Ad Widget

Collapse

Zabbix is unable to check Veeam REST API

Collapse
This topic has been answered.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • geschnei
    Junior Member
    • May 2023
    • 2
    #1

    Zabbix is unable to check Veeam REST API

    I'm trying to set up "Veeam Backup and Replication by HTTP" in Zabbix 6.0.

    I've set up {$VEEAM.API.URL}, {$VEEAM.USER} and {$VEEAM.PASSWORD} for our VBR server, but when I test the "Veeam: Get metrics" check I always get the result

    {"error":"Request failed with status code 403: ."}
    I looked into the check scripts and tried to do the same requests with curl and here they just work.

    Requests:
    Code:
    curl --insecure -H 'x-api-version: 1.0-rev2' -H 'Content-Type: application/x-www-form-urlencoded' --data 'grant_type=password&username=veeam-readonly&password=LONG_PASSWORD' 'https://vbr.example.com:9419/api/oauth2/token'
curl --insecure -H 'x-api-version: 1.0-rev2' -H 'Authorization: Bearer TOKEN_FROM_PREVIOUS_REQUEST' https://vbr.example.com:9419/api/v1/jobs/states
    I've given the user veeam-readonly the "Veeam Backup Viewer" role. I can successfully log in the VBR console with this user and get all information read only. I can get information from the API with this user via curl. Using this user in Zabbix results in a 403 error.

    On the other hand, when I enter my personal credentials in the user and password fields and run the test, it is successful. I removed all special characters from the password to rule this out as a problem.

    I don't think this is a permission issue on the VBR side, since the requests work fine when issued via curl.
    Can I somehow debug the actual requests Zabbix sends to the VBR REST API?

    Zabbix is running on Debian 11 if that matters, no proxy involved.​
    Tags: rest api, veeam
    • Answer selected by geschnei at 19-05-2023, 14:47.
      geschnei
      Junior Member
      • May 2023
      • 2

      Okay, I found the culprit.

      I went through every endpoint that is called through the getMetricsData() function with curl:

      Code:
      endpoints = {
    'proxies': 'api/v1/backupInfrastructure/proxies',
    'repositories': 'api/v1/backupInfrastructure/repositories',
    'managedServers': 'api/v1/backupInfrastructure/managedServers',
    'repositories_states': 'api/v1/backupInfrastructure/repositories/states',
    'services': 'api/v1/services',
    'jobs_states': 'api/v1/jobs/states',
    'backups': 'api/v1/backups',
    'backupObjects': 'api/v1/backupObjects',
    'sessions': 'api/v1/sessions?createdAfterFilter=' + encodeURIComponent(start_date)
​};
      As it turned out, they were all working except one: services

      This single endpoint requires the role Backup Administrator, while all other endpoints only need Backup Viewer.

      I simply commented the line in the Zabbix check out and the check started working with the reduced permissions.

      Code:
      //    'services': 'api/v1/services',


      While it would be nice to check the status of the services it's IMO not worth jeopardizing security for it.
        👍 2
        • Selected Answer

        Comment

        • geschnei
          Junior Member
          • May 2023
          • 2
          #2

          Okay, I found the culprit.

          I went through every endpoint that is called through the getMetricsData() function with curl:

          Code:
          endpoints = {
    'proxies': 'api/v1/backupInfrastructure/proxies',
    'repositories': 'api/v1/backupInfrastructure/repositories',
    'managedServers': 'api/v1/backupInfrastructure/managedServers',
    'repositories_states': 'api/v1/backupInfrastructure/repositories/states',
    'services': 'api/v1/services',
    'jobs_states': 'api/v1/jobs/states',
    'backups': 'api/v1/backups',
    'backupObjects': 'api/v1/backupObjects',
    'sessions': 'api/v1/sessions?createdAfterFilter=' + encodeURIComponent(start_date)
​};
          As it turned out, they were all working except one: services

          This single endpoint requires the role Backup Administrator, while all other endpoints only need Backup Viewer.

          I simply commented the line in the Zabbix check out and the check started working with the reduced permissions.

          Code:
          //    'services': 'api/v1/services',


          While it would be nice to check the status of the services it's IMO not worth jeopardizing security for it.
            👍 2
            • Selected Answer

            Comment

            • skogz0r
              Junior Member
              • Jun 2025
              • 1
              #3
              This is the first time in my decade long IT career where I have found the exact issue I currently have and the person answered it themselves with an actual solution instead of 'nvm, solved it'. Thank you

                Comment

                Previous template Next
                Working...