Support and questions about distributed monitoring

Hello,

I’m quite insecure about the distributed monitoring in my case:

I currently have an OnPrem Master running as a CentOS 8 Virtual Machine in our internal network (Icinga 2.13.2-1, web 2-9-5, director 1.9.0)

In a project we got new externally hosted machines (ionos 1and1 monitoring is pretty limited and does not give me the needed information)

I already set up a satellite instance of Icinga in our DMZ network which works flawlessly in communication with the internal network.

Here is where my insecurities about the correct deployment start:

I tried to set up the externally hosted machine as an additional satellite which has its parent on the DMZ satellite instance (used our firewall to set up rules so that only the IP of the externally hosted machine can access port 5665 on the DMZ satellite)

After importing the new satellite to the master, I set up a new host which is only accessible from the externally hosted machine, but the hostalive check doesn't finish and stays outstanding.

I didn't find anything on stacking satellites; maybe it's a design problem on my side. Here is a picture of how I thought this design could work:

zones.conf from master:

```
object Endpoint "dmz-satellite" {
}

object Zone "dmz-satellite" {
        endpoints = ["dmz-satellite"]
        parent = "internal master"
}

object Endpoint "external hosted server" {
}

object Zone "external hosted server" {
        endpoints = ["external hosted server"]
        parent = "dmz-satellite"
}
```

I'm happy for every input and correction :slight_smile:

Hi, I don’t see a problem with your design at the moment. Have you ever tried to query the host via the DMZ satellite? What do the uptime statistics of the satellites say? Have you blocked the interface rolls in the firewall or not released the port in both directions?

As you do not share enough details, here are some general hints. With cluster-zone you can define checks which inform you whether a zone is connected or not. Second, in icinga2.log of all Icinga instances you'll find hints about connection tries and failures.

Hey, thanks for your message. I think the firewall isn't an issue as I created rules, meaning:

Internal master connects successfully to DMZ-Satellite and DMZ-Satellite connects to the Internal master successfully.

The DMZ-Satellite connects successfully to the external hosted server and the external hosted server connects to the DMZ-Satellite successfully.

Hello Roland, thanks for the hint about cluster-zone, will look into it. Here is some more information I have found.

icinga2.log on the DMZ-Satellite:

Ignoring config update from endpoint ‘Internal Master’ for unknown zone ‘External hosted server’

So there is something wrong in a zones.conf?

Here is the zones.conf from the DMZ-Satellite:

```
object Endpoint "internal master" {
        host = "internal master"
        port = "5665"
}

object Zone "master" {
        endpoints = [ "internal master" ]
}

object Endpoint "dmz-satellite" {
}

object Zone "dmz-satellite" {
        endpoints = [ "dmz-satellite" ]
        parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}
```

Here is the zones.conf from the external hosted server:

```
object Endpoint "dmz-satellite" {
        host = "x.x.x.x"
        port = "5665"
}

object Zone "master" {
        endpoints = [ "dmz-satellite" ]
}

object Endpoint "external hosted server" {
}

object Zone "external hosted server" {
        endpoints = [ "external hosted server" ]
        parent = "master"
}

object Zone "global-templates" {
        global = true
}

object Zone "director-global" {
        global = true
}
```

If I run `icinga2 daemon -C` on all servers there are no errors and everything is green…
Here is a screenshot from the Director with the endpoints:

You have defined a zone called master with two different endpoints and I’m not sure if this would work. As it is confusing anyway I’d not do it.

Hello Roland, thanks for your reply! For my understanding: I have to set different endpoints?

The endpoint for the external hosted satellite is the dmz-satellite (?)
The endpoint for the dmz-satellite is the internal master (?)

So that the external hosted satellite uses the dmz-satellite as a bridge and I don't need to forward any ports from the internal master to the WWW (?)

I was talking about this:

Yes, I know that you were referring to these two distinctions… Is it a mistake like this?

I cannot understand how the external hosted satellite should communicate with the internal master without using the dmz-satellite as a bridge, which means to me that the parent for the external hosted server is the dmz-satellite?

Wouldn't you want to define both in the same stanza, like this?

```
object Zone "master" {
        endpoints = [ "dmz-satellite", "internal master" ]
}
```

Hmmm, I changed the zones.conf on the external site like this without success…
I'm already thinking about making the dmz-satellite a standalone extra master and configuring the external server as a satellite; maybe I'm more successful with this solution.

You need something like this:

```
object Zone "master" {
        endpoints = [ "internal master" ]
}

object Endpoint "internal master" {
}

object Zone "dmz-satellite" {
        endpoints = [ "dmz-satellite" ]
        parent = "master"
}

object Endpoint "dmz-satellite" {
}

object Zone "external-satellite" {
        endpoints = [ "external-satellite" ]
        parent = "dmz-satellite"
}

object Endpoint "external-satellite" {
}

object Zone "external hosted server" {
        endpoints = ["external hosted server"]
        parent = "external-satellite"
}

object Endpoint "external hosted server" {
}
```

Easiest is to have this on every node and add host and port on those nodes which shall initiate the cluster connection.
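Added example, not from the thread or from Icinga itself: a small Python checker that parses the Zone objects out of two nodes' zones.conf files and reports the two mismatches this thread ran into, a zone that only one side knows (what makes a node log "Ignoring config update ... for unknown zone") and one zone name carrying different endpoints or parents on each side. It assumes the flat Zone object subset of the Icinga 2 DSL; the sample configs are the DMZ satellite's and external server's files from above, cut to one object per line.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed samples: the DMZ satellite's and the external server's zones.conf from the
# thread, cut to one object per line and without the two global zones.
DMZ_CONF = """
object Endpoint "internal master" { host = "internal master"  port = "5665" }
object Zone "master" { endpoints = [ "internal master" ] }
object Endpoint "dmz-satellite" { }
object Zone "dmz-satellite" { endpoints = [ "dmz-satellite" ]  parent = "master" }
"""
EXTERNAL_CONF = """
object Endpoint "dmz-satellite" { host = "x.x.x.x"  port = "5665" }
object Zone "master" { endpoints = [ "dmz-satellite" ] }
object Endpoint "external hosted server" { }
object Zone "external hosted server" { endpoints = [ "external hosted server" ]  parent = "master" }
"""

# Only flat Zone objects of the Icinga 2 DSL are recognised (no nested braces); Endpoints are skipped.
ZONE_RE = re.compile(r'object\s+Zone\s+"([^"]+)"\s*\{([^}]*)\}')
LIST_RE = re.compile(r'endpoints\s*=\s*\[([^\]]*)\]')
PARENT_RE = re.compile(r'parent\s*=\s*"([^"]+)"')


def parse_zones(text: str) -> Dict[str, Tuple[FrozenSet[str], str]]:
    """Zone name -> (endpoint names, parent zone or '' for a top-level zone)."""
    zones: Dict[str, Tuple[FrozenSet[str], str]] = {}
    for name, body in ZONE_RE.findall(text):
        lst, parent = LIST_RE.search(body), PARENT_RE.search(body)
        eps = frozenset(re.findall(r'"([^"]+)"', lst.group(1))) if lst else frozenset()
        zones[name] = (eps, parent.group(1) if parent else "")
    return zones

def compare_nodes(name_a: str, zones_a, name_b: str, zones_b) -> List[str]:
    """Mismatches between two nodes' zone trees: a zone only one side knows (the cause of
    'Ignoring config update ... for unknown zone'), or one zone name with different
    endpoints or a different parent on each side."""
    findings: List[str] = []
    for z in sorted(zones_a.keys() | zones_b.keys()):
        if z not in zones_b:
            findings.append(f"zone '{z}' is unknown on {name_b}")
        elif z not in zones_a:
            findings.append(f"zone '{z}' is unknown on {name_a}")
        else:
            (eps_a, par_a), (eps_b, par_b) = zones_a[z], zones_b[z]
            if eps_a != eps_b:
                findings.append(f"zone '{z}': endpoints {sorted(eps_a)} on {name_a} vs {sorted(eps_b)} on {name_b}")
            if par_a != par_b:
                findings.append(f"zone '{z}': parent '{par_a}' on {name_a} vs '{par_b}' on {name_b}")
    return findings
```

Run against the two sample files it reports three findings: the "master" zone with different endpoints on each side, and each satellite zone being unknown to the other node; with the unified zones.conf from the answer above on both nodes it reports nothing.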

Ah, from your previous configuration, I thought that was already supposed to be another master node. If that wasn't intended, then definitely don't do what I recommended!