Introduction
After managing infrastructure for several years, I’ve found that effective monitoring is the difference between proactive maintenance and firefighting. Zabbix has been my go-to solution for enterprise monitoring—it’s open source, incredibly flexible, and scales well.
This guide walks through setting up Zabbix from scratch, configuring meaningful alerts, and building custom templates that actually help you sleep at night.
Why Zabbix?
Before diving in, here’s why I prefer Zabbix over alternatives:
| Feature | Zabbix | Prometheus + Grafana | Nagios |
|---|---|---|---|
| Auto-discovery | Excellent | Manual | Limited |
| Agent-based + Agentless | Both | Pull-only | Agent-based |
| Built-in alerting | Yes | Requires Alertmanager | Yes |
| Learning curve | Moderate | Steep | Low |
| Enterprise features | Free | Mixed | Paid |
The killer feature: auto-discovery. In dynamic environments with VMs spinning up and down, Zabbix automatically finds and monitors new hosts.
Initial Setup
Prerequisites
For a production deployment, I recommend:
# Minimum specs for up to 500 hosts
- 4 CPU cores
- 8GB RAM
- 100GB SSD (database grows fast)
- Ubuntu 22.04 LTS or RHEL 8+Installation
# Add Zabbix repository (Ubuntu 22.04)
wget https://repo.zabbix.com/zabbix/6.4/ubuntu/pool/main/z/zabbix-release/zabbix-release_6.4-1+ubuntu22.04_all.deb
dpkg -i zabbix-release_6.4-1+ubuntu22.04_all.deb
apt update
# Install Zabbix server, frontend, and agent
apt install zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf zabbix-sql-scripts zabbix-agent2
# Install MySQL
apt install mysql-serverDatabase Configuration
-- Create database with proper charset
CREATE DATABASE zabbix CHARACTER SET utf8mb4 COLLATE utf8mb4_bin;
CREATE USER 'zabbix'@'localhost' IDENTIFIED BY 'your_secure_password';
GRANT ALL PRIVILEGES ON zabbix.* TO 'zabbix'@'localhost';
FLUSH PRIVILEGES;# Import initial schema
zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql -uzabbix -p zabbixCritical Configuration
Edit /etc/zabbix/zabbix_server.conf:
# Database connection
DBHost=localhost
DBName=zabbix
DBUser=zabbix
DBPassword=your_secure_password
# Performance tuning for 500+ hosts
StartPollers=10
StartPollersUnreachable=5
StartTrappers=10
StartPingers=5
StartDiscoverers=5
CacheSize=256M
HistoryCacheSize=64M
TrendCacheSize=32M
ValueCacheSize=128MHost Discovery and Templates
Network Discovery
Auto-discover hosts on your network:
# Discovery rule configuration
Name: Internal Network Discovery
IP Range: 192.168.1.1-254
Delay: 1h
Checks:
- ICMP ping
- TCP port 22 (SSH)
- TCP port 10050 (Zabbix agent)
- SNMP v2c (community: public)Custom Templates
The built-in templates are a starting point. Here’s a template I use for Linux servers:
# Template: Linux Server - Production
Items:
- CPU utilization (all cores)
- Memory usage (used/available/cached)
- Disk I/O (read/write IOPS, throughput)
- Network traffic (in/out by interface)
- Process count
- Open file descriptors
- System uptime
Triggers:
- High: CPU > 90% for 5 minutes
- Warning: Memory > 85% for 10 minutes
- Critical: Disk space < 10% on any mount
- Info: System rebootedAgent Configuration
On monitored hosts, install and configure the agent:
# Install Zabbix Agent 2 (recommended)
apt install zabbix-agent2
# Configure /etc/zabbix/zabbix_agent2.conf
Server=zabbix-server.internal
ServerActive=zabbix-server.internal
Hostname=webserver-01.internalAlerting That Works
The Problem with Default Alerts
Default Zabbix alerts are noisy. You’ll get paged for:
- Brief CPU spikes during deployments
- Memory usage from normal caching
- Disk space warnings with weeks of runway
Smart Alert Configuration
# Trigger: High CPU Usage
Expression: avg(/Linux/system.cpu.util,10m)>90
Severity: High
Depends on: Host unreachable # Don't alert if host is down
# Trigger: Memory Pressure
Expression: last(/Linux/vm.memory.size[available])<{$MEM_CRIT_THRESHOLD}
Severity: High
# Use macro for threshold so it's per-host configurable
# Trigger: Disk Space Critical
Expression: last(/Linux/vfs.fs.size[/,pfree])<10
Severity: Disaster
Recovery: last(/Linux/vfs.fs.size[/,pfree])>15 # HysteresisAlert Escalation
Configure escalations to avoid alert fatigue:
# Action: Critical Infrastructure Alerts
Conditions:
- Trigger severity >= High
- Host group = Production
Operations:
- Step 1 (0 min): Send to Slack #alerts
- Step 2 (15 min): Send email to on-call
- Step 3 (30 min): Send SMS to on-call
- Step 4 (60 min): Page infrastructure-leadAdvanced Monitoring
Custom User Parameters
Monitor application-specific metrics:
# /etc/zabbix/zabbix_agent2.d/custom.conf
# Check if critical process is running
UserParameter=app.process.running[*],pgrep -c $1
# Get queue depth from application
UserParameter=app.queue.depth,curl -s http://localhost:8080/metrics | grep queue_size | awk '{print $2}'
# Database connection count
UserParameter=db.connections,mysql -u monitor -ppass -e "SHOW STATUS LIKE 'Threads_connected'" | tail -1 | awk '{print $2}'External Scripts
For complex checks, use external scripts:
#!/usr/bin/env python3
# /usr/lib/zabbix/externalscripts/check_ssl_expiry.py
import ssl
import socket
import sys
from datetime import datetime
def check_ssl_expiry(hostname, port=443):
context = ssl.create_default_context()
with socket.create_connection((hostname, port)) as sock:
with context.wrap_socket(sock, server_hostname=hostname) as ssock:
cert = ssock.getpeercert()
expiry = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
days_remaining = (expiry - datetime.now()).days
return days_remaining
if __name__ == '__main__':
hostname = sys.argv[1]
print(check_ssl_expiry(hostname))Low-Level Discovery
Automatically discover items like disk partitions or network interfaces:
// Discovery rule for mounted filesystems
{
"data": [
{"{#FSNAME}": "/", "{#FSTYPE}": "ext4"},
{"{#FSNAME}": "/var", "{#FSTYPE}": "ext4"},
{"{#FSNAME}": "/data", "{#FSTYPE}": "xfs"}
]
}Performance Optimization
Database Maintenance
Zabbix databases grow quickly. Implement housekeeping:
-- Check table sizes
SELECT table_name,
round(((data_length + index_length) / 1024 / 1024), 2) as size_mb
FROM information_schema.tables
WHERE table_schema = 'zabbix'
ORDER BY (data_length + index_length) DESC
LIMIT 10;# zabbix_server.conf
# Aggressive housekeeping for high-volume environments
HousekeepingFrequency=1
MaxHousekeeperDelete=50000Proxy Architecture
For distributed monitoring, deploy Zabbix proxies:
[Remote Site A] → [Zabbix Proxy A] ─┐
├→ [Zabbix Server]
[Remote Site B] → [Zabbix Proxy B] ─┘Benefits:
- Reduced bandwidth to central server
- Continued monitoring during WAN outages
- Offloaded data collection
Lessons Learned
After deploying Zabbix across multiple environments:
- Start with fewer alerts. Add alerts as you understand your baselines, not the other way around.
- Use template inheritance. Base template → OS template → Role template keeps things manageable.
- Document your triggers. Include remediation steps in trigger descriptions.
- Monitor the monitor. Zabbix itself needs monitoring—use a separate system or synthetic checks.
- Plan for storage. History data grows exponentially. Use partitioning and set retention policies early.
Conclusion
Zabbix isn’t just a monitoring tool—it’s a framework for understanding your infrastructure. The initial setup takes time, but the payoff is observability that scales with your environment.
Start simple, iterate on your templates, and resist the urge to monitor everything. The goal is actionable insights, not dashboards full of green lights that turn red when it’s too late.