Ad Widget

**ingus.vilnis** · 14-02-2019, 08:40

Hi,

Awesome level of detail in your description.

Let's brake it down into two issues.
Zabbix Get first.

You can't use the zabbix_get in the unencrypted way anymore as you used to do before. Add the additional PSK info so the command looks something like this:

Code:

zabbix_get -s 10.30.3.115 -k 'proc.num[zabbix_server,zabbix]'  --tls-connect=psk --tls-psk-identity="PSK 007" --tls-psk-file=/etc/zabbix/zabbix_agentd.psk

Check the docs here: https://www.zabbix.com/documentation...cation_example

Another issue is that you get misleading messages in the logs. And they are because the Hostname setting in your zabbix_agentd.conf file is left to default "Zabbix server" whereas you need it to match the name which you defined in the web interface, in your case Hostname=graylog-srv-01

Restart the agent to apply and check the logs again.

Hope this helps!

**tienpt** · 14-02-2019, 08:58

Thank you so much @ingus.vilnis

Another issue was solved. Zabbix Get still didn't solve. I used to run the below command

skylab@graylog-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[zabbix_agentd,zabbix]' --tls-connect=psk --tls-psk-identity="PSK 007" --tls-psk-file=/etc/zabbix/zabbix_agentd.psk
zabbix_get [11511]: Warning: SSL_shutdown() with 10.30.3.115 returned error code 5: TLS read warning alert "close notify"
zabbix_get [11511]: Get value error: connection closed during read
zabbix_get [11511]: Check access restrictions in Zabbix agent configuration

Then the log generated

11445:20190213:225423.072 failed to accept an incoming connection: connection from "10.30.3.115" rejected, allowed hosts: "10.30.3.116"
11444:20190213:225429.137 failed to accept an incoming connection: connection from "10.30.3.115" rejected, allowed hosts: "10.30.3.116"
11444:20190213:225640.934 failed to accept an incoming connection: connection from "10.30.3.115" rejected, allowed hosts: "10.30.3.116"

**ingus.vilnis** · 14-02-2019, 09:06

You can't run zabbix_get on the server which you are actually monitoring. Do this on the Zabbix server.

If you still need to tun zabbix_get on the graylog-srv-01 then add 127.0.0.1 to the Server setting in zabbix_agentd.conf. But I am now not sure why you would want to do this in the first place. zabbix_get is great for testing communication typically between server and agent.

**tienpt** · 14-02-2019, 09:14

Firstly, the command still didn't succeed.

skylab@graylog-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[zabbix_agentd,zabbix]' --tls-connect=psk --tls-psk-identity="PSK 007" --tls-psk-file=/etc/zabbix/zabbix_agentd.psk
zabbix_get [11701]: Get value error: connection closed during read
zabbix_get [11701]: Check access restrictions in Zabbix agent configuration

and log

11698:20190213:230858.612 failed to accept an incoming connection: connection from "10.30.3.115" rejected, allowed hosts: "127.0.0.1,10.30.3.116"

However, the Warning: SSL_shutdown() with 10.30.3.115 returned error code 5: TLS read warning alert "close notify" have gone :-)

Another point, I got your recommendation about zabbix get. It means that I need to create a library of PSK on the Zabbix Server side? to store all of PSK of Zabbix Client. As you said before: "You can't use the zabbix_get in the unencrypted way anymore as you used to do before. Add the additional PSK info so the command looks something like this:"

Then it should look like

skylab@zabbix-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[zabbix_agentd,zabbix]' --tls-connect=psk --tls-psk-identity="PSK 007" --tls-psk-file=/etc/zabbix/zabbix_agentd.psk

**tienpt** · 14-02-2019, 09:16

You are right! I have just copied the PSK of Zabbix Client to Zabbix Server, then it worked as well

skylab@graylog-srv-01:~$ scp /etc/zabbix/zabbix_agentd.psk [email protected]:/tmp

and

skylab@zabbix-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[zabbix_agentd,zabbix]' --tls-connect=psk --tls-psk-identity="PSK 007" --tls-psk-file=/tmp/zabbix_agentd.psk
7

**ingus.vilnis** · 14-02-2019, 09:19

Hold on.

Don't run zabbix_get on graylog-srv-01 for now. Run it from zabbix-srv-01 !

And don't mess with PSK on Zabbix server. That was not what I meant with that comment.

**ingus.vilnis** · 14-02-2019, 09:20

Ok, now you got this running. Nice.

**tienpt** · 14-02-2019, 09:21

skylab@zabbix-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[graylog-server,graylog]' --tls-connect=psk --tls-psk-identity="PSK 007" --tls-psk-file=/tmp/zabbix_agentd.psk
1

Here is what I need to do. I am going to create an script or something like that to monitor Graylog process at graylog-srv-01. On this topic, I learned from you about best practice for using Zabbix Get. I am a newbie, then my knowledge is breaking by google. [I need to read the book to structure my knowledge]

So now, of course, I don't need to run Zabbix Get on Client [graylog-srv-01]. Thus I need to organize the PSK's Client on Server.

I see that's what you want to let me know.

**ingus.vilnis** · 14-02-2019, 09:24

Ok, that's fine.

But still why you need Zabbix Get if (what I think) you really need this configured in Zabbix from web interface?

**tienpt** · 14-02-2019, 09:25

Originally posted by ingus.vilnis

And don't mess with PSK on Zabbix server. That was not what I meant with that comment.

If I don't mess with PSK on Zabbix Server, Zabbix Get could to succeed.

skylab@zabbix-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[graylog-server,graylog]' --tls-connect=psk --tls-psk-identity="PSK 007" --tls-psk-file=/tmp/zabbix_agentd.psk
1

skylab@zabbix-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[graylog-server,graylog]' --tls-connect=psk --tls-psk-identity="PSK 007"
zabbix_get [27289]: ERROR: parameter "--tls-psk-identity" is defined, but "--tls-psk-file" is not defined

skylab@zabbix-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[graylog-server,graylog]' --tls-connect=psk
zabbix_get [27293]: ERROR: parameter "--tls-connect" value requires "--tls-psk-file", but it is not defined

skylab@zabbix-srv-01:~$ zabbix_get -s 10.30.3.115 -k 'proc.num[graylog-server,graylog]'
zabbix_get [27296]: Check access restrictions in Zabbix agent configuration

And log on Client

11698:20190213:232251.765 failed to accept an incoming connection: from 10.30.3.116: unencrypted connections are not allowed

**tienpt** · 14-02-2019, 09:27

Ah I need Zabbix Get because some guys [from result's Google] let me should use Zabbix Get to create an script to monitor Graylog process or another Linux process. Could you let me know what is best practice to monitor Linux process on Client with Zabbix?

**ingus.vilnis** · 14-02-2019, 09:32

If you just need to list the process count then use the same "proc.num[graylog-server,graylog]" item and configure it in a Zabbix Template. Are you familiar with that?

If you need something more then need to know what it is.

**tienpt** · 14-02-2019, 09:35

I don't familiar with that. But, I can read Zabbix documentation and try it. Do you have any advice for me?

**tienpt** · 14-02-2019, 09:37

My purpose is monitoring completely Linux process to keep the monitoring 24/7. Anytime, when the Linux process have any issue, then stop, I will know as soon as possible and go to fix.

Ad Widget

Communicate between Zabbix Client and Zabbix Server are having an issue with PSK

Communicate between Zabbix Client and Zabbix Server are having an issue with PSK

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment