Applications - Network Monitor - Zabbix - Notes - Template App MySQL
Tested with Zabbix 3.4.11 on CentOS 7.5.1804 with SELinux set to Enforcing.
Check https://github.com/zabbix/zabbix/tree/master/templates/db/mysql_agent for the latest information.
Zabbix provides a template for basic MySQL monitoring since Zabbix 2.2.0 with the Template App MySQL that is provided on a fresh install or on Zabbix.org - Zabbix Templates/Official Templates/2.2 when upgrading.
A few preparations need to be made on the MySQL host before the template will work after assigning it to the host:
- A MySQL login with at least USAGE grant needs to be added to the MySQL server.
- A .my.cnf file with the MySQL login with USAGE grant needs to be created for the zabbix user.
- Connecting to MySQL via Zabbix agent needs to be enabled in SELinux.
Zabbix 3.4(.11) already provides the required userparameter_mysql.conf needed as /etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf which is included by default in /etc/zabbix/zabbix_agentd.conf.
Use the following steps to configure:
- Log into the Zabbix server via SSH.
- Log into MySQL:
mysql -u root -p
- Execute the following SQL statement to create the zabbix-agent@localhost user with a password:
GRANT USAGE ON *.* TO 'zabbix-agent'@'localhost' IDENTIFIED BY 'PASSSWORD'; FLUSH PRIVILEGES;
Change the PASSWORD to the chosen (generated) password.
- Exit MySQL:
\q
- The configured home directory for the zabbix user is /var/lib/zabbix/. This is also the directory where the default userparameter_mysql.conf expects to find the .my.cnf file. This directory does not exist by default, so create it now:
sudo mkdir /var/lib/zabbix/
- Create .my.cnf with a text editor (in this case vi):
vi /var/lib/zabbix/.my.cnf
- Fill .my.cnf with:
[client] user = zabbix-agent password = PASSWORD
Change the PASSWORD to the chosen (generated) password.
- Correct the permissions on /var/lib/zabbix/:
sudo chown -R zabbix:zabbix /var/lib/zabbix/ sudo chmod 0750 /var/lib/zabbix/
- Label /var/lib/zabbix/ as SELinux type user_home_t:
sudo chcon -Rt user_home_t /var/lib/zabbix/
- Now SELinux needs to be adjusted to allow connecting to MySQL from Zabbix agent.
- Save the following as “zabbix_agent_mysql.te”:
module zabbix_agent_mysql 1.0; require { type mysqld_etc_t; type mysqld_t; type user_home_t; type zabbix_agent_t; class unix_stream_socket connectto; class file { read open }; } #============= zabbix_agent_t ============== allow zabbix_agent_t mysqld_etc_t:file { read open }; #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode' allow zabbix_agent_t mysqld_t:unix_stream_socket connectto; allow zabbix_agent_t user_home_t:file { read open }; - Compile the .te file to an SELinux binary policy module:
checkmodule -M -m -o zabbix_agent_mysql.mod zabbix_agent_mysql.te # checkmodule: # -M,--mls # Enable the MLS/MCS support when checking and compiling the policy module. # -m Generate a non-base policy module. # -o,--output filename # Write a binary policy module file to the specified filename. Otherwise, # checkmodule will only check the syntax of the module source file and will not generate a # binary module at all.
- Turn the binary policy module into a policy package:
semodule_package -m zabbix_agent_mysql.mod -o zabbix_agent_mysql.pp #semodule_package # -m --module <Module file> # Policy module file to be included in the package. # -o --outfile <output file> # Policy module package file generated by this tool.
- Install the policy package:
semodule -i zabbix_agent_mysql.pp # semodule: # -i,--install=MODULE_PKG # install/replace a module package
- Import the latest version of the Zabbix template Template App MySQL on the Zabbix server.
- On 2018-07-27 that is Template_App_MySQL-2.2.0.xml from Zabbix.org - Zabbix Templates/Official Templates/2.2.
- Attach the Template App MySQL to the host to monitor.
- Wait a few minutes and check if the 2 MySQL graphs on that host show data.
Sources:
- A cleaned up .te file after 'sudo audit2allow -a -M zabbix_agent_mysql'.