Currently I’m sitting on a problem for a project where I’m a bit missing the approach. I would like to monitor our clients, workstations as well as notebooks. The workstations are not a problem at first, they have a fixed IP address and are connected to our network. So far so good. But the notebooks make me a bit desperate.
My approach was to install an Icinga client on the notebooks. But how do I get it to dump the info to the server? The problem is that I can’t use port 5665 for a bi-directional connection in this case. But it must rather run according to the principle:
The notebooks do the checks themselves via their local 127.0.0.1 IP address and then report the result to the Icinga master via the Internet. For me only the 127.0.0.1 IP address is really left over, because the notebooks are constantly located somewhere else and therefore have different IP addresses. They change with their location in the home WLAN, office WLAN, the hotel WLAN, connection via LTE and and and…
In principle, I would like to have it like in the attached graphic. But: I am missing the approach. Because if I look at the graphic about zones in the Distributed Monitoring of the Icinga documentation, it is always a bi-directional connection. But I only have a one-way connection, because only the notebooks can reach the Icinga server but not the other way around.
Does anyone have a smart approach for me or can at least nudge me in the right direction please? My feeling is that it’s basically quite simple but I don’t see it right now…
There is no need for a bi-directional connection, just let the clients connect to the server. Perhaps to separate the clients from the servers I would create a satellite below the master only responsible for them.
So I am not sure if opening port 5665 up to the Internet is a great idea, but a VPN should be ok for security.
And while technically possible I would not make the clients schedule their own checks unless it is really required to have them report a state also for when they were not connected. I would use the check command cluster_zone for the Host, so I can easily see which ones are connected, and then also add an explicit dependency to override the implicit one to be able to deactivate checks by setting disable_checks to true.
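A configuration sketch of the setup described in the reply above (laptops connect inbound only, a satellite zone for them, cluster-zone as the host check, an explicit dependency with disable_checks). This is an added example, not part of the reply or of the Icinga project; zone, endpoint and host names are assumed.

```icinga2
/* zones.conf, identical on master and satellite.
   Names are assumed for this example. */
object Endpoint "master.example.com" { }
object Zone "master" { endpoints = [ "master.example.com" ] }

/* Satellite below the master, only responsible for the laptops. */
object Endpoint "satellite.example.com" {
  host = "satellite.example.com"      /* master connects to satellite */
}
object Zone "satellite" {
  endpoints = [ "satellite.example.com" ]
  parent = "master"
}

/* Laptop endpoint: no "host" attribute on purpose, so the satellite never
   tries to connect out; the laptop opens the TLS session (one-way). */
object Endpoint "notebook-01.example.com" { }
object Zone "notebook-01.example.com" {
  endpoints = [ "notebook-01.example.com" ]
  parent = "satellite"
}

/* zones.d/satellite/notebooks.conf on the master: objects checked by the
   satellite. cluster-zone reports whether the laptop zone is connected. */
object Host "notebook-01.example.com" {
  check_command = "cluster-zone"
  vars.cluster_zone = "notebook-01.example.com"
  vars.roaming_client = true
}

/* Service checks are scheduled by the satellite and executed on the laptop
   via command_endpoint, so the laptop does not schedule its own checks. */
apply Service "disk" {
  check_command = "disk"
  command_endpoint = host.name
  assign where host.vars.roaming_client == true
}

/* Explicit dependency overriding the implicit host->service one: while the
   laptop is disconnected (host DOWN), service checks are not scheduled at
   all instead of failing with UNKNOWN until the laptop reconnects. */
apply Dependency "roaming-client-connected" to Service {
  parent_host_name = host.name
  disable_checks = true
  disable_notifications = true
  assign where host.vars.roaming_client == true
}
```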
@dgoetz thanks for your help in the other topic too, again. It works now like I thought and painted in the picture above. But the main question which I still have: You wrote “I am not sure, if opening port 5665 up to the Internet is a great idea”.
What are your thoughts on this? Spontaneously, I don’t see any problems, but maybe I’m missing something. Maybe you can help @dnsmichi ?
While it is not a reserved port, 5665 is probably well-known. So if the port is open, a scan will quite easily reveal an installation of Icinga 2. So if there is some vulnerability and it is exposed to the public this is more critical than normal. Also I am pretty sure that scans already result in a bloated log, someone can easily request a certificate and if erroneously signed get too much information about the environment without an easy revocation of the certificate, and many more scenarios which make me think it is not a good idea.