2 Zabbix proxy
Overview
This section lists parameters supported in a Zabbix proxy configuration file (zabbix_proxy.conf). Note that:
The default values reflect daemon defaults, not the values in the shipped configuration files;
Zabbix supports configuration files only in UTF-8 encoding without BOM;
Comments starting with “#” are only supported in the beginning of the line.
Parameters
Parameter | Mandatory | Range | Default | Description |
---|---|---|---|---|
AllowRoot | no | 0 | Allow the proxy to run as ‘root’. If disabled and the proxy is started by ‘root’, the proxy will try to switch to the ‘zabbix’ user instead. Has no effect if started under a regular user. 0 - do not allow 1 - allow This parameter is supported since Zabbix 2.2.0. | |
CacheSize | no | 128K-64G | 8M | Size of configuration cache, in bytes. Shared memory size, for storing host and item data. |
ConfigFrequency | no | 1-604800 | 3600 | How often proxy retrieves configuration data from Zabbix server in seconds. Active proxy parameter. Ignored for passive proxies (see ProxyMode parameter). |
DataSenderFrequency | no | 1-3600 | 1 | Proxy will send collected data to the server every N seconds. Note that active proxy will still poll Zabbix server every second for remote command tasks. Active proxy parameter. Ignored for passive proxies (see ProxyMode parameter). |
DBHost | no | localhost | Database host name. In case of MySQL localhost or empty string results in using a socket. In case of PostgreSQL only empty string results in attempt to use socket. | |
DBName | yes | Database name or path to database file for SQLite3 (multi-process architecture of Zabbix does not allow to use in-memory database, e.g. :memory: , file::memory:?cache=shared or file:memdb1?mode=memory&cache=shared ).Warning: Do not attempt to use the same database Zabbix server is using. | ||
DBPassword | no | Database password. Ignored for SQLite. Comment this line if no password is used. | ||
DBSchema | no | Schema name. Used for PostgreSQL. | ||
DBSocket | no | 3306 | Path to MySQL socket. Database port when not using local socket. Ignored for SQLite. | |
DBUser | Database user. Ignored for SQLite. | |||
DBTLSConnect | no | Setting this option enforces to use TLS connection to database: required - connect using TLS verifyca - connect using TLS and verify certificate verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost matches its certificate On MySQL starting from 5.7.11 and PostgreSQL the following values are supported: “required”, “verify”, “verify_full”. On MariaDB starting from version 10.2.6 “required” and “verify_full” values are supported. By default not set to any option and the behavior depends on database configuration. This parameter is supported since Zabbix 5.0.0. | ||
DBTLSCAFile | no (yes, if DBTLSConnect set to one of: verify_ca, verify_full) | Full pathname of a file containing the top-level CA(s) certificates for database certificate verification. This parameter is supported since Zabbix 5.0.0. | ||
DBTLSCertFile | no | Full pathname of file containing Zabbix server certificate for authenticating to database. This parameter is supported since Zabbix 5.0.0. | ||
DBTLSKeyFile | no | Full pathname of file containing the private key for authenticating to database. This parameter is supported since Zabbix 5.0.0. | ||
DBTLSCipher | no | The list of encryption ciphers that Zabbix server permits for TLS protocols up through TLSv1.2. Supported only for MySQL. This parameter is supported since Zabbix 5.0.0. | ||
DBTLSCipher13 | no | The list of encryption ciphersuites that Zabbix server permits for TLSv1.3 protocol. Supported only for MySQL, starting from version 8.0.16. This parameter is supported since Zabbix 5.0.0. | ||
DebugLevel | no | 0-5 | 3 | Specifies debug level: 0 - basic information about starting and stopping of Zabbix processes 1 - critical information 2 - error information 3 - warnings 4 - for debugging (produces lots of information) 5 - extended debugging (produces even more information) |
EnableRemoteCommands | no | 0 | Whether remote commands from Zabbix server are allowed. 0 - not allowed 1 - allowed This parameter is supported since Zabbix 3.4.0. | |
ExternalScripts | no | /usr/local/share/zabbix/externalscripts | Location of external scripts (depends on compile-time installation variable datadir). | |
Fping6Location | no | /usr/sbin/fping6 | Location of fping6. Make sure that fping6 binary has root ownership and SUID flag set. Make empty (“Fping6Location=”) if your fping utility is capable to process IPv6 addresses. | |
FpingLocation | no | /usr/sbin/fping | Location of fping. Make sure that fping binary has root ownership and SUID flag set! | |
HeartbeatFrequency | no | 0-3600 | 60 | Frequency of heartbeat messages in seconds. Used for monitoring availability of proxy on server side. 0 - heartbeat messages disabled. Active proxy parameter. Ignored for passive proxies (see ProxyMode parameter). |
HistoryCacheSize | no | 128K-2G | 16M | Size of history cache, in bytes. Shared memory size for storing history data. |
HistoryIndexCacheSize | no | 128K-2G | 4M | Size of history index cache, in bytes. Shared memory size for indexing history data stored in history cache. The index cache size needs roughly 100 bytes to cache one item. This parameter is supported since Zabbix 3.0.0. |
Hostname | no | Set by HostnameItem | Unique, case sensitive Proxy name. Make sure the proxy name is known to the server! Allowed characters: alphanumeric, ‘.’, ‘ ‘, ‘‘ and ‘-‘. Maximum length: 128 | |
HostnameItem | no | system.hostname | Item used for setting Hostname if it is undefined (this will be run on the proxy similarly as on an agent). Does not support UserParameters, performance counters or aliases, but does support system.run[]. Ignored if Hostname is set. This parameter is supported since Zabbix 1.8.6. | |
HousekeepingFrequency | no | 0-24 | 1 | How often Zabbix will perform housekeeping procedure (in hours). Housekeeping is removing outdated information from the database. Note: To prevent housekeeper from being overloaded (for example, when configuration parameters ProxyLocalBuffer or ProxyOfflineBuffer are greatly reduced), no more than 4 times HousekeepingFrequency hours of outdated information are deleted in one housekeeping cycle. Thus, if HousekeepingFrequency is 1, no more than 4 hours of outdated information (starting from the oldest entry) will be deleted per cycle. Note: To lower load on proxy startup housekeeping is postponed for 30 minutes after proxy start. Thus, if HousekeepingFrequency is 1, the very first housekeeping procedure after proxy start will run after 30 minutes, and will repeat every hour thereafter. This postponing behavior is in place since Zabbix 2.4.0. Since Zabbix 3.0.0 it is possible to disable automatic housekeeping by setting HousekeepingFrequency to 0. In this case the housekeeping procedure can only be started by housekeeper_execute runtime control option and the period of outdated information deleted in one housekeeping cycle is 4 times the period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days. |
Include | no | You may include individual files or all files in a directory in the configuration file. To only include relevant files in the specified directory, the asterisk wildcard character is supported for pattern matching. For example: /absolute/path/to/config/files/*.conf . Pattern matching is supported since Zabbix 2.4.0.See special notes about limitations. | ||
JavaGateway | no | IP address (or hostname) of Zabbix Java gateway. Only required if Java pollers are started. This parameter is supported since Zabbix 2.0.0. | ||
JavaGatewayPort | no | 1024-32767 | 10052 | Port that Zabbix Java gateway listens on. This parameter is supported since Zabbix 2.0.0. |
ListenIP | no | 0.0.0.0 | List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing. Multiple IP addresses are supported since Zabbix 1.8.3. | |
ListenPort | no | 1024-32767 | 10051 | Listen port for trapper. |
LoadModule | no | Module to load at proxy startup. Modules are used to extend functionality of the proxy. Formats: LoadModule=<module.so> LoadModule=<path/module.so> LoadModule=</abs_path/module.so> Either the module must be located in directory specified by LoadModulePath or the path must precede the module name. If the preceding path is absolute (starts with ‘/‘) then LoadModulePath is ignored. It is allowed to include multiple LoadModule parameters. | ||
LoadModulePath | no | Full path to location of proxy modules. Default depends on compilation options. | ||
LogFile | yes, if LogType is set to file, otherwise no | Name of log file. | ||
LogFileSize | no | 0-1024 | 1 | Maximum size of log file in MB. 0 - disable automatic log rotation. Note: If the log file size limit is reached and file rotation fails, for whatever reason, the existing log file is truncated and started anew. |
LogRemoteCommands | no | 0 | Enable logging of executed shell commands as warnings. 0 - disabled 1 - enabled This parameter is supported since Zabbix 3.4.0. | |
LogType | no | file | Log output type: file - write log to file specified by LogFile parameter, system - write log to syslog, console - write log to standard output. This parameter is supported since Zabbix 3.0.0. | |
LogSlowQueries | no | 0-3600000 | 0 | How long a database query may take before being logged (in milliseconds). 0 - don’t log slow queries. This option becomes enabled starting with DebugLevel=3. This parameter is supported since Zabbix 1.8.2. |
PidFile | no | /tmp/zabbix_proxy.pid | Name of PID file. | |
ProxyLocalBuffer | no | 0-720 | 0 | Proxy will keep data locally for N hours, even if the data have already been synced with the server. This parameter may be used if local data will be used by third party applications. |
ProxyMode | no | 0-1 | 0 | Proxy operating mode. 0 - proxy in the active mode 1 - proxy in the passive mode This parameter is supported since Zabbix 1.8.3. Note that (sensitive) proxy configuration data may become available to parties having access to the Zabbix server trapper port when using an active proxy. This is possible because anyone may pretend to be an active proxy and request configuration data; authentication does not take place. |
ProxyOfflineBuffer | no | 1-720 | 1 | Proxy will keep data for N hours in case of no connectivity with Zabbix server. Older data will be lost. |
ServerPort | no | 1024-32767 | 10051 | Port of Zabbix trapper on Zabbix server. Active proxy parameter. Ignored for passive proxies (see ProxyMode parameter). |
Server | yes | If ProxyMode is set to active mode: IP address or DNS name of Zabbix server to get configuration data from and send data to. If ProxyMode is set to passive mode: List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix server. Incoming connections will be accepted only from the addresses listed here. If IPv6 support is enabled then ‘127.0.0.1’, ‘::127.0.0.1’, ‘::ffff:127.0.0.1’ are treated equally and ‘::/0’ will allow any IPv4 or IPv6 address. ‘0.0.0.0/0’ can be used to allow any IPv4 address. Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com | ||
SNMPTrapperFile | no | /tmp/zabbix_traps.tmp | Temporary file used for passing data from SNMP trap daemon to the proxy. Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file. This parameter is supported since Zabbix 2.0.0. | |
SocketDir | no | /tmp | Directory to store IPC sockets used by internal Zabbix services. This parameter is supported since Zabbix 3.4.0. | |
SourceIP | no | Source IP address for: - outgoing connections to Zabbix server; - agentless connections (VMware, SSH, JMX, SNMP, Telnet and simple checks); - HTTP agent connections; - script item JavaScript HTTP requests; - preprocessing JavaScript HTTP requests; - connections to the Vault | ||
SSHKeyLocation | no | Location of public and private keys for SSH checks and actions | ||
SSLCertLocation | no | Location of SSL client certificate files for client authentication. This parameter is used in web monitoring only and is supported since Zabbix 2.4.0. | ||
SSLKeyLocation | no | Location of SSL private key files for client authentication. This parameter is used in web monitoring only and is supported since Zabbix 2.4.0. | ||
SSLCALocation | no | Location of certificate authority (CA) files for SSL server certificate verification. Note that the value of this parameter will be set as libcurl option CURLOPT_CAPATH. For libcurl versions before 7.42.0, this only has effect if libcurl was compiled to use OpenSSL. For more information see cURL web page. This parameter is used in web monitoring since Zabbix 2.4.0 and in SMTP authentication since Zabbix 3.0.0. | ||
StartDBSyncers | no | 1-100 | 4 | Number of pre-forked instances of DB Syncers. Note: Be careful when changing this value, increasing it may do more harm than good. The upper limit used to be 64 before version 1.8.5. This parameter is supported since Zabbix 1.8.3. |
StartDiscoverers | no | 0-250 | 1 | Number of pre-forked instances of discoverers. The upper limit used to be 255 before version 1.8.5. |
StartHTTPPollers | no | 0-1000 | 1 | Number of pre-forked instances of HTTP pollers. |
StartIPMIPollers | no | 0-1000 | 0 | Number of pre-forked instances of IPMI pollers. The upper limit used to be 255 before version 1.8.5. |
StartJavaPollers | no | 0-1000 | 0 | Number of pre-forked instances of Java pollers. This parameter is supported since Zabbix 2.0.0. |
StartPingers | no | 0-1000 | 1 | Number of pre-forked instances of ICMP pingers. The upper limit used to be 255 before version 1.8.5. |
StartPollersUnreachable | no | 0-1000 | 1 | Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java). Since Zabbix 2.4.0, at least one poller for unreachable hosts must be running if regular, IPMI or Java pollers are started. The upper limit used to be 255 before version 1.8.5. This option is missing in version 1.8.3. |
StartPollers | no | 0-1000 | 5 | Number of pre-forked instances of pollers. The upper limit used to be 255 before version 1.8.5. |
StartPreprocessors | no | 1-1000 | 3 | Number of pre-forked instances of preprocessing workers1. The preprocessing manager process is automatically started when a preprocessor worker is started. This parameter is supported since Zabbix 4.2.0. |
StartSNMPTrapper | no | 0-1 | 0 | If set to 1, SNMP trapper process will be started. This parameter is supported since Zabbix 2.0.0. |
StartTrappers | no | 0-1000 | 5 | Number of pre-forked instances of trappers. Trappers accept incoming connections from Zabbix sender and active agents. The upper limit used to be 255 before version 1.8.5. |
StartVMwareCollectors | no | 0-250 | 0 | Number of pre-forked vmware collector instances. This parameter is supported since Zabbix 2.2.0. |
StatsAllowedIP | no | List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances. Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests will be accepted. If IPv6 support is enabled then ‘127.0.0.1’, ‘::127.0.0.1’, ‘::ffff:127.0.0.1’ are treated equally and ‘::/0’ will allow any IPv4 or IPv6 address. ‘0.0.0.0/0’ can be used to allow any IPv4 address. Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com This parameter is supported since Zabbix 4.2.0. | ||
Timeout | no | 1-30 | 3 | Specifies how long we wait for agent, SNMP device or external check (in seconds). |
TLSAccept | yes for passive proxy, if TLS certificate or PSK parameters are defined (even for unencrypted connection), otherwise no | What incoming connections to accept from Zabbix server. Used for a passive proxy, ignored on an active proxy. Multiple values can be specified, separated by comma: unencrypted - accept connections without encryption (default) psk - accept connections with TLS and a pre-shared key (PSK) cert - accept connections with TLS and a certificate This parameter is supported since Zabbix 3.0.0. | ||
TLSCAFile | no | Full pathname of a file containing the top-level CA(s) certificates for peer certificate verification, used for encrypted communications between Zabbix components. This parameter is supported since Zabbix 3.0.0. | ||
TLSCertFile | no | Full pathname of a file containing the proxy certificate or certificate chain, used for encrypted communications between Zabbix components. This parameter is supported since Zabbix 3.0.0. | ||
TLSCipherAll | no | GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. Example: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 This parameter is supported since Zabbix 4.4.7. | ||
TLSCipherAll13 | no | Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. Override the default ciphersuite selection criteria for certificate- and PSK-based encryption. Example for GnuTLS: NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL::+SIGN-ALL:+CTYPE-X.509 Example for OpenSSL: EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128 This parameter is supported since Zabbix 4.4.7. | ||
TLSCipherCert | no | GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. Override the default ciphersuite selection criteria for certificate-based encryption. Example for GnuTLS: NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509 Example for OpenSSL: EECDH+aRSA+AES128:RSA+aRSA+AES128 This parameter is supported since Zabbix 4.4.7. | ||
TLSCipherCert13 | no | Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. Override the default ciphersuite selection criteria for certificate-based encryption. This parameter is supported since Zabbix 4.4.7. | ||
TLSCipherPSK | no | GnuTLS priority string or OpenSSL (TLS 1.2) cipher string. Override the default ciphersuite selection criteria for PSK-based encryption. Example for GnuTLS: NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL Example for OpenSSL: kECDHEPSK+AES128:kPSK+AES128 This parameter is supported since Zabbix 4.4.7. | ||
TLSCipherPSK13 | no | Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3. Override the default ciphersuite selection criteria for PSK-based encryption. Example: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 This parameter is supported since Zabbix 4.4.7. | ||
TLSConnect | yes for active proxy, if TLS certificate or PSK parameters are defined (even for unencrypted connection), otherwise no | How the proxy should connect to Zabbix server. Used for an active proxy, ignored on a passive proxy. Only one value can be specified: unencrypted - connect without encryption (default) psk - connect using TLS and a pre-shared key (PSK) cert - connect using TLS and a certificate This parameter is supported since Zabbix 3.0.0. | ||
TLSCRLFile | no | Full pathname of a file containing revoked certificates.This parameter is used for encrypted communications between Zabbix components. This parameter is supported since Zabbix 3.0.0. | ||
TLSKeyFile | no | Full pathname of a file containing the proxy private key, used for encrypted communications between Zabbix components. This parameter is supported since Zabbix 3.0.0. | ||
TLSPSKFile | no | Full pathname of a file containing the proxy pre-shared key. used for encrypted communications with Zabbix server. This parameter is supported since Zabbix 3.0.0. | ||
TLSPSKIdentity | no | Pre-shared key identity string, used for encrypted communications with Zabbix server. This parameter is supported since Zabbix 3.0.0. | ||
TLSServerCertIssuer | no | Allowed server certificate issuer. This parameter is supported since Zabbix 3.0.0. | ||
TLSServerCertSubject | no | Allowed server certificate subject. This parameter is supported since Zabbix 3.0.0. | ||
TmpDir | no | /tmp | Temporary directory. | |
TrapperTimeout | no | 1-300 | 300 | Specifies how many seconds trapper may spend processing new data. |
User | no | zabbix | Drop privileges to a specific, existing user on the system. Only has effect if run as ‘root’ and AllowRoot is disabled. This parameter is supported since Zabbix 2.4.0. | |
UnavailableDelay | no | 1-3600 | 60 | How often host is checked for availability during the unavailability period, in seconds. |
UnreachableDelay | no | 1-3600 | 15 | How often host is checked for availability during the unreachability period, in seconds. |
UnreachablePeriod | no | 1-3600 | 45 | After how many seconds of unreachability treat a host as unavailable. |
VaultDBPath | no | Vault path from where credentials for database will be retrieved by keys ‘password’ and ‘username’. Example: secret/zabbix/database This option can only be used if DBUser and DBPassword are not specified. This parameter is supported since Zabbix 5.2.0. | ||
VaultToken | no | Vault authentication token that should have been generated exclusively for Zabbix proxy with read-only permission to the path specified in the optional VaultDBPath configuration parameter. It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time. This parameter is supported since Zabbix 5.2.0. | ||
VaultURL | no | https://127.0.0.1:8200 | Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified. This parameter is supported since Zabbix 5.2.0. | |
VMwareCacheSize | no | 256K-2G | 8M | Shared memory size for storing VMware data. A VMware internal check zabbix[vmware,buffer,…] can be used to monitor the VMware cache usage (see Internal checks). Note that shared memory is not allocated if there are no vmware collector instances configured to start. This parameter is supported since Zabbix 2.2.0. |
VMwareFrequency | no | 10-86400 | 60 | Delay in seconds between data gathering from a single VMware service. This delay should be set to the least update interval of any VMware monitoring item. This parameter is supported since Zabbix 2.2.0. |
VMwarePerfFrequency | no | 10-86400 | 60 | Delay in seconds between performance counter statistics retrieval from a single VMware service. This delay should be set to the least update interval of any VMware monitoring item that uses VMware performance counters. This parameter is supported since Zabbix 2.2.9, 2.4.4 |
VMwareTimeout | no | 1-300 | 10 | The maximum number of seconds vmware collector will wait for a response from VMware service (vCenter or ESX hypervisor). This parameter is supported since Zabbix 2.2.9, 2.4.4 |