Looking for:
Download check_mk_agent.exe |
Download check_mk_agent.exe
We highly recommend using Checkmk only in combination with OMD. You can also find the stand-alone source code of Checkmk here. These downloads are typically only relevant for you if you:. If you are a common user of Checkmk we recommend to use the download page. Note I : All packages are platform independent. The source codes are only contained in the complete tarball. Note II : We do not provide the agent installers and packages as dedicated downloads anymore, but they are packed in the complete tarball.
If you are using our subscription builds, you can download the agents from the Agent Bakery. On most distributions these compilers are available from addon repositories or third party sources.
It will inform you about manual actions that may be required. Sources Download. These downloads are typically only relevant for you if you: are a package maintainer use Checkmk in some kind of special environment If you are a common user of Checkmk we recommend to use the download page.
Latest versions Checkmk 2. You can create your local clone with:. Product Back Product. Back Solutions. Back Use Cases. Back Learn. Back Resources. Back Trainings. Back Community. Download Checkmk. Checkmk with OMD.
Download check_mk_agent.exe.File details of most used file with name "check_mk_agent.exe"
Then the Setup wizard presents you with the following page:. The choices on this page are relevant to you only if a Windows agent is already installed on the host and it is older than version 1. In version 1. If you are updating or migrating from a Windows agent before version 1. There you will learn which of the provided options you should select in this particular update case.
In all other cases, we recommend selecting the Clean installation. Confirm the start of the installation and then allow the installation program to make changes in the User Account Control dialog.
When finished, you can exit the Setup wizard. After the installation, the agent will immediately start as a Windows service and be ready to monitor the system. Via the command line, Windows provides administrators with msiexec the possibility to install MSI packages automatically without user interaction. An automated installation can then look like this, for example:. So this method is great for automatically rolling out the agent to many hosts.
You can also use this method to select the three options that were offered to you during the manual installation in the Setup wizard. For each option, there is an identifier that you can use for the installation command:.
Remove Legacy Windows Agent pre 1. Migrate from Legacy Windows Agent pre 1. To explicitly disable an option, you must add two more quotation marks following the equal sign:. For a detailed description of this, see the general article on agents. The installation of the baked MSI package is then done again exactly as described above. If you use the Agent Bakery, you can set up automatic updates of the agent.
These are described in their own article. You do not need to customize the program-specific files. The host-specific files are used to store plug-ins, log and configuration files and to configure the behavior of the agent. If an option has been set in multiple files, then the last file read in determines the content of this option. As you may have already recognized from the file extension of the configuration files, YAML is used as the file format.
After installing the agent including the Agent Controller, the next step is the registration , which sets up TLS encryption so that the encrypted agent output can be decrypted by the Checkmk server and displayed in monitoring. There is a special feature when the agent was installed with the Agent Controller for the first time. Then the agent switches to the unencrypted legacy pull mode so that the Checkmk server is not cut off from the monitoring data and can continue to display it.
This applies to a new installation as well as to an update of an agent of version 2. After registration, only encrypted pull mode is used for communication. The legacy pull mode is switched off and will remain so. However, it can be switched on again by command if necessary. The case is different if the agent is installed on very old Windows systems. The installation of the agent may be successful. However, if the Agent Controller cannot be started due to API incompatibilities, the unencrypted transfer is resorted to.
Without Agent Controller, registration is not possible and the only communication path remains the legacy mode. In legacy mode, only the sections in the Registration chapter are relevant for adding the host to the Setup and then to the monitoring.
In the chapter Testing and troubleshooting you must omit the test for calling the Agent Controller, because it is not available in legacy mode. Since there is also no TLS encryption without Agent Controller, you have to use other methods of encryption if required. Note: In the Checkmk Agent installation auditing rule set you will find various settings to check the state of the agent and make it visible in monitoring.
Immediately after the installation of the new agent also as an update of an agent of version 2. An exclusively encrypted data transmission is only active after a trust relationship has been established. This chapter shows how to do this.
For this purpose, a good choice is the automation user , which is automatically created with every Checkmk installation and whose password you can randomly generate. Note: Since there is no Agent Controller, and thus no registry and TLS encryption, on very old Windows systems , you have to use other methods of encryption if required. In this case we recommend using the built-in symmetric encryption with the rule Encryption Linux, Windows or to set up an SSH tunnel.
A host must exist in the configuration environment before it can be registered. The registration is done using the Agent Controller cmk-agent-ctl , which provides a command interface for configuring the connections.
You can use the cmk-agent-ctl help command to display help on the options. Now go to the host that is to be registered. Here you have to make a request to the Checkmk site with administrator rights:. The host name following the --hostname option must be exactly the same as it was when it was created in the Setup. The --server and --site options specify the name of the Checkmk server and the site. The server name may also be the IP address, the site name here mysite corresponds to the one you see in the URL path of the web interface.
The options are completed by the name and password for the automation user. If you omit the --password option, the password will be requested interactively. If the specified values were correct, you will be asked to confirm the identity of the Checkmk site to which you want to connect. We have shortened the server certificate to be confirmed for clarity:. If no error message is displayed, the encrypted connection has been established. All data will be transmitted in compressed form via this connection.
The cmk-agent-ctl status command now shows exactly one trust relationship with the Checkmk server:. Note: There can only ever be one trust relationship between host and site. For example, if you register an already registered host mynewhost under a different name mynewhost2 but with the same IP address, then the new connection will replace the existing one.
The connection from mynewhost to the site will be disconnected and no more agent data will be supplied to the host for monitoring. For easier registration of multiple hosts, any host on which the agent is installed can perform registration on behalf of others. This exports a JSON file, which can then be transferred to the target host and imported there. Again, as before, the host being registered in the job must already be set up on the site. First, the registration is performed on any host in the Setup by proxy.
Here, of course, the Checkmk server comes in handy, as it is usually the first host to be set up. As with the example above, you can provide the password by job option or be asked for it interactively if you omit the --password option. We redirect the JSON output to a file in the example:. Once the registration is complete, perform a connection test and a service discovery in the Checkmk server Setup. Then, as the last step include the discovered services in the monitoring by activating the changes.
If the connection test fails, refer to the following chapter for testing and troubleshooting information. On a host connected to the Checkmk server, you can revoke the trust. Here, in the following command, the Universally Unique Identifier UUID to specify is the one output by the cmk-agent-ctl status command:.
To delete all connections from the host and additionally restore legacy pull mode, enter the following command:. After that, the agent behaves as it did after the initial installation and before the first registration and sends its data unencrypted. In case you prefer the command line: On the Checkmk server, for each connection of a host that is in monitoring, there is a soft link with the UUID that points to the folder with the agent output:.
A modular system may not work as intended in many situations. Since the introduction with 2. When troubleshooting, a structured approach is thus recommended.
You can of course also use the step-by-step analysis described here to get to know the data collection and communication provided by Checkmk in more detail. All of the diagnostic options that are available from the Checkmk server side are described in the general article on monitoring agents. But, of course, there are other diagnostics available when logged in directly to the monitored host itself. In most cases, after correcting an error, you can restart the service discovery and complete the inclusion in monitoring.
To check that the configuration has been read in as expected, call the agent program with the showconfig option. With this option you will not only get the configuration as it is currently used by the agent, but additionally, the environment variables as well as the configuration files in use will always be displayed.
If only a certain part of the configuration is of interest, you can limit the output to that specific part. Here, for example, it is checked whether the options in the ps section have been set correctly:. In this way you get a quick overview of how the three different configuration files have been merged and used by the agent program.
Errors will be immediately visible. The agent program is a simple Windows executable that obtains data from your system and outputs it as loosely-formatted text. You can call this program directly from the command line. With the test parameter it prints everything to standard output. With the help option you get, among other things, a detailed and complete list of options available to you beyond those described here.
Since the output can be a bit long, the more pager, with which you can exit from the output with the Q key, is very handy here:. Since the agent program listens on the local loopback interface As second step a connection to the Agent Receiver is established to request the certificate. You can simulate the first request on the host with a program like curl :. The parameter --insecure instructs curl to skip the certificate check. This behavior reflects the behavior of the Agent Controller in this step.
The response is only a few bytes, containing the port number of the Agent Receiver. For the first site this is usually just , for the second and so on.
Common problems regarding this request are:. When the curl command fails you might change routing or firewall settings to enable access, respectively add the internal CA to the trust chain of the host. Use the additional Flag --detect-proxy to instruct cmk-agent-ctl to use a proxy configured via system settings. However often it may be easier to find out the port of the Agent Receiver and note it down.
To do so, on the Checkmk server run, logged in as site user:. Now you can specify the port when entering the command for registration. Communication then takes place directly with the Agent Receiver without any detours:. Port also must be reachable from the host. In case it is not, you will get this error message:. Should security policies prohibit access to the Agent Receiver, there is still the possibility to use registration by proxy on the Checkmk server.
The Agent Controller provides its own subcommand, dump , which displays the full agent output as it arrives in the monitoring:.
This allows you to verify that the data from the agent program has arrived at the Agent Controller. Latest versions Checkmk 2. You can create your local clone with:.
Product Back Product. Back Solutions. Back Use Cases. Back Learn. Back Resources. All conditions should should now have been fulfilled. The Prerequisites table should now look like this:. From now on, the agent will report at the end of each configured update interval and look for a new version of the agent. At the same time, the Master switch is also one way to deactivate the update process globally. A step-by-step guide is also provided by the video which originated at the Checkmk Conference 3 , under the following link.
Before rolling out a new agent to a large number of hosts, you will certainly want to first try it out with a smaller number of hosts. This important step prevents a possible mistake of serious dimensions. For this function, use the middle box on the Automatic agent updates page:.
After you have met the conditions for selecting hosts here, you can use the Test hostname before activation field to enter individual host names and check if the updates for these hosts have now been enabled or not.
The conditions are always connected with AND. There are quite a few sources of information for diagnosing whether all updates work as intended.
This overview shows how the individual hosts in the agent update behave. The inline help gives further explanations. Clicking on provides a detailed list of the individual hosts. There you can then search for individual hosts.
In this list you will also find documention on how the hash of an agent starts, which agent is intended for a host Target Agent , which agent was most recently downloaded from the host Downloaded Agent , and which agent is currently installed on the host Installed Agent. In this way you can always see if the specifications have been met or where the process is currently located.
If you have installed the agent updater plug-in on an agent, it will regularly output the current status of the update in the form of monitoring data. This again reflects the current state of the update. This way you can be notified of any problem with the updates. The behavior of the agent updater is governed by the two files cmk-update-agent.
It always applies that defined values from the. If the agent updater shows unexpected behavior, it is sometimes worth having a look in the configuration. There is also a handy feature if you call the agent updater directly from the command line:. In the event of a problem you will also find log data for the updates on the host to be monitored.
A more detailed log file cmk-update-agent. If a host is to be removed from the automatic updates, alter its setting with the Agent updater Linux, Windows, Solaris rule set so that the update plug-in is deactivated there. At the next regular update the agent itself then removes its own updater! It goes without saying that the update can then only be reactivated by the manual installation of a new agent package! The registration is retained and does not have to be renewed.
Should you want to move to a new Checkmk site in a single-site setup without losing the hosts registered on the server, it should be noted that for a successful agent update process the following information on server and host must match:. The host secret , which was automatically assigned during registration.
First add all hosts whose registration information is to be migrated to the new site to the monitoring. Make sure the hosts in the new site are monitored under the same name.
Export the signature key s that are accepted by the agents installed on the hosts. Configure the agent updater rule on the new monitoring site according to the instructions, and sign the baked agents with the imported signature key s. Lastly, in the agent updater rule on the old site, configure the fields for the update server and the name of the Checkmk site conforming to your new monitoring site, and bake the agents again. Note : Please check at this point that you have specified everything correctly before you re-bake the agents.
As soon as the next automatic updates go through the hosts, the old monitoring site will be locked out. From that time on the hosts to be monitored will only answer to the new Checkmk server.
Following the second automatic update the agent will be installed by the new Checkmk server accordingly. Attention : This is not an official feature of the agent updater. These instructions are therefore intended primarily for more experienced users. The official way to install a Checkmk Agent on a host is to download and run the agent package appropriate for the system. It is however also possible to allow the Checkmk Agent to be installed initially by the agent updater, since this also works as a stand-alone program.
Register the host on the Checkmk server by invoking cmk-update-agent register. Here it makes sense to pass the required registration information directly via the command line — especially if you want to use an installation script. Then, with a final call to the agent updater plug-in, install the agent with all of the configuration details for the host being monitored.
The prerequisite for the installation by agent updater is, of course, that the Agent Bakery has a suitable agent package ready for the target host on the Checkmk server. Since Checkmk 2. Agent packages that have already been requested at a remote site are cached on the remote site as long as they are valid , so that the packages do not have to be downloaded again from the central site.
In addition, the requested data will be checked for consistency on the remote site, so that unnecessary connections to the central site are avoided. Unlike in a single-site setup, the appropriate update server for the hosts does not originate exclusively from the set of rules for the agent updater, but is communicated to the requesting agent updater by the contacted Checkmk site.
In this process, a host is provided with its server by the site from which it is being monitored. If the connection to the automatically determined server fails, the previously saved server from the rule configuration or previously-entered manually during registration is used as a fallback. If the agents are to report explicitly only to the central site for updates, this can be done via a fixed update server in the rule set for the Agent Updater.
While the Checkmk site will try to identify all other missing settings itself, the specification of this URL is not optional, as this connection direction will otherwise not be established in the case of a central configuration. The remote site also requires a previously-created automation user to be able to log on to the central site.
This can also be selected here. If none is specified, the remote site searches for an automation user with the name 'Automation'. Since the remote sites are not necessarily accessible from the respective monitored hosts via the same URL as from the central site, a URL can be configured here for this purpose. This URL is then automatically communicated to the host or the requesting Agent Updater when a connection is made to a Checkmk site. The configuration as a site-specific global setting makes particular sense here.
If no URL is specified, it is assumed that the remote sites are accessible from both the central site and from the monitored hosts under the identical URL.
If it is an HTTPS connection, the appropriate certificate can also be automatically made available to the host. Since the central CA store cannot be used for this, appropriate certificates can be specified at this point. Alternatively, the certificates can also be specified in the Agent Updater rules. At various points in this article, there are references to securing the respective connections via HTTPS.
At this point, a central summary is provided showing everything that needs to be done for complete security via HTTPS. Both the connection from the remote site to the central site and from the host to the Checkmk site regardless of whether it is a single-site setup or a distributed setup can and should be secured via TLS, i. This also of course applies in the case of the explicitly-specified protocol when the server being contacted is the one from the Agent Updater configuration Update Server Information.
This can be realized as follows:. Certificates for verification are available to the Agent Updater from the following sources:. The internal CA store will therefore be ignored as soon as one or more certificates have been imported via one of the following mechanisms. Certificates from the following three sources are stored locally on the host and thus form their own certification store:.
Using the rule entry Certificates for HTTPS verification , certificates can be included in the agent package and will be available to the Agent Updater following an installation or update. This is particularly useful if it is not yet clear at configuration time which host is assigned to which site. This import option also reduces the number of agents that need to be baked in, as the correct certificates for the respective update servers do not have to be host-specifically configured.
The Agent Updater can be called with the ' --trust-cert ' command line argument. This attempts to retrieve a CA or self-signed certificate from the server and import it. Unfortunately, this only works when either a self-signed certificate is used as this is already the server certificate or when the CA certificate is stored on the server, i. This latter is generally not required for a valid certificate chain and is therefore unfortunately often not the case.
Caution : If a certificate is imported in this way, the user themselves must ensure the authenticity of the server, as the certificate does not come from a separate source. If no valid certificate is available to the Agent Updater at all, the HTTPS verification can be bypassed by using the command line argument ' --insecure '' for a call.
No comments:
Post a Comment