If you are having difficulties, please try putting SELinux into permissive mode on each server in the monitoring cluster and restarting all the servers in your monitoring cluster. Here is an example of what the config could look like: Once you have successfully started all the stunnel services, you can go into WATO and setup Distributed Monitoring connections. Then, start the stunnel services: systemctl start stunnel As an example:Ĭheckmk Master: firewall-cmd -permanent -zone=public -add-service=httpsĬheckmk pollers: firewall-cmd -permanent -zone=public -add-service=httpsįirewall-cmd -permanent -zone=public -add-port=/tcp The following steps need to be done on all Checkmk servers:Īdd firewall rules as appropriate to your Checkmk master and pollers. Here is an example with two pollers being setup for Distributed Monitoring over stunnel: chroot = /var/run/stunnel
CONFIGURING STUNNEL UPDATE
If you have more than one poller, you will just duplicate the client definition block and update the block name, IP address, and port accordingly. You will need to replace the IP 4.3.2.1 with your Checkmk poller's IPv4 address: chroot = /var/run/stunnel The following step is to be on the Checkmk master server: If you have a second poller it would use port 7557 as an example. Please be sure to increment the port used with each poller.
Make sure to edit the stunnel config file on all pollers you wish to Livestatus monitor over stunnel. You will need to replace the IP 4.3.2.1 with your poller's IPv4 address: chroot = /var/run/stunnel
CONFIGURING STUNNEL INSTALL
If a certificate signed by a CA is available, install it onto the pollers as /etc/stunnel/stunnel.pem The following needs to be done on all Checkmk pollersĬreate a self signed certificate if one signed by a Certificate Authority is not available: openssl req -new -newkey rsa:2048 -days 3650 \ Last command that needs to be done on all servers for now is to create the systemd service unit for stunnel then enable it: cat /etc/systemd/system/rviceĭescription=SSL tunnel for network daemons accept 127.0.0.1:5140 connect 192.168.1.99:6140 This configures Stunnel in client mode (the default is server mode), and tells Stunnel to listen on port. Next, create the user for stunnel to run as: useradd -r -m -d /var/run/stunnel -s /bin/false stunnelĪdd the runtime folder to tmpfiles.d configuration to recreate the directory on reboot: echo "d /var/run/stunnel 0770 stunnel stunnel -" > /etc/tmpfiles.d/nf The following instructions need to be done on all Checkmk servers that will be part of your distributed monitoring environment:įirst, install stunnel: yum install stunnel
You should be able to port these instructions to other distros without too much difficulty.
CONFIGURING STUNNEL HOW TO
This guide covers how to setup stunnel for Livestatus on CentOS based Checkmk servers. NOTE: It is recommended that you enable HTTPS on Checkmk's UI as part of your move to secure your monitoring environment.
After installing Checkmk, configuring your sites, as well as Livestatus TCP on the remote pollers but before configuring the Distributed Monitoring connections in WATO, this article can help you setup an SSL encrypted tunnel for the Livestatus data to flow between.
0 kommentar(er)
