OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: iMx on February 27, 2019, 04:27:39 PM

Title: Check_MK Agent setup
Post by: iMx on February 27, 2019, 04:27:39 PM
Quick overview for installing the check-mk agent - brain dump whilst I still have it in my shell history - I saw this was mentioned once before some time ago:


1. Create a new directory:

mkdir -p /opt/bin

2. Download the agent:

curl "http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD" -o /opt/bin/check_mk_agent

3. Make it executable:

chmod +x /opt/bin/check_mk_agent

4. Install bash and statgrab

pkg install libstatgrab bash

5. Add the following to /etc/inetd.conf

check_mk  stream  tcp nowait  root  /opt/bin/check_mk_agent check_mk_agent

6. Add the following to /etc/services:

check_mk        6556/tcp   #check_mk agent

7. Add the following, modify monitoring.server.ip.address as required, to /etc/hosts.allow

# Allow nagios server to access us
check_mk_agent : monitoring.server.ip.address : allow
check_mk_agent : ALL : deny

8. Start inetd

/etc/rc.d/inetd onestart

9. Add firewall rules as required to access tcp 6556

To Do: Make it start on boot, investigate a potential plugin to make it survive (major?) upgrades
Title: Re: Check_MK Agent setup
Post by: qinohe on March 04, 2019, 04:21:33 PM
Hey iMx, nice guide  ;) I do the same as you till point 5, I don't use xinetd/inetd at all.
All check_mk checks are done trough SSH, so I hope you find it okay me to show my setup from point 5 down, to use SSH.

5. create a private keypair on you check_mk server in '/etc/check_mk' F.I.
set the owner and permissions, don't set a password
if '/etc/check_mk' is empty, something like this:

ssh-keygen -b 4096 -t rsa && chown check_mk-user * && chmod 400 *

6. create a user on OPNsense for the SSH check: 'opnsense-check_mk' F.I.

7. copy the public part of the SSH key to your newly created check_mk user on OPNsense
put this in front of the public key to restrict it's powers;)

command="bash /opt/bin/check_mk_agent.freebsd"

7. head back to the check_mk server and su to your check_mk admin run a command similar to this:

# ssh -v -p 22 -l opnsense-check_mk -i /etc/check_mk/check_mk

8. edit main.mk on your server and add something similar like this:

datasource_programs = [
  ( "ssh -p 22 -i /etc/check_mk/check_mk -l opnsense-check_mk check_mk_agent", [ 'opnsense' ] ),

10. Add firewall rules as required to access tcp 22

To Do: Nothing, no need to start anything on boot for it already works 8)
Title: Re: Check_MK Agent setup
Post by: iMx on March 07, 2019, 12:40:07 PM
Nice solution!  To anyone reading... what he/she said ;)
Title: Re: Check_MK Agent setup
Post by: sbeccato on December 18, 2019, 11:50:30 AM
Quote from: iMx on February 27, 2019, 04:27:39 PM
To Do: Make it start on boot, investigate a potential plugin to make it survive (major?) upgrades

Hi Guys,

I just solved this issue using /etc/rc.conf , I added this line:


After a reboot the inetd service was started automatically.

Have a nice day!
Title: Re: Check_MK Agent setup
Post by: zitlo on December 12, 2020, 02:44:16 PM
Quote from: iMx on February 27, 2019, 04:27:39 PM
2. Download the agent:

curl "http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD" -o /opt/bin/check_mk_agent

Link is down. I just downloaded the agent from checkmk monitoring agent site:
i.e.: http://yourcheckmkserver/yoursite/check_mk/agents/check_mk_agent.freebsd

Thank you for this post, everything is working
Title: Re: Check_MK Agent setup
Post by: no_Legend on March 11, 2021, 04:33:43 PM
Hi Guys,

just tried to setup up check_mk_agent but it is not working.
Check_mk reports by full scan the following error:
Agent output is encrypted but encryption is disabled by configuration

There are 2 point which are not complete understand by me:
1. What does need to be setup for the firewall rules?
Solved: There was a copy and paste error
2. the is no rc.conf file in my /etc folder

I was using the instruction from the first post

Are there any hints for me?

I'm runing 21.1.2
Title: Re: Check_MK Agent setup
Post by: qinohe on March 21, 2021, 04:18:27 PM
Quote from: no_Legend on March 11, 2021, 04:33:43 PM
just tried to setup up check_mk_agent but it is not working.
Check_mk reports by full scan the following error:
Agent output is encrypted but encryption is disabled by configuration
I don't know why you get that encryption error, what exactly are you trying to do?
Does the script run okay on OPNsense itself?

2. the is no rc.conf file in my /etc folder

I was using the instruction from the first post

Are there any hints for me?

I'm runing 21.1.2
Neither is there on mine I don't see it mentioned in the first post either?!
If you really need it create it!
BTW. the way I use check_mk using SSH and main.mk(WATO is prefered) is still working fine on 2.0.0p1
Title: Re: Check_MK Agent setup
Post by: Bu66as on August 11, 2021, 10:05:33 AM
Hello to all,

I can't get a connection to the service running on the OPNsense that is responsible for checkmk!

The rules in the firewall are entered but I can't get a connection!

Can anyone help me with this, as I just can't figure out why I can't connect to the service!

With best regards

Bild OPNsense: https://www.dropbox.com/s/1etoxzxebz2jpbg/2021-08-11%2009_50_35-LAN%20_%20Regeln%20_%20Firewall%20_%20opnsense.aenl.one.png?dl=0 (https://www.dropbox.com/s/1etoxzxebz2jpbg/2021-08-11%2009_50_35-LAN%20_%20Regeln%20_%20Firewall%20_%20opnsense.aenl.one.png?dl=0)

Bild checkmk: https://www.dropbox.com/s/45s9kl82404n4xk/2021-08-11%2009_58_27-Checkmk%20Local%20site%20home%20-%20Verbindung%20zum%20Host%20testen%20OPNsense.png?dl=0 (https://www.dropbox.com/s/45s9kl82404n4xk/2021-08-11%2009_58_27-Checkmk%20Local%20site%20home%20-%20Verbindung%20zum%20Host%20testen%20OPNsense.png?dl=0)
Title: Re: Check_MK Agent setup
Post by: katamadone [CH] on November 19, 2021, 08:20:04 AM
If you didn't found the solution. Think you shouldn't specify the source port
Title: Re: Check_MK Agent setup
Post by: Dysprosium11 on December 13, 2021, 10:05:13 PM
it would be amazing if someone could create a plugin for the mk agent
i created a feature request here: https://github.com/opnsense/plugins/issues/2713
maybe some one could add it :)
Title: Re: Check_MK Agent setup
Post by: NilsS on January 21, 2022, 08:59:46 PM
we created a small python daemon implements a checkmk_agent


no additional package requirements

fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py
chmod +x /usr/local/etc/rc.syshook.d/start/99-checkmk_agent

current state is near to beta

current features

age of current Firmware/new Version available
Interfaces with opnsense names
OpenVPN Server/Client
OpenVPN per client (can be configured through Client Specific Overrides only add an empty entry name common name from cert or username/ the description field can be used to change the service name)

Title: Re: Check_MK Agent setup
Post by: iMx on January 24, 2022, 02:28:19 PM
Wonderful, many thanks @NilsS
Title: Re: Check_MK Agent setup
Post by: NilsS on February 01, 2022, 06:18:59 AM
some news and screenshots https://forum.opnsense.org/index.php?topic=26594.0

Title: Re: Check_MK Agent setup
Post by: zerwes on April 01, 2022, 05:16:24 PM
for those who like to use ansible (and maybe interesting for others) our ansible playbook for this task: