Skip to content

How To Install and Configure the Zabbix Agent to Securely Monitor Accops HySecure Server

Installing and Configuring the Zabbix Agent to Securely Monitor Accops HySecure Server.

Login to the Accops HySeure Server, using putty or console.

Step 1: Run below command to install the repository configuration package for zabbix.

# sudo rpm -ivh http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm

You will see the following output:

Retrieving http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
warning: /var/tmp/rpm-tmp.jnLROO: Header V4 DSA/SHA1 Signature, key ID 79ea5ed4: NOKEY
Preparing... ################################# [100%]
Updating / installing...</br>
1:zabbix-release-3.0-1.el7 ################################# [100%]

Step 2: Install the Zabbix agent:

# sudo yum install zabbix-agent

Step 3: we are using pre-shared keys (PSK) to secure the connection between the server and agent, so first, generate a PSK , using below command.

# sudo sh -c "openssl rand -hex 32 > /etc/zabbix/zabbix_agentd.psk"

Step 4: use below command to obtain PSK (Pre-Shared Key). You will need it to configure Accops HySecure host on Zabbix Server.

# cat /etc/zabbix/zabbix_agentd.psk

The key will look something like this: Output:

bd7ebdc1ae80fb66e8102d6016671a4feabf489cf2692ee473512771c4903ed8

Step 5: Now you have to edit the Zabbix agent settings to set up its secure connection to the Zabbix server. Open the agent configuration file:

# sudo vi /etc/zabbix/zabbix_agentd.conf

First, you must edit the IP address of the Zabbix server.
Find the following section:

### Option: Server
# List of comma delimited IP addresses (or hostnames) of Zabbix servers.
# Incoming connections will be accepted only from the hosts listed here.
# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally.
#
# Mandatory: no
# Default:
# Server=
Server=127.0.0.1

Change the default value to the IP of your Zabbix server:

Server=your_zabbix_server_ip_address

Next, Find the section to configure Listen Port.

### Option: ListenPort
# Agent will listen on this port for connections from the server.
#
# Mandatory: no
# Range: 1024-32767
# Default:
# ListenPort=10050

Change the default Listen Port as per your Zabbix Server.

ListenPort=10050

Next, Find the section to configure Listen IP.

### Option: ListenIP
# List of comma delimited IP addresses that the agent should listen on.
# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
#
# Mandatory: no
# Default:
# ListenIP=0.0.0.0

Add the Listen IP as per your Accops HySecure Server IP Address.

ListenIP=Accops_HySecure_Server_IP_Address

Next, Find the section to configure Serve rActive.

##### Active checks related
### Option: ServerActive
# List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks.
# If port is not specified, default port is used.
# IPv6 addresses must be enclosed in square brackets if port for that host is specified.
# If port is not specified, square brackets for IPv6 addresses are optional.
# If this parameter is not specified, active checks are disabled.
# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
#
# Mandatory: no
# Default:
# ServerActive=

Add the ServerActive as per your zabbix_server_ip:Port.

ServerActive=zabbix_server_ip:Port

Next, Find the section to configure Hostname.

### Option: Hostname
# Unique, case sensitive hostname.
# Required for active checks and must match hostname as configured on the server.
# Value is acquired from HostnameItem if undefined.
#
# Mandatory: no
# Default:
# Hostname=

Add the below line as a host name.

(Note: This Hostname will be required while configuring the Accops HySecure Host in Zabbix Server.)

Hostname=Accops server

Next, find the section that configures the secure connection to the Zabbix server and enable pre-shared key support.

Find the TSLConnect section, which looks like this:

### Option: TLSConnect
# How the agent should connect to server or proxy. Used for active checks.
# Only one value can be specified:
# unencrypted - connect without encryption
# psk - connect using TLS and a pre-shared key
# cert - connect using TLS and a certificate
#
# Mandatory: yes, if TLS certificate or PSK parameters are defined (evenfor 'unencrypted' connection)
# Default:
# TLSConnect=unencrypted

Then add this line to configure pre-shared key support:

TLSConnect=psk

Next, locate the TLSAccept section, which looks like this:

### Option: TLSAccept
# What incoming connections to accept.
# Multiple values can be specified, separated by comma:
# unencrypted - accept connections without encryption
# psk - accept connections secured with TLS and a pre-shared key
# cert - accept connections secured with TLS and a certificate
#
# Mandatory: yes, if TLS certificate or PSK parameters are defined (evenfor 'unencrypted' connection)
# Default:
# TLSAccept=unencrypted

Configure incoming connections to support pre-shared keys by adding this line:

TLSAccept=psk

Next, find the TLSPSKIdentity section, which looks like this:

### Option: TLSPSKIdentity
# Unique, case sensitive string used to identify the pre-shared key.
#
# Mandatory: no
# Default:
# TLSPSKIdentity=

Choose a unique name to identify your pre-shared key by adding this line:

TLSPSKIdentity=PSK 001

You'll use this as the PSK ID when you add your host through the Zabbix web interface.

Then set the option which points to your previously created pre-shared key. Locate the TLSPSKFile option:

### Option: TLSPSKFile
# Full pathname of a file containing the pre-shared key.
#
# Mandatory: no
# Default:
# TLSPSKFile=

Add this line to point the Zabbix agent to your PSK file you created:

TLSPSKFile=/etc/zabbix/zabbix_agentd.psk

Save and close the file. Now you can start the Zabbix agent and set it to start at boot time:

# sudo systemctl start zabbix-agent
# sudo systemctl enable zabbix-agent

Check that the Zabbix agent is running properly:

# sudo systemctl status zabbix-agent

You will see the following status, indicating the agent is running:

Output: zabbix-agent.service - Zabbix Agent
Loaded: loaded (/usr/lib/systemd/system/zabbix-agent.service; disabled;         vendor preset: disabled)
Active: active (running) since Fri 2016-08-05 08:17:07 UTC; 5s ago
Process: 9507 ExecStart=/usr/sbin/zabbix_agentd -c $CONFFILE (code=exited, status=0/SUCCESS)
...

Zabbix agent is now installed on Accops HySecure Server and ready to send data to the Zabbix server.
But in order to use it, we have to link to it from the server's web console.

Step 6: Login to Zabbix Admin Web Console.

Next, When you have logged in, click on the Configuration, and then Hosts in the top navigation bar. Then click Create host button in the top right corner of the screen. This will open the host configuration page.

Click on "Create Host".

Next, Add Host Name which is defined in Zabbix agent config file then click on Templates.

Now Select the Template "Template App Zabbix Agent", then go to Encryption TAB.

Now Add Pre-Shared Key, which we have obtained while installing agent.

After successful communication with Accops HySecure Host, Zabbix Server will show below screen.

After several seconds you can navigate to Monitoring and then Latest data to see the data from your agent.
To ensure things are working, shut down your monitored server so you can see how Zabbix alerts you to problems. Once your monitored server is offline you will see the warning on the main dashboard:

If you have additional servers you need to monitor, log in to each host, install the Zabbix agent, generate a PSK, configure the agent, and add the host to the web interface following the same steps you followed to add your first host.