Hi, since I have a CMK server on the public network and want to monitor two Windows servers on the same network, I want to change the port the Windows agent is listening on, since port forwarding to both servers is not possible.
I have changed the port for the host on the CheckMK server to 6554 under the following option: TCP port for connection to Check_MK agent.
In addition, in the file: “C:\ProgramData\checkmk\agent\check_mk.user.yml” I commented out the port and replaced it with 6554. The service is still listening on port 6556 according to netstat.
```yaml
# User Check MK configuration file
# Copyright Mathias Kettner GmbH
# version 10009
# tag '06.05.2019'
# global must be presented
# IMPORTANT notes
# @user -> is ProgramData/CheckMK/Agent/plugins
# @core -> is Program Files(x86)/check_mk_service/plugins
# @data -> is ProgramData/CheckMK/Agent/
# @local -> is ProgramData/CheckMK/Agent/local
# 1. use http://www.yamllint.com/ for example to validate your yamllint
# 2. Windows filenames contains backslash \, ergo you have to write either "c:\\windows" or 'c:\windows'
# To disable any feature you may use two methods
# 1. commenting out with '#' recommended to use with one line declarations
# 2. renaming. Recommended to disable big parts of YAML tree
# Most useful is adding _ at the beginning of name
#
# example _logging: # <----- this structure is fully ignored
# logging: # <----- this structure is accepted
global:
  # use name to have mor clear logs just for user
  # Descriptive name of the configuration file
  # name: Config File Example from Check MK distribution
  # section may be fully disabled
  # enabled: yes
  # Restrict access to certain IP addresses
  # If ipv6 is enabled, all listed ipv4 adresses are also accepted as
  # source adresses in their ipv6-mapped form. I.e. if
  # 192.168.56.0/24 is listed, connections from ::ffff:c0a8:3800/120
  # are also possible
  only_from: # 127.0.0.1 192.168.56.0/24 ::1
  # Change port where the agent is listening ( default 6556 )
  port: 6554
  # New parameter
  # lock: no # [-] use port exclusively by own process
  # Disable ipv6 support. By default, ipv4 is always supported
  # and ipv6 is enabled additionally if supported by the system.
  # ipv6: no
  # encryption
  # encrypted: no
  # password
  # passphrase: secret
  # Do only execute programs and scripts with
  # the following suffixes (in local and plugins).
  # Per default all extensions except txt and dir
  # are being executed.
  # execute: exe bat vbs cmd ps1
  # Run sync scripts in parallel (to each other). Default is "sequential",
  # which means the scripts are run asynchronously to the agent itself but
  # one after the other. Setting this to parallel may improve the delay before
  # new data is reported but may also lead to the agent having more noticable
  # impact on the system performance
  # BAD PLACE and duplicates same flag in plugins
  # async: yes
  # Just output certain sections
  _sections: check_mk mrpe skype spool plugins local winperf uptime systemtime df mem services msexch dotnet_clrmemory wmi_webservices wmi_cpuload ps fileinfo logwatch openhardwaremonitor
  # Useful example
  # sections: ~ # <--- this line is ignored
  # sections: [] # <--- this removes all sections(make values sections empty)
  # forced to not use
  _disabled_sections: _logfiles winperf_xxx badname
  #realtime data description
  # to control section manually change name from _realtime to realtime.
  _realtime:
    enabled: yes
    # specifies how long (in seconds) realtime updates are sent to
    # the last monitoring system that requested an update.
    # this should be longer than the request frequency (usually
    # one minute).
    # Please note that any new request cancels previous realtime
    # update schedules, so no more than one update is sent per second,
    # no matter if this timeout is "too high" or how many monitoring
    # systems are querying the agent.
    timeout: 90
    # enable/disable encryption of regular agent output (default: disabled)
    # yes or no
    port: 6559
    encrypted: no
    # passphrase for encrypted communication.
    passphrase: this is my password
    # which sections are realtime, this is by default
    run: mem df winperf_processor
    # run: [] # if you want to disable all sections in run time
    # run: # if you want to run sections defined by bakery
  # by default the agent flushes the socket for each agent section.
  # this is mostly for debugging purposes in case the agent is slow
  # to respond.
  # Disabling this may (very) slightly reduce network traffic.
  # section_flush: no
  # In seconds. Windows may be slow during WMI, increase the value when you have problems
  # Legacy agent is 2.5 seconds, this is not enough
  # wmi_timeout: 3
  # --------------------------------------------------------------
  # Internal log of agent
  # Write a logfile for tackling down crashes of the agent
  _logging:
    # windows /logs/name or public/name, default is yes
    public: yes
    # name of file log, default is check_mk.log
    file :
    # log in file also internal debug messages, recommended when we have problems
    # allowed no, yes and all. Default yes!
    debug: yes
    # you may send logging messages in realtime in windows debug sink, default is yes
    windbg: yes
    # you may disable your eventlog ability
    eventlog: yes
ps:
  # enabled: yes
  # use_wmi: yes
  # full_path: yes
winperf:
  # enabled: yes
  # default value, do not change it if do not know what are you douing
  # exe: agent
  # changes only section name winperf_******
  # prefix: winperf
  # default value, increase for heavy loaded machine
  # timeout: 10
  # Select counters to extract. The following counters
  # are needed by checks shipped with check_mk.
  # Format:
  # - id:name
  # where id is OS counter and name is part of CHECK_MK Header
  counters:
    #- 234: phydisk
    #- 510: if
    #- 238: processor
    #- 638: tcp_conn
    #- Terminal Services: ts_sessions
logfiles:
  # enabled: no
  ## Define textfiles to be monitored
  ## observer
  _view:
    - name: My usual log for daily use with my friends # this is name of the check
      observe:
        - 'C:\tmp': # this is folder
            # below list of file to view on location
            - 'logfiles\message_*.log'
            - 'logfile\my*.log'
        - 'D:\log': #this is folder
            - 'sample1.txt'
            - 'sample2.txt'
        - 'c:\Windows\Logs\setupapi.log'
      patterns:
        ok: 'Successfully logged in*'
        crit: 'Error in*'
        warn: 'Unable to contact*'
        ignore: 'Backup * saved'
    - name: My special logs
      observe:
        - 'C:\tmp\memo.udf':
      patterns:
        ok: '*mail sent*'
        warn: '*overdue*'
    - name: My interesting logs
      description: >
        this is my description which I can add to almost any iten
        item ib the config file and see it in the log
      observe:
        - 'C:\tmp\memo.crit':
      # below is default
      rotated: no
      context: yes
      from_start: no
      patterns:
        ok: '*mail sent*'
        warn: '*overdue*'
fileinfo:
  # enabled: yes
  path:
    # - '' # empty strings will be ignored
    # - '--' # all string without "C:\" or "\\" at start will be ignored too for security reason
    # - 'c:\a\a' # generates missing| string
    # - 'c:\Users\Public\*.log' # real string to process
    # - "this\\is\\not\\recommended\\" # double quoating uses escape sequences
    # - 'c:\Users\Public\**\Desktop.ini' works, 8 files to control
    # - 'c:\Windows\Resources\**\aero\aero*.*' works too, you will get two files in 'c:\Windows\Resources\Themes\aero\'
    # - 'c:\dev\shared_public\*.*' # typical test folder, provided during development
logwatch:
  # enabled: yes
  # sendall: no # this is MANDATORY
  # vista_api: no # this is RECOMMENDED
  logfile: # entries in the windows eventlog
    # Format is sequence
    # - 'EventLogName': <crit|warn|all|off> + [context|nocontext]
    # end of documentation
    # - 'Application': crit context # example
    # - 'System': warn nocontext # another example
    # - 'YourOwn': all nocontext # yet another example
    # - '': warn nocontext # allowed crit, warn, all, off
    # - '*': warn nocontext # This is default params for not missing entries
plugins:
  # scripts in plugin
  # enabled: yes
  # default value, you may disable all scripts in local with no
  # player: '' # [-] when empty we wil use default value, i.e. our player
  # max_wait: 60 # max timeout for every sync plugin. Agen will gather plugins data no more than max_wait time.
  # this is useful to terminate badly written or hanging plugins
  # async_start: yes # start plugins asynchronous, this is normal mode.
  # folders are scanned top -> down
  # duplicated files will be removed
  # folders: ['@core', '@user' ] # folder in ProgramData/CheckMK/agent/plugins
  # example: mk_inventory.vbs
  # plugin is executed asynchronous
  # and is only updated every 3600 seconds
  # it may fail (timeout / error) up to 3 times before the last known data is discarded
  # we will look for a folder in core(Program Files/Check_mk/plugins), if not found in
  # ProgramData, if not found in __mdlx, etc/
  # after config change fail count will be reset
  _execution:
    # execution pattern for windows-updates.vbs:
    # all parameters below are DEFAULT set for every entry
    #- pattern : '@user\mk_inventory.vbs' # Plugin name or absolute path . * and ? are allowed
    # run : yes # execute this plugin if plugin found
    # async : yes # async plugin is a bit special. Normally you will get delayed data.
    # timeout : 120 # after 120 seconds process will be killed.
    # cache_age : 3600 # only combined with async, upto 3600 seconds we may reuse plugin output
    # retry_count : 3 # failure on start plugin, before stopping
    # cmd_line : '' # [-] command line
    # description : 'In free form' # [-] will be stored in the log
    #
    # pattern : '@user\win_license.bat' # Plugin name. * and ? are allowed
    # run : no # do not execute this plugin even if plugin found
    - pattern : '@user\*.*' # in the ProgramData folder. DO NOT REMOVE THIS ENTRY
      timeout : 30 # after 30 seconds process will be killed.
      run : yes # ALL FOUND files ARE DISABLED this Current Default Behavior
    - pattern : '@core\*.*' # in the ProgramFiles folder. DO NOT REMOVE THIS ENTRY
      timeout : 30 # after 30 seconds process will be killed.
      run : no # ALL FOUND files ARE DISABLED this Default Behavior
    - pattern : '*' # This is safety entry. Try not use plugins outside your predefined folder
      run : no # ALL FOUND files ARE DISABLED this Current Default Behavior
# set this parameter to yes to change behavior like Legacy Agent
# The same as plugins with same parameters
# But: used folder local
local:
  # scripts in plugin
  # enabled: yes
  # default value, you may disable all scripts in local with no
  # player: '' # [-] when empty we wil use default value, i.e. our player
  # max_wait: 60 # max timeout for every sync plugin. Agen will gather plugins data no more than max_wait time.
  # this is useful to terminate badly written or hanging plugins
  # async_start: true # start plugins asynchronous, this is normal mode.
  _execution:
    # execution pattern for windows-updates.vbs:
    # all parameters below are DEFAULT set for every entry
    - pattern : 'test_me.bat' # [+] Plugin name. * and ? are allowed
      timeout : 10 # [+] after 10 seconds process will be killed.
      run : yes # [+] execute this plugin.
    - pattern : '*.*' # in the user folder. DO NOT REMOVE THIS ENTRY
      timeout : 10 # [+] after 10 seconds process will be killed.
      run : yes # ALL FOUND files ARE DISABLED this Current Default Behavior
mrpe:
  # enabled: yes
  # 60 is default, this is safe value, because mrpe checks are relative fast ergo
  # hitting this timeout is virtually not possible
  # timeout: 60
  # entries and cfg are the same as in the Legacy agent
  config:
    # - check = Console 'c:\windows\system32\mode.com' CON CP /STATUS
    # - include user_name = @data\mrpe_checks.cfg
    # - include = @data\mrpe_checks.cfg
```
Have you restarted the “CheckMkService” Windows service? Otherwise the new config file will not be read :).
If that doesn’t help, check the output of the following command for your port 6554. If it still lists 6556, there is probably an indentation/syntax error in your config file; use the recommended http://www.yamllint.com/ to verify.
```powershell
# be sure to run this as an ADMINISTRATOR
& 'C:\Program Files (x86)\checkmk\service\check_mk_agent.exe' showconfig
```
Yes, I have restarted the CheckMK service several times. The YAML checker says that the config is valid.
I have run the command you mentioned as administrator; unfortunately it still lists port 6556 instead of 6554… For both CheckMK services I have also created firewall rules for port 6554. Unfortunately the problem still exists.
Thanks for the tip with the encryption, I know about it.
Hm, OK, if the YAML is valid but not picked up: is it possible the file actually has the extension .yml.txt but Microsoft keeps hiding the .txt?
Ideally, check the top of the showconfig output for the path of the config files that the agent tries to load and open that exact path in Notepad (or similar) to be 100% sure.
Are you using the 2.1 agent or 2.0? 2.1 introduced a second component, the Agent Controller that manages TLS. This component does not obey the yaml file. I’ll check with the developers how to change ports here and update our Official User Guide accordingly?
I edited the .yml which is under Program Files x86 and not Program Data. Then restarted the CheckMK Service and showconfig has finally shown my custom Port…
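The checks suggested in this thread, combined into one script (an added example, not part of the original posts and not Checkmk's own tooling): it lists candidate config files in the two directories quoted above with their real extensions, shows the uncommented `port:` and `only_from:` lines in each, and reports which process owns the listener on 6554 or 6556. The `check_mk*.y*` file filter and the variable names are assumptions made for illustration.

```powershell
# Added example. Run in an elevated PowerShell session.
# Directories come from the two paths quoted in this thread; the file filter
# and variable names are assumptions made for illustration.
$expectedPort = 6554
$defaultPort  = 6556
$configDirs   = @(
    'C:\ProgramData\checkmk\agent',
    'C:\Program Files (x86)\checkmk\service'
)
$agentExe = 'C:\Program Files (x86)\checkmk\service\check_mk_agent.exe'

# 1. Candidate config files with their real extension; this exposes a
#    check_mk.user.yml.txt even when Explorer hides the ".txt".
$configs = Get-ChildItem -Path $configDirs -Filter 'check_mk*.y*' -File -ErrorAction SilentlyContinue
$configs | Select-Object FullName, Extension, LastWriteTime | Format-Table -AutoSize

# 2. Uncommented port/only_from lines per file. The posted config also has a
#    port under _realtime, so more than one hit per file is normal.
$configs | Select-String -Pattern '^\s*(port|only_from)\s*:' |
    Select-Object Path, LineNumber, Line | Format-Table -AutoSize

# 3. The same keys in the configuration the agent actually loaded.
& $agentExe showconfig | Select-String -Pattern '^\s*(port|only_from)\s*:'

# 4. Which process owns the listening socket on the custom and default port.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $expectedPort, $defaultPort -ErrorAction SilentlyContinue
$listeners | Select-Object LocalAddress, LocalPort,
    @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

if ($listeners.LocalPort -contains $expectedPort) {
    "Listening on $expectedPort."
} else {
    "Not listening on $expectedPort: compare steps 2 and 3 to see which file the agent reads."
}
```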