OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: iMx on February 27, 2019, 04:27:39 pm

Title: Check_MK Agent setup
Post by: iMx on February 27, 2019, 04:27:39 pm

Quick overview for installing the check-mk agent - brain dump whilst I still have it in my shell history - I saw this was mentioned once before some time ago:

https://forum.opnsense.org/index.php?topic=1310.0

1. Create a new directory:

Code: [Select]

mkdir -p /opt/bin
2. Download the agent:

Code: [Select]

curl "http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD" -o /opt/bin/check_mk_agent
3. Make it executable:

Code: [Select]

chmod +x /opt/bin/check_mk_agent
4. Install bash and statgrab

Code: [Select]

pkg install libstatgrab bash
5. Add the following to /etc/inetd.conf

Code: [Select]

check_mk  stream  tcp nowait  root  /opt/bin/check_mk_agent check_mk_agent
6. Add the following to /etc/services:

Code: [Select]

check_mk        6556/tcp   #check_mk agent
7. Add the following, modify monitoring.server.ip.address as required, to /etc/hosts.allow

Code: [Select]

# Allow nagios server to access us
check_mk_agent : monitoring.server.ip.address : allow
check_mk_agent : ALL : deny
8. Start inetd

Code: [Select]

/etc/rc.d/inetd onestart
9. Add firewall rules as required to access tcp 6556

To Do: Make it start on boot, investigate a potential plugin to make it survive (major?) upgrades

Title: Re: Check_MK Agent setup
Post by: qinohe on March 04, 2019, 04:21:33 pm

Hey iMx, nice guide  ;) I do the same as you till point 5, I don't use xinetd/inetd at all.
All check_mk checks are done trough SSH, so I hope you find it okay me to show my setup from point 5 down, to use SSH.

5. create a private keypair on you check_mk server in '/etc/check_mk' F.I.
set the owner and permissions, don't set a password
if '/etc/check_mk' is empty, something like this:

Code: [Select]

ssh-keygen -b 4096 -t rsa && chown check_mk-user * && chmod 400 *
6. create a user on OPNsense for the SSH check: 'opnsense-check_mk' F.I.

7. copy the public part of the SSH key to your newly created check_mk user on OPNsense
put this in front of the public key to restrict it's powers;)

Code: [Select]

command="bash /opt/bin/check_mk_agent.freebsd"
7. head back to the check_mk server and su to your check_mk admin run a command similar to this:

Code: [Select]

# ssh -v -p 22 -l opnsense-check_mk -i /etc/check_mk/check_mk 10.10.10.1
8. edit main.mk on your server and add something similar like this:

Code: [Select]

datasource_programs = [
  ( "ssh -p 22 -i /etc/check_mk/check_mk -l opnsense-check_mk 10.10.10.1 check_mk_agent", [ 'opnsense' ] ),
]

10. Add firewall rules as required to access tcp 22

To Do: Nothing, no need to start anything on boot for it already works 8)
[/quote]

Title: Re: Check_MK Agent setup
Post by: iMx on March 07, 2019, 12:40:07 pm

Nice solution!  To anyone reading... what he/she said ;)

Title: Re: Check_MK Agent setup
Post by: sbeccato on December 18, 2019, 11:50:30 am

Quote from: iMx on February 27, 2019, 04:27:39 pm

To Do: Make it start on boot, investigate a potential plugin to make it survive (major?) upgrades

Hi Guys,

I just solved this issue using /etc/rc.conf , I added this line:

Code: [Select]

inetd_enable="YES"
After a reboot the inetd service was started automatically.

Have a nice day!

Title: Re: Check_MK Agent setup
Post by: zitlo on December 12, 2020, 02:44:16 pm

Quote from: iMx on February 27, 2019, 04:27:39 pm

2. Download the agent:

Code: [Select]

curl "http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob_plain;f=agents/check_mk_agent.freebsd;hb=HEAD" -o /opt/bin/check_mk_agent

Link is down. I just downloaded the agent from checkmk monitoring agent site:
i.e.: http://yourcheckmkserver/yoursite/check_mk/agents/check_mk_agent.freebsd

Thank you for this post, everything is working

Title: Re: Check_MK Agent setup
Post by: no_Legend on March 11, 2021, 04:33:43 pm

Hi Guys,

just tried to setup up check_mk_agent but it is not working.
Check_mk reports by full scan the following error:
Agent output is encrypted but encryption is disabled by configuration

There are 2 point which are not complete understand by me:
1. What does need to be setup for the firewall rules?
Solved: There was a copy and paste error
2. the is no rc.conf file in my /etc folder

I was using the instruction from the first post

Are there any hints for me?

I'm runing 21.1.2

Title: Re: Check_MK Agent setup
Post by: qinohe on March 21, 2021, 04:18:27 pm

Quote from: no_Legend on March 11, 2021, 04:33:43 pm

just tried to setup up check_mk_agent but it is not working.
Check_mk reports by full scan the following error:
Agent output is encrypted but encryption is disabled by configuration

I don't know why you get that encryption error, what exactly are you trying to do?
Does the script run okay on OPNsense itself?

Quote

2. the is no rc.conf file in my /etc folder

I was using the instruction from the first post

Are there any hints for me?

I'm runing 21.1.2

Neither is there on mine I don't see it mentioned in the first post either?!
If you really need it create it!
BTW. the way I use check_mk using SSH and main.mk(WATO is prefered) is still working fine on 2.0.0p1

Title: Re: Check_MK Agent setup
Post by: Bu66as on August 11, 2021, 10:05:33 am

Hello to all,

I can't get a connection to the service running on the OPNsense that is responsible for checkmk!

The rules in the firewall are entered but I can't get a connection!

Can anyone help me with this, as I just can't figure out why I can't connect to the service!

With best regards

Bild OPNsense: https://www.dropbox.com/s/1etoxzxebz2jpbg/2021-08-11%2009_50_35-LAN%20_%20Regeln%20_%20Firewall%20_%20opnsense.aenl.one.png?dl=0 (https://www.dropbox.com/s/1etoxzxebz2jpbg/2021-08-11%2009_50_35-LAN%20_%20Regeln%20_%20Firewall%20_%20opnsense.aenl.one.png?dl=0)

Bild checkmk: https://www.dropbox.com/s/45s9kl82404n4xk/2021-08-11%2009_58_27-Checkmk%20Local%20site%20home%20-%20Verbindung%20zum%20Host%20testen%20OPNsense.png?dl=0 (https://www.dropbox.com/s/45s9kl82404n4xk/2021-08-11%2009_58_27-Checkmk%20Local%20site%20home%20-%20Verbindung%20zum%20Host%20testen%20OPNsense.png?dl=0)

Title: Re: Check_MK Agent setup
Post by: katamadone [CH] on November 19, 2021, 08:20:04 am

If you didn't found the solution. Think you shouldn't specify the source port

Title: Re: Check_MK Agent setup
Post by: Dysprosium11 on December 13, 2021, 10:05:13 pm

it would be amazing if someone could create a plugin for the mk agent
i created a feature request here: https://github.com/opnsense/plugins/issues/2713
maybe some one could add it :)

Title: Re: Check_MK Agent setup
Post by: NilsS on January 21, 2022, 08:59:46 pm

we created a small python daemon implements a checkmk_agent

https://github.com/bashclub/check-opnsense

no additional package requirements

Installation

Code: [Select]

fetch -o /usr/local/etc/rc.syshook.d/start/99-checkmk_agent https://github.com/bashclub/check-opnsense/raw/main/opnsense_checkmk_agent.py
chmod +x /usr/local/etc/rc.syshook.d/start/99-checkmk_agent
/usr/local/etc/rc.syshook.d/start/99-checkmk_agent

current state is near to beta

current features

age of current Firmware/new Version available
Interfaces with opnsense names
Gateways
OpenVPN Server/Client
OpenVPN per client (can be configured through Client Specific Overrides only add an empty entry name common name from cert or username/ the description field can be used to change the service name)

Title: Re: Check_MK Agent setup
Post by: iMx on January 24, 2022, 02:28:19 pm

Wonderful, many thanks @NilsS

Title: Re: Check_MK Agent setup
Post by: NilsS on February 01, 2022, 06:18:59 am

some news and screenshots https://forum.opnsense.org/index.php?topic=26594.0

Title: Re: Check_MK Agent setup
Post by: zerwes on April 01, 2022, 05:16:24 pm

for those who like to use ansible (and maybe interesting for others) our ansible playbook for this task:
https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-checkmk