How-To: Monitor Synology NAS with CheckMK agent for linux

You can easily monitor a synology nas with smnp. But you can not configure anything.

But there is a way to monitor your nas using the normal checkmk agent for linux.

Here is what you have to do on a high level:

On the check_mk appliance

• Create a password-free ssh key

On the synology nas:

• Create an admin user on the nas - we call it checkmk_admin. Give this user minimal rights (only on folders you want to monitor and maybe only read only rights). We will use this user to run the check_mk_agent by allowing password-less ssh login from your checkmk appliance. Use a strong password.

• download check_mk_agent.linux to the checkmk_admin homedir - create folders etc, usr and var in your homedir and adjust the paths in check_mk_agent.linux

• copy the id_rsa.pub from your checkmk applicance to your nas (so that you can ssh from you checkmk-appliance to your nas without need for a password)

• Run the agent on the nas remotely from your checkmk-vm

Let’s run through it in detail:

Step 1: Setup password-less ssh login into the nas from the checkmk-vm

checkmk-vm:

on the terminal, logged in as your user (here: praxis)

OMD[praxis]:~$ mkdir .ssh
OMD[praxis]:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/omd/sites/praxis/.ssh/id_rsa):
OMD[praxis]:~$ chmod 700 .ssh
OMD[praxis]:~$ chmod 600 .ssh/id_rsa
OMD[praxis]:~$ chmod 600 .ssh/id_rsa.pub

synology:

Create admin user checkmk_admin with minimal rights and a strong password.

Login with ssh to this user:

checkmk_admin@synpb:~$ mkdir .ssh
checkmk_admin@synpb:~$ nano .ssh/authorized_keys
--> paste the contents from .ssh/id_rsa.pub on your checkmk-vm into authorized files
checkmk_admin@synpb:~$ chmod 700 .ssh/
checkmk_admin@synpb:~$ chmod 600 .ssh/authorized_keys

Now test the password-less login from checkmk-vm:

OMD[praxis]:~$ ssh checkmk_admin@IP-OF-NAS

You should be able to login without password.

Step 2: Install agents in your nas

synology:

# Get the path to your home folder
checkmk_admin@synpb:~$ pwd
/var/services/homes/checkmk_admin

# make folders for all checkmk files within your home folder
# you can find the folders to create in the check_mk_agent.linux
checkmk_admin@synpb:~$ mkdir -p /var/services/homes/checkmk_admin/usr/lib/check_mk_agent/plugins
checkmk_admin@synpb:~$ mkdir -p /var/services/homes/checkmk_admin/usr/lib/check_mk_agent/local/
checkmk_admin@synpb:~$ mkdir -p /var/services/homes/checkmk_admin/usr/bin/
checkmk_admin@synpb:~$ mkdir -p /var/services/homes/checkmk_admin/etc/check_mk/
checkmk_admin@synpb:~$ mkdir -p /var/services/homes/checkmk_admin/var/lib/check_mk_agent/
checkmk_admin@synpb:~$ mkdir -p /var/services/homes/checkmk_admin/var/log/check_mk_agent/

# Download check_mg_agent.linux from your checkmk-vm to your homedir /var/services/homes/checkmk_admin

# Edit this file and adjust the paths in the section set_variable_defaults
# here are my edits, maybe it look different in other / newer versions
set_variable_defaults() {
    # some 'booleans'
    [ "${MK_RUN_SYNC_PARTS}" = "false" ] || MK_RUN_SYNC_PARTS=true
    [ "${MK_RUN_ASYNC_PARTS}" = "false" ] || MK_RUN_ASYNC_PARTS=true

    # WATCH OUT: These 5 lines are searched for and replaced by the
    # agent bakery!
    # TODO: CMK-8339 (proper configuration)
    : "${MK_LIBDIR:="/var/services/homes/checkmk_admin/usr/lib/check_mk_agent"}"
    : "${MK_CONFDIR:="/var/services/homes/checkmk_admin/etc/check_mk"}"
    : "${MK_VARDIR:="/var/services/homes/checkmk_admin/var/lib/check_mk_agent"}"
    : "${MK_LOGDIR:="/var/services/homes/checkmk_admin/var/log/check_mk_agent"}"
    : "${MK_BIN:="/var/services/homes/checkmk_admin/usr/bin"}"

Now you should be able to run check_mg_agent.linux from the command line and plugins etc should also work when you put the in those folders.

Now try the run the agent from the checkmk-vm via ssh:

ssh checkmk_admin@IP-OF-SYNOLOGY /var/services/homes/checkmk_admin/check_mk_agent.linux

It must run without prompt and return the output of the agent

Step 3: Configure check-mk

Create the host in checkmk (no services will be detected)

Go to: Setup → Agents ->Other integrations → Individual program call instead of agent access

Add a new rule:

Command line to execute:

ssh checkmk_admin@$HOSTADDRESS$ /var/services/homes/checkmk_admin/check_mk_agent.linux

Explicit hosts: Select your synology nas

Activate the changes and go again to the services detection

→ et voila → you can monitor your synology nas like any other linux machine

If you use special agents → you might have to edit them to tweak the paths!

Why do you need to use SSH?

Inetd would work as well, but SSH allows for encryption, so this way is what I prefer. See also:

You can not easily install the normal checkmk agent in a synology nas.

That was what I was thinking,

you can use the legacy encyption as well if what you monitor from your NAS is sensitive.

We use ssh for getting data from isolated networks using jump-hosts…

I have no real knowledge on using inetd. My experience with synology is that they like to break things afters upgrades so probably. Search the web for synology and xinetd did only bring up pretty old threads but I’d be happy if could share some more information how do use inetd on synology / checkmk.

With this method, it’s possible to obtain updates and plugins from bakery?

This worked great. Just to add one thing. htop says my checkmk server daemon service is running as user: “monitoring”, so I had to set up that user with the ssh key pair:

1. create key pair with another user, in this case “monitoring”

sudo -u monitoring ssh-keygen

2. after you have put the contents of .pub into the authorized_keys file on the server you are trying to reach, it still won’t work because the first connection has to auth the fingerprint, so we just have to connect one time as user “monitoring”:

sudo -u monitoring ssh checkmk_admin@IP-OF-NAS