Zabbix Script for Shards Monitoring
Home > Wazuh > Zabbix Script for Shards Monitoring
Zabbix Script to Monitor Wazuh Shards
This guide describes how to monitor the number of Wazuh-Indexer shards used by Wazuh using a custom script and visualize the result in Zabbix. This helps prevent situations where excessive shards impact performance.
Step 1: Create a Script on the Zabbix Server
Use the following Bash script to check the percentage of Wazuh-Indexer shards currently in the STARTED state.
Script Path
Store the script in the recommended path:
/usr/local/bin/check_wazuh_shard_usage.sh
Script Content
#!/bin/bash
ES_HOST="https://172.235.8.245:9200" # Wazuh-Indexer endpoint
ES_USER="admin" # Wazuh-Indexer username
ES_PASS="<password>" # Replace with your actual password
MAX_SHARDS=1000 # Set your maximum shard threshold
# Get the number of shards that are in the 'STARTED' state
count=$(curl -ksu "$ES_USER:$ES_PASS" "$ES_HOST/_cat/shards?h=state" | grep -c STARTED)
# If the count is empty or zero, return 0
if [[ -z "$count" || "$count" -eq 0 ]]; then
echo 0
exit 0
fi
# Calculate shard usage percentage
usage=$(awk -v count="$count" -v max="$MAX_SHARDS" 'BEGIN { printf "%.0f", (count/max)*100 }')
# Output the usage value
echo "$usage"
Ensure the script is executable:
chmod +x /usr/local/bin/check_wazuh_shard_usage.sh
Step 2: Manually Test the Script
Run the script to validate its output:
# /usr/local/bin/check_wazuh_shard_usage.sh
Example output:
96
This means 96% of the maximum allowed shards are currently in use.
Step 3: Zabbix Configuration
Once the script is working as expected, configure Zabbix to collect this data periodically.
3.1: Login to Zabbix Web Interface
- Log in to the Zabbix Dashboard as an Admin.
- Navigate to Configuration → Hosts.
- Select your Zabbix server (or the host where the script resides).
3.2: Create a New Item
Create a Zabbix item to run the script and collect the shard usage.
- Name: Wazuh Shard Usage
- Type: Zabbix agent
- Key:
wazuh.shard.usage
(This key must be implemented in the Zabbix agent config or UserParameter)
- Type of information: Numeric (unsigned)
- Host interface: <default>
- Units: %
- Update interval: 1h (or adjust as needed)
- Timeout: <default>
- History: <default>
- Trends: <default>
- Description: Indicates the % of currently used Wazuh-Indexer shards
UserParameter Example (for Agent)
If using `Zabbix agent`, ensure the following line exists in the Zabbix agent config file (`zabbix_agentd.conf`):
UserParameter=wazuh.shard.usage,/usr/local/bin/check_wazuh_shard_usage.sh
Restart the Zabbix agent after adding this line:
systemctl restart zabbix-agent
3.3: Test the Item
After creating the item, wait for the next update interval or manually update the item from the Zabbix UI. Confirm that it retrieves the correct value.
Step 4: Create a Trigger
Set up a trigger to get notified when shard usage crosses a critical threshold.
- Name: Wazuh Shard Usage High
- Severity: High
- Expression:
{Zabbix server:wazuh.shard.usage.last()}>65
You can also use the Expression constructor in the UI to build and test this.
Once tested successfully, click Create to save the trigger.
Step 5: Mail Alert Output
If you have email alerts configured in Zabbix (Media types & Actions), an email similar to the following will be sent when the trigger condition is met:
Problem started at 13:34:06 on 2025.07.04 Problem name: Wazuh Shard Usage Host: Zabbix server Severity: High Operational data: 96 % Original problem ID: 4420921
