Zabbix Enterprise Application: How to Quickly View Abnormal Traffic

Source: Internet
Author: User

Recently the total traffic in our machine room has repeatedly been abnormal, and I kept receiving text messages and phone calls about it. Checking Cacti after each alert is troublesome and wastes time, so to solve this problem I wrote a script that gets the monitoring data of all hosts from the database and outputs the information of every host whose traffic exceeds 10M. This quickly helps me identify the host with abnormal traffic.

The script is written in Python. It uses MySQLdb to get traffic data from the Zabbix database, checks the traffic against the threshold, and then writes the data to Excel.

The MySQLdb and xlwt modules need to be installed before use; they can be installed with easy_install.

Here is the script content:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# author: Deng lei
# email: [email protected]
import sys
import time

import MySQLdb
import xlwt


def search_traffic(mysql_cur, source, device, room, now_time, old_hour, now_hour):
    # Hourly trend maximum (value_max / 1000) per host for one NIC and one
    # direction ('in' or 'out'). Every value is passed as a query parameter,
    # so command-line input never becomes part of the SQL text.
    # '%%' is a literal '%' because MySQLdb applies the parameters with '%'.
    search_sql = ("select from_unixtime(hi.clock,'%%Y-%%m-%%d %%T') as date,"
                  "g.name as group_name,h.host as host,"
                  "round(max(hi.value_max)/1000,0) as network "
                  "from hosts_groups hg "
                  "join groups g on g.groupid = hg.groupid "
                  "join items i on hg.hostid = i.hostid "
                  "join hosts h on h.hostid = i.hostid "
                  "join trends_uint hi on i.itemid = hi.itemid "
                  "where i.key_ = %s ")
    params = ['net.if.%s[%s]' % (source, device)]
    if room != 'All':
        # The room is matched as a prefix of the host group name.
        search_sql += "and g.name like %s "
        params.append(room + '%')
    search_sql += ("and hi.clock >= unix_timestamp(%s) "
                   "and hi.clock < unix_timestamp(%s) "
                   "group by h.host")
    params.append('%s %02d:00:00' % (now_time, old_hour))
    params.append('%s %02d:00:00' % (now_time, now_hour))
    mysql_cur.execute(search_sql, tuple(params))
    return mysql_cur.fetchall()


if __name__ == "__main__":
    now_hour = int(time.strftime('%H'))
    now_time = time.strftime('%Y-%m-%d')
    last_results = []
    in_results = []
    out_results = []
    network_device = ['em2', 'eth1', 'eth0']
    # Arguments: room (default 'All'), start hour (default: one hour ago),
    # end hour (default: the current hour). Hours must be integers.
    try:
        room = sys.argv[1]
    except IndexError:
        room = 'All'
    try:
        old_hour = int(sys.argv[2])
    except IndexError:
        old_hour = now_hour - 1
    try:
        now_hour = int(sys.argv[3])
    except IndexError:
        now_hour = int(time.strftime('%H'))

    # Connection settings as published; the script only runs SELECT statements.
    mysql_conn = MySQLdb.connect(host='10.10.14.11', user='zabbix', passwd='zabbix',
                                 port=3306, charset="utf8")
    mysql_cur = mysql_conn.cursor()
    mysql_conn.select_db('zabbix')

    # Search incoming traffic first, then outgoing traffic, for every NIC name.
    for source, seen in (('in', in_results), ('out', out_results)):
        for i in network_device:
            result = search_traffic(mysql_cur, source, i, room,
                                    now_time, old_hour, now_hour)
            for ii in result:
                msg1 = {'group_name': ii[1], 'host': ii[2],
                        'network_device': i, 'source': source}
                # Skip records already collected for this group, host, NIC and direction.
                if msg1 not in seen:
                    seen.append(msg1)
                    msg = {'date': ii[0], 'group_name': ii[1], 'host': ii[2],
                           'network': float(ii[3]), 'network_device': i,
                           'source': source}
                    last_results.append(msg)

    time_range = "%s-[%s-%s]" % (now_time, old_hour, now_hour)
    # Keep only hosts at or above the threshold and convert the value to Mbps.
    a = []
    for i in last_results:
        if i['network'] >= 10000:
            msg = (i['group_name'], i['host'], i['network'] / 1000,
                   i['network_device'], i['source'])
            a.append(msg)
    sort_list = sorted(a, key=lambda d: d[2], reverse=True)

    # Write the result to an Excel sheet, largest traffic first.
    wb = xlwt.Workbook()
    ws = wb.add_sheet('zabbix', cell_overwrite_ok=True)
    ws.write(0, 0, 'alarm group')
    ws.write(0, 1, 'host')
    ws.write(0, 2, 'traffic (Mbps)')
    ws.write(0, 3, 'NIC name')
    ws.write(0, 4, 'direction')
    for i in range(1, len(sort_list) + 1):
        for ii in range(0, len(sort_list[i - 1])):
            ws.write(i, ii, sort_list[i - 1][ii])
    ws.col(0).width = 3333 * 3
    ws.col(1).width = 3333
    wb.save('/tmp/zabbix_network_traffic-%s.xls' % time_range)
    mysql_cur.close()
    mysql_conn.close()

When running the script, the parameters are as follows:

The first parameter is the room. For example, I have 2 rooms, A and B; to view room A, write 'A' as the first parameter;

The second parameter is the start time, such as 09;

The third parameter is the end time, such as 13;

For example, to view the hosts in room A with more than 10M of traffic between 9 and 13 o'clock, you can use

python check_zabbix_network_traffic.py 'A' 09 13

The default output directory is /tmp/, and the file name format is zabbix_network_traffic-day-[start time-end time].xls, such as zabbix_network_traffic-2015-08-19-[0-13].xls

The result looks like this: [image: 11.png]

Alarm group is the alarm group description in Zabbix, host is the IP information, NIC name is the name of the monitored network card, and direction is incoming or outgoing traffic.

A few more words about the NIC name: in the default script, the NICs are em2, eth1, eth0

network_device=['em2','eth1','eth0']

I wrote it this way because the NIC naming on my hosts is inconsistent: hosts on the OpenStack cloud platform have a single NIC, eth0; CentOS 5 hosts have eth0 and eth1; CentOS 6 and CentOS 7 hosts have em1 and em2. Because the platforms and systems differ, the public network device name is not the same everywhere, so I made a judgment in this script: if there is an em2 NIC, eth1 and eth0 are not checked, and so on.
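
The NIC precedence described above (use em2 if the host has it, otherwise eth1, then eth0), applied per host and direction before the 10M threshold, as an added example that is not part of the author's script. The sample rows and the names pick_public_nic and abnormal_hosts are constructed for illustration; each row mimics one query result with the traffic value already divided by 1000.

```python
# Added example: constructed rows shaped like the script's query results:
# (group_name, host, NIC, direction, value_max / 1000).
NIC_PRIORITY = ['em2', 'eth1', 'eth0']  # same order as network_device
THRESHOLD = 10000                       # the script's cut-off (10M)

SAMPLE_ROWS = [
    ('A-web', '10.10.1.5', 'em2', 'in', 52000.0),
    ('A-web', '10.10.1.5', 'eth0', 'in', 91000.0),   # ignored: host has em2
    ('A-web', '10.10.1.6', 'eth1', 'out', 23000.0),
    ('A-web', '10.10.1.6', 'eth0', 'out', 400.0),    # ignored: host has eth1
    ('B-db', '10.10.2.7', 'eth0', 'in', 15000.0),
    ('B-db', '10.10.2.8', 'eth0', 'out', 9999.0),    # below the threshold
]


def pick_public_nic(rows, priority=NIC_PRIORITY):
    """Keep, per (host, direction), only the row of the highest-priority NIC."""
    rank = {nic: n for n, nic in enumerate(priority)}
    best = {}
    for row in rows:
        host, nic, direction = row[1], row[2], row[3]
        if nic not in rank:
            continue  # interface names outside the list are not public NICs
        key = (host, direction)
        if key not in best or rank[nic] < rank[best[key][2]]:
            best[key] = row
    return list(best.values())


def abnormal_hosts(rows, threshold=THRESHOLD):
    """Return (group, host, Mbps, NIC, direction) at or above the threshold,
    largest first, matching the column order of the Excel sheet."""
    flagged = [(group, host, value / 1000, nic, direction)
               for group, host, nic, direction, value in pick_public_nic(rows)
               if value >= threshold]
    return sorted(flagged, key=lambda r: r[2], reverse=True)


if __name__ == '__main__':
    for rec in abnormal_hosts(SAMPLE_ROWS):
        print('%-6s %-10s %6.1f Mbps  %-4s %s' % rec)
```
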

I wrote this script to check traffic quickly; if you have other needs, you can change it accordingly.

This article is from the "Yin-Technical Exchange" blog, please be sure to keep this source http://dl528888.blog.51cto.com/2382721/1685932
