Yesterday the Zabbix blog had a fascinating entry on how you can use Zabbix to monitor Zabbix Security Advisories. The blog post does go above and beyond to make sure that everything gets captured as planned, and does so by using web scraping and AWS Lambdas, for example. Their solution for sure generates better results than what I'm going to show you, but what I'm offering here is a solution that's 100% produced within Zabbix instead of using any 3rd party code.
As my regular readers do know, my blog is very much real-time -- many times I develop something whilst I blog -- so this is really a rough concept. Just like on the Zabbix blog, my attempt to do this does use the public Zabbix security issue tracker, but instead of scraping the page, I'm using the Jira API, which returns JSON.
The idea
- Create a new template
- Fetch the list of security related tickets from https://support.zabbix.com/rest/api/2/search?project = ZBX AND issuetype = "Defect (Security)" ORDER BY updated DESC
- Use that JSON as the master item for some low-level discovery stuff
- Set up some LLD macros
- Create a bunch of item prototypes with the bits and pieces of the JSON we are interested in
- Create some item prototypes by extracting some details from some JSON fields
Let's get to it! Y'all know that creating a new template happens just by clicking on Create template, so I'm not going to spend too much time on that. Moving on to more interesting things.
Fetch the master data
Here's the interesting part from my master data item which I created inside my new template.

Below is a very short snippet of what that JSON looks like. As this is coming from Jira, there's a lot of data.
{
  "expand": "schema,names",
  "startAt": 0,
  "maxResults": 50,
  "total": 158,
  "issues": [
    {
      "expand": "operations,versionedRepresentations,editmeta,changelog,renderedFields",
      "id": "133912",
      "self": "https://support.zabbix.com/rest/api/2/issue/133912",
      "key": "ZBX-25016",
      "fields": {
        "fixVersions": [
          {
            "self": "https://support.zabbix.com/rest/api/2/version/22809",
            "id": "22809",
            "description": "",
            "name": "6.4.16rc1",
            "archived": true,
            "released": true,
            "releaseDate": "2024-06-10"
          },
          {
            "self": "https://support.zabbix.com/rest/api/2/version/22836",
            "id": "22836",
            "description": "",
            "name": "7.0.0rc3",
            "archived": true,
            "released": true,
            "releaseDate": "2024-05-28"
          }
        ],
Create Discovery rule
For any discovery rules to kick in, we first need to create them. Here's mine. The rule will use the JSON data the fetcher HTTP Agent item has downloaded.

Set up LLD macros
Next, under the Discovery tab of the new template I'm building, I went to Preprocessing and added $.issues as the root JSONPath that Zabbix should follow, so it will loop over all the issues that are present in the JSON.

Time for LLD macros, so on that tab, I did enter some macros for later use.

Setting up Item prototypes
For this test, I created a few item prototypes. Nothing too interesting there, just putting the previously defined macros to use.

Let's take a closer look at one that's using something more specific: the regsub macro function for extracting just the CVE Mitre ID -- that is, those CVE-2024-12345 style vulnerability IDs. Basically, that regsub just extracts the part of the JSON description field that matches CVE-XXXX-XXXXX.
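The discovery over $.issues and the CVE extraction described above, written out as an added JavaScript example; it is not code from the template. The macro names ({#KEY}, {#CVE}, {#FIXED}), the `fields.description` path and the sample data are assumptions made for illustration. It also counts how many tickets a single response page leaves out, since the JSON shown earlier has maxResults 50 against a total of 158.

```javascript
// Added example: mirrors the template's $.issues discovery and the CVE regsub.
// Macro names ({#KEY}, {#CVE}, {#FIXED}) are assumed, not taken from the template.
var CVE_RE = /CVE-\d{4}-\d{4,}/;

function discover(raw) {
  var data = JSON.parse(raw);
  var issues = data.issues || [];
  var rows = issues.map(function (issue) {
    var f = issue.fields || {};
    // Jira returns null for an empty description, so guard before matching.
    var m = CVE_RE.exec(f.description || '');
    return {
      '{#KEY}': issue.key,
      '{#CVE}': m ? m[0] : '',
      '{#FIXED}': (f.fixVersions || []).map(function (v) { return v.name; }).join(', ')
    };
  });
  // Only one page is fetched: compare with "total" to see how many tickets are absent.
  var missing = data.total - ((data.startAt || 0) + issues.length);
  return { rows: rows, missing: Math.max(missing, 0) };
}

// Constructed sample in the shape of the Jira response shown earlier (not real tickets).
var SAMPLE = JSON.stringify({
  startAt: 0, maxResults: 2, total: 3,
  issues: [
    { key: 'ZBX-1234',
      fields: { description: 'Mitre ID: CVE-2024-12345\nDetails follow.',
                fixVersions: [{ name: '6.4.16rc1' }, { name: '7.0.0rc3' }] } },
    { key: 'ZBX-1235', fields: { description: null, fixVersions: [] } }
  ]
});

var result = discover(SAMPLE);
console.log(JSON.stringify(result.rows, null, 2));
console.log('tickets not covered by this page: ' + result.missing);
```

A non-zero `missing` means some security tickets never reach discovery from this one request. Inside a Zabbix JavaScript preprocessing step, the same function could be given `value` and its `rows` returned as a JSON string.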

For tags, I added a bunch of stuff like this.

And we are about done! All that was left was to create a new host and assign the new template to it.
Observing the results
I now have those items automatically created in a way that each item is prefixed with the Zabbix Jira ticket ID, which is in ZBX-1234 format.

As I added lots of stuff as tags as well, the tags list for my test host exploded.

I can also browse these tickets through the new Item navigator widget in Zabbix 7.0.

Not much else on this template, but feel free to download it from my GitHub, explore and enhance to your needs. Maybe instead of one host, create a separate host for each ZBX ticket? It's up to you, this was just a quick test from me.