I have a few open points that I would like to discuss in this round with regard to the use of CheckMK monitoring. Please feel free to correct any points you feel need to be corrected.
Firstly, the installation and distribution of the agent will be automated. The configuration and host registration have to be completed via the CheckMK portal, as well as moving the host to its respective folder and applying the required ruleset to achieve effective monitoring.
Secondly, there should be a specific service account used for the agent itself, to prevent any security vulnerabilities connected to using the local system account. I am suggesting either an MSA (managed service account), which requires domain functional level 2008 R2, or a gMSA (group managed service account), which requires domain functional level 2012 R2 and higher. Of these two options, the obviously simpler one to use and set up would be the gMSA, as this could be a single service account used for all hosts. This service account would also be granted read rights to specific objects and databases in MS SQL; interactive logon will be disabled. The biggest advantage of this setup is that there is no need to manage passwords, as the domain will fulfil this role.
Thirdly, we should have a standard way of building infrastructure for the purpose of enabling monitoring. As an addition to this standard, I would like to suggest that there be a “slave” CheckMK monitoring site for each customer per environment; in most cases this would result in 3 monitoring sites per customer (PROD, REF/UAT, TEST/SIT). By following this setup we would not need to request FW rules for each new or already existing host, but instead only allow the “slave” monitoring site server to communicate with the “master” monitoring site server on port 6556.
Hoping for a quick reply…

Sandeep Kumar Ballari
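The second point above (running the agent under a gMSA instead of Local System, granting it read-only SQL rights, and letting the domain rotate the password) and the firewall part of the third point can be put together as one PowerShell procedure. The following is an added example written for this thread; it is not code from the original post nor from the Checkmk project. Everything in it is an assumption chosen for illustration: the domain `CORP`, the account name `svc-cmkagent`, the host group `CheckMK-Agent-Hosts`, the SQL host `SQL01`, the monitoring site address `10.0.0.10`, and the Windows service name `CheckMkService` (check the actual service name on your agent version with `Get-Service`). The first block runs on a domain controller or an admin workstation with the ActiveDirectory module; the second runs on each monitored host.

```powershell
# ---- Part 1: domain side (run once, needs Domain Admin + ActiveDirectory module) ----
Import-Module ActiveDirectory

# A gMSA needs a KDS root key in the domain. -EffectiveImmediately still waits ~10 h
# for replication in a real forest; it is only "immediate" in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only computer accounts in this group may retrieve the managed password.
# Keeping the group small is what limits the blast radius of one compromised host.
$hostGroup = "CheckMK-Agent-Hosts"   # assumed name
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security `
        -Description "Hosts allowed to run the CheckMK agent as svc-cmkagent"
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity "SQL01")  # assumed host

# One gMSA for all agent hosts, as proposed in the thread. No password is ever set by
# a human; the domain generates and rotates it (default 30 days).
$gmsa = "svc-cmkagent"               # assumed name
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsa'")) {
    New-ADServiceAccount -Name $gmsa `
        -DNSHostName "$gmsa.corp.example" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -Enabled $true
}

# Read-only SQL rights for the agent's MSSQL checks. VIEW SERVER STATE is the usual
# minimum for DMV-based health queries; extend per database only as the checks require.
# Requires the SqlServer module on the admin workstation.
$login = "CORP\$gmsa`$"              # gMSA logins end with '$'
Invoke-Sqlcmd -ServerInstance "SQL01" -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
GRANT VIEW SERVER STATE TO [$login];
"@

# Interactive logon is denied through Group Policy ("Deny log on locally" /
# "Deny log on through Remote Desktop Services" containing CORP\svc-cmkagent$);
# there is no single cmdlet for that user right, so it is not scripted here.

# ---- Part 2: host side (run on each monitored Windows host as local admin) ----
# The host must be a member of $hostGroup and have rebooted (or re-obtained its
# Kerberos ticket) before it can retrieve the managed password.
Install-ADServiceAccount -Identity "svc-cmkagent"

# Verify the host can actually fetch the password before touching the service;
# a $false here means the group membership/ticket step above is not done yet.
if (-not (Test-ADServiceAccount -Identity "svc-cmkagent")) {
    throw "Host cannot retrieve the gMSA password; check group membership and reboot."
}

# Re-point the agent service away from LocalSystem. The empty password is correct:
# the SCM fetches the managed password from AD itself.
$svc = "CheckMkService"              # assumed service name; confirm with Get-Service
sc.exe config $svc obj= "CORP\svc-cmkagent$" password= ""
Restart-Service -Name $svc

# Confirm the service now runs under the gMSA rather than LocalSystem.
Get-CimInstance Win32_Service -Filter "Name='$svc'" | Select-Object Name, StartName, State

# Restrict the agent port so only the monitoring site may poll it. This is the
# per-host complement of allowing only the slave-to-master path on the network FW.
New-NetFirewallRule -DisplayName "CheckMK agent 6556 from monitoring site" `
    -Direction Inbound -Protocol TCP -LocalPort 6556 `
    -RemoteAddress "10.0.0.10" -Action Allow -Profile Domain   # assumed site address
```

The `Test-ADServiceAccount` check is the step worth keeping even if the rest is adapted: it is the only quick confirmation that password retrieval works for this host, and it is what fails first when a host was added to the group but has not refreshed its Kerberos ticket. The SQL grant is deliberately the narrowest server-level right that still lets the agent's MSSQL checks run; any database-level access should be added per database as `db_datareader` or narrower, never as `sysadmin`.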