Running the agent in a non Administrative Account doesn't retrieve services

CMK version: 2.0.0p
OS version:Windows

**Error message: Services don’t appear as it should **


Recently, installed an agent in a Windows machine running Oracle.
All was going fine, but saw that the agent was using the Local System Account (NT) to access the Oracle database which is not ideal, so I changed the CheckMK Service to be run at a local user with non administrative privileges.
Doing that I lost all services I had, just 1 remained called System Time but thats it.

I Tried to install the agent with the local user and stuff but nothing worked

The Oracle check does not use the local system account. It uses the user configured inside the “mk_oracle_cfg.ps1” file. If this file is not existing it tries to use to connect as “/ as sysdba”. Normally you should define this config file and insert the correct database users for the monitoring job.
The Windows agent itself should run als local system. If it runs as a normal user the output depends on the rights of this user.

I have it configured with the user I wanted.

The problem is that the account that I created for oracle should not be using sysdba, it shouldnt have priviliges to see the whole database like it is right now.

Which other role options can I insert in the config file? Only sysdba works, tried “normal connection” but its not accepting

just leave the role empty

If I leave it empty, it stops working…

My sys admin, told me he created as a normal connection.

This is what he sent me any thing wrong here, that Im missing?

normal DB users have no role, so leaving it empty should work. Any error you can share?

$DBUSER = @("OPS$LOCAL_CHECK-DB", "<password>", "", "localhost", "1521")

should be at your mk_oracle_cfg.ps1

1 Like

If I leave as empty, I lose the services and get the following message:

I dont know if my last image from my sys admin helped or not, did it say something that it indicates that the user is not correctly created and it is indeed sysdba user?

This ORA error simply says, as in the error description, your credentials are incorrect. Please check them again. A wrong role would produce a different ORA error.

That’s the thing. When I add the SYSDBA, it works with those credentials

$DBUSER=@("OPS$LOCAL_CHECK-DB","password", "SYSDBA", "localhost", "1521")

Oh just realized now that when I remove everything and just let the SYSDBA, I also get the services… What is happening…

$DBUSER=@("","", “SYSDBA”, “localhost”, “1521”)

Okay, i can explain what’s happening:
You are running the check on the same system as the database, therefore the default connection is with local user. From the naming scheme of your DBA i guess the wallet function is active and the default connection without a username is set to / which means local user. If you don’t provide a password the wallet is checked if there is a password stored for your local user and is used to connect to the database. I assume the database is running with the same user as the checkmk agent. Therefore your connection string is now sqlplus / as sysdba and you connect as the main administrative user against the database.
Just ask you DBA if he has assigned the sysdba role for your monitoring user (which i hope he doesn’t).

1 Like

As a reply to your screenshot with the many grants i can only say.
It should be enough to setup the account as shown inside the documentation.

sqlplus> create user checkmk identified by myPassword;
sqlplus> grant select_catalog_role to checkmk;
sqlplus> grant create session to checkmk;
sqlplus> connect checkmk/myPassword
sqlplus> exit
1 Like