zabbix-tools
Incorrect User used for Database Access
Running Postgres 9.6 on CentOS 7.4 and Zabbix-Agent (from the official repo) on the same machine.
Using a basic config for the agent (http://pastebin.centos.org/576441/) i added the following Macros:
{$PG_CONN} => host=pg.ad.ganzwerk.de port=5432 user=monitoring connect_timeout=10
{$PG_DB} => confluence
I also created a new key, just like the already existing pg.connect:
PG Connect as Monitoring | | pg.connect[user=monitoring,postgres] | 60 | 7d | 365d | Zabbix agent (active) | PostgreSQL Server | Enabled |
I added to the pg_hba.conf:
# Trust Monitoring User for Zabbix
local all monitoring ident map=monitoring-map
and to the pg_ident.conf:
# MAPNAME SYSTEM-USERNAME PG-USERNAME
monitoring-map zabbix monitoring
Still i cant receive any data. When i run sudo -u zabbix zabbix_agentd -p manually, i get the folllowing output:
pg.table.toast_blks_hit [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.table.toast_blks_ratio [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.table.tidx_blks_read [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.table.tidx_blks_hit [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.table.tidx_blks_ratio [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.index.idx_scan [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.index.idx_tup_read [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.index.idx_tup_fetch [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.index.idx_blks_read [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.index.idx_blks_hit [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
zabbix_agentd [3023]: Error: PostgreSQL: FATAL: role "zabbix" does not exist
pg.index.idx_blks_ratio [m|ZBX_NOTSUPPORTED] [FATAL: role "zabbix" does not exist
]
[...]
Am i missing something?
The command zabbix_agentd -p uses default "test" parameter values that are not appropriate for all system configurations. For example, it will try connect to local host as zabbix. This command will prove that the module is loaded, but not that it can connect to your specific database server.
You will need to use zabbix_get -s ... -k pg.connect[...] instead, passing in your connection string values.
Okay, i now used zabbix_get. Didn't know that this will make a difference. I was able to find the cause of the problem in the pg-config. But maybe you can still help me out and it could be added to the documentation for local auth:
Connecting only providing the username works:
[servmin@zabbix ~]$ zabbix_get -s pg.ad.domain.com -k pg.connect[user=monitoring,database]
1
Connecting with the full connection-string didn't work:
[servmin@zabbix ~]$ zabbix_get -s pg.ad.domain.com -k pg.db.discovery["host=pg.ad.domain.com port=5432 user=monitoring connect_timeout=10",database]
ZBX_NOTSUPPORTED: FATAL: Ident authentication failed for user "monitoring"
Looking at the postgres-log i was able to find this snippet:
2018-03-08 10:45:11.178 CET > LOG: could not connect to Ident server at address "127.0.0.1", port 113: Connection refused
< 2018-03-08 10:45:11.178 CET > FATAL: Ident authentication failed for user "monitoring"
Creating something like host all monitoring 127.0.0.1/1 trust or host all monitoring 127.0.0.1/1. ident map=monitoring did get matched, but only the former worked.
Somehow my Postgres-Server is handling all these requests as 'remote, even when the connection get's executed by '127.0.0.1'. And still the ident-auth doesn't work. Seems like a working ident-server is not provided on CentOS 7. Maybe it can be helpful to include this info in the documents ? (sure thing this whole template is not pointed towards newbies, but still...)
Anyway, with a working postgres-config i can connect with the full connect-string zabbix_get -s pg.ad.domain.com -k pg.connect["host=pg.ad.domain.com port=5432 user=monitoring connect_timeout=10",database]. But not with zabbix_get -s pg.ad.domain.com -k pg.connect.
Also i don't receive any data at the example graphs. It seems like macros are not 'respected' in any item.
Configuring an identity server is outside the scope of the documentation for this module. The docs instead step you through using Unix sockets with Peer auth for local connections or MD5 auth for remote connections. Please see: http://cavaliercoder.com/libzbxpgsql/documentation/.
Above, connecting using only the username will use Unix sockets. Providing a DNS hostname will enforce the use of remote TCP. Using trust is a silver-bullet, but very dangerous!
From PostgreSQL perspective, 127.0.0.1 is a remote host and is not given any special "local" treatment. Only Unix sockets are treated as local.
Unfortunately, connecting is a little difficult, as Zabbix and PostgreSQL both have some subtleties concerning configuration and authentication. Essentially, if you can configure the psql client to connect to the Postgres server (completely unrelated to Zabbix), you can use the same connection configuration to connect from Zabbix.
To debug the Macros, you may need to enable debug logging on the server or agent and take a look to see what keys are actually being requested after macros are resolved.