RipEX Scripts in Zabbix

Print version

8. RipEX Scripts in Zabbix

By default, there are no ready-to-be-used actions in Zabbix such as configuration backup or firmware upgrade. The Zabbix NMS is a general system which requires special features to be implemented by RACOM or by the user himself.

We provide the user with a guide how to use and define these special features and within the RipEX template, we already prepared several examples:

  • Configuration backup

  • Displaying the current RSS

[Note]Note

If you have troubles running those scripts or making your own, contact us on .

The whole implementation can be quite time consuming, but once you successfully run the first script, the others are very similar and its implementation is straightforward.

Within the Template, there are two scripts. As you know realize, having the configuration backup files can be crucial if replacing the unit. There is nothing easier than just uploading the configuration file into a brand new RipEX unit.

8.1. Zabbix Configuration

Before creating and running the first scripts, you need to prepare the Zabbix server (and the Linux operating system). In this example, we configure the CentOS 7 operating system with Zabbix 3 installed via packaging system.

The following steps can be done in different order, but following this order is absolutely fine.

8.1.1. Zabbix Server Configuration File

By default, the zabbix_server configuration file is located in the /etc/zabbix/zabbix_server.conf file. Find the line with “SSHKeyLocation” parameter and define it with this value:

SSHKeyLocation=/home/zabbix/.ssh

This is the location of the RSA private SSH key which will be used to access the RipEX units.

Restart the Zabbix server afterwards.

# systemctl restart zabbix-server

8.1.2. Uploading the Template Scripts

The scripts must be uploaded manually to a correct directory manually. The default directory is /usr/lib/zabbix/externalscripts/. Copy the script files from the ZIP Template file to this directory. The target state should look similar to this output:

# ls -l /usr/lib/zabbix/externalscripts/
total 48
-rwxr-xr-x. 1 zabbix zabbix    680 Mar  9 17:28 ripex_cli_cnf_textfile_get.sh
-rwxr-xr-x. 1 zabbix zabbix    111 Mar  8 15:56 ripex_cli_rss_show.sh
-rw-r--r--. 1 zabbix zabbix    77 Mar 15 08:31 script-log.txt
-rwxr-xr-x. 1 zabbix zabbix 17200 Mar  1 13:24 snmptrap.sh

There are two executable scripts via the Zabbix web interface (starting with “ripex_”). The LOG output of those scripts is in script-log.txt file. There is also the snmptrap.sh file which you should have there for the SNMP TRAP/INFORM functionality.

Make sure that the files have the zabbix user/group and are executable.

# chown zabbix:zabbix /usr/lib/zabbix/externalscripts/*
# chmod +x /usr/lib/zabbix/externalscripts/*

8.1.3. Zabbix User Configuration

The Zabbix user cannot login to the bash by default. We need modify the /etc/passwd file as follows:

# chsh -s /bin/bash zabbix
# cat /etc/passwd
zabbix:x:996:994:Zabbix Monitoring System:/home/zabbix:/bin/bash

Make sure that the last part after the “:” has a correct path to the bash binary.

If not already created, create the HOME directory for the Zabbix user.

# usermod -m -d /home/zabbix zabbix
# chown zabbix:zabbix /home/zabbix
# chmod 700 /home/zabbix
[Note]Note

You may need to run the “usermod” command once again.

Create the directories for the saved configuration and firmware files and change the access rights.

# mkdir /home/zabbix/configuration-backup
# mkdir /home/zabbix/firmware
# mkdir /home/zabbix/configuration-backup/ripex
# mkdir /home/zabbix/firmware/ripex
# chown -R zabbix:zabbix /home/zabbix/

8.1.4. SSH Access to RipEX units

The directory for the SSH key should now be located in /home/zabbix/.ssh directory. Change the current directory to this one and login as zabbix.

# su zabbix

A new prompt appears. Because, we cannot access the RipEX units using their password via scripts, we need to upload the SSH keys into every unit we want to control. You can either have you own RSA/DSA key or you can create a new one following this example. Run

bash-4.2$ ssh-keygen -t rsa

Follow the guide of the ssh-keygen application and leave the passphrase empty.

To copy our RSA key into the RipEX units, run the following command:

bash-4.2$ ssh-copy-id admin@10.250.2.225

Just replace 10.250.2.225 with the correct RipEX IP address. The prompt will ask for the Admin password, fill it in and click Enter. Now, you should have the access into the unit without using a password. Check it via this command:

bash-4.2$ ssh admin@10.250.2.225

You should be logged in the RipEX unit without writing the password.

8.1.5. Scripts in the Zabbix Web Interface

The script files can be downloaded within the template ZIP file. Save them in the correct direktory (/usr/lib/zabbix/externalscripts/) of your Zabbix distribution. Then, the scripts must be manually created in the Zabbix Administration – Scripts menu. See the example below and create Zabbix scripts for all RipEX scripts.

RipEX scripts

Fig. 8.1: RipEX scripts

If you open one of them, you can modify them as required.

Script configuration

Fig. 8.2: Script configuration

The Type must be set to “Script” and the Execute on parameter to “Zabbix server”. The command can be modified as required. There is a full path to the script saved on the server and the parameters. The script output is appended to the mentioned log file.

The script can apply to ALL hosts or just one group – in our example, the group name is “RipEX”.

The parameters are MACROs which should be enabled by default due to our Template. Each RipEX unit uses the SSH port 22 and the SSH key saved in /home/zabbix/.ssh/id_rsa file by default. If you need to modify any of these parameters, go to the Configuration – Hosts menu and edit the particular Host’s MACROs (Inherited and host macros submenu).

Host MACROs

Fig. 8.3: Host MACROs

To edit any of the parameters, click on the “Change” button and Update the Host.

8.1.6. SELinux Restrictions

If the operating system is CentOS 7 and has the SELinux security option enabled, the scripts will not run properly due to these restrictions.

If you run the script, but it will not run properly, check the following output via the command line:

# ausearch -m avc|tail -n 3

It can display a similar output:

time->Tue Mar  8 14:12:31 2016
type=SYSCALL msg=audit(1457442751.052:8277): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f11466de620 a2=10 a3=56decfbf items=0 ppid=4929 pid=2936 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(1457442751.052:8277): avc:  denied  { name_connect } for  pid=2936 comm="ssh" dest=8021 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zope_port_t:s0 tclass=tcp_socket

The issue here is that the SSH cannot be run from the Web interface. To enable it, you can run the following commands. Note that the first command installs some binaries to control SELinux rules. If already installed, you do not need them.

# yum install policycoreutils-devel
# mkdir -p /root/local-policy-modules/zabbix
# cd /root/local-policy-modules/zabbix
# grep "denied" /var/log/audit/audit.log|tail -n 2 > avc.log
# audit2allow -M zabbix_script_ssh -R -i avc.log
# semodule -i zabbix_script_ssh.pp
[Important]Important

Do not rush with SELinux rules, if you understand the SELinux, make the required changes. If not, please consult us.

A similar approach is required for the Bash, SNMP traps, logging the script output, etc.

8.1.7. Testing Scripts

The scripts can be tested via clicking on the Hosts in the Web interface. You can click on them when they are displayed within the Last 20 Issues on your Dashboard, or within Maps where they are always displayed.

Scripts in the Maps

Fig. 8.4: Scripts in the Maps

If you click on any of the script, the corresponding script runs and the output is displayed in the pop-up window. You can test the Zabbix general ones such as “Ping” or “Traceroute” first.

[Note]Note

You may be required to change the SELinux rules or to install “traceroute” application via the command line (yum install).

The easiest script displays the current RSS level. The level (in dBm) should be displayed within several seconds in the pop-up window.

Another script is the Configuration backup. The expected output should display a full path to the stored file (in the /home/zabbix/configuration-backup/ripex directory).

Reading the watched values script is working in a different manner. It is used as an external check Item. If you open the Application called “Watched value via script”, you will see 17 readable watched values.

Once configured correctly, running the scripts is easy. If you need to add a new host, just copy the SSH key and you are ready to use it. And if a new script is required, see these examples and create your own scripts or consult creating them with our technical support at .