How to Monitor only indirect reachable System?

Hello Community,

I thought I’d ask here before doing anything stupid :wink:

Scenario: I have a backup server (Win2019, cmk agent installed) with a dedicated NAS (QNAP) for storing the backups. For security reasons, this NAS is physically directly attached to this server. Therefore I can’t reach the NAS for monitoring purposes directly from check_mk.

Sure, I can get some information directly from the backup server, for example how full the NAS is, but a lot of information remains hidden.
I’m wondering what the best way is to monitor more information such as the temperatures or health of hard drives.

Can this be solved elegantly using a local check or something?

The “brute force” method would certainly be to install a CheckMK instance in a VirtualBox on the backup server and integrate it into the “main monitoring”. Whether that is then safer remains to be seen.

Maybe one or the other has already solved a similar scenario. I look forward to your suggestions.

Thank you in advance
Best regards
Philipp

1 Like

Ok,
Please describe why you can’t reach the system.
Ralf

Hello Ralf,

I’m sorry if that wasn’t entirely clear: for security reasons, the NAS is completely separated from the network, i.e. the only connection that exists is a direct network cable from the backup server to the NAS.
This is intended to create a physical barrier that prevents the backup from being compromised via an admin interface on the NAS or similar.
If a potential attacker has already made it to the backup server, then it is irrelevant whether he still makes it to the NAS or not. The damage is the same.
Here’s a little sketch of how I imagine it:

I hope this helps you to understand
Thank you,
Philipp

Hello,
1)
a cmk server in the zone, or a separate zone with access to the backup zone
or
2)
an SNMP relay (don’t know if something like this exists)
or
3)
write your own check running on the backup server to fetch all the information you need.

Ralf

1 Like

I think you understand that Checkmk needs to reach all services it should monitor. Checkmk promised to write a “proxy” in their cloud edition to support this but they never did that…

Your easiest option would be to let your Windows backup server use some kind of port forwarding and/or NAT to reach your NAS. That way you could use SNMP, but on another port, and target your Windows server. Not ideal…

Otherwise you would need to deploy a checkmk site in your backup zone.

A last resort might be to write your own plugin that would create all checks as piggyback data, but that seems to be way too complicated for just a simple NAS.

2 Likes

@pfleck this would be easy if your NAS has some type of HTTP/S API that you can fetch.
You make a script that fetches all the API data as JSON and append this to the agent output of your backup server as its own section.
On the CMK side you need only some checks that use this section. Parsing should be easy if it is valid JSON data.

2 Likes
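As an added example, not code from the thread, from Checkmk or from QNAP: the approach in the previous post (a script on the backup server appends the NAS API data as its own JSON agent section) together with the piggyback variant mentioned earlier (wrap the section in `<<<<host>>>>` markers so Checkmk books it to a separate NAS host instead of the backup server). The API response shape, the section name `qnap_nas`, the piggyback host name `qnap-nas` and the temperature levels are all assumptions; the Checkmk agent_based API objects (State, Result) are imitated with small stand-ins so that the parse and check logic runs stand-alone without a Checkmk installation.

```python
"""Added example: build a Checkmk JSON agent section for a directly attached NAS
and evaluate it. Not Checkmk's or QNAP's own code; API shape, section name,
host name and thresholds are assumed for illustration."""
import json
from enum import IntEnum
from typing import Dict, Iterator, List, NamedTuple, Optional

SECTION = "qnap_nas"          # assumed section name
DISK_TEMP_LEVELS = (45, 50)   # assumed warn/crit levels in degrees C

# Constructed sample of what the fetch script might receive from the NAS API.
# The structure is invented for this example, it is not a real QNAP response.
SAMPLE_API_JSON = {
    "system": {"cpu_temp_c": 47, "sys_temp_c": 39},
    "disks": [
        {"slot": 1, "model": "WD40EFRX", "temp_c": 34, "health": "good"},
        {"slot": 2, "model": "WD40EFRX", "temp_c": 41, "health": "warning"},
    ],
}

StringTable = List[List[str]]


def build_agent_section(api_data: dict, piggyback_host: Optional[str] = None) -> str:
    """Render the API data as an agent section.  sep(0) tells Checkmk not to
    split the line on whitespace, so one line carries the whole JSON blob.
    With piggyback_host set, the section is wrapped in <<<<host>>>> ... <<<<>>>>
    so Checkmk assigns it to that (agent-less) host instead of the sender."""
    lines = [f"<<<{SECTION}:sep(0)>>>", json.dumps(api_data, separators=(",", ":"))]
    if piggyback_host:
        lines = [f"<<<<{piggyback_host}>>>>", *lines, "<<<<>>>>"]
    return "\n".join(lines) + "\n"


def agent_output_to_string_table(output: str) -> StringTable:
    """Stand-in for the splitting Checkmk does before calling a parse function:
    keep only the body lines of our section, one column per line (sep(0))."""
    rows: StringTable = []
    in_section = False
    for line in output.splitlines():
        if line.startswith("<<<<"):
            continue                      # piggyback markers, not section data
        if line.startswith("<<<"):
            in_section = line == f"<<<{SECTION}:sep(0)>>>"
            continue
        if in_section and line:
            rows.append([line])
    return rows


def parse_qnap_nas(string_table: StringTable) -> dict:
    """Parse function: the section body is a single JSON line; an empty section
    yields an empty dict.  Malformed JSON raises, which is what you want: the
    section is then dropped rather than silently reporting OK."""
    if not string_table:
        return {}
    return json.loads(string_table[0][0])


class State(IntEnum):   # stand-in for checkmk's agent_based State
    OK = 0
    WARN = 1
    CRIT = 2
    UNKNOWN = 3


class Result(NamedTuple):  # stand-in for checkmk's agent_based Result
    state: State
    summary: str


def discover_qnap_disks(section: dict) -> Iterator[str]:
    """Discovery: one service per disk slot."""
    for disk in section.get("disks", []):
        yield str(disk["slot"])


def check_qnap_disk(item: str, section: dict) -> Iterator[Result]:
    """Check: health flag plus temperature against the assumed levels."""
    disk = next((d for d in section.get("disks", []) if str(d["slot"]) == item), None)
    if disk is None:
        return                            # item vanished; Checkmk marks it stale
    health = disk.get("health", "unknown")
    health_state = {"good": State.OK, "warning": State.WARN}.get(health, State.CRIT)
    yield Result(health_state, f"Health: {health}")
    temp = disk.get("temp_c")
    warn, crit = DISK_TEMP_LEVELS
    if temp is None:
        yield Result(State.UNKNOWN, "Temperature: not reported")
    elif temp >= crit:
        yield Result(State.CRIT, f"Temperature: {temp} °C (warn/crit at {warn}/{crit} °C)")
    elif temp >= warn:
        yield Result(State.WARN, f"Temperature: {temp} °C (warn/crit at {warn}/{crit} °C)")
    else:
        yield Result(State.OK, f"Temperature: {temp} °C")


def overall_state(results: List[Result]) -> State:
    """Worst state of a check's results, as Checkmk would roll them up."""
    return max((r.state for r in results), default=State.UNKNOWN)


if __name__ == "__main__":
    output = build_agent_section(SAMPLE_API_JSON, piggyback_host="qnap-nas")
    print(output)
    section = parse_qnap_nas(agent_output_to_string_table(output))
    for item in discover_qnap_disks(section):
        results = list(check_qnap_disk(item, section))
        print(f"Disk {item}: {overall_state(results).name} - " + ", ".join(r.summary for r in results))
```

On the backup server the first function would run inside a Windows agent plugin that actually calls the NAS API over the direct link and prints the result; the rest corresponds to what a Checkmk check plugin would do with the section. If you use the piggyback wrapping, the NAS host object in Checkmk must exist with no agent data source of its own, otherwise the piggyback data is discarded.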

Thank you all for your suggestions. I already suspected that there was no obvious solution.

The variant with CheckMK in the backup zone would also require the NAS to move from the physical direct connection to the “regular” network… This is not my first choice :wink:

I quickly found the following about the SNMP relay: SNMP Proxy Forwarder — SNMP Proxy Forwarder 0.4.1 documentation I’ll definitely take a look at that.

The option of doing your own check sounds complicated at first, but if it is actually done with a REST API, as mentioned by @andreas-doehler, it would maybe be a manageable solution.

I actually hadn’t come up with the idea of doing port forwarding in Windows yet. That might also be an option, even if, as you say, it’s not ideal :wink:

I have to look at the variants in detail and evaluate which one makes the most sense from a cost/benefit effect on the one hand and from a security point of view on the other.

In any case, I would like to thank you at this point for your feedback.
It will take me a few days to put the ideas through their paces, but I’ll let you know what my solution looks like.

This may be done via data source programs. For example: the not-accessible machine captures its own agent output and uploads it to some share.

Read here for more: