Global Scripts

Video Lecture

Description

In this lecture, I demonstrate how to use Global Scripts (A.K.A. Administration Scripts) from the Zabbix Server, Zabbix Proxy and Zabbix Agents.

Configuration depends on

from which process, on which server, the script will actually be executed
whether remote commands are enabled for the process executing the script
whether the Zabbix user will require sudo privileges for any part of the script command
whether the agent has any working passive checks

In this video, I demonstrate how to set up and problem solve the pre-existing global scripts ping, and detect operating system.

Open the Zabbix server configuration file,

nano /etc/zabbix/zabbix_server.conf

and set,

EnableGlobalScripts=1

Restart the Zabbix server process and check the status.

service zabbix-server restart
service zabbix-server status

When calling the ping global script for a host behind a Zabbix Proxy, the Zabbix Proxy configuration will also need to be updated with EnableGlobalScripts=1 to allow remote commands. This is because the ping will be executed from the Zabbix proxy itself. You should also restart the Zabbix proxy after any configuration change.

For the global script used to detect the operating system, the nmap executable will be used from either the Zabbix Server or Zabbix Proxy, and it will need to be installed on the server or proxy first, and you will also need to allow the Zabbix user sudo privileges to execute it.

visudo

Add the line,

zabbix ALL=(ALL) NOPASSWD: /usr/bin/nmap

Press Ctrl-X and Y to save.

I will also demonstrate creating a script that runs from the Zabbix agents themselves. This will use the free command to list available memory.

To make the FREE global script work on the Zabbix agent, I needed to add an AllowKey option to the configuration file.

# for classic zabbix agent
nano /etc/zabbix/zabbix_agentd.conf
# for zabbix agent 2
nano /etc/zabbix/zabbix_agent2.conf

AllowKey=system.run[free]

Troubleshooting

For Zabbix Proxy 5.01 and earlier, if you want it to be able to pass remote commands from the Zabbix server onto the hosts that it is monitoring, then you only need to set EnableRemoteCommands=1. And you have restarted your agent/proxy after making the change.

For Zabbix Proxy 5.02 and later, you should set the AllowKey and/or DenyKey options and then restart the proxy.

On Zabbix Proxy 5.01, when doing a config_cache_reload, you may see the warning Warning: EnableRemoteCommands parameter is deprecated, use AllowKey=system.run[] or DenyKey=system.run[] instead

You can ignore the warning.

For Zabbix Proxy 5.01 and earlier, if you want it to be able to pass remote commands from the Zabbix server onto the hosts that it is monitoring, then you only need to set EnableRemoteCommands=1

If you were to add AllowKey or DenyKey to the proxy config for Zabbix 5.01, you would now get the errors unknown parameter "AllowKey" in config file "/etc/zabbix/zabbix_proxy.conf" and/or unknown parameter "DenyKey" in config file "/etc/zabbix/zabbix_proxy.conf" depending on what you added.

It is only important use AllowKey or DenyKey if you are using Zabbix Proxy 5.02 or later.

Also,

If you see get the error,

Unsupported item key.
Cannot execute script

It could be many things. It may also be because your agent is connected to the server with only Active checks. The server is unable to find your agent by IP address or domain name, possibly due to it being on a different network with no firewall rule configuration to forward the request from the server. If your agent is behind a firewall, and is using a Zabbix Proxy, then you won't need to configure the firewall as long as your Proxy is also running in Active mode (default).

Stopping Starting Windows Services

You can create global scripts to stop/start/restart Windows services.

Restart Print Spool Example

The above image shows an example global script to restart the windows print spool.

The command is

powershell -NoProfile -ExecutionPolicy bypass Restart-Service -Name 'Spooler'

If you would rather explicitly stop or start the print spool service, for example,

powershell -NoProfile -ExecutionPolicy bypass Stop-Service -Name 'Spooler'

powershell -NoProfile -ExecutionPolicy bypass Start-Service -Name 'Spooler'

You can get the status of a service, using the command

powershell -NoProfile -ExecutionPolicy bypass Get-Service -Name 'Spooler'

Note that these commands are executed on the host using the Zabbix agent. See the above image.

If you stop the Zabbix agent however, using the above method, then you won't be able to restart it again.

eg, this will fail.

powershell -NoProfile -ExecutionPolicy bypass Restart-Service -Name 'Zabbix Agent'

The agent will stop, but not start.

To cause the Zabbix agent to restart, you will need to create a separate service that runs independently of the Zabbix agent, and has the required host privileges to stop and start the Zabbix Agent.

If you just create a script to execute, it is unlikely to finish executing, since the parent process which started it(Zabbix Agent) was prematurely stopped before it could continue and finish by starting the new Zabbix Agent process.

Note

If you want to try these commands locally on the host, you will need to start cmd or PowerShell with admin privileges.

PowerShell is discussed later in the course in more detail at PowerShell Windows Updates.

Useful Links

Global Scripts

Running Docker Commands with Administration Scripts

Design Patterns in Python
		Kindle Edition Paperback
Design Patterns in TypeScript
		Kindle Edition Paperback

Design Patterns in Python
		Kindle Edition Paperback
Design Patterns in TypeScript
		Kindle Edition Paperback

Global Scripts

Video Lecture

Description

Troubleshooting

Stopping Starting Windows Services

Useful Links

Comments