Skip to content

Latest commit

 

History

History
878 lines (527 loc) · 31.5 KB

CheckMKServer.md

File metadata and controls

878 lines (527 loc) · 31.5 KB

CheckMKServer

A server that listens for incoming check_mk connection and processes incoming requests.

List of Configuration

Common Keys

Path / Section Key Description
/settings/check_mk/server port PORT NUMBER
/settings/check_mk/server [use ssl](#/settings/check_mk/server_use ssl) ENABLE SSL ENCRYPTION
/settings/default [allowed hosts](#/settings/default_allowed hosts) ALLOWED HOSTS
/settings/default [bind to](#/settings/default_bind to) BIND TO ADDRESS
/settings/default [cache allowed hosts](#/settings/default_cache allowed hosts) CACHE ALLOWED HOSTS
/settings/default inbox INBOX
/settings/default password PASSWORD
/settings/default timeout TIMEOUT

Advanced keys

Path / Section Key Description
/settings/check_mk/server [allowed ciphers](#/settings/check_mk/server_allowed ciphers) ALLOWED CIPHERS
/settings/check_mk/server [allowed hosts](#/settings/check_mk/server_allowed hosts) ALLOWED HOSTS
/settings/check_mk/server [bind to](#/settings/check_mk/server_bind to) BIND TO ADDRESS
/settings/check_mk/server ca CA
/settings/check_mk/server [cache allowed hosts](#/settings/check_mk/server_cache allowed hosts) CACHE ALLOWED HOSTS
/settings/check_mk/server certificate SSL CERTIFICATE
/settings/check_mk/server [certificate format](#/settings/check_mk/server_certificate format) CERTIFICATE FORMAT
/settings/check_mk/server [certificate key](#/settings/check_mk/server_certificate key) SSL CERTIFICATE
/settings/check_mk/server dh DH KEY
/settings/check_mk/server [socket queue size](#/settings/check_mk/server_socket queue size) LISTEN QUEUE
/settings/check_mk/server [ssl options](#/settings/check_mk/server_ssl options) VERIFY MODE
/settings/check_mk/server [thread pool](#/settings/check_mk/server_thread pool) THREAD POOL
/settings/check_mk/server timeout TIMEOUT
/settings/check_mk/server [verify mode](#/settings/check_mk/server_verify mode) VERIFY MODE
/settings/default encoding NRPE PAYLOAD ENCODING
/settings/default [socket queue size](#/settings/default_socket queue size) LISTEN QUEUE
/settings/default [thread pool](#/settings/default_thread pool) THREAD POOL

Configuration

## CHECK MK SERVER SECTION

Section for check_mk (CheckMKServer.dll) protocol options.

# Section for check_mk (CheckMKServer.dll) protocol options.
[/settings/check_mk/server]
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts=127.0.0.1
ca=${certificate-path}/ca.pem
cache allowed hosts=true
certificate=${certificate-path}/certificate.pem
certificate format=PEM
dh=${certificate-path}/nrpe_dh_512.pem
port=6556
socket queue size=0
thread pool=10
timeout=30
use ssl=false
verify mode=none
Key Default Value Description
[allowed ciphers](#/settings/check_mk/server_allowed ciphers) ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH ALLOWED CIPHERS
[allowed hosts](#/settings/check_mk/server_allowed hosts) 127.0.0.1 ALLOWED HOSTS
[bind to](#/settings/check_mk/server_bind to) BIND TO ADDRESS
ca ${certificate-path}/ca.pem CA
[cache allowed hosts](#/settings/check_mk/server_cache allowed hosts) true CACHE ALLOWED HOSTS
certificate ${certificate-path}/certificate.pem SSL CERTIFICATE
[certificate format](#/settings/check_mk/server_certificate format) PEM CERTIFICATE FORMAT
[certificate key](#/settings/check_mk/server_certificate key) SSL CERTIFICATE
dh ${certificate-path}/nrpe_dh_512.pem DH KEY
port 6556 PORT NUMBER
[socket queue size](#/settings/check_mk/server_socket queue size) 0 LISTEN QUEUE
[ssl options](#/settings/check_mk/server_ssl options) VERIFY MODE
[thread pool](#/settings/check_mk/server_thread pool) 10 THREAD POOL
timeout 30 TIMEOUT
[use ssl](#/settings/check_mk/server_use ssl) false ENABLE SSL ENCRYPTION
[verify mode](#/settings/check_mk/server_verify mode) none VERIFY MODE
### allowed ciphers

ALLOWED CIPHERS

The chipers which are allowed to be used. The default here will differ is used in "insecure" mode or not. check_nrpe uses a very old chipers and should preferably not be used. For details of chipers please see the OPEN ssl documentation: https://www.openssl.org/docs/apps/ciphers.html

Key Description
Path: /settings/check_mk/server
Key: allowed ciphers
Advanced: Yes (means it is not commonly used)
Default value: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
Used by: CheckMKServer

Sample

[/settings/check_mk/server]
# ALLOWED CIPHERS
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
### allowed hosts

ALLOWED HOSTS

A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Key Description
Path: /settings/check_mk/server
Key: allowed hosts
Advanced: Yes (means it is not commonly used)
Default value: 127.0.0.1
Used by: CheckMKServer
[/settings/check_mk/server]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
### bind to

BIND TO ADDRESS

Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Key Description
Path: /settings/check_mk/server
Key: bind to
Advanced: Yes (means it is not commonly used)
Default value: N/A
Used by: CheckMKServer
[/settings/check_mk/server]
# BIND TO ADDRESS
bind to=
### ca

CA

Key Description
Path: /settings/check_mk/server
Key: ca
Advanced: Yes (means it is not commonly used)
Default value: ${certificate-path}/ca.pem
Used by: CheckMKServer
[/settings/check_mk/server]
# CA
ca=${certificate-path}/ca.pem
### cache allowed hosts

CACHE ALLOWED HOSTS

If host names (DNS entries) should be cached, improves speed and security somewhat but won't allow you to have dynamic IPs for your Nagios server. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Key Description
Path: /settings/check_mk/server
Key: cache allowed hosts
Advanced: Yes (means it is not commonly used)
Default value: true
Used by: CheckMKServer
[/settings/check_mk/server]
# CACHE ALLOWED HOSTS
cache allowed hosts=true
### certificate

SSL CERTIFICATE

Key Description
Path: /settings/check_mk/server
Key: certificate
Advanced: Yes (means it is not commonly used)
Default value: ${certificate-path}/certificate.pem
Used by: CheckMKServer
[/settings/check_mk/server]
# SSL CERTIFICATE
certificate=${certificate-path}/certificate.pem
### certificate format

CERTIFICATE FORMAT

Key Description
Path: /settings/check_mk/server
Key: certificate format
Advanced: Yes (means it is not commonly used)
Default value: PEM
Used by: CheckMKServer
[/settings/check_mk/server]
# CERTIFICATE FORMAT
certificate format=PEM
### certificate key

SSL CERTIFICATE

Key Description
Path: /settings/check_mk/server
Key: certificate key
Advanced: Yes (means it is not commonly used)
Default value: N/A
Used by: CheckMKServer
[/settings/check_mk/server]
# SSL CERTIFICATE
certificate key=
### dh

DH KEY

Key Description
Path: /settings/check_mk/server
Key: dh
Advanced: Yes (means it is not commonly used)
Default value: ${certificate-path}/nrpe_dh_512.pem
Used by: CheckMKServer
[/settings/check_mk/server]
# DH KEY
dh=${certificate-path}/nrpe_dh_512.pem
### port

PORT NUMBER

Port to use for check_mk.

Key Description
Path: /settings/check_mk/server
Key: port
Default value: 6556
Used by: CheckMKServer
[/settings/check_mk/server]
# PORT NUMBER
port=6556
### socket queue size

LISTEN QUEUE

Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Key Description
Path: /settings/check_mk/server
Key: socket queue size
Advanced: Yes (means it is not commonly used)
Default value: 0
Used by: CheckMKServer
[/settings/check_mk/server]
# LISTEN QUEUE
socket queue size=0
### ssl options

VERIFY MODE

Comma separated list of verification flags to set on the SSL socket.

default-workarounds Various workarounds for what I understand to be broken ssl implementations
no-sslv2 Do not use the SSLv2 protocol.
no-sslv3 Do not use the SSLv3 protocol.
no-tlsv1 Do not use the TLSv1 protocol.
single-dh-use Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using "strong" primes (e.g. when using DSA-parameters).
Key Description
Path: /settings/check_mk/server
Key: ssl options
Advanced: Yes (means it is not commonly used)
Default value: N/A
Used by: CheckMKServer
[/settings/check_mk/server]
# VERIFY MODE
ssl options=
### thread pool

THREAD POOL

parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Key Description
Path: /settings/check_mk/server
Key: thread pool
Advanced: Yes (means it is not commonly used)
Default value: 10
Used by: CheckMKServer
[/settings/check_mk/server]
# THREAD POOL
thread pool=10
### timeout

TIMEOUT

Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Key Description
Path: /settings/check_mk/server
Key: timeout
Advanced: Yes (means it is not commonly used)
Default value: 30
Used by: CheckMKServer
[/settings/check_mk/server]
# TIMEOUT
timeout=30
### use ssl

ENABLE SSL ENCRYPTION

This option controls if SSL should be enabled.

Key Description
Path: /settings/check_mk/server
Key: use ssl
Default value: false
Used by: CheckMKServer
[/settings/check_mk/server]
# ENABLE SSL ENCRYPTION
use ssl=false
### verify mode

VERIFY MODE

Comma separated list of verification flags to set on the SSL socket.

none The server will not send a client certificate request to the client, so the client will not send a certificate.
peer The server sends a client certificate request to the client and the certificate returned (if any) is checked.
fail-if-no-cert if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer.
peer-cert Alias for peer and fail-if-no-cert.
workarounds Various bug workarounds.
single Always create a new key when using tmp_dh parameters.
client-once Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer
Key Description
Path: /settings/check_mk/server
Key: verify mode
Advanced: Yes (means it is not commonly used)
Default value: none
Used by: CheckMKServer
[/settings/check_mk/server]
# VERIFY MODE
verify mode=none
## REMOTE TARGET DEFINITIONS
# 
[/settings/check_mk/server/scripts]
##
# 
[/settings/default]
allowed hosts=127.0.0.1
cache allowed hosts=true
inbox=inbox
socket queue size=0
thread pool=10
timeout=30
Key Default Value Description
[allowed hosts](#/settings/default_allowed hosts) 127.0.0.1 ALLOWED HOSTS
[bind to](#/settings/default_bind to) BIND TO ADDRESS
[cache allowed hosts](#/settings/default_cache allowed hosts) true CACHE ALLOWED HOSTS
encoding NRPE PAYLOAD ENCODING
inbox inbox INBOX
password PASSWORD
[socket queue size](#/settings/default_socket queue size) 0 LISTEN QUEUE
[thread pool](#/settings/default_thread pool) 10 THREAD POOL
timeout 30 TIMEOUT
### allowed hosts

ALLOWED HOSTS

A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.

Key Description
Path: /settings/default
Key: allowed hosts
Default value: 127.0.0.1
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
### bind to

BIND TO ADDRESS

Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses.

Key Description
Path: /settings/default
Key: bind to
Default value: N/A
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# BIND TO ADDRESS
bind to=
### cache allowed hosts

CACHE ALLOWED HOSTS

If host names (DNS entries) should be cached, improves speed and security somewhat but won't allow you to have dynamic IPs for your Nagios server.

Key Description
Path: /settings/default
Key: cache allowed hosts
Default value: true
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# CACHE ALLOWED HOSTS
cache allowed hosts=true
### encoding

NRPE PAYLOAD ENCODING

Key Description
Path: /settings/default
Key: encoding
Advanced: Yes (means it is not commonly used)
Default value: N/A
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# NRPE PAYLOAD ENCODING
encoding=
### inbox

INBOX

The default channel to post incoming messages on

Key Description
Path: /settings/default
Key: inbox
Default value: inbox
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# INBOX
inbox=inbox
### password

PASSWORD

Password used to authenticate against server

Key Description
Path: /settings/default
Key: password
Default value: N/A
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# PASSWORD
password=
### socket queue size

LISTEN QUEUE

Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts.

Key Description
Path: /settings/default
Key: socket queue size
Advanced: Yes (means it is not commonly used)
Default value: 0
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# LISTEN QUEUE
socket queue size=0
### thread pool

THREAD POOL

Key Description
Path: /settings/default
Key: thread pool
Advanced: Yes (means it is not commonly used)
Default value: 10
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# THREAD POOL
thread pool=10
### timeout

TIMEOUT

Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.

Key Description
Path: /settings/default
Key: timeout
Default value: 30
Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer
[/settings/default]
# TIMEOUT
timeout=30