Introduction
For security purposes, it is not a good practice to have security credentials for different systems easily accessible to users through the GUI when configuring objects or running checks. The concept of the $USERn$ series of macros can be used to obfuscate sensitive information. You can define something in the resource.cfg file and have it be referenced and re-used multiple times. The official documentation mentions that this is useful for paths, but it can be used for other strings as well (and not just paths to plugins, etc).
More details on the $USERn$ series of variables can be found here.
Configuration
Edit /opt/monitor/etc/resource.cfg to add the $USERn$ variables. Below is an example for WMI credentials (which have been redacted) for a Windows host, assigned to $USER16$ and $USER17$, for username and password.
Save the file and issue a mon restart.
Use the variable in a service. Below is an example for a WMI-based check where the username and password fields have been changed to use $USER16$ and $USER17$ instead.
The output from running "Test this check" shows the arguments passed to the service check, but the $USERn$ variables were expanded to show _USER16_ and _USER17_ instead of the actual value.
Point for consideration
If you are using a multi-node setup (i.e., you have other masters and/or pollers), resource.cfg must be included in the sync{} block of merlin.conf, and a config push must be done, so that the contents of resource.cfg are propagated to all other nodes. Failure to do so means that the check will only be able to run on the node where $USER16$ is defined in resource.cfg; you will get access denied errors otherwise.
Example merlin.conf file with sync{} block for resource.cfg:
peer mc-rocky-mon9-mas02peer {
    address = mc-rocky-mon9-mas02peer
    port = 15551
    sync{
        /opt/monitor/etc/resource.cfg
    }
}
Ensure that a mon restart is issued after editing the merlin.conf file.
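The sync{} requirement above can be checked before a config push. The following is an added example, not part of the original article or of OP5 Monitor/Merlin: it parses merlin.conf text and lists the peer and poller blocks whose sync{} block does not include resource.cfg. It assumes the block layout shown above, # comments, and that only peer and poller blocks need the entry; the function name and the sample poller are hypothetical.

```python
import re

RESOURCE_CFG = "/opt/monitor/etc/resource.cfg"  # path used in this article

# Constructed sample. The peer block mirrors the article's example; the poller
# block is hypothetical and deliberately lacks a sync{} block.
SAMPLE_MERLIN_CONF = """\
peer mc-rocky-mon9-mas02peer {
    address = mc-rocky-mon9-mas02peer
    port = 15551
    sync{
        /opt/monitor/etc/resource.cfg
    }
}
poller example-poller01 {
    address = example-poller01
    port = 15551
}
"""


def nodes_missing_sync(conf_text, path=RESOURCE_CFG, node_types=("peer", "poller")):
    """Return names of node blocks whose sync{} block does not list `path`."""
    text = re.sub(r"#.*", "", conf_text)                 # strip # comments
    tokens = re.sub(r"([{}])", r" \1 ", text).split()    # braces become tokens
    missing, stack, synced = [], [], False
    for i, tok in enumerate(tokens):
        if tok == "{":
            if not stack and i >= 2 and tokens[i - 2] in node_types:
                stack.append((tokens[i - 2], tokens[i - 1]))  # "peer NAME {"
                synced = False
            else:
                stack.append((tokens[i - 1] if i else "", None))
        elif tok == "}":
            if stack:
                _, name = stack.pop()
                if name is not None and not synced:      # closing a node block
                    missing.append(name)
        elif len(stack) == 2 and stack[0][1] is not None and stack[1][0] == "sync":
            synced = synced or tok == path               # path listed in sync{}
    return missing


if __name__ == "__main__":
    for name in nodes_missing_sync(SAMPLE_MERLIN_CONF):
        print(f"{name}: {RESOURCE_CFG} is not in sync{{}}; $USERn$ checks will fail there")
```

To run it against a live node, read the node's merlin.conf into a string and pass it to nodes_missing_sync() in place of the constructed sample.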