SO 2.4 with ELK and Zabbix

[danielo37]

Our infrastructure already contains ELK as a SIEM and Zabbix for monitoring, we decided to work with SO for Network Security and now we need a way to send alerts from SO to our ELK and to connect influxdb to zabbix (as mentioned in best practices not to install third party agents to avoid conflicts! ) so we get those info in a centralized manner, my question is: is there a way to do that with API or something else please?

[cm-ops]

Is this for 2.3 or 2.4? You could use Logstash to forward alerts via output plugin. Have you looked at this https://www.zabbix.com/integrations/influxdb? Just be aware we customize telegraf/influxdb for SO.

[danielo37]

Hello again, thank you for the previous answer,
For Zabbix:
I am trying to connect zabbix to influxdb with the following integration.
https://www.zabbix.com/integrations/influxdb
I created an API token and I opened the nginx firewall port to the outside from security onion config and lastely tried the follwoing command but it seems that it didnt work.



Also when I try this it works apparently!!!

The curl commands are launched from zabbix instance.

What do you think about that please!! (I have a doubt about the token it needs to be created somewhere else or have extra permissions perhaps but I don't know why and how)

If someone could help with that please?

[cm-ops]

There is a token in SO, salt-call pillar.get influxdb have your tried with that?

[danielo37]

Yes I tried with that too but it didn't work for the command, otherwise the integration now can retreive the data it maint to have


Thank you man

[TotieBash]

"q=SHOW DATABASES" is for the old FLUX-QL query language for INFLUXDB v1.8 which was on SOv2.3.x. The new INFLUXDB on SOv2.4 is v2.7.1 which uses the FLUX query language natively. The new FLUX language uses Buckets instead of databases. If you want to enable the old FLUX-QL for reasons maybe that is what Zabbix is using, follow the instructions on link below.

Pretty much in summary this is what I had to do:

1. "docker exec -it so-influxdb /bin/bash"
2. influx v1 dbrp list --skip-verify
3. influx v1 dbrp create --db telegraf-st --rp so_short_term --bucket-id a4b2d1c3640f2d3c --skip-verify
4. influx v1 auth list --skip-verify
5. influx v1 auth create --username readOnlyUser --password super-secret-password --read-bucket a4b2d1c3640f2d3c --skip-verify

REFERENCE: https://klennan.github.io/influxdb/grafana/2020/12/02/Configuring-InfluxDB-v2-API-v1-and-Grafana.html