Discussion:
[Check_mk (english)] Monitor servers behind NAT: options?
Alan Murrell
2014-08-24 04:46:47 UTC
I have installed latest OMD from RPM repositories and am testing it
out. We currently use regular Nagios and monitor a number of servers
for our clients (those who don't have large enough network to justify
their own full Nagios deployment)

To monitor these clients' servers, we install the NRPE server (and
Nagios plugins) on the client's network (usually on their Linux
firewall) and then our Nagios contacts the NRPE server and the NRPE
server performs the requested checks.

The nice thing about it is that it is a pretty light solution, and
only requires one port be opened on the firewall. It seems that in
order to monitor remote servers the same way, a distributed setup is
the way to go? It seems a bit heavy, though? Is there another way?
Patrick Flaherty
2014-08-24 15:20:28 UTC
You can do what you're currently doing. Look at datasource programs.

http://mathias-kettner.com/checkmk_datasource_programs.html
--
Patrick Flaherty | w: 978 983 6597 e: ***@weather.com
Alan Murrell
2014-08-24 16:36:20 UTC
Post by Patrick Flaherty
You can do what you're currently doing. Look at datasource programs.
http://mathias-kettner.com/checkmk_datasource_programs.html
OK, I took a look at the above page. It seems that I would still
install just check_mk_agent on each host I want to check that is behind
the NAT firewall. I then set my check_mk server to connect to the NAT
firewall by SSH, and it will check each of the hosts that I have listed
in my "main.mk" file for that host IP.

Is that about right?


Patrick Flaherty
2014-08-25 01:13:55 UTC
Post by Patrick Flaherty
You can do what you're currently doing. Look at datasource programs.
http://mathias-kettner.com/checkmk_datasource_programs.html
OK, I took a look at the above page. It seems that I would still install
just check_mk_agent on each host I want to check that is behind the NAT
firewall. I then set my check_mk server to connect to the NAT firewall by
SSH, and it will check each of the hosts that I have listed in my "main.mk"
file for that host IP.
Is that about right?
That's what we do for hosts we don't have direct access to. Basically the
check_mk server connects to the "jump box", runs either check_by_ssh, calls
the check_mk_agent on a remote host, or runs regular nagios plugins.
koanit gmbh - technik
2014-08-25 09:30:05 UTC
Hello,

We have the same problem.

I solved it by installing check_mk on each server, then mapping the port 6556 on the Cisco ASA via policy to the internal servers.

6556 = first server
6557 = second server
.... And so on

But this is only the outside Port. On the inside I'll translate it to 6556.

On the Cisco ASA we also configured a deny from any other IP address than our Nagios...

Maybe it's not the safest way, but it still works flawlessly.

Best regards

Philipp Kahr
------------------------------------------------------
koanit gmbh ®
Mengerweg 8A
8045 Graz
Tel.: +43 / 050 877 333
Fax: +43 / 050 877 222
Web: http://www.koanit.at
Mail: ***@koanit.at
FN 315393p Landesgericht Graz
-----------------------------------------------------
Andreas Döhler
2014-08-25 16:10:51 UTC
It is very easy to implement it the way Patrick was saying.
What you can do if you use an actual OMD (1.11 with Check_MK 1.2.4) is to
use the "piggyback" function from CMK.

That means the one directly reachable machine will be called over ssh as it
is described in the datasource program documentation.
Now on this host you will have a plugin or local_check script, and this script
produces output that looks like the following.

<<<<hostname1>>>>
agent output hostname1
<<<<>>>>
<<<<hostname2>>>>
agent output hostname2
<<<<>>>>

On your OMD server side you will get some entries inside the check_mk var
directory under tmp/piggyback.
Now if you create a host with the name "hostname1" there, you will receive all
the data that is transported with piggyback over the one reachable host.

br
Andreas
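The piggyback layout described in the message above, as an added example that is not part of any post in this thread: a plugin sketch for the one reachable host that wraps each internal host's agent output in its own block. The host names, the `nc` fetch command and the sample data are assumptions; lines in the inner output that look like piggyback headers are dropped so one monitored host cannot report data under another host's name.

```shell
#!/bin/sh
# Added example: piggyback wrapper for the reachable "jump box".
# Host names, fetch command and sample data are assumptions.

# Emit one piggyback block: header, the host's agent output, end marker.
# Inner lines beginning with "<<<<" are removed, so a monitored host cannot
# open a piggyback block for a different host name.
piggyback_block() {
    host=$1
    # Accept only plain host names; refuse anything that could alter the header.
    case $host in
        ''|*[!A-Za-z0-9._-]*) echo "skipping invalid host name" >&2; return 1 ;;
    esac
    printf '<<<<%s>>>>\n' "$host"
    grep -v '^[[:space:]]*<<<<' || true   # grep exits 1 when nothing is left
    printf '<<<<>>>>\n'
}

# Fetch agent output from an internal host. Assumption: the agent listens on
# TCP 6556 (the port named in this thread) and nc is installed on the jump box.
fetch_agent() {
    nc -w 10 "$1" 6556
}

# Real use on the jump box (hypothetical host list):
#   for h in hostname1 hostname2; do fetch_agent "$h" | piggyback_block "$h"; done

# Constructed sample standing in for two internal agents, so this runs offline.
# The second "agent" tries to smuggle in a header for hostname1.
demo() {
    printf '<<<uptime>>>\n12345 6789\n' | piggyback_block hostname1
    printf '<<<uptime>>>\n42 10\n<<<<hostname1>>>>\n<<<local>>>\n0 fake - ok\n' |
        piggyback_block hostname2
}

demo
```

With the constructed input, the smuggled header is removed and the lines that followed it stay attributed to hostname2, the host that actually sent them.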
Dhawal Doshy
2014-08-25 17:12:07 UTC
Another option is to use the Client's Linux Firewall as an OMD slave
(since you are already using it for NRPE server).