VMware Cloud Community
Rode_Draak
Contributor

Check_MK and vCenter appliance

Hi All,

We have a vCenter Appliance server running (ESX 5.5). We want to monitor this server with check_mk (port 6556), but by default this server is firewalled.

I already modified /etc/vmware/appliance/firewall/vmware-vmca to include the following:

  {
    "direction": "inbound",
    "protocol": "tcp",
    "porttype": "dst",
    "port": "6556",
    "portoffset": 0
  }
  {
    "direction": "inbound",
    "protocol": "udp",
    "porttype": "dst",
    "port": "6556",
    "portoffset": 0
  }

After an initial reboot it all worked fine and I was able to communicate with the check_mk agent on port 6556. But all of a sudden it stopped working and I am unable to find the reason why.

Any help would be appreciated.

Richard.

11 Replies
vijayrana968
Virtuoso

Check the firewall and grep the information with this port number.

Rode_Draak
Contributor

Grep which firewall where? I checked and added it to iptables, but no luck there.

Richard.

vijayrana968
Virtuoso

1. SSH to the appliance shell with root.

2. Change directory to /var/log/vmware/applmgmt

3. List the firewall logs with ls or dir

4. Filter the logs with the command cat firewall-reload.log | grep check_mk

For example, I am checking logs for vSAN:

pastedImage_3.png

Rode_Draak
Contributor

Alas, no such directory /var/log/vmware/applmgmt.

Also nothing with firewall in anything under /var/log/vmware

Richard.

vijayrana968
Virtuoso

/var/log/vmware/applmgmt is the path available in VCSA 6.0. I am not sure what it will be for VCSA 5.x, but I am sure there will be firewall logs under /var/log/vmware on your VCSA.

Rode_Draak
Contributor

Only /var/log/firewall exists under /var/log and that one is empty 😞

  or136:/var/log # find . -print | grep fir
  ./firewall
  or136:/var/log # ll firewall
  -rw------- 1 root root 0 Jul 27  2016 firewall

vijayrana968
Virtuoso

Is /var/log/firewall a directory or a file?

Rode_Draak
Contributor

It's a file

Rode_Draak
Contributor

Has anyone else got any idea?

Richard

roman79
Enthusiast

Hi mate,

Have you had any success investigating this issue?

I was wondering if there were any software updates to VCSA before the firewall rule got broken. There is a possibility an update overwrites the configuration files to their defaults.

Regards,

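One way to test whether the custom rule is still in the firewall file after an update or reboot, as an added example that is not part of the original thread: it also reports a file that no longer parses as JSON, which a hand edit can cause. The function names, the sample documents and the top-level "rules" key are assumptions; only the five rule keys and the file path come from the posts above, so the checker searches the whole document instead of relying on a fixed layout.

```python
import json

# The rule posted in the thread (TCP variant); values compared as strings.
WANTED = {"direction": "inbound", "protocol": "tcp", "porttype": "dst", "port": "6556"}

def iter_rules(node):
    """Yield every JSON object that has a "port" key, at any nesting depth."""
    if isinstance(node, dict):
        if "port" in node:
            yield node
        for value in node.values():
            yield from iter_rules(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_rules(item)

def check_rules(text, wanted=WANTED):
    """Return 'invalid-json', 'missing' or 'present' for the wanted rule."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "invalid-json"      # e.g. two rule objects with no comma between them
    for rule in iter_rules(doc):
        if all(str(rule.get(key)) == value for key, value in wanted.items()):
            return "present"
    return "missing"               # file parses, but the rule is gone (reset to defaults?)

# Constructed samples; port 9999 and the "rules" wrapper are made up for the demo.
RULE = ('{"direction": "inbound", "protocol": "tcp", "porttype": "dst", '
        '"port": "6556", "portoffset": 0}')
OTHER = ('{"direction": "inbound", "protocol": "tcp", "porttype": "dst", '
         '"port": "9999", "portoffset": 0}')
SAMPLE_OK = '{"rules": [' + OTHER + ', ' + RULE + ']}'
SAMPLE_RESET = '{"rules": [' + OTHER + ']}'
SAMPLE_BROKEN = '{"rules": [' + OTHER + ' ' + RULE + ']}'   # missing comma

if __name__ == "__main__":
    import sys
    default = "/etc/vmware/appliance/firewall/vmware-vmca"
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path) as handle:
        print(path, check_rules(handle.read()))
```

It needs Python 3, so run it against a copy of the file if the appliance does not provide one.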
udayvm
Contributor

Hi Richard

I am wondering why you added the protocol as both UDP and TCP; generally the check_mk port uses the TCP protocol. I would say remove the UDP rule and reboot the VCSA, then you can check the stability of the check_mk agent.

cheers

uday
