mkeventd is the Check_MK component for receiving structured event data. It's not a slpunk/logstash replacement, rather the thing that comes after a tool has aggregated millions of log events, to alert on the ones classified as interesting enough to forward.

As usual, it is very fast, pretty underdocumented (for people who can't think economically and just go on MK's training) and also pretty awesome.

I'm using it mostly to aggregate switch error logs, i.e. to track port flapping or if other bugs grow out of bounds. To send data from switches it has a component that runs as a Syslog receiver and one that does snmp traps. (I use syslog only so far).

Problem is the thing won't just work if you downloaded OMD and enabled it:

 

root@mon:# omd start sitename mkeventd
Starting mkeventd (builtin: syslog-udp,syslog-tcp,snmptrap)...Cannot bind UDP socket for syslog to port: Permission denied
OK

(And yes, it also doesn't notice that it didn't work. That's pretty normal, Python coders and error handling don't come together, not even in shell scripts...)

 

So, what's wrong? To open port 514 as a non-root user, this binary needs to be "suid root". (Alternatively you could patch stuff to use not port 514 but one above 1024 and then hook in an iptables forward. Everyone is allowed to open a port above 1024)

My (personal) preference is to FIX ISSUES so I've adjusted the permissions as they should be. The missing suid bit is a problem of the OMD build process, nothing else. It was the same when we still had the inline ICMP / livecheck binary. So, lets not fuss about it and also not hope it'll get fixed for longer than 3 years.

SUID binaries are something people have often exploited and as such most people are *afraid*. The biggest risk is if you let them be executed by random users in the other group.

Instead we'll change it to be accessible only by people in the "omd" group, which is one all OMD sites are in. This should also cover some basic circumventions. If you can't even read it, you can't likely exploit it.

So, summary: It should be suid root, but not for everyone :)

Below you'll see how it should look and how to set it.

These are the most safe/correct permissions you can/should set on the mkeventd_open514 handler:

root@mon:/omd/versions/default/bin# ls -ld mkeventd_open514 
-rwsr-x--- 1 root omd 10344 Aug  7 17:48 mkeventd_open514

 

That translates to the following commands - I hope like this it is very clear what is changed:

chown root mkeventd_open514
chgrp omd  mkeventd_open514
chmod 750  mkeventd_open514
chmod u+s  mkeventd_open514

 

 

If you want to go with the iptables variant, you need to do two things:

Hack OMD to open a different port. (no, I don't know how to do it)

Add the matching Fw rules. Say, you changed it to port 10514?

iptables -A INPUT -i eth0 -p tcp --dport 514 -j ACCEPT
iptables -A INPUT -i eth0 -p ucp --dport 514 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 10514 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 10514 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 514 -j REDIRECT --to-port 10514
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-port 10514