Archive for November, 2007

Zabbix uses libcurl (libraries, not binaries) to do its Web Scenarios. Web scenarios are very powerful, and allow you to emulate a user experience. Using a Zabbix web scenario, you can emulate logging into your site, accepting the cookie, clicking on something unique (Report showing 10 Last purchases for example), then verify that you get either a particular HTTP code, or that certain text shows up in the response. Way cool stuff. Its got a few kinks to be worked out, however. One very frustrating one is that these web scenarios are not template aware yet… But the zabbix team is working on it, and its going to be a part of a future release. One minor, but significant thing for several of my environments is that the web scenario will error out if the SSL certificate CN (www.yoursite.com) does not match the URL you accessed the web server with.

But Doug, thats bad practice for the CN to not match the url!

I know! However, in most environments its not uncommon for the internal DNS name to NOT match the external DNS name. For example, the CN name for your SSL cert will be www.yoursite.com, but internally you have 10 app servers responding as www. You refer to them as app1.sjc.yoursite.com, app2.phx.yoursite.com.

By default curl (and therefore zabbix) will error out. With the following:

Failed on “HTTPS TEST app1.sjc.yoursite.com” [1 of 1] Error: SSL peer certificate was not ok

I’ve written a patch for the zabbix_server binary, which will instruct libcurl to not error out, and life is peachy! You need to unpack the zabbix source, apply the patch, recompile, and install the new binary. The patch, and steps are below:

I’ve attached the patch to this post, I’d suggest downloading it, instead of copying and pasting, but if you’d like to here it is:

--- src/zabbix_server/httppoller/httptest.c     2007-08-20 12:22:22.000000000 -0700
 +++ src/zabbix_server/httppoller/httptest.c.dp  2007-11-13 17:53:54.000000000 -0800
 @@ -318,6 +318,15 @@ static void        process_httptest(DB_HTTPTEST
 return;
 }
+       /* Process certs whose hostnames do not match the queried hostname. */
 +       if(CURLE_OK != (err = curl_easy_setopt(easyhandle,CURLOPT_SSL_VERIFYHOST , 0)))
 +       {
 +               zabbix_log(LOG_LEVEL_ERR, "Cannot set CURLOPT_SSL_VERIFYHOST [%s]",
 +                       curl_easy_strerror(err));
 +               (void)curl_easy_cleanup(easyhandle);
 +               return;
 +       }
 +
 lastfailedstep=0;
 httptest->time = 0;
 result = DBselect("select httpstepid,httptestid,no,name,url,timeout,posts,required,status_codes from httpstep where httptest
 id=" ZBX_FS_UI64 " order by no",

Link to Patch: libcurl disable ssl verifyhost

Instructions for installing patch:

Shut down zabbix_server process

/etc/init.d/zabbix_server stop

If you already have your zabbix source unpacked, you can skip the first tar step :) I’ve checked the patch with Zabbix 1.4.1 and 1.4.2

tar -zxvf zabbix-1.4.2.tar.gz

cd zabbix-1.4.2

wget http://www.muck.net/wp-content/uploads/2007/11/libcurl_disable_ssl_verifyhost.patch

patch src/zabbix_server/httppoller/httptest.c libcurl_ssl_verifyhost.patch

Then build zabbix_server as normal, for example:

./configure –enable-server –prefix=/usr/local/zabbix –with-mysql –with-net-snmp –with-libcurl

make install

Restart zabbix_server

/etc/init.d/zabbix_server start

Your Internal SSL Web Scenarios should now work! That was easy wasn’t it?

As always, I appreciate any feedback, and would love to hear if this helped you, or if you have any questions! :)

Posted by Doug Peterson on 13 November 2007 at 7:00 pm under Tech, Zabbix.
7 Comments.

I’ve been saying I was going to do it for the last 6 months. I finally did it this weekend. I built a demo version of zabbix that I can give full admin rights to. If you’re not familiar with zabbix you can visit my zabbix page , or the zabbix website .

The problem with the old zabbix demo was that it was the only copy. If someone messed it up, I had to manually go in and restore the DB. It didn’t have a self recovery method. In the end, it meant that I was limited to handing out read only access in most cases. That in turn meant it wasn’t used very often by folks, and because it wasn’t used very often, I neglected it.

However! I have now put zabbix into its own VM universe. I took a snapshot of a “clean” zabbix installation, which is known to be good. Every 24 hours, I wipe out the VM instance, put a new one in place, restore the Zabbix DB, and timeshift all the data so it looks like the data is contiguous, even though in all likelyhood its several weeks old. The process results in about 10 minutes of downtime, and another 20 minutes of data processing in the background. Any data displayed from Midnight PST through Midnight PST the following night, is live, accurate, real data, not timeshifted data.

I’m pretty happy with it so far. I still want to add a lot more items and hosts to the demo, but I think its a great start. As far as I know this is the only Zabbix Demo, so I’d love to hear from you what you’d like to see in the demo. More graphs? Screens? Web Monitoring? oracle monitoring? mysql monitoring? Zabbix Tutorials? Walkthroughs? Clever uses for the Demo? Any and all comments appreciated.

Feel free to add new hosts, or even install a zabbix agent on your side and monitor your own server (until midnight that is, when the DB will be reset). I get a lot of hits on my site every day from people searching google for zabbix demo’s. Hopefully this will raise awareness of zabbix and get more people using this excellent tool.

Of course, I can also help you with your zabbix deployment. I can do a custom install for your environment, or I can ship you a pre configured zabbix box that you just plug in and go. If you’d like talk about my zabbix services, please indicate so on the Zabbix Demo form below. Hopefully the form you have to fill out to get access to the zabbix demo isn’t too painful. If you really dislike me for making you fill out a form to get the login credentials, feel free to call me names in every field except the email field. That one happens to be accurate in order to get the login credentials! :)

Stay tuned over the next several weeks for updates and new features.

Zabbix Demo
  1.  (required)
  2.  (valid email required)
  3.  (required)
  4.  (required)
  5.  (required)
  6.  (required)
  7. Please select any software packages you're currently using
  9.  (required)

cforms contact form by delicious:days

Posted by Doug Peterson on 6 November 2007 at 10:11 pm under Tech, Zabbix.
7 Comments.

Here is an excellent article from Bruce Schneier about the day to day effects of the “War on Terror”. He points out the many many ridiculous suspected acts of terrorism, and the absolutely mind numbingly stupid act of rewarding those who over react. This not only is an incredible waste of time and resources, but it only serves to further install fear of the abnormal in the general populace. This has been one of my major frustrations for the last 3 or 4 years, and I hope that more people will see the absurdity of this kind of behavior, and chastise our public officials for acting like paranoid delusionals with a CYA mentality.

Posted by Doug Peterson on 1 November 2007 at 11:14 am under Misc.
Comment on this post.