At first, we will set up the Zabbix server, database, and frontend, all running on the same machine and using a MySQL database.

Should you use the packages or install from source? In most cases, installing from the packages will be easier. Here are a few considerations that might help you select the method:

But which version to choose? You might see several versions available in repositories, and those versions might not be equal. Since Zabbix 2.2, the concept of a Long-Term Support (LTS) release has been introduced. This determines how long support in the form of bug fixes will be available for. An LTS release is supported for 5 years, while a normal release is supported until a month after the release date of the next version. Zabbix 2.2 and 3.0 are LTS releases, while 2.4 and 3.2 are normal releases. Choose an LTS release for an installation that you don't plan to upgrade for a while and a normal release for something you intend to keep up to date. In this book, we will use Zabbix version 3.0.

The most widely used Zabbix architecture is a server that queries agents. This is what we will learn to set up initially so that we can monitor our test system.

As with most software, there are some prerequisites that we will need in order to run Zabbix components. These include requirements of hardware and other software that the Zabbix server and agent depend on. For the purpose of our installation, we will settle for running Zabbix on Linux, using a MySQL database. The specific Linux distribution does not matter much—it's best to choose the one you are most familiar with.

Hardware requirements vary wildly depending on the configuration. It is impossible to provide definite requirements, so any production installation should evaluate them individually. For our test environment, though, even as little RAM as 128 MB should be enough. CPU power in general won't play a huge role; Pentium II-class hardware should be perfectly capable of dealing with it, although generating graphs with many elements or other complex views could require more powerful hardware to operate at an acceptable speed. You can take these as a starting point as well when installing on a virtual machine.

Of course, the more resources you give to Zabbix, the snappier and happier it will be.

If you have decided to install Zabbix from the packages, package availability and the procedure will differ based on the distribution. A few distributions will be covered here—read the distribution-specific instructions for others.

# rpm -Uvh http://ftp.colocall.net/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

# yum install zabbix22-agent zabbix22-dbfiles-mysql zabbix22-server-mysql zabbix22-web-mysql

# rpm -ivh http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm

# yum install zabbix-server-mysql zabbix-web-mysql zabbix-agent

# zypper addrepo http://download.opensuse.org/repositories/server:monitoring/openSUSE_Leap_42.1/server:monitoring.repo
# zypper refresh

# zypper install zabbix-server-mysql zabbix-agent zabbix-phpfrontend

If you have decided to install Zabbix from source, you will need to obtain the source, configure it, and compile it. After the daemons are put in place, the frontend will have to be set up manually as well.

$ cd ~/zabbix; tar -zxvf zabbix-3.0.0.tar.gz

$ cd zabbix-3.0.0
$ ./configure --enable-server --with-mysql --with-net-snmp --with-libcurl --with-openipmi --enable-agent --with-libxml2 --with-unixodbc --with-ssh2 --with-openssl

    Enable server:         yes
  Server details:
    With database:         MySQL
    WEB Monitoring:        cURL
    SNMP:                  yes
    IPMI:                  yes
    SSH:                   yes
    TLS:                   OpenSSL
    ODBC:                  yes
    
Enable agent:          yes

$ make

# make install

Depending on the method of installation, you might get Zabbix binaries and configuration files using either a dash (minus) or an underscore, like this:

While Zabbix itself uses an underscore, many distributions will replace it with a dash to follow their own guidelines. There is no functional difference; you just have to keep in mind the character that your installation uses. In this book, we will reference binaries and files using an underscore.

After compilation, we have to configure some basic parameters for the server and agent. Default configuration files are provided with Zabbix. The location of these files will depend on the installation method you chose:

On other distributions, the files might be located in a different directory. In this book, we will reference binaries and configuration files using relative names, except in situations where the absolute path is recommended or required.

To configure the Zabbix agent, we don't have to do anything. The default configuration will do just fine for now. That was easy, right?

For the server, we will need to make some changes. Open the zabbix_server.conf file in your favorite editor (you will need to edit it as the root user) and find the following entries in the file:

DBName should be zabbix by default; we can leave it as is. DBUser is set to root, and we don't like that, so let's change it to zabbix. For DBPassword, choose any password. You won't have to remember it, so be creative.

For the Zabbix server to store the data, we have to create a database. Start a MySQL client:

$ mysql -u root -p

Enter the root user's password for MySQL (you will have set this during the installation of MySQL, or the password could be something that is the default for your distribution). If you do not know the password, you can try omitting -p. This switch will tell the client to attempt to connect without a password (or with an empty password).

Now, let's create the database. Add the user that Zabbix would connect to the database as, and grant the necessary permissions to this user:

mysql> create database zabbix character set utf8 collate utf8_bin;
Query OK, 1 row affected (0.01 sec)
mysql> grant all privileges on zabbix.* to 'zabbix'@'localhost' identified by 'mycreativepassword';
Query OK, 0 rows affected (0.12 sec)

Use the password you set in the zabbix_server.conf file instead of mycreativepassword.

Quit the MySQL client by entering the following command:

mysql> quit

Let's populate the newly created database with a Zabbix schema and initial data. The following commands refer to the files as they appear in the Zabbix source. When installing from packages, these files could be located in a directory such as /usr/share/doc/zabbix-server-mysql-3.0.0/create/ or /usr/share/zabbix-server-mysql:

$ mysql -u zabbix -p zabbix < database/mysql/schema.sql
$ mysql -u zabbix -p zabbix < database/mysql/images.sql
$ mysql -u zabbix -p zabbix < database/mysql/data.sql

All three importing processes should complete without any messages. If there are any errors, review the messages, fix the issue, and retry the failed operation. If the import is interrupted in the middle of the process, you might have to clear the database—the easiest way to do this is to delete the database by typing this:

mysql> drop database zabbix;
Query OK, 0 rows affected (0.00 sec)

By now, we should have the Zabbix server and agent installed and ready to start.

You should never start the Zabbix server or agent as root, which is common sense for most daemon processes. If you installed Zabbix from distribution packages, system users should have been created already—if not, let's create a new user to run these processes. You can use tools provided by your distribution or use the most widely available command—useradd, which we need to execute as root:

# useradd -m -s /bin/bash zabbix

This will create a user named zabbix with a home directory in the default location, /home/zabbix usually, and a shell at /bin/bash.

If you installed from source, let's try the direct approach—running the binaries. The location of the binaries will depend on the chosen method of installation. Installing from the source without any extra parameters will place agent and server binaries in /usr/local/sbin; distribution packages are likely to place them in /usr/sbin. Assuming they are in your path, you can determine where the binaries are by running this:

# which zabbix_server

This will show something similar to the following:

/usr/sbin/zabbix_server

Alternatively, the whereis command can also list configuration and other related files:

# whereis zabbix_server

This would likely list the binary, the configuration file, and the manpage:

zabbix_server: /usr/sbin/zabbix_server /usr/local/etc/zabbix_server.conf /usr/share/man/man3/zabbix_server

Once you know the exact location of the binaries, execute the following as root user:

# <path>/zabbix_agentd

This will start the Zabbix agent daemon, which should start up silently and daemonize. If the command produces errors, resolve them before proceeding. If it succeeds, continue by starting the Zabbix server:

# <path>/zabbix_server

If you installed from the packages, execute this:

# service zabbix-agentd start
Starting zabbix agent daemon
done
# service zabbix-server start
Starting zabbix server daemon
done

That should get the agent and server started. On OpenSUSE, you can also use a different, shorter syntax:

# rczabbix-agentd start
# rczabbix-server start

Feel free to experiment with other parameters, such as stop and restart—it should be obvious what these two do.

You can verify whether services are running with the status parameter. For a service that is not running, you would get the following:

# service zabbix-server status
Checking for service Zabbix server daemon
unused

A running service would yield the following:

# service zabbix-agentd status
Checking for service Zabbix agent daemon
running

Some distributions might have another parameter called probe. This will check whether the corresponding service has been restarted since the last configuration file changes.

If it has been restarted, no output will be produced. If the service has not been restarted (thus possibly missing some configuration changes), the reload string will be output.

While it's nice to have Zabbix processes running, it's hardly a process one expects to do manually upon each system boot, so the server and agent should be added to your system's startup sequence. This is fairly distribution specific, so all possible variations can't be discussed here. With RHEL or CentOS, a command like this should help:

# chkconfig --level 345 zabbix-agent on
# chkconfig --level 345 zabbix-server on

This will add both services to be started at runlevels 3, 4, and 5. For OpenSUSE, the following should work:

# chkconfig -s zabbix-server 35
# chkconfig -s zabbix-agentd 35

This will add both services to be started at runlevel 3 and runlevel 5, which are used for multiuser and networked environments. The previous commands might work on other distributions, too, although some distributions might use runlevel 4 instead of runlevel 5 for a graphical environment—consult your distribution's documentation when in doubt. There's usually no need to start Zabbix in single-user or non-networked runlevels (1 and 2), as data gathering requires network connectivity.

With some init scripts in some distributions, it is even simpler than that:

# chkconfig -a zabbix_server zabbix_agentd

This will add both services as specified in the corresponding init scripts, which in our case should be runlevels 3 and 5, configured by the Default-Start parameter in the init script. If the command succeeds, you'll see the following output:

zabbix_server          0:off  1:off  2:off  3:on   4:off  5:on   6:off
zabbix_agentd          0:off  1:off  2:off  3:on   4:off  5:on   6:off

Now that we have the Zabbix server and agent either compiled and installed or installed from the distribution packages, and both daemons are running, you probably have a feeling that something's missing. We have only configured some low-level behavior, so where's the meat?

That's what the frontend is for. While, in theory, Zabbix can have multiple frontends, the only one with full functionality so far is the Zabbix web frontend, which is written in PHP. We have to set it up to configure Zabbix and get to those nice graphs everybody likes.

# cp -r frontends/php /srv/www/htdocs/zabbix

The web frontend has a wizard that helps you to configure its basics. Let's go through the simple steps it offers.

Now, it's time to fire up a browser and navigate to Zabbix's address: http://<server_ip_or_name>/zabbix. It should work just fine in the latest versions of most browsers, including Firefox, Chrome, Safari, Opera, Konqueror, and Internet Explorer.

Step 1 – welcome

If everything has been configured properly, you should be greeted by the installation wizard:

If you are not, there are several things that could have gone wrong.

If the connection fails completely, make sure Apache is started up and there is no firewall blocking access. If you see a blank page or some PHP code, make sure that PHP is properly installed and configured to parse files ending with the .php extension through the AddType application/x-httpd-php directive. If you see a file and directory listing instead of the installation wizard, make sure you have added index.php to the DirectoryIndex directive. If these hints do not help, check the PHP documentation at http://www.php.net/manual/en/.

This screen doesn't offer us much to configure, so just click on Next step.

Step 2 – PHP prerequisites

In this step, the installation wizard checks PHP-related prerequisites. If you are lucky, all will have been satisfied, and you will be greeted with all green entries:

If so, just click on the Next step button to continue to Step 3.

However, more often than not, one or more entries will have a red Fail warning listed next to them. This is where things get more interesting. Problems at this point fall into two categories: PHP installation or configuration.

Entries such as PHP version, PHP databases support, PHP bcmath, PHP mbstring, PHP gd, PHP gd PNG/JPEG/FreeType support, and others that are not listed as an option are PHP installation problems. To solve these, either install the appropriate distribution packages (sometimes called php5-bcmath, php5-gd, php5-mysql, and so on), or recompile PHP with the corresponding options.

PHP option "memory_limit", PHP option "post_max_size", PHP option "upload_max_filesize", PHP option "max_execution_time", PHP option "max_input_time", and PHP time zone are configuration issues that are all set in the php.ini configuration file. This file is usually located at /etc/php5 or similar for distribution packages and /usr/local/lib for PHP source installations. Set the following options:

memory_limit = 128M
post_max_size = 16M
max_execution_time = 300
max_input_time = 300
upload_max_filesize = 2M

Note

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Zabbix-Network-Monitoring-Second-Edition. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

For the time zone, set the date.timezone option to a time zone that best matches your environment. The default for Zabbix is Europe/Riga, and you can see valid options at http://www.php.net/manual/en/timezones.php.

Make sure you restart Apache after changing the PHP configuration file. If you can't find php.ini, or you make changes but the installation wizard does not pick them up, create a file named test.php in the htdocs directory with only this content:

<?php phpinfo() ?>

Navigate to this file using your browser and check the value for a Configuration File (php.ini) Path entry—this is where you should look for php.ini.

Once everything is fixed, click on the Next step button to continue.

Step 3 – database access

Remember the database we created earlier? That's the information we'll supply here:

We already configured database credentials for the Zabbix server, but the Zabbix frontend uses a different configuration file. The default Database type, Database host, and Database port values should work for us. Set both Database name and User to zabbix. If you have forgotten the Password, just look it up or copy it from zabbix_server.conf. After entering the data, click on the Next step button. If all the information is correct, the wizard should proceed to the next step.

Step 4 – Zabbix server details

The next screen lets you specify the Zabbix server's location:

The defaults for the host and port are suitable for us, but we could benefit from filling in the Name field. The contents of this field will be used for page titles and a label in the upper-right corner of the Zabbix interface—this could be really handy if we had multiple Zabbix installations. Feel free to enter any name here, but for this book, we'll call the server Zabbix One. When you're done, it's over to the Next step again. The next screen is a summary of the choices made in the previous screens.

Step 5 – summary

If you left the defaults where appropriate and your database connection test was successful, it should be safe to continue by clicking on Next step:

Step 6 – writing the configuration file

It is quite likely that in the next screen, you will be greeted with failure:

The installation wizard attempted to save the configuration file, but with the access rights that it has, it should not be possible. Previous versions of Zabbix explained two alternatives for proceeding. Unfortunately, Zabbix 3.0 has lost the explanation for one of those. The two possible solutions are as follows:

1. Click on Download the configuration file and manually place this file in the htdocs/zabbix/conf directory.

2. Make the htdocs/zabbix/conf directory writable by the web server user (execute as root). Use these commands:

   # chown <username> /path/to/htdocs/zabbix/conf
   # chmod 700 /path/to/htdocs/zabbix/conf
   

Obviously, we need to insert the correct username and directory in these commands. Remember, common locations are /srv/www/htdocs and /usr/local/apache2/htdocs—use the one you copied the Zabbix frontend code to. Common users are wwwrun, www-data, nobody, and daemon—you can find out which one the correct user is for your system by running this:

$ ps aux | grep http

You could also run this:

$ ps aux | grep apache

The username that most httpd processes are running under will be the correct one. Once the permissions have been changed, click on Finish. That should successfully save the configuration file.

Note

You can also skip the configuration wizard by copying zabbix.conf.php.example in the conf directory to zabbix.conf.php and editing it directly. In this case, you should manually verify that the PHP installation and configuration requirements have been met.

It is suggested that you restrict the permissions on this file afterwards to be readable only by the web server user, by issuing these commands as root:

# chmod 440 /path/to/htdocs/zabbix/conf/zabbix.conf.php
# chown root /path/to/htdocs/zabbix/conf/

The file contains the database password, which is best kept secret.

Step 7 – finishing the wizard

Congratulations, this is the last wizard screen, which only wants you to be friendly to it and press Finish:

Step 8 – logging in

Immediately after clicking on Finish, you should see a login form:

The Zabbix database data that we inserted previously also supplied the default username and password. The default credentials are as follows:

• Username: Admin

• Password: zabbix

That should get you to the initial frontend screen, which drops you into a quite empty dashboard:

Congratulations! The web frontend is now set up and we have logged in.

Note

It is possible to easily change the Zabbix frontend configuration later. The zabbix.conf.php configuration file can be edited to change database access details, the Zabbix server host and port, and the server name that we entered in the fourth step as well. Most of the parameters in that file should be self-explanatory; for example, $ZBX_SERVER_NAME will change the server name.

If you take a closer look at the upper-right corner, you'll spot something familiar—it's the server name we entered earlier in the configuration wizard. This makes it easier to distinguish this installation from other Zabbix instances, for example, if you had a testing and a production instance. Additionally, this name is also used in the page title—and thus in the tab title in most modern browsers. When multiple tabs are open, you should be able to see the instance name right there in the tab. There's no need to click on each tab individually and check the URL or upper-right corner of the Zabbix frontend:

The dashboard isn't too exciting right now, except maybe for that table, labeled Status of Zabbix. The same view is also available somewhere else, though—click on Reports and then click on Status of Zabbix, the very first report:

Now we can concentrate on this widget. The frontend successfully sees that the Zabbix server is running and displays the host and port to which it is trying to connect. It also knows some basic things about Zabbix's configuration—there are 39 hosts configured in total. Wait, what's that? We have only set it up and have not configured anything; how can there be 39 hosts already? Let's take a closer look at the DETAILS column. These values correspond to the descriptions in parentheses located in the PARAMETER column. So, there are 0 monitored hosts, 1 that is not monitored, and 38 templates. Now that makes more sense—38 of those 39 are templates, not actual hosts. Still, there's one host that isn't monitored, what's up with that?

Click on Configuration and choose Hosts. You should see this:

Note

The first thing to do here: click on that large Filter button in the middle of the page. In older versions of Zabbix, it was a very tiny button that was hard to spot. Unfortunately, the Zabbix team overshot with solving that problem—the button is now huge, and all filters are open by default. We will discuss and use filters later. For now, whenever you see a huge filter preceding the information we came for, just close it.

So, there it is. It turns out that the default Zabbix database already has one server configured: the local Zabbix server. It is disabled by default, as indicated in the Status of Zabbix screen and here by the Disabled string in the STATUS column.

Note

There's a lot of technical detail in the Zabbix online manual at https://www.zabbix.com/documentation/3.0/.

Before we venture deeper into these categories, it might be worth visiting the profile section—see the person-like icon in the upper-right corner:

Clicking on it should open your profile:

Here, you can set some options concerning your user account, for example, changing the password, the frontend language, or the frontend theme. As we will be using an English (en_GB) frontend, I suggested you to leave that at the default. Previous Zabbix versions shipped with four different themes, but that has been reduced in Zabbix 3.0; now, there are only the Blue and Dark themes. We'll stick with the default theme, but both of the themes shipped with Zabbix 3.0 seem to be visually pretty.

Notice that you can find out the user account you are currently connected as by moving the mouse cursor over the profile icon in the upper-right corner. A tooltip will show your username, as well as name and surname, as configured in the user profile. When you are not logged in, no profile icon is shown.

There are two options related to logging in: Auto-login, which will automatically log the user in using a cookie saved by their browser, and Auto-logout. By default, Auto-login should be enabled, and we will not change these options.

We won't change the URL option at present, but we'll discuss the benefits of setting a custom default URL for a particular user later. The Refresh option sets the period in seconds after which some pages in the frontend will refresh automatically to display new data. It might be beneficial to increase this parameter for huge screens, which we do not yet have.

The Rows per page option will limit the amount of entities displayed at a time. In larger installations, it might be useful to increase it, but making it too large can negatively affect performance of the frontend.

Let's make another change here—switch over to the Messaging tab:

It allows you to configure frontend messages. For now, just mark the Frontend messaging option to enable them and change Message timeout (seconds) to 180. We will discuss what the various options do later in this chapter, when the messages start to appear.

After you have changed the theme and enabled frontend messages, click on the Update button.

Instead of using this predefined host configuration, we want to understand how items work. But items can't exist in an empty space—each item has to be attached to a host.

If a host is required to attach items to, then we must create one. Head over to Configuration | Hosts and click on the Create host button, located in the top-right corner. You will be presented with a host creation screen. This time, we won't concern ourselves with the details, so let's input only some relevant information:

The fields that we changed for our host should look as follows:

When you are ready, click on the Add button at the bottom.

So, we have created our very own first host. But given that items are the basis of all the data, it's probably of little use right now. To give it more substance, we should create items, so select Linux servers from the Groups dropdown, and then click on Items next to the host we just created, A test host. This host has no items to list—click on the Create item button in the upper-right corner.

There's a form, vaguely resembling the one for host creation, so let's fill in some values:

After filling in all the required information, you will be presented with the following screen:

We will look at the other defaults in more detail later, so click on the Add button at the bottom.

You should now see your new item in the list. But we are interested in the associated data, so navigate to Monitoring | Latest data. Notice the filter that takes up half the page? This time, we will want to use it right away.

Starting with Zabbix 2.4, the Latest data page does not show any data by default for performance reasons; thus, we have to set the filter first:

In the Filter, type test in the Hosts field. Our new host should appear. Click on it, then click on the Filter button. Below the filter, expand the - other - section if it's collapsed. You might have to wait for up to a minute to pass after saving the item, and then you should see that this newly created item has already gathered some data:

What should you do if you don't see any entries at all? This usually means that data has not been gathered, which can happen for a variety of reasons. If this is the case, check for these common causes:

The Zabbix server reads into cache all the information on items to monitor every minute by default. This means that configuration changes such as adding a new item might show an effect in the data collected after one minute. This interval can be tweaked in zabbix_server.conf by changing the CacheUpdateFrequency parameter.

Once data starts arriving, you might see no value in the Change column. This means you moved to this display quickly, and the item managed to gather a single value only; thus, there's no change yet. If that is the case, waiting a bit should result in the page automatically refreshing (look at the page title—remember the 30-second refresh we left untouched in the user profile?), and the Change column will be populated. So, we are now monitoring a single value: the UNIX system load. Data is automatically retrieved and stored in the database. If you are not familiar with the concept, it might be a good idea to read the overview at https://en.wikipedia.org/wiki/Load_(computing).

If you went away to read about system load, several minutes should have passed. Now is a good time to look at another feature in Zabbix—Graphs. Graphs are freely available for any monitored numeric item, without any additional configuration.

You should still be on the Latest data screen with the CPU load item visible, so click on the link named Graph. You'll get something like this:

While you will probably get less data, unless reading about system load took you more than an hour, your screen should look very similar overall. Let's explore some basic graph controls.

The Zoom controls in the upper-left corner allow you to quickly switch the displayed period. Clicking on any of the entries will make the graph show data for the chosen duration. At first, Zabbix is a bit confused about us having so little data; it thus shows all the available time periods here. As more data is gathered, only the relevant periods will be shown, and longer zoom periods will gradually become available.

Below these controls are options that seek through time periods; clicking on them will move the displayed period by the exact time period that was clicked on.

The scrollbar at the top allows you to make small changes to the displayed period: drag it to the left (and notice the period at the top of the graph changing) and then release, and the graph is updated to reflect the period changes. Notice the arrows at both ends of the scrollbar: they allow you to change the duration displayed. Drag these with your mouse just like the scrollbar. You can also click on the buttons at both ends for exact adjustments. Using these buttons moves the period back and forth by the time period that we currently have displayed.

The date entries in the upper-right corner show the start and end times for the currently displayed data, and they also provide calendar widgets that allow a wider range of arbitrary period settings. Clicking on one of these time periods will open a calendar, where you can enter the time and date and have either the start or end time set to this choice:

Try entering a time in the past for the starting (leftmost) calendar. This will move the displayed period without changing its length. This is great if we are interested in a time period of a specific length, but what if we want to look at a graph for the previous day, from 08:30 till 17:00? For this, the control (fixed) in the lower-right corner of the scrollbar will help. Click on it once—it changes to (dynamic). If you now use calendar widgets to enter the start or end time for the displayed period, only this edge of the period will be changed.

For example, if a 1-hour period from 10:00 to 11:00 is displayed, setting the first calendar to 09:00 while in (fixed) mode will display the period from 09:00 till 10:00. If the same is done while in (dynamic) mode, a two-hour period from 09:00 till 11:00 will be displayed. The end edge of the period is not moved in the second case.

Clicking and dragging over the graph area will zoom in to the selected period once the mouse button is released. This is handy for a quick drilldown to some problematic or interesting period:

The yellow area denotes the time period we selected by clicking, holding down the mouse button, and dragging over the graph area. When we release the mouse button, the graph is zoomed to the selected period.

Now that we have an item successfully gathering data, we can look at it and verify whether it is reporting as expected (in our case, that the system is not overloaded). Sitting and staring at a single parameter would make for a very boring job. Doing that with thousands of parameters doesn't sound too entertaining, so we are going to create a trigger. In Zabbix, a trigger is an entry containing an expression to automatically recognize problems with monitored items.

Navigate to Configuration | Hosts, click on Triggers next to A test host, and click on Create trigger.

Here, only two fields need to be filled in:

It is important to get the expression correct down to the last symbol. Once done, click on the Add button at the bottom. Don't worry about understanding the exact trigger syntax yet; we will get to that later.

Notice how our trigger expressions refer to the item key, not the name. Whenever you have to reference an item inside Zabbix, it will be done by the item key.

The trigger list should be now displayed, with a single trigger—the one we just created. Let's take a look at what we just added: open Monitoring | Triggers. You should see our freshly added trigger, hopefully already updated, with a green OK flashing in the STATUS column:

You might see PROBLEM in the STATUS field. This means exactly what the trigger name says—the CPU load too high on A test host for last 3 minutes.

Notice the big filter?

We can filter displayed triggers, but why is our OK trigger displayed even though the default filter says Recent problem? The thing is, by default, Zabbix shows triggers that have recently changed their state with the status indicator flashing. Such triggers show for 30 minutes, and then they obey normal filtering rules. Click on Filter to close the filter. We will explore this filter in more detail later.

You could take a break now and notice how, in 30 minutes, there are no triggers displayed. With the filter set to only show problems, this screen becomes quite useful for a quick overview of all issues concerning monitored hosts. While that sounds much better than staring at plain data, we would still want to get some more to-the-point notifications delivered.

The most common notification method is e-mail. Whenever something interesting happens in Zabbix, some action can be taken, and we will set it up so that an e-mail is sent to us. Before we decide when and what should be sent, we have to tell Zabbix how to send it.

To configure the parameters for e-mail sending, open Administration | Media types and click on Email in the NAME column. You'll get a simple form to fill in with appropriate values for your environment:

Change the SMTP server, SMTP helo, and SMTP email fields to use a valid e-mail server. The SMTP email address will be used as the From address, so make sure it's set to something your server will accept. If needed, configure the SMTP authentication, and then click on the Update button.

We have configured the server to send e-mail messages and set what the From address should be, but it still doesn't know the e-mail addresses that our defined users have, which is required to send alerts to them. To assign an e-mail address to a user, open Administration | Users. You should see only two users: Admin and Guest. Click on Admin in the ALIAS column and switch to the Media tab:

Click on the Add button:

The only thing you have to enter here is a valid e-mail address in the Send to textbox—preferably yours. Once you are done, click on Add and then Update in the user properties screen.

That finishes the very basic configuration required to send out notifications through e-mail for this user.

And now, it's time to tie all this together and tell Zabbix that we want to receive e-mail notifications when our test box is under heavy load.

Things that tell the Zabbix server to do something upon certain conditions are called actions. An action has three main components:

To configure actions, open Configuration | Actions and click on Create action. A form is presented that lets you configure preconditions and the action to take:

First, enter a NAME for our new action, such as Test action, and check the Recovery message checkbox. Next, we should define the operation to perform, so switch to the Operations tab. In the Operation tab, insert 3600 in Default operation step duration, as shown in the following screenshot:

In here, click on New in the Action operations block. This will open the Operation details block:

In the Send to Users section, click on the Add control. In the resulting popup, click on the Admin user. Now, locate the Add control for the Operation details block. This can be a bit confusing as the page has four controls or buttons called Add right now. The correct one is highlighted here:

Click on the highlighted Add control. Congratulations! You have just configured the simplest possible action, so click on the Add button in the Action block.

Let's take a look at the generic categories that we can keep an eye on. Of course, this is not an exhaustive list of things to monitor—consider this as an example subset of interesting parameters. You'll soon discover many more areas to add in your Zabbix configuration.

As explored before, Zabbix gathers all its data within items. But surely, we'll want to get information in more ways than just through the Zabbix agent. What are our options? Let's have a look:

This is the item type configuration dropdown when editing an item. We pretty much skipped this selection when creating our item because the default value suited us. Let's take a quick look at the types available now:

While all these types might look a bit confusing at this point, an important thing to remember is that they are available for your use, but you don't have to use them. You can have a host with a single ICMP ping item, but if you want to monitor more, the advanced functionality will always be there.

As you might have noticed, the item type is set per individual item, not per host. This allows great flexibility when setting up monitored hosts. For example, you can use ICMP to check general availability, a Zabbix agent to check the status of some services and simple TCP checks for others, a trapper to receive custom data, and IPMI to monitor parameters through the management adapter—all on the same host. The choice of item type will depend on network connectivity, the feature set of the monitored host, and the ease of implementation. Zabbix will allow you to choose the best fit for each item.

While that covered categories and item types, we skipped some other parameters when creating the item, so it might be helpful to learn about basic values that will have to be set for most item types. Let's take a quick look at the fields in the item creation/editing window:

Don't worry if these short descriptions didn't answer all of your questions about each option. We'll dig deeper into each of these later, and there are more options available for other item types as well.

The item we created before was a so-called passive item, which means that the Zabbix server initiates a connection to the agent every time a value has to be collected. In most locations, they are simply referred to as being of the Zabbix agent type.

An easy way to remember what's passive or active in Zabbix is to think from the agent's perspective. If the agent connects to the server, it's active. If not, it's passive:

Let's create another passive item to check for the remote host. Go to Configuration | Hosts, click on Items next to the host you just created, click on the Create item button, and fill in these values:

The end result should be as follows:

But what's up with that ,,80 added to the service name? Click on the Select button next to the Key field. This opens a window with a nice list of keys to choose from, along with a short description of each:

The Type dropdown in the upper-right corner will allow you to switch between several item types—we'll discuss the other types later. For now, find net.tcp.service in the list and look at the description. There are two things to learn here: firstly, we didn't actually have to add that 80—it's a port, and given that the default already is 80, adding it was redundant. However, it is useful if you have a service running on a nonstandard port. Secondly, there's a key list just one click away to give you a quick hint in case you have forgotten a particular key or what its parameters should be like.

This key, net.tcp.service, is a bit special: it tries to verify that the corresponding service actually does respond in a standard manner, which means the service must be explicitly supported. As of writing this, Zabbix supports the following services for the net.tcp.service key:

The TCP service is a bit special in its own way. While others perform service-specific checks, TCP is not really a service; it just checks the TCP connection. It's closer to a key you can see a couple of rows above in the item list, net.tcp.port. As the description says, this one just tries to open a TCP connection to any arbitrary port without performing any service-specific checks on the returned value. If you try to use an arbitrary service string that is not supported, you would simply get an error message saying that such an item key is not supported.

Feel free to look at the other available keys—we will use a couple of them later as well—then close this popup and click on the Add button at the bottom.

You have probably already noticed the green strip at the top of the screen when some operation successfully completes. This time, there's also a control called Details available; click on it to expand the details:

You can click on Details again to collapse the contents. Of course, this can be done whenever the Details link is available after some operation.

Now, we could go over to Monitoring | Latest data and wait for the values appearing there, but that would be useless. Instead, after a couple of minutes, you should visit Configuration | Hosts. Depending on your network configuration, you might see a red ZBX marker next to this host. This icon represents errors that have occurred when attempting to gather data from a passive Zabbix agent.

To see the actual error message, move your mouse cursor over the icon, and a tooltip will open. Clicking on the error icon will make the tooltip permanent and allow you to copy the error message.

If you see an error message similar to Get value from agent failed: cannot connect to [[192.168.56.11]:10050]: [111] Connection refused (most likely with a different IP address), it means that the Zabbix server was unable to connect to the agent daemon port. This can happen because of a variety of reasons, the most common being a firewall—either a network one between the Zabbix server and the remote host or a local one on the remote host. Make sure to allow connections from the Zabbix server to the monitored machine on port 10050.

If you did this correctly (or if you did not have a firewall blocking the connection), you could again go to Monitoring | Latest data—only that would be pointless, again. To see why, refresh the host list. Soon, you should see the Zabbix agent status icon turn red again, and moving your mouse cursor over it will reveal another error message, Received empty response from Zabbix Agent at [192.168.56.11], assuming that the agent dropped the connection because of access permissions. Now that's different. What access permissions is it talking about, and why did they work for our first host?

From the Zabbix server, execute this:

$ telnet 192.168.56.11 10050

Replace the IP address with the one of your remote host. You should see the following output, and the connection should immediately be closed:

Trying 192.168.56.11...
Connected to 192.168.56.11.
Escape character is '^]'.
Connection closed by foreign host.

Now, try the same with localhost:

$ telnet localhost 10050
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Notice how this time the connection is not closed immediately, so there's a difference in the configuration. The connection will most likely be closed a bit later—3 seconds later, to be more specific. If this does not happen for some reason, press Ctrl+], as instructed, then enter quit—this should close the connection:

^]
telnet> quit
Connection closed.

It turns out that configuring the Zabbix agent daemon on another machine is going to be a tiny bit harder than before.

As opposed to the installation on the Zabbix server, we have to edit the agent daemon configuration file on the remote machine. Open zabbix_agentd.conf as root in your favorite editor and take a look at the Server parameter. It is currently set to 127.0.0.1, which is the reason we didn't have to touch it on the Zabbix server. As the comment states, this parameter should contain the Zabbix server IP address, so replace 127.0.0.1 with the correct server address here.

Save the file and restart the agent daemon. How exactly this is done depends on the installation method, again. If you installed from the distribution packages, the following will most likely work:

# service zabbix-agentd restart

If you installed from the source and did not create or adapt some init scripts, you will have to manually stop and start the agent process:

# killall -15 zabbix_agentd; sleep 3; zabbix_agentd

The preceding command will stop all processes called zabbix_agentd on the system. This should not be used if multiple agents are running on the system. Additionally, the delay of 3 seconds should be more than enough in most cases, but if the agent does not start up after this, check its logfile for potential reasons.

To verify the change, try telnetting to the remote machine again:

$ telnet 192.168.56.11 10050

This time, the outcome should be the same as we had with the localhost: the connection should be opened and then closed approximately 3 seconds later.

Finally, it should be worth opening Monitoring | Latest data. We will only see our previously created item, though; the reason is the same filter we changed earlier. We explicitly filtered for one host; thus, the second host we created does not show up at all. In the filter, which should still be expanded, clear the host field and select Linux servers in the Host groups field, and then click on Filter:

We should see two monitored hosts now, each having a single item:

Notice how we can click the triangle icon next to each entry or in the header to collapse and expand either an individual entry or all of the entries.

Cloning items

Let's try to monitor another service now, for example, the one running on port 22, SSH. To keep things simple for us, we won't create an item from scratch this time; instead, go back to Configuration | Hosts, click on Items next to Another host, and click on Web server status in the NAME column. This will open the item editing screen, showing all the values we entered before. This time, there are different buttons available at the bottom. Among other changes, instead of the Add button, there's an Update one.

Note

Notice how one of the previously seen buttons is different. What was labeled Add previously is Update now. This change identifies the operation that we are going to perform: either adding a new entity or updating an existing one. One might open a configuration form intending to clone the entity, scan the fields, change some values, but forget to click on the Clone button. In the end, the existing item will be changed. The difference in the labels of the Add and Update buttons might help spot such mistakes before they are made.

There's also Delete, which, obviously, deletes the currently open item. We don't want to do that now. Instead, click on Clone:

Notice how the opened form proposes to create a new item, but this time, all values are set to those that the original item we cloned had. The Update button is changed to Add as well. Click on the Add button—it should fail. Remember, we talked about the key being unique per host; that's what the error message says as well:

The item editing form is still open, so we can correct our mistake. Make the following modifications:

• Name: Change it to SSH server status

• Key: Change http,,80 to ssh so that it looks like this—net.tcp.service[ssh]

That's all we have to do for now, so click on the Add button at the bottom again. This time, the item should be added successfully. Now, navigate to Monitoring | Latest data, where Another host should have two items listed: SSH server status and Web server status. Their status will depend on which services are running on the remote host. As it's remote, SSH most likely is running (and thus has a value of 1), but whether or not the web server is running will be specific to your situation.

Note

The monitoring of a port is often done to make sure the service on it is available, but that is not a strict requirement. If some system is not supposed to have SSH available through the Internet, we could use such a check to verify that it has not been accidentally exposed either by the inadvertent starting of the SSH daemon or an unfortunate change in the firewall.

$ zabbix_get -s 127.0.0.1 -k system.cpu.load

Passive Zabbix items are fine if you can connect to all the monitored hosts from the Zabbix server, but what if you can't allow incoming connections to the monitored hosts because of security or network topology reasons?

This is where active items come into play. As opposed to passive items, for active items, it's the agent that connects to the server; the server never connects to the agent. When connecting, the agent downloads a list of items to check and then reports the new data to the server periodically. Let's create an active item, but this time, we'll try to use some help when selecting the item key.

Go to Configuration | Hosts, click on Items next to Another host, and click on Create item. For now, use these values:

We'll do something different with the Key field this time. Click on the Select button, and in the upcoming dialog that we saw before, click on net.if.in[if,<mode>]. This will fill in the chosen string, as follows:

If your system has a different network interface name, use that here instead of eth0. You can find out the interface names with the ifconfig or ip addr show commands. In many modern distributions, the standard ethX naming scheme has been changed to one that will result in various different interface names. Further, replace any occurrences of eth0 with the correct interface name.

Go to Monitoring | Latest data and check whether new values have arrived:

Well, it doesn't look like they have. You could wait a bit to be completely sure, but most likely, no data will appear for this new active item, which means we're in for another troubleshooting session.

First, we should test basic network connectivity. Remember: active agents connect to the server, so we have to know which port they use (by default, it's port 10051). So, let's start by testing whether the remotely monitored machine can connect to the Zabbix server:

$ telnet <Zabbix server IP or DNS name> 10051

This should produce output similar to the following:

Trying <Zabbix server IP>...
Connected to <Zabbix server IP or DNS name>.
Escape character is '^]'.

Press Ctrl + ] and enter quit in the resulting prompt:

telnet> quit
Connection closed.

Such a sequence indicates that the network connection is working properly. If it isn't, verify possible network configuration issues, including network firewalls and the local firewall on the Zabbix server. Make sure to allow incoming connections on port 10051.

So, there might be something wrong with the agent—let's take a closer look. We could try to look at the agent daemon's logfile, so find the LogFile configuration parameter. If you're using the default configuration files from the source archive, it should be set to log to /tmp/zabbix_agentd.log. If you installed from packages, it is likely to be in /var/log/zabbix or similar. Open this logfile and look for any interesting messages regarding active checks. Each line will be prefixed with a PID and timestamp in the syntax PID:YYYYMMDD:HHMMSS. You'll probably see lines similar to these:

 15794:20141230:153731.992 active check configuration update from [127.0.0.1:10051] started to fail (cannot connect to [[127.0.0.1]:10051]: [111] Connection refused)

The agent is trying to request the active check list, but the connection fails. The attempt seems to be wrong—our Zabbix server should be on a different system than the localhost. Let's see how we can fix this. On the remote machine, open the zabbix_agentd.conf configuration file and check the ServerActive parameter. The default configuration file will have a line like this:

ServerActive=127.0.0.1

This parameter tells the agent where it should connect to for active items. In our case, the localhost will not work as the Zabbix server is on a remote machine, so we should modify this. Replace 127.0.0.1 with the IP address or DNS name of the Zabbix server, and then restart the agent either using an init script or the manual method killall.

While you have the configuration file open, take a look at another parameter there—StartAgents. This parameter controls how many processes are handling incoming connections for passive items. If set to 0, it will prevent the agent from listening on incoming connections from the server. This enables you to customize agents to support either or both of the methods. Disabling passive items can be better from a security perspective, but they are very handy for testing and debugging various problems. Active items can be disabled by not specifying (commenting out) ServerActive. Disabling both active and passive items won't work; the agent daemon will complain and refuse to start up, and it's correct—starting with both disabled would be a pointless thing to do. Take a look:

zabbix-agentd [16208]: ERROR: either active or passive checks must be enabled

We could wait for values to appear on the frontend again, but again, they would not. Let's return to the agent daemon logfile and see whether there is any hint about what's wrong:

15938:20141230:154544.559 no active checks on server [10.1.1.100:10051]: host [Zabbix server] not monitored

If we carefully read the entry, we will notice that the agent is reporting its hostname as Zabbix server, but that is the hostname of the default host, which we decided not to use and left disabled. The log message agrees: it says that the host is not monitored.

If we look at the startup messages, there's even another line mentioning this:

15931:20141230:154544.552 Starting Zabbix Agent [Zabbix server]. Zabbix 3.0.0 (revision 58567).

As that is not the host name we want to use, let's check the agent daemon configuration file again. There's a parameter named Hostname, which currently reads Zabbix server. Given that the comment for this parameter says "Required for active checks and must match hostname as configured on the server.", it has to be what we're after. Change it to Another host, save and close the configuration file, and then restart the Zabbix agent daemon. Check for new entries in the zabbix_agentd.log file—there should be no more errors.

While we're at it, let's update the agent configuration on A test host as well. Modify zabbix_agentd.conf and set Hostname=A test host and restart the agent daemon.

If there still are errors about the host not being found on the server, double-check that the hostname in the Zabbix frontend host properties and agent daemon configuration file (the one we just changed) match.

It's now time to return to the frontend and see whether data has started flowing in at the Monitoring | Latest data section:

If you see no data and the item shows up unsupported in the configuration section, check the network interface name.

Great, data is indeed flowing, but the values look really weird. If you wait for a while, you'll see how the number in the LAST VALUE column just keeps on increasing. So what is it? Well, network traffic keys gather data from interface counters, that is, the network interface adds up all traffic, and this total data is fed into the Zabbix database. This has one great advantage: even when data is polled at large intervals, traffic spikes will not go unnoticed as the counter data is present, but it also makes data pretty much unreadable for us, and graphs would also look like an ever-growing line (if you feel like it, click on the Graph link for this item). We could even call them "hill graphs". Luckily, Zabbix provides a built-in capability to deal with data counters like this. Go to Configuration | Hosts, then click on Items next to Another host, and click on Incoming traffic on interface eth0 in the NAME column. Change the Store value dropdown to read Delta (speed per second), and then click on Update.

We will have to wait a bit for the changes to take effect, so now is a good moment to discuss our choice for the Type of information option for this item. We set it to Numeric (unsigned), which accepts integers. The values that this item originally receives are indeed integers—they are counter values denoting how many bytes have been received on this interface. The Store value option we changed to Delta (speed per second), though, will almost always result in some decimal part being there—it is dividing the traffic between two values according to the number of seconds passed between them. In cases where Zabbix has a decimal number and has to store it in an integer field, the behavior will differ depending on how it got that decimal value, as follows:

This behavior is depicted in the following figure:

Why is there a difference like this, and why did we leave this item as an integer if doing so results in a loss of precision? Decimal values in the Zabbix database schema have a smaller number of significant digits available before the decimal point than integer values. On a loaded high-speed interface, we might overflow that limit, and it would result in values being lost completely. It is usually better to lose a tiny bit of precision—the decimal part—than the whole value. Note that precision is lost on the smallest unit: a byte or bit. Even if Zabbix shows 5 Gbps in the frontend, the decimal part will be truncated from this value in bits; thus, this loss of precision should be really, really insignificant. It is suggested to use integers for items that have a risk like this, at least until database schema limits are increased.

Check out Monitoring | Latest data again:

That's better; Zabbix now automatically calculates the change between every two checks (that's what the delta is for) and stores it, but the values still don't seem to be too user friendly. Maybe they're better in the graph—let's click on the Graph link to find out:

Ouch. While we can clearly see the effect our change had, it has also left us with very ugly historical data. The Y axis of that graph represents the total counter value (thus showing the total since the monitored system was started up), but the X axis represents the correct (delta) data. You can also take a look at the values numerically—go to the dropdown in the upper-right portion, which currently reads Graph. Choose 500 latest values from there. You'll get the following screen:

In this list, we can nicely see the change in data representation as well as the exact time when the change was performed. But those huge values have come from the counter data, and they pollute our nice, clean graph by being so much out of scale—we have to get rid of them. Go to Configuration | Hosts and click on Items next to Another host, then mark the checkbox next to the Incoming traffic on interface eth0 item, and look at the buttons positioned at the bottom of the item list:

The third button from the left, named Clear history, probably does what we want. Notice the 3 selected text to the left of the activity buttons—it shows the amount of entries selected, so we always know how many elements we are operating on. Click on the Clear history button. You should get a JavaScript popup asking for confirmation to continue. While history cleaning can take a long time with large datasets, in our case, it should be nearly instant, so click on the OK button to continue. This should get rid of all history values for this item, including the huge ones.

Still, looking at the Y axis in that graph, we see the incoming values being represented as a number without any explanation of what it is, and larger values get K, M and other multiplier identifiers applied. It would be so much better if Zabbix knew how to calculate it in bytes or a similar unit. Right, so navigate to Configuration | Hosts and click on Items next to Another host, and then click on the Incoming traffic on the eth0 interface in the NAME column. Edit the Units field and enter Bps, and then click on Update.

Let's check whether there's any improvement in the Monitoring | Latest data:

Wonderful; data is still arriving. Even better, notice how Zabbix now automatically calculates KB, MB, and so on where appropriate. Well, it would in our example host if there were more traffic. Let's look at the network traffic; click on Graph:

Take a look at the Y axis—if you have more traffic, units will be calculated there as well to make the graph readable, and unit calculations are retroactively applied to the previously gathered values.

One parameter that we set, the update interval, could have been smaller, thus resulting in a better-looking graph. But it is important to remember that the smaller the intervals you have on your items, the more data Zabbix has to retrieve, and each second, more data has to be inserted into the database and more calculations have to be performed when displaying this data. While it would have made no notable difference on our test system, you should try to keep intervals as large as possible.

So far, we have created items that gathered numeric data—either integers or decimal values. Let's create another one, a bit different this time. As usual, go to Configuration | Hosts and click on Items next to Another host. Before continuing with item creation, let's look at what helpful things are available in the configuration section, particularly for items. If we look above the item list, we can see the navigation and information bar:

This area provides quick and useful information about the currently selected host: the hostname, whether the host is monitored, and its availability. Even more importantly, on the right-hand side, it provides quick shortcuts back to the host list and other elements associated with the current host: applications, items, triggers, graphs, discovery rules, and web scenarios. This is a handy way to switch between element categories for a single host without going through the host list all the time. But that's not all yet—click on the Filter button to open the filter we got thrown in our face before. The sophisticated filter appears again:

Using this filter, we can make complex rules about what items to display. Looking at the top-left corner of the filter, we can see that we are not limited to viewing items from a single host; we can also choose a Host group. When we need to, we can make filter choices and click on the Filter link underneath. Currently, it has only one condition: the Host field contains Another host, so the Items link from the host list we used was the one that set this filter. Clear out the Host field, choose Linux servers from the Host group field, and click on the Filter button below the filter.

Now, look right below the main item filter—that is a Subfilter, which, as its header informs, only affects data already filtered by the main filter.

The entries in the subfilter work like toggles—if we switch one on, it works as a filter on the data in addition to all other toggled subfilter controls. Let's click on Zabbix agent (active) now. Notice how the item list now contains only one item—this is what the number 1 represented next to this Subfilter toggle. But the subfilter itself now also looks different:

The option we enabled, Zabbix agent, has been highlighted. Numeric (float), on the other hand, is greyed out and disabled, as activating this toggle in addition to already active ones results in no items being displayed at all. While the Numeric (unsigned) toggle still has 1 listed next to it, which shows that enabling it will result in those many items being displayed, the Zabbix agent toggle instead has +3 next to it. This form represents the fact that activating this toggle will display three more items than are currently being displayed, and it is used for toggles in the same category. Currently, the subfilter has five entries, as it only shows existing values. Once we have additional and different items configured, this subfilter will expand. We have finished exploring these filters, so choose Another host from the Host field, click on the Filter button under the filter, and click on Create item.

When you have many different hosts monitored by Zabbix, it's quite easy to forget which version of the Zabbix agent daemon each host has, and even if you have automated software deploying in place, it is nice to be able to see which version each host is at, all in one place.

Use the following values:

When done! Click on the Add button. There are two notable things we did. Firstly, we set the information type to Character, which reloaded the form, slightly changing available options. Most notably, fields that are relevant for numeric information were hidden, such as units, multiplier, and trends.

Secondly, we entered a very large update interval, 86400, which is equivalent to 24 hours. While this might seem excessive, remember what we will be monitoring here—the Zabbix agent version, so it probably (hopefully) won't be changing several times per day. Depending on your needs, you might set it to even larger values, such as a week.

To check out the results of our work, go to Monitoring | Latest data:

If you don't see the data, wait a while; it should appear eventually. When it does, you should see the version of the Zabbix agent installed on the listed remote machine, and it might be a higher number than displayed here, as newer versions of Zabbix have been released. Notice one minor difference: while all the items we added previously have links named Graph on the right-hand side, the last one has one called History. The reason is simple: for textual items, graphs can't be drawn, so Zabbix does not even attempt to do that.

Now, about that waiting—why did we have to wait for the data to appear? Well, remember how active items work? The agent queries the server for the item list it should report on and then sends in data periodically, but this checking of the item list is also done periodically. To find out how often, open the zabbix_agentd.conf configuration file on the remote machine and look for the RefreshActiveChecks parameter. The default is 2 minutes, which is configured in seconds, thus listing 120 seconds. So, in the worst case, you might have had to wait for nearly 3 minutes to see any data as opposed to normal or passive items, where the server would have queried the agent as soon as the configuration change was available in its cache. In a production environment with many agents using active items, it might be a good idea to increase this value. Usually, item parameters aren't changed that often.

The way we configured ServerActive in the agent daemon configuration file, it connects to a single Zabbix server and sends data on items to the server. An agent can also work with multiple servers at the same time; we only have to specify additional addresses here as a comma-separated list. In that case, the agent will internally spawn individual processes to work with each server individually. This means that one server won't know what the other server is monitoring—values will be sent to each of them independently. On the other hand, even if several servers request data on individual items, this data will be collected several times, once for each server.

Working with multiple servers in active mode can be useful when migrating from one Zabbix instance to another. For a while, an agent could report to both the old and new servers. Yet another case where this is useful is a customer environment where the customer might have a local Zabbix server performing full-fledged monitoring, while an external company might want to monitor some aspects related to an application they are delivering.

For passive items, allowing incoming connections from multiple Zabbix servers is done the same way: by adding multiple IP addresses to the Server parameter.

We created some items that use the Zabbix agent in both directions and gather data. But those are hardly the only ones available. You could check out the list while creating an item again (go to Configuration | Hosts, click on Items for any host, and click on the Create item button, followed by the Select button next to the Key field) in order to see which items are built in for Zabbix agents, along with a short description for most of them.

Looking at the list, we can find out which categories of items Zabbix agents support natively: system configuration, network traffic, network services, system load and memory usage, filesystem monitoring, and others. But that does not mean everything you see there will work on any system that the Zabbix agent daemon runs on. As every platform has a different way of exposing this information and some parameters might even be platform-specific, it isn't guaranteed that every key will work on every host.

For example, when the disk drive statistics report changes to the userspace, the Zabbix agent has to specifically implement support for the new method; thus, older agent versions will support fewer parameters on recent Linux systems. If you are curious about whether a specific parameter works on a specific version of a specific operating system, the best way to find out is to check the Zabbix manual and then test it. Some of the most common agent item keys are as follows:

For most of these, various parameters an be specified to filter the result or choose a particular piece of information. For example, proc.num[,zabbix] will count all processes that the Zabbix user is running.

Even though we discussed Zabbix agents being active or passive, an agent really is neither one nor the other: the direction of the connections is determined by the item level. An agent can (and, by default, does) work in both modes at the same time. Nevertheless, we will have to choose which item type—active or passive—to use. The short version: active items are recommended.

To understand why, let's compare how the connections are made. With a passive agent, it is very simple:

One value means one connection. An active agent is a bit more complicated. Remember: in the active mode, the agent connects to the server; thus, the agent first connects to the Zabbix server and asks for a list of items to be monitored. The server then responds with items, their intervals, and any other relevant information:

At this point, the connection is closed and the agent starts collecting the information. Once it has some values collected, it sends them to the server:

Note that an active agent can send multiple values in one connection. As a result, active agents will usually result in a lower load on the Zabbix server and a smaller amount of network connections.

The availability icon in the host list represents passive items only; active items do not affect it at all. If a host has active items only, this icon will stay grey. In previous Zabbix versions, if you added passive items that failed and then converted them all to active items, this icon would still stay red. Zabbix 3.0.0 is the first version in which the icon is automatically reset back to grey.

Of course, there are some drawbacks to active items and benefits to passive items too. Let's try to summarize what each item type offers and in which situation they might be better.

The benefits of active items are as follows:

Here are the benefits of passive items:

We will discuss using and modifying templates in Chapter 8, Simplifying Complex Configuration with Templates.

What if we care only about the basic reachability of a host, such as a router or switch that is out of our control? ICMP ping (echo request and reply) would be an appropriate method for monitoring in that case, and Zabbix supports such simple checks. Usually, these won't work right away; to use them, we'll have to set up a separate utility, fping, which Zabbix uses for ICMP checks. It should be available for most distributions, so just install it using your distribution's package-management tools. If not, you'll have to download and compile fping manually; it's available at http://fping.sourceforge.net/.

Once fping is properly installed, Zabbix server must know where to find it and be able to execute it. On the Zabbix server, open zabbix_server.conf and look for the FpingLocation parameter. It is commented out by default, and it defaults to /usr/sbin/fping. You can quickly find the fping binary location with this command:

$ which fping

If one of the results is /usr/sbin/fping, you don't have to change this parameter. If not, modify the parameter to point to the correct fping location and restart the Zabbix server so that it knows about the configuration change. That's not it yet. Zabbix also needs to be able to run fping with administrative privileges, so execute the following as root:

# chgrp zabbix /usr/sbin/fping
# chmod 4710 /usr/sbin/fping

As the fping binary should have been owned by root before, this should be enough to allow its use by the Zabbix group as required; let's verify that.

As usual, navigate to Configuration | Hosts, click on Items next to Another host, and click on Create item. Set the following details:

When all fields have been correctly set, click on the Add button at the bottom. Perform the usual round trip to Monitoring | Latest data—ICMP ping should be recording data already. If you wait for a few minutes, you can also take a look at a relatively interesting graph to notice any changes in the network performance.

Here, we set up ICMP ping measuring network latency in seconds. If you wanted to simply test host connectivity, you would have chosen the icmpping key, which would only record whether the ping was successful or not. That's a simple way to test connectivity on a large scale, as it puts a small load on the network (unless you use ridiculously small intervals). Of course, there are things to be aware of, such as doing something different to test Internet connectivity—it wouldn't be enough to test the connection to your router, firewall, or even your provider's routers. The best way would be to choose several remote targets to monitor that are known to have a very good connection and availability.

For ICMP ping items, several parameters can be specified. For example, the full icmpping key syntax is as follows:

icmpping[<target>,<packets>,<interval>,<size>,<timeout>]

By default, target is taken from the host this item is assigned to, but that can be overridden. The packets parameter enables you to specify how many packets each invocation should issue—usually, the fping default is 3. The interval parameter enables you to configure the interval between these packets—usually, the fping default is 1 second against the same target, specified in milliseconds. As for size, here, the default of a single packet could differ based on the fping version, architecture, and maybe other parameters. And the last one—timeout—sets individual target timeouts, with a common default being 500 milliseconds.

Note that one should not set ICMP ping items with very large timeouts or packet counts; it can lead to weird results. For example, setting the packet count to 60 and using a 60-second interval on an item will likely result in that item missing every second value.

If you set up several ICMP ping items against the same host, Zabbix invokes the fping utility only once. If multiple hosts have ICMP ping items, Zabbix will invoke fping once for all hosts that have to be pinged at the same time with the same parameters (such as packet, size, and timeout).

Zabbix key parameters are comma-delimited and enclosed in square brackets. This means that any other character can be used in the parameters as is. If your parameters include commas or square brackets, they will have to be in quote marks. Here are a few examples:

What's up with the last one ? Well, Zabbix item keys are not shell-interpreted. Zabbix specifically supports double quotes for key parameter quoting. Single quotes are treated like any other character.

While we're working with items, let's explore some more tricks. Go to Configuration | Hosts, click on Items next to Another host, and then click on Incoming traffic on interface eth0 in the NAME column. In the item-editing form, click on the Clone button at the bottom. In the new form, modify the Key field so that it reads net.if.in[lo], and then click on the Add button at the bottom.

You might notice it right away, or go to Monitoring | Latest data and look at the list. Despite the fact that we only modified the key, the item name was updated accordingly as well:

That's what the $1 part in the item Name field is doing. It's working like a common positional parameter, taking the first parameter of the item key. If we had more parameters, we could access those for inclusion in the name with $2, $3, and so on. This is mostly useful in cases where you want to create several items that monitor different entities so that when cloning the items, you have to change only a single instance of the identifier. It's easier than it seems to miss some change when there are multiple locations, thus creating items with mismatched configuration.

Now that we have some more items configured, it's worth looking at another monitoring view. While we spent most of our time in Monitoring | Latest data, this time, navigate to Monitoring | Overview. The Type dropdown in the upper-right corner currently lists Triggers, which does not provide a very exciting view for us: we only have a single trigger created. But we did create several items, so switch this dropdown to Data:

This time, the overview page is a bit more interesting: we can see which hosts have which items and item values.

Now this looks quite good—we can see all of the monitored data in a compact form. Those 1 results that denote the status for various servers—what do they mean? Was 1 for a running state, or was it an error, like with exit codes? They surely aren't intuitive enough, so let's try to remedy that. Go to Configuration | Hosts, and click on Items for Another host. Select all three server status items (SMTP, SSH, and Web), and then look at the buttons at the bottom of the item list:

This time, we will want to make a single change for all the selected items, so the second button from the right looks like what we need—it says Mass update. Click on it:

Now that's an interesting screen—it allows us to change some parameters for multiple items at once. While doing that, only changes that are marked and specified are performed, so we can change some common values for otherwise wildly differing items. It allows us to set things such as the Update interval or any other parameter together for the selected items.

This time, we are interested in only one value—the one that decides how the value is displayed to us. Mark the checkbox next to the Show value entry to see the available options.

Looks like somebody has already defined entries here, but let's find out what it actually means before making a decision. Click on the Show value mappings link to the right on the same line:

Looking at the list, we can see various names, each of them having a list of mapped references. Look at the NAME column, where the predefined entries have hints about what they are good for. You can see UPS-related mappings, generic status/state, SNMP, and Windows service-related mappings. The VALUE MAP column shows the exact mappings that are assigned to each entry. But what exactly are they? Looking at the entries, you can see things such as 0 => Down or 1 => Up. Data arriving for an item that has a value mapping assigned will expose the descriptive mappings. You are free to create any mapping you desire. To create a new category of mapped data, you need to use the button in the upper-right corner called Create value map. We won't do that now, because one of the available mappings covers our needs quite well. Look at the entries—remember the items we were curious about? They were monitoring a service and they used 1 to denote a service that is running and 0 to denote a service that is down. Looking at the list, we can see an entry, Service state, which defines 0 as Down and 1 as Up—exactly what we need. Well, that means we don't have to create or modify any entries, so simply close this window.

Back in the mass-update screen, recall the mapping entries we just saw and remember which entry fit our requirements the best. Choose Service state from the dropdown for the only entry whose checkbox we marked—Show value:

When you are done, click on the Update button. This operation should complete successfully. You can click on the Details control in the upper-left corner to verify that all three items we intended were updated.

Let's see how our change affected information display. Configured and assigned value mappings are used in most Zabbix frontend locations where it makes sense. For example, let's visit that old friend of ours, Monitoring | Latest data. Take a close look at the various server status entries—Zabbix still shows numeric values for the reference, but each has conveniently listed an appropriate "friendly name" mapped value:

We have currently stopped the SMTP server to verify whether both 1 => Up and 0 => Down mappings work—as we can see, they do. Value mapping will be useful for returned data that works like code values—service states, hardware states (such as batteries), and other similar monitored data. We saw some predefined examples in the value-mapping configuration screen before, and you are free to modify or create new mappings according to your needs.

Value mapping can be used for integers, decimal values (floats), and strings. One use case for strings could be the mapping of different backup levels that a backup software might return:

Navigate back to Monitoring | Overview and again, look at the various server status entries for ANOTHER HOST:

While value mapping doesn't seem too useful when you have to remember a single monitored characteristic with only two possible states, it becomes very useful when there are many different possible states and many possible mappings so that in most locations, you will have a quick hint about what each numeric value means and you are always free to invent your own mappings for custom-developed solutions.

We previously configured units for some items, using values such as B or ms. While the effect was visible in the monitoring section quite easily, there are some subtle differences in the handling of different units.

Units is a freeform field. You can type anything in there, but some units will change their behavior when data is displayed:

Interestingly, for our ICMP ping item, we did not use any of these; we used ms instead. The reason is that in certain cases of a very small roundtrip, a value in seconds might be too small to properly store in the Zabbix database schema. By applying the multiplier of 1,000 in the item configuration, we converted the incoming value in seconds to milliseconds, which should never exceed the limits of the database schema. One downside would be that if a ping takes a long time, the value will not be displayed in seconds—we will have to figure it out from the millisecond value.

Another item property that we just briefly discussed was custom intervals. Most item types have their intervals configurable, which determines how often the item values should be collected. But what if we would like to change this interval based on the day of the week or the time of day? That is exactly what custom intervals enable us to do. There are two modes for custom intervals:

Flexible intervals

Flexible intervals override the normal interval for the specified time. For example, an item could collect values every 60 seconds, but that item might not be important during the weekend. In that case, a flexible interval could be added with an interval of 3600 and time specification of 6-7,00:00-24:00. During Saturdays and Sundays, this item would only be checked once an hour:

Note

Up to seven flexible intervals may be added for a single item.

Days are represented with the numbers 1-7 and a 24-hour clock notation of HH:MM-HH:MM is used.

Note

In case you were wondering, the week starts with a Monday here.

It is also possible to set the normal interval to 0 and configure flexible intervals. In this case, the item will only be checked at the times specified in the flexible intervals. This functionality can be used to check some item on a specific weekday only or even to simulate a crude scheduler. If an item is added with a normal interval of 0, a flexible interval of 60 seconds, and a time specification of 1,09:00-09:01, this item will be checked on Monday morning at 9 o'clock.

Note

Overlapping flexible intervals

If two flexible intervals with different values overlap, during the overlap period, the smallest value is used. For example, if flexible intervals with periods 1-5,00-24:00 and 5-6,12:00-24:00 are added to the same item, during Friday, from 12:00 to 24:00, the one that has the smallest interval will be used.

Custom scheduling

The example of having a flexible interval of 1 minute works, but it's not very precise. For more exact timing, the other custom interval type can be used: scheduling. This enables you to obtain item values at an exact time. It also has one major difference from flexible intervals. Flexible intervals change how an item is polled, but custom scheduling does not change the existing polling. Scheduled checks are executed in addition to the normal or flexible intervals.

It may sound a lot like crontab, but Zabbix custom scheduling uses its own syntax. The time prefix is followed by a filter entry. Multiple time prefix and filter values are concatenated, going from the biggest to the smallest. The supported time prefixes are:

• md: month days

• wd: weekdays

• h: hours

• m: minutes

• s: seconds

For example, an entry of m13 will schedule this item to be polled every hour at the beginning of minute 13. If it is combined with a weekday specification as wd3m13, it will be polled every hour at the beginning of minute 13 on Wednesdays only. Changing the weekday reference to the month day—or date—reference as md13m13 would make this item be polled every hour at the beginning of minute 13 on the thirteenth day only.

The example of polling the item on Monday morning at 09:00 we looked at before would be wd1h9:

The filter can also be a range. For example, polling an item at 09:00 on Monday, Tuesday, and Wednesday would be done as wd1-3h9.

At the end of the filter, we can also add a step through a slash. For example, wd1-5h6-10/2 would poll the item from Monday to Friday, starting at 06:00 every other hour until 10:00. The item would get polled at 06:00, 08:00 and 10:00. To make an item be polled every other hour all day long on all days, the syntax of h/2 can be used.

Multiple custom intervals may also be specified by separating them with a semicolon—wd1-5/2 and wd1;wd3;wd5 would both poll an item at the beginning of Monday, Wednesday, and Friday.

Looking at the same overview screen, the data seems easier to understand with textual hints provided for previously cryptic numeric values, but there's still a bit of not-so-perfect displaying. Notice the dashes displayed for the CPU load item for Another host and all other values for A test host. We didn't create corresponding items on both hosts, and item data is displayed here, which means missing items should be created for each host to gather the data. But recreating all items would be very boring. Luckily, there's a simple and straightforward solution to this problem.

Go to Configuration | Hosts and click on Items next to A test host. We had only a single item configured for this host, so mark the checkbox next to this item. Let's look at the available buttons at the bottom of the list again:

This time, we don't want to update selected items, but copy them to another host, so click on the Copy button. We want to copy these items to a specific host, so choose Hosts in the Target type dropdown and select Linux servers in the Group dropdown, which should leave us with a short list of hosts. We are copying from A test host to Another host; mark the checkbox next to the Another host entry and click on the Copy button:

When the operation has completed, change the Host filter field (expand the filter if it is closed) to Another host, and then click on Filter below the filter itself. Notice how the CPU load item has appeared in the list. This time, mark all the items except CPU load, because that's the only item A test host has. You can use the standard range selection functionality here—mark the checkbox next to the ICMP ping performance item (the first item in the range we want to select), hold down Shift on the keyboard, and click on the checkbox next to the Zabbix agent version (the last item in the range we want to select). This should select all the items between the two checkboxes we clicked on.

With those items selected, click on Copy below the item list. Choose Hosts in the Target type dropdown, choose Linux servers in the Group dropdown, mark only the checkbox next to A test host, and click on Copy. After that, click on the Details link in the upper-right corner. Notice how all the copied items are listed here. Let's take another look at Monitoring | Overview:

Great, that's much better! We can see all the data for the two hosts, with the numeric status nicely explained. Basically, we just cross-copied items that did not exist on one host from the other one.

But it only gets better—mouseover to the displayed values. Notice how the chosen row is highlighted. Let's click on one of the CPU load values:

As you can see, the overview screen not only shows you data in a tabular form, it also allows quick access to common timescale graphs and the Latest values for the item. Feel free to try that out.

When you have looked at the data, click on one of the Zabbix agent version values:

Notice how this time there are no entries for graphs. Remember: graphs were only available for numeric data, so Monitoring | Latest data and these overview screen pop-up menus offer the value history only.

The latest version of SNMP, version 3, is still not that common yet, and it is somewhat more complex than the previous versions. Device implementations can also vary in quality, so it might be useful to test your configuration of Zabbix against a known solution: Net-SNMP daemon. Let's add an SNMPv3 user to it and get a value. Make sure Net-SNMP is installed and that snmpd starts up successfully.

To configure SNMPv3, first stop snmpd, and then, as root, run this:

# net-snmp-create-v3-user -ro zabbix

This utility will prompt for a password. Enter a password of at least eight characters—although shorter passwords will be accepted here, it will fail the default length requirement later. Start snmpd again, and test the retrieval of values using version 3:

$ snmpget -u zabbix -A zabbixzabbix -v 3 -l authNoPriv localhost SNMPv2-MIB::sysDescr.0

This should return data successfully, as follows:

SNMPv2-MIB::sysDescr.0 = STRING: Linux another 3.11.10-29-default #1 SMP Thu Mar 5 16:24:00 UTC 2015 (338c513) x86_64

We don't need to configure versions 1 or 2c separately, so now we have a general SNMP agent, providing all common versions for testing or exploring.

In case you can't or don't want to copy vendor-specific MIB files to the Zabbix server, you can always use numeric OIDs, like we did before. While not being as descriptive, they are guaranteed to work even if the copied MIBs are not available for some reason or are removed during a system upgrade.

But how do we derive the corresponding numeric OID from a textual one? While we could use snmpget to retrieve the particular value and output it in numeric form, that requires the availability of the device and network roundtrip. Fortunately, there's an easier way: the snmptranslate command. To find out the numeric form of the OID, we can use PowerNet-MIB::upsAdvIdentSerialNumber.0:

$ snmptranslate -On PowerNet-MIB::upsAdvIdentSerialNumber.0
.1.3.6.1.4.1.318.1.1.1.1.2.3.0

You must have MIBs placed correctly and pass their names to Net-SNMP tools for translation to work.

The default output format for Net-SNMP tools is the short textual one, which only outputs the MIB name and object name. If you would like to find out the corresponding textual name, use the following:

$ snmptranslate .1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0

You can also use the -Of flag to output an OID in full notation:

$ snmptranslate -Of PowerNet-MIB::upsAdvIdentSerialNumber.0
.iso.org.dod.internet.private.enterprises.apc.products.hardware.ups.upsIdent.upsAdvIdent.upsAdvIdentSerialNumber.0

Previously, we monitored incoming traffic on the eth0 device using an active Zabbix agent daemon item. If we have snmpd set up and running, we can also try retrieving outgoing traffic, but this time, let's try to use SNMP for that.

Monitoring network traffic using the Zabbix agent daemon is usually easier, but SNMP monitoring is the only way to obtain this information for many network devices, such as switches and routers. If you have such a device available, you can try monitoring it instead, though the network interface name will most likely differ.

One way to find the item we are interested in would be to redirect the output of snmpwalk to a file and then examine that file. Looking at the output, there are lines such as these:

IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0

Great, so the desired interface, eth0 in this case, has an index of 2. Nearby, we can find actual information we are interested in—traffic values:

IF-MIB::ifOutOctets.1 = Counter32: 1825596052
IF-MIB::ifOutOctets.2 = Counter32: 1533857263

So, theoretically, we could add an item with the OID IF-MIB::ifOutOctets.2 and name it appropriately. Unfortunately, there are devices that change interface index now and then. Also, the index for a particular interface is likely to differ between devices, thus potentially creating a configuration nightmare. This is where dynamic index support in Zabbix comes into use.

Let's look at what a dynamic index item OID would look like in this case:

The index that this search will return will be added to the database OID, and the following queries will gather values from the resulting OID.

You can easily view the index to determine the correct string to search for with Net-SNMP tools:

$ snmpwalk -v 2c -c public localhost .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifDescr
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: sit0

As can be seen, this machine has three interfaces: loopback, Ethernet, and a tunnel. The picture will be very different for some other devices. For example, an HP ProCurve switch would return (with the output shortened) the following:

$ snmpwalk -v 2c -c public 10.196.2.233 .iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifDescr
IF-MIB::ifDescr.1 = STRING: 1
IF-MIB::ifDescr.2 = STRING: 2
...
IF-MIB::ifDescr.49 = STRING: 49
IF-MIB::ifDescr.50 = STRING: 50
IF-MIB::ifDescr.63 = STRING: DEFAULT_VLAN
IF-MIB::ifDescr.4158 = STRING: HP ProCurve Switch software loopback interface

Now that we know the OID to use for dynamic index items, let's create one such item in Zabbix. Navigate to Configuration | Hosts, click on Items next to the correct host you want to create the item for, and click on Create item. Fill in the following values:

Same as before, replace eth0 with an interface name that exists on the target system. When you are done, click on the Add button at the bottom.

The newly added item should start gathering data, so let's look at Monitoring | Latest data. If you don't see this item or the data for it, navigate back to Configuration | Hosts and click on Items next to the corresponding host—there should be an error message displayed that should help with fixing the issue. If you have correctly added the item, you'll see the traffic data, as follows:

Dynamic index items are quite common. Many network devices have fixed port names but varying indexes. Host-based SNMP agents place things such as disk usage and memory statistics in dynamic indexes; thus, if you have such devices to monitor, Zabbix support for them will be handy.

Using dynamic index items can slightly increase overall load, as two SNMP values are required to obtain the final data. Zabbix caches retrieved index information, so the load increase should not be noticeable.

A dynamic SNMP index enables us to easily monitor a specific interface or other entity by name, but it would not be a very efficient method for monitoring a larger number of interfaces. We will discuss an automated solution, low-level discovery, in Chapter 11, Advanced Item Monitoring.

You might have spotted the checkbox next to the SNMP interfaces section, Use bulk requests:

When requesting values from SNMP hosts, Zabbix may request one value at a time or multiple values in one go. Getting multiple values in one go is more efficient, so this is what Zabbix will try to do by default—it will ask for more and more values in one connection against a device until all SNMP items can be queried in one go or the device fails to respond. This approach enables us to find the number of values that a device is configured to return, or is technically capable of returning, in one go. No more than 128 values will be requested in one attempt, however.

Only items with identical parameters on the same interface will be queried at the same time—for example, if the community or the port is different, Zabbix will not try to get such values in one attempt.

There are quite a lot of devices that do not work properly when multiple values are requested; thus, it is possible to disable this functionality per interface.

Using embedded Perl code in snmptrapd is the easiest method to set up. Unless you need extra functionality, it is suggested to stick with this method.

We'll start by configuring snmptrapd to pass information to Zabbix. There is an example script in the Zabbix sources called misc/snmptrap/zabbix_trap_receiver.pl. Place this file in some reasonable location—perhaps a bin subdirectory in the Zabbix home directory. If the directory does not exist, create it, as follows:

# mkdir -p /home/zabbix/bin; chown zabbix /home/zabbix

Place the zabbix_trap_receiver.pl file in this directory:

# cp misc/snmptrap/zabbix_trap_receiver.pl /home/zabbix/bin

Now, on to instructing snmptrapd to use that script. We only need to tell the trap daemon to process all the received traps with this script. To do this, you'll have to find the location where your distribution places the Net-SNMP configuration files—usually, /etc/snmp/. In this directory, look for a file named snmptrapd.conf. If it's there, edit it (create a backup copy before you do anything); if it's missing, create it. Edit it as root and make it look as follows:

authCommunity execute public
perl do "/home/zabbix/bin/zabbix_trap_receiver.pl";

This will accept all traps that have the community set to public and pass them to the Perl receiver script.

Start or restart the trap daemon. It might be worth taking a quick look at the zabbix_trap_receiver.pl file. Notice the line that specifies the path:

$SNMPTrapperFile = '/tmp/zabbix_traps.tmp';

Behind the scenes, traps are passed to the Zabbix server through a temporary file. We'll discuss this in a bit more detail later in this chapter.

Filtering values by received data

Now on to the items on the Zabbix side. To test the most simple thing first, we will try to send values from the Zabbix server. Navigate to Configuration | Hosts, click on A test host in the NAME column, and click on Add in the SNMP interfaces section. Click on the Update button at the bottom, and then click on Items next to A test host. Click on Create item and enter these values:

• Name: SNMP trap tests

• Type: SNMP trap

• Key: snmptrap[test]

• Type of information: Character

When you're done, it should look like this:

This item will collect all traps that this host gets, if the traps contain the string test. We have the trap daemon configured to place traps in a file, and we have the item to place these traps in. What's left is telling the Zabbix server where to get the traps. Open zabbix_server.conf and modify the StartSNMPTrapper parameter:

StartSNMPTrapper=1

There is a special process in Zabbix that reads traps from a temporary file. This process is not started by default, so we changed that part of the configuration. Take a look at the parameter just above this one:

SNMPTrapperFile=/tmp/zabbix_traps.tmp

Notice how it matches the file in the Perl script. A change in the script should be matched by a change in this configuration file and vice versa. At this time, we will not change the location of this temporary file.

After these changes have been made, restart the Zabbix server daemon.

Now, we are ready to test this item. Let's send a trap by executing the following from the Zabbix server:

$ snmptrap -Ci -v 2c -c public localhost "" "NET-SNMP-MIB::netSnmpExperimental" NET-SNMP-MIB::netSnmpExperimental s "test"

This slightly non-optimal Net-SNMP syntax will attempt to send an SNMP trap to localhost using the public community and some nonsense OID. It will also wait for a response to verify that snmptrapd has received the trap successfully—this is achieved by the -Ci flag. It uses the default port, 162, so make sure the port is open in your firewall configuration on the Zabbix server to receive traps.

Note

Waiting for confirmation also makes snmptrap retransmit the trap. If the receiving host is slow to respond, the trap might be received multiple times before the sender receives confirmation.

If the command is successful, it will finish without any output. If it fails with the snmpinform: Timeout error message, then several things could have gone wrong. As well as double-checking that UDP port 162 is open for incoming data, verify that the community in the /etc/snmp/snmptrapd.conf file matches the one used in the snmptrap command and that the snmptrapd daemon is actually running.

If everything goes well, we should be able to see this item with a value on the latest data page:

Now, let's send a different trap. Still on the Zabbix server, run this:

$ snmptrap -Ci -v 2c -c public localhost "" "NET-SNMP-MIB::netSnmpExperimental" NET-SNMP-MIB::netSnmpExperimental s "some other trap"

This trap will not appear in the item we created. What happened to it? As the value that we sent did not contain the string test, this value did not match the one in the item. By default, such traps are logged in the server logfile. If we check the logfile, it should have something similar to the following:

9872:20160318:232004.319 unmatched trap received from "127.0.0.1": 23:20:02 2016/03/18 PDU INFO:
 requestid                      253195749
 messageid                      0
 transactionid                  5
 version                        1
 notificationtype               INFORM
 community                      public
 receivedfrom                   UDP: [127.0.0.1]:54031→[127.0.0.1]:162
 errorindex                     0
 errorstatus                    0
VARBINDS:
 DISMAN-EVENT-MIB::sysUpTimeInstance type=67 value=Timeticks: (2725311) 7:34:13.11
 SNMPv2-MIB::snmpTrapOID.0      type=6  value=OID: NET-SNMP-MIB::netSnmpExperimental
 NET-SNMP-MIB::netSnmpExperimental type=4  value=STRING: "some other trap"

This is not so easy to trigger on, or even see in, the frontend at all. We will improve the situation and tell Zabbix to handle such unmatched traps for this host by placing them in a special item. Navigate to Configuration | Hosts, click on Items next to A test host, click on Create item, and then fill in these values:

• Name: SNMP trap fallback

• Type: SNMP trap

• Key: snmptrap.fallback

• Type of information: Character

When you're done, click on the Add button at the bottom.

The key we used here, snmptrap.fallback, is a special one. Any trap that does not match any of the snmptrap[] items will be placed here. Retry sending our previously unmatched trap:

$ snmptrap -Ci -v 2c -c public localhost "" "NET-SNMP-MIB::netSnmpExperimental" NET-SNMP-MIB::netSnmpExperimental s "some other trap"

Let's check the latest data page again:

The fallback item got the value this time. To see what the value looks like, let's click on the History link next to one of these items:

It contains quite a lot of information, but it also looks a bit strange, almost as if the value was cut. Turns out, with this method, the trap information that is recorded in the database is quite verbose and the character information type does not offer enough space for it—this type is limited to 255 characters. We cannot even see the string we sent in the trap that matched or failed to match the filter. Let's try to fix this with the mass update functionality again. Go to Configuration | Hosts and click on Items next to A test host. Mark the checkboxes next to both SNMP trap items and click on the Mass update button. In the resulting form, mark the checkbox next to Type of information and choose Text:

Click on the Update button. This should have fixed it, but we don't know that for sure yet. Let's verify—send both of these traps again:

$ snmptrap -Ci -v 2c -c public localhost "" "NET-SNMP-MIB::netSnmpExperimental" NET-SNMP-MIB::netSnmpExperimental s "test"
$ snmptrap -Ci -v 2c -c public localhost "" "NET-SNMP-MIB::netSnmpExperimental" NET-SNMP-MIB::netSnmpExperimental s "some other trap"

If we look at the history of one of these items now, we will see that this change has indeed helped, and much more information is displayed—including the custom string we used for distributing these values across items:

Note

If the value is still cut, you might have to wait a bit more for the configuration cache to be updated and resend the trap.

The first item we created, with the snmptrap[test] key, can actually have a regular expression as the item parameter. This allows us to perform more advanced filtering, such as getting a link up and down traps in a single item. If a trap matches expressions from multiple items, it would get copied to all of those items.

Filtering values by originating host

We figured out how to get values in specific items, but how did Zabbix know that it should place these values in A test host? This happens because the address of the host that the trap came from matches the address in the SNMP interface for these items. To test this, let's copy the trap items to Another host. Navigate to Configuration | Hosts and click on Items next to A test host. Mark the checkboxes next to both SNMP trap items and click on the Copy to button. Choose Hosts from the Target type dropdown and mark the checkbox next to Another host. Then, click on Copy.

Note

If you added an SNMP interface to Another host earlier, this operation might succeed.

Looks like that failed, and Zabbix complains that it can not find an interface. Another host did not have an SNMP interface; thus, these items can not be attached to any interface at all. Go to Configuration | Hosts, click on Another host, then add a new SNMP interface with the address that this host has, and click on Update. Try to copy the SNMP trap items from A test host to Another host the same way as done previously, and it should succeed now:

With the items in place, let's test them. Send two test traps from Another host, the same way we sent them from the Zabbix server before:

$ snmptrap -Ci -v 2c -c public <Zabbix server> "" "NET-SNMP-MIB::netSnmpExperimental" NET-SNMP-MIB::netSnmpExperimental s "test"
$ snmptrap -Ci -v 2c -c public <Zabbix server> "" "NET-SNMP-MIB::netSnmpExperimental" NET-SNMP-MIB::netSnmpExperimental s "some other trap"

Replace <Zabbix server> with the IP or DNS name of the Zabbix server. These commands should complete without any error messages.

The traps should be placed properly in the items on Another host.