Checkmk agent updater - no central site?

Hey guys,

I’m implementing Checkmk with 1 central site and 3 distributed servers to monitor ± 450 servers.

I’m working on the auto updater feature but I’m a bit annoyed about the fact the main console MUST (from what I read) be accessible with HTTPS by each site, there is no VPN between these so it means public traffic… Isn’t there a way to update agent from distributed servers instead ?



Hi @KAMI, I took the liberty to move your post to the right area.

Regarding your question: What you want to do is not possible. You either have a distributed setup, which also means distributed bakery, or you have separate setups, each with its own bakery.
As long as the central site is not accessible through HTTPS by either the hosts directly or the distributed sites, you cannot use automatic agent updates.

My questions to you is this: If you do not have a secured line (DWDM, VPN, etc.) between your central and remote site, what about livestatus to the remote sites? It is encrypted of course, but if you are concerned with sending data through the internet, that should be a major concern as well. Otherwise, allowing HTTPS from only the three distributed sites to your central site should not be that much of an issue.

Have a look here:



1 Like

Hey guys,

For mike1098, when I do that, I have : “Agent Bakery: Registering/updating at remote site but found no URL to central site. Please provide it in “automatic agent updates” section at global settings.”

For Robin, I know for LiveStatus, it’s more “another door” than something else. A precision, whom is doing the call to the central site to download the agent ? The monitored server or the distributed server ?
Is the monitored server downloading the agent directly from the central site or the distributed server acting like a proxy for the monitored agent ?



This is the almost same situation I wanted to configure. To have one master site and few slave sites with automatic agent updating via bakery, but inside our private MPLS.

Official docu page contains only simple scenario regarding automatic updating and says nothing about our scenario. So definitely, the article from kb page should be written in official docu page.

Also the tooltips in checkmk portal is not very informative what where to put:

After making steps from kb article, my host monitored on slave site got automatically updated.

However, it looks like that this is possible only with one slave site? Because I don’t see place where to put IP address of other slaves:

Or maybe the sections will appear after I add more slaves into Distributed monitoring?

This section must be set with the central info only.

in the distributed section you can add as many servers distributed servers you want

Alright, understand. I got it working for two slaves now. Testing with logwatch plugin and adding new entries to config via WATO to verify that it installs new agent.

However that means, that if I have for example 5 satellites around the world, which are visible only from central instance, and I would like to have same agents everywhere, I need to have 5 times entry with ‘Agent updater’ section with particular IP of satelit, and 5 times entry in this case for logwatch.


Exactly the problem why this is useless for us. We have ~40 different agents and ~300 remote sites :frowning: