Zabbix Script for Shards Monitoring

From Notes_Wiki
Revision as of 13:14, 8 July 2025 by Sunilvarma (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Home > Wazuh > Zabbix Script for Shards Monitoring

Zabbix Script to Monitor Wazuh Shards

This guide describes how to monitor the number of Wazuh-Indexer shards used by Wazuh using a custom script and visualize the result in Zabbix. This helps prevent situations where excessive shards impact performance.

Step 1: Create a Script on the Zabbix Server

Use the following Bash script to check the percentage of Wazuh-Indexer shards currently in the STARTED state.

Script Path

Store the script in the recommended path: 

/usr/local/bin/check_wazuh_shard_usage.sh

Script Content

#!/bin/bash

ES_HOST="https://172.235.8.245:9200"   # Wazuh-Indexer endpoint
ES_USER="admin"                        # Wazuh-Indexer username
ES_PASS="<password>"                   # Replace with your actual password

MAX_SHARDS=1000  # Set your maximum shard threshold

# Get the number of shards that are in the 'STARTED' state
count=$(curl -ksu "$ES_USER:$ES_PASS" "$ES_HOST/_cat/shards?h=state" | grep -c STARTED)

# If the count is empty or zero, return 0
if [[ -z "$count" || "$count" -eq 0 ]]; then
  echo 0
  exit 0
fi

# Calculate shard usage percentage
usage=$(awk -v count="$count" -v max="$MAX_SHARDS" 'BEGIN { printf "%.0f", (count/max)*100 }')

# Output the usage value
echo "$usage"

Ensure the script is executable: 

chmod +x /usr/local/bin/check_wazuh_shard_usage.sh

Step 2: Manually Test the Script

Run the script to validate its output: 

# /usr/local/bin/check_wazuh_shard_usage.sh

Example output: 

96

This means 96% of the maximum allowed shards are currently in use.

Step 3: Zabbix Configuration

Once the script is working as expected, configure Zabbix to collect this data periodically.

3.1: Login to Zabbix Web Interface

  • Log in to the Zabbix Dashboard as an Admin.
  • Navigate to Configuration → Hosts.
  • Select your Zabbix server (or the host where the script resides).

3.2: Create a New Item

Create a Zabbix item to run the script and collect the shard usage.

  • Name: Wazuh Shard Usage
  • Type: Zabbix agent
  • Key: wazuh.shard.usage
 (This key must be implemented in the Zabbix agent config or UserParameter)
  • Type of information: Numeric (unsigned)
  • Host interface: <default>
  • Units: %
  • Update interval: 1h (or adjust as needed)
  • Timeout: <default>
  • History: <default>
  • Trends: <default>
  • Description: Indicates the % of currently used Wazuh-Indexer shards

UserParameter Example (for Agent)

If using `Zabbix agent`, ensure the following line exists in the Zabbix agent config file (`zabbix_agentd.conf`): 

UserParameter=wazuh.shard.usage,/usr/local/bin/check_wazuh_shard_usage.sh

Restart the Zabbix agent after adding this line: 

systemctl restart zabbix-agent

3.3: Test the Item

After creating the item, wait for the next update interval or manually update the item from the Zabbix UI. Confirm that it retrieves the correct value.

Step 4: Create a Trigger

Set up a trigger to get notified when shard usage crosses a critical threshold.

  • Name: Wazuh Shard Usage High
  • Severity: High
  • Expression:
{Zabbix server:wazuh.shard.usage.last()}>65

You can also use the Expression constructor in the UI to build and test this.

Once tested successfully, click Create to save the trigger.

Step 5: Mail Alert Output

If you have email alerts configured in Zabbix (Media types & Actions), an email similar to the following will be sent when the trigger condition is met: 

Problem started at 13:34:06 on 2025.07.04
Problem name: Wazuh Shard Usage
Host: Zabbix server
Severity: High
Operational data: 96 %
Original problem ID: 4420921
Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Zabbix_Script_for_Shards_Monitoring&oldid=9062"