|
| 1 | +.. _checkmk-section: |
| 2 | + |
| 3 | +Checkmk |
| 4 | +======= |
| 5 | + |
| 6 | +Checkmk is a monitoring platform used to supervise servers, network devices, and appliances. |
| 7 | +The firewall can be monitored with `Checkmk <https://checkmk.com/>`_ by installing the NethSecurity extra packages described in this chapter. |
| 8 | + |
| 9 | +NethSecurity packages |
| 10 | +--------------------- |
| 11 | + |
| 12 | +The Checkmk integration for NethSecurity is split into two packages: |
| 13 | + |
| 14 | +* ``checkmk-agent`` is the standard Checkmk agent package. |
| 15 | +* ``ns-checkmk-utils`` adds NethSecurity-specific monitoring scripts and is optional. |
| 16 | + |
| 17 | +Installing ``ns-checkmk-utils`` also pulls in ``checkmk-agent`` as a dependency. |
| 18 | +If you only need the upstream agent, install ``checkmk-agent`` alone. |
| 19 | + |
| 20 | +Install the packages |
| 21 | +-------------------- |
| 22 | + |
| 23 | +Install the agent and the optional NethSecurity checks from the command line:: |
| 24 | + |
| 25 | + opkg update |
| 26 | + opkg install ns-checkmk-utils |
| 27 | + |
| 28 | +After installation, the agent service is managed by ``/etc/init.d/check_mk_agent`` and it's started and |
| 29 | +enabled on boot by default. |
| 30 | + |
| 31 | +Use the following command to check the status:: |
| 32 | + |
| 33 | + /etc/init.d/check_mk_agent status |
| 34 | + |
| 35 | +Verify the output locally with:: |
| 36 | + |
| 37 | + check_mk_agent |
| 38 | + |
| 39 | +Allow remote monitoring |
| 40 | +----------------------- |
| 41 | + |
| 42 | +The agent listens on TCP port ``6556``. |
| 43 | +By default, traffic from the LAN is allowed, but if you have a more restrictive firewall configuration, you may need |
| 44 | +to allow access to this port from the Checkmk monitoring server. |
| 45 | + |
| 46 | +You can add a firewall rule to allow access directly from web user interface, see :ref:`firewall_rules-section`, or use the command line interface to add a rule. |
| 47 | + |
| 48 | +For example, to allow access from a monitoring host in the LAN:: |
| 49 | + |
| 50 | + uci add firewall rule |
| 51 | + uci set firewall.@rule[-1].name='Allow-Checkmk' |
| 52 | + uci set firewall.@rule[-1].src='lan' |
| 53 | + uci set firewall.@rule[-1].proto='tcp' |
| 54 | + uci set firewall.@rule[-1].dest_port='6556' |
| 55 | + uci set firewall.@rule[-1].target='ACCEPT' |
| 56 | + uci commit firewall |
| 57 | + /etc/init.d/firewall restart |
| 58 | + |
| 59 | +Bear in mind that if the monitoring server is located in a different zone, you will need to adjust the source zone and address accordingly. |
| 60 | + |
| 61 | +When the rule is in place, the monitoring server can connect to the firewall and read the agent output, including the optional NethSecurity checks. |
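Review bot: The example rule at lines 50-55 sets only ``src='lan'`` and no source address, so it accepts TCP 6556 from every host in the LAN zone, while line 48 introduces it as allowing access "from a monitoring host". Line 59 also tells the reader to adjust the "source zone and address", but the example never sets an address. Suggest adding a line such as ``uci set firewall.@rule[-1].src_ip='<monitoring-server-ip>'`` before the commit, with the placeholder explained in the text, so that the documented rule limits the agent port to the Checkmk server. Since line 43 says LAN traffic is already allowed by default, it would also help to state that this rule is only needed on more restrictive configurations, and which zone to use in that case. Minor wording point at line 46: "from web user interface" should read "from the web user interface".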