Difference between revisions of "Zabbix Script for Shards Monitoring"

From Notes_Wiki
 
 
= Zabbix Script to Monitor Wazuh Shards =
This guide describes how to monitor the number of Wazuh-Indexer shards used by Wazuh using a custom script and visualize the result in Zabbix. This helps prevent situations where excessive shards impact performance.
== Step 1: Create a Script on the Zabbix Server ==
Use the following Bash script to report the number of Wazuh-Indexer shards currently in the STARTED state as a percentage of a configured maximum (<code>MAX_SHARDS</code>).
=== Script Path ===
Store the script in the recommended path:
<pre>
/usr/local/bin/check_wazuh_shard_usage.sh
</pre>
=== Script Content ===
<pre>
#!/bin/bash
ES_HOST="https://172.235.8.245:9200"  # Wazuh-Indexer endpoint
ES_USER="admin"                        # Wazuh-Indexer username
ES_PASS="<password>"                  # Replace with your actual password
MAX_SHARDS=1000  # Set your maximum shard threshold

# Get the number of shards that are in the 'STARTED' state
# (-k skips TLS certificate verification, -s silences progress output, -u passes the credentials)
count=$(curl -ksu "$ES_USER:$ES_PASS" "$ES_HOST/_cat/shards?h=state" | grep -c STARTED)

# If the count is empty or zero, return 0
# (this is also the result when the request itself fails, e.g. wrong password or unreachable host)
if [[ -z "$count" || "$count" -eq 0 ]]; then
  echo 0
  exit 0
fi

# Calculate shard usage percentage
usage=$(awk -v count="$count" -v max="$MAX_SHARDS" 'BEGIN { printf "%.0f", (count/max)*100 }')

# Output the usage value
echo "$usage"
</pre>
Ensure the script is executable:
<pre>
chmod +x /usr/local/bin/check_wazuh_shard_usage.sh
</pre>
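A hardened variant of the script above, as an added example that is not part of the original wiki page: it verifies the indexer's certificate instead of using <code>-k</code>, reads the credentials from a netrc file, and fails rather than printing 0 when the response contains no shard states. The two file paths, the <code>--live</code> switch and the sample input are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the wiki's script. The file paths below are assumptions.
ES_HOST="https://172.235.8.245:9200"            # endpoint from the page
MAX_SHARDS=1000                                 # same threshold as the page
NETRC="/etc/zabbix/wazuh-indexer.netrc"         # assumed path; mode 0600, owned by the agent user
CA_CERT="/etc/zabbix/wazuh-indexer-root-ca.pem" # assumed path to the indexer's root CA

# Constructed sample of `_cat/shards?h=state` output (not real cluster data).
SAMPLE_STATES='STARTED
STARTED
UNASSIGNED
STARTED'

# Fetch one shard state per line. --cacert replaces -k, -f turns HTTP errors into
# a non-zero exit, and --netrc-file keeps the password out of the script.
# netrc line format: machine 172.235.8.245 login admin password <password>
fetch_states() {
  curl -fsS --max-time 10 --cacert "$CA_CERT" --netrc-file "$NETRC" \
    "$ES_HOST/_cat/shards?h=state"
}

# Read shard states on stdin and print STARTED shards as a percentage of $1.
# Returns 1 and prints nothing when stdin holds no recognizable shard state,
# so an empty or error response is never reported as 0.
usage_pct() {
  max="$1"
  states=$(cat)
  total=$(printf '%s\n' "$states" | grep -cE '^(STARTED|INITIALIZING|RELOCATING|UNASSIGNED)[[:space:]]*$' || true)
  [ "$total" -gt 0 ] || return 1
  started=$(printf '%s\n' "$states" | grep -cE '^STARTED[[:space:]]*$' || true)
  awk -v c="$started" -v m="$max" 'BEGIN { printf "%.0f\n", (c / m) * 100 }'
}

# Query the indexer and print the usage; any failure exits non-zero with a message on stderr.
main() {
  raw=$(fetch_states) || { echo "shard query failed" >&2; return 1; }
  printf '%s\n' "$raw" | usage_pct "$MAX_SHARDS" ||
    { echo "no shard states in response" >&2; return 1; }
}

if [ "${1:-}" = "--live" ]; then
  main
else
  printf '%s\n' "$SAMPLE_STATES" | usage_pct 10   # 3 STARTED of max 10, prints 30
fi
```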
== Step 2: Manually Test the Script ==
Run the script to validate its output:
<pre>
# /usr/local/bin/check_wazuh_shard_usage.sh
</pre>
'''Example output:'''
<pre>
96
</pre>
This means 96% of the maximum allowed shards are currently in use.
== Step 3: Zabbix Configuration ==
Once the script is working as expected, configure Zabbix to collect this data periodically.
=== 3.1: Log in to the Zabbix Web Interface ===
* Log in to the Zabbix Dashboard as an Admin.
* Navigate to '''Configuration → Hosts'''.
* Select your Zabbix server (or the host where the script resides).
=== 3.2: Create a New Item ===
Create a Zabbix item to run the script and collect the shard usage.
* '''Name:''' Wazuh Shard Usage
* '''Type:''' Zabbix agent
* '''Key:''' <code>wazuh.shard.usage</code> (this key must be defined as a UserParameter in the Zabbix agent configuration)
* '''Type of information:''' Numeric (unsigned)
* '''Host interface:''' &lt;default&gt;
* '''Units:''' %
* '''Update interval:''' 1h (or adjust as needed)
* '''Timeout:''' &lt;default&gt;
* '''History:''' &lt;default&gt;
* '''Trends:''' &lt;default&gt;
* '''Description:''' Indicates the % of currently used Wazuh-Indexer shards
==== UserParameter Example (for Agent) ====
If using the Zabbix agent, ensure the following line exists in the Zabbix agent config file (<code>zabbix_agentd.conf</code>):
<pre>
UserParameter=wazuh.shard.usage,/usr/local/bin/check_wazuh_shard_usage.sh
</pre>
Restart the Zabbix agent after adding this line:
<pre>
systemctl restart zabbix-agent
</pre>
=== 3.3: Test the Item ===
After creating the item, wait for the next update interval or manually update the item from the Zabbix UI. Confirm that it retrieves the correct value.
== Step 4: Create a Trigger ==
Set up a trigger to get notified when shard usage crosses a critical threshold.
* '''Name:''' Wazuh Shard Usage High
* '''Severity:''' High
* '''Expression:'''
<pre>
{Zabbix server:wazuh.shard.usage.last()}>65
</pre>
You can also use the '''Expression constructor''' in the UI to build and test this.
Once tested successfully, click '''Create''' to save the trigger.
== Step 5: Mail Alert Output ==
If you have email alerts configured in Zabbix (Media types & Actions), an email similar to the following will be sent when the trigger condition is met:
<pre>
Problem started at 13:34:06 on 2025.07.04
Problem name: Wazuh Shard Usage
Host: Zabbix server
Severity: High
Operational data: 96 %
Original problem ID: 4420921
</pre>

Latest revision as of 13:14, 8 July 2025
