Hi everyone,
We're setting up Centreon to monitor a small startup environment where all monitored hosts are VMs spread across multiple cloud providers. These VMs have public IPs, and the monitoring data will travel over public networks. Importantly, we will not be using any remote Poller; the central Centreon server will handle all checks directly.
From what I’ve seen, most discussions on Centreon security focus on securing communication between the central server and distributed pollers. Our scenario is a bit different, and I’d really appreciate the community’s advice.
Use Case Overview:
- Multiple Linux VMs (Alma, Debian, Ubuntu) across different hosting providers
- One dedicated server running KVM hosting additional VMs
- Basic monitoring requirements: system health (CPU, RAM, disk, network), services (MySQL/PostgreSQL, Apache/Nginx, PHP, Node.js apps), and HTTP keyword checks for websites
- No internal network between hosts and Centreon; all communication goes over the internet
Current Agent/Protocol Considerations:
- Centreon Monitoring Agent for Linux: Tagged as stable but described as a proof of concept (is it production-ready?)
- SNMPv3: Marked experimental and seems complex to set up securely
- SNMP (v2c): Easy to configure but lacks encryption or authentication
- NRPE4: Decent option, but requires setup on every VM
- SSH: Possibly the most secure transport, but how viable is it to give the Centreon server SSH access to all monitored VMs?
We will be implementing strict firewall rules to only allow traffic from the Centreon server to the monitored hosts. However, we're especially concerned about securing the data in transit over the public internet.
Question to the community:
Given this scenario, how would you secure communication between Centreon and the monitored VMs? What would you consider the best trade-off between simplicity, reliability, and security?
Appreciate any advice or lessons learned from similar deployments.
Thanks in advance!