SNMP Queries via JumpHost

flori-it · October 5, 2020, 10:17am

Hello together,

due to some firewall and cooperate restrictions we’re unable to access some devices via SNMP directly. We’ve got some hosts in the same network running the cmk agent. The “Server” is running cmk enterprise using the cmc.

Does somebody have a hint how to monitor the inaccessible devices via SNMP and cmk using built-in functionality? Otherwise I’ll need to write my one plugins … that would be really much work…

Thanks!

martin.schwarz · October 5, 2020, 10:49am

Do you already use a distributed setup? Can you set up a Checkmk server inside that special network? Then you would just have to integrate that server (via ssh tunnel, VPN, whatever method) and have that server directly monitor the hosts in its own network.

flori-it · October 5, 2020, 11:05am

Currently we only use one cmk server. Maybe you’re right and a distributed setup would be the simplest solution. I’ll discuss it in my team.
Are there any other solutions? Can I “fake” the agent using a “plugin”/“check”-name and the server parses the output?

martin.schwarz · October 5, 2020, 12:18pm

What I have done in a similar situation (albeit only a single client and not checked by SNMP but with an installed Checkmk agent):

regularly (e.g. every minute) run the agent (from cron) and write the output to a local file
copy the agent ouput to some file in the checkmk site’s tmp folder
create a rule in the WATO ruleset “Individual program call instead of agent access” → cat ~/tmp/HOSTNAME.agent-output
since the server can’t even ping the client, also create a rule in the WATO ruleset “Host Check Command” to Use a custom check plugin: check_file_age -w 90 -c 120 -f ~/tmp/HOSTNAME.agent-output (host is alive if it has recently copied its agent output to the site’s tmp dir)

tavanez · October 5, 2020, 2:45pm

Why not using the host in the same network and then just send the data as piggyback ?

I don’t know if it works the same for snmp, but for agent based and custom plugins it works.

andreas-doehler · October 5, 2020, 3:10pm

The piggyback mechanic and SNMP data is not so easy like it is with agent output.
This was also one of my thoughts first. At the moment i would prefer the solution from @martin.schwarz with a distributed setup if this is possible. For “high security” networks you can also tunnel the complete traffic over ssh or use the included TLS encryption from CMK.

flori-it · October 5, 2020, 5:19pm

Thank’s for the recommendation. That was my first idea also but requires a lot of work (implementing my own plugins,…)
I havn’t found a solution for returning the result of an snmpwalk to the core and getting it parsed automatically

flori-it · October 5, 2020, 5:20pm

Technically a distributed setup would be probably possible. I’ll have to check if that is possible concerning the license and some hardware topics.

andreas-doehler · October 5, 2020, 8:10pm

In principle the setup would look like the following.

your check host in the other network creates output like an stored snmpwalk from CMK
this output is then transferred to the CMK server and stored as an stored walk for the host to be checked
the host itself on the CMK machine is configured to use a stored walk
you have to check that the stored walks are with an actual timestamp
the check interval should be between 1.5 and 2 times the interval for the new data from the remote machine

Yes it is much to do

This should be no problem as your license covers all checked services in your environment, you can have instances as many as you want. All services together must be under your licensed services.

system · October 5, 2021, 8:10pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.