Summary

  Subject:

Zabbix Monitoring on Rocky: Configure

   Updated:

2023-12-18

   Author:

Tim Hammond ([email protected])

Derek Pasnick ([email protected])

Leland Petitjean ([email protected])

   Operating Systems:

Rocky 8

   Background:

This guide was written to setup a Zabbix server to monitor network devices and servers for interuptions of service. Zabbix will be configured to also send alerts through the local mail relay. It is assumed a local mail relay is already setup and configured.

Due to the length of the content, I opted to break the article into the following sections:

  1. Rocky Zabbix: Install
  2. Rocky Zabbix: Configure
  3. Rocky Zabbix: Setting up Discoveries
  4. Rocky Zabbix: Client Agent Setup
  5. Rocky Zabbix: SNMPv3: Setup and Configure
  6. Rocky Zabbix: SNMPv3: Adding Devices
  7. Rocky Zabbix: References
  

Table of Contents

Zabbix Server

Server Config

Make a backup of the default Zabbix config.

sudo cp /etc/zabbix/zabbix_server.conf /etc/zabbix/zabbix_server.conf.bak

Add the Zabbix db pwd to the Zabbix config file. DO NOT create a sed command for this. The password would be in the bash history.

sudo sed -i 's/# DBPassword=/DBPassword=keePass/g' /etc/zabbix/zabbix_server.conf

Agent Config

Make a backup of the Zabbix agent config.

sudo cp /etc/zabbix/zabbix_agentd.conf /etc/zabbix/zabbix_agentd.conf.bak

Make the following changes to the zabbix_agentd.conf.

sudo sed -i 's/# HostMetadataItem=/HostMetadataItem=system.uname/g' /etc/zabbix/zabbix_agentd.conf

Verify the changes.

sudo cat /etc/zabbix/zabbix_agentd.conf | grep -i HostMetadataItem=

Timezone Updates

PHP runs as an isolated service when you use PHP-FPM. As PHP's publication is under the PHP licence, it is incompatible with GNU General Public License because of restrictions related to the PHP term.

Add the America/Chicago timezone to the Zabbix config.

sudo sed -i 's/; php_value\[date.timezone] = Europe\/Riga/php_value\[date.timezone] = America\/Chicago/g' /etc/php-fpm.d/zabbix.conf

SELinux

Config

There were a lot of SELinux problems getting Zabbix to work on Rocky. Use the following SELinux commands to help. See the referances section for more background.

Install SELinux aduit tool.

sudo dnf -y install policycoreutils checkpolicy setroubleshoot-server

Create a directory to store the SELinux changes.

mkdir -p /home/syseng/zabbix-selinux cd /home/syseng/zabbix-selinux

Write the following file:

sudo tee -a /home/syseng/zabbix-selinux/zabbix_server_add.te >/dev/null <<EOF module zabbix_server_add 1.1; require { type zabbix_var_run_t; type tmp_t; type zabbix_t; class sock_file { create unlink write }; class unix_stream_socket connectto; class process setrlimit; class capability dac_override; } #============= zabbix_t ============== #!!!! This avc is allowed in the current policy allow zabbix_t self:process setrlimit; #!!!! This avc is allowed in the current policy allow zabbix_t self:unix_stream_socket connectto; #!!!! This avc is allowed in the current policy allow zabbix_t tmp_t:sock_file { create unlink write }; #!!!! This avc is allowed in the current policy allow zabbix_t zabbix_var_run_t:sock_file { create unlink write }; #!!!! This avc is allowed in the current policy allow zabbix_t self:capability dac_override; EOF

Now convert the 'zabbix_server_add.te' into the policy module using the checkmodule command below.

sudo checkmodule -M -m -o zabbix_server_add.mod zabbix_server_add.te

Now compile the policy module 'zabbix_server_add.mod' using the semodule_package command.

sudo semodule_package -m zabbix_server_add.mod -o zabbix_server_add.pp

Load the compiled policy module 'zabbix_server_add.pp' to the system.

sudo semodule -i zabbix_server_add.pp

The following is recommended by Zabbix in their more detailed instructions.

sudo setsebool -P httpd_can_connect_zabbix on

These SELinux change seem to be required as well.

sudo setsebool -P httpd_can_network_connect on sudo setsebool -P zabbix_can_network on

This SELinux change is only required if the database is located on a different server than the Zabbix server.

  • sudo setsebool -P httpd_can_network_connect_db on

Troubleshooting

If after the restart zabbix-server you see "Can't open PID file /run/zabbix/zabbix_server.pid (yet?) after start: No such file or directory." Run the following commands to verify the PID is the same on both files.

sudo cat /run/zabbix/zabbix_server.pid sudo cat /var/run/zabbix/zabbix_server.pid

To verify which modules are installed:

sudo semodule -l

To further troubleshoot denies, reference this log file.

sudo grep denied /var/log/audit/audit.log

Zabbix Web Interface

Config

Give the ol' girl another reboot.

sudo reboot
  1. Go to the web interface: http://zab01.domain.local/zabbix. The default credentials are:
    • Username: Admin
    • Password: zabbix
  2. Verify all of the pre-reqs are met
  3. Click Next.
  4. Leave all of the settings default except for the database password. This includes the schema text box.
  5. Click Next.
  6. Change the name to: zab01
  7. Click Next.
  8. Verify all of the settings.
  9. Click Next.
  10. Click Finish.

User Settings

Go to: Click on the "User Settings" on the bottom left of the window.

User Tab: Password: keePass Language: English (en_US) Theme: System Default Auto-login: Unchecked Auto-logout: 60m Refresh: -default- Rows per page: 50 Url -blank- Media Tab: Leave the defaults. Messaging Tab: Leave the defaults.

Preferances

  1. Log into Zabbix web interface.
  2. Navigate to: Administration.
  3. Go to General.
  4. On the top left of the window, use the pulldown to select: Gui
  5. For the Default theme, select: Dark.
  6. Click Update.
  7. On the top left of the window, use the pulldown to select: Other.
  8. For the "Default host inventory mode" change the selection to "Automatic" and click "Update."

Configure AD Authentication

At this point, the machine should already be joined to the domain.

  1. Log into Zabbix web interface.
  2. Navigate to: Administration > Authentication > LDAP Settings and use the following settings:
Enable LDAP auth: Checked LDAP host: ldaps://domain.local Port: 636 Base DN: DC=domain,DC=com Search attribute: sAMAccountName Bind DN: CN=svc-Zabbix-Admin,OU=Service Accounts,OU=Domain Users,DC=domain,DC=com Case sensitive: Unchecked Bind Password: keePass Login: svc-Zabbix-Admin User Password: keePass
  1. Click Update.
  2. Navigate to: Administration > Authentication > Authentication. Use the following settings:
Default auth: Internal
  1. Click Update.
  2. Navigate to: Administration > User Groups. Use the following settings:
Group Name:

domain_-_admins

domain_-_read-only
Permissions:

All Groups

All Groups
Level:

Read-write

Read
  1. Click Create User. Use the following settings:
User group Tab: Group Name: See Chart Above Users: See Chart Above Frontend acess: LDAP Enabled: Checked Debug mode: Unchecked Permissions Tab: See Chart Above Users: See Chart Above
  1. In order to change permissions:
    1. Click on the Select button
    2. Check the top left button (to select all items)
    3. Click Select
    4. Check Include subgroups
    5. Click the Read button
    6. Click Add
Tag filter Tab: No Changes.
  1. Click Add.
  2. Navigate to: Administration > Users. Use the following settings:
Alias:

syseng

svc-Zabbix-Admin

thammond
Group:

domain_-_admins

domain_-_admins

domain_-_read-only
User type:

Zabbix super user

Zabbix super user

Zabbix user
  1. Click Create User. Use the following settings:
Alias: See Chart Above Name: -blank- Surname: -blank- Groups: See Chart Above Password: DO NOT ENTER (system will use AD pass-through) Language: English (en_US) Theme: System default Auto-login: Unchecked Auto-logout: Checked (60m) Rows per page: 50 URL: -blank-
  1. Click Add.

If change the default login type to LDAP and cannot login after these changes, look at the troubleshooting section of this guide for a walk-through on how to set the login back to Internal.

Configure Email Alerts

  1. Log into Zabbix web interface.
  2. Navigate to: Administration > Media types.
  3. Click on Email from the list.
  4. Click the clone button.
  5. Enter the following values:
Name: Email_-_mail01 Type: Email SMTP Server: mail01.domain.local SMTP Port: 25 SMTP helo: domain.local SMTP email: [email protected] Con Security: None Auth: None Message format: Plain text
  1. Click Add.
  2. Navigate to: Administration > Users. Use the following settings:
  3. Click on: svc-Zabbix-Admin.
User Tab: Leave the previous settings. Media Tab: Media Type: Email Send to: [email protected] When active: -default- Use if: All except "Information" Enabled: Checked Permissions Tab: Leave the previous settings.
  1. Click Add.
  2. Navigate to: Configuration > Actions.
  3. On the top left of the window, use the pulldown to select: "Trigger actions."
  4. Click on "Report problems to Zabbix administrators"
  5. Click the "Clone" button.
  6. Use the following settings for the Action Tab:
Name: [email protected] Add: -blank- Enabled: Checked
  1. Use the following settings for the Operations Tab:
    1. Click on "Step 1 Send message to..."
      1. Under Send to user groups, click "Remove" to the right of Zabbix Administrators
      2. Under Send to users, click the "Add" button and select: svc-Zabbix-Admin
      3. Leave everything else default.
      4. Click Update.
  2. Click Add.

Certificate

Creation

Certificate creation is out of the scope of this document.

Install

Make a backup of the SSL config file.

sudo cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak

Upload the cert to /tmp.

/tmp/zab01-cert.crt /tmp/zab01-priv.crt

Set the permissions.

sudo chmod 600 /tmp/zab01-cert.crt sudo chmod 600 /tmp/zab01-priv.crt sudo chown root:root /tmp/zab01-cert.crt sudo chown root:root /tmp/zab01-priv.crt

Move the cert to its proper home.

sudo mv /tmp/zab01-cert.crt /etc/pki/tls/certs/zab01-cert.crt sudo mv /tmp/zab01-priv.crt /etc/pki/tls/private/zab01-priv.crt

Verify that "SSLEngine" is set to "on."

sudo cat /etc/httpd/conf.d/ssl.conf | grep -i "SSLEngine "

Add comments to the default values:

sudo sed -i 's/SSLCertificateFile \/etc/# SSLCertificateFile \/etc/g' /etc/httpd/conf.d/ssl.conf sudo sed -i 's/SSLCertificateKeyFile \/etc/# SSLCertificateKeyFile \/etc/g' /etc/httpd/conf.d/ssl.conf

Insert the new values below the newly commented values.

sudo sed -i '/# SSLCertificateFile \/etc/a\SSLCertificateFile \/etc\/pki\/tls\/certs\/zab01-cert.crt' /etc/httpd/conf.d/ssl.conf sudo sed -i '/# SSLCertificateKeyFile \/etc/a\SSLCertificateKeyFile \/etc\/pki\/tls\/private\/zab01-priv.crt' /etc/httpd/conf.d/ssl.conf

Verify the changes.

sudo cat /etc/httpd/conf.d/ssl.conf | grep -i "SSLEngine " sudo cat /etc/httpd/conf.d/ssl.conf | grep -i "SSLCertificateFile /" sudo cat /etc/httpd/conf.d/ssl.conf | grep -i "SSLCertificateKeyFile /"

Test the Apache config file for errors.

sudo apachectl configtest

Restart services.

sudo systemctl restart httpd sudo systemctl status httpd