CheckMKServer
A server that listens for incoming check_mk connections and processes incoming requests.
Enable module
To enable this module and allow using the commands, you need to add CheckMKServer = enabled to the [/modules] section in nsclient.ini:
[/modules]
CheckMKServer = enabled
Configuration
| Path / Section | Description |
|---|---|
| /settings/check_mk/server | CHECK MK SERVER SECTION |
| /settings/check_mk/server/scripts | REMOTE TARGET DEFINITIONS |
| /settings/default | Default values |
CHECK MK SERVER SECTION
Section for check_mk (CheckMKServer.dll) protocol options.
| Key | Default Value | Description |
|---|---|---|
| allowed ciphers | ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH | ALLOWED CIPHERS |
| allowed hosts | 127.0.0.1 | ALLOWED HOSTS |
| bind to | | BIND TO ADDRESS |
| ca | ${certificate-path}/ca.pem | CA |
| cache allowed hosts | true | CACHE ALLOWED HOSTS |
| certificate | ${certificate-path}/certificate.pem | SSL CERTIFICATE |
| certificate format | PEM | CERTIFICATE FORMAT |
| certificate key | | SSL CERTIFICATE |
| debug verify | false | Debug peer certificate verification |
| dh | | DH KEY |
| port | 6556 | PORT NUMBER |
| socket queue size | 0 | LISTEN QUEUE |
| ssl options | | VERIFY MODE |
| thread pool | 10 | THREAD POOL |
| timeout | 30 | TIMEOUT |
| tls version | tlsv1.2+ | TLS version to use |
| use ssl | false | ENABLE SSL ENCRYPTION |
| verify mode | none | VERIFY MODE |
# Section for check_mk (CheckMKServer.dll) protocol options.
[/settings/check_mk/server]
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts=127.0.0.1
ca=${certificate-path}/ca.pem
cache allowed hosts=true
certificate=${certificate-path}/certificate.pem
certificate format=PEM
debug verify=false
port=6556
socket queue size=0
thread pool=10
timeout=30
tls version=tlsv1.2+
use ssl=false
verify mode=none
ALLOWED CIPHERS
The ciphers which are allowed to be used. The default here will differ depending on whether "insecure" mode is used or not. check_nrpe uses very old ciphers and should preferably not be used. For details of ciphers please see the OpenSSL documentation: https://www.openssl.org/docs/apps/ciphers.html
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | allowed ciphers |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# ALLOWED CIPHERS
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
ALLOWED HOSTS
A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | allowed hosts |
| Default value: | 127.0.0.1 |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
BIND TO ADDRESS
Allows you to bind the server to a specific local address. This has to be a dotted IP address, not a host name. Leaving this blank will bind to all available IP addresses.
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | bind to |
| Default value: | N/A |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# BIND TO ADDRESS
bind to=
CA
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | ca |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | ${certificate-path}/ca.pem |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# CA
ca=${certificate-path}/ca.pem
CACHE ALLOWED HOSTS
Whether host names (DNS entries) should be cached. Caching improves speed and security somewhat but won't allow you to have dynamic IPs for your Nagios server.
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | cache allowed hosts |
| Default value: | true |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# CACHE ALLOWED HOSTS
cache allowed hosts=true
SSL CERTIFICATE
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | certificate |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | ${certificate-path}/certificate.pem |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# SSL CERTIFICATE
certificate=${certificate-path}/certificate.pem
CERTIFICATE FORMAT
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | certificate format |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | PEM |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# CERTIFICATE FORMAT
certificate format=PEM
SSL CERTIFICATE
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | certificate key |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | N/A |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# SSL CERTIFICATE
certificate key=
Debug peer certificate verification
Set this to true to output certificate verification errors. These are written to stdout (not the log).
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | debug verify |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | false |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# Debug peer certificate verification
debug verify=false
DH KEY
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | dh |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | N/A |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# DH KEY
dh=
PORT NUMBER
Port to use for check_mk.
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | port |
| Default value: | 6556 |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# PORT NUMBER
port=6556
LISTEN QUEUE
Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts.
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | socket queue size |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | 0 |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# LISTEN QUEUE
socket queue size=0
VERIFY MODE
Comma separated list of verification flags to set on the SSL socket.
| Option | Description |
|---|---|
| default-workarounds | Various workarounds for what I understand to be broken ssl implementations. |
| no-sslv2 | Do not use the SSLv2 protocol (prefer tls version instead). |
| no-sslv3 | Do not use the SSLv3 protocol (prefer tls version instead). |
| no-tlsv1 | Do not use the TLSv1 protocol (prefer tls version instead). |
| no-tlsv1_1 | Do not use the TLSv1.1 protocol (prefer tls version instead). |
| no-tlsv1_2 | Do not use the TLSv1.2 protocol (prefer tls version instead). |
| no-tlsv1_3 | Do not use the TLSv1.3 protocol (prefer tls version instead). |
| single-dh-use | Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using "strong" primes (e.g. when using DSA-parameters). |
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | ssl options |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | N/A |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# VERIFY MODE
ssl options=
THREAD POOL
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | thread pool |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | 10 |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# THREAD POOL
thread pool=10
TIMEOUT
Timeout (in seconds) when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | timeout |
| Default value: | 30 |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# TIMEOUT
timeout=30
TLS version to use
Valid options are tlsv1.3, tlsv1.2, tlsv1.1, tlsv1.0, sslv3 as well as tlsv1.3+, tlsv1.2+, tlsv1.1+, tlsv1.0+, sslv3+ (which use the version mentioned and above).
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | tls version |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | tlsv1.2+ |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# TLS version to use
tls version=tlsv1.2+
ENABLE SSL ENCRYPTION
This option controls if SSL should be enabled.
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | use ssl |
| Default value: | false |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# ENABLE SSL ENCRYPTION
use ssl=false
VERIFY MODE
Comma separated list of verification flags to set on the SSL socket.
| Flag | Description |
|---|---|
| none | The server will not send a client certificate request to the client, so the client will not send a certificate. |
| peer | The server sends a client certificate request to the client and the certificate returned (if any) is checked. |
| fail-if-no-cert | If the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer. |
| peer-cert | Alias for peer and fail-if-no-cert. |
| workarounds | Various bug workarounds. |
| single | Always create a new key when using tmp_dh parameters. |
| client-once | Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer. |
| Key | Description |
|---|---|
| Path: | /settings/check_mk/server |
| Key: | verify mode |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | none |
| Used by: | CheckMKServer |
Sample:
[/settings/check_mk/server]
# VERIFY MODE
verify mode=none
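The settings above decide whether the listener is encrypted, whether the peer must present a certificate, and who may connect. The following Python audit is an added example, not part of NSClient++ or its documentation: it reads an nsclient.ini and reports the CheckMKServer keys left at weak values. The function name, finding texts and sample configurations are constructed for illustration, and inheritance from /settings/default is not modelled.

```python
import configparser

SECTION = "/settings/check_mk/server"
# Defaults copied from the reference tables on this page ("bind to" has none).
DEFAULTS = {"use ssl": "false", "verify mode": "none", "tls version": "tlsv1.2+",
            "allowed hosts": "127.0.0.1", "bind to": ""}
OLD_TLS = {"sslv3", "sslv3+", "tlsv1.0", "tlsv1.0+", "tlsv1.1", "tlsv1.1+"}

def audit(ini_text):
    """Return (key, finding) pairs for the CheckMKServer listener settings."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)

    def get(key):
        return cfg.get(SECTION, key, fallback=DEFAULTS[key]).strip().lower()

    def items(key):
        return {v.strip() for v in get(key).split(",") if v.strip()}

    findings = []
    # Assumption: booleans are written true/false, as in the page's samples.
    if get("use ssl") != "true":
        findings.append(("use ssl", "traffic is not encrypted"))
    flags = items("verify mode")
    # peer alone checks a certificate only if one is sent; the page says
    # fail-if-no-cert must accompany it, and peer-cert is the alias for both.
    if "peer-cert" not in flags and not {"peer", "fail-if-no-cert"} <= flags:
        findings.append(("verify mode", "client certificate not required"))
    if get("tls version") in OLD_TLS:
        findings.append(("tls version", "allows protocols older than TLS 1.2"))
    if any("*" in h or h.endswith("/0") for h in items("allowed hosts")):
        findings.append(("allowed hosts", "wildcard or /0 range"))
    if not get("bind to"):
        findings.append(("bind to", "listens on all local addresses"))
    return findings

# Constructed sample inputs (192.0.2.x is a documentation address range).
PAGE_DEFAULTS_INI = """[/settings/check_mk/server]
allowed hosts=127.0.0.1
tls version=tlsv1.2+
use ssl=false
verify mode=none
"""
HARDENED_INI = """[/settings/check_mk/server]
use ssl=true
verify mode=peer-cert
tls version=tlsv1.2+
allowed hosts=192.0.2.10
bind to=192.0.2.20
"""

if __name__ == "__main__":
    for key, finding in audit(PAGE_DEFAULTS_INI):
        print(f"{key}: {finding}")
```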
REMOTE TARGET DEFINITIONS
This is a section of objects. This means that you will create objects below this point by adding sections which all look the same.
Default values
Default values used in other config sections.
| Key | Default Value | Description |
|---|---|---|
| allowed hosts | 127.0.0.1 | ALLOWED HOSTS |
| bind to | | BIND TO ADDRESS |
| cache allowed hosts | true | CACHE ALLOWED HOSTS |
| encoding | | NRPE PAYLOAD ENCODING |
| inbox | inbox | INBOX |
| password | | Password |
| socket queue size | 0 | LISTEN QUEUE |
| thread pool | 10 | THREAD POOL |
| timeout | 30 | TIMEOUT |
# Default values used in other config sections.
[/settings/default]
allowed hosts=127.0.0.1
cache allowed hosts=true
inbox=inbox
socket queue size=0
thread pool=10
timeout=30
ALLOWED HOSTS
A comma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | allowed hosts |
| Default value: | 127.0.0.1 |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
BIND TO ADDRESS
Allows you to bind the server to a specific local address. This has to be a dotted IP address, not a host name. Leaving this blank will bind to all available IP addresses.
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | bind to |
| Default value: | N/A |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# BIND TO ADDRESS
bind to=
CACHE ALLOWED HOSTS
Whether host names (DNS entries) should be cached. Caching improves speed and security somewhat but won't allow you to have dynamic IPs for your Nagios server.
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | cache allowed hosts |
| Default value: | true |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# CACHE ALLOWED HOSTS
cache allowed hosts=true
NRPE PAYLOAD ENCODING
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | encoding |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | N/A |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# NRPE PAYLOAD ENCODING
encoding=
INBOX
The default channel to post incoming messages on.
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | inbox |
| Default value: | inbox |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# INBOX
inbox=inbox
Password
Password used to authenticate against the server.
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | password |
| Default value: | N/A |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# Password
password=
LISTEN QUEUE
Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts.
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | socket queue size |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | 0 |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# LISTEN QUEUE
socket queue size=0
THREAD POOL
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | thread pool |
| Advanced: | Yes (means it is not commonly used) |
| Default value: | 10 |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# THREAD POOL
thread pool=10
TIMEOUT
Timeout (in seconds) when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.
| Key | Description |
|---|---|
| Path: | /settings/default |
| Key: | timeout |
| Default value: | 30 |
| Used by: | CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer |
Sample:
[/settings/default]
# TIMEOUT
timeout=30