How to auto-set zabbix_host?

Philip_Brown · January 7, 2020, 1:51am

I'm trying to set up a logstash-> zabbix gateway, that collects inputs from multiple servers running filebeat.

I gather that zabbix_host is a mandatory field.
It also seems like it would be set to the ACTUAL generating host, not the one running the logstash server. So that zabbix can fire off alerts about the actual relevant host.

How can I do this?

After much searching, I stumbled across a reference to using

zabbix_host => "%{source_host}"

but apparently that isnt valid either.
What can I do here? Kinda in shock that I cant seem to find any working examples of this.

Logstash 7.5

rugenl · January 7, 2020, 4:08am

Is this for the zabbix output plugin? We don't use that plugin, but we use both ELK and Zabbix. I suspect zabbix_host would be the case sensitive host name as defined to zabbix. The agent.hostname might work, depending if it is FQDN and if you used that in Zabbix.

I think the syntax would be "%{[agent][hostname]}".

Philip_Brown · January 7, 2020, 4:16am

Hmm... "%{[agent][hostname]}" sounds potentially useful.
I was also thinking maybe [@metadata][host] ?
Is there any listof all the predefined @metadata or [agent] type variables somewhere?
I've had no luck finding those either

rugenl · January 7, 2020, 4:18am

Ha! I looked for a list of metadata items while I was writing the first reply and couldn't find it either.

You could add a stdout output and print the event in json debug format to see all the available fields.

Philip_Brown · January 7, 2020, 5:18am

actually i'm not sure stdout shows you metadata fields.

rugenl · January 7, 2020, 1:23pm

No, it doesn't. The agent fields are listed in the filebeat modules section under "beats".

Philip_Brown · January 7, 2020, 2:51pm

Pardon?
I looked at
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html
but didnt see what you mean

rugenl · January 7, 2020, 3:42pm

Oops, it's the section after modules, this should be it.

Philip_Brown · January 7, 2020, 3:45pm

Aha.

Filebeat Reference [master] » Exported fields » Beat fields

Thanks.

Might you have any insight into the [@metadata] fields as well?

Philip_Brown · January 7, 2020, 4:07pm

Hmm. Also..
the doc you referenced, mentioned
" beat.name
type: alias
alias to: host.name"

where does this "host.name" come from?
(which is presumably %[host][name] ?)

that sounds like the same thing, but even more standardized. Would be good to understand that I think.

rather important, because when I do a file dump,
i see
"beat":{"hostname":

and

"host":{"name":

but I dont see any mention of "agent".

Badger · January 7, 2020, 4:14pm

output { stdout { codec => rubydebug { metadata => true } } }

will print the [@metadata] along with the event.

rugenl · January 7, 2020, 4:19pm

These fields are being renamed for ECS "common schema".... A noble goal but a clear violation of "if it's not broke don't fix it".

I just thought there were noting that these fields are aliased in the template for used in Elasticsearch, I think you only see one in the document when it hits logstash.

Philip_Brown · January 8, 2020, 6:17pm

Hit some major weirdness.
I used that very useful ruby debug output thing.
determine that the metadata is very small. ONLY actually has:
type
beat
ip_address

So I tried using

zabbix {
zabbix_server_host => "x.x.x.x"
zabbix_host => "%{[@metadata][ip_address]}"
zabbix_key => "filebeat.XXXX"
}

But I get handed
org.jruby.exceptions.RuntimeError: (RuntimeError) Invalid FieldReference: %{[@metadata][ip_address]}

SO I tried using instead,
zabbix_host => "%{[beat][hostname]}"

but get more or less the same error.

Which is really wierd, because I CAN use

            file {
                    path => "/var/log/logstash/beattest-%{[beat][hostname]}.debug"
                    flush_interval => 1
            }

whats the difference??

Dont think it will help any, but here is the FULL trace from the logfile

[2020-01-08T10:12:50,489][FATAL][logstash.runner ] An unexpected error occurred! {:error=>java.lang.IllegalStateException: org.jruby.exceptions.RuntimeError: (RuntimeError) Invalid FieldReference: %{[beat][hostname]}, :backtrace=>["org.logstash.execution.WorkerLoop.run(org/logstash/execution/WorkerLoop.java:85)", "java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:498)", "org.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(org/jruby/javasupport/JavaMethod.java:440)", "org.jruby.javasupport.JavaMethod.invokeDirect(org/jruby/javasupport/JavaMethod.java:304)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.start_workers(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:251)", "org.jruby.RubyProc.call(org/jruby/RubyProc.java:295)", "org.jruby.RubyProc.call(org/jruby/RubyProc.java:274)", "org.jruby.RubyProc.call(org/jruby/RubyProc.java:270)", "java.lang.Thread.run(java/lang/Thread.java:745)"]}

Badger · January 8, 2020, 7:44pm

Loooking at the code, it is not using event.sprintf, as any normal plugin would. It is just doing an event.get on it. So you might find that

zabbix_host => "[@metadata][ip_address]"

works.

Philip_Brown · January 8, 2020, 8:11pm

I think I tried that.
or at least, I tried "[beat][hostname]"

here's the really weird thing:
Neither of

                      zabbix_host => "[beat][hostname]"
  or
                      zabbix_host => "%{[beat][hostname]}"

seemed to work. but

 filter {
    mutate {
            add_field => { "[@metadata][zabbix_host]" => "%{[beat][hostname]}" }
    }
 }

 zabbix {
            zabbix_host => "[@metadata][zabbix_host]"
 }

kinda worked.

the ONE thing that is now stopping me from having a fully working zabbix output, is

[2020-01-08T11:20:17,173][WARN ][logstash.outputs.zabbix ][main] Field referenced by filebeat.XXXX is missing
[2020-01-08T11:20:17,431][WARN ][logstash.outputs.zabbix ][main] Zabbix server at x.x.x.x rejected all items sent. {:zabbix_host=>"xxxxxxx"}

Is this saying that I cant just do
zabbix_key => "filebeat.XXXX"

I have to do another stupid indirect reference for [@metadata][zabbix_key] or something??
What kind of whackjob plugin is this??
:-/

Badger · January 8, 2020, 9:09pm

That is weird. Is it possible you have removed the [beat] field by the time the event gets to the output?

Philip_Brown · January 8, 2020, 9:11pm

This is how I got it to work all the way to zabbix.
Ugh, stupid buggy zabbix module.

filter {
    mutate {
        add_field => { "[@metadata][zabbix_host]" => "%{[beat][hostname]}" }
    }
    if "magic-string-we-care-about" in [message] {
            mutate {
                    add_field => { "[@metadata][zabbix_key]"   => "filebeat.OUR_UNIQUEKEYHERE" }
                    add_field => { "[@metadata][sendtozabbix]" => "yes" }
            }
    }
}
output {
    if [@metadata][sendtozabbix] == "yes" {
            zabbix {
                    zabbix_server_host => "x.x.x.x"
                    zabbix_host => "[@metadata][zabbix_host]"
                    zabbix_key  => "[@metadata][zabbix_key]"
            }
    }
}

Philip_Brown · January 8, 2020, 9:13pm

Is it possible you have removed the [beat] field by the time the event gets to the output?

PS to badger: no. I checked by doing a dump-to-file of the message in parallel in the output section, after the attempt to send to zabbix.

system · February 5, 2020, 9:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Zabbix + Logstash = Field referenced by ... is missing Logstash	1	319	August 4, 2022
Monitor packetbeat via Zabbix Beats packetbeat	2	974	August 28, 2017
Facing issue in getting all the agent.hostname Logstash	1	601	February 25, 2020
Logstash-output-zabbix (3.0.5) Zabbix Version 4 ready? Logstash	2	408	January 10, 2019
Problem pushing log from logstash to zabbix Logstash	2	936	July 6, 2017

How to auto-set zabbix_host?

Related topics