
Update zabbix agent configuration template to be compatible with Debian Stretch

Emmanuel Bouthenot пре 7 година
родитељ
комит
28f35cd9c5
2 измењених фајлова са 186 додато и 83 уклоњено
  1. 1 1
      roles/monitoring/tasks/zabbix.yml
  2. 185 82
      roles/monitoring/templates/zabbix/agent.conf.j2

+ 1 - 1
roles/monitoring/tasks/zabbix.yml

@@ -11,7 +11,7 @@
     dest: '/etc/zabbix/zabbix_agentd.conf'
     owner: 'root'
     group: 'root'
-    mode: '0600'
+    mode: '0644'
   notify:
     - 'Restart zabbix agent'
 
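Review bot: Changing `mode` from `'0600'` to `'0644'` makes `/etc/zabbix/zabbix_agentd.conf` readable by every local account, while `owner` and `group` stay `root`. If the aim is to let the agent read its config when it starts as an unprivileged user (an assumption; the commit message only mentions Debian Stretch compatibility), a narrower change is `group: 'zabbix'` with `mode: '0640'`, provided that group exists on the target hosts. Whichever mode is kept, a one-line comment on the task such as `# agent starts unprivileged and must be able to read this file` would record why it was relaxed. The start of the task lies outside this hunk.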

+ 185 - 82
roles/monitoring/templates/zabbix/agent.conf.j2

@@ -8,7 +8,7 @@
 ############ GENERAL PARAMETERS #################
 
 ### Option: PidFile
-#       Name of PID file.
+#   Name of PID file.
 #
 # Mandatory: no
 # Default:
@@ -16,9 +16,18 @@
 
 PidFile=/var/run/zabbix/zabbix_agentd.pid
 
+### Option: LogType
+#   Specifies where log messages are written to:
+#       system  - syslog
+#       file    - file specified with LogFile parameter
+#       console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
 ### Option: LogFile
-#       Name of log file.
-#       If not set, syslog is used.
+#   Log file name for LogType 'file' parameter.
 #
 # Mandatory: no
 # Default:
@@ -27,8 +36,8 @@ PidFile=/var/run/zabbix/zabbix_agentd.pid
 LogFile=/var/log/zabbix-agent/zabbix_agentd.log
 
 ### Option: LogFileSize
-#       Maximum size of log file in MB.
-#       0 - disable automatic log rotation.
+#   Maximum size of log file in MB.
+#   0 - disable automatic log rotation.
 #
 # Mandatory: no
 # Range: 0-1024
@@ -38,38 +47,39 @@ LogFile=/var/log/zabbix-agent/zabbix_agentd.log
 LogFileSize=0
 
 ### Option: DebugLevel
-#       Specifies debug level
-#       0 - no debug
-#       1 - critical information
-#       2 - error information
-#       3 - warnings
-#       4 - for debugging (produces lots of information)
+#   Specifies debug level:
+#   0 - basic information about starting and stopping of Zabbix processes
+#   1 - critical information
+#   2 - error information
+#   3 - warnings
+#   4 - for debugging (produces lots of information)
+#   5 - extended debugging (produces even more information)
 #
 # Mandatory: no
-# Range: 0-4
+# Range: 0-5
 # Default:
 # DebugLevel=3
 
 ### Option: SourceIP
-#       Source IP address for outgoing connections.
+#   Source IP address for outgoing connections.
 #
 # Mandatory: no
 # Default:
 # SourceIP=
 
 ### Option: EnableRemoteCommands
-#       Whether remote commands from Zabbix server are allowed.
-#       0 - not allowed
-#       1 - allowed
+#   Whether remote commands from Zabbix server are allowed.
+#   0 - not allowed
+#   1 - allowed
 #
 # Mandatory: no
 # Default:
 # EnableRemoteCommands=0
 
 ### Option: LogRemoteCommands
-#       Enable logging of executed shell commands as warnings.
-#       0 - disabled
-#       1 - enabled
+#   Enable logging of executed shell commands as warnings.
+#   0 - disabled
+#   1 - enabled
 #
 # Mandatory: no
 # Default:
@@ -78,9 +88,9 @@ LogFileSize=0
 ##### Passive checks related
 
 ### Option: Server
-#       List of comma delimited IP addresses (or hostnames) of Zabbix servers.
-#       Incoming connections will be accepted only from the hosts listed here.
-#       If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally.
+#   List of comma delimited IP addresses (or hostnames) of Zabbix servers.
+#   Incoming connections will be accepted only from the hosts listed here.
+#   If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally.
 #
 # Mandatory: no
 # Default:
@@ -89,7 +99,7 @@ LogFileSize=0
 Server={{ zabbix_remote_server }}
 
 ### Option: ListenPort
-#       Agent will listen on this port for connections from the server.
+#   Agent will listen on this port for connections from the server.
 #
 # Mandatory: no
 # Range: 1024-32767
@@ -97,16 +107,16 @@ Server={{ zabbix_remote_server }}
 # ListenPort=10050
 
 ### Option: ListenIP
-#       List of comma delimited IP addresses that the agent should listen on.
-#       First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
+#   List of comma delimited IP addresses that the agent should listen on.
+#   First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
 #
 # Mandatory: no
 # Default:
 # ListenIP=0.0.0.0
 
 ### Option: StartAgents
-#       Number of pre-forked instances of zabbix_agentd that process passive checks.
-#       If set to 0, disables passive checks and the agent will not listen on any TCP port.
+#   Number of pre-forked instances of zabbix_agentd that process passive checks.
+#   If set to 0, disables passive checks and the agent will not listen on any TCP port.
 #
 # Mandatory: no
 # Range: 0-100
@@ -116,12 +126,12 @@ Server={{ zabbix_remote_server }}
 ##### Active checks related
 
 ### Option: ServerActive
-#       List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks.
-#       If port is not specified, default port is used.
-#       IPv6 addresses must be enclosed in square brackets if port for that host is specified.
-#       If port is not specified, square brackets for IPv6 addresses are optional.
-#       If this parameter is not specified, active checks are disabled.
-#       Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
+#   List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks.
+#   If port is not specified, default port is used.
+#   IPv6 addresses must be enclosed in square brackets if port for that host is specified.
+#   If port is not specified, square brackets for IPv6 addresses are optional.
+#   If this parameter is not specified, active checks are disabled.
+#   Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
 #
 # Mandatory: no
 # Default:
@@ -130,9 +140,9 @@ Server={{ zabbix_remote_server }}
 ServerActive={{ zabbix_remote_server }}
 
 ### Option: Hostname
-#       Unique, case sensitive hostname.
-#       Required for active checks and must match hostname as configured on the server.
-#       Value is acquired from HostnameItem if undefined.
+#   Unique, case sensitive hostname.
+#   Required for active checks and must match hostname as configured on the server.
+#   Value is acquired from HostnameItem if undefined.
 #
 # Mandatory: no
 # Default:
@@ -141,18 +151,18 @@ ServerActive={{ zabbix_remote_server }}
 Hostname={{ ansible_hostname }}
 
 ### Option: HostnameItem
-#       Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
-#       Does not support UserParameters or aliases.
+#   Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
+#   Does not support UserParameters or aliases.
 #
 # Mandatory: no
 # Default:
 # HostnameItem=system.hostname
 
 ### Option: HostMetadata
-#       Optional parameter that defines host metadata.
-#       Host metadata is used at host auto-registration process.
-#       An agent will issue an error and not start if the value is over limit of 255 characters.
-#       If not defined, value will be acquired from HostMetadataItem.
+#   Optional parameter that defines host metadata.
+#   Host metadata is used at host auto-registration process.
+#   An agent will issue an error and not start if the value is over limit of 255 characters.
+#   If not defined, value will be acquired from HostMetadataItem.
 #
 # Mandatory: no
 # Range: 0-255 characters
@@ -160,18 +170,18 @@ Hostname={{ ansible_hostname }}
 # HostMetadata=
 
 ### Option: HostMetadataItem
-#       Optional parameter that defines an item used for getting host metadata.
-#       Host metadata is used at host auto-registration process.
-#       During an auto-registration request an agent will log a warning message if
-#       the value returned by specified item is over limit of 255 characters.
-#       This option is only used when HostMetadata is not defined.
+#   Optional parameter that defines an item used for getting host metadata.
+#   Host metadata is used at host auto-registration process.
+#   During an auto-registration request an agent will log a warning message if
+#   the value returned by specified item is over limit of 255 characters.
+#   This option is only used when HostMetadata is not defined.
 #
 # Mandatory: no
 # Default:
 # HostMetadataItem=
 
 ### Option: RefreshActiveChecks
-#       How often list of active checks is refreshed, in seconds.
+#   How often list of active checks is refreshed, in seconds.
 #
 # Mandatory: no
 # Range: 60-3600
@@ -179,7 +189,7 @@ Hostname={{ ansible_hostname }}
 # RefreshActiveChecks=120
 
 ### Option: BufferSend
-#       Do not keep data longer than N seconds in buffer.
+#   Do not keep data longer than N seconds in buffer.
 #
 # Mandatory: no
 # Range: 1-3600
@@ -187,8 +197,8 @@ Hostname={{ ansible_hostname }}
 # BufferSend=5
 
 ### Option: BufferSize
-#       Maximum number of values in a memory buffer. The agent will send
-#       all collected data to Zabbix Server or Proxy if the buffer is full.
+#   Maximum number of values in a memory buffer. The agent will send
+#   all collected data to Zabbix Server or Proxy if the buffer is full.
 #
 # Mandatory: no
 # Range: 2-65535
@@ -196,33 +206,33 @@ Hostname={{ ansible_hostname }}
 # BufferSize=100
 
 ### Option: MaxLinesPerSecond
-#       Maximum number of new lines the agent will send per second to Zabbix Server
-#       or Proxy processing 'log' and 'logrt' active checks.
-#       The provided value will be overridden by the parameter 'maxlines',
-#       provided in 'log' or 'logrt' item keys.
+#   Maximum number of new lines the agent will send per second to Zabbix Server
+#   or Proxy processing 'log' and 'logrt' active checks.
+#   The provided value will be overridden by the parameter 'maxlines',
+#   provided in 'log' or 'logrt' item keys.
 #
 # Mandatory: no
 # Range: 1-1000
 # Default:
-# MaxLinesPerSecond=100
+# MaxLinesPerSecond=20
 
 ############ ADVANCED PARAMETERS #################
 
 ### Option: Alias
-#       Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
-#       Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
-#       Different Alias keys may reference the same item key.
-#       For example, to retrieve the ID of user 'zabbix':
-#       Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
-#       Now shorthand key zabbix.userid may be used to retrieve data.
-#       Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
+#   Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
+#   Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
+#   Different Alias keys may reference the same item key.
+#   For example, to retrieve the ID of user 'zabbix':
+#   Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
+#   Now shorthand key zabbix.userid may be used to retrieve data.
+#   Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
 #
 # Mandatory: no
 # Range:
 # Default:
 
 ### Option: Timeout
-#       Spend no more than Timeout seconds on processing
+#   Spend no more than Timeout seconds on processing
 #
 # Mandatory: no
 # Range: 1-30
@@ -230,18 +240,27 @@ Hostname={{ ansible_hostname }}
 # Timeout=3
 
 ### Option: AllowRoot
-#       Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
-#       will try to switch to user 'zabbix' instead. Has no effect if started under a regular user.
-#       0 - do not allow
-#       1 - allow
+#   Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
+#   will try to switch to the user specified by the User configuration option instead.
+#   Has no effect if started under a regular user.
+#   0 - do not allow
+#   1 - allow
 #
 # Mandatory: no
 # Default:
 # AllowRoot=0
 
+### Option: User
+#   Drop privileges to a specific, existing user on the system.
+#   Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
 ### Option: Include
-#       You may include individual files or all files in a directory in the configuration file.
-#       Installing Zabbix will create include directory in /etc/zabbix, unless modified during the compile time.
+#   You may include individual files or all files in a directory in the configuration file.
+#   Installing Zabbix will create include directory in /etc/zabbix, unless modified during the compile time.
 #
 # Mandatory: no
 # Default:
@@ -254,9 +273,12 @@ Include=/etc/zabbix/zabbix_agentd.conf.d/
 ####### USER-DEFINED MONITORED PARAMETERS #######
 
 ### Option: UnsafeUserParameters
-#       Allow all characters to be passed in arguments to user-defined parameters.
-#       0 - do not allow
-#       1 - allow
+#   Allow all characters to be passed in arguments to user-defined parameters.
+#   The following characters are not allowed:
+#   \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
+#   Additionally, newline characters are not allowed.
+#   0 - do not allow
+#   1 - allow
 #
 # Mandatory: no
 # Range: 0-1
@@ -264,9 +286,9 @@ Include=/etc/zabbix/zabbix_agentd.conf.d/
 # UnsafeUserParameters=0
 
 ### Option: UserParameter
-#       User-defined parameter to monitor. There can be several user-defined parameters.
-#       Format: UserParameter=<key>,<shell command>
-#       See 'zabbix_agentd' directory for examples.
+#   User-defined parameter to monitor. There can be several user-defined parameters.
+#   Format: UserParameter=<key>,<shell command>
+#   See 'zabbix_agentd' directory for examples.
 #
 # Mandatory: no
 # Default:
@@ -275,19 +297,100 @@ Include=/etc/zabbix/zabbix_agentd.conf.d/
 ####### LOADABLE MODULES #######
 
 ### Option: LoadModulePath
-#       Full path to location of agent modules.
-#       Default depends on compilation options.
+#   Full path to location of agent modules.
+#   Default depends on compilation options.
 #
 # Mandatory: no
 # Default:
 # LoadModulePath=${libdir}/modules
 
 ### Option: LoadModule
-#       Module to load at agent startup. Modules are used to extend functionality of the agent.
-#       Format: LoadModule=<module.so>
-#       The modules must be located in directory specified by LoadModulePath.
-#       It is allowed to include multiple LoadModule parameters.
+#   Module to load at agent startup. Modules are used to extend functionality of the agent.
+#   Format: LoadModule=<module.so>
+#   The modules must be located in directory specified by LoadModulePath.
+#   It is allowed to include multiple LoadModule parameters.
 #
 # Mandatory: no
 # Default:
 # LoadModule=
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSConnect
+#   How the agent should connect to server or proxy. Used for active checks.
+#   Only one value can be specified:
+#       unencrypted - connect without encryption
+#       psk         - connect using TLS and a pre-shared key
+#       cert        - connect using TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSConnect=unencrypted
+
+### Option: TLSAccept
+#   What incoming connections to accept.
+#   Multiple values can be specified, separated by comma:
+#       unencrypted - accept connections without encryption
+#       psk         - accept connections secured with TLS and a pre-shared key
+#       cert        - accept connections secured with TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSAccept=unencrypted
+
+### Option: TLSCAFile
+#   Full pathname of a file containing the top-level CA(s) certificates for
+#   peer certificate verification.
+#
+# Mandatory: no
+# Default:
+# TLSCAFile=
+
+### Option: TLSCRLFile
+#   Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSServerCertIssuer
+#      Allowed server certificate issuer.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertIssuer=
+
+### Option: TLSServerCertSubject
+#      Allowed server certificate subject.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertSubject=
+
+### Option: TLSCertFile
+#   Full pathname of a file containing the agent certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+# TLSCertFile=
+
+### Option: TLSKeyFile
+#   Full pathname of a file containing the agent private key.
+#
+# Mandatory: no
+# Default:
+# TLSKeyFile=
+
+### Option: TLSPSKIdentity
+#   Unique, case sensitive string used to identify the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKIdentity=
+
+### Option: TLSPSKFile
+#   Full pathname of a file containing the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKFile=
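Review bot: Every option in the new TLS section is left commented out, so `TLSConnect` and `TLSAccept` stay at `unencrypted` and the role has no way to enable encryption. By contrast, `Server` and `ServerActive` are templated from `zabbix_remote_server`. Consider driving the TLS options from role variables that default to the current behaviour, for example `TLSAccept={{ zabbix_tls_accept | default('unencrypted') }}` (the variable name is a placeholder), with the same treatment for `TLSConnect`, `TLSPSKIdentity` and `TLSPSKFile`. If PSK is enabled later, the key file named by `TLSPSKFile` needs tighter permissions than this config, which the tasks file in this commit now deploys as `0644`. The description lines under `TLSServerCertIssuer` and `TLSServerCertSubject` are also indented six spaces instead of the three used by the rest of the template.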