Passive proxy¶
Lets try to setup our passive proxy
.
Things should be very simple just make sure you have a VM that you can use to install a proxy.
Zabbix Gui config¶
First we will have to add the config in our Zabbix server frontend. From our Administration menu choose the menu Proxies
.
Go to the upper right corner of the screen and press Create proxy
You will now get a pop-up like shown here. Fill in the proxy name. I have chosen for ProxyP as it will be our passive proxy. You can use for yourself whatever you like.
In production I would suggest to use names that make it easy for you to see it's a proxy and where the proxy belongs to. Ex: what vlan or what division ....
Choose Proxy mode Passive
and fill in the IP of your virtualmachine. Here besides IP we also have the option to specify a port. This is standard 10051, Zabbix proxy will listen on the same port as our Zabbix server does.
When done press Add
at the bottom.
Zabbix Proxy config¶
Ok now that this is done lets go to the VM where we like to install our proxy and add the Zabbix repository so we can install our needed packages.
rpm -Uvh https://repo.zabbix.com/zabbix/7.0/rhel/9/x86_64/zabbix-release-7.0-1.el9.noarch.rpm
Zabbix provides the proxy with the option to connecto to a SQLiteDB this can be enough for most setups. In case you need more performance from the DB there is also the option to install the Proxy with a PostgreSQL or MySQL DB. We will cover how to do with the SQLite db as this is the most easy way. We show you later what to look for if installing a proxy With MySQL or PostgreSQL.
dnf install zabbix-proxy-sqlite3 zabbix-selinux-policy -y
Once this is done let's change the proxy configuration by editing the proxy configuration file.
vi /etc/zabbix/zabbix_proxy.conf
Here a few parameters needs to be changed before we can use our proxy
- ProxyMode=
- Server=
- DBName=
- Hostname=
Change them according to your settings:
- ProxyMode=1
- Server=< zabbix server ip >
- Hostname=ProxyA ( or the name you have used in your Zabbix frontend for the Proxy )
- DBName=/tmp/zabbix_proxy.db
The parameters are explained as follows:
- ProxyMode: This is standard 0 for Active proxy we have to change this to 1 this will turn our proxy into a Passive proxy. Be careful there is a
#
in front of the parameter this needs to be removed. If not Zabbix will not read this value in stay in Active mode. - Server: Same as with passive agents. We have to specify the IP or DNS name or a list of IPs from zabbix servers that are allowed to connect to this proxy.
- DBName: This depends a bit, it is usually the name of the database like we configured on the Zabbix server in case we use PostgreSQL or MySQL. However with SQLite we need to specify dbname and location. Username and Password will be ignored when using SQLite. Just make sure SELinux is properly configured else the DB will not be created. It can help to put SELinux in permissive first.
- Hostname: This parameter is used by the proxy to identify itself to the Zabbix server. This needs to be the same name we have registered in the Zabbix frontend.
Tip
Another parameter that can be useful is ListenPort this is usually 10051 for Active and Passive proxies. But if you run for some reason the proxy on the zabbix server then you have to change this port to something else.
Note
With Zabbix 7 a new parameter has been introduced on the proxy side ProxyBufferMode
. This is standard set to Hybrid
and is what is recommended. With Hybrid the proxy will buffer will work in memory and fallback to the database if needed.
The documentation states that the proxy buffer normally works like in memory mode until it runs out of memory or the oldest record exceeds the configured age. If that happens the buffer is flushed
to database and it works like in disk mode until all data have been uploaded and it starts working with memory again. On shutdown the memory buffer is flushed to database.
Note
Don't worry about the file for the db not existing Zabbix will create it by itself.
Warning
If you use DNS names make sure there is DNS caching configured on the machine. If not Zabbix will do a lookup on the DNS server everytime it wants to make a connection.
So now that we have configured everything let's start our proxy. First disable SELinux as it will block a few things this can be done by running setenforce 0
. This is only temporary and either you keep it disabled permanent or you fix the config.
An easy way is to use sealert -a /var/log/audit/audit.log
.
Once this is done there is only 1 thing that rests us to do and that is start and enable the zabbix-proxy service.
systemctl enable zabbix-proxy --now
If you look now in the frontend of the Zabbix server you will see that the proxy we have configured is Offline.
This is because we have configured a Passive agent remember we had to specify the IP and the Port in our Zabbix frontend? So we need to open port 10051/tcp for our zabbix server.
firewall-cmd --new-zone=proxy-access --permanent
firewall-cmd --zone=proxy-access --add-source=<zabbix server ip> --permanent
firewall-cmd --zone=proxy-access --add-port=10051/tcp --permanent
firewall-cmd --reload
We can now check our access rules in the firewall:
# firewall-cmd --zone=proxy-access --list-all
proxy-access (active)
target: default
icmp-block-inversion: no
interfaces:
sources: xxx.xxx.xxx.xxx
services:
ports: 10051/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
When we now look at our frontend our proxy should be online
Note
If you like to install the proxy with MySQL or PostgreSQL as database then it is important to also install the package zabbix-sql-scripts
. There is a special shema to be used for the proxy database that can be found under /usr/share/zabbix-sql-scripts/mysql|postgresql>/proxy.sql
.
Also in this case don't forget to edit the zabbix_proxy.conf file and add DBHost, DBUser, DBPassword and DBSchema as needed.