New Feature Request
Resolution: Unresolved
Major
Agent configuration should support a whitelist of allowed paths for the following agent items:
- log
- logrt
- vfs.file.*
This is necessary when running the agent in an environment where security requirements state that full external access to file system items by Zabbix is not allowed but some file items still must be monitored. Whitelisting paths allows limiting accessible file system items easily.
Another way to restrict Zabbix access to the file system requires configuring file access of the Zabbix agent user at the file system level, which is much more cumbersome, prone to errors and may be impossible to implement in certain environments.
I have already implemented this feature in a fork of Zabbix, which can be seen at: https://github.com/digiapulssi/zabbix/pull/2
In the implementation, the whitelist can be configured by adding AllowedPath elements in the agent configuration specifying regex path patterns. When none are configured, full access is allowed to ensure backwards compatibility.
For example, the following configuration would only allow checking of mariadb logs:
AllowedPath=^/var/log/mariadb/.*$
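
An added sketch of how an AllowedPath check could be evaluated (not code from the fork or from Zabbix; path_allowed and normalize_path are hypothetical names, and POSIX extended regex is assumed in place of the agent's regex engine). It normalizes the path lexically before matching, because a pattern such as ^/var/log/mariadb/.*$ also matches a raw string containing ../ components; the page does not say how the fork handles this.

```c
/* Added example, not code from Zabbix or the fork. Names are hypothetical;
 * POSIX extended regex stands in for the agent's regex engine (assumption). */
#include <regex.h>
#include <string.h>

/* Lexically collapse "//", "/./" and "/../" in an absolute path.
 * Returns 0 on success, -1 if the path is relative or does not fit. */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0;
    if (in[0] != '/' || outsz < 2) return -1;
    while (*in != '\0') {
        size_t n;
        in += strspn(in, "/");              /* skip repeated slashes */
        n = strcspn(in, "/");               /* length of next component */
        if (n == 0) break;
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/')
                ;                           /* drop the last component */
        } else if (!(n == 1 && in[0] == '.')) {
            if (len + n + 2 > outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }
        in += n;
    }
    if (len == 0) out[len++] = '/';         /* everything collapsed to root */
    out[len] = '\0';
    return 0;
}

/* Returns 1 if the path may be read, 0 if not. An empty pattern list allows
 * everything, the backwards-compatible default described in the request. */
int path_allowed(const char *path, const char *const *patterns, size_t npat)
{
    char canon[4096];
    int ok = 0;
    if (npat == 0) return 1;
    if (normalize_path(path, canon, sizeof(canon)) != 0) return 0;
    for (size_t i = 0; i < npat && !ok; i++) {
        regex_t re;
        if (regcomp(&re, patterns[i], REG_EXTENDED | REG_NOSUB) != 0)
            continue;                       /* invalid pattern matches nothing */
        ok = (regexec(&re, canon, 0, NULL, 0) == 0);
        regfree(&re);
    }
    return ok;
}
```

Lexical normalization does not resolve symlinks; resolving the path with realpath() before matching would cover that case as well.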