Ingest Zabbix (Zabbix 4.4 or later) alerts into Log Service -

Zabbix is a common open source monitoring system. Zabbix provides a variety of alert rules for system monitoring and supports different alert notification channels. You can add a notification channel in Zabbix so that Zabbix can send alerts to the alerting system of Log Service. Then, the alerting system processes the alerts, such as denoising the alerts and sending alert notifications.

Prerequisites

An alert ingestion application is created. For more information, see Configure webhook URLs for alert ingestion.
alibaba_cloud_sls.yml is downloaded.

Configure Zabbix

Notice Only Zabbix 4.4 and later versions are supported.

Log on to the Zabbix console.
Optional:Configure the global variable ZABBIX.SERVER.URL.
After ZABBIX.SERVER.URL is configured, it is included in alerts and sent to Log Service. After alerts are received by Log Service, you can click the variable to access the Zabbix console and view alert details.
If no values are configured for ZABBIX.SERVER.URL, the IP address 127.0.0.1 is included in alerts by default.
1. In the left-side navigation pane, choose Administration > General > Macros.
2. On the Macros page, click Add.
3. Add the global variable ZABBIX.SERVER.URL and set the value to the actual address of the Zabbix console.
4. Click Update.
Add a notification channel of the Alibaba Cloud SLS (Log Service) type.
1. In the left-side navigation pane, choose Administration > Media types.
2. In the upper-right corner of the Media types page, click Import.
3. In the Import dialog box, select the alibaba_cloud_sls.yml file that you downloaded, select Update existing, and then click Import.
4. On the Media types page, click Alibaba Cloud SLS (Log Service).
5. Find Parameters, change the value of the hook_url field, and then click Update.
  Change the value of the hook_url field to the full URL of the webhook URL that is generated after you create an alert ingestion service and an alert ingestion application in the alert ingestion system of Log Service. For more information, see Obtain webhook URLs.
  
  Note If your Zabbix server is deployed on an Elastic Compute Service (ECS) instance, we recommend that you select the region where the ECS instance resides and use an internal endpoint that is accessible over a LAN or virtual private cloud (VPC) when you configure the region information. If your Zabbix server is not deployed on an ECS instance, you can use a public endpoint that is accessible over the Internet for a region.
Specify the notification channel for the required user.
1. In the left-side navigation pane, choose Administration > Users.
2. Find and click the required user.
  You can also click Create user to create a user.
3. On the Media tab, find the required media and click Edit.
  You can also click Add to create a media.
4. In the Media dialog box, select Alibaba Cloud SLS (Log Service) for Type and click Update.
5. Click Update.
Configure a trigger.
1. In the left-side navigation pane, choose Configuration > Actions > Trigger actions.
2. On the Trigger actions page, click the trigger that you created.
3. On the Operations tab, click Add in the Operations section.
  You can also click Edit next to the required operation.
4. In the Operation details dialog box, select the required user or user group, select Alibaba Cloud SLS (Log Service) for Send only to, and then click Add.
5. Click Update.

Alert parsing

A Zabbix alert contains more than 100 variables. For more information, see Zabbix documentation. Log Service retains only dozens of the variables. The following table describes the variables retained by Log Service.


Zabbix macro	Example value
{TRIGGER.ID}	19006
{TRIGGER.NAME}	test used
{EVENT.UPDATE.STATUS}	0
{EVENT.VALUE}	1
{DATE}	2021.06.10
{TIME}	12:44:23
{EVENT.DATE}	2021.06.10
{EVENT.TIME}	19:23:01
{EVENT.RECOVERY.DATE}	""
{EVENT.RECOVERY.TIME}	""
{HOST.NAME}	zabbix-agent
{HOST.IP}	192.0.2.0
{TRIGGER.HOSTGROUP.NAME}	Linux servers
{EVENT.DURATION}	20h 1m 31s
{TRIGGER.DESCRIPTION}	The system is running out of free memory.
{EVENT.OPDATA}	73.22 %
{EVENT.TAGS}	Application:Memory
{NSEVERITY}	2
{EVENT.ID}	1036

Field mapping

The following table describes the mappings between Log Service fields and Zabbix fields.

Table 1. Field mapping
Log Service	Zabbix	Description
aliuid	None	The ID of the Alibaba Cloud account to which the alert ingestion application belongs.
alert_id	{TRIGGER.ID}	The ID of the alert monitoring rule.
alert_type	None	The alert type. The value is fixed as sls_pub.
alert_name	{TRIGGER.NAME}	The name of the alert monitoring rule.
status	{EVENT.UPDATE.STATUS} and {EVENT.VALUE}	The alert status. If the values of {EVENT.UPDATE.STATUS} and {EVENT.VALUE} in the Zabbix alert are both 0, the status is resolved, which indicates that the alert is cleared. If the values are not 0, the status is firing, which indicates that the alert is triggered.
next_eval_interval	None	The interval at which the alert is evaluated. The value is fixed as 0.
alert_time	None	The time at which the evaluation is performed. The time is obtained by using {DATE} and {TIME}.
fire_time	None	The time at which the alert is first triggered. The time is obtained by using {EVENT.DATE} and {EVENT.TIME}.
resolve_time	None	The time at which the alert is cleared. If the alert status is firing, the value of this field is 0. If the alert status is resolved, the value of this field is a specific time. The time is obtained by using {EVENT.RECOVERY.DATE} and {EVENT.RECOVERY.TIME}.
labels	{HOST.NAME}	The labels of the alert. If you add a label on the Enrichment tab when you create the alert ingestion application, the label is added to the labels field. Note If the key of the label specified on the Enrichment tab is the same as a field in the tags field of the Zabbix alert, the label on the Enrichment tab prevails.
annotations	{EVENT.TAGS}	After the Zabbix alert is ingested into Log Service, Log Service expands the {EVENT.TAGS} field into multiple key-value pairs and adds the pairs to the annotations field. {HOST.IP} is mapped to __host_ip__. {TRIGGER.HOSTGROUP.NAME} is mapped to __host_group_name__. {EVENT.DURATION} is mapped to event_duration. {EVENT.NAME} is mapped to title. {TRIGGER.DESCRIPTION} is mapped to desc. {EVENT.OPDATA} is mapped to event_opdata. In addition to the preceding fields, the following fields are added: __config_app__: "sls_pub_alert" __pub_alert_service__: {The ID of the alert ingestion service} __pub_alert_app__: {The ID of the alert ingestion application} __pub_alert_protocol__: "zabbix" __pub_alert_region__: {The region of the endpoint to which the alert is sent} If you add an annotation on the Enrichment tab when you create the alert ingestion application, the annotation is added to the annotations field.
severity	{NSEVERITY}	The alert severity. For more information, see Table 2.
policy	None	The alert policy that is specified for the alert ingestion application. For more information, see Data structure of the policy variable.
project	None	The project to which Alert Center belongs. For more information, see Project.
drill_down_query	{$ZABBIX.SERVER.URL}, {TRIGGER.ID}, and {EVENT.ID}	The link to the alert management page of the Zabbix console. You can click the link to go to the page.

Table 2. Alert severity mapping
Severity in Zabbix	Severity in Log Service
Not Classified	report
Information	low
Warning	medium
Average	medium
High	high
Disaster	critical

FAQ

How do I view operation logs?

Log on to the Zabbix console.
In the left-side navigation pane, choose Reports > Action log.
View operation logs.