Monitor UDP Ports Remotely with Zabbix Without Target Agent

Learn how to monitor UDP ports on remote hosts using Zabbix without installing agents on target systems. Configure custom scripts and built-in checks for effective UDP service monitoring.

How can I check the availability of a UDP port on a remote host using a Zabbix agent when the service is running on a different host without installing an agent on the target host? For example, if my Zabbix agent is on 192.168.1.2 and I need to monitor a UDP port on 192.168.1.3.

To check the availability of a UDP port on a remote host using Zabbix without installing an agent on the target host, you can use several approaches including Zabbix’s built-in net.udp.service item type or custom external scripts. The most straightforward method is configuring a Zabbix item that performs an external check using tools like nc (netcat) or nmap to test UDP connectivity from your Zabbix agent machine to the remote target.


Zabbix Built-in UDP Monitoring

Zabbix provides native support for monitoring UDP ports through the net.udp.service item type. This built-in functionality allows you to check if a UDP port is open and responsive on a remote host without needing a Zabbix agent on the target machine. The net.udp.service item works by attempting to send a UDP packet to the specified port and verifying that a response is received.

Key characteristics of Zabbix’s UDP monitoring:

  • Item key: net.udp.service[<target>,<port>,<value>,<timeout>]
  • Parameters:
      • <target>: IP address or hostname of the remote host
      • <port>: The UDP port number to check
      • <value>: Expected response value (optional)
      • <timeout>: Connection timeout in seconds (default 3s)

For your scenario of monitoring UDP port on 192.168.1.3 from agent on 192.168.1.2, you would configure an item with the key:
net.udp.service[192.168.1.3,<port>,<expected_response>,<timeout>]

However, there’s an important limitation to be aware of: UDP is a connectionless protocol, and unlike TCP, there’s no standard way to verify if a service is actually listening. The net.udp.service item only confirms that the port is open and accepting packets, not that a service is actually running and responding correctly.


Configuring Remote UDP Port Checks

To properly configure UDP port monitoring from your Zabbix agent machine to a remote host, follow these steps:

1. Verify Network Connectivity

First, ensure your Zabbix agent machine can reach the target host:

```bash
# From 192.168.1.2, check if you can reach 192.168.1.3 (send 3 probes, then stop)
ping -c 3 192.168.1.3

# Check if the UDP port is open (requires netcat)
nc -u -z -w3 192.168.1.3 <port>
```

2. Install Required Tools

On your Zabbix agent machine (192.168.1.2), install the necessary tools for UDP monitoring:

```bash
# For CentOS/RHEL (the netcat package is named nmap-ncat)
sudo yum install nmap-ncat nmap

# For Ubuntu/Debian
sudo apt-get install netcat-openbsd nmap
```

3. Create a Zabbix Item

In your Zabbix configuration, create an item with one of these approaches:

Method A: Using Zabbix’s net.udp.service (limited)

Name: UDP Port Check on 192.168.1.3
Type: Zabbix agent
Key: net.udp.service[192.168.1.3,<port>]
Type of information: Numeric (unsigned)
Update interval: 60s

Method B: Using custom script (recommended)

Create a script on your Zabbix agent machine:

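```bash
#!/bin/bash
# /etc/zabbix/scripts/check_udp_port.sh
# Usage: check_udp_port.sh <target> <port> [timeout]

TARGET="$1"
PORT="$2"
TIMEOUT="${3:-3}"

# Use netcat to check if UDP port is open; print 1 on success, 0 otherwise.
# Variables are quoted so a parameter cannot split into extra arguments.
# For UDP, nc reports success when no ICMP port-unreachable error comes back,
# so 1 means "not refused" rather than "the service answered".
if nc -u -z -w "$TIMEOUT" "$TARGET" "$PORT" >/dev/null 2>&1; then
    echo "1"
else
    echo "0"
fi
```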

Make the script executable:

```bash
chmod +x /etc/zabbix/scripts/check_udp_port.sh
```

Configure the Zabbix item:

Name: UDP Port Check on 192.168.1.3 (Custom)
Type: Zabbix agent (active)
Key: custom.check_udp_port[192.168.1.3,<port>]
Type of information: Numeric (unsigned)
Update interval: 60s

4. Create a Trigger

Create a trigger to alert when the UDP port is not available:

Name: UDP Port <port> on 192.168.1.3 is down
Expression: {HOST:custom.check_udp_port[192.168.1.3,<port>].last()}=0

Custom Script Solutions

For more sophisticated UDP port monitoring, you can create custom scripts that verify not only port availability but also service-specific responses:

1. DNS Service Monitoring

To monitor a DNS server (UDP port 53):

```bash
#!/bin/bash
# /etc/zabbix/scripts/check_dns_response.sh
# Usage: check_dns_response.sh <target> [port] [domain] [timeout]

TARGET="$1"
PORT="${2:-53}"
DOMAIN="${3:-example.com}"
TIMEOUT="${4:-3}"

# Send a DNS query to the given port and check for a response
if dig "@${TARGET}" -p "${PORT}" "${DOMAIN}" +timeout="${TIMEOUT}" +tries=1 >/dev/null 2>&1; then
    echo "1"
else
    echo "0"
fi
```

2. NTP Service Monitoring

To monitor an NTP server (UDP port 123):

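```bash
#!/bin/bash
# /etc/zabbix/scripts/check_ntp_response.sh
# Usage: check_ntp_response.sh <target> [port] [timeout]

TARGET="$1"
PORT="${2:-123}"
TIMEOUT="${3:-3}"

# Send an NTP query using nmap (-sU requires root privileges).
# Match only the "open" state: "open|filtered" means no reply was received.
if nmap -sU -p "${PORT}" --host-timeout "${TIMEOUT}s" "${TARGET}" 2>/dev/null \
    | grep -Eq "^${PORT}/udp[[:space:]]+open[[:space:]]"; then
    echo "1"
else
    echo "0"
fi
```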
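nmap's UDP scan distinguishes a port that answered from one that simply stayed silent, and a 0/1 result hides that difference. The following added example (not part of the original answer; the function name and the sample nmap output are constructed for illustration) maps nmap's port state to a three-valued Zabbix result:

```bash
#!/bin/bash
# Added example: turn `nmap -sU -p PORT TARGET` output (read on stdin) into a
# three-valued result instead of a plain 0/1.
#   2 = open           a UDP reply was received, the service answered
#   1 = open|filtered  no reply at all: a silent listener or a firewall drop
#   0 = closed, filtered, or the port line is missing (host down, scan failed)
classify_udp_state() {
    want="$1/udp"
    while read -r portspec state _service; do
        [ "$portspec" = "$want" ] || continue
        case "$state" in
            open)            echo 2 ;;
            "open|filtered") echo 1 ;;
            *)               echo 0 ;;
        esac
        return 0
    done
    echo 0
}

# Constructed samples of the port table nmap prints for a UDP scan.
SAMPLE_ANSWERED='PORT    STATE SERVICE
123/udp open  ntp'
SAMPLE_SILENT='PORT    STATE         SERVICE
123/udp open|filtered ntp'
SAMPLE_CLOSED='PORT    STATE  SERVICE
123/udp closed ntp'

# Demo run over the samples: prints 2, 1 and 0 on separate lines.
for sample in "$SAMPLE_ANSWERED" "$SAMPLE_SILENT" "$SAMPLE_CLOSED"; do
    printf '%s\n' "$sample" | classify_udp_state 123
done
```

A trigger can then alert on 0 and treat 1 as a lower-severity "no reply" condition.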

3. Custom Service Response Monitoring

For services that expect specific packet formats:

```bash
#!/bin/bash
# /etc/zabbix/scripts/check_custom_udp.sh
# Usage: check_custom_udp.sh <target> <port> <expected_response> [timeout]

TARGET="$1"
PORT="$2"
EXPECTED_RESPONSE="$3"
TIMEOUT="${4:-3}"

# Send custom UDP packet and check for expected response
if printf '%s' "custom_query" | nc -u -w "${TIMEOUT}" "${TARGET}" "${PORT}" \
    | grep -q -- "${EXPECTED_RESPONSE}"; then
    echo "1"
else
    echo "0"
fi
```

4. Zabbix UserParameter Configuration

Add these parameters to your Zabbix agent configuration file (/etc/zabbix/zabbix_agentd.conf):

```ini
# Custom UDP port check (target, port, optional timeout)
UserParameter=custom.check_udp_port[*],/etc/zabbix/scripts/check_udp_port.sh "$1" "$2" "$3"

# DNS service check
UserParameter=custom.check_dns[*],/etc/zabbix/scripts/check_dns_response.sh "$1" "$2" "$3"

# NTP service check
UserParameter=custom.check_ntp[*],/etc/zabbix/scripts/check_ntp_response.sh "$1" "$2"

# Custom service response check
UserParameter=custom.check_custom_udp[*],/etc/zabbix/scripts/check_custom_udp.sh "$1" "$2" "$3"
```

Restart the Zabbix agent after making changes:

```bash
sudo systemctl restart zabbix-agent
```
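Each `[*]` UserParameter above passes item-key parameters straight to a script, so the scripts should check them before handing them to nc, dig or nmap. The following is an added example, not part of the original answer: the function names are hypothetical, the 30-second cap and IPv4/hostname-only targets are assumptions, and the sample inputs are constructed.

```bash
#!/bin/bash
# Added example: validate UserParameter arguments before they reach nc, dig or nmap.
# Function names are hypothetical; the sample inputs at the bottom are constructed.

# Port: digits only, no leading zero, 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Target: IPv4 address or hostname. Rejects empty values, whitespace, shell
# metacharacters and anything starting with "-" (a tool would parse it as an option).
valid_target() {
    case "$1" in
        ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Timeout: whole seconds, 1-30 (30 is an assumed upper bound).
valid_timeout() {
    case "$1" in
        [1-9]|[12][0-9]|30) return 0 ;;
    esac
    return 1
}

# Returns 0 only if every argument is acceptable; timeout defaults to 3.
check_udp_args() {
    valid_target "$1" && valid_port "$2" && valid_timeout "${3:-3}"
}

# Constructed sample calls: the first is accepted, the rest are rejected.
for args in "192.168.1.3 53 3" "192.168.1.3 70000 3" "-v 53 3" "192.168.1.3 53 0"; do
    # Unquoted on purpose: split the sample string into three arguments.
    if check_udp_args $args; then echo "ok:       $args"; else echo "rejected: $args"; fi
done
```

In a check script, call `check_udp_args "$1" "$2" "${3:-3}" || exit 2` before the first external command.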

Troubleshooting Common Issues

When implementing UDP port monitoring with Zabbix, you may encounter several issues:

1. Firewall Blocking UDP Traffic

Problem: The target host’s firewall is blocking UDP packets.

Solution: Verify firewall rules on both hosts:

```bash
# Check if firewall is blocking on target (192.168.1.3)
sudo iptables -L -n -v | grep <port>

# Allow UDP traffic on the target if needed
sudo iptables -A INPUT -p udp --dport <port> -j ACCEPT
```

2. ICMP Blocking

Problem: ICMP (ping) is blocked, preventing initial connectivity tests.

Solution:

```bash
# Test UDP connectivity directly
nc -u -z -w3 192.168.1.3 <port>

# If this fails, check firewall rules for ICMP
sudo iptables -L -n -v | grep icmp
```

3. Zabbix Agent Permissions

Problem: The Zabbix agent doesn’t have execute permissions for the custom scripts.

Solution:

```bash
# Keep the scripts owned by root so the agent account cannot modify them
chown -R root:zabbix /etc/zabbix/scripts

# Ensure the zabbix group has read/execute permissions only
chmod 750 /etc/zabbix/scripts
chmod 750 /etc/zabbix/scripts/*.sh
```

4. Network Path Issues

Problem: Network routing or intermediate devices are blocking UDP traffic.

Solution:

```bash
# Test network path with UDP probes to the monitored port
traceroute -U -p <port> 192.168.1.3

# Check if UDP packets are being dropped
mtr -u -P <port> 192.168.1.3
```

5. Service-Specific Issues

Problem: The UDP port is open, but the service isn’t responding correctly.

Solution: Create service-specific monitoring scripts that check for expected responses rather than just port availability.

6. Timeout Configuration

Problem: The default timeout is too short for some UDP services.

Solution: Increase the timeout parameter in your scripts or Zabbix item configuration:

```
# In script call (item key, third parameter is the timeout in seconds)
custom.check_udp_port[192.168.1.3,<port>,5]

# In Zabbix item configuration
Update interval: 60s
Timeout: 5s
```

7. Log Monitoring

Problem: You need to verify that actual service traffic is being processed.

Solution: Monitor service logs on the target host:

```ini
# Create a Zabbix item to check service logs
# ("--" stops grep from reading the pattern as an option)
UserParameter=service.log.check[*],grep -c -- "$1" /var/log/service.log
```

Conclusion

Monitoring UDP ports on remote hosts without installing Zabbix agents is achievable through several methods. While Zabbix’s built-in net.udp.service provides basic functionality, custom scripts offer more flexibility and reliability for production environments. The key to successful UDP monitoring is understanding the limitations of the protocol and implementing appropriate checks based on your specific service requirements. By following the configuration steps and troubleshooting guidelines provided, you can effectively monitor UDP ports from your Zabbix agent machine on 192.168.1.2 to verify the availability of services on 192.168.1.3 without compromising security or performance.
