Ad Widget

Collapse

net.tcp.service returns 0 in web interface even though work fine in cli

Collapse
This topic has been answered.
X
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • And808
    Junior Member
    • Jan 2024
    • 11
    #1

    net.tcp.service returns 0 in web interface even though work fine in cli

    Hi, I've just installed Zabbix appliance running AlmaLinux release 9.1 (Lime Lynx); Zabbix Server 6.4 6.4.1 (DigitalOcean image) and I'm playing around with some new settings in it. I discovered that the item of the simple check with net.tcp.service returns 0 when performed from the web console, however, it works fine and returns 1 when the task is performed with cli command of Zabbix server. This is the screenshot of the test item however I faced this issue by attempting use predefined template that doesn't work for me either.

    Am I doing anything wrong?

    Click image for larger version Name: Screenshot 2024-01-12 172653.png Views: 427 Size: 13.4 KB ID: 477077
    Click image for larger version Name: Screenshot 2024-01-12 172908.png Views: 368 Size: 45.6 KB ID: 477078
    Click image for larger version Name: Screenshot 2024-01-12 173107.png Views: 375 Size: 72.5 KB ID: 477079
    Tags: None
    • Answer selected by And808 at 15-01-2024, 13:59.
      cyber
      Senior Member
      Zabbix Certified SpecialistZabbix Certified Professional
      • Dec 2006
      • 4807
      In this case being root should not matter much... zabbix_get -s xx.xx.xx.xx... executes that command on the mentioned server as agent item. So your first line on first pic executes that check locally on that 134.209.x.x host. Second line executes it through the agent on localhost, as agent runs usually as user "zabbix" it really does not matter if zabbix_get is run as root.

      You are configuring it as simple check, which is not executed on any agent but directly on zabbix server/proxy. Even if that pic shows that Host interface is 127.0.0.1:10050, it is not really taken into account, as it is simple check (if you configure simple check on any other host, it will show there IF of that hosts agent... )
      So those are different processes executing that check .. agent vs server..

      There is a selinux boolean, controlling, if zabbxican connect to any ports... "setsebool -P zabbix_can_network 1" but IIRC, it still allows usage of common ports like 22 or 443... But still, verify....​
        • Selected Answer

        Comment

        • And808
          And808 commented
          15-01-2024, 13:02
          Editing a comment
          Hi cyber, thank you for such a detailed description. As I see from it the permission shouldn't be an issue for simple check to operate in web interface. Unfortunately, this doesn't give me a clue what is actually wrong and how I can make simple check of net.tcp.service work on the web interface of Zabbix server. The Squid by SNMP: Squid: Service ping template doesn't returning 0 for TCP service check, which is not correct. Also as we can see any other test of the TCP check doesn't work.

          UPD: sorry, it seems setsebool -P zabbix_can_network 1 made a trick and it works fine now. Thank you a lot
          Last edited by And808; 15-01-2024, 13:10.
        • Hamardaban
          Senior Member
          Zabbix Certified SpecialistZabbix Certified Professional
          • May 2019
          • 2713
          #2
          The difference is that from the Cli you execute a command as the root user, and the server executes as the zabbix user. Check SELinux.

            Comment

            • And808
              #2.1
              And808 commented
              13-01-2024, 13:00
              Editing a comment
              Hi Hamardaban, thank you for pointing on this difference. I didn't see anywhere any requirements for any specific permission to be given to zabbix user for this matter. If this is a case, can you please advise what exactly had to be done or should I look for by checking SElinux to let it operate? Thank you
            • Hamardaban
              Senior Member
              Zabbix Certified SpecialistZabbix Certified Professional
              • May 2019
              • 2713
              #3
              I am not a big expert in security settings and access control in Linux - therefore, I will not give advice on what exactly needs to be done. Search in this forum and on the internet.

                Comment

                • cyber
                  Senior Member
                  Zabbix Certified SpecialistZabbix Certified Professional
                  • Dec 2006
                  • 4807
                  #4
                  In this case being root should not matter much... zabbix_get -s xx.xx.xx.xx... executes that command on the mentioned server as agent item. So your first line on first pic executes that check locally on that 134.209.x.x host. Second line executes it through the agent on localhost, as agent runs usually as user "zabbix" it really does not matter if zabbix_get is run as root.

                  You are configuring it as simple check, which is not executed on any agent but directly on zabbix server/proxy. Even if that pic shows that Host interface is 127.0.0.1:10050, it is not really taken into account, as it is simple check (if you configure simple check on any other host, it will show there IF of that hosts agent... )
                  So those are different processes executing that check .. agent vs server..

                  There is a selinux boolean, controlling, if zabbxican connect to any ports... "setsebool -P zabbix_can_network 1" but IIRC, it still allows usage of common ports like 22 or 443... But still, verify....​
                    • Selected Answer

                    Comment

                    • And808
                      #4.1
                      And808 commented
                      15-01-2024, 13:02
                      Editing a comment
                      Hi cyber, thank you for such a detailed description. As I see from it the permission shouldn't be an issue for simple check to operate in web interface. Unfortunately, this doesn't give me a clue what is actually wrong and how I can make simple check of net.tcp.service work on the web interface of Zabbix server. The Squid by SNMP: Squid: Service ping template doesn't returning 0 for TCP service check, which is not correct. Also as we can see any other test of the TCP check doesn't work.

                      UPD: sorry, it seems setsebool -P zabbix_can_network 1 made a trick and it works fine now. Thank you a lot
                      Last edited by And808; 15-01-2024, 13:10.
                    Previous template Next
                    Working...