zabbix server service will start and if everything goes well you should see in the Zabbix server log file the following output
tail /var/log/zabbix/zabbix_server.log
1123:20231120:110604.440 Starting Zabbix Server. Zabbix 7.0.0alpha7 (revision 60de6a81aca).\n 1123:20231120:110604.440 ****** Enabled features ******\n 1123:20231120:110604.440 SNMP monitoring: YES\n 1123:20231120:110604.440 IPMI monitoring: YES\n 1123:20231120:110604.440 Web monitoring: YES\n 1123:20231120:110604.440 VMware monitoring: YES\n 1123:20231120:110604.440 SMTP authentication: YES\n 1123:20231120:110604.440 ODBC: YES\n 1123:20231120:110604.440 SSH support: YES\n 1123:20231120:110604.440 IPv6 support: YES\n 1123:20231120:110604.440 TLS support: YES\n 1123:20231120:110604.440 ******************************\n 1123:20231120:110604.440 using configuration file: /etc/zabbix/zabbix_server.conf\n 1123:20231120:110604.470 current database version (mandatory/optional): 06050143/06050143\n 1123:20231120:110604.470 required mandatory version: 06050143\n 1124:20231120:110604.490 starting HA manager\n 1124:20231120:110604.507 HA manager started in active mode\n 1123:20231120:110604.508 server #0 started [main process]\n 1126:20231120:110604.509 server #2 started [configuration syncer #1]\n 1125:20231120:110604.510 server #1 started [service manager #1]\n 1133:20231120:110604.841 server #9 started [lld worker #1]\n 1132:20231120:110604.841 server #8 started [lld manager #1]\n 1134:20231120:110604.841 server #10 started [lld worker #2]\nIf there was an error and the server was not able to connect to the database you would see something like this in the server log file :
10773:20231118:213248.570 Starting Zabbix Server. Zabbix 7.0.0alpha7 (revision 60de6a81aca).\n 10773:20231118:213248.570 ****** Enabled features ******\n 10773:20231118:213248.570 SNMP monitoring: YES\n 10773:20231118:213248.570 IPMI monitoring: YES\n 10773:20231118:213248.570 Web monitoring: YES\n 10773:20231118:213248.570 VMware monitoring: YES\n 10773:20231118:213248.570 SMTP authentication: YES\n 10773:20231118:213248.570 ODBC: YES\n 10773:20231118:213248.570 SSH support: YES\n 10773:20231118:213248.570 IPv6 support: YES\n 10773:20231118:213248.570 TLS support: YES\n 10773:20231118:213248.570 ******************************\n 10773:20231118:213248.570 using configuration file: /etc/zabbix/zabbix_server.conf\n 10773:20231118:213248.574 [Z3001] connection to database 'zabbix' failed: [2002] Can't connect to server on 'xxx.xxx.xxx.xxx' (115)\n 10773:20231118:213248.574 database is down: reconnecting in 10 seconds\n 10773:20231118:213258.579 [Z3001] connection to database 'zabbix' failed: [2002] Can't connect to server on 'xxx.xxx.xxx.xxx' (115)\n 10773:20231118:213258.579 database is down: reconnecting in 10 seconds\nLet's check the Zabbix server service to see if it's enabled so that it survives a reboot
# systemctl status zabbix-server\n\n\u25cf zabbix-server.service - Zabbix Server\n Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; preset: disabled)\n Active: active (running) since Mon 2023-11-20 11:06:04 CET; 1h 2min ago\n Main PID: 1123 (zabbix_server)\n Tasks: 59 (limit: 12344)\n Memory: 52.6M\n CPU: 20.399s\n CGroup: /system.slice/zabbix-server.service\n \u251c\u25001123 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf\n \u251c\u25001124 \"/usr/sbin/zabbix_server: ha manager\"\n \u251c\u25001125 \"/usr/sbin/zabbix_server: service manager #1 [processed 0 events, updated 0 event tags, deleted 0 problems, synced 0 service updates, idle 5.008686 sec during 5.016382 sec]\"\n \u251c\u25001126 \"/usr/sbin/zabbix_server: configuration syncer [synced configuration in 0.092797 sec, idle 10 sec]\"\n \u251c\u25001127 \"/usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0 alerts, idle 5.027620 sec during 5.027828 sec]\"\n \u251c\u25001128 \"/usr/sbin/zabbix_server: alerter #1 started\"\n \u251c\u25001129 \"/usr/sbin/zabbix_server: alerter #2 started\"\n \u251c\u25001130 \"/usr/sbin/zabbix_server: alerter #3 started\"\n \u251c\u25001131 \"/usr/sbin/zabbix_server: preprocessing manager #1 [queued 1, processed 2 values, idle 5.490312 sec during 5.490555 sec]\"\n \u251c\u25001132 \"/usr/sbin/zabbix_server: lld manager #1 [processed 1 LLD rules, idle 5.028973sec during 5.029123 sec]\"\n \u251c\u25001133 \"/usr/sbin/zabbix_server: lld worker #1 [processed 1 LLD rules, idle 60.060180 sec during 60.085009 sec]\"\n \u251c\u25001134 \"/usr/sbin/zabbix_server: lld worker #2 [processed 1 LLD rules, idle 60.065526 sec during 60.095165 sec]\"\n \u251c\u25001135 \"/usr/sbin/zabbix_server: housekeeper [deleted 0 hist/trends, 0 items/triggers, 0 events, 0 sessions, 0 alarms, 0 audit items, 0 autoreg_host, 0 records in 0.019108 sec, idle for 1 hour(s)]\"\n \u251c\u25001136 \"/usr/sbin/zabbix_server: timer #1 [updated 0 hosts, suppressed 0 events in 0.002856 sec, idle 59 sec]\"\n \u251c\u25001137 \"/usr/sbin/zabbix_server: http poller #1 [got 0 values in 0.000059 sec, idle 5 sec]\"\n \u251c\u25001138 \"/usr/sbin/zabbix_server: discovery manager #1 [processing 0 rules, 0.000000% of queue used, 0 unsaved checks]\"\n \u251c\u25001139 \"/usr/sbin/zabbix_server: history syncer #1 [processed 0 values, 0 triggers in 0.000036 sec, idle 1 sec]\"\n \u251c\u25001140 \"/usr/sbin/zabbix_server: history syncer #2 [processed 1 values, 0 triggers in 0.005016 sec, idle 1 sec]\"\n \u251c\u25001141 \"/usr/sbin/zabbix_server: history syncer #3 [processed 0 values, 0 triggers in 0.000031 sec, idle 1 sec]\"\n \u251c\u25001142 \"/usr/sbin/zabbix_server: history syncer #4 [processed 0 values, 0 triggers in 0.000014 sec, idle 1 sec]\"\n \u251c\u25001143 \"/usr/sbin/zabbix_server: escalator #1 [processed 0 escalations in 0.005587 sec, idle 3 sec]\"\n \u251c\u25001144 \"/usr/sbin/zabbix_server: proxy poller #1 [exchanged data with 0 proxies in 0.000010 sec, idle 5 sec]\"\n \u251c\u25001145 \"/usr/sbin/zabbix_server: self-monitoring [processed data in 0.000016 sec, idle 1 sec]\"\n \u251c\u25001146 \"/usr/sbin/zabbix_server: task manager [processed 0 task(s) in 0.002511 sec, idle 5 sec]\"\n \u251c\u25001147 \"/usr/sbin/zabbix_server: poller #1 [got 0 values in 0.000009 sec, idle 1 sec]\"\n \u251c\u25001148 \"/usr/sbin/zabbix_server: poller #2 [got 1 values in 0.000232 sec, idle 1 sec]\"\n \u251c\u25001149 \"/usr/sbin/zabbix_server: poller #3 [got 0 values in 0.000015 sec, idle 1 sec]\"\n \u251c\u25001150 \"/usr/sbin/zabbix_server: poller #4 [got 0 values in 0.000010 sec, idle 1 sec]\"\nThis concludes our chapter on installing and configuring our Zabbix server. Next we have to configure our frontend. You can have a look at Installing Zabbix frontend with Nginx or Installing Zabbix frontend with Apache
"},{"location":"installation/installing-zabbix/#installing-the-zabbix-server-for-postgresql","title":"Installing the Zabbix server for PostgreSQL","text":"Now that we have our repository with software added to our system we are ready to install our Zabbix server and webserver. Remember the webserver could be installed on another system. There is no need to install both on the same server.
dnf install zabbix-server-pgsql zabbix-web-pgsql
Now that we have installed our packages for the Zabbix server and our frontend we still need to change the configuration of our Zabbix server so that we can connect to our database. Open the file /etc/zabbix/zabbix_server.conf and replace the following lines:
DBHost=<ip or dns of your PostgreSQL server>\nDBName=<the name of your database>\nDBSchema=<our PostgreSQL schema name>\nDBUser=<the user that will connect to the database>\nDBPassword=<your super secret password>\nMake sure you don't have a '#' in front of the config parameter else Zabbix will see this as text and not as a parameter. Also make sure that there are not extra duplicate lines Zabbix will always take the last config parameter if there is more then 1 line with the same parameter
In our case the config will look like this:
# vi /etc/zabbix/zabbix_server.conf\n\nDBHost=<ip or dns of your MariaDB server>\nDBName=zabbix\nDBSchema=zabbix_server\nDBUser=zabbix-srv\nDBPassword=<your super secret password>\nDBPort=5432\nThe Zabbix server configuration file has the option to include an extra config file with parameters you like to alter or add. In production it's probably better to not touch the configuration file but to add a new file and include the parameters you like to change. This way you never have to edit your original configuration file after an upgrade it will also make your life more easy when working with configuration tools like Ansible, Puppet, SaltStack, .... The only thing that needs to be done is remove the # in front of the line '# Include=/usr/local/etc/zabbix_server.conf.d/*.conf' and make sure the path exists with a customized config file of your won that is readable by the user zabbix.
Ok now that we have changed the configuration of you Zabbix server so that it is able to connect to our DB we are ready to start. Run the following command to enable the Zabbix server and make it active on boot next time.
systemctl enable zabbix-server --now
Our Zabbix server service will start and if everything goes well you should see in the Zabbix server log file the following output
tail /var/log/zabbix/zabbix_server.log
1123:20231120:110604.440 Starting Zabbix Server. Zabbix 7.0.0alpha7 (revision 60de6a81aca).\n 1123:20231120:110604.440 ****** Enabled features ******\n 1123:20231120:110604.440 SNMP monitoring: YES\n 1123:20231120:110604.440 IPMI monitoring: YES\n 1123:20231120:110604.440 Web monitoring: YES\n 1123:20231120:110604.440 VMware monitoring: YES\n 1123:20231120:110604.440 SMTP authentication: YES\n 1123:20231120:110604.440 ODBC: YES\n 1123:20231120:110604.440 SSH support: YES\n 1123:20231120:110604.440 IPv6 support: YES\n 1123:20231120:110604.440 TLS support: YES\n 1123:20231120:110604.440 ******************************\n 1123:20231120:110604.440 using configuration file: /etc/zabbix/zabbix_server.conf\n 1123:20231120:110604.470 current database version (mandatory/optional): 06050143/06050143\n 1123:20231120:110604.470 required mandatory version: 06050143\n 1124:20231120:110604.490 starting HA manager\n 1124:20231120:110604.507 HA manager started in active mode\n 1123:20231120:110604.508 server #0 started [main process]\n 1126:20231120:110604.509 server #2 started [configuration syncer #1]\n 1125:20231120:110604.510 server #1 started [service manager #1]\n 1133:20231120:110604.841 server #9 started [lld worker #1]\n 1132:20231120:110604.841 server #8 started [lld manager #1]\n 1134:20231120:110604.841 server #10 started [lld worker #2]\nIf there was an error and the server was not able to connect to the database you would see something like this in the server log file :
10773:20231118:213248.570 Starting Zabbix Server. Zabbix 7.0.0alpha7 (revision 60de6a81aca).\n 10773:20231118:213248.570 ****** Enabled features ******\n 10773:20231118:213248.570 SNMP monitoring: YES\n 10773:20231118:213248.570 IPMI monitoring: YES\n 10773:20231118:213248.570 Web monitoring: YES\n 10773:20231118:213248.570 VMware monitoring: YES\n 10773:20231118:213248.570 SMTP authentication: YES\n 10773:20231118:213248.570 ODBC: YES\n 10773:20231118:213248.570 SSH support: YES\n 10773:20231118:213248.570 IPv6 support: YES\n 10773:20231118:213248.570 TLS support: YES\n 10773:20231118:213248.570 ******************************\n 10773:20231118:213248.570 using configuration file: /etc/zabbix/zabbix_server.conf\n 10773:20231118:213248.574 [Z3001] connection to database 'zabbix' failed: [2002] Can't connect to server on 'xxx.xxx.xxx.xxx' (115)\n 10773:20231118:213248.574 database is down: reconnecting in 10 seconds\n 10773:20231118:213258.579 [Z3001] connection to database 'zabbix' failed: [2002] Can't connect to server on 'xxx.xxx.xxx.xxx' (115)\n 10773:20231118:213258.579 database is down: reconnecting in 10 seconds\nLet's check the Zabbix server service to see if it's enabled so that it survives a reboot
# systemctl status zabbix-server\n\u25cf zabbix-server.service - Zabbix Server\n Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; preset: disabled)\n Active: active (running) since Mon 2023-11-20 11:06:04 CET; 1h 2min ago\n Main PID: 1123 (zabbix_server)\n Tasks: 59 (limit: 12344)\n Memory: 52.6M\n CPU: 20.399s\n CGroup: /system.slice/zabbix-server.service\n \u251c\u25001123 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf\n \u251c\u25001124 \"/usr/sbin/zabbix_server: ha manager\"\n \u251c\u25001125 \"/usr/sbin/zabbix_server: service manager #1 [processed 0 events, updated 0 event tags, deleted 0 problems, synced 0 service updates, idle 5.008686 sec during 5.016382 sec]\"\n \u251c\u25001126 \"/usr/sbin/zabbix_server: configuration syncer [synced configuration in 0.092797 sec, idle 10 sec]\"\n \u251c\u25001127 \"/usr/sbin/zabbix_server: alert manager #1 [sent 0, failed 0 alerts, idle 5.027620 sec during 5.027828 sec]\"\n \u251c\u25001128 \"/usr/sbin/zabbix_server: alerter #1 started\"\n \u251c\u25001129 \"/usr/sbin/zabbix_server: alerter #2 started\"\n \u251c\u25001130 \"/usr/sbin/zabbix_server: alerter #3 started\"\n \u251c\u25001131 \"/usr/sbin/zabbix_server: preprocessing manager #1 [queued 1, processed 2 values, idle 5.490312 sec during 5.490555 sec]\"\n \u251c\u25001132 \"/usr/sbin/zabbix_server: lld manager #1 [processed 1 LLD rules, idle 5.028973sec during 5.029123 sec]\"\n \u251c\u25001133 \"/usr/sbin/zabbix_server: lld worker #1 [processed 1 LLD rules, idle 60.060180 sec during 60.085009 sec]\"\n \u251c\u25001134 \"/usr/sbin/zabbix_server: lld worker #2 [processed 1 LLD rules, idle 60.065526 sec during 60.095165 sec]\"\n \u251c\u25001135 \"/usr/sbin/zabbix_server: housekeeper [deleted 0 hist/trends, 0 items/triggers, 0 events, 0 sessions, 0 alarms, 0 audit items, 0 autoreg_host, 0 records in 0.019108 sec, idle for 1 hour(s)]\"\n \u251c\u25001136 \"/usr/sbin/zabbix_server: timer #1 [updated 0 hosts, suppressed 0 events in 0.002856 sec, idle 59 sec]\"\n \u251c\u25001137 \"/usr/sbin/zabbix_server: http poller #1 [got 0 values in 0.000059 sec, idle 5 sec]\"\n \u251c\u25001138 \"/usr/sbin/zabbix_server: discovery manager #1 [processing 0 rules, 0.000000% of queue used, 0 unsaved checks]\"\n \u251c\u25001139 \"/usr/sbin/zabbix_server: history syncer #1 [processed 0 values, 0 triggers in 0.000036 sec, idle 1 sec]\"\n \u251c\u25001140 \"/usr/sbin/zabbix_server: history syncer #2 [processed 1 values, 0 triggers in 0.005016 sec, idle 1 sec]\"\n \u251c\u25001141 \"/usr/sbin/zabbix_server: history syncer #3 [processed 0 values, 0 triggers in 0.000031 sec, idle 1 sec]\"\n \u251c\u25001142 \"/usr/sbin/zabbix_server: history syncer #4 [processed 0 values, 0 triggers in 0.000014 sec, idle 1 sec]\"\n \u251c\u25001143 \"/usr/sbin/zabbix_server: escalator #1 [processed 0 escalations in 0.005587 sec, idle 3 sec]\"\n \u251c\u25001144 \"/usr/sbin/zabbix_server: proxy poller #1 [exchanged data with 0 proxies in 0.000010 sec, idle 5 sec]\"\n \u251c\u25001145 \"/usr/sbin/zabbix_server: self-monitoring [processed data in 0.000016 sec, idle 1 sec]\"\n \u251c\u25001146 \"/usr/sbin/zabbix_server: task manager [processed 0 task(s) in 0.002511 sec, idle 5 sec]\"\n \u251c\u25001147 \"/usr/sbin/zabbix_server: poller #1 [got 0 values in 0.000009 sec, idle 1 sec]\"\n \u251c\u25001148 \"/usr/sbin/zabbix_server: poller #2 [got 1 values in 0.000232 sec, idle 1 sec]\"\n \u251c\u25001149 \"/usr/sbin/zabbix_server: poller #3 [got 0 values in 0.000015 sec, idle 1 sec]\"\n \u251c\u25001150 \"/usr/sbin/zabbix_server: poller #4 [got 0 values in 0.000010 sec, idle 1 sec]\"\nThis concludes our chapter on installing and configuring our Zabbix server. Next we have to configure our frontend. You can have a look at Installing Zabbix frontend with Nginx or Installing Zabbix frontend with Apache
"},{"location":"installation/installing-zabbix/#installing-zabbix-frontend-with-nginx","title":"Installing Zabbix frontend with Nginx","text":"Before we can configure our frontend we need to install our package first. If you run the frontend on the same server as the Zabbix server then there is nothing else you have to do you can just run the following command on your server to install the packages needed for our frontend to install:
dnf install zabbix-nginx-conf and zabbix-web-mysql or if you used Postgres dnf install zabbix-web-pgsql\nIn case the frontend is on another server installed you need to add the Zabbix repository first like we did on our Zabbix server. In case you forgot or just skipped to this topic and don't know how to do this have a look at Adding the Zabbix repository
First thing we have to do is alter the Nginx configuration file so that we don't use the standard config.
vi /etc/nginx/nginx.conf\nIn this config look for the followin block that starts with :
server {\n listen 80;\n listen [::]:80;\n server_name _;\n root /usr/share/nginx/html;\n\n # Load configuration files for the default server block.\n include /etc/nginx/default.d/*.conf;\nAnd place the following lines in comment:
server {\n# listen 80;\n# listen [::]:80;\n# server_name _;\n# root /usr/share/nginx/html;\nWe now have to alter the Zabbix configuration file so that it matches our setup. Edit the following file:
vi /etc/nginx/conf.d/zabbix.conf\nserver {\n listen 8080;\n server_name example.com;\n\n root /usr/share/zabbix;\n\n index index.php;\nReplace the first 2 lines with the correct port and domain for your frontend in case you don't have a domain you can replace server_name with _; like in the exaple below:
server {\n# listen 8080;\n# server_name example.com;\n listen 80;\n server_name _;\n\n root /usr/share/zabbix;\n\n index index.php;\nWe are now ready to start our websever and enable it so that it comes online after a reboot.
systemctl enable php-fpm --now\nsystemctl enable nginx --now\nLet's verify if the service is properly started and enabled so that it survives our reboot next time.
# systemctl status nginx\n\n\u25cf nginx.service - The nginx HTTP and reverse proxy server\n Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)\n Drop-In: /usr/lib/systemd/system/nginx.service.d\n \u2514\u2500php-fpm.conf\n Active: active (running) since Mon 2023-11-20 11:42:18 CET; 30min ago\n Main PID: 1206 (nginx)\n Tasks: 2 (limit: 12344)\n Memory: 4.8M\n CPU: 38ms\n CGroup: /system.slice/nginx.service\n \u251c\u25001206 \"nginx: master process /usr/sbin/nginx\"\n \u2514\u25001207 \"nginx: worker process\"\n\nNov 20 11:42:18 zabbix-srv systemd[1]: Starting The nginx HTTP and reverse proxy server...\nNov 20 11:42:18 zabbix-srv nginx[1204]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok\nNov 20 11:42:18 zabbix-srv nginx[1204]: nginx: configuration file /etc/nginx/nginx.conf test is successful\nNov 20 11:42:18 zabbix-srv systemd[1]: Started The nginx HTTP and reverse proxy server.\nThe service is running and enabled so there is only 1 thing left to do before we can start the configuration in the GUI and that is to configure our firewall to allow incoming communication to the webserver.
firewall-cmd --add-service=http --permanent\nfirewall-cmd --reload\nOpen your browser and go to the url or ip of your frontend :
http://<ip or dns of the zabbix frontend server>/\nIf all goes well you should be greeted with a Zabbix welcome page. In case you have an error check the configuration again or have a look at the nginx log file :
/var/log/nginx/error.log
or run
journalctl -xe
This should help you in locating the errors you made.
When you point your browser to the correct URL you should be greeted with a page like here :
As you see there is only a limited list of local translations available on our Zabbix frontend to choose from
What if we want to install Chinese as language or another language from the list ? Run the next command to get a list of all locales available for your OS.
dnf list glibc-langpack-*
This will give you a list like
Installed Packages\nglibc-langpack-en.x86_64\nAvailable Packages\nglibc-langpack-aa.x86_64\n...\n\nglibc-langpack-zu.x86_64\nLet's search for our Chinese locale to see if it is available. As you can see the code starts with zh
# dnf list glibc-langpack-* | grep zh\nglibc-langpack-zh.x86_64\nglibc-langpack-lzh.x86_64\nThe command returns us 2 lines but as we have seen that the code was zh_CN we only have to install the first package.
# dnf install glibc-langpack-zh.x86_64 -y\nWhen we return now to our frontend we are able to select the Chinese language.
NoteIf your language is not available in the frontend don't panic it just means that there is no translation or that the translation was not 100% complete. Zabbis is free and relies on the community for it's translations so you can help in creating the translation. Go to the page https://translate.zabbix.com/ and help us to make Zabbix get better. Once the translation is complete the next Zabbix minor patch version should have your language included.
Click next when you are satisfied with the transaltions available. You will arrive at a screen to verifiy if all pre-requisites are met. If not fix them first but normaly it should be fine and you should be just able to click Next
The next page will show you a page with the connection parameters for our database.
First you select your DB type 'MySQL' or 'PostgreSQL' and fill in the IP or DNS name of the location of your database server. Use port 3306 for MariaDB/MySQL or 5432 if you used PostgreSQL.
Fill in the correct database name, in our case it was zabbix. If you used PostgreSQL then you also need to fill in the correct schema name in our case it was zabbix_server
Next line will ask you for the DB users here we created a user zabbix-web. Enter it in the correct field and fill in the password that you used for this user.
Make sure the option Database TLS encryption is not selected and press Next step.
We are almost there. The only thing that rests us to do is give our instance a name, select our timezone and select a default time we like to use.
Press Next step again you will see a page that tells you that the configuration is successful. Press Finish to end the configuration.
We are now ready to login :
Login : Admin Password : zabbix
If you like to secure the frontend with SSL then checkout the following topic
Securing Zabbix
"},{"location":"installation/installing-zabbix/#installing-zabbix-frontend-with-apache","title":"Installing Zabbix frontend with Apache","text":"Before we can configure our frontend we need to install our package first. If you run the frontend on the same server as the Zabbix server then there is nothing else you have to do you can just run the following command on your server to install the packages needed for our frontend to install:
dnf install zabbix-apache-conf and zabbix-web-mysql or if you used Postgres dnf install zabbix-web-pgsql\nIn case the frontend is on another server installed you need to add the Zabbix repository first like we did on our Zabbix server. In case you forgot or just skipped to this topic and don't know how to do this have a look at Adding the Zabbix repository
We are now ready to start our websever and enable it so that it comes online after a reboot.
systemctl enable php-fpm --now\nsystemctl enable httpd --now\nLet's verify if the service is properly started and enabled so that it survives our reboot next time.
# systemctl status httpd\n\n\u25cf httpd.service - The Apache HTTP Server\n Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)\n Drop-In: /usr/lib/systemd/system/httpd.service.d\n \u2514\u2500php-fpm.conf\n Active: active (running) since Mon 2024-03-04 08:50:17 CET; 7min ago\n Docs: man:httpd.service(8)\n Main PID: 690 (httpd)\n Status: \"Total requests: 96; Idle/Busy workers 100/0;Requests/sec: 0.213; Bytes served/sec: 560 B/sec\"\n Tasks: 278 (limit: 22719)\n Memory: 39.6M\n CPU: 1.132s\n CGroup: /system.slice/httpd.service\n \u251c\u2500 690 /usr/sbin/httpd -DFOREGROUND\n \u251c\u2500 736 /usr/sbin/httpd -DFOREGROUND\n \u251c\u2500 737 /usr/sbin/httpd -DFOREGROUND\n \u251c\u2500 738 /usr/sbin/httpd -DFOREGROUND\n \u251c\u2500 739 /usr/sbin/httpd -DFOREGROUND\n \u2514\u25004534 /usr/sbin/httpd -DFOREGROUND\n\nMar 04 08:50:17 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...\nMar 04 08:50:17 localhost.localdomain httpd[690]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set th>\nMar 04 08:50:17 localhost.localdomain httpd[690]: Server configured, listening on: port 80\nMar 04 08:50:17 localhost.localdomain systemd[1]: Started The Apache HTTP Server.x\nThe service is running and enabled so there is only 1 thing left to do before we can start the configuration in the GUI and that is to configure our firewall to allow incoming communication to the webserver.
firewall-cmd --add-service=http --permanent\nfirewall-cmd --reload\nOpen your browser and go to the url or ip of your frontend :
http://<ip or dns of the zabbix frontend server>/zabbix/\nIf all goes well you should be greeted with a Zabbix welcome page. In case you have an error check the configuration again or have a look at the Apache log file :
/var/log/httpd/error_log
or run
journalctl -xe
This should help you in locating the errors you made.
When you point your browser to the correct URL you should be greeted with a page like here :
As you see there is only a limited list of local translations available on our Zabbix frontend to choose from
What if we want to install Chinese as language or another language from the list ? Run the next command to get a list of all locales available for your OS.
dnf list glibc-langpack-*
This will give you a list like
Installed Packages\nglibc-langpack-en.x86_64\nAvailable Packages\nglibc-langpack-aa.x86_64\n...\n\nglibc-langpack-zu.x86_64\nLet's search for our Chinese locale to see if it is available. As you can see the code starts with zh
# dnf list glibc-langpack-* | grep zh\nglibc-langpack-zh.x86_64\nglibc-langpack-lzh.x86_64\nThe command returns us 2 lines but as we have seen that the code was zh_CN we only have to install the first package.
# dnf install glibc-langpack-zh.x86_64 -y\nWhen we return now to our frontend we are able to select the Chinese language.
NoteIf your language is not available in the frontend don't panic it just means that there is no translation or that the translation was not 100% complete. Zabbis is free and relies on the community for it's translations so you can help in creating the translation. Go to the page https://translate.zabbix.com/ and help us to make Zabbix get better. Once the translation is complete the next Zabbix minor patch version should have your language included.
Click next when you are satisfied with the transaltions available. You will arrive at a screen to verifiy if all pre-requisites are met. If not fix them first but normaly it should be fine and you should be just able to click Next
The next page will show you a page with the connection parameters for our database.
First you select your DB type 'MySQL' or 'PostgreSQL' and fill in the IP or DNS name of the location of your database server. Use port 3306 for MariaDB/MySQL or 5432 if you used PostgreSQL.
Fill in the correct database name, in our case it was zabbix. If you used PostgreSQL then you also need to fill in the correct schema name in our case it was zabbix_server
Next line will ask you for the DB users here we created a user zabbix-web. Enter it in the correct field and fill in the password that you used for this user.
Make sure the option Database TLS encryption is not selected and press Next step.
We are almost there. The only thing that rests us to do is give our instance a name, select our timezone and select a default time we like to use.
Press Next step again you will see a page that tells you that the configuration is successful. Press Finish to end the configuration.
We are now ready to login :
Login : Admin Password : zabbix
In case you are like me and don't like the /zabbix path at the end of you url then there is an easy way to remove this. Edit you httpd config file and add the lines below and replace it with your own domain:
vi /etc/httpd/conf/httpd.conf\nNameVirtualHost 172.1.11.21:80\n\n<VirtualHost \"your ip or dns\":80>\n ServerName zabbixserver.mydomain.org\n ServerAlias zabbixserver\n DocumentRoot /usr/share/zabbix\n</VirtualHost>\nDon't forget to restart the httpd service
systemctl restart httpd\nLet us start with the installation of the MariaDB server, you need to create a MariaDB repository configuration file mariadb.repo manually in the following path /etc/yum.repos.d/. To create a MariaDB repository file, you can use the following command.
# vi /etc/yum.repos.d/mariadb.repo\nThe above command will create a new repository file, Once it is created, you need to add the following configuration into the file. Make sure your version, in this case 10.11, is supported by Zabbix by looking at the latest requirements for your version.
# MariaDB 10.11 RedHatEnterpriseLinux repository list - created 2023-11-01 14:20 UTC\n# https://mariadb.org/download/\n[mariadb]\nname = MariaDB\n# rpm.mariadb.org is a dynamic mirror if your preferred mirror goes offline. See https://mariadb.org/mirrorbits/ for details.\n# baseurl = https://rpm.mariadb.org/10.11/rhel/$releasever/$basearch\nbaseurl = https://mirror.23m.com/mariadb/yum/10.11/rhel/$releasever/$basearch\n# gpgkey = https://rpm.mariadb.org/RPM-GPG-KEY-MariaDB\ngpgkey = https://mirror.23m.com/mariadb/yum/RPM-GPG-KEY-MariaDB\ngpgcheck = 1\n\n\nLets update our OS first with the latest patches
# dnf update -y\nNow we are ready to install our MariaDB database.
# dnf install MariaDB-server MariaDB-client\nWe are now ready to enable and start or MariaDB database.
# systemctl enable mariadb --now\nOnce the installation is complete, you can verify the version of the MariaDB server by using the following command:
# mysql -V\nThe output should look like this:
mysql Ver 15.1 Distrib 10.11.6-MariaDB, for Linux (x86_64) using EditLine wrapper\nAnd when we ask the status of our MariaDB server we should get an output like this:
# systemctl status mariadb\n\n\u25cf mariadb.service - MariaDB 10.11.6 database server\n Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; preset: disabled)\n Drop-In: /etc/systemd/system/mariadb.service.d\n \u2514\u2500migrated-from-my.cnf-settings.conf\n Active: active (running) since Sat 2023-11-18 19:19:36 CET; 2min 13s ago\n Docs: man:mariadbd(8)\n https://mariadb.com/kb/en/library/systemd/\n Process: 41986 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)\n Process: 41987 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=`cd /usr/bin/..; /usr/bin/galera_recovery`; [ $? -eq 0 ] && systemctl set-environment _WSREP_START>\n Process: 42006 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS)\n Main PID: 41995 (mariadbd)\n Status: \"Taking your SQL requests now...\"\n Tasks: 9 (limit: 12344)\n Memory: 206.8M\n CPU: 187ms\n\n\nIt's time to secure our database by removing the test database and user and set our own root password. Run the command mariadb-secure-installation, you should get the following output.
\n\n# mariadb-secure-installation\n\nNOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB\n SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!\n\nIn order to log into MariaDB to secure it, we'll need the current\npassword for the root user. If you've just installed MariaDB, and\nhaven't set the root password yet, you should just press enter here.\n\nEnter current password for root (enter for none):\nOK, successfully used password, moving on...\n\nSetting the root password or using the unix_socket ensures that nobody\ncan log into the MariaDB root user without the proper authorisation.\n\nYou already have your root account protected, so you can safely answer 'n'.\n\nSwitch to unix_socket authentication [Y/n] n\n ... skipping.\n\nYou already have your root account protected, so you can safely answer 'n'.\n\nChange the root password? [Y/n] y\nNew password:\nRe-enter new password:\nPassword updated successfully!\nReloading privilege tables..\n ... Success!\n\n\nBy default, a MariaDB installation has an anonymous user, allowing anyone\nto log into MariaDB without having to have a user account created for\nthem. This is intended only for testing, and to make the installation\ngo a bit smoother. You should remove them before moving into a\nproduction environment.\n\nRemove anonymous users? [Y/n] y\n ... Success!\n\nNormally, root should only be allowed to connect from 'localhost'. This\nensures that someone cannot guess at the root password from the network.\n\nDisallow root login remotely? [Y/n] y\n ... Success!\n\nBy default, MariaDB comes with a database named 'test' that anyone can\naccess. This is also intended only for testing, and should be removed\nbefore moving into a production environment.\n\nRemove test database and access to it? [Y/n] y\n - Dropping test database...\n ... Success!\n - Removing privileges on test database...\n ... Success!\n\nReloading the privilege tables will ensure that all changes made so far\nwill take effect immediately.\n\nReload privilege tables now? [Y/n] y\n ... Success!\n\nCleaning up...\n\nAll done! If you've completed all of the above steps, your MariaDB\ninstallation should now be secure.\n\nThanks for using MariaDB!\n# mysql -uroot -p\npassword\n\nMariaDB [(none)]> CREATE DATABASE zabbix CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;\nMariaDB [(none)]> CREATE USER 'zabbix-web'@'<zabbix server ip>' IDENTIFIED BY '<password>';\nMariaDB [(none)]> CREATE USER 'zabbix-srv'@'<zabbix server ip>' IDENTIFIED BY '<password>';\nMariaDB [(none)]> GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix-srv'@'<zabbix server ip>';\nMariaDB [(none)]> GRANT SELECT, UPDATE, DELETE, INSERT ON zabbix.* TO 'zabbix-web'@'<zabbix server ip>';\nMariaDB [(none)]> SET GLOBAL log_bin_trust_function_creators = 1;\nMariaDB [(none)]> QUIT\n\n\"The Zabbix documentation explicitly mentions that deterministic triggers need to be created during the import of schema. On MySQL and MariaDB, this requires GLOBAL log_bin_trust_function_creators = 1 to be set if binary logging is enabled and there is no superuser privileges and log_bin_trust_function_creators = 1 is not set in MySQL configuration file.\"
"},{"location":"installation/installing-zabbixdb/#add-the-zabbix-repository-and-populate-the-db","title":"Add the Zabbix repository and populate the DB","text":"# rpm -Uvh https://repo.zabbix.com/zabbix/6.5/rocky/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\n# dnf clean all\n# dnf install zabbix-sql-scripts\nUpload the data from zabbix (db structure, images, user, ... )
# zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-character-set=utf8mb4 -uroot -p zabbix\n\"Depending on the speed of your hardware or VM this can take a few seconds upto a few minutes so please don't cancel just sit and wait for the prompt.\"
Log back into your MariaDB Database as root
# mysql -uroot -p\nRemove the global parameter again as its not needed anymore and also for security reasons.
MariaDB [(none)]> SET GLOBAL log_bin_trust_function_creators = 0;\nQuery OK, 0 rows affected (0.001 sec)\nOne last thing we need to do is open the firewall and allow incoming connections for the MariaDB database from our Zabbix server because at the moment we dont accept any connections yet.
# firewall-cmd --list-all\npublic (active)\n target: default\n icmp-block-inversion: no\n interfaces: enp0s3 enp0s8\n sources:\n services: cockpit dhcpv6-client ssh\n ports:\n protocols:\n forward: yes\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nFirst we will create an appropriate zone for our MariaDB and open port 3306/tcp but only for the ip from our Zabbix server.
# firewall-cmd --new-zone=mariadb-access --permanent\nsuccess\n\n# firewall-cmd --reload\nsuccess\n\n# firewall-cmd --get-zones\nblock dmz drop external home internal mariadb-access nm-shared public trusted work\n\n# firewall-cmd --zone=mariadb-access --add-source=<zabbix-serverip> --permanent\n\nsuccess\n# firewall-cmd --zone=mariadb-access --add-port=3306/tcp --permanent\n\nsuccess\n# firewall-cmd --reload\nNow lets have a look to our firewall rules to see if they are what we expected:
# firewall-cmd --zone=mariadb-access --list-all\nmariadb-access (active)\n target: default\n icmp-block-inversion: no\n interfaces:\n sources: <ip from zabbix-server>\n services:\n ports: 3306/tcp\n protocols:\n forward: no\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nOur database server is ready now to accept connections from our Zabbix server :). You can continue with the next task Installing the Zabbix Server
"},{"location":"installation/installing-zabbixdb/#installing-zabbix-with-mysql","title":"Installing Zabbix with MySQL","text":"Let us start with the installation of the MySQL server, you need to create a MySQL repository first so that we can install the proper files for our MySQL server It's alwqys best to check the Zabbix documentation to see what version is supported so you don't install a version that is not supported or is not supported anymore.
"},{"location":"installation/installing-zabbixdb/#add-the-mysql-repo","title":"Add the MySQL repo","text":"Run the following command to install the MySQL repo for version 8.0
# dnf -y install https://dev.mysql.com/get/mysql80-community-release-el9-1.noarch.rpm
\"If you install this on RedHat 8 and higher or alternatives like CentOS, Rocky or Alma 8 then you need to disable the mysql module by running 'module disable mysql'.\"
Let's update our OS first with the latest patches
# dnf update -y
# dnf -y install mysql-community-server
We are now ready to enable and start or MySQL database.
# systemctl enable mysqld --now
Once the installation is complete, you can verify the version of the MySQL server by using the following command:
# mysql -V
The output should look like this:
mysql Ver 8.0.35 for Linux on x86_64 (MySQL Community Server - GPL)
And when we ask the status of our MariaDB server we should get an output like this:
# systemctl status mysqld\n\n\u25cf mysqld.service - MySQL Server\n Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; preset: disabled)\n Active: active (running) since Mon 2023-11-20 22:15:51 CET; 1min 15s ago\n Docs: man:mysqld(8)\n http://dev.mysql.com/doc/refman/en/using-systemd.html\n Process: 44947 ExecStartPre=/usr/bin/mysqld_pre_systemd (code=exited, status=0/SUCCESS)\n Main PID: 45012 (mysqld)\n Status: \"Server is operational\"\n Tasks: 37 (limit: 12344)\n Memory: 448.3M\n CPU: 4.073s\n CGroup: /system.slice/mysqld.service\n \u2514\u250045012 /usr/sbin/mysqld\n\nNov 20 22:15:43 mysql-db systemd[1]: Starting MySQL Server...\nNov 20 22:15:51 mysql-db systemd[1]: Started MySQL Server.\nMySQL will secure our database with a random root password that is generated when we install the database. First thing we need to do is replace it with our own password. To find what the password is we need to read the log file with the followin command:
# grep 'temporary password' /var/log/mysqld.log
Change the root password as soon as possible by logging in with the generated, temporary password and set a custom password for the superuser account:
# mysql -uroot -p\nmysql> ALTER USER 'root'@'localhost' IDENTIFIED BY '<my mysql password>';\nmysql> quit\nNext we can run the command mysql_secure_installation, you should get the following output:
Note\"There is no need to reset the root password for MySQL again as we have reset it already. The next step is optional but recommended.\"
# mysql_secure_installation\n\nSecuring the MySQL server deployment.\n\nEnter password for user root:\nThe 'validate_password' component is installed on the server.\nThe subsequent steps will run with the existing configuration\nof the component.\nUsing existing password for root.\n\nEstimated strength of the password: 100\nChange the password for root ? ((Press y|Y for Yes, any other key for No) : n\n\n ... skipping.\nBy default, a MySQL installation has an anonymous user,\nallowing anyone to log into MySQL without having to have\na user account created for them. This is intended only for\ntesting, and to make the installation go a bit smoother.\nYou should remove them before moving into a production\nenvironment.\n\nRemove anonymous users? (Press y|Y for Yes, any other key for No) : y\nSuccess.\n\n\nNormally, root should only be allowed to connect from\n'localhost'. This ensures that someone cannot guess at\nthe root password from the network.\n\nDisallow root login remotely? (Press y|Y for Yes, any other key for No) : y\nSuccess.\n\nBy default, MySQL comes with a database named 'test' that\nanyone can access. This is also intended only for testing,\nand should be removed before moving into a production\nenvironment.\n\n\nRemove test database and access to it? (Press y|Y for Yes, any other key for No) : y\n - Dropping test database...\nSuccess.\n\n - Removing privileges on test database...\nSuccess.\n\nReloading the privilege tables will ensure that all changes\nmade so far will take effect immediately.\n\nReload privilege tables now? (Press y|Y for Yes, any other key for No) : y\nSuccess.\n\nAll done!\nLet's create our DB users and the correct permissions in the database:
mysql -uroot -p
mysql> CREATE DATABASE zabbix CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;\nmysql> CREATE USER 'zabbix-web'@'<zabbix server ip>' IDENTIFIED BY '<password>';\nmysql> CREATE USER 'zabbix-srv'@'<zabbix server ip>' IDENTIFIED BY '<password>';\nmysql> GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix-srv'@'<zabbix server ip>';\nmysql> GRANT SELECT, UPDATE, DELETE, INSERT ON zabbix.* TO 'zabbix-web'@'<zabbix server ip>';\nmysql> SET GLOBAL log_bin_trust_function_creators = 1;\nmysql> QUIT\n\"The Zabbix documentation explicitly mentions that deterministic triggers need to be created during the import of schema. On MySQL and MariaDB, this requires GLOBAL log_bin_trust_function_creators = 1 to be set if binary logging is enabled and there is no superuser privileges and log_bin_trust_function_creators = 1 is not set in MySQL configuration file.\"
"},{"location":"installation/installing-zabbixdb/#add-the-zabbix-repository-and-populate-the-db_1","title":"Add the Zabbix repository and populate the DB","text":"# rpm -Uvh https://repo.zabbix.com/zabbix/6.5/rocky/9/x86_64/zabbix-release-6.5-2.el9.noarch.rpm\n# dnf clean all\n# dnf install zabbix-sql-scripts\n\nNow let;s upload the data from zabbix (db structure, images, user, ... )
# zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-character-set=utf8mb4 -uroot -p zabbix\nEnter password:\n\"Depending on the speed of your hardware or VM this can take a few seconds upto a few minutes so please don't cancel just sit and wait for the prompt.\"
Log back into your MySQL Database as root\n\n# mysql -uroot -p\nRemove the global parameter again as its not needed anymore and also for security reasons.
mysql> SET GLOBAL log_bin_trust_function_creators = 0;\nQuery OK, 0 rows affected, 1 warning (0.00 sec)\nOne last thing we need to do is open the firewall and allow incoming connections from our Zabbix server to our MySQL database because at the moment we dont accept any connections yet.
# firewall-cmd --list-all\npublic (active)\n target: default\n icmp-block-inversion: no\n interfaces: enp0s3 enp0s8\n sources:\n services: cockpit dhcpv6-client ssh\n ports:\n protocols:\n forward: yes\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nFirst we will create an appropriate zone for our MySQL Database and open port 3306/tcp but only for the IP from our Zabbix server. This way no one unallowed is able to connect.
# firewall-cmd --new-zone=mysql-access --permanent\nsuccess\n\n# firewall-cmd --reload\nsuccess\n\n# firewall-cmd --get-zones\nblock dmz drop external home internal mysql-access nm-shared public trusted work\n\n# firewall-cmd --zone=mysql-access --add-source=<zabbix-serverip> --permanent\n\nsuccess\n# firewall-cmd --zone=mysql-access --add-port=3306/tcp --permanent\n\nsuccess\n# firewall-cmd --reload\nNow lets have a look to our firewall rules to see if they are what we expected:
# firewall-cmd --list-all --zone=mysql-access\nmysql-access (active)\n target: default\n icmp-block-inversion: no\n interfaces:\n sources: <ip from the zabbix-server>\n services:\n ports: 3306/tcp\n protocols:\n forward: no\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nOur database server is ready now to accept connections from our Zabbix server :). You can continue with the next task Installing the Zabbix Server
"},{"location":"installation/installing-zabbixdb/#installing-zabbix-with-postgresql","title":"Installing Zabbix with PostgreSQL","text":"For our DB setup with PostgreSQL we need to add our PostgreSQL repository first to the system. As of writing PostgreSQL 13-16 are supported but best is to have a look before you install it as new versions may be supported and older maybe unsupported both by Zabbix and PostgreSQL. Usually it's a good idea to go with the latest version that is supported by Zabbix. Zabbix also supports the extension TimescaleDB this is someting we will talk later about. As you will see the setup from PostgreSQL is very different from MySQL not only the installation but also securing the DB.
The table of compatibility can be found here.
"},{"location":"installation/installing-zabbixdb/#add-the-postgresql-repo","title":"Add the PostgreSQL repo","text":"So let us start first setting up our PostgreSQL repository with the folowing commands.
# Install the repository RPM:\nsudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm\n\n# Disable the built-in PostgreSQL module:\nsudo dnf -qy module disable postgresql\n\n# Install PostgreSQL:\nsudo dnf install -y postgresql16-server\n\n# Initialize the database and enable automatic start:\nsudo /usr/pgsql-16/bin/postgresql-16-setup initdb\nsudo systemctl enable postgresql-16 --now\nAs i told you PostgreSQL works a bit different then MySQL or MariaDB and this applies aswell to how we manage access permissions. Postgres works with a file with the name pg_hba.conf where we have to tell who can access our database from where and what encryption is used for the password. So let's edit this file to allow our frontend and zabbix server to access the database.
Note\"Client authentication is configured by a configuration file with the name pg_hba.conf. HBA here stands for host based authentication. For more information feel free to check the PostgreSQL documentation.\"
Add the following lines, the order here is important.
# vi /var/lib/pgsql/16/data/pg_hba.conf\n# \"local\" is for Unix domain socket connections only\nlocal zabbix zabbix-srv scram-sha-256\nlocal all all peer\n# IPv4 local connections:\nhost zabbix zabbix-srv <ip from zabbix server/24> scram-sha-256\nhost zabbix zabbix-web <ip from zabbix server/24> scram-sha-256\nhost all all 127.0.0.1/32 scram-sha-256\nAfter we changed the pg_hba file don't forget to restart postgres else the settings will not be applied. But before we restart let us also edit the file postgresql.conf and allow our database to listen on our network interface for incomming connections from the zabbix server. Postgresql will standard only allow connections from the socket.
# vi /var/lib/pgsql/16/data/postgresql.conf\nand replace the line with listen_addresses so that PostgreSQL will listen on all interfaces and not only on our localhost.
#listen_addresses = 'localhost' with listen_addresses = '*'\nWhen done restart the PostgreSQL cluster and see if it comes back online in case of an error check the pg_hba.conf file you just edited for typos.
# systemctl restart postgresql-16\nFor our Zabbix server we need to create tables in the database for this we need ot install the Zabbix repository like we did for our Zabbix server and install the Zabbix package containing all the database tables images icons, ....
"},{"location":"installation/installing-zabbixdb/#add-the-zabbix-repository-and-populate-the-db_2","title":"Add the Zabbix repository and populate the DB","text":"# dnf install https://repo.zabbix.com/zabbix/6.0/rhel/9/x86_64/zabbix-release-6.0-4.el9.noarch.rpm -y\n# dnf install zabbix-sql-scripts -y\nNow we are ready to create our Zabbix users for the server and the frontend:
# su - postgres \n# createuser --pwprompt zabbix-srv\nEnter password for new role: <server-password>\nEnter it again: <server-password>\nLet's do the same for our frontend let's create a user to connect to the database:
# createuser --pwprompt zabbix-web\nEnter password for new role: <frontend-password>\nEnter it again: <frontend-password>\nNext we have to unzip the database schema files. Run as user root followin command::
# gzip -d /usr/share/zabbix-sql-scripts/postgresql/server.sql.gz\nWe are now ready to create our database zabbix. Become user postgres again and run next command to create the database as our user zabbix-srv:
# su - postgres\n# createdb -E Unicode -O zabbix-srv zabbix\nLet's verify that we are really connected to the database with the correct session. Login from the Postgres shell on the zabbix database
# psql -d zabbix -U zabbix-srv\nMake sure we are logged in with our correct user zabbix-srv.
zabbix=> SELECT session_user, current_user;\n session_user | current_user\n--------------+--------------\n zabbix-srv | zabbix-srv\n(1 row)\nPostgreSQL works a bit different then MySQL or MariaDB when it comes to almost everything :) One of the things that it has that MySQL not has are for example shemas. If you like to know more about it i can recommend this URI. It explains in detail what it is and why we need it. But in short ... In PostgreSQL schema enables a multi-user environment that allows multiple users to access the same database without interference. Schemas are important when several users use the application and access the database in their way or when various applications utilize the same database. There is a standard schema that you can use but the better way is to create our own schema.
Note\"There is a standard schema public that you can use but the better way is to create our own schema this was if later something else is installed next to the Zabbix database it will be easier to create users with only access to the newly created database tables.\"
zabbix=> CREATE SCHEMA zabbix_server AUTHORIZATION \"zabbix-srv\";\nCREATE SCHEMA\nzabbix=> set search_path to \"zabbix_server\";\nzabbix=> \\dn\n List of schemas\n Name | Owner\n---------------+-------------------\n public | pg_database_owner\n zabbix_server | zabbix-srv\n(2 rows)\n\n\nNow we have our DB ready with correct permissions for user zabbix-srv but not yet for our user zabbix-web. Let's fix this first and give the rights to connect to our schema.
zabbix=# GRANT USAGE ON SCHEMA zabbix_server TO \"zabbix-web\";\nGRANT\nThe user zabbix-web has now the rights to connect to our schema but cannot to anything yet lets fix this but also don't give too many rights.
zabbix=# GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA zabbix_server TO \"zabbix-web\";\nGRANT\nzabbix=# GRANT SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA zabbix_server TO \"zabbix-web\";\nGRANT\nThere we go both users are created with the correct permissons. We are now ready to populate the database with the Zabbix table structures etc ... log back in as user postgres and run the following commands
Let's upload the Zabbix SQL file we extracted earlier to populate our database with the needed schemas images users etc ...
Warning\"Depending on the speed of your hardware or VM this can take a few seconds upto a few minutes so please don't cancel just sit and wait for the prompt.\"
zabbix=# \\i /usr/share/zabbix-sql-scripts/postgresql/server.sql\nCREATE TABLE\nCREATE INDEX\n...\n...\nINSERT 0 1\nINSERT 0 1\nINSERT 0 1\nINSERT 0 1\nCOMMIT\nzabbix=#\n\"If the import fails with psql:/usr/share/zabbix-sql-scripts/postgresql/server.sql:7: ERROR: no schema has been selected to create in then you probably made an error in the line where you set the search path.\"
Lets verify that our tables are properly created with the correct permissions
zabbix=# \\dt\n List of relations\n Schema | Name | Type | Owner\n---------------+----------------------------+-------+------------\n zabbix_server | acknowledges | table | zabbix-srv\n zabbix_server | actions | table | zabbix-srv\n zabbix_server | alerts | table | zabbix-srv\n zabbix_server | auditlog | table | zabbix-srv\n zabbix_server | autoreg_host | table | zabbix-srv\n...\n...\n zabbix_server | usrgrp | table | zabbix-srv\n zabbix_server | valuemap | table | zabbix-srv\n zabbix_server | valuemap_mapping | table | zabbix-srv\n zabbix_server | widget | table | zabbix-srv\n zabbix_server | widget_field | table | zabbix-srv\n(173 rows)\n\"If you are like me and don't like to set the search path every time you logon with the user zabbix-srv to the correct search path you can run the following SQL. zabbix=> alter role \"zabbix-srv\" set search_path = \"$user\", public, zabbix_server ;\"
If you are ready you can exit the database and return as user root.
zabbix=> \\q\n# exit\nOne last thing we need to do is open the firewall and allow incoming connections for the PostgreSQL database from our Zabbix server because at the moment we dont accept any connections yet.
# firewall-cmd --list-all\npublic (active)\n target: default\n icmp-block-inversion: no\n interfaces: enp0s3 enp0s8\n sources:\n services: cockpit dhcpv6-client ssh\n ports:\n protocols:\n forward: yes\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nFirst we will create an appropriate zone for our PostgreSQL DB and open port 5432/tcp but only for the ip from our Zabbix server.
# firewall-cmd --new-zone=postgresql-access --permanent\nsuccess\n\n# firewall-cmd --reload\nsuccess\n\n# firewall-cmd --get-zones\nblock dmz drop external home internal nm-shared postgresql-access public trusted work\n\n# firewall-cmd --zone=postgresql-access--add-source=<zabbix-serverip> --permanent\n\nsuccess\n# firewall-cmd --zone=postgresql-access --add-port=5432/tcp --permanent\n\nsuccess\n# firewall-cmd --reload\nNow lets have a look to our firewall rules to see if they are what we expected:
# firewall-cmd --zone=postgresql-access --list-all\npostgresql-access (active)\n target: default\n icmp-block-inversion: no\n interfaces:\n sources: 192.168.56.18\n services:\n ports: 5432/tcp\n protocols:\n forward: no\n masquerade: no\n forward-ports:\n source-ports:\n icmp-blocks:\n rich rules:\nOur database server is ready now to accept connections from our Zabbix server :). You can continue with the next task Installing the Zabbix Server
"},{"location":"maintenance/maintaining-zabbix/","title":"Maintaining Zabbix","text":""},{"location":"permissions/managing-permissions/","title":"Managing Permissions","text":""},{"location":"problems/zabbix-triggers/","title":"Triggers","text":""},{"location":"proxies/installing-proxies/","title":"Monitoring with Proxies","text":""},{"location":"security/securing-zabbix/","title":"Securing Zabbix Frontend","text":"The frontend is what we use to login into our system. The Zabbix frontend will connect to our Zabbix server and our database. But we also send information from our laptop to the frontend. It's important that when we enter our credentials that we can do this in a safe way. So it makes sense to make use of certificates and one way to do this is by making use of Self-Signed certificates.
To give you a better understanding of why your browser will warn you when using self signed certificates, we have to know that when we request an SSL certificate from an official Certificate Authority (CA) that you submit a Certificate Signing Reauest (CSR) to them. They in return provide you with a Signed SSL certificate. For this they make use of their root certificate and private key. Our browser comes with a copy of the root certificate (CA) from various authorities or it can access it from the OS. This is why our self signed certificates are not trusted by our browser, we don't have any CA validation. Our only workaround is to create our own root certificate and private key.
"},{"location":"security/securing-zabbix/#understanding-the-concepts","title":"Understanding the concepts","text":""},{"location":"security/securing-zabbix/#how-to-create-an-ssl-certificate","title":"How to create an SSL certificate","text":""},{"location":"security/securing-zabbix/#how-ssl-works-client-server-flow","title":"How SSL works - Client - Server flow","text":"NoteBorrowed the designs from https://www.youtube.com/watch?v=WqgzYuHtnIM this video explains well how SSL works.
"},{"location":"security/securing-zabbix/#securing-the-frontend-with-self-signed-ssl-on-nginx","title":"Securing the Frontend with Self signed SSL on Nginx","text":"To configure this there are a few steps that we need to follow:
- Generate a private key for the CA ( Certificate Authority )\n- Generate a root certficate\n- Generating CA-Authenticated Certificates\n- Generate a Certificate Signing Request (CSR)\n- Generate an X509 V3 certificate extension configuration file\n- Generate the certificate using our CSR, the CA private key, the CA certificate, and the config file\n- Copy the SSL certificates to our Virtual Host\n- Adapt your Nginx Zabbix config\nFirst step is to make a folder named SSL so we can create our certificates and safe them:
>- mkdir ~/ssl\n>- cd ~/ssl\n>- openssl ecparam -out myCA.key -name prime256v1 -genkey\nLet's explain all the options;
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem\nLet's explain all the options;
The information you enter is not so important but it's best to fill it in as good as possible. Just make sure you enter for CN you IP or DNS.
You are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [XX]:BE\nState or Province Name (full name) []:vlaams-brabant\nLocality Name (eg, city) [Default City]:leuven\nOrganization Name (eg, company) [Default Company Ltd]:\nOrganizational Unit Name (eg, section) []:\nCommon Name (eg, your name or your server's hostname) []:192.168.0.134\nEmail Address []:\nIt's probably good practice to use de dns name of your webiste in the name fo the private key. As we use in this case no DNS but an IP address I will use the fictive dns zabbix.mycompany.internal.
openssl genrsa -out zabbix.mycompany.internal.key 2048\nopenssl req -new -key zabbix.mycompany.internal.key -out zabbix.mycompany.internal.csr\nYou will be asked the same set of questions as above. Once again your answers hold minimal significance and in our case no one will inspect the certificate so they matter even less.
You are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [XX]:BE\nState or Province Name (full name) []:vlaams-brabant\nLocality Name (eg, city) [Default City]:leuven\nOrganization Name (eg, company) [Default Company Ltd]:\nOrganizational Unit Name (eg, section) []:\nCommon Name (eg, your name or your server's hostname) []:192.168.0.134\nEmail Address []:\n\nPlease enter the following 'extra' attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:\n# vi zabbix.mycompany.internal.ext\nAdd the following lines in your certificate extension file. Replace IP or DNS with your own values.
authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\nsubjectAltName = @alt_names\n\n[alt_names]\nIP.1 = 192.168.0.133\n#DNS.1 = MYDNS (You can use DNS if you have a dns name if you use IP then use the above line)\nopenssl x509 -req -in zabbix.mycompany.internal.csr -CA myCA.pem -CAkey myCA.key \\\n-CAcreateserial -out zabbix.mycompany.internal.crt -days 825 -sha256 -extfile zabbix.mycompany.internal.ext\ncp zabbix.mycompany.internal.crt /etc/pki/tls/certs/. \ncp zabbix.mycompany.internal.key /etc/pki/tls/private/.\nWe need to update the CA certificate\u2019s, run the below command to update the CA certs.
cp myCA.pem /etc/pki/ca-trust/source/anchors/myCA.crt\nupdate-ca-trust extract\nYou also need to import the myCA.crt file in your OS we are not an official CA so we have to import it in our OS and tell it to trust this Certificate. This action depends on the OS you use.
As you are using OpenSSL, you should also create a strong Diffie-Hellman group, which is used in negotiating Perfect Forward Secrecy with clients. You can do this by typing:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048\nAdd the following lines to your Nginx configuration, modifying the file paths as needed. Replace the the already existing lines with port 80 with this configuration. This will enable SSL and HTTP2.
# vi /etc/nginx/conf.d/zabbix.conf\nserver {\n listen 443 http2 ssl;\n listen [::]:443 http2 ssl;\n server_name <ip qddress>;\n ssl_certificate /etc/ssl/certs/zabbix.mycompany.internal.crt;\n ssl_certificate_key /etc/pki/tls/private/zabbix.mycompany.internal.key;\n ssl_dhparam /etc/ssl/certs/dhparam.pem;\nTo redirect traffic from port 80 to 443 we can add the following lines above our https block:
server {\n listen 80;\n server_name _; #dns or ip is also possible\n return 301 https://$host$request_uri;\n}\nsystemctl restart php-fpm.service\nsystemctl restart nginx\n\nfirewall-cmd --add-service=https --permanent\nfirewall-cmd --reload\nWhen we go to our url http://<IP or DNS>/ we get redirected to our https:// page and when we check we can see that our site is secure: