Difference between revisions of "Zabbix Script for Shards Monitoring"

From Notes_Wiki
 
[[Main Page | Home]] > [[Wazuh]] > [[Zabbix Script for Shards Monitoring]]
= Zabbix Script to Monitor Wazuh Shards =
This guide describes how to monitor the number of Elasticsearch shards used by Wazuh with a custom script and graph the result in Zabbix. Every open shard (primary or replica) counts against the cluster limit of <code>cluster.max_shards_per_node</code> (1000 by default) multiplied by the number of data nodes. Once that limit is reached the cluster refuses to create new indices, and because Wazuh writes alerts to a new index every day, new alerts stop being indexed. Watching shard usage gives warning before that happens, and before the sheer number of shards starts to hurt performance.
== Step 1: Create a Script on the Zabbix Server ==
Use the following Bash script, which reports the number of shards in the STARTED state as a percentage of a configured maximum.
=== Script Path ===
Store the script in the recommended path:
<pre>
/usr/local/bin/check_wazuh_shard_usage.sh
</pre>
=== Script Content ===
<pre>
#!/bin/bash
ES_HOST="https://172.235.8.245:9200"  # Elasticsearch endpoint
ES_USER="admin"                        # Elasticsearch username
ES_PASS="<password>"                  # Replace with your actual password
MAX_SHARDS=1000  # Cluster shard limit: cluster.max_shards_per_node (default 1000) x number of data nodes
# Get the number of shards that are in the 'STARTED' state.
# -k skips TLS certificate verification; use --cacert <root CA file> instead where the indexer CA is available.
count=$(curl -ksu "$ES_USER:$ES_PASS" "$ES_HOST/_cat/shards?h=state" | grep -c STARTED)
# If the count is empty or zero, return 0.
# Note: grep -c also prints 0 when curl returned nothing (host unreachable, wrong password),
# so a failed query is reported as 0% usage rather than as an error.
if [[ -z "$count" || "$count" -eq 0 ]]; then
  echo 0
  exit 0
fi
# Calculate shard usage percentage (rounded to the nearest integer)
usage=$(awk -v count="$count" -v max="$MAX_SHARDS" 'BEGIN { printf "%.0f", (count/max)*100 }')
# Output the usage value
echo "$usage"
</pre>
Make the script executable for the <code>zabbix</code> user the agent runs as, and keep it unreadable to other local users because it contains the indexer password:
<pre>
chown root:zabbix /usr/local/bin/check_wazuh_shard_usage.sh
chmod 750 /usr/local/bin/check_wazuh_shard_usage.sh
</pre>
== Step 2: Manually Test the Script ==
Run the script as the <code>zabbix</code> user, which is the account the agent will later use to execute it, so that permission problems show up now rather than later as an unsupported item:
<pre>
# sudo -u zabbix /usr/local/bin/check_wazuh_shard_usage.sh
</pre>
'''Example output:'''
<pre>
96
</pre>
With <code>MAX_SHARDS=1000</code> this means 960 shards are in the STARTED state, i.e. 96% of the configured maximum is in use.
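The following is an added example written for this page; it is not the script above and not code from the Wazuh or Zabbix projects. It keeps the same percentage calculation but counts every shard line returned by <code>_cat/shards</code> rather than only STARTED ones (the cluster limit applies to all open shards, and shards that are INITIALIZING, RELOCATING or UNASSIGNED are invisible to a STARTED-only count; during a relocation the moving shard appears twice, so the figure can briefly overshoot, which is the safe direction for an alarm). It exits non-zero instead of printing 0 when no shard data comes back, so Zabbix marks the item unsupported rather than recording a reassuring 0%, it exposes the number of shards that are not STARTED as a second metric, and it replaces <code>curl -k</code> and the in-script password with a CA file and a curl netrc file. The CA path, the netrc path, the default host, the script name and the <code>run usage|notstarted</code> arguments are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not the page's script: shard usage check for a Zabbix
# UserParameter. Counts all shard lines from _cat/shards (not only STARTED),
# reports shards that are not STARTED as a second metric, and fails loudly
# when the indexer returns nothing.
set -u

# count_shards: read "_cat/shards?h=state" lines on stdin and print
# "<total> <not_started>". Blank lines are ignored.
count_shards() {
  awk '
    NF > 0 { total++; if ($1 != "STARTED") bad++ }
    END    { printf "%d %d\n", total + 0, bad + 0 }
  '
}

# shard_metric MODE [MAX]: MODE "usage" prints the total shard count as an
# integer percentage of MAX (1000 by default, as on the page); MODE
# "notstarted" prints the number of shards that are not STARTED. Returns 2
# when no shard lines arrived, so a failed query becomes an unsupported item
# in Zabbix instead of 0 % usage.
shard_metric() {
  local mode="$1" max="${2:-1000}" out total bad
  out=$(count_shards)
  total=${out% *}
  bad=${out#* }
  if [ "$total" -eq 0 ]; then
    echo "no shard data received from the indexer" >&2
    return 2
  fi
  case "$mode" in
    usage)      awk -v t="$total" -v m="$max" 'BEGIN { printf "%.0f\n", (t / m) * 100 }' ;;
    notstarted) echo "$bad" ;;
    *)          echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# fetch_shard_states: query the indexer. Paths and host are assumptions for
# this example. --cacert verifies the indexer certificate instead of -k, and
# --netrc-file keeps the password out of this script and out of `ps` output.
fetch_shard_states() {
  curl -sS --fail --max-time 20 \
    --cacert "${ES_CACERT:-/etc/wazuh-indexer/certs/root-ca.pem}" \
    --netrc-file "${ES_NETRC:-/etc/zabbix/.indexer-netrc}" \
    "${ES_HOST:-https://127.0.0.1:9200}/_cat/shards?h=state"
}

# Entry point when called from the UserParameter:
#   check_wazuh_shards.sh run usage        -> percentage of MAX_SHARDS
#   check_wazuh_shards.sh run notstarted   -> shards not yet STARTED
if [ "${1:-}" = "run" ]; then
  set -o pipefail   # a curl failure must fail the whole pipeline
  fetch_shard_states | shard_metric "${2:-usage}" "${MAX_SHARDS:-1000}"
fi
```

The netrc file (owned by <code>zabbix</code>, mode 0600) holds a single line of the form <code>machine 172.235.8.245 login admin password &lt;password&gt;</code>. Both metrics can then be wired into the agent with <code>UserParameter=wazuh.shard.usage,/usr/local/bin/check_wazuh_shards.sh run usage</code> and <code>UserParameter=wazuh.shard.notstarted,/usr/local/bin/check_wazuh_shards.sh run notstarted</code>, and checked end to end from the Zabbix server with <code>zabbix_get -s &lt;agent host&gt; -k wazuh.shard.usage</code>. Set the <code>MAX_SHARDS</code> default to the cluster's real limit (<code>cluster.max_shards_per_node</code> times the number of data nodes) rather than leaving it at 1000 on multi-node clusters.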
== Step 3: Zabbix Configuration ==
Once the script is working as expected, configure Zabbix to collect this data periodically.
=== 3.1: Login to Zabbix Web Interface ===
* Log in to the Zabbix frontend as an administrator.
* Navigate to '''Configuration → Hosts''' ('''Data collection → Hosts''' in Zabbix 7.0).
* Select the host on which the script and the Zabbix agent reside (in this guide the Zabbix server itself).
=== 3.2: Create a New Item ===
Create a Zabbix item to run the script and collect the shard usage.
* '''Name:''' Wazuh Shard Usage
* '''Type:''' Zabbix agent
* '''Key:''' <code>wazuh.shard.usage</code> (this key is not built into the agent; it must be defined as a UserParameter in the agent configuration of the host that runs the script, see below)
* '''Type of information:''' Numeric (unsigned)
* '''Host interface:''' &lt;default&gt;
* '''Units:''' %
* '''Update interval:''' 1h (or adjust as needed)
* '''Timeout:''' &lt;default&gt;
* '''History:''' &lt;default&gt;
* '''Trends:''' &lt;default&gt;
* '''Description:''' Indicates the % of currently used Elasticsearch shards
==== UserParameter Example (for Agent) ====
If using the <code>Zabbix agent</code>, ensure the following line exists in the agent configuration file (<code>zabbix_agentd.conf</code>, or <code>zabbix_agent2.conf</code> for Zabbix agent 2):
<pre>
UserParameter=wazuh.shard.usage,/usr/local/bin/check_wazuh_shard_usage.sh
</pre>
Restart the Zabbix agent after adding this line (the service is <code>zabbix-agent2</code> for Zabbix agent 2):
<pre>
systemctl restart zabbix-agent
</pre>
=== 3.3: Test the Item ===
After creating the item, wait for the next update interval or select the item in the host's item list and use '''Execute now'''. Then confirm under '''Monitoring → Latest data''' that the item shows the same value as the manual run of the script.
== Step 4: Create a Trigger ==
Set up a trigger to be notified when shard usage crosses a critical threshold.
* '''Name:''' Wazuh Shard Usage High
* '''Severity:''' High
* '''Expression:'''
<pre>
{Zabbix server:wazuh.shard.usage.last()}>65
</pre>
This is the trigger syntax of Zabbix 5.2 and earlier. Zabbix 5.4 and later only accept the function-first form, with the host and item key inside the function call:
<pre>
last(/Zabbix server/wazuh.shard.usage)>65
</pre>
<code>Zabbix server</code> is the host name as configured in Zabbix; adjust it if the item was created on another host. A threshold of 65% leaves headroom to act before the cluster limit is actually reached.
You can also use the '''Expression constructor''' in the UI to build and test this.
Once tested successfully, click '''Create''' to save the trigger.
== Step 5: Mail Alert Output ==
If you have email alerts configured in Zabbix (Media types & Actions), an email similar to the following will be sent when the trigger condition is met:
<pre>
Problem started at 13:34:06 on 2025.07.04
Problem name: Wazuh Shard Usage
Host: Zabbix server
Severity: High
Operational data: 96 %
Original problem ID: 4420921
</pre>

Revision as of 13:10, 8 July 2025
