Remote access to SNMP Traps over Event

I installed checkmk raw 1.6.0p27 and enabled the SNMP trap server.
Locally I was able to get a correct response like OK - no events for 192.168.104.213 with ./check_mkevents 192.168.104.213.
But if I try to do that from a remote server with ./check_mkevents -H 192.168.200.33:6558 192.168.104.213 then I get:
UNKNOWN - Event console answered with incorrect header (missing event_phase)
Query was:
GET events
Columns: event_phase event_state event_text
Filter: event_host =~ 192.168.104.213
Filter: event_phase in open ack
OutputFormat: plain

Received 0 byte response:

The livestatus tcp port is set to 6558.

Is the livestatus port the correct one or do I have to use another one?
The check_mkevents plugin is the same on both servers.

Is this problem still present in Checkmk 2.1?

I have replicated this in a 3 site distributed environment running 2.1.0p11.cee

OMD[SITE]:~/lib/nagios/plugins$ ./check_mkevents -H <other cmk server>:6558 <host sending traps>
UNKNOWN - Event console answered with incorrect header (missing event_phase)
Query was:
GET events
Columns: event_phase event_state event_text
Filter: event_host =~ <host sending traps>
Filter: event_phase in open ack
OutputFormat: plain

Received 0 byte response:

OMD[SITE]:~/lib/nagios/plugins$

I had to redact some information for infosec of my client. I did open port 6558 from the /32 of the remote poller IP so it’s not a firewall issue.

‘Setup > Events > Event console rule packs > Event console configuration > Access to event status via TCP’ did not help, same issue.

Did a TCP dump on both master and remote sites. Confirmed both are seeing 6558/tcp traffic, so layer 4 is good.

Forgot to follow up. After working with support we tracked the issue down. Somehow that distributed site had a Global Settings override for the allowed IPs. In my case we had to go to Setup > Distributed Monitoring > click the gear for the site specific Global Settings and update it there too. Once that was done and activated, the issue went away.

The thing that caught Support’s attention was “<timestamp> [cmk.mkeventd.StatusServer] Denying access to status socket from SITE2_in_DC2 (allowed is only 127.0.0.1)” in ~/var/log/mkeventd.log of the primary site.

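The denial message quoted in the last post is the thing to search for when check_mkevents gets a 0 byte response. As an added example (not part of the thread and not Checkmk code), this Python script scans mkeventd.log lines for that message and counts denials per source; the timestamp format, the sample lines and the comma-separated allow-list format are assumptions.

```python
import re

# Matches the denial message quoted in the post. Everything before the
# logger name is treated as an opaque timestamp, since the post redacts it.
DENY_RE = re.compile(
    r"^(?P<ts>.*?)\s*\[cmk\.mkeventd\.StatusServer\]\s+"
    r"Denying access to status socket from (?P<src>\S+)\s+"
    r"\(allowed is only (?P<allowed>[^)]*)\)"
)

def find_denials(lines):
    """Return one dict per denied status-socket connection."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            # Assumption: several allowed addresses are separated by commas/spaces.
            allowed = [a for a in re.split(r"[,\s]+", m["allowed"].strip()) if a]
            hits.append({"ts": m["ts"].strip(), "src": m["src"], "allowed": allowed})
    return hits

def summarize(hits):
    """Per denied source: number of denials and the allow list seen in the log."""
    out = {}
    for h in hits:
        entry = out.setdefault(h["src"], {"denied": 0, "allowed": set()})
        entry["denied"] += 1
        entry["allowed"].update(h["allowed"])
    return out

# Constructed sample input (documentation addresses, assumed timestamp format).
SAMPLE_LOG = """\
2022-09-01 10:15:02,113 [cmk.mkeventd.StatusServer] Denying access to status socket from 192.0.2.10 (allowed is only 127.0.0.1)
2022-09-01 10:15:03,004 [cmk.mkeventd.StatusServer] constructed unrelated line
2022-09-01 10:16:02,250 [cmk.mkeventd.StatusServer] Denying access to status socket from 192.0.2.10 (allowed is only 127.0.0.1)
2022-09-01 10:17:44,901 [cmk.mkeventd.StatusServer] Denying access to status socket from 198.51.100.7 (allowed is only 127.0.0.1)
""".splitlines()

if __name__ == "__main__":
    for src, info in summarize(find_denials(SAMPLE_LOG)).items():
        print(f"{src}: {info['denied']} denied, allow list was {sorted(info['allowed'])}")
```

A source that appears here and is a legitimate poller needs to be added to the allowed IPs in the site specific Global Settings, as the post describes; any other source is worth a look before widening the list.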
