Zabbix – Ostrich blog
https://ostrich.kyiv.ua
Feed generated Tue, 16 Sep 2025 06:45:57 +0000

Configuring Email Notifications in Zabbix
https://ostrich.kyiv.ua/en/2025/05/28/configuring-email-notifications-in-zabbix/
Wed, 28 May 2025 19:24:09 +0000

Introduction

When reviewing metrics in Zabbix, sometimes it’s not enough to just check the Current problems section on the dashboard. Zabbix has many additional ways to notify the administrator about certain events. One of them, which interests me, is configuring SMTP to send emails directly via Zabbix. I will describe in detail how to set up this configuration.

In fact, this important configuration is done in three stages:

  • Configuring user email
  • Configuring SMTP
  • Configuring notifications

After completing these steps, it will be necessary to check whether everything works correctly.

Configuring user email

For a user to receive emails, their address must be set in the account. To do this, go to the Users → Users menu, select the required user from the list, and go to the Media tab.

In the Media section, click Add. A Media window will open, where you just need to enter the user’s email and click Add. In this window, you can also set the schedule for sending emails and specify the type of event that will trigger an email. In other words, this configuration is quite flexible.

After saving the changes, the email address will be linked to the user, and you can proceed to the next step.

Configuring SMTP

The main settings are found under Alerts → Media types. From the list of available types, choose Email. Initially, you need to fill in the values on the Media type form. The Message templates and Options tabs can be configured later.

For testing, I created a dedicated email account specifically for Zabbix. Emails will be sent on behalf of this user. Now, using this information, you need to fill in the following fields:

Media type

  • Name – Email
  • Type – Email
  • Email provider – Generic SMTP
  • SMTP server – mail.yourdomain.com
  • SMTP server port – 465
  • Email – <sender address of the dedicated account>
  • SMTP helo – <mail.yourdomain.com>
  • Connection security – SSL/TLS
  • SSL verify peer – Checkbox
  • SSL verify host – Checkbox
  • Authentication – Username and password
  • Username – <SMTP account username>
  • Password – <password>
  • Message format – HTML or Plain text
  • Description – Postfix server for sending notifications from Zabbix
  • Enabled – Checkbox

To ensure the settings are correct, you can immediately test sending a test message. To do this, click the Test button, select the recipient, optionally write a message, and send the test email.

Once the test email is received, you can move on to the next stage – configuring notifications.
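The Test button only reports success or failure. As an added example that is not part of the post, the following shell script probes the same SMTP endpoint from the Zabbix server with openssl and classifies the certificate check result, so that a failure of the SSL verify peer / SSL verify host options can be told apart from a wrong password. The host name is the post's placeholder mail.yourdomain.com; the function names and the s_client output lines used for the checks are constructed.

```shell
#!/bin/sh
# Added example: probe the SMTP endpoint used by the Zabbix Email media type
# and report whether its certificate would pass "SSL verify peer/host".

# smtp_tls_probe <host> [port]: run the TLS handshake as Zabbix would and print
# the raw openssl output. Port 465 is implicit TLS (the post's "SSL/TLS");
# any other port is assumed to be a STARTTLS submission port such as 587.
smtp_tls_probe() {
  host=$1; port=${2:-465}
  if [ "$port" = 465 ]; then starttls=''; else starttls='-starttls smtp'; fi
  # -verify_hostname checks the name like "SSL verify host"; -verify_return_error
  # aborts on a chain failure like "SSL verify peer".
  printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -servername "$host" \
      -verify_hostname "$host" -verify_return_error $starttls 2>&1
}

# tls_verdict: classify s_client output read from stdin as ok / untrusted / no-tls
tls_verdict() {
  out=$(cat)
  case $out in
    *"Verify return code: 0 (ok)"*) echo ok ;;
    *"Verify return code:"*)        echo untrusted ;;
    *)                              echo no-tls ;;
  esac
}

# cert_expiry: print the notAfter date of the certificate in s_client output
cert_expiry() { openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'; }

# Usage on a live server (not run here):
#   smtp_tls_probe mail.yourdomain.com 465 | tls_verdict
#   smtp_tls_probe mail.yourdomain.com 465 | cert_expiry
```

A verdict of untrusted means the chain or the host name failed (self-signed or mismatched certificate), which is exactly what makes Zabbix refuse the connection when both verify options are ticked; no-tls means the port did not answer with TLS at all. Port 587 goes through STARTTLS and would need Connection security set to STARTTLS in the media type instead of SSL/TLS.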

Configuring notifications

Notification settings are located under Alerts → Actions → Trigger actions. In this window, you will already see a list of created notification triggers, but we will create a new one by clicking the Create action button.

In the New action window, fill in the following fields:

On the Action tab:

  • Name – Email notification
  • Conditions – Select the appropriate trigger, for example, the one responsible for CPU temperature
  • Enabled – Checkbox

On the Operations tab, I configured only the Operations block, by clicking Add there. In this window, only two fields need to be changed:

  • Send to users – select the recipient from the list
  • Send to media type – select the previously created media type – email

The user must have at least “read” permissions to the host in order to be notified.

I decided to uncheck the following options: Notify about canceled escalations, Pause operations for symptom problems, Pause operations for suppressed problems. During notification testing, you can re-enable them if needed.

After completing this step, save the action to apply the notification settings.

Viewing activity

To see the activity of email sending, go to Reports → Action log, where you will be able to view all successful or unsuccessful actions that were executed.

Conclusion

Configuring SMTP in Zabbix is a straightforward but crucial process that significantly enhances monitoring efficiency. Thanks to this configuration, the administrator can receive timely notifications about system issues without constantly checking the dashboard.

The process consists of clearly defined steps: setting up the user’s email, configuring SMTP parameters, and defining notification rules. Each of these stages is logical and easy to verify through built-in test tools.

However, it’s worth noting a potential nuance — notifications may not reach standard users even if everything is set up correctly. This may be due to additional permissions or configuration peculiarities within Zabbix. If you encounter a similar situation, I encourage you to share your solution, as this could help others who are trying to implement the same functionality.

Cloudflare: real experience repelling a DDoS attack from russia
https://ostrich.kyiv.ua/en/2025/05/25/cloudflare-real-experience-repelling-a-ddos-attack-from-russia/
Sun, 25 May 2025 13:23:47 +0000

Introduction

When I bought a domain and decided to host a public site on my Raspberry Pi (the blog you are reading now), I knew that a DDoS attack was certain to happen; it was only a matter of time. That time has come. In this post, I’ll share how I fended off a DDoS attack with Cloudflare on the free plan. The graphs and results shown here were captured after the attack had ended, but they still give a clear visual picture of what happened.

Preventive measures

I keep studying modern networking capabilities and new technologies, and learning how services and their settings work. I currently run several web services on my server, but for security reasons I have restricted Internet access to them and allow only the local network. Such a measure cannot apply to a public web resource like this blog. After writing roughly the fifth article, I started thinking about protection against DDoS attacks, and the first thing that came to mind was the Cloudflare service.

Cloudflare is a platform for securing web resources, optimizing their performance and improving their stability. Thanks to a global network of data centers, Cloudflare acts as an intermediary between the site and the visitor: it caches content, blocks unwanted traffic and provides analytics.

At the entry level, I chose the free plan, which has some limitations unlike the commercial one, but it is quite enough for basic site protection needs. To start using Cloudflare, you need to follow a few simple steps:

  • Sign up for Cloudflare
  • In the domain registrar’s admin panel, enter the DNS records (name servers) of the Cloudflare servers
  • In the Cloudflare admin panel, add the DNS records for your physical server

After the changes are made, DNS propagation begins; it can take up to 72 hours, but in my case it was done in less than a day. After that, I breathed a sigh of relief and started running the site fully behind Cloudflare.

DDoS attack detection

I use Zabbix to monitor the resources of my local network. I usually monitor mail server activity, Raspberry Pi temperatures, and other metrics. I placed several widgets on the dashboard so that anomalies in the operation of services can be identified clearly and quickly.

Normally the temperature is around 60 – 65°C, but I noticed a rise of almost 10 degrees, up to 70 – 75°C. I then looked at the CPU load, which was at about 50%, and immediately understood that something was wrong.

I looked at the server metrics, and almost all of the graph values indicated an emergency situation.

Visual charts only show the big picture. Now my goal was to identify the root cause. To do this, I connected to the server and started reviewing the state of processes and services. Unfortunately, I did not take screenshots during the diagnostics, but I copied the text from the console, so I will reconstruct the course of events from the command history.

CPU resource

With the first command, I listed the processes with the highest CPU consumption (the top 15 lines).

ps -eo pid,ppid,cmd,%mem,%cpu --sort=-%cpu | head -n 15

I got the following output:

    PID    PPID CMD                         %MEM %CPU
2366770 1943100 /usr/sbin/apache2 -k start   1.1 12.4
2373538 1943100 /usr/sbin/apache2 -k start   1.2 12.2
2374705 1943100 /usr/sbin/apache2 -k start   1.2 11.8
2374940 1943100 /usr/sbin/apache2 -k start   1.2 11.3
2376091 1943100 /usr/sbin/apache2 -k start   1.0 11.1
2370641 1943100 /usr/sbin/apache2 -k start   1.2 10.4
2355557 1943100 /usr/sbin/apache2 -k start   1.2 10.4
    709       1 /opt/networkoptix/mediaserv  5.7  9.6
2375784 1943100 /usr/sbin/apache2 -k start   1.0  9.3
2373539 1943100 /usr/sbin/apache2 -k start   1.2  7.8
2375416 1943100 /usr/sbin/apache2 -k start   1.2  7.1
2376564 1943100 /usr/sbin/apache2 -k start   0.8  6.9
2372672 1943100 /usr/sbin/apache2 -k start   1.2  6.9

Individually, the values were 10-20% CPU per process, but together they added up to a large total load.

Traffic source

The second command was meant to determine which IPs were generating the most traffic. It displays the top 10 IP addresses by number of requests.

awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -n 10

I got the following output:

 118852 127.0.0.1
   7169 162.158.239.23
   7168 162.158.238.232
   6304 162.158.238.233
   5810 162.158.239.24
   5068 162.158.238.106
   4848 162.158.238.107
   3871 162.158.238.120
   3843 162.158.238.121
   2875 104.23.217.65

This shows that local requests (127.0.0.1) account for more than 118 thousand requests, that is, something on the server itself was actively requesting the site. The 162.158.x.x and 104.23.x.x address pools belong to Cloudflare, which acts as a proxy, so the real source traffic is hidden behind Cloudflare and certain rules on my router have no effect.

In addition, geo-filtering of traffic is already configured on my router, which excludes any traffic from russia and belarus.

Virtual host involvement

The next step is to determine which site or virtual host is loading the server. To do this, we analyze the last 100 lines of the log; for better statistics, this number can be increased. Since I detected this attack at an early stage, 100 lines was enough.

sudo tail -n 100 /var/log/apache2/access.log | awk '{print $7}' | sort | uniq -c | sort -nr | head -20

I got the following output:

29 /wp-login.php
22 /wp-admin/images/
7 /zabbix/zabbix.php?action=widget.item.view
4 /zabbix/zabbix.php?action=widget.svggraph.view
1 /wp-cron.php?doing_wp_cron=1748089832.8370869159698486328125
...

If you ignore the requests to Zabbix, the bulk of the requests go to WordPress. To summarize, the diagnosis is as follows:

  • apache2 consumes most of the CPU resources
  • the local IP and the Cloudflare IPs account for the most requests
  • the requests target WordPress pages

At this first stage, these diagnostic data were sufficient to decide on further actions.
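Added example, not the post’s own commands: the same aggregations (requests per client address, per path, and per second) as small shell functions run over a constructed access.log, extended with one step a Cloudflare-proxied origin needs: reading the visitor’s address from the CF-Connecting-IP header instead of the 162.158.x.x edge address that Apache logs in the first field. The sample log lines and the assumption that the LogFormat ends with "\"%{CF-Connecting-IP}i\"" are mine; CF-Connecting-IP itself is the header Cloudflare adds to proxied requests.

```shell
#!/bin/sh
# Added example: the post's log aggregations as reusable functions, plus
# extraction of the real visitor address behind the Cloudflare proxy.

# Constructed sample (not real traffic) in Apache "combined" format with one
# extra quoted field at the end, assumed to be written by a LogFormat ending
# in "\"%{CF-Connecting-IP}i\"". 162.158.x.x are Cloudflare edge addresses,
# as in the post; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
162.158.239.23 - - [24/May/2025:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7"
162.158.238.232 - - [24/May/2025:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7"
162.158.239.23 - - [24/May/2025:14:01:02 +0000] "GET /wp-admin/images/ HTTP/1.1" 404 220 "-" "Mozilla/5.0" "203.0.113.7"
127.0.0.1 - - [24/May/2025:14:01:03 +0000] "GET /zabbix/zabbix.php?action=widget.item.view HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"
162.158.238.233 - - [24/May/2025:14:01:04 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "198.51.100.20"
162.158.239.24 - - [24/May/2025:14:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7"
EOF
)

# Every function reads a log on stdin and prints "<count> <key>" lines,
# most frequent first; the optional argument limits the number of lines.

# Requests per address in the first field (the post's second command): behind
# Cloudflare this is the edge node, not the visitor.
top_ips() { awk '{print $1}' | sort | uniq -c | sort -nr | head -n "${1:-10}"; }

# Requests per path (the post's third command).
top_paths() { awk '{print $7}' | sort | uniq -c | sort -nr | head -n "${1:-20}"; }

# Requests per second, to see how bursty the flood is.
top_seconds() { awk '{print substr($4, 2, 20)}' | sort | uniq -c | sort -nr | head -n "${1:-10}"; }

# Requests per visitor address from the trailing CF-Connecting-IP field,
# skipping lines that did not arrive through Cloudflare ("-").
top_origin_ips() {
  awk -F'"' '$(NF-1) != "-" {print $(NF-1)}' | sort | uniq -c | sort -nr | head -n "${1:-10}"
}

# Demo on the constructed sample; on a live server use, for example,
#   top_origin_ips 10 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | top_origin_ips 5
```

The built-in alternative is mod_remoteip with RemoteIPHeader CF-Connecting-IP, which makes %a and the stock access log show the real client address. Either way, trusting that header is only safe when the origin accepts connections from Cloudflare alone, since any direct client can set it to an arbitrary value.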

Cloudflare Security Actions

I didn’t expect Cloudflare to be such a powerful tool, even in the free version. Many features are disabled by default and must be enabled manually for particular attacks, and it is recommended to deactivate them again after the attack is over. The main one is I’m under attack mode.

I’m under attack mode

I’m Under Attack Mode is a Cloudflare feature designed to protect websites from DDoS attacks, in particular HTTP floods (e.g., bulk GET/POST requests). The basic principle of this mode is as follows:

  • Before each visit to the site an intermediate verification page is displayed, which lasts a few seconds.
  • Cloudflare does JavaScript challenge — that is, forces the browser to “prove” that it is not a bot.
  • If the check is successful, the user gets to the site.
  • Bots and simple scripts that cannot execute JS are automatically filtered out.

This mode can be enabled in the Security -> Settings section: there is an I’m under attack mode switch, and once it is activated the mitigation begins immediately.

In the new interface, this item was moved to the All settings tab at the bottom, and named Security Level. When you click on Edit, you can enable or disable I’m under attack mode.

After activating this mode, a message will appear on the dashboard:

Under Attack Mode is active
Under Attack mode is used when a website is under a DDoS attack. All visitors will be shown an interstitial page for a short duration.

In this mode, there is a small delay with the check, which looks like this:

In the Security -> Events section, you can see records about the initiators of the requests; the information shown is fairly complete and well organized. In the new interface, the Events section has been moved to the Analytics menu under an Events tab, where the information is structured the same way.

Custom and IP access rules

Given that the DDoS attack occurred from a single IP address, rules can be applied to it.

  • IP access rules – to block IP addresses individually or using a subnet mask
  • Custom rules – more flexible setting of rules

First, I decided to create a rule that would block the attacking server by IP address. In the new interface, go to Security -> Security rules -> IP access rules and click the +Create button. To create a rule, only 4 fields need to be filled in:

  • IP, IP range, country name, or ASN – 194.67.196.50
  • Action – Block
  • Zone – This website
  • Notes – Fucking russian hacker

From the very beginning, I wanted to block all of russia by geolocation, but on the free plan this is not possible at the IP access rules level; after applying such a rule I got the error: Sorry, block by country is only available on the Enterprise plan.

It turns out that a geolocation filter is available in the free version after all, but it is configured in the Custom rules section.

  • Rule name (required) – Block_country_404
  • Field – Country
  • Operator – equals
  • Value – russian federation
  • Then take action – Block
  • Place at – First

The finished rule looks like this:

Reports

In the Security -> Overview section, you can see a graph of the ratio of blocked (Mitigated), Cloudflare-served and origin-served traffic to the total number of requests. When I’m under attack mode is active, the Mitigated share increases and so does the number of cached requests, because in this mode Cloudflare passes no traffic directly to the origin and applies a number of restrictions against attacks such as password guessing by brute force.

The Overview dashboard displays many useful graphs. I took two screenshots, one at the beginning of the attack and one at its end. Each graph shows the last 24 hours of activity, so I overlaid the two to show the big picture. I marked the period when Cloudflare protection was active, from start to finish, with a red rectangle.

The graphs are quite informative, and setting up Cloudflare is easy. According to the graph, the attack lasted 17 hours. Thanks to my vigilance, I applied Cloudflare protection early, at the 6th hour of the attack, and 11 hours later the attack stopped, I think because it had become pointless for the attacker.

After the attack was over, I turned off I’m under attack mode, and I continue to monitor server activity so that I am ready to repel repeated attacks at any time!

Conclusions

The experience of fighting a DDoS attack on my own server has shown that even with minimal resources – a Raspberry Pi, my own blog, and a free Cloudflare plan – you can effectively protect yourself from threats if you have a basic understanding of how the network, servers, and monitoring systems work.

I was convinced that:

  • Preventive actions are important. Installing Cloudflare in advance allowed me to quickly enable protective mechanisms.
  • Monitoring tools such as Zabbix help to quickly detect anomalies and localize the source of the problem.
  • Cloudflare has proven to be extremely effective even in its free version, in particular thanks to the I’m Under Attack mode, which allows you to filter out malicious traffic before it even reaches the server.
  • Openness to learning and log analysis is the key to a quick response. The ps and awk commands and access.log analysis helped not only identify the source of the load, but also draw conclusions about the type of attack.

This case confirmed that reliable protection is not always expensive infrastructure, but primarily attentiveness, readiness to respond, and the ability to work with available tools.

My blog remained online, and this is the best indicator of the effectiveness of the solutions applied.

Monitoring HP LaserJet usage using SNMPv3 with Zabbix
https://ostrich.kyiv.ua/en/2025/04/30/monitoring-hp-laserjet-usage-using-snmpv3-with-zabbix/
Wed, 30 Apr 2025 19:53:06 +0000

Introduction

I use an HP LaserJet MFP M141w multifunction printer (MFP). It is quite attractive for home use because of its small physical size: it fits on a small bedside table or desk and takes up minimal space compared to other models.

Recently I had to print quite a lot of documents, and I wondered whether I could see a report on the resources used. The HP Smart app provides no such information; it refers you to the advanced settings: “This feature is not available for the selected printer. To print reports or view printer information, access Advanced Settings under Settings or use the printer’s control panel”.

So the report has to be viewed in the printer’s web interface, which requires logging in.

Info: The code (password) is located under the cover of the printer, on the side edge near the cartridge.

Usage report

On the main page, on the Home tab, select the Supplies Status menu; general (summary) information about cartridge usage will be displayed.

  • Status: Low
  • Cartridge Application: (c) Hewlett Packard Dev Co LP, 2020
  • Cartridge Zone: 1
  • Approximate Pages Remaining * : < 50
  • Pages Printed With This Supply * : 376
  • Serial Number: 0100733310-2I29
  • First Install Date: Not Available
  • Last Used Date: 20250428

Beyond this general information, I want to monitor resource usage consistently and regularly, and Zabbix, a resource monitoring service, will help with that. This MFP supports the modern version of SNMP, v3; for the two sides to exchange data, the same parameters must be configured on both the HP and the Zabbix server.

Configure SNMP on the MFP

In the Networking section, select SNMP. In the window, check Disable SNMPv1/v2 to turn that protocol off entirely. Instead, check SNMPv3 – Enable SNMPv3 and fill in the fields according to their purpose. Nothing here is fixed: you can choose any usernames and passwords, but they must later be entered in exactly the same form on the Zabbix server.

Click the Apply button so that the actions take effect.

Check settings

To check that the Hewlett-Packard device is reachable from Zabbix, use the snmpget and snmpwalk utilities. Install them (they ship in one package) on the server where Zabbix is installed. In my case, that is still my Raspberry Pi.

sudo apt-get install snmp

After installing the utility, run the command:

snmpget -v3 -u ostrich -l authPriv \
  -a SHA1 -A <Your Authentication Protocol password> \
  -x AES-128 -X <Your Privacy Protocol password> \
  -n Jetdirect \
  192.168.99.216 .1.3.6.1.2.1.43.10.2.1.4.1.1

The result of executing this command should be a line similar to:

iso.3.6.1.2.1.43.10.2.1.4.1.1 = Counter32: 687

This parameter is called prtMarkerLifeCount and is stored at the OID iso.3.6.1.2.1.43.10.2.1.4.1.1. Its value is the number of sheets printed over the entire life of the printer, in my case 687 sheets.

Create a new Host in Zabbix

To monitor activity, you need to create a new host in Zabbix. Follow these steps:

  • Click Data collection menu
  • Click Hosts submenu
  • Click Create host button

On the Host tab, fill in the following information:

  • Host name: HP M141w
  • Host groups: Select from the list
  • Interfaces: select SNMP from the list and type the IP address of the printer. Port 161 by default.

This information is not enough for the host, because when Zabbix polls the printer it will need to authenticate. The authentication parameters are entered on the Macros tab as macro – value pairs.

  • {$SNMPV3_CONTEXTNAME} – Jetdirect
  • {$SNMPV3_SECURITYNAME} – ostrich
  • {$SNMPV3_AUTH_PROTOCOL} – SHA1
  • {$SNMPV3_AUTH_PASSPHRASE} – <Your Authentication Protocol password>
  • {$SNMPV3_PRIV_PROTOCOL} – AES-128
  • {$SNMPV3_PRIV_PASSPHRASE} – <Your Privacy Protocol password>
  • {$SNMPV3_SECURITYLEVEL} – authPriv

It looks like this on the screenshot:

With the values now stored, return to the Host tab and open the SNMP interface block, selecting SNMPv3 from the version list. Additional fields appear instantly and can be filled with the macro values, so the passwords do not have to be written directly.

After saving or updating the information, there will be a green SNMP value in the host line, in the Availability column, which indicates that the Zabbix settings are correct.

Create a new Item for HP M141w Host

Click the Items link in the host row and create a new item. In the window that appears, enter the following data:

  • Name: Printer Usage
  • Type: SNMP agent
  • Key: page.count.total
  • Host interface: should already be available
  • SNMP OID: .1.3.6.1.2.1.43.10.2.1.4.1.1
  • Units: pages

After that, test the item for the expected result. Click the Test button; all the required values are substituted from the macros automatically, and we get the expected result.

This means the total number of printed pages will be queried every minute, but the goal is different: to find out how many sheets were printed and when. This can be implemented through the item’s Preprocessing steps.

So we need to create a second item based on the total number of printed pages.

  • Name: Printed pages
  • Type: SNMP agent
  • SNMP OID: iso.3.6.1.2.1.43.10.2.1.4.1.1
  • Key: pagesPrinted.delta
  • Type of information: Numeric (unsigned)
  • Units: pages

Additionally, go to the Preprocessing tab:

  • click the Add link
  • select Simple change from the list
  • and test the result

The result should be 0 (zero), because there is no change between the previous and current values. Once you start printing, you will see the difference between the old total and the new total: that is the number of printed pages.
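As an added example (not the post’s own commands), the shell script below parses the snmpget output shown earlier and computes the same per-interval value as the Simple change step, with one difference: a counter that goes down (printer reset or replacement) is treated as a new baseline instead of producing a negative number. It also wraps a check that the Disable SNMPv1/v2 setting took effect. The state file path, the environment variable names and the sample output are my assumptions; the address, context name, user name and OID are from the post.

```shell
#!/bin/sh
# Added example: parse prtMarkerLifeCount from snmpget output and compute the
# pages printed since the previous reading, as the Simple change step does.

PRINTER=${PRINTER:-192.168.99.216}          # printer address from the post
CONTEXT=${CONTEXT:-Jetdirect}               # SNMPv3 context name from the post
OID=.1.3.6.1.2.1.43.10.2.1.4.1.1            # prtMarkerLifeCount
STATE=${STATE:-/tmp/hp_m141w_lifecount}     # assumed location of the last reading

# Query the counter with the same SNMPv3 authPriv settings as the post. The
# passphrases are taken from SNMP_AUTH_PASS / SNMP_PRIV_PASS (assumed names).
fetch_lifecount() {
  snmpget -v3 -u "${SNMP_USER:-ostrich}" -l authPriv \
    -a SHA1 -A "$SNMP_AUTH_PASS" \
    -x AES-128 -X "$SNMP_PRIV_PASS" \
    -n "$CONTEXT" "$PRINTER" "$OID"
}

# Pull the integer out of a line such as
#   iso.3.6.1.2.1.43.10.2.1.4.1.1 = Counter32: 687
parse_counter() { sed -n 's/^.*Counter32: *\([0-9][0-9]*\).*$/\1/p' | head -n 1; }

# pages_delta <current total>: pages printed since the stored reading.
# The first call has no reference and prints 0. A total lower than the stored
# one (counter reset, replaced device) starts a new baseline and also prints 0
# instead of the negative value a plain subtraction would give.
pages_delta() {
  cur=$1; prev=''
  [ -r "$STATE" ] && prev=$(cat "$STATE")
  printf '%s\n' "$cur" > "$STATE"
  if [ -z "$prev" ] || [ "$cur" -lt "$prev" ]; then
    echo 0
  else
    echo $(( cur - prev ))
  fi
}

# Full poll: one line with the delta, usable from cron for a log of activity.
poll_pages() {
  total=$(fetch_lifecount | parse_counter)
  [ -n "$total" ] || { echo "no reading from $PRINTER" >&2; return 1; }
  pages_delta "$total"
}

# Confirms the "Disable SNMPv1/v2" setting: a v2c query must fail (time out).
check_v2c_disabled() {
  ! snmpget -v2c -c public -r 0 -t 2 "$PRINTER" "$OID" >/dev/null 2>&1
}
```

Passphrases given on the command line are visible to every local user in ps; net-snmp also reads defAuthPassphrase and defPrivPassphrase from ~/.snmp/snmp.conf, which keeps them out of the process list. check_v2c_disabled should succeed, meaning the v2c query failed, once the printer setting has been applied.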

Add widgets on the Dashboard

I added 3 widgets:

  • Graph – using Printed pages Item
  • Item value – using Printed pages Item
  • Item value – using Printer Usage Item

It looks like this on the screenshot:

Conclusion

By enabling SNMPv3 on the HP LaserJet MFP M141w and integrating it with Zabbix, I successfully set up a reliable monitoring system for printer resource usage. This setup allows me to track the total number of pages printed over the device’s lifetime and detect real-time printing activity using delta values. With custom Zabbix items and widgets, I now have continuous visibility into printer workload directly from the dashboard. This approach is efficient, secure, and highly suitable for managing resource usage even in home environments.

Zabbix 24-Hour Time Format
https://ostrich.kyiv.ua/en/2025/04/18/zabbix-24-hour-time-format/
Fri, 18 Apr 2025 05:45:59 +0000

Introduction

Zabbix is a powerful monitoring tool that by default installs with English (US) locale settings, which means time is displayed in the 12-hour AM/PM format. For users who are used to the 24-hour format, this can be inconvenient. To display time in the 24-hour format on dashboards and graphs, we need to change the locale settings to English (en_GB). This article explains how to properly configure the server to use the en_GB.UTF-8 locale and ensure that time is shown correctly on Zabbix graphs.

Checking Current Settings

To check the current GUI language settings, go to Administration → General, then open the GUI tab. The current interface language will be shown in the Default language field. If locales are not installed on the server, you may see the message: You are not able to choose some of the languages, because locales for them are not installed on the web server.

This indicates that you need to configure locales on the server.

Locale Configuration

To view the installed locales on your Linux system, run:

locale -a

Example output:

C  
C.utf8  
en_US.utf8  
POSIX

As we can see, only the US locale is currently available. To install additional locales, run:

sudo dpkg-reconfigure locales

A graphical interface will open. Use the keyboard to select en_GB.UTF-8 by navigating with the arrow keys and pressing space to mark the selection. Then press Tab to choose OK and hit Enter.

Next, you’ll be asked to choose the default locale. Select en_GB.UTF-8 again and confirm.

Console output:

Generating locales (this might take a while)...
  en_GB.UTF-8... done
  en_US.UTF-8... done
Generation complete.

Restart Apache:

sudo systemctl restart apache2

Even though the new locale is now available and the web server is restarted, the time format on graphs still won’t change unless we update the locale environment variables system-wide.

Edit the file:

sudo nano /etc/default/locale

Ensure it contains:

LANG=en_GB.UTF-8  
LC_ALL=en_GB.UTF-8  
LANGUAGE=en_GB.UTF-8

Then reboot the server (in my case, a Raspberry Pi):

sudo reboot

After rebooting, Zabbix will begin displaying time in the 24-hour format on graphs.
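An added check, not from the post: locale -a prints en_GB.utf8 while /etc/default/locale uses en_GB.UTF-8, so a literal string comparison between the two gives a false negative. The functions below normalise the spelling before comparing and print a sample time for a locale so the 12-hour/24-hour difference can be seen before rebooting. The function names and the example locale lists used in the checks are constructed.

```shell
#!/bin/sh
# Added example: check for a generated locale while tolerating the two
# spellings (locale -a prints en_GB.utf8, /etc/default/locale says en_GB.UTF-8).

# Normalise a locale name: lower-case and drop the hyphen in the codeset.
locale_key() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '-'; }

# locale_installed <name> [list]: succeed if <name> appears in the list
# (one entry per line; defaults to the output of locale -a on this host).
locale_installed() {
  want=$(locale_key "$1")
  list=${2:-$(locale -a 2>/dev/null)}
  for entry in $list; do
    [ "$(locale_key "$entry")" = "$want" ] && return 0
  done
  return 1
}

# time_sample <locale>: how the locale renders a time of day (%X), so the
# 12-hour / 24-hour difference is visible before any reboot.
time_sample() { LC_ALL=$1 date +%X; }

# Report for the locale the post switches to.
if locale_installed en_GB.UTF-8; then
  echo "en_GB.UTF-8 is generated; time looks like: $(time_sample en_GB.UTF-8)"
else
  echo "en_GB.UTF-8 is missing; run: sudo dpkg-reconfigure locales"
fi
```

Compare time_sample en_US.UTF-8 with time_sample en_GB.UTF-8 on the server: the first prints an AM/PM time, the second a 24-hour one, which is the same difference the Zabbix graphs show.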

Conclusion

System locale settings significantly impact the usability and clarity of monitoring dashboards like Zabbix. As shown, simply changing the language in the GUI is not enough – you must also properly configure the server locale and restart the system. With the correct settings in place, the time on graphs will now follow the 24-hour format, making the interface more familiar and easier to interpret for users in many parts of the world.

How to Enable Multi-Factor Authentication (MFA) in Zabbix
https://ostrich.kyiv.ua/en/2025/04/17/how-to-enable-multi-factor-authentication-mfa-in-zabbix/
Thu, 17 Apr 2025 09:33:01 +0000

Introduction

In today’s world, where cyberattacks are becoming increasingly sophisticated, account security is more important than ever. One of the most effective ways to protect user accounts is through Multi-Factor Authentication (MFA). It adds an extra layer of protection on top of the standard username and password login.

Zabbix, a popular monitoring system, supports MFA using TOTP (Time-based One-Time Password). In this article, we’ll walk through the process of enabling MFA in Zabbix to help secure your monitoring environment.

Enabling Global MFA Settings

First, log in to Zabbix using a super admin account, since only super admins have access to global configuration settings.

  1. Navigate to Users → Authentication.
  2. Open the MFA settings tab.
  3. Enable Multi-factor authentication by checking the corresponding box.

This allows Zabbix to use multi-factor authentication for user logins.

Activate checkbox and add authentication method

Adding an Authentication Method

After enabling MFA, you need to add a method that Zabbix will use to process authentication requests.

Configuration:

  • Click Add under the Methods section.
  • In the dialog window, enter the following:
    • Type: TOTP (Time-based One-Time Password)
    • Name: Zabbix RPI — this name will be displayed in your authentication app (e.g., Google Authenticator, Authy)
    • Hash function: SHA-256
    • Code length: leave it as 6 — this is the standard code length for TOTP

Note: Once this method is added, users allowed to use MFA can set up their mobile authentication apps accordingly.

In this case there are no users yet, so we need to create a group for MFA and add users to it.

Creating a User Group for MFA

Zabbix allows you to enforce MFA at the group level, rather than for each user individually. This makes it easy to manage which users are required to use two-factor authentication.

  1. Go to Users → User groups.
  2. Create a new group with the following parameters:
    • Group name: TOTP group
    • Users: add the user Admin (or any other user who should use MFA)
    • Multi-factor authentication: select the previously created method (Zabbix TOTP) if it’s not set as default

Now, all users in this group will be required to configure MFA in their profiles — for example, by scanning a QR code in their mobile app.

Important: MFA settings are applied per group, not per individual user. So, make sure users are added to the correct group.

Check result

To test the operation, you must log out of your account and log in again to initialize the authenticator token creation process.

My Google Authenticator received the following entry:
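To confirm that the method settings (Hash function SHA-256, Code length 6) match what the authenticator shows, the added script below (not part of the post or of Zabbix) recomputes a TOTP code from the shared secret with openssl and POSIX tools, following RFC 6238. The secret is the Base32 string from the enrolment QR code; b32_to_hex converts it and relies on GNU coreutils base32. The function names are mine, and the hex secrets used in the checks are the RFC 6238 reference seeds, not a real secret.

```shell
#!/bin/sh
# Added example: recompute a TOTP code (RFC 6238) with openssl and POSIX tools
# to cross-check the Zabbix method settings against the authenticator app.

# hex_to_bin <hex>: write the raw bytes of a hex string to stdout. Octal
# printf escapes are used because \x escapes are not POSIX.
hex_to_bin() {
  h=$1; esc=''
  while [ -n "$h" ]; do
    b=$(printf '%.2s' "$h")
    esc="$esc$(printf '\\%03o' "$((0x$b))")"
    h=${h#??}
  done
  printf "$esc"
}

# b32_to_hex <base32>: convert the secret from the enrolment QR code to hex.
# Needs GNU coreutils base32; padding is restored if the app stripped it.
b32_to_hex() {
  s=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d ' =')
  while [ $(( ${#s} % 8 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base32 -d | od -An -tx1 | tr -d ' \n'
}

# totp <hex secret> [unix time] [step] [digits] [sha1|sha256|sha512]
# Defaults match the post's method: 30-second step, 6 digits, SHA-256.
totp() {
  key=$1; t=${2:-$(date +%s)}; step=${3:-30}; digits=${4:-6}; algo=${5:-sha256}
  counter=$(( t / step ))
  # HMAC over the 8-byte big-endian counter (RFC 4226 section 5.2)
  mac=$(hex_to_bin "$(printf '%016x' "$counter")" \
        | openssl dgst "-$algo" -mac HMAC -macopt "hexkey:$key" | sed 's/^.*= *//')
  # Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last byte
  # selects 4 bytes, the top bit is cleared, then reduce modulo 10^digits.
  head=${mac%?}; nib=${mac#$head}
  offset=$(( 0x$nib ))
  word=$(printf '%s' "$mac" | cut -c$(( offset * 2 + 1 ))-$(( offset * 2 + 8 )))
  mod=1; i=0
  while [ "$i" -lt "$digits" ]; do mod=$(( mod * 10 )); i=$(( i + 1 )); done
  printf "%0${digits}d\n" $(( (0x$word & 0x7fffffff) % mod ))
}

# Usage (not run here): totp "$(b32_to_hex 'SECRET FROM THE QR CODE')"
```

Called with only the hex secret, totp prints the code for the current 30-second window. If it differs from what the app shows, compare the server clock first: TOTP is computed from time, so a skew of more than one step on either side makes valid codes fail at login.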

Conclusion

Enabling multi-factor authentication is one of the simplest and most effective ways to protect your Zabbix monitoring system from unauthorized access. With TOTP and group-based policies, the setup takes just a few minutes but significantly enhances your security posture.

Zabbix local network access only
https://ostrich.kyiv.ua/en/2025/04/16/setup-zabbix-local-network-access-only/
Wed, 16 Apr 2025 09:43:04 +0000

Introduction

Zabbix is a powerful monitoring system often used to track server health, network devices, and services. By default, after installation, the Zabbix web interface is available not only locally but also from the internet, which may pose a security risk. In this article, we’ll explain how to restrict access to the Zabbix web interface via Apache so that it is available only from your local network.

I have a public domain, and right now the Zabbix admin UI is reachable through it.

Main Steps

Zabbix is usually integrated into Apache through the config file /etc/apache2/conf-enabled/zabbix.conf, where the web UI directory is declared:

<Directory "/usr/share/zabbix/ui">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    ...
</Directory>

We are interested in the <Directory "/usr/share/zabbix/ui"> block, where access rules need to be modified.

Here is the updated version:

<Directory "/usr/share/zabbix/ui">
    Options FollowSymLinks
    AllowOverride None
    Require ip 192.168.99.0/24
    Require all denied
</Directory>

This configuration means:

  • Allow access only from IPs in the 192.168.99.0/24 subnet
  • Deny access to everyone else

After editing the file, apply the changes by reloading Apache:

sudo systemctl reload apache2

Verifying the Changes

Try opening the Zabbix interface:

  • From the internet (e.g., via a public domain): you should see a 403 Forbidden error.
  • From the local network: the page should open normally.

This confirms that Apache successfully blocks external access to the Zabbix admin panel.
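As an added example (not from the original post), here is a small shell audit that checks the Zabbix <Directory> block for the legacy Allow from all line and for the expected Require ip subnet. It assumes the config path and the 192.168.99.0/24 subnet used above and runs here against two constructed copies of the block (the "before" and "after" versions from this post).

```shell
#!/bin/sh
# Added example, not from the original post: audit the Zabbix UI <Directory>
# block for a leftover "Allow from all" and confirm the "Require ip" subnet.

# Print only the <Directory "/usr/share/zabbix/ui"> ... </Directory> block.
zabbix_ui_block() {
    sed -n '/<Directory "\/usr\/share\/zabbix\/ui">/,/<\/Directory>/p' "$1"
}

# Exit 0 when the block grants access to the given subnet and to nobody else.
# Apache 2.4 treats several Require lines as RequireAny, so "Require ip" alone
# denies everyone outside the subnet; "Require all denied" next to it is
# redundant but harmless.
audit_zabbix_ui_access() {
    conf="$1" subnet="$2"
    block=$(zabbix_ui_block "$conf")
    if [ -z "$block" ]; then
        echo "FAIL: no Zabbix UI <Directory> block in $conf"; return 1
    fi
    if printf '%s\n' "$block" | grep -Eq '^[[:space:]]*(Allow from all|Require all granted)'; then
        echo "FAIL: block still grants access to everyone"; return 1
    fi
    pat=$(printf '%s' "$subnet" | sed 's/\./\\./g')   # escape dots for grep
    if ! printf '%s\n' "$block" | grep -Eq "^[[:space:]]*Require ip $pat\$"; then
        echo "FAIL: block does not restrict access to $subnet"; return 1
    fi
    echo "OK: Zabbix UI restricted to $subnet"
}

# Constructed copies of the "before" and "after" blocks from the post.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/before.conf" <<'EOF'
<Directory "/usr/share/zabbix/ui">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
EOF
cat > "$work/after.conf" <<'EOF'
<Directory "/usr/share/zabbix/ui">
    Options FollowSymLinks
    AllowOverride None
    Require ip 192.168.99.0/24
    Require all denied
</Directory>
EOF
audit_zabbix_ui_access "$work/before.conf" 192.168.99.0/24 || :   # prints FAIL
audit_zabbix_ui_access "$work/after.conf"  192.168.99.0/24        # prints OK
```

Require ip evaluates the address of the TCP peer, so if Apache sits behind a reverse proxy every request arrives from the proxy and this rule will either admit everyone or lock everyone out.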

Conclusion

Securing Zabbix is a vital part of managing a monitoring system. Simple IP-based access restriction significantly reduces the risk of unauthorized access. This method is ideal for internal environments and test setups where Zabbix should not be exposed publicly.

Monitoring Raspberry Pi CPU Temperature with Zabbix
https://ostrich.kyiv.ua/en/2025/04/14/monitoring-raspberry-pi-cpu-temperature-with-zabbix/
Mon, 14 Apr 2025 18:53:24 +0000

Introduction

In the world of IoT and home servers, Raspberry Pi stands out as a versatile companion. However, to ensure its stable operation, it’s crucial to monitor key metrics such as the CPU temperature. In this guide, I’ll walk you through how to configure Zabbix for Raspberry Pi temperature monitoring — from setting access permissions to visualizing CPU temperature trends directly on the dashboard. You’ll also learn how to create an alert trigger for overheating.

Since I have Zabbix installed directly on the Raspberry Pi, it acts as both the server and agent, making setup slightly easier.

Fixing Permissions for Zabbix Agent

To avoid errors while collecting temperature data, you may need to perform some permission tweaks, especially if you run into this error:

Try creating a device file with: sudo mknod /dev/vcio c 100 0

In my case, /dev/vcio already existed but lacked proper permissions, so I needed to fix it.

Permission settings

sudo chgrp video /dev/vcio
sudo chmod 660 /dev/vcio

Then, add the zabbix user to the video group

sudo usermod -aG video zabbix

and restart the agent to apply changes

sudo systemctl restart zabbix-agent

Now you can move on to defining the user parameter.

Creating a Custom User Parameter

To let Zabbix agent fetch the CPU temperature, we add a custom user parameter to the config file

sudo nano /etc/zabbix/zabbix_agentd.conf

Add this line to the end of the file:

UserParameter=system.cpu.temp,vcgencmd measure_temp | sed -n "s/temp=\([0-9]*\.[0-9]*\)[^0-9]*$/\1/p"

Breakdown:

  • UserParameter defines a custom key.
  • system.cpu.temp is the key name.
  • vcgencmd measure_temp is a standard Raspberry Pi command returning temp like temp=45.0'C.
  • The sed command extracts just the numeric part (e.g., 63.3).

Restart the agent again:

sudo systemctl restart zabbix-agent

Adding a New Item in Zabbix Web Interface

Go to: Data collection → Hosts → Zabbix server → Items → Create item

Fill in the fields:

  • Name: CPU Temperature
  • Type: Zabbix agent
  • Key: system.cpu.temp
  • Type of information: Numeric (float)
  • Units: °C

Test the item by clicking Test, then Get value and test.

The returned value is correct, which confirms the settings. Save the item by clicking Add (or Update when editing an existing item).

Creating a Trigger for Alerts

In order for me to receive notifications about the temperature rising, for example to the desired value of 70 degrees, I need to create a trigger. It will compare the current temperature with the critical one, and if such an event occurs, a notification will appear on the dashboard.

Navigate to: Data collection → Hosts → Zabbix server → Triggers → Create trigger

Fill in:

  • Name: CPU Temperature is too high
  • Event name: CPU Temperature is too high
  • Severity: Warning
  • Expression: last(/Zabbix server/system.cpu.temp)>=70

You can also use the expression constructor

Click Add to save.

Adding a Graph Widget to the Dashboard

It would be visually appealing to observe the device’s temperature graph depending on the conditions of use.

To visualize temperature data, go to your Zabbix dashboard, click Edit dashboard, and add a new widget.

Configure the widget as:

  • Type: Graph
  • Name: RPI Temp C
  • Host patterns: Zabbix Server
  • Item patterns: CPU Temperature

Add the widget by clicking the Add button, then resize and position it as you see fit. Finally, confirm saving the dashboard by clicking the Save changes button in the upper right corner.
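To check the whole chain offline before creating the item, here is an added shell example (not from the original post) that runs the sed expression from the UserParameter and the 70 °C trigger comparison over constructed vcgencmd lines; on a real Pi you would feed it the output of `vcgencmd measure_temp` instead.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the UserParameter
# pipeline and the trigger threshold offline with constructed vcgencmd lines.

# Same sed expression as the UserParameter: "temp=45.0'C" on stdin prints
# "45.0"; a line without a decimal temperature prints nothing.
extract_cpu_temp() {
    sed -n "s/temp=\([0-9]*\.[0-9]*\)[^0-9]*$/\1/p"
}

# Mirror of the trigger last(/Zabbix server/system.cpu.temp)>=70, done in
# awk because sh cannot compare floats. Exit 0 when temp >= threshold.
cpu_temp_too_high() {
    awk -v t="$1" -v lim="${2:-70}" 'BEGIN { exit !(t + 0 >= lim + 0) }'
}

# Constructed samples: two normal readings and the error line quoted in the
# post (seen when /dev/vcio is not accessible to the zabbix user). An empty
# result makes Zabbix mark the item as not supported.
for sample in "temp=45.0'C" "temp=71.5'C" \
              "Try creating a device file with: sudo mknod /dev/vcio c 100 0"; do
    temp=$(printf '%s\n' "$sample" | extract_cpu_temp)
    if [ -z "$temp" ]; then
        echo "$sample -> no value; check /dev/vcio permissions and the video group"
    elif cpu_temp_too_high "$temp"; then
        echo "$sample -> $temp C, trigger fires"
    else
        echo "$sample -> $temp C, ok"
    fi
done
```

On the Pi itself, `zabbix_agentd -t system.cpu.temp` evaluates the key once using the installed configuration, which is the quickest way to confirm the UserParameter before creating the item.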

Conclusion

As you can see, Zabbix Raspberry Pi temperature monitoring is quite achievable. Once configured, you’ll have a reliable tool that can alert you when your Pi overheats and display historical temperature trends in a clean graphical format. Whether you’re running a home server or experimenting with projects, CPU temperature monitoring on Raspberry Pi is a smart precaution.

Monitoring Postfix activity by Zabbix
https://ostrich.kyiv.ua/en/2025/03/30/monitoring-postfix-activity-by-zabbix/
Sun, 30 Mar 2025 17:51:14 +0000

Introduction

After installing and configuring the Postfix mail server, it became necessary to track various metrics of this server using Zabbix and display a diagram for visual monitoring.


Defining the monitoring type

First, it is essential to determine what exactly needs to be monitored, what state is considered normal, and what indicates a deviation. I am interested in two metrics: mail queue statistics and monitoring the number of processes, which we will discuss in detail.

Mail queue statistics

When the mail server operates correctly, emails are usually processed instantly, and the queue does not form, or it is only a momentary process. However, if the server becomes unavailable, the queue accumulates, which indicates a problem with the mail server. Under normal operation, this value is zero; if it is greater than zero, attention should be paid to it.

Monitoring the number of processes

Under normal idle operation, the server typically runs 5 processes:

  • master – the main Postfix process (manages all other processes).
  • qmgr – manages the mail queue, responsible for delivering messages.
  • tlsmgr – manages TLS sessions for encryption (if used).
  • pickup – processes new messages entering the queue.
  • showq – displays the status of the mail queue.

During authentication, sending, or receiving mail, the number of processes increases to 9 or 10. Thus, if authentication occurs, even a failed one, it is recorded, allowing the administrator to take action against potential attacks on the server.

Connecting Postfix to Zabbix

Since Zabbix Agent is already installed on the server, the configuration is straightforward via the configuration file. To do this, the Zabbix Agent configuration file must be updated with user parameters for our metrics.

Open the configuration file, usually located at:

sudo nano /etc/zabbix/zabbix_agentd.conf

Add the following lines at the end of the file:

# Settings for Postfix:
UserParameter=postfix.queue_size,postqueue -p | tail -n 1 | awk '{print ($5+0)}'
UserParameter=postfix.active_processes,ps aux | grep "[p]ostfix" | wc -l

Restart the Zabbix agent:

sudo systemctl restart zabbix-agent

Creating Items in Zabbix

In the Data Collection menu, select the Hosts submenu and, in the host list, click on Items. Then, in the Items list window, click the Create item button.

To monitor active Postfix processes (postfix.active_processes), fill in the form with the following data:

  • Name: Postfix Active Processes
  • Type: Zabbix Agent
  • Key: postfix.active_processes
  • Type of Information: Numeric (unsigned)
  • Host interface: 127.0.0.1:10050
  • Update interval: 1m
  • Description: Postfix Active Processes
  • Enabled: checked

In the Tags tab:

  • Name: Mail
  • Value: Postfix

To ensure the item works correctly, test it and obtain the expected value by clicking Test and then Get value and test.

Similarly, create a second item to monitor the mail queue (postfix.queue_size), with the only difference being the Key: postfix.queue_size. Again, test the created item to obtain the expected result – 0.

Verifying data collection

After one minute, Zabbix begins collecting data. To view it, navigate to the Monitoring menu and select Latest data. In the name filter, enter Postfix Active Processes. On the Latest data page, the Last check column should display the expected value, which in my case is 5.

Creating a dashboard graph

To display the graph on the dashboard, click the Add button, which will automatically open the new widget creation window. Fill in the following fields:

  • Type: Graph
  • Name: Mail
  • Refresh interval: Default 1m
  • Data set: select the host and items

Other characteristics in the Data set tab, such as color and transparency, can be customized as desired.

Detecting and mitigating a server attack

I regularly monitor the mail server’s activity and noticed significantly high activity on the dashboard graph. By expanding the date range to two days, I identified the exact date and time when the attack began.

Reviewing Postfix logs for the past two days, I discovered that a malicious actor was attempting brute-force login authentication on my mail server. Although these attempts failed, they still consumed server resources:

sudo tail -f /var/log/mail.log
Mar 30 13:31:51 mail postfix/smtpd[1230298]: connect from unknown[196.251.92.50]
Mar 30 13:31:55 mail postfix/smtpd[1230298]: warning: unknown[196.251.92.50]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=admin2
Mar 30 13:31:55 mail postfix/smtpd[1230298]: disconnect from unknown[196.251.92.50] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar 30 13:35:13 mail postfix/smtpd[1230766]: connect from unknown[196.251.92.50]
Mar 30 13:35:17 mail postfix/smtpd[1230766]: warning: unknown[196.251.92.50]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=back-up
Mar 30 13:35:17 mail postfix/smtpd[1230766]: disconnect from unknown[196.251.92.50] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4 

To mitigate this incident, I blocked the specified address in the router’s firewall settings and applied the rule. After that, the server activity returned to normal.
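The two UserParameters above and the log review in this section, as an added shell example that is not part of the original post: it runs the queue and process pipelines on constructed postqueue and ps output, and counts failed SASL logins per client address from constructed mail.log lines. The postfix.sasl_failures key it mentions is a hypothetical addition, and the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post: run the two UserParameter
# pipelines and a SASL-failure count over constructed input, so the expected
# values (queue 0 or 3, five processes) are known before the items are created.

# Same pipeline as postfix.queue_size, with "postqueue -p" output on stdin.
postfix_queue_size() {
    tail -n 1 | awk '{print ($5+0)}'
}

# Same pipeline as postfix.active_processes, with "ps aux" output on stdin;
# the [p]ostfix bracket trick keeps the grep process itself out of the count.
postfix_active_processes() {
    grep "[p]ostfix" | wc -l | tr -d ' '
}

# Failed SASL logins per client address from mail.log on stdin, highest first.
# Candidate for a hypothetical extra key (postfix.sasl_failures), not in the post.
sasl_failures_by_ip() {
    awk '/SASL LOGIN authentication failed/ &&
         match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
             n[substr($0, RSTART + 1, RLENGTH - 2)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample inputs; addresses come from the RFC 5737 documentation ranges.
EMPTY_QUEUE='Mail queue is empty'
FULL_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2B01234AB      712 Sun Mar 30 13:40:01  sender@example.com
                                         user@example.net

-- 12 Kbytes in 3 Requests.'
PS_OUT='root    1200  0.0  0.1 /usr/lib/postfix/sbin/master -w
postfix 1201  0.0  0.1 qmgr -l -t unix -u
postfix 1202  0.0  0.1 tlsmgr -l -t unix -u
postfix 1203  0.0  0.1 pickup -l -t unix -u
postfix 1204  0.0  0.1 showq -t unix -u
zabbix  1300  0.0  0.2 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf'
MAIL_LOG='Mar 30 13:31:51 mail postfix/smtpd[1230]: connect from unknown[203.0.113.10]
Mar 30 13:31:55 mail postfix/smtpd[1230]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=admin2
Mar 30 13:35:17 mail postfix/smtpd[1231]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=back-up
Mar 30 13:36:02 mail postfix/smtpd[1232]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=test'

printf '%s\n' "$EMPTY_QUEUE" | postfix_queue_size        # 0
printf '%s\n' "$FULL_QUEUE"  | postfix_queue_size        # 3
printf '%s\n' "$PS_OUT"      | postfix_active_processes  # 5
printf '%s\n' "$MAIL_LOG"    | sasl_failures_by_ip       # 2 203.0.113.10, then 1 198.51.100.7
```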

Conclusions

Monitoring Postfix activity with Zabbix enables timely detection of mail server issues, such as mail queue accumulation or suspicious activity. By configuring metrics to track the queue size and the number of active processes, administrators can quickly respond to potential threats and system failures.

During server operation, monitoring also helps identify unauthorized access attempts, such as brute-force login attacks. By analyzing graphs and system logs, administrators can take immediate security measures, such as blocking malicious IP addresses. This significantly enhances the security of the mail infrastructure and ensures stable service operation.
