Monitor Servers (Zabbix)

Important

Zabbix is an external, fully-functional tool that is officially supported by Cybereason, but is currently primarily used by Technical Support. We are in the process of improving accessibility and adding documentation for this tool, to allow for smoother use and a better understanding of the various alerts.

Zabbix overview

The Cybereason Platform monitors Cybereason On-Prem environments using Zabbix, an open-source monitoring tool for diverse IT components, including networks, servers, VMs, and cloud services. Cybereason leverages Zabbix to provide monitoring metrics, including network utilization, CPU load, and disk space consumption. The Cybereason Defense Platform supports Zabbix version 5.0.

Defenders can use Zabbix to:

  • Monitor CPU, memory, network, and operating system load on the machines on which the servers are running

  • Check that the hosts are available

  • Check that the Docker daemon is up on the MDS microservice, the Microservices server, and the Scribe microservice

  • Check that the following servers and services are up and healthy:

    • Microservices server

    • Detection server

    • Registration server

    • WebApp server

    • Configuration management server

    • Local Threat Intel server and Local Threat Intel database

    • MDS microservice

    • Management microservice

    • Arbiter microservice

    • Scribe microservice

    • PostgreSQL microservice

    • RabbitMQ microservice

Access Zabbix

  1. Make sure that your environment’s firewall allows traffic on port 8444.

  2. To access Zabbix, enter the monitoring IP or URL in the browser. For example, https://192.168.10.12:8444.

  3. Log in with the following default credentials:

    • User: Admin

    • Password: zabbix

If you need to update the password for the Admin user, Cybereason recommends that you create a new user instead of changing the password for the existing user.

View monitoring information

Main dashboard

The Cybereason Platform displays the state of the monitored components on the Zabbix dashboard. The dashboard includes a general summary of the information and problems in the environment.

The System information area includes information about the environment, such as the total number of servers that have an installed Zabbix agent, the total number of templates, items, or triggers, and more.

The Problems area displays a list of ‘problem events’, which indicate issues or problems in the environment. Problem events specify whether a component is down or is unavailable.

When the Problems area lists no problem events other than the no sensors connected event, the environment is functioning properly. The no sensors connected event, shown in the Problem/Severity column, indicates that no sensors are connected to the relevant Detection servers. If no sensors are connected to the relevant Detection server, this is an expected event and does not require any action. If sensors are connected to this server, contact Technical Support.

Alerts of type Disaster, High, Average, and Warning typically indicate issues that require your attention. When you encounter problem events, check if the servers that triggered the problem events are up and running, and are not currently undergoing maintenance. For additional assistance, contact Technical Support.

For more information on the dashboard screen, see the Dashboard section in the Zabbix documentation.

Monitoring > Hosts screen

The Monitoring > Hosts screen displays a list of hosts and details about the connectivity from the Configuration management server (named Zabbix server in the Zabbix Web UI) to the other servers. When every server has a green “ZBX” icon under the Availability column, and an Enabled status under the Status column, this indicates that the environment is functioning properly, and there are no connectivity issues between the Zabbix agent and all servers in the environment.

If the ZBX icon in the Availability column is red, this may indicate that the server is not connected properly or is currently being rebooted. For other issues, contact Technical Support to resolve the error.

For more information, see the Monitoring Hosts section in the Zabbix documentation.
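
The triage rules from the Main dashboard and Monitoring > Hosts sections, applied to records shaped like Zabbix 5.0 API results (`problem.get`, `host.get`). This is an added example, not Cybereason's or Zabbix's own code; the event names, host names, and the assumption that the expected event carries the phrase "no sensors connected" in its name are constructed for illustration.

```python
# Severity codes and field names are those of the Zabbix 5.0 API
# (problem.get / host.get objects). All records below are constructed.
SEVERITY = {0: "Not classified", 1: "Information", 2: "Warning",
            3: "Average", 4: "High", 5: "Disaster"}
NEEDS_ATTENTION = {2, 3, 4, 5}           # Warning and above, per the page
EXPECTED = "no sensors connected"        # assumption: phrase appears in the event name

def triage_problems(problems, sensors_deployed):
    """Return (attention, expected): events to act on, and events safe to ignore."""
    attention, expected = [], []
    for p in problems:
        sev = int(p["severity"])         # the API returns numbers as strings
        if EXPECTED in p["name"].lower():
            # Expected only while no sensors are connected to that Detection server.
            (attention if sensors_deployed else expected).append((sev, p["name"]))
        elif sev in NEEDS_ATTENTION:
            attention.append((sev, p["name"]))
    attention.sort(key=lambda e: -e[0])  # most severe first
    return ([(SEVERITY[s], n) for s, n in attention],
            [n for _, n in expected])

def unhealthy_hosts(hosts):
    """Hosts without a green ZBX icon (available == "1") or Enabled status (status == "0")."""
    result = []
    for h in hosts:
        if h["available"] != "1" or h["status"] != "0":
            # Hosts in a maintenance period are reported separately, not as failures.
            state = "maintenance" if h.get("maintenance_status") == "1" else "investigate"
            result.append((h["host"], state))
    return result

SAMPLE_PROBLEMS = [  # constructed, shaped like a problem.get result
    {"eventid": "101", "severity": "4", "name": "Docker daemon is down"},
    {"eventid": "102", "severity": "2", "name": "No sensors connected"},
    {"eventid": "103", "severity": "1", "name": "Host has been restarted"},
    {"eventid": "104", "severity": "5", "name": "WebApp server is unavailable"},
]
SAMPLE_HOSTS = [     # constructed, shaped like a host.get result
    {"host": "detection-01", "status": "0", "available": "1", "maintenance_status": "0"},
    {"host": "webapp-01", "status": "0", "available": "2", "maintenance_status": "0"},
    {"host": "registration-01", "status": "0", "available": "2", "maintenance_status": "1"},
]

if __name__ == "__main__":
    attention, expected = triage_problems(SAMPLE_PROBLEMS, sensors_deployed=False)
    print("Needs attention:", attention)
    print("Expected:", expected)
    print("Hosts:", unhealthy_hosts(SAMPLE_HOSTS))
```
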

Monitoring > Latest data screen

The Monitoring > Latest data screen lets you view monitored items, information, and graphs for specific Zabbix applications on the relevant servers in the environment.

We recommend that you filter the data by the relevant host(s). You can also filter by applications and other components.

For more information, see the Latest data section in the Zabbix documentation.

Configuration > Hosts screen

The Configuration > Hosts screen provides a detailed description for each relevant server, including configurations, templates, applications, triggers, etc.

Important

Cybereason recommends that you do not make any changes to the servers under this screen. Making changes to a server might disable the monitoring for that server.

For more information, see the Configuration Hosts section in the Zabbix documentation.

Manage users in Zabbix

To add, delete or edit users, see the Login and configuring user section in the Zabbix documentation.