SNMP Monitoring from an agent rather than server?

I have a typical environment setup where I’m monitoring a lot of systems at a retail setup, so imagine hundreds or even thousands of stores. Retailers often have fairly extensive firewall setups and block everything by default. Each of my sites could have a number of SNMP devices I want to monitor. The typical setup is the Checkmk server doing the SNMP query of those devices, but this will be blocked by the firewalls and would be a tough conversation with security to open that up.

I’m wondering if I can configure the SNMP to run through an agent at the store and report up. I feel like I saw this available somewhere, but can’t find it in documentation or the forum here. Could I configure another agent at my site to do the SNMP walk and report it back up to the server?

So in last year’s conference when Tribe talked about cloud monitoring they specifically mentioned that you could set up a local server to act as a proxy for SNMP and that the proxy would use push mode to a central site.

In this year’s conference there was zero talk about that, so perhaps that feature was scrapped, but it would have helped you.

We are in the same situation where remote sites, due to security or other network “issues”, prevent us from talking SNMP from a remote location.

Hi Brent,

from your description it is not entirely clear if you are talking about sites or agents.

A typical setup would be

  • 1 Central Site (let’s say in HQ)
  • n Remote Sites (let’s say 1 in each store)

The SNMP devices in that store would be queried from that store’s site (and not the central site). At least that’s how you’d normally configure it. So as long as the store doesn’t have multiple network segments, then there would be no need to pass through any firewalls.

Doing SNMP from an agent deployed on a Linux or Windows server would require for the agent to be able to communicate with other devices on the network and then parse the output (OR at the very least serve as a proxy to funnel that data through), all of which the current agent can’t do, afaik. And for the agent to communicate with the server, you would also need to pass through the firewalls.

Or am I completely misunderstanding you?

Yes, you’re understanding this correctly. I could go build my own plugin of course, but I was hoping there’s a method of doing the typical SNMP “Agent” but routing that through another Checkmk agent in the store already. Think like a proxy.

Well, at least I understood the question :smiley: Sounds a bit like a ‘SNMP-Piggyback’.

As to a solution: My intuition tells me that that would be a pretty big hack of the Checkmk agent. Not even sure if that could be done as an agent plugin or whether the agent itself would need to be modified.

But hey, maybe I am completely wrong. I am not a developer, nor a Checkmk consultant, so #blindmantalkingofcolor

I found the link. This was discussed at the 2021 conference as local SNMP proxy (Checkmk light). This was a cloud example but could be used in isolated environments as well.

Yep!
We need to build something for Checkmk SaaS. What it will be exactly (e.g. local proxy for special agent and SNMP monitoring) is still to be decided.
Adding the functionality to the agent would bloat the agent massively, so it is something worth thinking through. As Checkmk does not simply just “query” via SNMP but has a much more clever bulk query + disco + individual query mechanism AFAIK.

I agree that having this functionality in the standard agent does not make a whole lot of sense. The mechanism for push could perhaps be reused to carry a section for SNMP.

But I believe this needs to work with all existing SNMP plugins, and the way SNMP collection works is a bit… different from the regular agent, so I think we need a light poller that would act as a collector having all poller features of active checks, event console, SNMP and special agent, and push data towards somewhere else (centrally), i.e. it would not store any data (rrd) locally, nor should it be able to send notifications, have a web GUI, LDAP etc.

The way I see it, you have two options I can think of:

  1. Have a portion of the server that can run on agents, and you designate an agent to be a sort of “proxy” where it also runs part of the server and pushes that up. It’d be a bit of a nightmare to rework all the configuration and stuff to pass correctly.
  2. Network pass-thru. Basically tunnel the connection. Whatever traffic you want, you do a sort of socks proxy type deal to push it through that agent into the location. It’d add a speed hit, but wouldn’t require an excessive amount of coding.

Totally agree. While we initially actually planned to do something like 1) / what Anders proposes, we actually started to consider the second option as well now.
I will forward your thoughts to our SaaS team. While this doesn’t help you for now unfortunately, maybe we have a solution for you in the future though.