OPNsense Forum
English Forums => Tutorials and FAQs => Topic started by: iMx on February 27, 2019, 04:27:39 pm
-
Quick overview for installing the check-mk agent - brain dump whilst I still have it in my shell history - I saw this was mentioned once before some time ago:
https://forum.opnsense.org/index.php?topic=1310.0
1. Create a new directory:
mkdir -p /opt/bin
2. Download the agent:
curl "http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD" -o /opt/bin/check_mk_agent
3. Make it executable:
chmod +x /opt/bin/check_mk_agent
4. Install bash and statgrab
pkg install libstatgrab bash
5. Add the following to /etc/inetd.conf
check_mk stream tcp nowait root /opt/bin/check_mk_agent check_mk_agent
6. Add the following to /etc/services:
check_mk 6556/tcp #check_mk agent
7. Add the following, modify monitoring.server.ip.address as required, to /etc/hosts.allow
# Allow nagios server to access us
check_mk_agent : monitoring.server.ip.address : allow
check_mk_agent : ALL : deny
8. Start inetd
/etc/rc.d/inetd onestart
9. Add firewall rules as required to access tcp 6556
To Do: Make it start on boot, investigate a potential plugin to make it survive (major?) upgrades
-
Hey iMx, nice guide ;) I do the same as you till point 5, I don't use xinetd/inetd at all.
All check_mk checks are done through SSH, so I hope you find it okay for me to show my setup from point 5 down, to use SSH.
5. create a private keypair on your check_mk server in '/etc/check_mk' F.I.
set the owner and permissions, don't set a password
if '/etc/check_mk' is empty, something like this:
ssh-keygen -b 4096 -t rsa && chown check_mk-user * && chmod 400 *
6. create a user on OPNsense for the SSH check: 'opnsense-check_mk' F.I.
7. copy the public part of the SSH key to your newly created check_mk user on OPNsense
put this in front of the public key to restrict its powers ;)
command="bash /opt/bin/check_mk_agent.freebsd"
7. head back to the check_mk server and su to your check_mk admin run a command similar to this:
# ssh -v -p 22 -l opnsense-check_mk -i /etc/check_mk/check_mk 10.10.10.1
8. edit main.mk on your server and add something similar like this:
datasource_programs = [
( "ssh -p 22 -i /etc/check_mk/check_mk -l opnsense-check_mk 10.10.10.1 check_mk_agent", [ 'opnsense' ] ),
]
10. Add firewall rules as required to access tcp 22
To Do: Nothing, no need to start anything on boot for it already works 8)
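What the forced command in the SSH setup above restricts, as an added example that is not part of the original post: `command="..."` fixes what the key can execute, but sshd still permits port, agent and X11 forwarding for that key unless the entry also carries `restrict` (or the individual `no-*` options). The key blob and the `192.0.2.10` monitoring address are constructed placeholders, and `audit_key_line` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit authorized_keys lines for the check_mk SSH key.
# The key blob and the 192.0.2.10 monitoring address are constructed placeholders.

audit_key_line() {
    line=$1
    case $line in ''|'#'*) echo skip; return 0 ;; esac
    # Options, if any, are everything before "<keytype> <base64> [comment]".
    case $line in
        ssh-*|ecdsa-*|sk-*) opts= ;;
        *) opts=$(printf '%s\n' "$line" |
               sed -E 's# (ssh-|ecdsa-|sk-)[^ ]+ [A-Za-z0-9+/=]+( .*)?$##') ;;
    esac
    # Drop quoted values so text inside command="..." cannot pass as an option.
    bare=$(printf '%s\n' "$opts" | sed -E 's/"[^"]*"//g')
    findings=
    case ",$bare," in *,command=,*) ;; *) findings="$findings no-forced-command" ;; esac
    case ",$bare," in
        *,restrict,*) ;;
        *) for o in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
               case ",$bare," in
                   *,"$o",*) ;;
                   *) findings="$findings unrestricted"; break ;;
               esac
           done ;;
    esac
    case ",$bare," in *,from=,*) ;; *) findings="$findings no-from-limit" ;; esac
    echo "${findings:-ok}" | sed 's/^ //'
}

KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEY check_mk@monitor'
AS_POSTED="command=\"bash /opt/bin/check_mk_agent.freebsd\" $KEY"
HARDENED="command=\"bash /opt/bin/check_mk_agent.freebsd\",restrict,from=\"192.0.2.10\" $KEY"

for entry in "$KEY" "$AS_POSTED" "$HARDENED"; do
    printf '%-45s %.60s...\n' "$(audit_key_line "$entry")" "$entry"
done
```

Option names are matched exactly as spelled in sshd(8); the `restrict` keyword needs OpenSSH 7.2 or later.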
-
Nice solution! To anyone reading... what he/she said ;)
-
To Do: Make it start on boot, investigate a potential plugin to make it survive (major?) upgrades
Hi Guys,
I just solved this issue using /etc/rc.conf, I added this line:
inetd_enable="YES"
After a reboot the inetd service was started automatically.
Have a nice day!
-
2. Download the agent:
curl "http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD" -o /opt/bin/check_mk_agent
Link is down. I just downloaded the agent from checkmk monitoring agent site:
i.e.: http://yourcheckmkserver/yoursite/check_mk/agents/check_mk_agent.freebsd
Thank you for this post, everything is working
-
Hi Guys,
just tried to set up check_mk_agent but it is not working.
Check_mk reports by full scan the following error:
Agent output is encrypted but encryption is disabled by configuration
There are 2 points which I do not completely understand:
1. What does need to be setup for the firewall rules?
Solved: There was a copy and paste error
2. there is no rc.conf file in my /etc folder
I was using the instruction from the first post
Are there any hints for me?
I'm running 21.1.2
-
just tried to set up check_mk_agent but it is not working.
Check_mk reports by full scan the following error:
Agent output is encrypted but encryption is disabled by configuration
I don't know why you get that encryption error, what exactly are you trying to do?
Does the script run okay on OPNsense itself?
2. there is no rc.conf file in my /etc folder
I was using the instruction from the first post
Are there any hints for me?
I'm running 21.1.2
Neither is there on mine. I don't see it mentioned in the first post either?!
If you really need it create it!
BTW. the way I use check_mk using SSH and main.mk (WATO is preferred) is still working fine on 2.0.0p1
-
Hello to all,
I can't get a connection to the service running on the OPNsense that is responsible for checkmk!
The rules in the firewall are entered but I can't get a connection!
Can anyone help me with this, as I just can't figure out why I can't connect to the service!
With best regards
Image OPNsense: https://www.dropbox.com/s/1etoxzxebz2jpbg/2021-08-11%2009_50_35-LAN%20_%20Regeln%20_%20Firewall%20_%20opnsense.aenl.one.png?dl=0
Image checkmk: https://www.dropbox.com/s/45s9kl82404n4xk/2021-08-11%2009_58_27-Checkmk%20Local%20site%20home%20-%20Verbindung%20zum%20Host%20testen%20OPNsense.png?dl=0
-
If you haven't found the solution: I think you shouldn't specify the source port
-
it would be amazing if someone could create a plugin for the mk agent
i created a feature request here: https://github.com/opnsense/plugins/issues/2713
maybe someone could add it :)
-
we created a small python daemon that implements a checkmk_agent
https://github.com/bashclub/check-opnsense
no additional package requirements
Installation
fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py
chmod +x /usr/local/etc/rc.syshook.d/start/99-checkmk_agent
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent
current state is near to beta
current features
age of current Firmware/new Version available
Interfaces with opnsense names
Gateways
OpenVPN Server/Client
OpenVPN per client (can be configured through Client Specific Overrides only add an empty entry name common name from cert or username/ the description field can be used to change the service name)
-
Wonderful, many thanks @NilsS
-
some news and screenshots https://forum.opnsense.org/index.php?topic=26594.0
-
for those who like to use ansible (and maybe interesting for others) our ansible playbook for this task:
https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-checkmk