Get alert information the fastest way with the Zabbix API! And on to automation
Hello.
I'm Mandai, in charge of Wild on the development team.
This time I would like to write about Zabbix's API.
This may be out of the blue, but do you think APIs are troublesome?
To be honest, I'm the opposite; APIs are overwhelmingly easier.
Zabbix's management screen has a lot of information, so if you use it as often as I do, you often forget where everything is.
Alert information appears on the dashboard, so it's easy to get lost, but the API would still be faster! So, we investigated the fastest way to get alert information from the API.
API execution environment
This time, I used a software called Postman to run the API.
It was originally released as an extension for Chrome and Firefox, but a standalone version has also been released for some time now, so I'll be using that one.
Postman | API Development Environment
I think the trial version is enough for everything done in this article.
It is also convenient to use for API development, etc., so if you like it, please try switching to a paid plan.
This is useful when developing with a team because you can share URLs, etc.
Check Zabbix API version
Let's start with the simplest API.
Zabbix provides only one API endpoint, so all APIs are executed from the URL below.
http[s]://[your domain]/api_jsonrpc.php
Requests carry information such as login account details, so be sure to send them with POST.
Also, specify application/json-rpc as the content type.
First, let's get Zabbix information.
// request body
{
    "jsonrpc": "2.0",
    "method": "apiinfo.version",
    "id": 1,
    "auth": null,
    "params": {}
}

// response
{
    "jsonrpc": "2.0",
    "result": "3.4.14",
    "id": 1
}
If the version returns like this, the request was made correctly.
If an error occurs, check the HTTP request information below to see what is wrong.
POST /api_jsonrpc.php HTTP/1.1
Host: [your domain]
Content-Type: application/json-rpc

{"jsonrpc":"2.0","method":"apiinfo.version","id":1,"auth":null,"params":{}}
It seems to work well if the request JSON is stored as raw data in the body.
Otherwise, the URL may be incorrect, so please check the correct URL.
The steps are:
- Log in to the Zabbix management screen from your browser
- Check the URL of the top page (in this case, it will be https://[your domain]/zabbix.php?action=dashboard.view)
- Since api_jsonrpc.php is located at the same level as zabbix.php, replace zabbix.php?action=dashboard.view with api_jsonrpc.php
I think you can now get the URL to the correct API.
Log in
// request body
{
    "jsonrpc": "2.0",
    "method": "user.login",
    "params": {
        "user": "[username]",
        "password": "[password]"
    },
    "id": 1,
    "auth": null
}

// response
{
    "jsonrpc": "2.0",
    "result": "[32-digit hash value]",
    "id": 1
}
By putting the hash value obtained in the response as a token in the auth key of each request, detailed information can be obtained.
Get host information
Obtaining a list of hosts is very easy.
Just specify host.get as method and the necessary information as params.
Because Zabbix can return a large amount of data about each server, the harder part may be remembering the parameters.
// request body
{
    "jsonrpc": "2.0",
    "method": "host.get",
    "params": {
        "output": [
            "hostid",
            "host"
        ],
        "selectInterfaces": [
            "interfaceid",
            "ip"
        ]
    },
    "id": 2,
    "auth": "[32-digit hash value]"
}

// response
{
    "jsonrpc": "2.0",
    "result": [
        {
            "hostid": "1",
            "host": "Zabbix server",
            "interfaces": [
                {
                    "interfaceid": "1",
                    "ip": "127.0.0.1"
                }
            ]
        },
        ...
    ],
    "id": 2
}
I think you can get the information by copying and pasting, except where you need to fill in the login hash obtained with the user.login API in the auth section.
Be aware that if you monitor a large number of servers, you will receive a tremendous amount of JSON data.
If there are many records, you can use the limit key to narrow down the number of records.
Get alerts
Now for the main topic, getting alerts, which works almost the same way as getting host information.
// request json
// Get the 3 latest alerts
{
    "jsonrpc": "2.0",
    "method": "alert.get",
    "params": {
        "output": "extend",
        "limit": "3",
        "sortfield": "alertid",
        "sortorder": "DESC"
    },
    "auth": "xxxxxxxxxxxxxxxxxxxxxx",
    "id": 1
}

// response
{
    "jsonrpc": "2.0",
    "result": [
        {
            "alertid": "21496022",
            "actionid": "13",
            "eventid": "72481",
            "userid": "xxx",
            "clock": "1557795687",
            "mediatypeid": "7",
            "sendto": "...",
            "subject": "...",
            "message": "...",
            "status": "1",
            "retries": "0",
            "error": "",
            "esc_step": "1",
            "alerttype": "0",
            "p_eventid": "xxxxx",
            "acknowledgeid": "0"
        },
        {
            "alertid": "21496021",
            "actionid": "13",
            "eventid": "72481",
            "userid": "xxx",
            "clock": "1557795687",
            "mediatypeid": "1",
            "sendto": "...",
            "subject": "...",
            "message": "...",
            "status": "1",
            "retries": "0",
            "error": "",
            "esc_step": "1",
            "alerttype": "0",
            "p_eventid": "xxxxx",
            "acknowledgeid": "0"
        },
        {
            "alertid": "21496020",
            "actionid": "11",
            "eventid": "72481",
            "userid": "xxx",
            "clock": "1557795687",
            "mediatypeid": "1",
            "sendto": "...",
            "subject": "...",
            "message": "...",
            "status": "1",
            "retries": "0",
            "error": "",
            "esc_step": "1",
            "alerttype": "0",
            "p_eventid": "xxxxx",
            "acknowledgeid": "0"
        }
    ],
    "id": 1
}
Although the detailed values have been removed, the response above shows the items that can be retrieved.
This API returns alerts both for when a problem occurs and for when it is resolved.
There is nothing particularly tricky here, but if I had to pick one point, it is sorting by alertid in descending order.
Specify the data you want to sort with sortfield and the sort order with sortorder.
sortorder must be specified as ASC | DESC and must be in uppercase.
I got a little stuck on this one.
Conclusion
As it turned out, in order to get alert information from the API, we needed to run two APIs.
- Get login token with user.login API
- Get alert information using alert.get API
If you parse the response in step 1 a little and extract the token, you can also execute the API in step 2, so even those who are not familiar with programming should be able to create it relatively easily.
What is id?
id is any integer that can be specified by the user to identify the response.
However, please note that if id is null, is not an integer, or is missing, the API return value will not be received correctly.
Summary
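The two-step flow from the conclusion (user.login, then alert.get) together with the id check described above, as an added example that is not part of the original article. The URL, account name and `fake_transport` replies are constructed placeholders, the HTTPS-only check and the `user.logout` call are additions, and the parameter names follow the 3.4 requests shown on this page.

```python
import json
import urllib.request

def http_transport(payload, url="https://zabbix.example.com/api_jsonrpc.php"):
    """POST one request to the (placeholder) URL; refuse plain HTTP."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json-rpc"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def call(transport, method, params, req_id, auth=None):
    """Send one request, surface API errors, and check the echoed id."""
    reply = transport({"jsonrpc": "2.0", "method": method,
                       "params": params, "id": req_id, "auth": auth})
    if "error" in reply:
        raise RuntimeError(f"{method} failed: {reply['error'].get('data')}")
    if reply.get("id") != req_id:
        raise RuntimeError(f"{method}: response id does not match request id")
    return reply["result"]

def latest_alerts(transport, user, password, limit=3):
    """user.login, then alert.get, then user.logout to invalidate the token."""
    token = call(transport, "user.login", {"user": user, "password": password}, 1)
    try:
        alerts = call(transport, "alert.get",
                      {"output": "extend", "limit": str(limit),
                       "sortfield": "alertid", "sortorder": "DESC"}, 2, auth=token)
    finally:
        call(transport, "user.logout", [], 3, auth=token)
    return [(a["alertid"], a["eventid"], a["status"]) for a in alerts]

def fake_transport(payload):
    """Constructed offline stand-in for a Zabbix server (not real data)."""
    method, rid = payload["method"], payload["id"]
    if method == "user.login":
        return {"jsonrpc": "2.0", "result": "0" * 32, "id": rid}
    if payload["auth"] != "0" * 32:
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32602, "data": "Not authorised."}}
    if method == "user.logout":
        return {"jsonrpc": "2.0", "result": True, "id": rid}
    rows = [{"alertid": str(n), "eventid": "72481", "status": "1"}
            for n in (21496022, 21496021, 21496020)]
    return {"jsonrpc": "2.0", "result": rows[:int(payload["params"]["limit"])], "id": rid}

if __name__ == "__main__":  # offline demo; pass http_transport for a real server
    print(latest_alerts(fake_transport, "api-reader", "constructed-password"))
```

When pointing this at a real server, read the account and password from the environment or a secrets store rather than the script, and use an account that only has read access to the hosts you need.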
You can add and change monitors from Zabbix API, so most things can be done from the API.
In addition, although they do not call the API directly themselves, plugins have been developed that let you register hosts from Ansible and Terraform (the software uses the API to apply the settings), so we have an environment in place that can automate everything from construction to monitoring.
You can periodically hit it from AWS Lambda or Cloud Functions, or run it periodically from cron, and I'd like to use it more and more for automating regular host health checks and changing settings.
The latest version of the Zabbix API documentation is here, but it only exists in English and it doesn't seem to be very friendly, so I think some trial and error is required at first.
In that case, it would be safer to set up a Zabbix server for testing and check the execution there.
That's it.