Logstash integration with Zabbix server

Alan_John · June 21, 2016, 1:43pm

Hi,

I am working on with ELK and Zabbix recently. I'm stuck now with the
integration of Logstash with Zabbix server. I couldn't find a good
documentation to follow other than the slides provided by you and some
public forum posts. I already setup Zabbix server for monitoring my
openstack cluster. I have getting all the logs in Kibana Dashboard.

Could you please enlighten me, how to integrate Logstash with Zabbix server?
The path for configuration files and the steps to integrate would be
enough.

theuntergeek · June 21, 2016, 2:55pm

The Zabbix output plugin requires the values to be stored in fields, so many of the associated configuration parameters reference fields.

The following is a sample of what the Logstash end of the configuration might look like. You need to have Zabbix trapper items already made with the same keys you configure in Logstash.

input {
  # AWS instance, using nginx
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/usr/local/etc/openssl/certs/beats.crt"
    ssl_key => "/usr/local/etc/openssl/private/beats.key"
    tags => [ "nginx_json" ]
  }

  irc {
    channels => [ "#logstash", "#elasticsearch", "#zabbix" ]
    host => "irc.freenode.org"
    nick => "mynickname"
    port => 6667
    type => "irc"
  }
}

filter {
  if "nginx_json" in [tags] {
    json {
      source => "message"
      remove_field => "message"
    }
  }
  if "_jsonparsefailure" not in [tags] {
    if "nginx_json" in [tags] {
      mutate {
        replace => { "host" => "%{vhost}" }
        remove_field => "vhost"
      }
      geoip { source => "clientip" }
      if [useragent] != ""  { useragent { source => "useragent" } }
      if [referrer]   == "-" { mutate { remove_field => "referrer" } }
      if [status] >= 400 and [host] != "localhost" {
        mutate {
          add_field => { "[@metadata][status_key]" => "status" }
          add_field => { "[@metadata][clientip_key]" => "clientip" }
          add_field => { "[@metadata][error]" => "error[%{status},]" }
          add_field => { "[@metadata][counter]" => "1" }
        }
      }
    }
  }
  if [type] == "irc" {
    if [message] =~ /^.*TESTING.*$/ {
      mutate {
        add_field => { "[@metadata][irc_key]" => "message" }
        add_field => { "[@metadata][zabbix_host]" => "irc" }
        add_tag => "testing"
      }
    }
  }
}
output {
      if "nginx_json" in [tags] {
        if [status] >= 400 {
          zabbix {
            zabbix_server_host => "127.0.0.1"
            zabbix_host => "host"
            zabbix_key => "[@metadata][error]"
            zabbix_value => "[@metadata][counter]"
          }

          zabbix {
            zabbix_server_host => "127.0.0.1"
            zabbix_host => "host"
            multi_value => [ "[@metadata][status_key]", "status", "[@metadata][clientip_key]", "clientip" ]
          }

        }
      }
      if [type] == "irc" and "testing" in [tags] {
        zabbix {
          zabbix_server_host => "172.19.73.9"
          zabbix_host => "[@metadata][zabbix_host]"
          zabbix_key => "[@metadata][irc_key]"
          zabbix_value => "message"
        }
      }
}