Step 1: Set SELinux to permissive mode

Configure SELinux to work in permissive mode:

setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=permissive/g'
/etc/selinux/config

This way, SELinux will not block anything, but the audit log will fill up with what
would have been denied. And later in step 12, we can create an SELinux policy based
on that.

Step 2: Install Zabbix server, frontend, and agent

Setup Zabbix 6 RPM package on you favorite Linux (CentOS 8/9, RHEL 8/9, Oracle Linux 8/9,
Alma Linux 8/9, Rocky Linux 8/9); clean repo; and install Zabbix server, frontend, and agent.

Zabbix 6.0 LTS version (supported until February, 2027)

rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/$(rpm -E
%{rhel})/x86_64/zabbix-release-6.0-4.el$(rpm -E %{rhel}).noarch.rpm
dnf clean all
dnf -y install zabbix-server-mysql zabbix-web-mysql zabbix-apache-conf zabbix-
sql-scripts zabbix-selinux-policy zabbix-agent

OR

Zabbix 6.4 standard version (supported until November, 2023)

rpm -Uvh https://repo.zabbix.com/zabbix/6.4/rhel/$(rpm -E
%{rhel})/x86_64/zabbix-release-6.4-1.el$(rpm -E %{rhel}).noarch.rpm
dnf clean all
dnf -y install zabbix-server-mysql zabbix-web-mysql zabbix-apache-conf zabbix-
sql-scripts zabbix-selinux-policy zabbix-agent

You can find more information about Zabbix’s life cycle and release policies on the
official website.

Step 3: Install and configure database

In this installation, I will use password rootDBpass as root password and
zabbixDBpass as Zabbix password for DB. Consider changing your password for
security reasons.

a. Install MariaDB 10.6

curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
sudo bash mariadb_repo_setup --mariadb-server-version=10.6
dnf -y install mariadb-server && systemctl start mariadb && systemctl enable
mariadb
b. Reset root password for database

Secure MySQL by changing the default password for MySQL root:

mariadb-secure-installation
Enter current password for root (enter for none): Press Enter
Switch to unix_socket authentication [Y/n] y
Change the root password? [Y/n] y
New password: <Enter root DB password>
Re-enter new password: <Repeat root DB password>
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]:  Y
Reload privilege tables now? [Y/n]:  Y

c. Create database

Create a database for Zabbix directly from the terminal using these two commands:

sudo mysql -uroot -p'rootDBpass' -e "create database zabbix character set

utf8mb4 collate utf8mb4_bin;"
sudo mysql -uroot -p'rootDBpass' -e "grant all privileges on zabbix.* to
zabbix@localhost identified by 'zabbixDBpass';"

d. Import initial schema and data

sudo zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql --default-
character-set=utf8mb4 -uzabbix -p'zabbixDBpass' zabbix

e. Enter database password in Zabbix configuration file

Open zabbix_server.conf file with command (use “vi” if you don’t have “nano” installed”):

sudo nano /etc/zabbix/zabbix_server.conf

and add database password in this format anywhere in file:

DBPassword=zabbixDBpass

Save and exit file (ctrl+x, followed by y and enter).

Step 4: Start Zabbix server and agent processes

systemctl restart zabbix-server zabbix-agent
systemctl enable zabbix-server zabbix-agent

Step 5: Configure firewall

firewall-cmd --add-service={http,https} --permanent
firewall-cmd --add-port={10051/tcp,10050/tcp} --permanent
firewall-cmd --reload

Step 6: Configure Zabbix frontend

a. Restart Apache web server and make it start at system boot
systemctl restart httpd php-fpm
systemctl enable httpd php-fpm

b. Configure web frontend

Connect to your newly installed Zabbix frontend using URL

“http://server_ip_or_dns_name/zabbix” to initiate the Zabbix installation wizard.

In my case, that URL would be “http://192.168.1.161/zabbix” because I have installed Zabbix on

the server with IP address 192.168.1.161 (you can find the IP address of your server by typing
“ip a” command in the terminal).

NOTE: If you get an error saying that the minimum required version of php is 7.4, upgrade
your PHP using these commands:

sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

sudo dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
sudo dnf module reset php -y
sudo dnf module install php:remi-7.4 -y

Basically, in this wizard you only need to enter a password for Zabbix DB user and for
everything else just click “Next step“. In this guide, I have used a zabbixDBpass as a database
password, but if you set something else, be sure to enter the correct password when prompted by
the wizard.
1. Installation step: Welcome screen
2. Installation step: Pre-requisites check
3. Installation step: Configure DB connection
4. Installation step: Configure Zabbix server
5. Installation step: Pre-installation summary
6. Installation step: Finish

That’s it, you have installed Zabbix monitoring system!

Step 7: Login to frontend using Zabbix default login

credentials
Use Zabbix default admin username “Admin” and password “zabbix” (without
quotes) to login to Zabbix frontend at URL “http://server_ip_or_dns_name/zabbix”
via your browser.
 ZABBIX LOGIN PAGE

In my example, I have installed Zabbix on server 192.168.1.161 so I will enter in my

browsers URL field http://192.168.1.161/zabbix (you can find the IP address of your
server by typing “ip a” command in the terminal)
Zabbix 6.0 Dashboard

CONGRATULATIONS!
You have successfully installed Zabbix 6 on CentOS / RHEL and now you can
monitor anything!
No need to change anything else as other steps are optional.

CONTINUE TO LEARN MORE:

How to create MySQL partitions on History and Events tables
Optimizing Zabbix server and MySQL database
Managing Zabbix / MySQL / Apache service
Enable and configure SELinux on Zabbix

Step 8: Create MySQL partitions on History and Events

tables
Zabbix’s housekeeping process is responsible for deleting old trend and history data. Removing
old data from the database using SQL delete query can negatively impact database performance.
Many of us have received that annoying alarm “Zabbix housekeeper processes more than
75% busy” because of that.

That problem can be easily solved with the database partitioning. Partitioning creates tables for
each hour or day and drops them when they are not needed anymore. SQL DROP is way more
efficient than the DELETE statement.

You can partition MySQL tables in 5 minutes using this simple guide.

Step 9: Optimizing Zabbix Server (optional)

Don’t bother with this optimization if you are monitoring a small number of devices, but if you
are planning to monitor a large number of devices then continue with this step.

Open “zabbix_server.conf” file with command: “nano

/etc/zabbix/zabbix_server.conf” and add this configuration anywhere in file:

StartPollers=100
StartPollersUnreachable=50
StartPingers=50
StartTrappers=10
StartDiscoverers=15
StartPreprocessors=15
StartHTTPPollers=5
StartAlerters=5
StartTimers=2
StartEscalators=2
CacheSize=128M
HistoryCacheSize=64M
HistoryIndexCacheSize=32M
TrendCacheSize=32M
ValueCacheSize=256M

Save and exit file (ctrl+x, followed by y and enter).

This is not a perfect configuration, keep in mind that you can optimize it even more. Let’s say if
you don’t use ICMP checks then set the “StartPingers” parameter to 1 or if you don’t use
active agents then set “StartTrappers” to 1 and so on. You can find out more about the
parameters supported in a Zabbix server configuration file in the official documentation.

If you try to start the Zabbix server you may receive an error “[Z3001] connection to
database 'Zabbix' failed: [1040] Too many connections” in the log
“/var/log/zabbix/zabbix_server.log” because we are using more Zabbix server processes
than MySQL can handle. We need to increase the maximum permitted number of simultaneous
client connections and optimize MySQL – so move to the next step.
Step 10: Optimizing MySQL/MariaDB database (optional)
a. Create custom MySQL configuration file

Create file “10_my_tweaks.cnf" with “nano /etc/my.cnf.d/10_my_tweaks.cnf” and paste

this configuration:

[mysqld]
max_connections = 404
innodb_buffer_pool_size = 800M

innodb-log-file-size = 128M
innodb-log-buffer-size = 128M
innodb-file-per-table = 1
innodb_buffer_pool_instances = 8
innodb_old_blocks_time = 1000
innodb_stats_on_metadata = off
innodb-flush-method = O_DIRECT
innodb-log-files-in-group = 2
innodb-flush-log-at-trx-commit = 2

tmp-table-size = 96M
max-heap-table-size = 96M
open_files_limit = 65535
max_connect_errors = 1000000
connect_timeout = 60
wait_timeout = 28800

Save and exit the file (ctrl+x, followed by y and enter) and set the correct file permission:

chown mysql:mysql /etc/my.cnf.d/10_my_tweaks.cnf

chmod 644 /etc/my.cnf.d/10_my_tweaks.cnf

Two things to remember!

Configuration parameter max_connections must be larger than the total number of all Zabbix

proxy processes plus 150. You can use the command below to automatically check the number
of Zabbix processes and add 150 to that number:

egrep "^Start.+=[0-9]" /etc/zabbix/zabbix_server.conf | awk -F "=" '{s+=$2}

END {print s+150}'
295

The second most important parameter is innodb_buffer_pool_size, which determines how much
memory can MySQL get for caching InnoDB tables and index data. You should set that
parameter to 70% of system memory if only database is installed on server.

However, in this case, we are sharing a server with Zabbix and Apache processes so you should
set innodb_buffer_pool_size to 40% of total system memory. That would be 800 MB because
my CentOS server has 2 GB RAM.
I didn’t have any problems with memory, but if your Zabbix proxy crashes because of lack of
memory, reduce “innodb_buffer_pool_size” and restart MySQL server.

Note that if you follow this configuration, you will receive “Too many processes on the
Zabbix server” alarm in Zabbix frontend due to the new Zabbix configuration. It is safe to
increase the trigger threshold or turn off that alarm (select “Problems” tab → left click on the
alarm → select “Configuration” → remove the check from “Enabled” → hit the “Update”
button)

b. Restart Zabbix Server and MySQL service

Stop and start the services in the same order as below:

systemctl stop zabbix-server

systemctl stop mysql
systemctl start mysql
systemctl start zabbix-server

Step 11: How to manage Zabbix / MySQL / Apache service

Sometimes you will need to check or restart Zabbix, MySQL or Apache service – use commands
below to do that.

Zabbix Server
systemctl <status/restart/start/stop> zabbix-server

MySQL/MariaDB Server
systemctl <status/restart/start/stop> mysql

Apache Server
systemctl <status/restart/start/stop> httpd

PHP FastCGI Process Manager

systemctl <status/restart/start/stop> php-fpm

Zabbix Agent
systemctl <status/restart/start/stop> zabbix-agent

Step 12: Enable and configure SELinux on Zabbix

While it is acceptable to disable SELinux in a lab environment, depending on the requirements of
the local security IT team, you may need to enable and configure SELinux in your production
environment.

At the beginning of this guide, we did not turn off SELinux completely but configure it to work
in the permissive mode which means it will log all the security errors but will not block anything.
If you accidentally left it in enforcing mode then you will receive the “Zabbix server is not
running: the information displayed may not be current” warning on the Zabbix
frontend and “cannot set resource limit: [13] Permission denied” in the log file.

Don’t worry, this can be easily fixed, so without further delay, let’s configure SELinux for
Zabbix!

a) SELinux: Allow http daemon to connect to Zabbix:

Enable SELinux  boolean “httpd_can_connect_zabbix” that will allow http daemon to

connect to Zabbix:

setsebool -P httpd_can_connect_zabbix 1

b) SELinux: Allow Zabbix to connect to all TCP ports:

Enable SELinux  boolean “zabbix_can_network” that will allow Zabbix to connect to all TCP
ports :

setsebool -P zabbix_can_network on

And to avoid error “cannot start HA manager: timeout while waiting for HA manager
registration” enable daemons_enable_cluster_mode with this command:

setsebool -P daemons_enable_cluster_mode on

c) Set SELinux to work in enforcing mode

Turn on SELinux by setting it to work in enforcing mode:

setenforce 1 && sed -i 's/^SELINUX=.*/SELINUX=enforcing/g' /etc/selinux/config

And check SELinux status :

# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

d) Create additional SELINUX policy for Zabbix

Just in case, we will create an additional SELinux policy for each error in the audit log
(“/var/log/audit/audit.log“)

To do this, we will need the policycoreutils-python tool, so let’s install it:

dnf -y install policycoreutils-python-utils

Create a custom policy package:

grep "denied.*zabbix" /var/log/audit/audit.log | audit2allow -M zabbix_policy

Install custom SELinux policy package:

semodule -i zabbix_policy.pp

Also, to avoid “Database error on login” on CentOS 9 please run these command

sealert -a /var/log/audit/audit.log

It will suggest you to apply additional rules:

ausearch -c ‘php-fpm’ –raw | audit2allow -M my-phpfpm

semodule -X 300 -i my-phpfpm.pp

Well done! You have configured SELinux for Zabbix!

Step 13: Upgrade between minor Zabbix versions

I wrote about upgrade procedures in my post about Zabbix upgrade. Zabbix’s team releases new
minor versions at least once a month. The main purpose of minor upgrades is to fix bugs (hotfix)
and sometimes even bring new functionality. Therefore, try to do a minor upgrade of Zabbix at
least once a month.

There is no need for backups when doing a minor upgrade, they are completely safe. With this
command you can easily upgrade minor versions of 6.0.x (for example, from 6.0.1 to 6.0.5):

dnf upgrade 'zabbix*'

And restart Zabbix server afterward:

systemctl restart zabbix-server

Thank you for reading.