By default, there are no ready-to-be-used actions in Zabbix such as configuration backup or firmware upgrade. The Zabbix NMS is a general system which requires special features to be implemented by RACOM or by the user himself.
We provide the user with a guide how to use and define these special features and within the RipEX template, we already prepared several examples:
Configuration backup
Displaying the current RSS
![[Note]](/images/radost/images/icons/note.png){kind=icon} | Note |
|---|---|
If you have troubles running those scripts or making your own,
contact us on |
The whole implementation can be quite time consuming, but once you successfully run the first script, the others are very similar and its implementation is straightforward.
Within the Template, there are two scripts. As you know realize, having the configuration backup files can be crucial if replacing the unit. There is nothing easier than just uploading the configuration file into a brand new RipEX unit.
Before creating and running the first scripts, you need to prepare the Zabbix server (and the Linux operating system). In this example, we configure the CentOS 7 operating system with Zabbix 3 installed via packaging system.
The following steps can be done in different order, but following this order is absolutely fine.
By default, the zabbix_server configuration file is located in the /etc/zabbix/zabbix_server.conf file. Find the line with “SSHKeyLocation” parameter and define it with this value:
SSHKeyLocation=/home/zabbix/.ssh
This is the location of the RSA private SSH key which will be used to access the RipEX units.
Restart the Zabbix server afterwards.
# systemctl restart zabbix-server
The scripts must be uploaded manually to a correct directory manually. The default directory is /usr/lib/zabbix/externalscripts/. Copy the script files from the ZIP Template file to this directory. The target state should look similar to this output:
# ls -l /usr/lib/zabbix/externalscripts/ total 48 -rwxr-xr-x. 1 zabbix zabbix 680 Mar 9 17:28 ripex_cli_cnf_textfile_get.sh -rwxr-xr-x. 1 zabbix zabbix 111 Mar 8 15:56 ripex_cli_rss_show.sh -rw-r--r--. 1 zabbix zabbix 77 Mar 15 08:31 script-log.txt -rwxr-xr-x. 1 zabbix zabbix 17200 Mar 1 13:24 snmptrap.sh
There are two executable scripts via the Zabbix web interface
(starting with “ripex_”). The LOG output of those scripts is in
script-log.txt file. There is also the
snmptrap.sh file which you should have there for the SNMP
TRAP/INFORM functionality.
Make sure that the files have the zabbix user/group and are executable.
# chown zabbix:zabbix /usr/lib/zabbix/externalscripts/* # chmod +x /usr/lib/zabbix/externalscripts/*
The Zabbix user cannot login to the bash by default. We need
modify the /etc/passwd file as follows:
# chsh -s /bin/bash zabbix # cat /etc/passwd zabbix:x:996:994:Zabbix Monitoring System:/home/zabbix:/bin/bash
Make sure that the last part after the “:” has a correct path to the bash binary.
If not already created, create the HOME directory for the Zabbix user.
# usermod -m -d /home/zabbix zabbix # chown zabbix:zabbix /home/zabbix # chmod 700 /home/zabbix
| Note |
|---|---|
You may need to run the “usermod” command once again. |
Create the directories for the saved configuration and firmware files and change the access rights.
# mkdir /home/zabbix/configuration-backup # mkdir /home/zabbix/firmware # mkdir /home/zabbix/configuration-backup/ripex # mkdir /home/zabbix/firmware/ripex # chown -R zabbix:zabbix /home/zabbix/
The directory for the SSH key should now be located in
/home/zabbix/.ssh directory. Change the current directory
to this one and login as zabbix.
# su zabbix
A new prompt appears. Because, we cannot access the RipEX units using their password via scripts, we need to upload the SSH keys into every unit we want to control. You can either have you own RSA/DSA key or you can create a new one following this example. Run
bash-4.2$ ssh-keygen -t rsa
Follow the guide of the ssh-keygen application and leave the passphrase empty.
To copy our RSA key into the RipEX units, run the following command:
bash-4.2$ ssh-copy-id admin@10.250.2.225
Just replace 10.250.2.225 with the correct RipEX IP address. The prompt will ask for the Admin password, fill it in and click Enter. Now, you should have the access into the unit without using a password. Check it via this command:
bash-4.2$ ssh admin@10.250.2.225
You should be logged in the RipEX unit without writing the password.
The script files can be downloaded within the template
ZIP file. Save them in the correct
direktory (/usr/lib/zabbix/externalscripts/) of your
Zabbix distribution. Then, the scripts must be manually created in the
Zabbix Administration – Scripts menu. See the example below and create
Zabbix scripts for all RipEX scripts.
If you open one of them, you can modify them as required.
The Type must be set to “Script” and the Execute on parameter to “Zabbix server”. The command can be modified as required. There is a full path to the script saved on the server and the parameters. The script output is appended to the mentioned log file.
The script can apply to ALL hosts or just one group – in our example, the group name is “RipEX”.
The parameters are MACROs which should be enabled by default due to our Template. Each RipEX unit uses the SSH port 22 and the SSH key saved in /home/zabbix/.ssh/id_rsa file by default. If you need to modify any of these parameters, go to the Configuration – Hosts menu and edit the particular Host’s MACROs (Inherited and host macros submenu).
To edit any of the parameters, click on the “Change” button and Update the Host.
If the operating system is CentOS 7 and has the SELinux security option enabled, the scripts will not run properly due to these restrictions.
If you run the script, but it will not run properly, check the following output via the command line:
# ausearch -m avc|tail -n 3
It can display a similar output:
time->Tue Mar 8 14:12:31 2016
type=SYSCALL msg=audit(1457442751.052:8277): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7f11466de620 a2=10 a3=56decfbf items=0 ppid=4929 pid=2936 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ssh" exe="/usr/bin/ssh" subj=system_u:system_r:zabbix_t:s0 key=(null)
type=AVC msg=audit(1457442751.052:8277): avc: denied { name_connect } for pid=2936 comm="ssh" dest=8021 scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:zope_port_t:s0 tclass=tcp_socket
The issue here is that the SSH cannot be run from the Web interface. To enable it, you can run the following commands. Note that the first command installs some binaries to control SELinux rules. If already installed, you do not need them.
# yum install policycoreutils-devel # mkdir -p /root/local-policy-modules/zabbix # cd /root/local-policy-modules/zabbix # grep "denied" /var/log/audit/audit.log|tail -n 2 > avc.log # audit2allow -M zabbix_script_ssh -R -i avc.log # semodule -i zabbix_script_ssh.pp
![[Important]](/images/radost/images/icons/important.png){kind=icon} | Important |
|---|---|
Do not rush with SELinux rules, if you understand the SELinux, make the required changes. If not, please consult us. |
A similar approach is required for the Bash, SNMP traps, logging the script output, etc.
The scripts can be tested via clicking on the Hosts in the Web interface. You can click on them when they are displayed within the Last 20 Issues on your Dashboard, or within Maps where they are always displayed.
If you click on any of the script, the corresponding script runs and the output is displayed in the pop-up window. You can test the Zabbix general ones such as “Ping” or “Traceroute” first.
| Note |
|---|---|
You may be required to change the SELinux rules or to install “traceroute” application via the command line (yum install). |
The easiest script displays the current RSS level. The level (in dBm) should be displayed within several seconds in the pop-up window.
Another script is the Configuration backup. The expected output should display a full path to the stored file (in the /home/zabbix/configuration-backup/ripex directory).
Reading the watched values script is working in a different manner. It is used as an external check Item. If you open the Application called “Watched value via script”, you will see 17 readable watched values.
Once configured correctly, running the scripts is easy. If you
need to add a new host, just copy the SSH key and you are ready to use
it. And if a new script is required, see these examples and create
your own scripts or consult creating them with our technical support
at <support@racom.eu>.
