Logstash integration with Zabbix server

The Zabbix output plugin requires the values to be stored in fields, so many of the associated configuration parameters reference fields.

The following is a sample of what the Logstash side of the configuration might look like. The Zabbix trapper items must already exist, with the same keys that you configure in Logstash.

input {
  # Beats listener for the nginx access logs (the author's setup: an AWS
  # instance running nginx). Every event from it is tagged "nginx_json" so
  # the filter and output sections can select it.
  # TLS is on with a server certificate and key. No client-verification
  # settings (ssl_verify_mode / ssl_certificate_authorities) are set here, so
  # any host that can reach port 5044 can submit events; restrict access at
  # the network layer or enable client certificates.
  beats {
    tags => [ "nginx_json" ]
    port => 5044
    ssl => true
    ssl_key => "/usr/local/etc/openssl/private/beats.key"
    ssl_certificate => "/usr/local/etc/openssl/certs/beats.crt"
  }

  # IRC listener on three public channels; events get type "irc".
  # Port 6667 with no `secure` setting is a plain-text connection, and
  # everything read from these channels is untrusted input written by
  # arbitrary participants.
  irc {
    type => "irc"
    host => "irc.freenode.org"
    port => 6667
    nick => "mynickname"
    channels => [ "#logstash", "#elasticsearch", "#zabbix" ]
  }
}

filter {
  # Decode the JSON access-log line shipped by Beats into event fields.
  # remove_field only takes effect when the json filter succeeds, so a line
  # that fails to parse keeps its raw "message".
  if "nginx_json" in [tags] {
    json {
      remove_field => "message"
      source => "message"
    }
  }

  # Enrich nginx events, but only those whose JSON decoded cleanly.
  if "_jsonparsefailure" not in [tags] and "nginx_json" in [tags] {
    # "host" is overwritten with the logged vhost. The nginx output section
    # passes the "host" field to zabbix_host, so this value chooses which
    # Zabbix host receives the data.
    # NOTE(review): if vhost is taken from the request's Host header it is
    # client-controlled; confirm against the nginx log_format.
    mutate {
      replace => { "host" => "%{vhost}" }
      remove_field => "vhost"
    }

    geoip {
      source => "clientip"
    }

    if [useragent] != "" {
      useragent {
        source => "useragent"
      }
    }

    if [referrer] == "-" {
      mutate {
        remove_field => "referrer"
      }
    }

    # For HTTP errors on non-local vhosts, stage what the zabbix outputs
    # need under @metadata, which is not emitted with the event itself.
    # The plugin reads both the item key and the item value from fields,
    # hence the *_key fields that simply hold key names.
    # NOTE(review): the numeric comparison presumably needs "status" to be a
    # JSON number rather than a quoted string; confirm.
    if [status] >= 400 and [host] != "localhost" {
      mutate {
        add_field => {
          "[@metadata][status_key]" => "status"
          "[@metadata][clientip_key]" => "clientip"
          # The status code becomes part of the item key, so a trapper item
          # must exist for each key this can produce.
          "[@metadata][error]" => "error[%{status},]"
          "[@metadata][counter]" => "1"
        }
      }
    }
  }

  # IRC events: a message containing TESTING is tagged and routed to the
  # Zabbix host "irc" under the item key "message". Any channel participant
  # can trigger this, and the output forwards the message text as the item
  # value, so treat that value as untrusted on the Zabbix side.
  if [type] == "irc" {
    if [message] =~ /^.*TESTING.*$/ {
      mutate {
        add_tag => "testing"
        add_field => {
          "[@metadata][irc_key]" => "message"
          "[@metadata][zabbix_host]" => "irc"
        }
      }
    }
  }
}
output {
  # nginx errors go to the Zabbix server on the same machine. zabbix_host,
  # zabbix_key and zabbix_value all name event FIELDS, not literal values.
  if "nginx_json" in [tags] {
    if [status] >= 400 {
      # One item per status code: key "error[<status>,]", value "1".
      zabbix {
        zabbix_key => "[@metadata][error]"
        zabbix_value => "[@metadata][counter]"
        zabbix_host => "host"
        zabbix_server_host => "127.0.0.1"
      }
      # Two items in one send; multi_value lists key-field / value-field
      # pairs, here "status" and "clientip".
      zabbix {
        multi_value => [ "[@metadata][status_key]", "status", "[@metadata][clientip_key]", "clientip" ]
        zabbix_host => "host"
        zabbix_server_host => "127.0.0.1"
      }
    }
  }

  # Tagged IRC test messages go to a remote Zabbix server. No
  # transport-security options are set in this block, so the message text
  # should only cross a trusted network path. On the Zabbix side, the trapper
  # item's "Allowed hosts" setting can limit which senders are accepted.
  if [type] == "irc" and "testing" in [tags] {
    zabbix {
      zabbix_key => "[@metadata][irc_key]"
      zabbix_value => "message"
      zabbix_host => "[@metadata][zabbix_host]"
      zabbix_server_host => "172.19.73.9"
    }
  }
}