{"id":668,"date":"2018-10-18T07:22:56","date_gmt":"2018-10-18T07:22:56","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/?p=668"},"modified":"2018-10-18T15:35:25","modified_gmt":"2018-10-18T15:35:25","slug":"configure-zabbix-monitoring-server-with-puppet-lisenet-com-linux-security","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/18\/configure-zabbix-monitoring-server-with-puppet-lisenet-com-linux-security\/","title":{"rendered":"Configure Zabbix Monitoring Server with Puppet | Lisenet.com :: Linux | Security"},"content":{"rendered":"

We\u2019re going to use Puppet to install and configure a Zabbix server. We will also allow active Zabbix agent auto-registration.<\/p>\n

This article is part of the Homelab Project with KVM, Katello and Puppet<\/a> series.<\/p>\n

Homelab<\/h2>\n

We have a CentOS 7 VM installed which we want to configure as a Zabbix server:<\/p>\n

monitoring.hl.local (10.11.1.13) \u2013 Zabbix server with agent auto-registration<\/p>\n

SELinux set to enforcing mode.<\/p>\n

See the image below to identify the homelab part this article applies to.<\/p>\n

\"\"<\/p>\n

Zabbix LTS and PHP<\/h2>\n

We want to use a stable Zabbix LTS release, which is Zabbix 3.0 at the time of writing.<\/p>\n

Note that Zabbix 3.0 LTS release supports PHP 5.4 or later, however PHP v7 is not supported yet. For more info, see Zabbix documentation<\/a>.<\/p>\n

Also note that PHP 5.6 will receive security support until 31 December 2018. For more info, see PHP supported versions<\/a>. We will therefore use Remi\u2019s PHP 5.6 repository served by Katello (we configured it here<\/a>).<\/p>\n

Configuration with Puppet<\/h2>\n

Puppet master runs on the Katello<\/a> server.<\/p>\n

Puppet Modules<\/h3>\n

We use puppet-zabbix<\/a> Puppet module to configure the server. We also use puppetlabs-apache<\/a> and puppetlabs-mysql<\/a> to configure frontend and backend services.<\/p>\n

Please see each module\u2019s documentation for features supported and configuration options available.<\/p>\n

Manage Firewall<\/h3>\n

We start with firewall configuration:<\/p>\n

firewall { ‘007 allow Zabbix active checks’:
\ndport => [10051],
\nsource => ‘10.11.1.0\/24’,
\nproto => tcp,
\naction => accept,
\n}->
\nfirewall { ‘008 allow Zabbix WebUI’:
\ndport => [80, 443],
\nsource => ‘10.11.1.0\/24’,
\nproto => tcp,
\naction => accept,
\n}<\/p>\n

Install Apache<\/h3>\n

We use Apache to run Zabbix frontend, and MySQL as Zabbix backend database.<\/p>\n

Do a minimal Apache install only, but make sure that a PHP module is loaded:<\/p>\n

class { ‘apache’:
\ndefault_vhost => false,
\ndefault_ssl_vhost => false,
\ndefault_mods => false,
\nmpm_module => ‘prefork’,
\nserver_signature => ‘Off’,
\nserver_tokens => ‘Prod’,
\ntrace_enable => ‘Off’,
\n}
\ninclude apache::mod::php<\/p>\n

Install MySQL<\/h3>\n

MySQL 5.7 repository is served by Katello (we configured it here<\/a>).<\/p>\n

class { ‘mysql::server’:
\npackage_name => ‘mysql-community-server’,
\nservice_name => ‘mysqld’,
\nroot_password => ‘PleaseChangeMe’,
\ncreate_root_my_cnf => true,
\nmanage_config_file => true,
\nconfig_file => ‘\/etc\/my.cnf’,
\npurge_conf_dir => true,
\nrestart => true,
\noverride_options => {
\nmysqld => {
\nbind-address => ‘127.0.0.1’,
\ndatadir => ‘\/var\/lib\/mysql’,
\nlog-error => ‘\/var\/log\/mysqld.log’,
\npid-file => ‘\/var\/run\/mysqld\/mysqld.pid’,
\nwait_timeout => ‘3600’,
\ninteractive_timeout => ‘3600’,
\n},
\nmysqld_safe => {
\nlog-error => ‘\/var\/log\/mysqld.log’,
\n},
\n},
\nremove_default_accounts => true,
\n}<\/p>\n

Install Zabbix Server<\/h3>\n

Zabbix 3.0 repository is served by Katello. Since this is the case, we set manage_repo to false.<\/p>\n

class { ‘zabbix’:
\nzabbix_version => ‘3.0’,
\nzabbix_url => ‘monitoring.hl.local’,
\ndatabase_type => ‘mysql’,
\nmanage_repo => false,
\nmanage_firewall => true,
\nmanage_vhost => true,
\napache_use_ssl => true,
\n}<\/p>\n

If all goes well, at this point Zabbix should be up and running.<\/p>\n

Configure Active Agent Auto-Registration<\/h2>\n

This part should be configured after the server has been created.<\/p>\n

It is possible to allow active Zabbix agent auto-registration, after which the server can start monitoring them. This way new hosts can be added for monitoring without configuring them manually on the server.<\/p>\n

When installed succesfully, Zabbix web interface will be accessibe and we can log in with the default credentials:<\/p>\n

    \n
  1. Username: Admin<\/li>\n
  2. Password: zabbix<\/li>\n<\/ol>\n

    In the Zabbix frontend, go to Configuration > Actions, select Auto registration as the event source and click on Create action. Use something like this:<\/p>\n

      \n
    1. Name: Linux host autoregistration<\/li>\n
    2. Conditions: none<\/li>\n
    3. Operations: Link to templates: Template OS Linux<\/li>\n<\/ol>\n

      See the image below for more info.<\/p>\n

      \"\"<\/p>\n

      We don\u2019t use any conditions here as it\u2019s optional and not really necessary for the homelab, however, we could use HostMetadataItem=system.uname if we wanted to separate say Linux servers from Windows.<\/p>\n

      Install Zabbix Agents on All Servers<\/h2>\n

      By now we should have our Zabbix server running with agent auto-registration enabled. One thing that is still left to do is to configure Puppet to install a Zabbix agent on all homelab servers, and allow Zabbix passive checks.<\/p>\n

      This needs to go in to the main environment manifest file \/etc\/puppetlabs\/code\/environments\/homelab\/manifests\/site.pp so that configuration is applied to all servers.<\/p>\n

      class { ‘zabbix::agent’:
      \nzabbix_version => ‘3.0’,
      \n## Do not use DNS, use IP address.<\/em>
      \nserver => ‘10.11.1.13’,
      \n## Do not set logtype to ‘system’ unless you want
      \n## to find yourself debugging SELinux problems.<\/em>
      \nlogtype => ‘file’,
      \nlogfile => ‘\/var\/log\/zabbix\/zabbix_agentd.log’,
      \n## Use Katello repository<\/em>
      \nmanage_repo => false,
      \nmanage_firewall => false,
      \nmanage_selinux => true,
      \n## Zabbix Agent does not work well with SELinux
      \n## See: https:\/\/support.zabbix.com\/browse\/ZBX-12592<\/em>
      \nselinux_require => [
      \n‘type kernel_t’,
      \n‘type devlog_t’,
      \n‘type zabbix_agent_t’,
      \n‘class sock_file write’,
      \n‘class process setrlimit’,
      \n‘class unix_dgram_socket ‘,
      \n],
      \nselinux_rules => { ‘zabbix_agent_t’ => [
      \n‘allow zabbix_agent_t kernel_t:unix_dgram_socket sendto’,
      \n‘allow zabbix_agent_t self:process setrlimit’,
      \n‘allow zabbix_agent_t self:unix_dgram_socket { connect create }’,
      \n]
      \n},
      \n## Allow active Zabbix agent auto-registration,
      \n## after which the server can start monitoring them.<\/em>
      \nserveractive => ‘monitoring.hl.local’,
      \nhostmetadata => ‘system.uname’,
      \n}<\/p>\n

      Configure firewall on all servers to allow Zabbix passive checks:<\/p>\n

      firewall { ‘006 allow Zabbix passive checks’:
      \nproto => ‘tcp’,
      \nsource => ‘monitoring.hl.local’,
      \ndport => ‘10050’,
      \naction => ‘accept’,
      \n}<\/p>\n

      The end result should be similar to this:<\/p>\n

      \"\"<\/p>\n

      All agents auto-register with the server.<\/p>\n

      Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

      We\u2019re going to use Puppet to install and configure a Zabbix server. We will also allow active Zabbix agent auto-registration. This article is part of the Homelab Project with KVM, Katello and Puppet series. Homelab We have a CentOS 7 VM installed which we want to configure as a Zabbix server: monitoring.hl.local (10.11.1.13) \u2013 Zabbix … <\/p>\n

      Continue reading “Configure Zabbix Monitoring Server with Puppet | Lisenet.com :: Linux | Security”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-668","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=668"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/668\/revisions"}],"predecessor-version":[{"id":797,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/668\/revisions\/797"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}