Archive for August, 2018

The following procedure sets up monitoring of the AWS service status RSS feeds in Zabbix.

I modified this template and added troubleshooting steps for issues I experienced.

All files can be downloaded from here.

Copy the script to the Zabbix external scripts directory, /usr/lib/zabbix/externalscripts.

pip install feedparser
pip install python-dateutil

# The AWS feeds carry timestamps with the zone names PST/PDT. dateutil only resolves such
# abbreviations when they match the server's own local zone, so on a server in another
# zone the parser warns (and, as the message says, a later version raises instead):
#/usr/lib/python2.7/site-packages/dateutil/parser/ UnknownTimezoneWarning: tzname PDT identified but not understood.  Pass `tzinfos` argument in order to correctly return a timezone-aware datetime.  In a future version, this will raise an exception.
#/usr/lib/python2.7/site-packages/dateutil/parser/ UnknownTimezoneWarning: tzname PST identified but not understood.  Pass `tzinfos` argument in order to correctly return a timezone-aware datetime.  In a future version, this will raise an exception.
# Either pass a tzinfos mapping to the parser, as the warning suggests, or set the system
# time zone so that its abbreviations match the feed. The command I used was the one below;
# note that America/Chicago yields CST/CDT, and the zone whose abbreviations are PST/PDT
# is America/Los_Angeles.

timedatectl set-timezone America/Chicago

chmod +x
chown zabbix:zabbix

./ "-i" "3600" "-b" NA '-m' "TRUE"
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000005"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000004"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000005"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000005"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000004"}
{"response":"success","info":"processed: 0; failed: 0; total: 0; seconds spent: 0.000004"}
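The time-zone problem above is easier to see with a concrete feed. The following is an added example, not the page's script: it parses a constructed RSS snippet with the standard library only (no feedparser, no dateutil) and resolves PST/PDT explicitly, so the result does not depend on the server's time zone. I read the script's "-i 3600" argument as a look-back interval in seconds; that reading, the sample items and the SAMPLE_NOW value are my assumptions.

```python
"""Added example: parse an AWS status RSS feed with explicit zone handling.

Standard library only.  The TZINFOS mapping has exactly the shape dateutil's
parse(tzinfos=...) argument expects, which is the fix its warning asks for.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample feed (not a real capture).  The pubDate format is the
# RFC 2822 style with a zone abbreviation, which is what triggers the warning.
SAMPLE_RSS = """<rss version="2.0"><channel>
<title>Amazon EC2 (N. Virginia) Service Status</title>
<item>
<title>Informational message: Increased API error rates</title>
<pubDate>Thu, 23 Aug 2018 10:15:00 PDT</pubDate>
<guid>http://status.aws.amazon.com/#ec2-us-east-1_1535044500</guid>
<description>We are investigating increased error rates.</description>
</item>
<item>
<title>Service is operating normally</title>
<pubDate>Thu, 23 Aug 2018 12:40:00 PDT</pubDate>
<guid>http://status.aws.amazon.com/#ec2-us-east-1_1535053200</guid>
<description>Error rates have returned to normal levels.</description>
</item>
</channel></rss>"""

# Assumed "current time" used by the stand-alone run and the checks below.
SAMPLE_NOW = datetime(2018, 8, 23, 20, 0, tzinfo=timezone.utc)

# Offsets for the abbreviations the AWS feeds use.
TZINFOS = {"PST": -8 * 3600, "PDT": -7 * 3600}


def parse_pubdate(text):
    """Parse an RSS pubDate into an aware UTC datetime.

    email.utils knows the North American zone abbreviations itself.  If a
    parser hands back a naive value, the abbreviation is resolved from
    TZINFOS rather than from whatever zone the server happens to run in.
    """
    dt = parsedate_to_datetime(text)
    if dt.tzinfo is None:
        abbr = text.strip().rsplit(" ", 1)[-1]
        dt = dt.replace(tzinfo=timezone(timedelta(seconds=TZINFOS[abbr])))
    return dt.astimezone(timezone.utc)


def recent_items(rss_text, now, interval_seconds):
    """Return the feed items published within the last interval_seconds.

    Anything older than the polling interval was already seen on the previous
    run and should not be sent to Zabbix again.
    """
    cutoff = now - timedelta(seconds=interval_seconds)
    root = ET.fromstring(rss_text)
    found = []
    for item in root.iter("item"):
        published = parse_pubdate(item.findtext("pubDate"))
        if published >= cutoff:
            found.append({
                "title": item.findtext("title"),
                "published": published.isoformat(),
                "guid": item.findtext("guid"),
            })
    return found


if __name__ == "__main__":
    for entry in recent_items(SAMPLE_RSS, SAMPLE_NOW, 3600):
        print(entry)
```

With a one-hour window only the 12:40 PDT item (19:40 UTC) is selected; widen the window to three hours and both items are, which is the comparison that goes wrong when the abbreviation is silently dropped and the timestamp is treated as local time.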

Create 4 hosts, one for each region: NA, SA, EU and AP.

Set the visible name to the host name and add each host to the TIS Templates group.


Attach the template to all 4 hosts.

If needed, disable the items for services you don't want to monitor.

Zabbix truncates long text values in the frontend, so if the full error text of a feed item can't be seen in the dashboard, edit the following file (CentOS 7):

vi /usr/share/zabbix/include/

Find the value-formatting block shown below and raise the number in the mb_strlen/mb_substr lines (80 characters in this copy):

// apply value mapping
switch ($item['value_type']) {
    $mapping = getMappedValue($value, $item['valuemapid']);
    // break; is not missing here
    if ($trim && mb_strlen($value) > 80) {
        $value = mb_substr($value, 0, 80).'...';

# restart the Zabbix server (the file above is PHP and is re-read on the next page load; if the change is not picked up, restart httpd so that PHP opcache drops the old copy)

systemctl restart zabbix-server

If all is OK you should see something like this:



Monitoring Azure resources with Zabbix

Posted: August 21, 2018 in Azure

I used this post as a starting point.

Creating the Azure application

(Its application ID and key are used to authenticate to Azure.)

In the Azure portal click Azure Active Directory - App registrations - New application registration.



In App registrations select All apps from the drop-down menu and click the Zabbix application.


Write down the application ID (it is used in the scripts).


Click Settings - Keys, set a name and a duration and click Save.


Write down the key. It is shown only once, and together with the application ID it is a credential for everything the application is granted below, so treat it like a password.


Write down the tenant ID.


Write down the subscription ID: from the Azure dashboard click Cost Management + Billing, and under My subscriptions note the subscription ID.


Give the application read rights to the resource group

Click the resource group - Access control (IAM)

Click Add, select the Reader role, set Assign access to "Azure AD user, group, or application" and select the Zabbix application. Reader at resource-group scope is enough to list resources and read their metrics; do not assign it at subscription scope or pick a Contributor role, because the key stored in the scripts would then carry that access too (the built-in Monitoring Reader role is an even narrower fit if metrics are all you need).


Install PowerShell on the Zabbix server (CentOS)

# Register the Microsoft RedHat repository
curl | sudo tee /etc/yum.repos.d/microsoft.repo
# Install PowerShell
sudo yum install -y powershell

Extract and copy all files into /usr/lib/zabbix/externalscripts and make sure the *.sh files are executable.

Supported services are SQL, storage accounts, virtual machines and virtual network gateways.

All available services and metrics:

Time periods (monitoring intervals) are called timegrains:

time_grains = {
    "PT1M"  => "1 Minute",
    "PT5M"  => "5 Minutes",
    "PT1H"  => "1 Hour",
    "PT12H" => "12 Hours"
}

In trapper.ps1 and azure.ps1 substitute the tenant ID, application ID and application key in the appropriate sections. Those two files now contain a live credential: make them owned by zabbix:zabbix and readable only by that user (chmod 600, or 700 for the wrappers that must stay executable), and keep them out of any repository you share the rest of the files through.

Files can be downloaded from here


For VM:

./ resource group subscription vm

For SQL:

./ resource group subscription sql

For network gateway:

./ resource group subscription vng

For storage accounts:

./ resource group subscription storage

[root@ip-172-31-27-77 externalscripts]# ./ RG  subscriptionD storage
"{#ID}": "/subscriptions/111-222-333/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/storageaccount",
"{#STORAGEACCOUNT}": "storageaccount"
"{#ID}": "/subscriptions/111-222-333/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/storageaccount",
"{#STORAGEACCOUNT}": "storageaccount"
"{#ID}": "/subscriptions/111-222-333/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/storageaccount",
"{#STORAGEACCOUNT}": "storageaccount"

Give ownership of azure.json to the zabbix user:

chown zabbix:zabbix azure.json

Create a dummy host, attach the template and specify the resource group and subscription ID on the host.


Test the Zabbix trapper:

./ zabbix-dummy-host

If there are no issues, create a cron job for the trapper (for example, to run it every 15 minutes):

*/15 * * * * /usr/lib/zabbix/externalscripts/ dummy-host
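Two pieces of the procedure above are worth seeing in code: the discovery JSON the scripts emit for Zabbix (the {#ID}/{#STORAGEACCOUNT} rows shown earlier) and the Azure Monitor metrics request that the timegrains feed into. The block below is an added example in Python, not the page's azure.ps1/trapper.ps1. It assumes the Zabbix 3.x "data" wrapper for LLD, the Azure Monitor REST endpoint .../providers/Microsoft.Insights/metrics with api-version 2018-01-01, and constructed resource IDs modelled on the ones in the output above; no Azure call is made.

```python
"""Added example: ARM ids -> Zabbix LLD rows, plus the metrics query URL.

Not the page's own scripts.  Offline: sample ids are constructed.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Timegrains from the table above (ISO 8601 durations) and their length in seconds.
TIME_GRAINS = {"PT1M": 60, "PT5M": 300, "PT1H": 3600, "PT12H": 43200}

# Resource-level ARM id; nested resources (Microsoft.Sql/servers/x/databases/y) match too.
ARM_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<provider>[^/]+)/(?P<path>[^/]+/[^/]+(?:/[^/]+/[^/]+)*)$",
    re.IGNORECASE,
)

# Constructed ids in the shape of the discovery output above.
SAMPLE_IDS = [
    "/subscriptions/111-222-333/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/storageaccount",
    "/subscriptions/111-222-333/resourceGroups/RG/providers/Microsoft.Storage/storageAccounts/storageaccount2",
    "/subscriptions/111-222-333/resourceGroups/OtherRG/providers/Microsoft.Storage/storageAccounts/notours",
]
SAMPLE_NOW = datetime(2018, 8, 21, 10, 7, 30, tzinfo=timezone.utc)  # assumed poll time


def parse_arm_id(resource_id):
    """Split an ARM resource id into its parts; ValueError on anything else."""
    m = ARM_ID.match(resource_id)
    if not m:
        raise ValueError("not a resource-level ARM id: %r" % resource_id)
    parts = m.groupdict()
    segments = parts.pop("path").split("/")
    parts["type"] = "/".join(segments[0::2])  # e.g. storageAccounts, servers/databases
    parts["name"] = segments[-1]
    return parts


def discover(resource_ids, subscription, resource_group, macro):
    """Rows for a Zabbix LLD payload, one per resource in the expected scope.

    Ids outside the subscription/resource group the Reader role was granted on
    are skipped, so a mis-scoped assignment shows up as an empty discovery
    rather than as items the service principal cannot actually read.
    """
    rows = []
    for rid in resource_ids:
        parts = parse_arm_id(rid)
        if parts["subscription"].lower() != subscription.lower():
            continue
        if parts["resource_group"].lower() != resource_group.lower():
            continue
        rows.append({"{#ID}": rid, macro: parts["name"]})
    return rows


def lld_json(resource_ids, subscription, resource_group, macro):
    """The JSON a discovery script prints for Zabbix 3.x (the "data" wrapper)."""
    rows = discover(resource_ids, subscription, resource_group, macro)
    return json.dumps({"data": rows}, indent=2)


def metrics_url(resource_id, metric_names, timegrain, now=None):
    """GET URL for the Azure Monitor metrics endpoint.

    The timespan is aligned to the timegrain so the response holds exactly one
    complete aggregation bucket; asking for "the last N minutes up to now"
    returns a partial bucket whose value changes on every poll.
    """
    if timegrain not in TIME_GRAINS:
        raise ValueError("unsupported timegrain %r" % timegrain)
    parse_arm_id(resource_id)  # fail early on a malformed id
    grain = TIME_GRAINS[timegrain]
    now = now or datetime.now(timezone.utc)
    end = datetime.fromtimestamp(int(now.timestamp()) // grain * grain, timezone.utc)
    start = end - timedelta(seconds=grain)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    query = {
        "api-version": "2018-01-01",
        "metricnames": ",".join(metric_names),
        "timespan": "%s/%s" % (start.strftime(fmt), end.strftime(fmt)),
        "interval": timegrain,
        "aggregation": "Average",
    }
    return "https://management.azure.com%s/providers/Microsoft.Insights/metrics?%s" % (
        resource_id, urlencode(query))


if __name__ == "__main__":
    print(lld_json(SAMPLE_IDS, "111-222-333", "RG", "{#STORAGEACCOUNT}"))
    print(metrics_url(SAMPLE_IDS[0], ["UsedCapacity"], "PT5M", now=SAMPLE_NOW))
```

The request still needs a bearer token obtained with the tenant ID, application ID and key from the steps above; the scope check in discover() is what turns a too-narrow role assignment into an obvious empty result instead of a stream of unsupported-value errors on the items.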

Define the bandwidth to which traffic should be limited

Policy & Objects - Create New


Define the maximum bandwidth




Create a shaping policy

Policy & Objects - Traffic Shaping Policy



In this example I limited bandwidth only for the YouTube app, so under Application I selected YouTube. Because I hadn't enabled Application Control in the outgoing IPv4 policy, I got a warning.

Outgoing interface: WAN interface

Shared shaper: the traffic shaper created above

Reverse shaper: the traffic shaper created above

The shared shaper applies in the policy's direction (LAN to WAN, i.e. uploads) and the reverse shaper to the return traffic (downloads).


Creating the outgoing IPv4 policy

Edit the policy and enable Application Control; without it the FortiGate does not identify the application, so an application-based shaping policy never matches.


Select Social Media - Allow



If you try opening YouTube it hangs on "Loading".


Facebook, for example, opens without errors.


We can see the shaping policy applied:

FortiView - Traffic Shaping


Hair-pinning (NAT loopback) lets a machine on the LAN reach another machine on the same LAN through that machine's public (external) IP address.

The client sends traffic to the public IP through the LAN interface; the FortiGate translates the destination through the virtual IP and forwards it back out the same LAN interface to the internal host.

In this example a Windows machine on the LAN hosts a web server. From other LAN machines it can only be reached by its internal IP; trying to reach it by the public IP fails:


Create a virtual IP that maps the public IP to the web server's local IP

Policy & Objects - Create New - Virtual IP

External IP address/range: the public IP

Mapped IP address/range: the web server's local IP

Enable port forwarding

External service port: the port on which traffic arrives

Map to port: the port it is forwarded to

In this case traffic to the public IP on port 80 is forwarded to port 80 on the internal address.



Creating the IPv4 policy

Incoming and outgoing interface: LAN interface


Destination: the virtual IP created in the previous step

NAT disabled

If the client and the web server sit on the same subnet, the server's replies go straight back to the client's private address and bypass the FortiGate; the client then sees answers from an address it never sent to and resets the connection. In that case enable NAT on this policy so the replies return through the firewall.


Now, from machines on the LAN, the web site should be accessible via the public IP.


After a FortiGate is deployed in AWS, EC2 instances behind it cannot reach the internet by default. We need to set a default route on the FortiGate (and, on the AWS side, disable the EC2 source/destination check on the FortiGate's network interfaces, otherwise AWS drops traffic the firewall forwards on behalf of other instances).

Locating the AWS VPC default gateway

The router of each VPC subnet is the first usable address of that subnet, i.e. the one ending in .1. To find it on the FortiGate, click Network - Interfaces, click the WAN interface and click Edit.





Now create the static route


Network - Static Routes - Create New



Destination: the default route

Gateway: the IP found in the previous step

Interface: the FortiGate's internet-facing interface

Administrative distance: the route's preference when several routes to the same destination exist (lower wins); in my case the highest value I could set was 4.




Creating the outgoing policy

Now we need an outgoing policy from the LAN network to the internet.

First, create an address object defining the LAN network:

Policy & Objects - Addresses - Create New - Address





Now create the outgoing policy on the FortiGate

Incoming interface: LAN interface

Outgoing interface: WAN

Source: LAN subnet



Enable NAT in the Firewall/Network Options section


Now you should be able to browse the internet from an EC2 instance behind the FortiGate. The LAN subnet's VPC route table must have its default route pointing at the FortiGate's LAN network interface, or the instances never send their traffic to the firewall in the first place.

In this example a site-to-site VPN between two FortiGate firewalls is created. I simulated two locations using two different AWS regions.




Ireland FortiGate setup

VPN - IPsec Tunnels - Create New



Click Custom



Remote gateway: the Frankfurt FortiGate's public IP; interface: the public-facing interface

Authentication method (pre-shared key), Phase 1 encryption proposal, DH groups, local and remote network. The pre-shared key is the only thing that authenticates the peer, and both firewalls expose IKE on a public IP, so use a long random key rather than a word.



Phase 2 authentication




Now create 2 IPv4 policies:

1. To allow outgoing traffic (from the local to the remote network specified in the VPN settings)

2. To allow incoming traffic (from the remote to the local network)

I created 2 address objects: LAN (for the local network) and Remote (for the remote network).

Policy & Objects - Addresses - New Address



Creating the incoming IPv4 policy (from remote to local)

Incoming interface: VPN interface

Outgoing interface: LAN interface

Source: Remote network

Destination: Local network

Disable NAT (both VPN policies are routed, not translated; the original source addresses must survive so the other side's policy matches them)




Outgoing IPv4 policy (from local to remote network)

Incoming interface: LAN interface

Outgoing interface: VPN interface

Source: LAN network

Destination: Remote network

Disable NAT



Creating the static route

Now we need a route to the remote network through the VPN interface.

Network - Static Routes - Create New

Destination: Subnet - specify the remote subnet

Interface: VPN interface



Creating the VPN connection from the Frankfurt FortiGate


Now create exactly the same configuration on the other side (the Frankfurt firewall). The only differences are the remote peer IP and the local and remote networks:

- create the VPN tunnel

- create the incoming IPv4 policy

- create the outgoing IPv4 policy

- create the static route


Creating the VPN tunnel


Local network:

Remote network:


Incoming policy





and the static route to the Ireland-side network through the VPN interface.

Now the VPN connection should be operational.
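The rule "exactly the same configuration on the other side, with peer IP and networks swapped" is where these setups usually go wrong, so here is an added example (mine, not the page's configuration) that encodes both sides as data and checks that they mirror each other before anything is typed into the second firewall. The addresses, subnets, key and proposal strings are constructed placeholders; the page does not give the real ones. It also emits the two policies and the static route each side needs, in the form used in the steps above.

```python
"""Added example: mirror check for a two-FortiGate site-to-site IPsec setup.

Constructed values throughout; nothing here talks to a firewall.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    """One FortiGate's side of the tunnel, as entered in the GUI steps above."""
    name: str
    public_ip: str    # this firewall's internet-facing address
    lan: str          # local network (phase 2 local selector, LAN address object)
    peer_ip: str      # "Remote gateway" in the IPsec tunnel settings
    remote_lan: str   # remote network (phase 2 remote selector, Remote address object)
    psk: str          # pre-shared key
    phase1: str       # phase 1 proposal and DH group, compared as a string
    phase2: str       # phase 2 proposal


# Constructed placeholders (documentation address ranges, RFC 1918 subnets).
PSK = "constructed-example-psk-change-me-0123456789"
IRELAND = Site("Ireland", "203.0.113.10", "10.10.0.0/16", "198.51.100.20", "10.20.0.0/16",
               PSK, "aes256-sha256 dh14", "aes256-sha256")
FRANKFURT = Site("Frankfurt", "198.51.100.20", "10.20.0.0/16", "203.0.113.10", "10.10.0.0/16",
                 PSK, "aes256-sha256 dh14", "aes256-sha256")


def mirror_check(a, b):
    """Return the ways the two sides fail to mirror each other (empty = consistent).

    Each side's remote gateway must be the other side's public IP, each side's
    remote network must be the other side's local network, and the key and
    proposals must be identical; otherwise phase 1 or phase 2 never completes.
    """
    problems = []
    for local, remote in ((a, b), (b, a)):
        if local.peer_ip != remote.public_ip:
            problems.append("%s: remote gateway %s is not %s's public IP %s"
                            % (local.name, local.peer_ip, remote.name, remote.public_ip))
        if ipaddress.ip_network(local.remote_lan) != ipaddress.ip_network(remote.lan):
            problems.append("%s: remote network %s is not %s's local network %s"
                            % (local.name, local.remote_lan, remote.name, remote.lan))
        if len(local.psk) < 20:
            problems.append("%s: pre-shared key shorter than 20 characters" % local.name)
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if (a.phase1, a.phase2) != (b.phase1, b.phase2):
        problems.append("phase 1/phase 2 proposals differ")
    if ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan)):
        problems.append("local networks %s and %s overlap; routing cannot tell them apart"
                        % (a.lan, b.lan))
    return problems


def firewall_objects(site, vpn_if="VPN", lan_if="LAN"):
    """The two IPv4 policies and the static route one side needs, per the steps above."""
    return {
        "incoming_policy": {"in": vpn_if, "out": lan_if,
                            "src": site.remote_lan, "dst": site.lan, "nat": False},
        "outgoing_policy": {"in": lan_if, "out": vpn_if,
                            "src": site.lan, "dst": site.remote_lan, "nat": False},
        "static_route": {"dst": site.remote_lan, "interface": vpn_if},
    }


if __name__ == "__main__":
    for line in mirror_check(IRELAND, FRANKFURT) or ["both sides mirror each other"]:
        print(line)
    for side in (IRELAND, FRANKFURT):
        print(side.name, firewall_objects(side))
```

Run it against the values you intend to enter on the second firewall; the usual mistakes (remote network typed as the local one, a proposal changed on one side only, a key retyped with a typo) all show up as a listed mismatch rather than as a tunnel that silently stays down.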





This is a combination of two existing projects with some modifications from my side (I added LLD for Lambda, EBS and Application Load Balancer).

An IAM user has been created with the following 2 IAM policies. The Action lists are not reproduced here; keep them to read-only Describe*/List*/Get* actions, because this user's access keys end up in clear-text config files on the Zabbix server. "Resource": "*" is unavoidable for the CloudWatch metric-read and the EC2/RDS describe actions, which do not support resource-level permissions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
            ],
            "Resource": "*"
        }
    ]
}


yum install epel-release
yum install python-pip
yum install jq
pip install boto
pip install boto3

Unzip the cloudwatch zip file and copy its content:

aws.discovery and cloudwatch.metric go to /usr/lib/zabbix/externalscripts; make sure the files are executable (chmod +x).

Unzip the other download (it contains a folder named scripts) and copy that folder to /usr/lib/zabbix (as in the picture below), then enter the IAM user's credentials in the aws.conf file.


Copy the content of the cloudwatch folder to /opt/zabbix (create that folder if it doesn't exist).

Inside this folder there is a file awscred; enter the IAM user's credentials there as well (I was too lazy to point both at the same credentials file 🙂).

Both aws.conf and awscred hold the access key pair in clear text: chown them to zabbix:zabbix and chmod 600 them so no other local user can read them.

Make sure the following files are set as executable:



Test if it works:

/usr/lib/zabbix/scripts/ --account default --region eu-west-1 --service s3
/usr/lib/zabbix/scripts/ --account default --region eu-west-1 --service rds
[root@ip-172-31-27-77 scripts]# ./ --account default --region eu-west-1 --service s3
{"data": [{"{#BUCKET_NAME}": "bucket1"}, {"{#BUCKET_NAME}": "bucket2"}]}

[root@ip-172-31-27-77 scripts]# /usr/lib/zabbix/scripts/ --account default --region eu-west-1 --service rds
{"data": [{"{#RDS_ID}": "mydb", "{#STORAGE}": 111111}, {"{#RDS_ID}": "mytestore", "{#STORAGE}": 11111}]}

/opt/zabbix/cloudwatch/zabbix-cloudwatch/ -a 'default' -r 'eu-west-1' -q 'ApplicationELB' -c ''
/opt/zabbix/cloudwatch/zabbix-cloudwatch/ -a 'default' -r 'eu-west-1' -q 'EBS' -c ''
/opt/zabbix/cloudwatch/zabbix-cloudwatch/ -a 'default' -r 'eu-west-1' -q 'SNSTopics' -c ''
/opt/zabbix/cloudwatch/zabbix-cloudwatch/ -a 'default' -r 'eu-west-1' -q 'LambdaFunction' -c ''

./ -a 'default' -r 'eu-west-1' -q 'LambdaFunction' -c ''
{
  "data": [
    {
      "{#AWS_REGION}": "eu-west-1",
      "{#AWS_ACCOUNT}": "default",
      "{#FUNCTION_INAME}": "myfunction",
      "{#FUNCTION_NAME}": "myfunction"
    }
  ]
}

If something goes wrong, most likely a prerequisite is not installed properly, files or folders were copied to the wrong path, or some scripts lack the +x flag.

Creating Zabbix hosts

Create a Zabbix host for every AWS region where services reside.


Attaching Zabbix templates

Create a full clone of the template for every region and attach it to the hosts.

Every template has a macro with the AWS region; change it if needed.


Create cron jobs for every resource you want to monitor for Application Load Balancer, EBS, SNS and Lambda. The arguments are the resource identifier (function name, topic name, "app/<name>/<id>" for an ALB, volume ID), the Zabbix host name, the Zabbix server, the AWS account profile and the region. Cron runs these under /bin/sh, where bash's "&>" does not redirect but backgrounds the command, so the output is silenced with ">/dev/null 2>&1" instead.

# Lambda monitoring
*/15 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/ "mylambda" "Ireland" "localhost" "default" "eu-west-1" >/dev/null 2>&1

# SNS monitoring
*/10 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/ "aws-config" "London" "localhost" "default" "eu-west-2" >/dev/null 2>&1

# Application Load Balancer
*/10 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/ "app/loadbalancer/" "Ireland" "localhost" "default" "eu-west-1" >/dev/null 2>&1

# EBS monitoring
*/12 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/ "vol-11111111" "aws_north_virginia" "localhost" "default" "us-east-1" >/dev/null 2>&1
*/10 * * * * /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d/ "vol-059d78926c41b79c4" "Ireland" "localhost" "default" "eu-west-1" >/dev/null 2>&1

Make sure all files in /opt/zabbix/cloudwatch/zabbix-cloudwatch/cron.d are executable.
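What the cron jobs above do for each resource is: query CloudWatch for one metric with the right namespace and dimension, take the newest datapoint, and hand it to zabbix_sender. The block below is an added example of that pipeline, not the page's cloudwatch.metric or cron.d scripts. It builds the get_metric_statistics() arguments for the four resource kinds in the cron lines, picks the latest datapoint out of a response of the shape boto3 returns (constructed here, no AWS call is made) and formats the zabbix_sender input line. The item key naming and the list of "counts that mean zero when absent" are my choices, not the project's.

```python
"""Added example: CloudWatch metric -> zabbix_sender line, offline.

The response dicts are constructed in the shape boto3's
cloudwatch.get_metric_statistics() returns; nothing is fetched from AWS.
"""
from datetime import datetime, timezone

# CloudWatch namespace and dimension for the resource kinds in the cron jobs
# above.  The dimension value is the first cron argument (function name, topic
# name, "app/<name>/<id>" for an ALB, volume id).
SERVICES = {
    "LambdaFunction": ("AWS/Lambda", "FunctionName"),
    "SNSTopics": ("AWS/SNS", "TopicName"),
    "ApplicationELB": ("AWS/ApplicationELB", "LoadBalancer"),
    "EBS": ("AWS/EBS", "VolumeId"),
}

# Metrics where an absent datapoint means "nothing happened" (zero), not
# "unknown".  CloudWatch returns no datapoint at all for a period with no
# events; a collector that simply skips such periods leaves Zabbix items stale
# and an Errors trigger stuck at the last non-zero value.  (My list, assumed.)
COUNT_METRICS = {"Invocations", "Errors", "Throttles", "NumberOfMessagesPublished",
                 "RequestCount", "HTTPCode_Target_5XX_Count"}

# Constructed responses; Datapoints are returned unordered, as here.
SAMPLE_RESPONSE = {
    "Label": "Errors",
    "Datapoints": [
        {"Timestamp": datetime(2018, 8, 21, 10, 5, tzinfo=timezone.utc), "Sum": 0.0, "Unit": "Count"},
        {"Timestamp": datetime(2018, 8, 21, 10, 0, tzinfo=timezone.utc), "Sum": 2.0, "Unit": "Count"},
    ],
}
EMPTY_RESPONSE = {"Label": "Errors", "Datapoints": []}
SAMPLE_WHEN = datetime(2018, 8, 21, 10, 5, tzinfo=timezone.utc)  # assumed poll time


def metric_request(service, resource, metric, statistic, period):
    """Keyword arguments for boto3 cloudwatch.get_metric_statistics()."""
    namespace, dimension = SERVICES[service]  # KeyError on an unknown service
    return {
        "Namespace": namespace,
        "MetricName": metric,
        "Dimensions": [{"Name": dimension, "Value": resource}],
        "Statistics": [statistic],
        "Period": period,
    }


def latest_value(response, statistic, metric):
    """Newest datapoint of a response, 0.0 for an empty count metric, else None."""
    points = response.get("Datapoints", [])
    if not points:
        return 0.0 if metric in COUNT_METRICS else None
    newest = max(points, key=lambda p: p["Timestamp"])  # never trust list order
    return float(newest[statistic])


def sender_line(host, key, value, when):
    """One 'host key timestamp value' line for zabbix_sender -T -i <file>."""
    return "%s %s %d %s" % (host, key, int(when.timestamp()), value)


def collect(host, service, resource, metric, statistic, response, when):
    """Sender line for one metric from an already fetched response, or None."""
    key = "cloudwatch.%s[%s,%s]" % (service.lower(), resource, metric)  # assumed key scheme
    value = latest_value(response, statistic, metric)
    if value is None:
        return None  # nothing to send; a nodata() trigger in Zabbix catches the gap
    return sender_line(host, key, value, when)


if __name__ == "__main__":
    print(metric_request("LambdaFunction", "mylambda", "Errors", "Sum", 300))
    print(collect("Ireland", "LambdaFunction", "mylambda", "Errors", "Sum", SAMPLE_RESPONSE, SAMPLE_WHEN))
    print(collect("Ireland", "EBS", "vol-11111111", "VolumeQueueLength", "Average", EMPTY_RESPONSE, SAMPLE_WHEN))
```

The two things worth copying into any collector of this kind are in latest_value(): sort by timestamp rather than trusting the order of Datapoints, and decide per metric whether "no data" is zero or unknown, because CloudWatch does not distinguish the two for you.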