Instalasi dan Integrasi Zabbix Monitoring Server dengan Telegram

Dapet request dari kantor lagi, untuk integrasi monitoring server dengan aplikasi chat, agar alert yang dikirim dapat langsung dibaca. Karena selama ini alert dikirim melalui email, jadi banyak yang terlewatkan. Tau sendiri, orang banyak yg males baca email, hahaha….

Setelah cari sana sini, akhirnya pilihan jatuh pada Zabbix dan Telegram. O iya seperti biasa, requestnya yg free alias gratis alias opensource, hahaha….

Ok, sekarang kita mulai aja ya

Instalasi Zabbix Server

  1. Update Repository
sudo apt update
  1. Install Packet yang diperlukan
sudo apt install apache2 mysql-server php libapache2-mod-php php-mcrypt php-mysql php-xml php-bcmath php-mbstring
  1. Download repo zabbix
wget http://repo.zabbix.com/zabbix/3.5/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.5-1%2Bxenial_all.deb
  1. Install repo zabbix, bisa juga dengan menambahkan manual di /etc/apt/sources.list
sudo dpkg -i zabbix-release_3.5-1%2Bxenial_all.deb
  1. Update repo, agar dapat mengenali repo zabbix
sudo apt update
  1. Install zabbix
sudo apt install zabbix-server-mysql zabbix-frontend-php
  1. Karena, akan memonitor dirinya sendiri, maka perlu install zabbix agent juga diserver
sudo apt install zabbix-agent
  1. Buat database zabbix
mysql -u root -p
            Enter password:
            Welcome to the MySQL monitor.  Commands end with ; or \g.
            Your MySQL connection id is 4
            Server version: 5.7.24-0ubuntu0.16.04.1 (Ubuntu)


            Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.


            Oracle is a registered trademark of Oracle Corporation and/or its
            affiliates. Other names may be trademarks of their respective
            owners.


            Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


            mysql>
            mysql> create database zabbix character set utf8 collate utf8_bin;
            Query OK, 1 row affected (0.00 sec)

            mysql> grant all privileges on zabbix.* to zabbix@localhost identified by '12345678';
            Query OK, 0 rows affected, 1 warning (0.00 sec)

            mysql> flush privileges;flush privileges;
            Query OK, 0 rows affected (0.00 sec)

            mysql> quit;

9. Restore database zabbix ke database zabbix yang kita buat tadi

zcat /usr/share/doc/zabbix-server-mysql/create.sql.gz | mysql -u zabbix -p zabbix
  1. Edit konfigurasi zabbix server, sesuaikan db password dengan yang dibuat tadi
sudo nano /etc/zabbix/zabbix_server.conf
            ...
            ### Option: DBPassword                          
            #       Database password. Ignored for SQLite.  
            #       Comment this line if no password is used.
            #                                                
            # Mandatory: no                                 
            # Default:                                      
            # DBPassword=
            DBPassword=12345678
  1. Edit konfigurasi zabbix apachenya, ubah timezone dengan timezone kita
sudo nano /etc/zabbix/apache.conf

            ...
            <IfModule mod_php7.c>
                        php_value max_execution_time 300
                        php_value memory_limit 128M
                        php_value post_max_size 16M
                        php_value upload_max_filesize 2M
                        php_value max_input_time 300
                        php_value always_populate_raw_post_data -1
                        php_value date.timezone Asia/Jakarta
            </IfModule>
  1. Restart apache2
sudo systemctl restart apache2
  1. Enable service zabbix-server
sudo systemctl enable zabbix-server
  1. Aktifkan/Start service zabbix-server
sudo systemctl start zabbix-server
  1. Cek service zabbix-server sudah berjalan baik atau tidak
sudo systemctl status zabbix-server
  1. Selanjutnya, buka zabbix melalui dashboard, langkah pertama akan mengecek kebutuhan yang akan digunakan oleh zabbix, apabila sudah “OK” semua, klik Next step 
  2. Selanjutnya, konfigurasi database, isikan sesuai yang dibuat sebelumnya, kemudian klik Next step 
  3. Selanjutnya, isi nama host, kemudian klik Next step 
  4. Summary dari langkah yang dilakukan tadi, klik Next step untuk melanjutkan 
  5. Selamat, sudah berhasil install zabbix. Klik finish 
  6. Login ke zabbix, user default adalah Admin dan password default adalah zabbix

 

Instal Zabbix Agent di Ubuntu Server

  1. Install repository zabbix pada Ubuntu server
wget http://repo.zabbix.com/zabbix/3.5/ubuntu/pool/main/z/zabbix-release/zabbix-release_3.5-1%2Bxenial_all.deb
sudo dpkg -i zabbix-release_3.5-1%2Bxenial_all.deb
  1. Update repository
sudo apt update
  1. Install zabbix-agent
sudo apt install zabbix-agent
  1. Generate key untuk preshared key zabbix agent
sudo sh -c "openssl rand -hex 32 > /etc/zabbix/zabbix_agentd.psk"
  1. Lihat preshared key (psk) yang sudah digenerate
cat /etc/zabbix/zabbix_agentd.psk
3b36cea5dc8f000568d66e8189524661c65c0a0b96ebc57ff1e980db0bbc8819
  1. Edit zabbix agent configuration, sesuaikan dengan ip zabbix server. Karena akan menggunakan preshared key (psk), untuk TLSAccept dan TLSConnet menggunakan psk. Untuk TLSPSKIdentity isi dengan kata spesifik, disini kita isi dengan PSKAgent1. TLSPSKFile merupakan lokasi penyimpanan psk yang tadi digenerate.
sudo nano /etc/zabbix/zabbix_agentd.conf
            ...
            ### Option: Server
            #       List of comma delimited IP addresses (or hostnames) of Zabbix servers.
            #       Incoming connections will be accepted only from the hosts listed here.
            #       If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally.
            #
            # Mandatory: no
            # Default:
            # Server=
            Server=172.30.0.51

            ...
            ### Option: TLSConnect
            #       How the agent should connect to server or proxy. Used for active checks.
            #       Only one value can be specified:
            #               unencrypted - connect without encryption
            #               psk         - connect using TLS and a pre-shared key
            #               cert        - connect using TLS and a certificate
            #
            # Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
            # Default:
            # TLSConnect=unencrypted
            TLSConnect=psk

            ...
            ### Option: TLSAccept
            #       What incoming connections to accept.
            #       Multiple values can be specified, separated by comma:
            #               unencrypted - accept connections without encryption
            #               psk         - accept connections secured with TLS and a pre-shared key
            #               cert        - accept connections secured with TLS and a certificate
            #
            # Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
            # Default:
            # TLSAccept=unencrypted
            TLSAccept=psk

            ...
            ### Option: TLSPSKIdentity
            #       Unique, case sensitive string used to identify the pre-shared key.
            #
            # Mandatory: no
            # Default:
            # TLSPSKIdentity=
            TLSPSKIdentity=PSKAgent1

            ...
            ### Option: TLSPSKFile
            #       Full pathname of a file containing the pre-shared key.
            #
            # Mandatory: no
            # Default:
            # TLSPSKFile=
            TLSPSKFile=/etc/zabbix/zabbix_agentd.psk
  1. Start zabbix agent service
sudo systemctl start zabbix-agent
  1. Enable zabbix agent service
sudo systemctl enable zabbix-agent
  1. Cek zabbix agent service status
sudo systemctl status zabbix-agent

Menambahkan Server (Ubuntu server) di Zabbix Server

  1. Klik Configuration => Host, kemudian klik create hosts 
  2. Isikan nama hostname, kemudian pada group pilih linux server dan terakhir, karena menggunakan zabbix agent yg diinstall pada server yang akan dimonitor, maka isikan ip server yang akan dimonitor pada agent interface 
  3. Selanjutnya klik templates. Pada link new templates, klik select, kemudian cari Template OS Linux. Setelah itu klik add dibawah kotak link new templates. 
  4. Selanjutnya klik Encryption, pilih psk pada connection to host dan connection from host. Isikan PSK Identity dan PSK sesuai yang ada di set pada server yang akan dimonitor. Terakhir, klik Add, maka akan muncul host 

Integrasi Zabbix dengan Telegram

  1. Buat dulu akun bot Telegram di Botfather dengan command /newbot, kemudian nama botnya
  2. Catat TokenID, karena ini nanti yang akan kita masukan di script. Pada lab ini TokenIDnya 782976883:AAGsqdWf3lei2ehsbL5NaJTMuEwGdShCcqQ
  3. Tambahkan bot ini kedalam group telegram, agar apabila ada notification, dapat diketahui banyak orang. Kemudian, cek dan catat id dari group dengan ketikan https://api.telegram.org/bot782976883:AAGsqdWf3lei2ehsbL5NaJTMuEwGdShCcqQ/getUpdates, pada browser
  4. Download the zabbix-telegram.sh di sini, kemudian extract kemudian copy file zabbix-telegram.sh ke /usr/lib/zabbix/alertscripts/ pada Server Zabbix Monitoring.
  5. Edit zabbix-telegram.sh pada parameter berikut
  • ZBX_URL : isikan dengan IP Zabbix or URL
ZBX_URL="http://172.30.0.51/zabbix"
  • USERNAME and PASSWORD : untuk akses ke Zabbix GUI (user harus punya akses untuk melihat graph)
USERNAME="Admin"

PASSWORD="konfigurasi12345"
  • BOT_TOKEN : isikan TokenID dari BotFather
BOT_TOKEN='782976883:AAGsqdWf3lei2ehsbL5NaJTMuEwGdShCcqQ'
  • ZABBIXVERSION34 jika Zabbix is >= 3.4.1, isikan 1
ZABBIXVERSION34="1"
  1. Kemudian, login ke Zabbix Dashboard. Klik Administration => Media types. Buat media baru dengan klik create media.
  2. Isikan seperti berikut, kemudian klik Update 
  3. Klik Administration => Users. Edit user Admin yang akan diintegrasi dengan Telegram. Kemudian pilih media, isikan seperti gambar dibawah. Untuk Send To, karena akan dikirimkan ke group, isikan dengan id group seperti yang dicek pada browser pada langkah 3. Klik update untuk menyimpan setingan  
  4. Selanjutnya, kita akan melakukan set triger, sehingga apabila ada alert dr triger dapat dikirimkan ke group. 
  5. Pilih Configuration => Actions. Klik Report problems untuk mengedit.
  6. Klik Operation, isikan dengan parameter seperti gambar. Pada Kotak Operations, Klik New, tambahkan zabbix administrator ke group. 

Isi dari Default message

     GroupName:{TRIGGER.HOSTGROUP.NAME}
     Hostname: {HOSTNAME}
     Problem: {TRIGGER.NAME}:
     Problem status: {STATUS}
     Severity: {TRIGGER.SEVERITY}
     Date and Time: {EVENT.DATE} - {EVENT.TIME}
     Item Graphic: [{ITEM.ID1}]
     Last tested value: {{HOSTNAME}:{TRIGGER.KEY}.last(0)}
  1. Pada Recovery Operations, isikan seperti gambar berikut. Jangan lupa tambahkan Zabbix administrator group pada Operations nya 

Isi dari default message pada Recovery Operations

    Problem has been resolved at {EVENT.RECOVERY.TIME} on {EVENT.RECOVERY.DATE}
    Problem name: {EVENT.NAME}
    Host: {HOST.NAME}
    Severity: {EVENT.SEVERITY}


    Original problem ID: {EVENT.ID}
    {TRIGGER.URL}
  1. Klik Update untuk menyimpan settingan

Install Let’s Encrypt SSL

Kali ini kita akan coba install SSL gratisan dari Let’s Encrypt.

Cek web server sudah berjalan dengan baik, dan belum ada SSL nya

Edit web conf nya

root@instance-2:/home/konfigurasi_net#nano /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com


        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html


        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn


        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined


        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

</VirtualHost>


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet


Uncomment dan Edit servername sesuai dengan domain server yang dipakai, kali ini menggunakan konfigurasi.site sehingga menjadi seperti berikut

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName www.konfigurasi.site


ServerAdmin webmaster@localhost
DocumentRoot /var/www/html


# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn


ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined


# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>


# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

 

Restart service apache2

root@instance-2:/home/konfigurasi_net# service apache2 restart

Cek status service apache2

root@instance-2:/home/konfigurasi_net# service apache2 status
  • apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-11-29 01:51:44 UTC; 5s ago
Process: 2994 ExecStop=/usr/sbin/apachectl stop (code=exited, status=0/SUCCESS)
Process: 3000 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 3006 (apache2)
Tasks: 55 (limit: 4915)
CGroup: /system.slice/apache2.service
├─3006 /usr/sbin/apache2 -k start
├─3007 /usr/sbin/apache2 -k start
└─3008 /usr/sbin/apache2 -k start


Nov 29 01:51:44 instance-2 systemd[1]: Stopped The Apache HTTP Server.
Nov 29 01:51:44 instance-2 systemd[1]: Starting The Apache HTTP Server...
Nov 29 01:51:44 instance-2 systemd[1]: Started The Apache HTTP Server.

 

Tambahkan repository backports

root@instance-2:/home/konfigurasi_net#nano /etc/apt/sources.list

deb http://deb.debian.org/debian/ stretch main
deb-src http://deb.debian.org/debian/ stretch main
deb http://security.debian.org/ stretch/updates main
deb-src http://security.debian.org/ stretch/updates main
deb http://deb.debian.org/debian/ stretch-updates main
deb-src http://deb.debian.org/debian/ stretch-updates main
deb http://ftp.debian.org/debian stretch-backports main

 

Update repository

root@instance-2:/home/konfigurasi_net#apt update

Install Certbot

root@instance-2:/home/konfigurasi_net#apt install python-certbot-apache -t stretch-backports

Download dan create SSL certificate untuk website

root@instance-2:/home/konfigurasi_net# certbot --apache -d konfigurasi.site -d www.konfigurasi.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): support@konfigurasi.id


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for konfigurasi.site
http-01 challenge for www.konfigurasi.site
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://konfigurasi.site and
https://www.konfigurasi.site


You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=konfigurasi.site
https://www.ssllabs.com/ssltest/analyze.html?d=www.konfigurasi.site
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/konfigurasi.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/konfigurasi.site/privkey.pem
Your cert will expire on 2019-02-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:


Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

Sekarang coba buka website, dan cek SSL certificate

Usia SSL Certicate Lets Encrypt adalah 90 hari. Package Certbot yang sudah kita install tadi sudah membuat cron di /etc/cron.d/

Untuk test proses renewal

root@instance-2:/home/konfigurasi_net# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/konfigurasi.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for konfigurasi.site
http-01 challenge for www.konfigurasi.site
Waiting for verification...
Cleaning up challenges


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/konfigurasi.site/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)


Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/konfigurasi.site/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.