Checks for one customer from different sites

Hello everybody,

we are using Check_mk Enterprise Managed Services edition.

My aim is to offer our customers monitoring as a service. Every customer have resources and services which makes sense to monitor from within of LAN. And then there are resources and services which makes more sense to monitor from outside of LAN or from both from LAN and WAN. Typically a Firewall or Router has 2 or more interfaces. Also the quality of internet connection makes also sense to monitor from outside of LAN.

At the moment I see no way how can I achieve this. I can only assign a host to one site. But what I actually need is to tell check_mk to assign one host to two different sites. Or to assign different hosts or services belonging to one customer to different sites.

I think that I need one more layer of abstraction where I can tell that:
1.
HOST-1 belongs to CUSTOMER-1 one and should be monitored from SITE-A
2.
HOST-2 belongs also to CUSTOMER-1 but it should be monitored from SITE-B.
3.
HOST-3 belongs to CUSTOMER-2 and it should be monitored from SITE-A
4.
In case that I have host FIREWALL-1 with 2 interfaces then I need to monitor service PING-INT from SITE-A and service PING-EXT from SITE-B.

Is there a way how can I achieve this with current resources?
At the moment I feel quite limited when I want to use managed servicces edition as intended.

Also now when the internet connection at remote customer site is down I see only livestatus error message in WATO, but I do not get any notification, because the internet connection from this customer is monitored from within of their LAN and when the internet connection is down then of course I cannot get any notification. To partially solve this I have to create the firewall host of this customer again at central site, but this is not system solution.

Best regards,
Jiri

Hi there,

Just my two cents about this.

We also have managed services edition and have similiar “problems” like you.
Still, we don’t mix hosts within sites, every site has it’s own customer, so, we don’t have the need to mix hosts from different customers to different sites.

Regarding your 4th point. We have a customer that we monitor several web-sites from the internal prespective and outside prespective, and what we did was to have two sites for that customer - one inside it’s own infrastructure and another one outsite - this way we can check web-site responses times both ways (internal and external).
So i believe that with some wato rules you can achieve what you need (disabled services in one site for an host and other), of course you need to have different names for the hosts itself.

About the need to get notifications about remote sites, we monitor those sites from our master site, and in the distributed monitoring configuration we set the status host config and so, we still have notifications about it - you can also set active checks to get further alarms (http, tcp/port, and so on).

I feel your pain, and hope my two cents get to help you somehow.

Cheers,

2 Likes

edit: @jiri, i messed up the instances in original post, this one’s OK.

Hi,

we have a setup of different physical datacenters, and a distribution of different load entities that are summarized in monitoring, but are separated from each other. These entities sometimes are spread across locations. This is what you call CUSTOMER. In every location we have some monitoring hosts, that in general do local monitoring only. You call this SITE.

We separate CUSTOMER into single checkmk instances on the monitoring hosts, we do not mix this within one checkmk site. So on every SITE with workload from CUSTOMER there is also an instance for that, leading to many different checkmk instances on one monitoring host. This runs very fine, overhead of many checkmk instances on one host isn’t that much. If wanted, sites from one CUSTOMER may be connected to each other in “Distributed Monitoring” to get a global view of the entity.

As to your example:

  • prepare a CHECKMK-1-A instance in SITE-A
  • prepare a CHECKMK-2-A instance in SITE-A
  • prepare a CHECKMK-1-B instance in SITE-B
  • establish distributed monitoring between CHECKMK-1-A and CHECKMK-1-B, both directions
  • monitor HOST-1 from CHECKMK-1-A
  • monitor HOST-2 from CHECKMK-1-B
  • monitor HOST-3 from CHECKMK-2-A
  • monitor FIREWALL-1/PING-INT from CHECKMK-1-A
  • monitor FIREWALL-1/PING-EXT from CHECKMK-1-B

To partially solve this I have to create the firewall host of this customer again at central site, but this is not system solution.

We work this way for some hundreds of hosts without any problem.

Regards,
Tom

2 Likes

Hi @ttr,

thank you very much for your answer.

What do you exactly mean with “establish distributed monitoring between CHECKMK-1-A and CHECKMK-1-B, both directions” ?

In my setup I already have distributed monitoring established between CHECKMK-1-B (slave remote site) and CHECKMK-1-A (master site in cloud). How can I create connection in opposite direction?

And I still do not see a way how to tell checkmk to monitor service PING-INT on FIREWALL-1 from instance CHECKMK-1-A and service PING-EXT on FIREWALL-1 from instance CHECKMK-1-B.

I am able to assign only complete hosts with all its services to one site. I cannot assign different services belonging to same hosts to different sites.

Thanks.

Regards,
Jiri

Hi @jiri,

To clarify: you do not need both directions, but it might have some advantages. If you do distributed monitoring that way you’ll see all the hosts from site B also within site A. But logged into site B you only see local hosts from that site. Sometimes this is not desired and you want to see all host from CUSTOMER-1 in CHECKMK-1-A and CHECKMK-1-B. For that, you define a second master-slave relationship, in reverse direction to first one.
If you only need one master (we call it “view-server”), than you define thins the way you do.

Regards,
Tom.

1 Like

Hi @ttr,

ok, both directions are clear. Thank you.

But what about the PING-INT and PING-EXT services on FIREWALL-1? I still cannot see any way how to monitor FIREWALL-1/PING-INT from CHECKMK-1-A and FIREWALL-1/PING-EXT from CHECKMK-1-B.

Regards,
Jiri

Hi, @jiri,

Sorry for the delay. In CHECKMK-1-A you configure internal IP address, in CHECKMK-1-B you use external. So you have same host in two sites with two different IP addresses.

Regards,

Hi @ttr,

thank you for your answer.

That is what I actually did. But this is not ideal solution, becaus then I have to create every such host two times which will most likely bring confusion to our customers.
Nevertheless I do not see any other solution at the moment.

Regards,
Jiri