Is this Nethserver module helpful to you?
Please consider donating to the author

Thank you kindly!

2019/03/04 12:06 · HF

Zabbix (server monitoring)

To make the Zabbix install work you need to install following versions, see

yum install --enablerepo=zabbix-frontend

Zabbix, the monitoring suite on NethServer from zabbix repo.

Install mrmarkuz repo to ease installation/updates.

You need to choose which version you like to install.

Install Zabbix 5.0 LTS (recommended):

yum -y install

Install “oldstable” Zabbix 4.0 LTS:

yum -y install

Install nethserver-zabbix:

yum -y --enablerepo=mrmarkuz,zabbix,zabbix-frontend install nethserver-zabbix

To upgrade to 5.0 LTS it is necessary to remove zabbix-web* to get the newer version with yum without conflicts. This removes nethserver-zabbix too but we will reinstall it later. I recommend a database backup in a production environment, it's included in the NethServer backup.

yum -y install
yum -y remove zabbix-web-*
yum -y install --enablerepo=mrmarkuz,zabbix,zabbix-frontend nethserver-zabbix
yum -y update --enablerepo=zabbix

After updating you may have mixed language in Zabbix. To solve it, just change the language to something else and change it back in the user settings.

Go to https://NETHSERVER/zabbix and login with username Admin and password zabbix.

Default authentication is local db. Make sure you change the Admin password directly after first login.

Changing to Samba4 AD accountprovider / LDAP accountprovider:

As Admin, go to Administration / Authentication.
Click LDAP tab.
Check LDAP authentication checkbox.
LDAP host: ldaps://ad-domain.tld (best practice is to have a not used subdomain of the domain as ad-domain)
Port: 636 for ldaps, 389 for ldap.
Search attribute: sAMAccountName for Samba4 accountprovider, uid for OpenLDAP accountprovider.
Bind DN: check servermanager for BindDN. Default is ldapservice@domain.tld
Uncheck case sensitive login (zabbix is case sensitive for accountnames, disable this if you want lower case usernames only).
Bind password: check servermanager and copy-paste it.
Test settings:
username: valid Samba4 AD / LDAP accountname
password: password of the Samba4 AD / LDAP account
Click test button.
If ok, click update.
Change authentication to LDAP:
Click Athentication tab (first Tab).
Click LDAP.
Click update.

Zabbix needs the Samba4 AD / LDAP user pre-created in the database, without password.
Go to Administration / Users
Click new user (top right)
Alias: username (equal as user in Samba4 AD / LDAP)
groups: add group you want the user to be member of.
Leave password empty
Set other preferences as you need them.
click add.

You can now log in with the Samba4 / LDAP account.

Zabbix agents for various OS can be downloaded here. For NethServer you can install the rpm nethserver-zabbix-agent

Once you have installed the agent on the host you want to monitor with Zabbix, you have to create a host inside the UI of Zabbix. You must use the exact FQDN hostname in Host name field that it is set inside the Zabbix agent. Do hostname in the terminal of the client to use the same FQDN (SystemName.DomainName).

you have also to choose what to monitor by adding templates


  • Encryption
  • Raid check (only linux raid by mdadm)
  • zabbix-agent2 (drop in replacement of zabbix-agent with more features)

Thanks to Stephane de Labrusse for creating and developing the NethServer Zabbix Agent.


yum -y install nethserver-zabbix-agent --enablerepo=mrmarkuz


Decide which zabbix-agent version you want, we cannot for backward compatibility use zabbix-agent2 by default (for now) but it brings more discovery and template like systemd monitoring that the former version cannot do. For more information you can go to the official zabbix documentation

For zabbix-agent2 (which is recommended) do :

config setprop zabbix-agent status disabled
config setprop zabbix-agent2 status enabled

Copy your plugins to the new folder of zabbix-agent2 (if you get custom plugins in your agent)

cp /etc/zabbix/zabbix_agentd.d/* /etc/zabbix/zabbix_agent2.d/

restart and configure zabbix-agent2

signal-event nethserver-zabbix-agent-update

To configure Encryption and the agent (see explanation below)

  config setprop zabbix-agent2 ServerZabbix <Zabbix server hostname or IP>
  config setprop zabbix-agent2 PskId MyHumanUnicalString
  signal-event nethserver-zabbix-agent-update


The agent needs to know its server:

config setprop zabbix-agent ServerZabbix <Zabbix server hostname or IP>
signal-event nethserver-zabbix-agent-update


If you want to enable the encryption because your zabbix agent host is on a public network and not behind your firewall, you have to use a Human readable string for identifying the agent host, a pre-shared-key is automatically created in the agent host to encrypt the communication between the agent and the remote zabbix server

config setprop zabbix-agent PskId MyHumanUnicalString
signal-event nethserver-zabbix-agent-update

Now to enable encryption between server and agent you need to set PSK from and to host, PSK identity and PSK in the Zabbix web portal of the host settings.

  • The PSK is saved on the Agent side in /etc/zabbix/psk.shared
  • The PSK identity is the property value of PskId

See this howto

Zabbix can be extended by adding some templates, for now manually

In the Zabbix Web Portal an XML file needs to be imported, see Zabbix manual how to import templates.

With this custom template, zabbix will discover your raid settings and will create an alert in case of degraded array. Only the linux raid by MDADM is supported

To check Nethserver backups, Emiliano Vavassori provides following RPM:

Follow the instructions at stephdl github

You will see three new graphs (once you have enabled the monitoring template to your host), you will receive alerts when you have too much bounce/rejected or if the smtp service is down.

To monitor systemd service you need to use the zabbix-agent2, once enabled (see above) you need to follow the instruction at stephdl github

When a service does not satisfy its conditional start but it is enabled by systemd, it is seen as failed. The default is that mdadm and iscsi services do not satisfy their conditional start, hence they are in HIGH alert. If you do not need these services (or any other service warnings) you can disabled the trigger by clicking on the alert then configuration and uncheck the enabled checkbox.

The first dicovery needs at least few time, each minute the services are probed and give back an alert if needed

Thanks to Andy Wismer for providing the map images.

Please raise Issues on NethServer Community