Script via Zabbix frontend

-

To run any script via Zabbix frontend on a remote server:

(a) Uncomment the AllowKey=system.run[*] in Zabbix agent configuration file on Remote host.

(b) Add the rules for zabbix user in sudoers file 

      visudo

      zabbix ALL=(ALL) NOPASSWD: ALL

(c) If the script (myscript.sh) is running on /usr/local/bin, make sure the script is executable and the script is owned by the Zabbix user. 

chmod +x /path/to/myscript.sh

chown zabbix:zabbix /usr/local/bin/myscript.sh

Note: The Zabbix agent runs under a specific user account, typically zabbix. Ensure that the script file is owned by this user or has appropriate permissions for the zabbix user to access and execute it.



Significance of AllowKey and sudoersfile configuration in Zabbix_agent:

1. AllowKey=system.run[*] in Zabbix Agent Configuration

The AllowKey directive in the Zabbix agent configuration file (zabbix_agentd.conf) specifies which system.run commands are permitted to be executed via the Zabbix frontend. This directive is crucial for security reasons, as it restricts which system.run commands can be executed based on the configured patterns.

Note: setting AllowKey=system.run[*] in the Zabbix agent configuration allows all commands using the system.run key to be executed from the Zabbix frontend.

  • Purpose:

    • It restricts which system.run commands can be executed through Zabbix.
    • This helps prevent unauthorized or unsafe commands from being executed.

  • Example Configuration:

    AllowKey=system.run[*]

    This allows all system.run commands. You can specify more restrictive patterns based on your security needs.

2. sudoers File Configuration

The sudoers file controls which users can execute commands with sudo and whether they need to enter a password. Configuring this file allows specific users (like the Zabbix agent) to execute certain commands with elevated privileges.

  • Purpose:

    • It permits the Zabbix agent user to execute commands with elevated privileges.
    • This is necessary for commands that require root access or other privileged actions.

  • Example Rule:

    zabbix ALL=(ALL) NOPASSWD: /path/to/command

    This allows the Zabbix user to execute /path/to/command without a password.

Why Both Are Needed

  1. Security Control:

    • AllowKey=system.run[*]: Ensures only allowed system.run commands are executed, preventing potentially harmful or unauthorized commands.
    • sudoers File: Controls which commands can be run with elevated privileges and whether a password is required, ensuring that only authorized commands are executed with sudo.

  2. Command Execution Control:

    • AllowKey=system.run[*]: Configures Zabbix’s policy on which system.run commands can be executed. if you don't uncomment or configure AllowKey, the Zabbix agent will block system.run commands. system.run key is used in Zabbix items to specify that a system command or script should be executed on the host.
    • sudoers File: Configures Linux permissions to allow those commands to be run with sudo if necessary.

Comments

Post a Comment

Popular posts from this blog

How to enable the syslog monitoring-Zabbix

-
Steps need to be performed:  On the Syslog server side:  1. Install the rsyslog sudo yum install rsyslog 2.  Enable rsyslog service: Start and enable the rsyslog service if it’s not already running: sudo systemctl start rsyslog sudo systemctl enable rsyslog 3.  Configure rsyslog to accept remote logs: Open the rsyslog configuration file: vi /etc/rsyslog.conf Uncomment or add the following lines to enable UDP or TCP log reception: # Provides UDP syslog reception module(load="imudp") input(type="imudp" port="514") # Provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514") 4.  Restart the rsyslog service: After saving the configuration file, restart rsyslog to apply the changes: sudo systemctl restart rsyslog 5. Ensure the firewall is configured to allow the TCP/UDP port 514 or disable the firewall service. 6. Ensure that SELinux is disable if not disable it Check the status of SELinux sestatus Disa...
Read more

Zabbix installation: Distribution setup

-
  On Zabbix core server: Step1:   Install Zabbix repository rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/zabbix-release-latest-6.0.el8.noarch.rpm dnf clean all Step2: Install Zabbix server, frontend, agent dnf install zabbix-server-mysql zabbix-web-mysql zabbix-apache-conf zabbix-selinux-policy zabbix-agent Step3:   Configure the database for Zabbix server Edit file /etc/zabbix/zabbix_server.conf DBHost= DBserver_ip DBName= DBUser= DBPassword= DBPort=3306 Step4:  Start Zabbix server and agent processes systemctl restart zabbix-server zabbix-agent httpd php-fpm systemctl enable zabbix-server zabbix-agent httpd php-fpm On Zabbix Database Server: Step1:   Install Zabbix repository rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/zabbix-release-latest-6.0.el8.noarch.rpm dnf clean all Step2: Install the sql script, zabbix agent  dnf install zabbix-sql-scripts zabbix-selinux-policy zabbix-agent Step3: Install the mysql server yum install my...
Read more

Zabbix built-in HA Vs Pacemaker/corosync

-
 Built-in HA in Zabbix Since Zabbix 7.0, Zabbix Server has built-in high availability (HA) support. This means: You can run multiple Zabbix server nodes. Only one is active at a time. The others are standby and can take over if the active one fails. Failover is handled internally by Zabbix, using database coordination (it stores node status in the DB). So why Pacemaker and Corosync then? You don’t need Pacemaker + Corosync for the Zabbix Server itself anymore if you’re using built-in HA. However, there are still scenarios where Pacemaker/Corosync may be useful: When to Use Pacemaker/Corosync Database Failover: Zabbix’s built-in HA does not handle database HA. Pacemaker/Corosync can manage MySQL/MariaDB/PostgreSQL clusters with automatic failover.        2. Frontend High Availability: Zabbix frontend (Apache/Nginx + PHP) does not have built-in HA. You can use Pacemaker/Corosync (or HAProxy/Keepalived) to manage failover of frontend nodes and virtual IPs.   ...
Read more