What is the correct way to change the default port (6556)? In other topics reference is made to the /var/lib/cmk-agent/cmk-agent-ctl.toml file, but I cannot find it on my debian 11 linux.
Thanks in advance!
Agent Controller only work with systemd (with min version) - Not sure about Debian 11.
The correct way is to use rules, if you are on enterprise, otherwise change the service in either xinetd or systemd to listen to the port you want.
You also need to update the server of course so it talks on another port.
Thanks Anders!
In my case it is version 2.1.0p26 Raw of ChekMK, so I assume that the port change must be based on systemd and that is what I don’t know how to do. The file /lib/systemd/system/check-mk-agent.socket on the Debian 11 machine on which the agent is installed has this content:
[Unit]
Description=Local Checkmk agent socket[Socket]
ListenStream=/run/check-mk-agent.socket
SocketUser=cmk-agent
SocketMode=0240
Accept=true[Install]
WantedBy=sockets.target
I’ve tried using ListemStream=6560, but no luck. Any ideas?
Thank you very much for your answer!
How did you solve this? Many thanks
I have the latest 2.2 agent and I cannot find any configuration docs on how to change the agent port from the default 6556.
The only ref I found to the port is in a template file /etc/check_mk/xinetd-service-template.cfg
On systemd systems the dataflow is as follows:
- The systemd service cmk-agent-ctl-daemon.service listens on TCP port 6556 (by default).
- If that daemon decides to call the checkmk agent, it talks into the local unix domain socket /run/check-mk-agent.socket.
- That socket is controlled by the systemd socket unit check-mk-agent.socket.
- If something “happens” on that socket, systemd starts the service unit check-mk-agent@.service which then in turn runs the agent.
To change the listening port from 6556 to 16556 you must create (or edit) the file /var/lib/cmk-agent/cmk-agent-ctl.toml on the monitored host and add this line:
pull_port = 16556
After that, do a systemctl restart cmk-agent-ctl-daemon.service.
Unfortuntely, this is not documented very well.
Usually the file /var/lib/cmk-agent/cmk-agent-ctl.toml is maintained by the agent bakery.
4 Likes
Hi Dirk!
Great! works for me.
In my case I had to create the file because it did not exist.
Thanks a lot!
​
2 Likes
You are welcome. Maybe this picture helps a bit understanding the data flow. It’s from the checkmk conference 2022 and shows the “new” communication.
To change the listening port we have to change the configuration of the “transport channel” on the left hand side of the slide, i.e. the configuration of the cmk-agent-ctl daemon. By default it listens on port 6556 and allows access from every IP address.
This can be changed with the file /var/lib/cmk-agent/cmk-agent-ctl.toml (in Python syntax):
pull_port = 16556
allowed_ip = [
"127.0.0.1",
"127.0.0.2",
]
(The file doesn’t exist by default.)
2 Likes
Same question from me.
The file does not exist on the host that I want to include in the monitoring.
I have created the file /var/lib/cmk-agent/cmk-agent-ctl.toml.
I have tested the following configuration:
pull_port = 6557
and
pull_port = 6557
allowed_ip = [
“127.0.0.1”,
“127.0.0.2”,
]
However, I do not have the service that was mentioned. I have the following:
check-mk-agent-async.service
checkmk-tunnel.service
system-check\x2dmk\x2dagent.slice
check-mk-agent.socket
tcp LISTEN 0 4096 *:6556 *:* users:((“systemd”,pid=1,fd=43))
How exactly do I have to proceed?
I would like to set the port from 6556 to 6557.
Hi!
This setting must be on the machine to be monitored. Have you tried rebooting the entire machine?
The allowed IPs must be those of your CheckMK server. Right?
1 Like
Hello,
yes, I have restarted the machine, but still no effect.
I don’t have the service mentioned. Which service do I need to restart instead of restarting the machine?
Which configuration do I need exactly? The first or the second.
All this depends on the agent installation. How is your agent installed as systemd or xinetd. What version of agent is used and so on.
2 Likes
I’am using systemd, see me post above. I’ve installed the agent with apt install ./check-mk-agent_2.3.0p22-1_all.deb
The Agent ist Version: 2.3.0p22, same as the CheckMK Monitoring Version.
If the agent is 2.3 then the only important thing is the status of your agent controller.
Please refer to the section 4.3 here
The port 6556 should be used by the agent controller and not systemd.
I think in your system there are parts of an old agent present.
1 Like
No problem - I’ve reinstalled the (raspberry pi) OS. BTW: I’am using the RAW Edition.
What I’ve done next:
- System updated - everything is up tp date
- Downloaded the Agent
check-mk-agent_2.3.0p22-1_all.deb - Installed the Agent
dpkg -i check-mk-agent_2.3.0p22-1_all.deb - Checked the listen ports:
ss -tulpn | grep LISTEN:
tcp LISTEN 0 4096 *:6556 *:* users:(("systemd",pid=1,fd=46)) - Checked the available services:
systemctl | grep check:
check-mk-agent-async.service check-mk-agent.socket
Any ideas? I just want to monitor my internal devices by changing the list port of the agents.
That’s the problem. On ARM the agent controller will not run and you need to configure the agent for legacy mode.
You need to look at your check-mk-agent.socket unit file. If there is no “ListenStream=6556” option inside then you have the wrong unit file installed.
You should find a “check-mk-agent.socket.fallback” file inside the agent package. This needs to be installed instead of you unit file.
There you can configure the port.
3 Likes
Okay, thanks for the clarification!
The following procedure has brought me the desired success in Checkmk Raw Edition 2.3.0p22:
The initial situation is as follows:
Several Raspberry Pi’s in the LAN, which should communicate with the CheckMK server in the WAN. Due to the ISP, ICMP is not possible.
The aim is therefore to have each individual Raspberry Pi 5 communicate with the CheckMK server via a different port.
Info: I strongly recommend implementing the scenario with a DynDNS address!
Due to the ARM architecture, the port must be changed as follows after installing the agent (dpkg -i agent.deb):
nano /etc/systemd/system/sockets.target.wants/check-mk-agent.socket
Adjust the port here (please note that no CheckMK ports are used and the selected port is definitely unused!)
Then reload the daemon and restart the service:
systemctl daemon-reload && systemctl restart check-mk-agent.socket
Check whether the configuration has been implemented correctly and check whether the service is listening on the new port:
ss -tulpn | grep LISTEN
In WATO, search for “TCP port for connection to Checkmk agent” and create a rule there to explicitly set the port to the corresponding Raspberry Pi.
Do not forget port forwarding in the router.
Thanks for help!
As a sidenote:
It is discouraged to edit the systemd unit files that come with checkmk (or any other “standard” unit file, for that matter) because it will either get overwritten by the next update or the package manager will ask questions during an update (“which one should I take?”).
The recommended way to override certain settings in a unit file is to use so called override files, sometimes called drop-ins:
- Run
sudo systemctl edit check-mk-agent.socket. - An editor will open with the new file
/etc/systemd/system/check-mk-agent.socket.d/override.conf - Enter
[Socket]
ListenStream=50665
SocketUser=
SocketMode=
MaxConnectionsPerSource=3
This overrides the given settings from the original check-mk-agent.socket file and survives any updates. The original file is not even touched.
More on override files is here:
3 Likes