Home > Wazuh > Zabbix Script for Shards Monitoring

Zabbix Script to Monitor Wazuh Shards

This guide describes how to monitor the number of Wazuh-Indexer shards used by Wazuh using a custom script and visualize the result in Zabbix. This helps prevent situations where excessive shards impact performance.

Step 1: Create a Script on the Zabbix Server

Use the following Bash script to check the percentage of Wazuh-Indexer shards currently in the STARTED state.

Script Path

Store the script in the recommended path:

/usr/local/bin/check_wazuh_shard_usage.sh

Script Content

#!/bin/bash

ES_HOST="https://172.235.8.245:9200"   # Wazuh-Indexer endpoint
ES_USER="admin"                        # Wazuh-Indexer username
ES_PASS="<password>"                   # Replace with your actual password

MAX_SHARDS=1000  # Set your maximum shard threshold

# Get the number of shards that are in the 'STARTED' state
count=$(curl -ksu "$ES_USER:$ES_PASS" "$ES_HOST/_cat/shards?h=state" | grep -c STARTED)

# If the count is empty or zero, return 0
if [[ -z "$count" || "$count" -eq 0 ]]; then
  echo 0
  exit 0
fi

# Calculate shard usage percentage
usage=$(awk -v count="$count" -v max="$MAX_SHARDS" 'BEGIN { printf "%.0f", (count/max)*100 }')

# Output the usage value
echo "$usage"

Ensure the script is executable:

chmod +x /usr/local/bin/check_wazuh_shard_usage.sh

Step 2: Manually Test the Script

Run the script to validate its output:

# /usr/local/bin/check_wazuh_shard_usage.sh

Example output:

96

This means 96% of the maximum allowed shards are currently in use.

Step 3: Zabbix Configuration

Once the script is working as expected, configure Zabbix to collect this data periodically.

3.1: Login to Zabbix Web Interface

• Log in to the Zabbix Dashboard as an Admin.
• Navigate to Configuration → Hosts.
• Select your Zabbix server (or the host where the script resides).

3.2: Create a New Item

Create a Zabbix item to run the script and collect the shard usage.

• Name: Wazuh Shard Usage
• Type: Zabbix agent
• Key: wazuh.shard.usage

 (This key must be implemented in the Zabbix agent config or UserParameter)

• Type of information: Numeric (unsigned)
• Host interface: <default>
• Units: %
• Update interval: 1h (or adjust as needed)
• Timeout: <default>
• History: <default>
• Trends: <default>
• Description: Indicates the % of currently used Wazuh-Indexer shards

UserParameter Example (for Agent)

If using `Zabbix agent`, ensure the following line exists in the Zabbix agent config file (`zabbix_agentd.conf`):

UserParameter=wazuh.shard.usage,/usr/local/bin/check_wazuh_shard_usage.sh

Restart the Zabbix agent after adding this line:

systemctl restart zabbix-agent

3.3: Test the Item

After creating the item, wait for the next update interval or manually update the item from the Zabbix UI. Confirm that it retrieves the correct value.

Step 4: Create a Trigger

Set up a trigger to get notified when shard usage crosses a critical threshold.

• Name: Wazuh Shard Usage High
• Severity: High
• Expression:

{Zabbix server:wazuh.shard.usage.last()}>65

You can also use the Expression constructor in the UI to build and test this.

Once tested successfully, click Create to save the trigger.

Step 5: Mail Alert Output

If you have email alerts configured in Zabbix (Media types & Actions), an email similar to the following will be sent when the trigger condition is met:

Problem started at 13:34:06 on 2025.07.04
Problem name: Wazuh Shard Usage
Host: Zabbix server
Severity: High
Operational data: 96 %
Original problem ID: 4420921