SNMP Queries via JumpHost

Hello together,

due to some firewall and cooperate restrictions we’re unable to access some devices via SNMP directly. We’ve got some hosts in the same network running the cmk agent. The “Server” is running cmk enterprise using the cmc.

Does somebody have a hint how to monitor the inaccessible devices via SNMP and cmk using built-in functionality? Otherwise I’ll need to write my one plugins … that would be really much work…

Thanks!

Do you already use a distributed setup? Can you set up a Checkmk server inside that special network? Then you would just have to integrate that server (via ssh tunnel, VPN, whatever method) and have that server directly monitor the hosts in its own network.

Currently we only use one cmk server. Maybe you’re right and a distributed setup would be the simplest solution. I’ll discuss it in my team.
Are there any other solutions? Can I “fake” the agent using a “plugin”/“check”-name and the server parses the output?

What I have done in a similar situation (albeit only a single client and not checked by SNMP but with an installed Checkmk agent):

  • regularly (e.g. every minute) run the agent (from cron) and write the output to a local file
  • copy the agent ouput to some file in the checkmk site’s tmp folder
  • create a rule in the WATO ruleset “Individual program call instead of agent access” → cat ~/tmp/HOSTNAME.agent-output
  • since the server can’t even ping the client, also create a rule in the WATO ruleset “Host Check Command” to Use a custom check plugin: check_file_age -w 90 -c 120 -f ~/tmp/HOSTNAME.agent-output (host is alive if it has recently copied its agent output to the site’s tmp dir)
1 Like

Why not using the host in the same network and then just send the data as piggyback ?

I don’t know if it works the same for snmp, but for agent based and custom plugins it works.

The piggyback mechanic and SNMP data is not so easy like it is with agent output.
This was also one of my thoughts first. At the moment i would prefer the solution from @martin.schwarz with a distributed setup if this is possible. For “high security” networks you can also tunnel the complete traffic over ssh or use the included TLS encryption from CMK.

1 Like

Thank’s for the recommendation. That was my first idea also but requires a lot of work (implementing my own plugins,…)
I havn’t found a solution for returning the result of an snmpwalk to the core and getting it parsed automatically :frowning:

Technically a distributed setup would be probably possible. I’ll have to check if that is possible concerning the license and some hardware topics.

In principle the setup would look like the following.

  • your check host in the other network creates output like an stored snmpwalk from CMK
  • this output is then transferred to the CMK server and stored as an stored walk for the host to be checked
  • the host itself on the CMK machine is configured to use a stored walk
  • you have to check that the stored walks are with an actual timestamp
  • the check interval should be between 1.5 and 2 times the interval for the new data from the remote machine

Yes it is much to do :slight_smile:

This should be no problem as your license covers all checked services in your environment, you can have instances as many as you want. All services together must be under your licensed services.

1 Like