Zabbix: “TLS handshake fail” workaround: Enable Jabber (XMPP) notifications via script (CentOS)


Once you’ve been around for a while dealing with a medium-sized company, you start to crave a system that keeps watch over your machines, so you don’t get to work one morning to find a crashed server or some worse catastrophe.

Bad things happen, computers crash, disks fail, power supplies burn out (believe me, I’ve suffered a couple of them zapping and then leaving that characteristic burnt dust smell) – there’s nothing we can do about it.

There are a lot of tools to monitor your hardware: the traditional Nagios, PandoraFMS… Some are free, others offer support.

Some years ago, I had a Nagios setup, and what I missed the most was a web UI to configure my devices. You had (and still have) to go through text files configuring each device. Once it’s done, it’s done, and you don’t have to touch it anymore, but the learning curve can be very steep.

This is why some days ago I went ahead and tried Zabbix: it’s simple, looks great and gets things done, and guess what: it’s got a UI for adding hosts and templates. You will still have to use the console, but not as much.



Anyway, let’s get to the point of this post: I was configuring the alerts. The e-mail ones are pretty straightforward, but I wasn’t able to get the Jabber notifications to work.

tls handshake error

There was no way to get around the TLS handshake error. I tried on CentOS, Ubuntu and OpenSUSE: all of them had the same issue.

At least on CentOS, I figured out (well, some guy over at the Zabbix forums did) that the culprit was a library called iksemel. Its GitHub page has not been updated for the past 6 years. The latest version, 1.5, seems to support the newest (and supported) ciphers, but 1.4, which is the version included in CentOS, does not.

I went on and tried to update it manually. I found an RPM and started trying, but got entangled in dependency hell. So, I had to find another way.

Note: these instructions are for CentOS. If you are using Ubuntu or another distro, you can do the same, slightly changing the most distro-specific steps, such as adding the repository. Also bear in mind that some directory locations may and WILL differ from this walkthrough.

Let’s get to it:

First, activate Software Collections (SCL)

sudo yum install centos-release-SCL

Once enabled, you’ll be able to install this piece of software that will let you send Jabber messages from the command line: sendxmpp

sudo yum install sendxmpp

This will also pull a bunch of dependencies.

Now, let’s get a Jabber account ready: you’ll need one account to send the messages from, and another account for yourself to receive them, if you don’t have one already.

I chose Dismail. There’s also Jabjab, and many others. Feel free to browse this feature matrix and choose whichever you like most (the greener, the better, I guess): https://gultsch.de/compliance_ranked.html

Now, on your Zabbix server, go to the alertscripts folder:

cd /usr/lib/zabbix/alertscripts

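And create the script (sendxmpp.sh in this walkthrough):

#!/bin/sh
# $1 = recipient JID, $2 = subject, $3 = message body (sent on stdin)
echo "$3" | /usr/bin/sendxmpp -u <username> -j <domain> -p <password> -s "$2" "$1" -t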

Where <username>, type in your jabber user name (without the @xxxx)

Where <domain>, type in the domain (what’s after the @)

Where <password>, well, your password.

You can put all this sensitive data in a text file somewhere secure and reference it, avoiding having plain text passwords in a script.
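One way to follow that advice, as an added example that is not part of the original post: sendxmpp's -f option reads the account from a file holding one line of the form "user@domain password", which keeps the password out of the script and off the command line, where other local users could read it from the process list. The file path, the XMPP_CREDS and SENDXMPP variables and the function names are assumptions; stat -c is the GNU coreutils form found on CentOS.

```shell
#!/bin/sh
# Added example: Zabbix alert script that reads the XMPP account from a
# locked-down file instead of embedding it. Paths and names are assumptions.
CREDS="${XMPP_CREDS:-/etc/zabbix/sendxmpp.rc}"   # one line: user@domain password
SENDXMPP="${SENDXMPP:-/usr/bin/sendxmpp}"

# Succeeds only if the file is a regular file (not a symlink), owned by the
# user running the script, with no group/other permission bits set.
creds_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(stat -c '%a' -- "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# $1 = recipient JID, $2 = subject, $3 = message body (Zabbix parameter order)
send_alert() {
    if ! creds_file_ok "$CREDS"; then
        echo "refusing to use $CREDS: need a regular file owned by $(id -un), mode 600" >&2
        return 1
    fi
    # -f takes the account from the file, -t requests TLS; the body goes on stdin.
    printf '%s\n' "$3" | "$SENDXMPP" -f "$CREDS" -t -s "$2" "$1"
}

# Run only when called with the three arguments Zabbix passes.
if [ "$#" -eq 3 ]; then
    send_alert "$@"
fi
```

Create the credentials file as the user the Zabbix server runs as and chmod 600 it before enabling the media type; a failed check makes the script exit non-zero.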

Once the script is created, save it, and give it execution permissions:

chmod +x sendxmpp.sh

You can go now to your web UI.

Under Administration -> Media types, create a new Media type

[Screenshot: zabbix-xmpp-script-config]

Name it as you wish. It’s important that you select the type correctly (“Script”) and give the script the proper parameters, in this particular order:

{ALERT.SENDTO}

{ALERT.SUBJECT}

{ALERT.MESSAGE}

And enable it.


As the final step, you will have to go over to Administration -> Users, edit your user and go to the “Media” tab.

There, add a new media for the Jabber script you created.

[Screenshot: zabbix-xmpp-script-config-media]

Select as “Type” the name you gave the media type on the previous screen, and set the destination address. Save, and you’re done! No more TLS errors!


I’ll have to point out that even the Ubuntu appliance you download from the Zabbix download page has the same TLS handshake error issue.

I hope they implement a different approach some day so we can use the integrated system that comes with the suite.

Thanks to the Zabbix team, the people over at their forums and their subreddit for helping.