Ad Widget

**kyus** · 12-02-2025, 20:13

Hey!

How exactly is everything else getting blocked if you use AllowKey?

system.run is a key that you always have to enable using AllowKey in the agent config.

**cyber** · 13-02-2025, 10:57

Originally posted by kyus

system.run is a key that you always have to enable using AllowKey in the agent config.

No, it is not... If you are not using it, you do not have to enable it "just in case"... By default it is disabled.

12 Restricting agent checks

https://www.zabbix.com/documentation/current/en/manual/config/items/restrict_checks

**kyus** · 13-02-2025, 14:09

Originally posted by cyber

No, it is not... If you are not using it, you do not have to enable it "just in case"... By default it is disabled.
https://www.zabbix.com/documentation...estrict_checks

I may have worded it badly but that's what I meant... if you want to use it you'll need to enable it.
Enabling it just for the sake of it doesn't make sense

**Manuel Simpson** · 14-02-2025, 00:44

Yes, but if I enable it with AllowKeys, the rest of commands that run all the other metrics (ex. Metric generated by commands that use Docker plugin or also system metrics) are blocked and not work anything. Not shure but if I understan well, when I create an AllowKeys directive, the config file activate the rules for the rest of commands I in that case I should explicity create rules for each commands because AllowKeys implicity enable DenyKeys=*.
Maybe I'm wrong because just started with Zabbix,

**kyus** · 14-02-2025, 14:00

You can use

Code:

AllowKey=system.run[*]

This should enable all commands/scripts that were restricted, and, if you want, you can still block specific commands with the DenyKey (this has to come before AllowKey in the conf file to blacklist some commands).

Therefore, to allow remote commands, specify an AllowKey=system.run[<command>,*] for each allowed command, * stands for wait and nowait mode. It is also possible to specify AllowKey=system.run[*] parameter to allow all commands with wait and nowait modes. To disallow specific remote commands, add DenyKey parameters with system.run[] commands before the AllowKey=system.run[*] parameter.

This is a quote from the docs that cyber posted. I recommend taking a look there, most likely it'll help to identify what isn't working.

If you want, post your agent config here.

**Manuel Simpson** · 14-02-2025, 14:25

Yes I saw that but I thought that maybe are another way because when I allow system.run[*] I'm allowing all commands over OS. My intention is keep allowing the actually default Zabbix commands, plus Docker plugin and just my needs. Denying commands of OS before, one by one (which I'm not using) its impossible. And if I use DenyKeys=* I'm denying actuallity Zabbix commands and I should allowing one by one or by regex.
Maybe I'm wrong interpreting the concepts.
Thanks, I will keep reading.

**kyus** · 14-02-2025, 14:52

But why are you using DenyKey=* ?

If you want, you can just allow specific commands to be executed aswell, you don't need to deny one by one.

Just add the AllowKey for each command you want to allow.
AllowKey=system.run[command1,*]
AllowKey=system.run[command2,*]

DenyKey=system.run[*]

**Manuel Simpson** · 14-02-2025, 16:39

Ohh, ok, I understand, my error was use DenyKey=* instead DenyKey=system.run[*].
Now I got the idea, system.run is for run commands isolated from Zabbix defaults (this not use system.run).
Thanks!

Ad Widget

How to create an Alert Script for manual exec using UserParameter instead AllowKeys

How to create an Alert Script for manual exec using UserParameter instead AllowKeys

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment