After installing Check_MK, configuring your sites, as well as Livestatus TCP on the remote pollers but before configuring the Distributed Monitoring connections in WATO, this article can help you setup an SSL encrypted tunnel for the Livestatus data to flow between.
NOTE: It is recommended that you enable HTTPS on Check_MK’s UI as part of your move to secure your monitoring environment.
This guide covers how to setup stunnel for Livestatus on CentOS based Check_MK servers. You should be able to port these instructions to other distros without too much difficulty.
The following instructions need to be done on all Check_MK servers that will be part of your distributed monitoring environment.
First, install stunnel:
yum install stunnel
Next, create the user for stunnel to run as:
useradd -r -m -d /var/run/stunnel -s /bin/false stunnel
Add the runtime folder to tmpfiles.d configuration to recreate the directory on reboot:
echo "d /var/run/stunnel 0770 stunnel stunnel -" > /etc/tmpfiles.d/stunnel.conf
Last command that needs to be done on all servers for now is to create the systemd service unit for stunnel then enable it:
cat << EOF > /etc/systemd/system/stunnel.service [Unit] Description=SSL tunnel for network daemons After=syslog.target [Service] ExecStart=/usr/bin/stunnel Type=forking [Install] WantedBy=multi-user.target EOF
systemctl enable stunnel.service
The following needs to be done on all Check_MK pollers
Create a self-signed certificate if one signed by a Certificate Authority is not available:
openssl req -new -newkey rsa:2048 -days 3650 \ -nodes -x509 -sha256 \ -subj '/CN=127.0.0.1/O=localhost/C=US' \ -keyout /etc/stunnel/stunnel.pem \ -out /etc/stunnel/stunnel.pem
If a certificate signed by a CA is available, install it onto the pollers as
Next, edit the file
You will need to replace the IP 184.108.40.206 with your poller’s IPv4 address:
chroot = /var/run/stunnel setuid = stunnel setgid = stunnel pid = /stunnel.pid fips = no [cmklivestatus] client = no accept = 220.127.116.11:7556 connect = 127.0.0.1:6557 cert = /etc/stunnel/stunnel.pem key = /etc/stunnel/stunnel.pem sslVersion = TLSv1
Make sure to edit the stunnel config file on all pollers you wish to Livestatus monitor over stunnel. Please be sure to increment the port used with each poller. If you have a second poller it would use port 7557 as an example.
The following step is to be on the Check_MK master server:
Edit the file
You will need to replace the IP 18.104.22.168 with your Check_MK poller’s IPv4 address:
chroot = /var/run/stunnel setuid = stunnel setgid = stunnel pid = /stunnel.pid [cmklivestatus] client = yes accept = 127.0.0.1:7556 connect = 22.214.171.124:7556 sslVersion = TLSv1
If you have more than one poller, you will just duplicate the client definition block and update the block name, IP address, and port accordingly. Here is an example with two pollers being setup for Distributed Monitoring over stunnel:
chroot = /var/run/stunnel setuid = stunnel setgid = stunnel pid = /stunnel.pid [cmklivestatus] client = yes accept = 127.0.0.1:7556 connect = 126.96.36.199:7556 sslVersion = TLSv1 [cmklivestatus2] client = yes accept = 127.0.0.1:7557 connect = 188.8.131.52:7557 sslVersion = TLSv1
The following steps need to be done on all Check_MK servers:
Add firewall rules as appropriate to your Check_MK master and pollers. As an example:
firewall-cmd --permanent --zone=public --add-service=https firewall-cmd --reload
firewall-cmd --permanent --zone=public --add-service=https firewall-cmd --permanent --zone=public --add-port=<stunnelPortNumber>/tcp firewall-cmd --reload
Then, start the stunnel services:
systemctl start stunnel
Once you have successfully started all the stunnel services, you can go into WATO and setup Distributed Monitoring connections. Here is an example of what the config could look like:
If you are having difficulties, please try putting SELinux into permissive mode on each server in the monitoring cluster and restarting all the servers in your monitoring cluster.