Difference between revisions of "Pandora: Documentation en: Events"

From Pandora FMS Wiki
(Event Alerts and Event Correlation)
(Event Statistics)
 
(75 intermediate revisions by 8 users not shown)
Line 2: Line 2:
  
 
= Events =
 
= Events =
 +
==Introduction==
 +
Pandora FMS event system allows to see a real time record of all the events that take place in your monitored systems. The information displayed ranges from any module status change, alerts triggered or retrieved, to system restarts or custom events. By default, in the event view, a picture of what is happening at that time will be shown. It is one of the views that is used the most by operation teams in any type of professional monitoring software.
  
== Introduction ==
+
Events are classified by their severity:
  
Pandora FMS events system allows to see a real time record of all the events that occur in our monitored systems. The information displayed ranges from any module status change, alerts triggered or retrieved, to system restarts or custom events. By default, in the event view you will see a photo of what is happening of relevance at that time, it is one of the most used views  by the operation teams in any type of professional monitoring software.
+
* '''Maintenance''' (grey)
 +
* '''Informational''' (blue)
 +
* '''Normal''' (green)
 +
* '''Warning''' (yellow)
 +
* '''Critical''' (red)
 +
* '''Major''' (brown)
 +
* '''Minor''' (pink)
  
Events are managed in Events > View Events, where you see the following menu.
+
The following actions can be performed in regard to an event:
 +
 
 +
* '''Change its status''' (validated or in progress)
 +
* '''Change the owner'''
 +
* '''Delete'''
 +
* '''Show additional information'''
 +
* '''Add a comment'''
 +
* '''Apply custom responses'''
 +
 
 +
== General information==
 +
 
 +
Events are managed in Events > View Events, where there is the following menu:
  
 
<center>
 
<center>
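Review bot: the added severity list runs Warning, Critical, Major, Minor, while the severity filter list added later in this revision runs Minor, Warning, Major, Critical; pick one order and use it in both places. The new headings "==Introduction==" and "== General information==" also break the spaced "== Title ==" style used by "== Operating with events ==", and "allows to see" in the new introduction needs an object ("allows you to see").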
Line 19: Line 38:
 
</CENTER>
 
</CENTER>
  
In the 726 version of Pandora FMS it was introduced the possibility of sort the events by ID, status, name ...
+
Pandora FMS version 726 includes the possibility of sorting out events by ID, status, name...
  
 
<CENTER>
 
<CENTER>
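Review bot: "sorting out events" in the added line changes the meaning, since "sort out" means to resolve or separate rather than to order. The sentence describes ordering the list by ID, status or name, so "sorting events by ID, status, name..." is the wording to use.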
Line 25: Line 44:
 
</CENTER>
 
</CENTER>
  
The Events viewer shows the event which is a descriptive text of the problem, the origin (agent) which generated it and the event's date. Sometimes there is some other data associated (e.g. the agent's module which generated the event, the group, the tags associated to the module, etc.). If we e.g. click on the magnifying glass, we'll be able to view all the event's details:
+
The event viewer shows the event itself, which is a descriptive text of the problem, its source (agent) and the event's date. Sometimes, there is some other linked data (e.g. agent module that generated the event, the group, module related tags, etc.).
  
 
<CENTER>
 
<CENTER>
 
[[File:detalle_evento_1.jpg|500px]]
 
[[File:detalle_evento_1.jpg|500px]]
<br>
+
</CENTER>
 +
 
 +
By clicking on the magnifying glass, all event details are shown:
 +
 
 +
<CENTER>
 
[[File:detalle_evento_2.jpg|500px]]
 
[[File:detalle_evento_2.jpg|500px]]
 
</CENTER>
 
</CENTER>
  
By default, the events are shown by a specific search, and this can be modified, showing the information in the way that interests us through its different filtering options:
+
By default, events are shown through a specific search, which can be modified, showing the information in the most suitable way through its different filtering options:
  
 
<CENTER>
 
<CENTER>
Line 39: Line 62:
 
</CENTER>
 
</CENTER>
  
As we can see here, by default (although it can be modified in the setup options), Pandora FMS shows events that are up to eight hours old or less, and shows only those that are not validated. A user who only has access to one group will only see events in that group. By default, '''groups the events''', that is, if we have several events of the same origin and of the same type, it will only show one, and in the detailed view of the event, it will tell us how many events we have equal, grouped in that single item of the list.  
+
As seen here, by default (although it can be modified in setup options), Pandora FMS shows events that are up to eight hours old or less, and shows only those that have not been validated. A user who only has access to one group will only see events from that group. It '''groups events''' by default. That is, if there are several events from the same source and of the same type, it will show only one. However, the detailed event view will specify the number of events of the same type, grouped in that single item of the list.  
  
There's also the possibility of saving a specific search so that you're able to apply filters you've created before.
+
There is also the possibility of saving searches as filters, or applying a previously created filter (see Event filter creation section).
  
'''Events are the recording and an essential part of a monitoring system.'''
+
'''The events are the record and a key point of a monitoring system.'''
  
The operators who see this screen are able to know any information about the monitored system's current state (active events) and all its history (seeing all the validated events), without being forced to look at every single agent. They're also capable of browsing through global figures, data trees, names and visual screens.
+
The operators who see this screen are able to find out the current status (active events) and the history (seeing all validated events), without going through the trouble of looking at every single agent. They are also capable of browsing through global figures, data trees, names and visual screens.
  
The operators should see a "clean" event console which is only going to show the active problems. In this way, you won't even have to create alerts. Just by looking on the screen, you're going to see everything that's going on at all times.
+
Operators should see a "clean" event console, that only shows active problems. That way, there is no need to create alerts. Just by looking at the screen, you become aware of what is going on at all times.
  
 
== Operating with events ==
 
== Operating with events ==
  
=== Validation and status of an event. Auto validation ===
+
=== Event validation and status. Autovalidation ===
  
An event have in three status: new, in process or validated. A default event, as it arrives at the system, is in the ''New'' state. When events occur due to module status changes, there will usually be two events: a first event from normal to an incorrect state, and an event back to normal once the problem is solved.
+
An event may go into three different status: new, in process or validated. A default event, newly arrived, goes into ''New'' status. When events take place due to module status changes, there will usually be two events: the first event is the change from normal to faulty state, and the second one is the event going back to normal once the problem is solved.
  
In these cases, the events of transition to an incorrect state (critical or warning) are automatically validated when normalcy is restored. This is what we call event autovalidation and is an essential functionality, as it allows you to hide information that is no longer relevant in the event console. When an event is validated, it disappears from the default initial view of events, since in this view the validated events are not shown by default because they are not considered active problems but past problems.
+
In these cases, events going into a faulty state (critical or warning) are automatically validated when they go back to normal. This is what it is called event autovalidation and it is an key feature, since it allows to hide information that is no longer relevant in the event console. When an event is validated, it disappears from the default initial event view, since this view does not show validated events by default because they are not considered active problems but past problems.
  
When we find an event, we can validate it: This will make the system memorize the date and the user who validated the event. It is also possible to leave a comment, e. g."We checked it and emptied some disk on the server":
+
When finding an event, it can be validated. That will make the system save the date and the user who validated the event. It is also possible to leave a comment:
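Review bot: the added sentence "applying a previously created filter (see Event filter creation section)" points at a section this same revision deletes further down ("=== Creating Event Filters ===" is removed and no replacement is shown), so the reference dangles; keep a short filter-creation section or turn the reference into a link to where that text now lives. In the autovalidation paragraph, "This is what it is called event autovalidation and it is an key feature, since it allows to hide" should read "This is called event autovalidation and it is a key feature, since it allows hiding", and "three different status" should be "three different statuses". The rewrite of the validation paragraph also drops the example comment text; a short example helps there.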
  
  
Line 70: Line 93:
 
</CENTER>
 
</CENTER>
  
If we load the event view again, filtering and displaying all events, we will see the event validated (with a green cross on the left) with the information of who validated it, when, and with the text you entered at that time.
+
If the event view is reloaded, filtering and displaying all events, the validated event (with a green "x" on the left) will be displayed together with the information of who validated it, when, and the text entered at that time.
  
On the other hand, instead of validating an event, we can mark it as "in process" in the ''Responses'' tab, as you can see below:
+
On the other hand, instead of validating an event, it can be marked as "in process" in the ''Responses'' tab, as shown below:
  
 
<CENTER>
 
<CENTER>
Line 78: Line 101:
 
</CENTER>
 
</CENTER>
  
We can have an event "stopped", or blocked, so that it does not validate itself, and still be seen in the event views, as pending work. It will group the other events that arrive the same (see grouping of events) but will not validate itself. The appearance of the event will be similar to the next one:
+
An event can be "stopped", or blocked, so that it does not validate itself, and it still appears in the event view as pending work. It will group the other events of the same kind that arrive (see grouping of events), but it will not validate itself. The event will look something like this:
  
 
<CENTER>
 
<CENTER>
Line 84: Line 107:
 
</CENTER>
 
</CENTER>
  
Also in the ''Responses'' tab you can find some other possible actions on the event, such as deleting it or executing custom responses such as the ping on the host.
+
In addition, in the ''Responses'' tab you may find some other possible actions on the event, such as deleting it or executing custom responses such as the ping on the host.
  
You can also validate, mark events as "in process" and delete events in an individual way with the features shown below:
+
They can also be validated, marked as "in process" and deleted individually with these features:
  
 
<CENTER>
 
<CENTER>
Line 92: Line 115:
 
</CENTER>
 
</CENTER>
  
You can also validate, mark events as "in process" and delete events in a massive way as shown below:
+
It is also possible to validate, mark as "in process" and delete events as well as executing mass custom responses of the command type as shown below:
  
 
<CENTER>
 
<CENTER>
[[File:Op_masiva.png]]
+
[[File:Op_masiva2.png]]
 
</CENTER>
 
</CENTER>
  
=== The Custom Events View ===
+
Regarding custom responses, the maximum number of events to which the operation applies is limited to ten.
 
 
It is possible to customize the fieldas that the Event View shows by default. For that, please click on ''Events' '-> ''Custom Events'', where you'll be able to choose the fields to be shown.
 
 
 
By default, the fields you're going to see are:
 
 
 
<ul>
 
<li>Event name</li>
 
<li>Agent name</li>
 
<li>Status</li>
 
<li>Timestamp</li>
 
</ul>
 
 
 
Select the fields you want to display from the "Fields available" list and move to "Fields selected" using the arrows. Once selected, press the "Update" button.
 
 
 
 
 
<center>
 
[[image:custom_events.png|800px]]
 
</center>
 
 
 
=== Creating Event Filters ===
 
 
 
In the section ''Events''> ''Events Filters''. You may create, remove and edit your filters within this window.
 
 
 
<center>
 
[[image:filtros_evento.png|800px]]
 
</center>
 
 
 
If you click on the ''Create Filter'' button, you're able to fill out the event fields as shown below.
 
 
 
<br>
 
[[image:crear_filtro_evento.png|700px|center]]
 
<br>
 
 
 
Once the filters have been saved, right from the Event View itself we can load them to display the desired information quickly without having to reconfigure the filter each time:
 
 
 
<br>
 
[[image:Event1.JPG|660px|center]]
 
<br>
 
  
=== Filtering Events ===
+
=== Event filtering ===
  
From the Event View page, you can filter in the event list to search for specific events.
+
From the Event View page, it is possible to filter the event list to search for specific events.
  
From the event view, you will access the filtering options in ''Event control filter'', and the advanced options with'' Advanced options'':
+
From the event view, access the filtering options in ''Event control filter'', and the advanced options through'' Advanced options'':
  
 
<br>
 
<br>
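Review bot: the rewritten sentence before the Op_masiva2.png image no longer says these are bulk operations. The old text had "in a massive way"; the new one reads "It is also possible to validate, mark as "in process" and delete events as well as executing mass custom responses", which repeats the previous paragraph about individual actions. Say "in bulk" explicitly and keep the list parallel ("validate, mark as "in process", delete, or run command-type custom responses on several selected events"). The added ten-event limit is clear, but it sits after the image in place of a removed heading; it would read better directly under the sentence it qualifies.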
Line 148: Line 133:
 
<br>
 
<br>
  
There are many fields, some of which do not require explanation, so we will focus on those that are more relevant or complicated to understand:
+
There are many fields and some of them do not need further explanation, so only the most relevant or complicated ones are detailed in here:
  
* '''Event Type:''' The combo in which you're able to pick the event's type. There are the following types:
+
* '''Event Type:''' In Pandora FMS, there is a limited number of events, which are the following ones:
**Agent Creation
+
**Agent created
** Alert ceased (oudated)
+
** Alert triggered
** Alert fired
+
** Alert stopped (oudated)
** Manual alert validation
+
** Alert recovered (different to alert stopped)
** Alert recovered (different to alert ceased)
+
**Configuration change (affects an inventory module)
**Configuration change (affects to a module from the inventory)
+
** Unknown (generic)
 +
**New host detected via recon
 
** Error (generic)
 
** Error (generic)
 +
**Unknown monitor (unknown)
 
**Monitor in critical status
 
**Monitor in critical status
**Monitor in warning status
+
**Monitor in warning status (warning)
 
**Monitor in normal status
 
**Monitor in normal status
**Monitor  in unknown status
 
**Unknown (generic)
 
**Systema (generic)
 
**New host detected via recon
 
 
**Not normal (generic)
 
**Not normal (generic)
 +
**System (generic)
 +
** Manual alert validation
  
* '''Severity:'''It details the severity of the event, which has nothing to do with the status of the module related to that event. If the event is related to an alert, it will have the same level of severity. These are the five levels of severity that exist:
+
* '''Severity:''' It details the severity of the event, which has nothing to do with the status of the module related to that event. If the event is linked to an alert, it will have the same level of severity. These are the five levels of severity through which you may filter:
** Critical
+
** Maintenance
 
** Informational
 
** Informational
** Maintenance
 
 
** Normal
 
** Normal
 +
** Minor
 
** Warning
 
** Warning
 +
** Major
 +
** Critical
 +
** Warning/Critical
 +
** Not normal
 +
** Critical/Normal
 +
 +
* '''Max. hour old:''' The field in which the max. amount of hours old an event may be for it to be added to visible event list is set.
  
* '''Max hour old:''' The field in which the max. age is determined.
+
* '''Repeated:''' By default, Pandora FMS groups events, that means that if 10 events of the same type have the same source, only one will be shown. And the detailed event view will include the number of events of the same type, grouped in that single item of the list. This can be modified so that events are shown individually.
  
* '''Repeated:''' By default, pandora groups the events, that is, if we have 10 events of the same origin and type, it will only show one, and in the detailed view of the event, it will tell us how many events we have equals, grouped in that single item of the list. We can change this behavior to show us all the individual events.
+
* '''Timestamp:''' It is the date when the event was created. It is possible to filter event creation dates using the ''timestamp from'' and ''timestamp to'' fields.
  
You may save the filter or load another one by clicking on the 'Load Filter' icon.
+
You may save the current filter to use it later on or load an existing filter.
  
 
=== Deleting an Event ===
 
=== Deleting an Event ===
  
Another way of managing events is deleting those which aren't interesting any more. Please use the 'deleting events' option to do so. If you click on 'Operation' and 'View Events', there are two ways to delete an event from the event list:
+
Another way of managing events is deleting those that are not relevant any more. Use the 'deleting events' option to do so. From the list located at ''Events > View Events'' they can be deleted individually or several can be marked to be deleted.
  
Please click on the gray trash icon within the 'Action' column.
+
Click on the gray trash can icon.
  
 
<center>
 
<center>
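Review bot: "These are the five levels of severity through which you may filter" is followed by ten entries in the new list (Maintenance through Critical/Normal), so drop the count or correct it, and say that the last three (Warning/Critical, Not normal, Critical/Normal) read as combined filters rather than single severities. In the event type list the typo "oudated" is carried over into the new "Alert stopped (oudated)" line, and "there is a limited number of events" should say "event types". "Monitor in unknown status" becomes "Unknown monitor (unknown)", which no longer matches the wording of the critical, warning and normal entries next to it.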
Line 192: Line 184:
 
'''Automatic event purging'''
 
'''Automatic event purging'''
  
From the configuration it is possible to define the maximum historical events that we want to keep for its elimination. This purging is performed by the automatic maintenance process of the database (Pandora_DB) that should be executed automatically every hour.
+
From the configuration, it is possible to define the maximum number of history events to be kept for deleting. This purging is performed by the automatic maintenance process of the database (Pandora_DB) that should be executed automatically every hour.
  
 
<center>
 
<center>
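Review bot: "the maximum number of history events to be kept for deleting" makes the setting sound like an event count, but the "Event history" paragraph just below talks about events that "exceed the deleting date", which implies an age limit. State the unit the setting actually takes and use the same term in both paragraphs. "to be kept for deleting" also contradicts itself; the sentence needs to say what is kept and when it is deleted.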
Line 198: Line 190:
 
</center>
 
</center>
  
'''Events history'''
+
'''Event history'''
  
There is also an Enterprise functionality called "event history" that allows you to store in the historical database those events that exceed the deletion date. These events are not accessible through the event view, and are only used for special event history reports.
+
There is also an Enterprise feature called "event history" that allows to store in the historical database those events that exceed the deleting date. These events are not accessible through the event view, and they are only used for special event history reports.
  
 
<center>
 
<center>
Line 206: Line 198:
 
</center>
 
</center>
  
=== Other Ways of viewing Events ===
+
=== Other ways of viewing Events ===
 +
 
 +
Besides the event's classic view in 'Events' > 'View Events', events can also be published in news channels or as 'sliding Marquee' (a moving list at the top of the browser on a black screen) by clicking on the 'Events' drop-down and the 'RSS' or 'Marquee' options accordingly.
  
Beside the event's classic view which you may call up by clicking on 'Events' and 'View Events', you're also able to pick public news channels such as 'Sliding Marquee' (a moving list on the top of the browser on a black screen).
+
<center>
 +
[[File:View_events1.jpg]]
 +
</center>
  
 
==== RSS Events ====
 
==== RSS Events ====
  
 
Pandora FMS also has an RSS Event Provider in order for you to subscribe to it from your favorite news reader.
 
Pandora FMS also has an RSS Event Provider in order for you to subscribe to it from your favorite news reader.
To see the events within a news channel or RSS, please click on 'Events' and 'RSS' and subscribe to it from the news reader.
+
To see the events within a news channel or RSS, click on 'Events' and 'RSS' and subscribe to it from the news reader.
 +
 
 +
 
 +
{{warning|It is necessary to have a '''RSS reader''' and register to receive Pandora FMS notifications, otherwise a window with the report in XML code will appear.}}
  
 
<center>
 
<center>
Line 219: Line 218:
 
</center>
 
</center>
  
{{warning|To provide access to event RSS feed, you're required to configure which IPs are allowed to access it. To do so, please click on the field named 'IP list with API access' within 'Setup'.}}
+
{{warning|To access the event RSS feed, configure which IPs are allowed to access it. To do so, click on the field named 'IP list with API access' within 'Setup'.}}
  
==== Events in the Marquee ====
+
==== Events in the horizontal Marquee ====
  
It shows the last events in a sliding text-line format. This option is intended to visualize the last events within a monitor like a text screen. You're able to easily customize the number of visualized events or the size, color and filter of the messages by modifying the code within the file named 'operation/events/events_marquee.php'.
+
If you access 'Events' > 'Marquee', you will see the last events in a sliding text-line format. This option may be used to display the last events within a monitor as a text screen. The number of visualized events or the size, color and filtering of the messages can be easily customized by modifying the code within the file named 'operation/events/events_marquee.php'.
  
 
<center>
 
<center>
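Review bot: the rewritten warning "To access the event RSS feed, configure which IPs are allowed to access it" mixes up who is acting; the administrator allows a client address, the reader of the feed does not configure it. Suggest "To allow a client to read the event RSS feed, add its IP address to 'IP list with API access' in Setup". Because the field is named for API access, the warning should also say whether listing a feed reader's address there grants that address API access as well. In the Marquee paragraph, "can be easily customized by modifying the code" in 'operation/events/events_marquee.php' should say whether such edits survive a console update.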
Line 229: Line 228:
 
</center>
 
</center>
  
{{warning|In order to be able to access the RSS feed of the events, it is necessary to configure the IPs that are allowed access in the IP list with API access field within Setup.}}
+
==== Event sound console ====
 
 
==== Sound Alerts ====
 
 
 
This new way is a lot easier to manage a system without having to always check Pandora's console. You will be able to hear the different tunes if an event occurs even if you are far from the computer (assumed you've attached some powerful loudspeakers). The tune is going to be played until the sound event pauses or if you press the 'OK' button.
 
 
 
The list of sound events which are going to generate the playing of a sound are:
 
  
* An alert firing
+
It allows to manage a system without having to check Pandora FMS console constantly. Just by having your speakers connected and making sure that the volume is high enough, you will be able to hear the different tunes if an event takes place, even if you are far from the computer. The tune will be played until you pause the sound event or press the 'OK' button.
* A module changes to a 'warning' state.
 
* A module changes to a 'critical' state.
 
  
It's also possible to filter the events by their groups.
+
The list of sound events that generate a sound alert:
  
===== Configuration =====
+
* A triggered alert
 +
* A module going into '''warning''' state.
 +
* A module going into '''critical''' state.
 +
* A module going into '''unknown''' state.
  
There are three types of events the alert sound is going to be attached to. You may configure any appropriate sound from Pandora's Console setup for each type of event.
+
It is also possible to filter events by group/agent.
  
 
<center>
 
<center>
[[File:Event sound.setup.screenshot.png|800px]]
+
[[File:Sound_console.jpg]]
 
</center>
 
</center>
  
You're also able to hear the tune even from the setup page. Feel free to test it (if the browser is compatible to multimedia contents) by clicking on the 'Play' button which you're going to find on the right side of any event type.
 
  
 
===== Advanced Configuration =====
 
===== Advanced Configuration =====
  
It's also possible to extend the list of sounds for all sound events. Please go to the Pandora Console Server and into the directory named '/var/www/pandora_console/'. You may paste your new sounds into the directory named 'include/sounds/' - but if you do, you're also required to consider several things achieving the right performance:
+
It is also possible to widen the list of tunes for all sound events. Go to the Pandora Console Server and into the Pandora FMS console (usually '/var/www/pandora_console/') and within the directory named '''include/sounds/''' where you may add the files with the new tunes. But take into account several key points to achieve the right performance:
 
 
* The file has to be in a 'WAV' format.
 
* It's recommended to take the smallest possible file, because this file must be sent to the browser in order to be played within your browser's window.
 
  
There are several possibilities to achieve this:
+
* The file has to be in 'WAV' format.
 +
* It is recommended to take the smallest file possible, because this file must be sent to the browser in order to be played within your browser's window. There are several tips to achieve this:
  
** Please select a sound file with only a few second's length for the main alert sound, because it's going to be played ad infinitum.
+
** Select an audio file only a few seconds long (or even less) for the main alert sound, because it will be played on a loop.
** Please convert the sound to 'mono'.  
+
** Convert the audio to ''mono''.  
** Please change the sound's coding to '16bits signed' or less. We're going to lose quality but we're diminishing the file's size by doing this.
+
** Change the audio's coding to ''16bits signed'' or even less. Quality will be lost but the file's size will decrease by doing this.
* In order to create or edit sounds, we recommend to use tools as [http://audacity.sourceforge.net/ '''Audacity'''] which is a multi platform open-source tool which is also very easy to use.
+
* In order to create or edit audio files, it is recommended to use tools as [http://audacity.sourceforge.net/ '''Audacity'''] which is a user-friendly multi platform open-source tool.
  
 
===== Use =====
 
===== Use =====
  
The event sounds are asynchronously 'scanned' every 10 seconds. If an event is received, the preconfigured or default sound for this event is going to be replayed and the window is going to start flickering in red. This window is also going to be placed in foreground of all other opened windows, depending on its browser's and operating system's configuration.
+
The event sounds are asynchronously 'scanned' every 10 seconds. If an event is received, the preconfigured or default sound for this event will be replayed and the window will start flickering in red and waving. This window will also be placed in foreground of all other opened windows, depending on the browser's and operating system's configuration.
  
To gain access to the sound events window, you're just required to go to the Pandora Console's left menu and to click on '''Operation''' and '''View Events''' there. Within the header's event window, please click on '''Sound Events'''. It's going to show you a new window, which is a lot smaller than the others.
+
To gain access to the sound events window, go to the Pandora FMS Console's left menu and click on '''Operation''' and '''View Events'''. Within the header's event window, click on the '''Sound Events''' icon.
  
 
<center>
 
<center>
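Review bot: the "===== Configuration =====" heading and its setup paragraph are removed, but "===== Advanced Configuration =====" stays, so the page now has an advanced section with no basic one and no statement of where a sound is assigned to each event type; rename the remaining heading or keep a one-line pointer to the setup screen. The added sentence "Go to the Pandora Console Server and into the Pandora FMS console (usually '/var/www/pandora_console/') and within the directory named include/sounds/ where you may add the files" never completes; "On the console server, copy the new files into include/sounds/ under the console directory (usually '/var/www/pandora_console/')" says the same thing. In the Audacity item, "tools as" should be "tools such as".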
Line 277: Line 268:
 
</center>
 
</center>
  
This small window is going to be the one which manages all the sound events. It's recommended to leave it open in case any event is received. Inside the window we have several controls that allow us to filter so that the console only jumps according to various filters: group, type of event or specific agent (s). Also, in caseit goes off, a small window will indicate which event is going off.
+
This small window will be the one to manage all sound events. That is why it is recommended to leave it open, so that is sounds whenever any event is received. Inside the window, there are several controls that enable filtering so that the console only goes off according to several filters: group, type of event or specific agent(s). Also, in case it goes off, a small window will indicate which event has gone off.
  
Press the "Play" button to start the sound console. When an event goes off, press "OK" to restart the console and stop the sound (until another new event rings it again).
+
Press the "Play" button to start the sound console. When an event goes off, press "OK" to restart the console and stop the sound (until another new event makes it go off again).
  
 
<center>
 
<center>
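Review bot: typo in the added paragraph, "so that is sounds whenever any event is received" should be "so that it sounds". In the same paragraph "a small window will indicate which event has gone off" follows "This small window", so say whether it is the same window or a second one.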
Line 287: Line 278:
 
=== Exporting Events to a CSV ===
 
=== Exporting Events to a CSV ===
  
It's possible to export the event list to a CSV file in order for the events to be processed by or incorporated into other applications.
+
It is possible to export the event list to a CSV file in order for these events to be processed or incorporated into other applications.
 +
 
 +
In order to export the events to a CSV file, click on 'Operation' -> 'View Events' and 'Export to CSV File'.
  
In order to export the events to a CSV file, please click on 'Operation' -> 'View Events' and 'CSV File'.
+
<center>
 +
[[File:Export_to_csv.jpg]]
 +
</center>
  
 
=== Event Statistics ===
 
=== Event Statistics ===
  
It's possible to gain access to the event's statistics by clicking on 'Operation' -> 'View Events' and 'Statistics'.
+
It is possible to access event statistics by clicking on 'Events'> 'Statistics' to see a brief report under the form of a graphic and in real time about the current events.There are four times of graphics that report said information:
 +
 
 +
* Event graph
 +
* Event graph by user
 +
* Event graph by agent
 +
* Number of validated events
  
 
<center>
 
<center>
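Review bot: the new statistics sentence has three slips: "events.There" is missing a space, "four times of graphics" should be "four types of graphs", and "under the form of a graphic" should be "in the form of a graph". The menu path also changes to 'Events'> 'Statistics' here while the CSV export line added in the same hunk still uses 'Operation' -> 'View Events'; use one menu path style across the page.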
Line 299: Line 299:
 
</center>
 
</center>
  
== Event Alerts and Event Correlation ==
+
Besides, by clicking on one of the sections that make up the graphic, the report will be shown in percentage format as well as the event value and its current status.
 
 
Pandora FMS allows to define alerts on events, which allows working from a much more flexible perspective, since alerts are not generated according to the status of a specific module, but on an event -which may have been generated by several different modules of different agents. This is an Enterprise feature.
 
 
 
There is a corresponding section for creating event alerts in the alert menu.
 
 
 
  
 
<center>
 
<center>
[[image:Menu_event_alert.jpg]]
+
[[File:Estadisticas_eventos.jpg]]
 
</center>
 
</center>
 +
<br><br>
  
Event alerts are based on filtering rules using logical operators (and, or, xor, nand, nor, nxor), events matching the filtering rules configured will be searched and if matches are found the alert will be triggered.
+
== Event alerts. Event correlation ==
 
 
They also use the templates to define some parameters, such as the days on which the alert will function, however in this case '''the templates do not determine when the event alert is triggered''', but rather it is through the filtering rules that the events that match will be searched and the alert triggered.
 
 
 
<CENTER>
 
[[File:Event_alerts.png|800px]]
 
</CENTER>
 
 
 
In order to render the work with them a little easier, the event alert's configuration parameters are identical to the module alerts. A detailed explanation for all of them can be found [http://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Alerts#Alert_Templates '''here.'''] There are only two specific parameters for event alerts:
 
  
* '''Rule Evaluation Mode:''' There are two options: 'Pass' and 'Drop'. 'Pass' means that if an event is fulfilled by an alert, the alerts below are going to be evaluated. 'Drop' means that if an event is fulfilled by an alert, the alerts below are going to be stopped from being evaluated.
+
From Pandora FMS release 741 onwards, a series of changes have made, aimed to improve event-related alert performance, check all the information about this topic in [https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Alerts#Alert_correlation:_event_and_log_alerts Alert correlation: event and log alerts] section of the wiki.
 
 
* '''Group by:''' It allows you to group the rules by agent, module, alert or group. If a rule is e.g. configured for it, it's going to fire if we receive two critical events. If it's grouped by agent, two critical events are required to originate from the same agent. This feature is capable of getting switched off.
 
 
 
Each rule is configured to fire by a specific type of event. The alert will be fired if the condition of the logical equation, which is defined by the rules and its operators, is met.
 
 
 
<CENTER>
 
[[File:Event_rules.png|800px]]
 
</CENTER>
 
 
 
The rule's configuration parameters are the following:
 
 
 
{{WIP}}
 
 
 
* '''Name:''' The name of the rule.
 
* '''User comment:''' A free-text field intended for a comment.
 
* '''Event:''' The regular expression that matches the event's text, if it's left blank it is "for any event"
 
* '''Window:''' The events which have been generated outside the defined time range are going to be rejected.
 
* '''Count:''' The number of events which have to match the rule to fire the alert.
 
* '''Agent:''' The regular expression which matches the agent's alias which has generated the event.
 
* '''Module:''' The regular expression that matches to the module's name which has generated the event.
 
* '''Module Alerts (template):''' The regular expression that matches the alert's name which has generated the event.
 
* '''Group:''' The group the agent belongs to. If the recursion box is checked, the rule will also apply to the child groups of the selected group.
 
* '''Severity:''' The event severity.
 
* '''Tag:''' The event's associated tags.
 
* '''User:''' The event's associated user.
 
* '''Event Type''' .
 
 
 
We could e.g. configure a rule which wears a tag named 'System' and matches to the events generated by any module of any agent of the server group that is named 'cpu_load' in the moment the module moves to a 'critical' state:
 
 
 
<CENTER>
 
[[File:Event_rule_config.png|493px]]
 
</CENTER>
 
 
 
 
 
{{tip|Given the high number of events the Pandora FMS Database is able to store, the server works on an event window which is defined in the 'pandora_server.conf' configuration file by a parameter named 'event_window'. The events which have been generated outside the specified time range are '''not''' going to be processed by the server. Within a rule, it doesn't make any sense to specify a time range wider than the one configured within the Server.}}
 
 
 
{{Warning|In order for the event correlation alerts to work, it is necessary to activate the event correlation server with the parameter ''eventserver 1'' in the Pandora FMS server configuration file.}}
 
  
 
==Events from the Command Line ==
 
==Events from the Command Line ==
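Review bot: The pointer sentence added under "Event alerts. Event correlation" reads "a series of changes have made" and joins two clauses with a comma; suggest "a series of changes have been made to improve event-related alert performance. See the Alert correlation: event and log alerts section." The same hunk removes the 'eventserver 1' warning and the 'event_window' tip together with the rule parameters, so confirm that the linked section carries both before they disappear from this page.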
Line 363: Line 314:
 
=== Generating Events from the Command Line  ===
 
=== Generating Events from the Command Line  ===
  
By using the WEB API, you may interact with Pandora FMS from remote sites, even if you don't have a Database connection, Pandora FMS or an agent installed. You only require a special tool which you can find under:
+
By using the WEB API, you may interact with Pandora FMS from remote sites, even if you do not have a Database connection or an agent installed. You may do it using the tool that you can find here:
  
 
  /usr/share/pandora_server/util/pandora_revent.pl
 
  /usr/share/pandora_server/util/pandora_revent.pl
  
This tool utilizes a remote [http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol '''HTTP'''] or [http://en.wikipedia.org/wiki/HTTP_Secure '''HTTPS'''] connection to create or validate events under Pandora FMS. Please execute it without parameters to see it's syntax.
+
This tool uses a HTTP/HTTPS remote connection to create or validate events under Pandora FMS. Execute it without parameters to see the syntax translated here:
  
 
<pre>
 
<pre>
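Review bot: In the rewritten sentence about the connection, "a HTTP/HTTPS remote connection" should be "an HTTP/HTTPS remote connection", as the second copy of this sentence further down already has it. "To see the syntax translated here" also reads oddly, since what follows is the tool's own usage text; "to see its syntax, reproduced here" would be clearer.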
Line 433: Line 384:
 
</pre>
 
</pre>
  
You're required to enable the API access and configure it first. To do so, please follow the below mentioned steps:
+
Firstly, enable the API access and configure it. To do so, follow the below mentioned steps:
  
* Please enable the API access for the IP (please use '*' for all IPs).
+
#Enable the API access for the IP from wich the command will be executed or use '*' for all IPs.
* Please set an API password
+
#Set an API password
* Please use a regular user and password or define a specific API user for conducting the operation only.
+
#Use a user/password to login, or define a specific user to access it through API.
  
In order to render the 'unknown', 'critical' or 'warning' instruction fields appear within the event details, the event type is required to consist of the types named 'going_unknown', 'going_down_critical' or 'going_down_warning'.
+
In order for the 'unknown', 'critical' or 'warning' instruction fields to appear within the event details, the event type must be 'going_unknown', 'going_down_critical' or 'going_down_warning' accordingly.
  
Examples:
+
More examples:
  
 
<pre>
 
<pre>
 
/pandora_revent.pl -p http://192.168.50.12/pandora_console/include/api.php -u pandora12,admin,pandora  
 
/pandora_revent.pl -p http://192.168.50.12/pandora_console/include/api.php -u pandora12,admin,pandora  
 
-create_event -name "Another nice event" -group 0 -type "system" -status 0 -severity 4
 
-create_event -name "Another nice event" -group 0 -type "system" -status 0 -severity 4
-user "davidv" -owner_user "admin" -source "Commandline" -comment "Prueba de comentario"
+
-user "davidv" -owner_user "admin" -source "Commandline" -user_comment "Comment test"
 
</pre>
 
</pre>
  
=== Only for generating events from Command Line:  'pandora_revent_create' Command===
+
=== Only generating events from the Command Line:  'pandora_revent_create'===
  
It comes with the same functionality as the 'pandora_revent' script with the exception of being able to validate events.
+
It is the same feature as the 'pandora_revent' script with the exception of not being able to validate events. You may do it using the tool found at:
  
 
  /usr/share/pandora_server/util/pandora_revent_create.pl
 
  /usr/share/pandora_server/util/pandora_revent_create.pl
  
This tool utilizes a remote [http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol '''HTTP'''] or [http://en.wikipedia.org/wiki/HTTP_Secure '''HTTPS'''] connection to create or validate events under Pandora FMS. Please execute it without parameters to learn it's syntax.
+
This tool uses an HTTP/HTTPS remote connection to create or validate events under Pandora FMS. Execute it without parameters to see the syntax here translated:
  
 
<pre>
 
<pre>
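Review bot: The "More examples" command still passes -u pandora12,admin,pandora to an http:// URL, so the API password and the admin login are shown travelling in clear text; the example would be better with an https:// URL and the dedicated API user that step 3 mentions. In the same hunk, step 1 has "wich" for "which", the example starts with "/pandora_revent.pl" where the usage text has "./pandora_revent.pl", and the pandora_revent_create paragraph says the tool cannot validate events while the next added sentence says it is used "to create or validate events".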
Line 508: Line 459:
 
</pre>
 
</pre>
  
You're required to enable the API access and configure it first. Please follow the below mentioned steps to do so.
+
Enable the API access and configure it first. Follow these three steps to do so:
  
* Please enable the API access for the IP (please use '*' for all IPs)
+
#Enable the API access for the IP from which the command will be executed or use '*' for all IPs.
* Please set an API password
+
#Set an API password.
* Please use a regular user and password or define a specific API user only for conducting the operations only.
+
#Use a regular user/password or define a specific user to have access through the API.
  
In order to render the 'unknown', 'critical' or 'warning' instruction fields to appear within the event details, the event type is required to be one of the types named 'going_unknown', 'going_down_critical' or 'going_down_warning'.
+
In order for the 'unknown', 'critical' or 'warning' instruction fields to appear within the event details, the event type is required to be 'going_unknown', 'going_down_critical' or 'going_down_warning'.
  
Examples:
+
More examples:
  
 
<pre>
 
<pre>
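Review bot: The three setup steps added here repeat those of the previous section with different wording (step 3 is "Use a regular user/password or define a specific user" here and "Use a user/password to login, or define a specific user" there), and the instruction-fields sentence drops the "accordingly" that the other copy has; one wording for both sections avoids readers wondering whether the requirements differ. Step 1 also offers '*' for all IPs without saying that this opens the API to any source address, which deserves a short caveat.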
Line 524: Line 475:
 
</pre>
 
</pre>
  
=== Custom Fields within Events ===
+
=== Custom fields within events ===
  
Events with custom fields may be generated by the [[Pandora:Documentation_en:Anexo_CLI#Create_event|Pandora FMS CLI]], e.g. an event generated by the following command:
+
Events with custom fields may be generated by the [[Pandora:Documentation_en:Anexo_CLI#Create_event|Pandora FMS CLI]], e.g. An event generated by the following command:
  
 
  perl pandora_manage.pl /etc/pandora/pandora_server.conf --create_event 'Custom event' system Firewalls 'localhost' 'module' 0 4 '' 'admin' '' '' '' '' '{"Location": "Office", "Priority": 42}'
 
  perl pandora_manage.pl /etc/pandora/pandora_server.conf --create_event 'Custom event' system Firewalls 'localhost' 'module' 0 4 '' 'admin' '' '' '' '' '{"Location": "Office", "Priority": 42}'
  
Would look like the one shown below.
+
It would look like the one shown below.
  
 
[[image:Event_custom_data.png|800px]]
 
[[image:Event_custom_data.png|800px]]
 +
 +
== Event setup ==
 +
 +
In the Event section in the management part of Pandora FMS console('Events' > 'View events' > 'Manage events'), the following aspects regarding events can be configured:
 +
 +
* ''' Event filtering.
 +
* ''' Event responses.
 +
* ''' Event display.
 +
 +
<center>
 +
[[File:Configuracion_eventos.jpg]]
 +
</center>
 +
 +
 +
=== Custom event view ===
 +
 +
It is possible to customize the fields that the Event View shows by default from the ''Events > View events > Manage events > Custom fields '' section, where the fields to be shown can be chosen.
 +
 +
By default, the fields displayed are:
 +
 +
* '''Event name
 +
* '''Agent ID
 +
* '''Status
 +
* '''Timestamp
 +
 +
However, there is a great number of fields apart from those shown by default that can be added to the "Fields selected" list:
 +
 +
*'''Event name''' : Event name.
 +
*'''Event ID''' : Event ID.
 +
*'''Event type''' : Event type.
 +
*'''Agent name''' : Agent name.
 +
*'''Agent ID''' : Agent ID.
 +
*'''Status''' : Event status.
 +
*'''Timestamp''' : Date when the event was created.
 +
*'''ACK Timestamp''' : Date when the evnet was validated.
 +
*'''User''' : Event creator user.
 +
*'''Group''' : Group the module belongs to.
 +
*'''Module name''' : Module name.
 +
*'''Module status''' : Module current status.
 +
*'''Alert''' : Alert linked to the event.
 +
*'''Severity''' : Event severity.
 +
*'''Comment''' : Event comments.
 +
*'''Tags''' : Module tags.
 +
*'''Source''' : Event source.
 +
*'''Extra ID''' : Extra ID.
 +
*'''Owner''' : Owner.
 +
*'''Instructions''' : Critical or warning instructions.
 +
*'''Server name''' : Name of the server the event came from.
 +
*'''Data''' : Numerical data reported by the event.
 +
*'''Severity mini''' : Event severity in reduced format.
 +
 +
Select the fields you wish to display from the "Fields available" list and move them to "Fields selected" using the arrows. Once selected, press the "Update" button.
 +
 +
 +
<center>
 +
[[image:custom_events.png|800px]]
 +
</center>
 +
 +
=== Creating Event Filters ===
 +
 +
In this section you may create, remove and edit filters applied to the event view.
 +
 +
<center>
 +
[[image:filtros_evento.png|800px]]
 +
</center>
 +
 +
By clicking on the ''Create Filter'' button, the following view is shown, where the fields by wich you wish to filter may be chosen.
 +
 +
<br>
 +
[[image:crear_filtro_evento.png|700px|center]]
 +
<br>
 +
 +
Once the filters have been saved, right from the Event View itself they can be loaded to display the desired information quickly without having to reconfigure the filter each time:
 +
 +
<br>
 +
[[image:Event1.JPG|660px|center]]
 +
<br>
 +
 +
 +
=== Event Responses ===
 +
====Introduction====
 +
In this section, event responses can be created, edited and deleted. An event response is a custom action that can be executed on an event, for example, creating a ticket in Integria with the relevant information about the event.
 +
 +
 +
[[image:Event_responses_config_list.png|800px]]
 +
 +
Enter a representative name, a description, the parameters to use, separated by commas, the command to use (the last ones allow the use of macros), the type and the server that will execute the command.
 +
 +
<br>
 +
[[image:Event_responses_config_create.png|800px]]
 +
<br>
 +
 +
==== Event Responses macros ====
 +
 +
The accepted macros are:
 +
 +
* '''Agent address:''' _agent_address_
 +
* '''Agent ID:''' _agent_id_
 +
* '''Event related alert ID:''' _alert_id_
 +
* '''Date on which the event took place:''' _event_date_
 +
* '''Extra ID:''' _event_extra_id_
 +
* '''Event ID:''' _event_id_
 +
* '''Event instructions:''' _event_instruction_
 +
* '''Event severity ID:''' _event_severity_id_
 +
* '''Event severity (translated by Pandora FMS console):''' _event_severity_text_
 +
* '''Event source:''' _event_source_
 +
* '''Event status (new, validated or event in process):''' _event_status_
 +
* '''Event tags separated by commas:''' _event_tags_
 +
* '''Full text of the event:''' _event_text_
 +
* '''Event type (System, going into Unknown Status...):''' _event_type_
 +
* '''Date on which the event occurred in utimestamp format:''' _event_utimestamp_
 +
* '''Group ID:''' _group_id_
 +
* '''Group name in database:''' _group_name_
 +
* '''Event associated module address:''' _module_address_
 +
* '''Event associated module ID:''' _module_id_
 +
* '''Event associated module name:''' _module_name_
 +
* '''Event owner user:''' _owner_user_
 +
* '''User ID:''' _user_id_
 +
* '''Id of the user who executes the response:''' _current_user_
 +
* '''Command response time (seconds)''': _command_timeout_
 +
  
 
[[Pandora:Documentation_en|Go back to Pandora FMS Documentation Index]]
 
[[Pandora:Documentation_en|Go back to Pandora FMS Documentation Index]]
  
 
[[Category:Pandora FMS]]
 
[[Category:Pandora FMS]]
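Review bot: The bullet lists in the new "Event setup" and "Custom event view" sections open bold markup that is never closed (for example "* ''' Event filtering." and "* '''Event name"); close each with ''' or drop the markup. The added text also has "evnet" for "event" in the ACK Timestamp entry, "wich" in the Create Filter sentence, and "e.g. An event" where the old revision had the correct lowercase. In "Event Responses", the sentence saying that commands accept macros does not say how values such as _event_text_ are quoted when they are substituted into the command, which anyone writing a response needs to know.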

Latest revision as of 12:47, 16 July 2020


1 Events

1.1 Introduction

The Pandora FMS event system shows a real-time record of all the events that take place in your monitored systems. The information displayed ranges from any module status change, alerts triggered or retrieved, to system restarts or custom events. By default, the event view shows a picture of what is happening at that time. It is one of the views most used by operation teams in any type of professional monitoring software.

Events are classified by their severity:

  • Maintenance (grey)
  • Informational (blue)
  • Normal (green)
  • Warning (yellow)
  • Critical (red)
  • Major (brown)
  • Minor (pink)

The following actions can be performed in regard to an event:

  • Change its status (validated or in progress)
  • Change the owner
  • Delete
  • Show additional information
  • Add a comment
  • Apply custom responses

1.2 General information

Events are managed in Events > View Events, where there is the following menu:

Menu eventos.png

This is an example of the default event viewer. The fields displayed in this view can be customized (see Customize Event View section):

Event list.png

Pandora FMS version 726 includes the possibility of sorting events by ID, status, name...

Event orden.png

The event viewer shows the event itself, which is a descriptive text of the problem, its source (agent) and the event's date. Sometimes, there is some other linked data (e.g. agent module that generated the event, the group, module related tags, etc.).

Detalle evento 1.jpg

By clicking on the magnifying glass, all event details are shown:

Detalle evento 2.jpg

By default, events are shown through a specific search, which can be modified, showing the information in the most suitable way through its different filtering options:

Filtro evento.png

As seen here, by default (although this can be modified in the setup options), Pandora FMS shows events that are up to eight hours old, and only those that have not been validated. A user who only has access to one group will only see events from that group. Events are grouped by default: if there are several events from the same source and of the same type, only one is shown. However, the detailed event view specifies the number of events of the same type grouped in that single item of the list.

There is also the possibility of saving searches as filters, or applying a previously created filter (see Event filter creation section).

The events are the record and a key point of a monitoring system.

The operators who see this screen are able to find out the current status (active events) and the history (seeing all validated events), without going through the trouble of looking at every single agent. They are also capable of browsing through global figures, data trees, names and visual screens.

Operators should see a "clean" event console, that only shows active problems. That way, there is no need to create alerts. Just by looking at the screen, you become aware of what is going on at all times.

1.3 Operating with events

1.3.1 Event validation and status. Autovalidation

An event may be in one of three statuses: new, in process or validated. A newly arrived event is in New status by default. When events take place due to module status changes, there will usually be two events: the first event is the change from normal to faulty state, and the second one is the event going back to normal once the problem is solved.

In these cases, events going into a faulty state (critical or warning) are automatically validated when they go back to normal. This is called event autovalidation and it is a key feature, since it hides information that is no longer relevant in the event console. When an event is validated, it disappears from the default initial event view, since this view does not show validated events by default because they are not considered active problems but past problems.

When finding an event, it can be validated. That will make the system save the date and the user who validated the event. It is also possible to leave a comment:


Event sample4.png

By clicking on the validate button, the screen is refreshed and the validated event "disappears". This is because the default event view only displays non-validated or assigned events, but not validated ones.

Event sample5.png

If the event view is reloaded, filtering and displaying all events, the validated event (with a green "x" on the left) will be displayed together with the information of who validated it, when, and the text entered at that time.

On the other hand, instead of validating an event, it can be marked as "in process" in the Responses tab, as shown below:

Event sample6.png

An event can be "stopped", or blocked, so that it does not validate itself, and it still appears in the event view as pending work. It will group the other events of the same kind that arrive (see grouping of events), but it will not validate itself. The event will look something like this:

Event sample7.png

In addition, in the Responses tab you may find some other possible actions on the event, such as deleting it or executing custom responses such as the ping on the host.

They can also be validated, marked as "in process" and deleted individually with these features:

Op indi.png

It is also possible to validate, mark as "in process" and delete events as well as executing mass custom responses of the command type as shown below:

Op masiva2.png

Regarding custom responses, the maximum number of events to which the operation applies is limited to ten.

1.3.2 Event filtering

From the Event View page, it is possible to filter the event list to search for specific events.

From the event view, access the filtering options in Event control filter, and the advanced options through Advanced options:


Event6.JPG


There are many fields and some of them do not need further explanation, so only the most relevant or complicated ones are detailed here:

  • Event Type: In Pandora FMS, there is a limited number of events, which are the following ones:
    • Agent created
    • Alert triggered
    • Alert stopped (outdated)
    • Alert recovered (different to alert stopped)
    • Configuration change (affects an inventory module)
    • Unknown (generic)
    • New host detected via recon
    • Error (generic)
    • Unknown monitor (unknown)
    • Monitor in critical status
    • Monitor in warning status (warning)
    • Monitor in normal status
    • Not normal (generic)
    • System (generic)
    • Manual alert validation
  • Severity: It details the severity of the event, which has nothing to do with the status of the module related to that event. If the event is linked to an alert, it will have the same level of severity. These are the five levels of severity through which you may filter:
    • Maintenance
    • Informational
    • Normal
    • Minor
    • Warning
    • Major
    • Critical
    • Warning/Critical
    • Not normal
    • Critical/Normal
  • Max. hour old: Sets the maximum age, in hours, that an event may have in order to be included in the visible event list.
  • Repeated: By default, Pandora FMS groups events, that means that if 10 events of the same type have the same source, only one will be shown. And the detailed event view will include the number of events of the same type, grouped in that single item of the list. This can be modified so that events are shown individually.
  • Timestamp: It is the date when the event was created. It is possible to filter event creation dates using the timestamp from and timestamp to fields.

You may save the current filter to use it later on or load an existing filter.

1.3.3 Deleting an Event

Another way of managing events is deleting those that are not relevant any more. Use the 'deleting events' option to do so. From the list located at Events > View Events they can be deleted individually or several can be marked to be deleted.

Click on the gray trash can icon.

Gest62.png

Automatic event purging

From the configuration, it is possible to define the maximum number of history events to be kept for deleting. This purging is performed by the automatic maintenance process of the database (Pandora_DB) that should be executed automatically every hour.

Event purge.jpg

Event history

There is also an Enterprise feature called "event history" that stores in the historical database those events that exceed the deleting date. These events are not accessible through the event view, and they are only used for special event history reports.

Event history.jpg

1.3.4 Other ways of viewing Events

Besides the event's classic view in 'Events' > 'View Events', events can also be published in news channels or as 'sliding Marquee' (a moving list at the top of the browser on a black screen) by clicking on the 'Events' drop-down and the 'RSS' or 'Marquee' options accordingly.

View events1.jpg

1.3.4.1 RSS Events

Pandora FMS also has an RSS Event Provider in order for you to subscribe to it from your favorite news reader. To see the events within a news channel or RSS, click on 'Events' and 'RSS' and subscribe to it from the news reader.


It is necessary to have an RSS reader and register to receive Pandora FMS notifications, otherwise a window with the report in XML code will appear.

 


Gest64.png


To access the event RSS feed, configure which IPs are allowed to access it. To do so, click on the field named 'IP list with API access' within 'Setup'.

 


1.3.4.2 Events in the horizontal Marquee

If you access 'Events' > 'Marquee', you will see the last events in a sliding text-line format. This option may be used to display the last events within a monitor as a text screen. The number of visualized events or the size, color and filtering of the messages can be easily customized by modifying the code within the file named 'operation/events/events_marquee.php'.

Gest65.png

1.3.4.3 Event sound console

It makes it possible to manage a system without having to check the Pandora FMS console constantly. Just by having your speakers connected and making sure that the volume is high enough, you will be able to hear the different tunes if an event takes place, even if you are far from the computer. The tune will be played until you pause the sound event or press the 'OK' button.

The list of sound events that generate a sound alert:

  • A triggered alert
  • A module going into warning state.
  • A module going into critical state.
  • A module going into unknown state.

It is also possible to filter events by group/agent.

Sound console.jpg


1.3.4.3.1 Advanced Configuration

It is also possible to extend the list of tunes for all sound events. On the server that hosts the Pandora FMS console, go to the console directory (usually '/var/www/pandora_console/') and add the files with the new tunes to the include/sounds/ directory. Take into account several key points to achieve the right performance:

  • The file has to be in 'WAV' format.
  • It is recommended to take the smallest file possible, because this file must be sent to the browser in order to be played within your browser's window. There are several tips to achieve this:
    • Select an audio file only a few seconds long (or even less) for the main alert sound, because it will be played on a loop.
    • Convert the audio to mono.
    • Change the audio's coding to 16bits signed or even less. Quality will be lost but the file's size will decrease by doing this.
  • In order to create or edit audio files, it is recommended to use tools such as Audacity, which is a user-friendly, multi-platform, open-source tool.

1.3.4.3.2 Use

The event sounds are asynchronously 'scanned' every 10 seconds. If an event is received, the preconfigured or default sound for this event will be replayed and the window will start flickering in red and waving. This window will also be placed in foreground of all other opened windows, depending on the browser's and operating system's configuration.

To gain access to the sound events window, go to the Pandora FMS Console's left menu and click on Operation and View Events. Within the header's event window, click on the Sound Events icon.

Event sound.png

This small window will be the one to manage all sound events. That is why it is recommended to leave it open, so that it sounds whenever any event is received. Inside the window, there are several controls that enable filtering so that the console only goes off according to several filters: group, type of event or specific agent(s). Also, in case it goes off, a small window will indicate which event has gone off.

Press the "Play" button to start the sound console. When an event goes off, press "OK" to restart the console and stop the sound (until another new event makes it go off again).


1.3.5 Exporting Events to a CSV

It is possible to export the event list to a CSV file in order for these events to be processed or incorporated into other applications.

In order to export the events to a CSV file, click on 'Operation' -> 'View Events' and 'Export to CSV File'.

Export to csv.jpg

1.3.6 Event Statistics

It is possible to access event statistics by clicking on 'Events' > 'Statistics' to see a brief real-time report, in graph form, about the current events. There are four types of graphs that report this information:

  • Event graph
  • Event graph by user
  • Event graph by agent
  • Number of validated events

Gest66.png

Besides, by clicking on one of the sections that make up the graphic, the report will be shown in percentage format as well as the event value and its current status.

Estadisticas eventos.jpg



1.4 Event alerts. Event correlation

From Pandora FMS release 741 onwards, a series of changes have been made to improve event-related alert performance. All the information about this topic is in the Alert correlation: event and log alerts section of the wiki.

1.5 Events from the Command Line

1.5.1 Generating Events from the Command Line

By using the WEB API, you may interact with Pandora FMS from remote sites, even if you do not have a Database connection or an agent installed. You may do it using the tool that you can find here:

/usr/share/pandora_server/util/pandora_revent.pl

This tool uses an HTTP/HTTPS remote connection to create or validate events under Pandora FMS. Execute it without parameters to see its syntax, reproduced here:

Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at http://www.pandorafms.org

Options to create event: 

	./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -create_event <options> 

Where options:

	-u <credentials>			: API credentials separated by comma: <api_pass>,<user>,<pass>
	-name <event_name>			: Free text
	-group <id_group>			: Group ID (use 0 for 'all') 
	-agent					: Agent ID
	
Optional parameters:
	
	[-status <status>]			: 0 New, 1 Validated, 2 In process
	[-user <id_user>]			: User comment (use in combination with -comment option)
	[-type <event_type>]			: unknown, alert_fired, alert_recovered, alert_ceased
							  alert_manual_validation, system, error, new_agent
							  configuration_change, going_unknown, going_down_critical,
							  going_down_warning, going_up_normal
	[-severity <severity>] 		: 0 Maintance,
						  1 Informative,
						  2 Normal,
						  3 Warning,
						  4 Crit,
						  5 Minor,
						  6 Major
	[-am <id_agent_module>]		: ID Agent Module linked to event
	[-alert <id_alert_am>]			: ID Alert Module linked to event
	[-c_instructions <critical_instructions>]
	[-w_instructions <warning_instructions>]
	[-u_instructions <unknown_instructions>]
	[-user_comment <comment>]
	[-owner_user <owner event>]		: Use the login name, not the descriptive
	[-source <source>]			: (By default 'Pandora')
	[-tag <tags>]				: Tag (must exist in the system to be imported)
	[-custom_data <custom_data>]		: Custom data should be a base 64 encoded JSON document (>=6.0)
	[-server_id <server_id>]		: The pandora node server_id (>=6.0)
        [-id_extra <id extra>]      : Id extra
        [-agent_name <Agent name>]  : Agent name, do not confuse with agent alias.
	[-force_create_agent<0 o 1>]: Force the creation of agent through an event this will create when it is 1.
        
Example of event generation:

	./pandora_revent.pl -p http://localhost/pandora_console/include/api.php -u 1234,admin,pandora 
		-create_event -name "SampleEvent" -group 2 -agent 189 -status 0 -user "admin" -type "system" 
		-severity 3 -am 0 -alert 9 -c_instructions "Critical instructions" -w_instructions "Warning instructions" 


Options to validate event: 

	./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -validate_event <options> -id <id_event>

Sample of event validation: 

	./pandora_revent.pl -p http://localhost/pandora/include/api.php -u pot12,admin,pandora -validate_event -id 234

Firstly, enable the API access and configure it. To do so, follow the below mentioned steps:

  1. Enable the API access for the IP from which the command will be executed or use '*' for all IPs.
  2. Set an API password.
  3. Use a user/password to login, or define a specific user to access it through API.

In order for the 'unknown', 'critical' or 'warning' instruction fields to appear within the event details, the event type must be 'going_unknown', 'going_down_critical' or 'going_down_warning' accordingly.

More examples:

./pandora_revent.pl -p http://192.168.50.12/pandora_console/include/api.php -u pandora12,admin,pandora \
  -create_event -name "Another nice event" -group 0 -type "system" -status 0 -severity 4 \
  -user "davidv" -owner_user "admin" -source "Commandline" -user_comment "Comment test"
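
The following is an added example, not part of the original page or of the Pandora FMS distribution: a POSIX shell wrapper that assembles a -create_event call from the options in the usage text above, reads the <api_pass>,<user>,<pass> triple from an owner-only file, accepts only https:// API URLs and base64-encodes the JSON given to -custom_data. The function names, the credential file path and the host pandora.example are assumptions made for the example.

```shell
#!/bin/sh
# Added example: wrapper around pandora_revent.pl -create_event.
# It uses only options that appear in the tool's usage text above.
# Hypothetical call (host and credential file path are made up):
#   send_event https://pandora.example/pandora_console/include/api.php \
#       /etc/pandora/revent.cred "Disk full" 2 189 4 '{"Location": "Office"}'

REVENT=${REVENT:-/usr/share/pandora_server/util/pandora_revent.pl}

# -custom_data expects a base64-encoded JSON document; strip any line wraps.
encode_custom_data() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# -u carries <api_pass>,<user>,<pass>; refuse to send it over plain HTTP.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS API URL: $1" >&2; return 1 ;;
    esac
}

# Read the credential triple from a file that only its owner can access,
# so it does not have to be typed into scripts or shell history.
read_credentials() {
    [ -f "$1" ] && [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) ;;
        *) echo "$1 is $perms; expected owner-only access" >&2; return 1 ;;
    esac
    creds_line=$(head -n 1 "$1")
    case "$creds_line" in
        ?*,?*,?*) printf '%s\n' "$creds_line" ;;
        *) echo "$1 must contain <api_pass>,<user>,<pass>" >&2; return 1 ;;
    esac
}

# Print the command line, one argument per line.
# Arguments: api_url cred_file event_name group_id agent_id severity [json]
build_create_event() {
    require_https "$1" || return 1
    creds=$(read_credentials "$2") || return 1
    case "$3" in
        *'
'*) echo "event name must be a single line" >&2; return 1 ;;
    esac
    case "$6" in
        [0-6]) ;;   # severity codes 0..6 from the usage text
        *) echo "severity must be 0-6" >&2; return 1 ;;
    esac
    printf '%s\n' "$REVENT" -p "$1" -u "$creds" -create_event \
        -name "$3" -group "$4" -agent "$5" \
        -type system -status 0 -severity "$6" -source Commandline
    if [ -n "${7:-}" ]; then
        printf '%s\n' -custom_data "$(encode_custom_data "$7")"
    fi
}

# Build the command and run it. The argument list is split on newlines
# only, so values that contain spaces stay in one argument.
send_event() {
    cmd_lines=$(build_create_event "$@") || return 1
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $cmd_lines
    set +f
    IFS=$old_ifs
    "$@"
}
```

The tool still receives the credentials as a -u argument, so they are visible in the process list while it runs; a dedicated API user, as step 3 suggests, limits what a leaked triple can do.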

1.5.2 Only generating events from the Command Line: 'pandora_revent_create'

It offers the same features as the 'pandora_revent' script, except that it cannot validate events. The tool is found at:

/usr/share/pandora_server/util/pandora_revent_create.pl

This tool uses an HTTP/HTTPS remote connection to create or validate events under Pandora FMS. Execute it without parameters to see its syntax, reproduced here:

Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at http://www.pandorafms.org

Options to create event: 

	./pandora_revent_create.pl -p <path_to_consoleAPI> -u <credentials> -create_event <options> 

Where options:

	-u <credentials>			: API credentials separated by comma: <api_pass>,<user>,<pass>
	-name <event_name>			: Free text
	-group <id_group>			: Group ID (use 0 for 'all') 
	-agent					: Agent ID
	
Optional parameters:
	
	[-status <status>]			: 0 New, 1 Validated, 2 In process
	[-user <id_user>]			: User comment (use in combination with -comment option)
	[-type <event_type>]			: unknown, alert_fired, alert_recovered, alert_ceased
							  alert_manual_validation, system, error, new_agent
							  configuration_change, going_unknown, going_down_critical,
							  going_down_warning, going_up_normal
	[-severity <severity>] 		: 0 Maintance,
						  1 Informative,
						  2 Normal,
						  3 Warning,
						  4 Crit,
						  5 Minor,
						  6 Major
	[-am <id_agent_module>]		: ID Agent Module linked to event
	[-alert <id_alert_am>]			: ID Alert Module linked to event
	[-c_instructions <critical_instructions>]
	[-w_instructions <warning_instructions>]
	[-u_instructions <unknown_instructions>]
	[-user_comment <comment>]
	[-owner_user <owner event>]		: Use the login name, not the descriptive
	[-source <source>]			: (By default 'Pandora')
	[-tag <tags>]				: Tag (must exist in the system to be imported)
	[-custom_data <custom_data>]		: Custom data should be a base 64 encoded JSON document (>=6.0)
	[-server_id <server_id>]		: The pandora node server_id (>=6.0)

Example of event generation:

	./pandora_revent_create.pl -p http://localhost/pandora_console/include/api.php -u 1234,admin,pandora 
		-create_event -name "SampleEvent" -group 2 -agent 189 -status 0 -user "admin" -type "system" 
		-severity 3 -am 0 -alert 9 -c_instructions "Critical instructions" -w_instructions "Warning instructions" 

Enable the API access and configure it first. Follow these three steps to do so:

  1. Enable the API access for the IP from which the command will be executed or use '*' for all IPs.
  2. Set an API password.
  3. Use a regular user/password or define a specific user to have access through the API.

In order for the 'unknown', 'critical' or 'warning' instruction fields to appear within the event details, the event type is required to be 'going_unknown', 'going_down_critical' or 'going_down_warning'.

More examples:

./pandora_revent_create.pl -p http://192.168.50.12/pandora_console/include/api.php -u pandora12,admin,pandora 
-create_event -name "Another nice event" -group 0 -type "system" -status 0 -severity 4
-user "davidv" -owner_user "admin" -source "Commandline" -comment "Prueba de comentario"
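
Building the same call from a script, as an added example (not part of the Pandora FMS tools): it checks the documented type, severity and status values, encodes -custom_data as base64 JSON, and returns an argument list so that event names and comments never pass through a shell. The helper names and sample values are assumptions; the credentials string is a placeholder.

```python
import base64
import json

# Event types as listed in the tool's help text above.
EVENT_TYPES = {
    "unknown", "alert_fired", "alert_recovered", "alert_ceased",
    "alert_manual_validation", "system", "error", "new_agent",
    "configuration_change", "going_unknown", "going_down_critical",
    "going_down_warning", "going_up_normal",
}
TOOL = "/usr/share/pandora_server/util/pandora_revent_create.pl"


def encode_custom_data(data):
    """Return the base64-encoded JSON document expected by -custom_data."""
    # Assumption: a JSON object, as in the page's custom-field example.
    if not isinstance(data, dict):
        raise ValueError("custom data must be a JSON object")
    raw = json.dumps(data, separators=(",", ":"))
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_create_event_argv(api_url, credentials, name, group, agent,
                            event_type="system", severity=2, status=0,
                            custom_data=None):
    """Build the argument list for pandora_revent_create.pl -create_event."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type: {event_type!r}")
    if severity not in range(7):        # 0..6 in the help text
        raise ValueError("severity must be 0..6")
    if status not in (0, 1, 2):         # New, Validated, In process
        raise ValueError("status must be 0, 1 or 2")
    argv = [TOOL, "-p", api_url, "-u", credentials, "-create_event",
            "-name", name, "-group", str(group), "-agent", str(agent),
            "-status", str(status), "-type", event_type,
            "-severity", str(severity)]
    if custom_data is not None:
        argv += ["-custom_data", encode_custom_data(custom_data)]
    return argv


if __name__ == "__main__":
    # Constructed sample; the credentials string is a placeholder.
    print(build_create_event_argv(
        "http://localhost/pandora_console/include/api.php",
        "<api_pass>,<user>,<pass>", "SampleEvent", 2, 189, severity=3,
        custom_data={"Location": "Office", "Priority": 42}))
```

The returned list can be handed to `subprocess.run()` as is, without `shell=True`.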

1.5.3 Custom fields within events

Events with custom fields can be generated with the Pandora FMS CLI, for example with the following command:

perl pandora_manage.pl /etc/pandora/pandora_server.conf --create_event 'Custom event' system Firewalls 'localhost' 'module' 0 4 'admin' '{"Location": "Office", "Priority": 42}'

The resulting event looks like the one shown below.

Event custom data.png

1.6 Event setup

In the Events section of the Pandora FMS console management area ('Events' > 'View events' > 'Manage events'), the following aspects of events can be configured:

  • Event filtering.
  • Event responses.
  • Event display.

Configuracion eventos.jpg


1.6.1 Custom event view

It is possible to customize the fields that the Event View shows by default from the Events > View events > Manage events > Custom fields section, where the fields to be shown can be chosen.

By default, the fields displayed are:

  • Event name
  • Agent ID
  • Status
  • Timestamp

However, there is a great number of fields apart from those shown by default that can be added to the "Fields selected" list:

  • Event name : Event name.
  • Event ID : Event ID.
  • Event type : Event type.
  • Agent name : Agent name.
  • Agent ID : Agent ID.
  • Status : Event status.
  • Timestamp : Date when the event was created.
  • ACK Timestamp : Date when the event was validated.
  • User : Event creator user.
  • Group : Group the module belongs to.
  • Module name : Module name.
  • Module status : Module current status.
  • Alert : Alert linked to the event.
  • Severity : Event severity.
  • Comment : Event comments.
  • Tags : Module tags.
  • Source : Event source.
  • Extra ID : Extra ID.
  • Owner : Owner.
  • Instructions : Critical or warning instructions.
  • Server name : Name of the server the event came from.
  • Data : Numerical data reported by the event.
  • Severity mini : Event severity in reduced format.

Select the fields you wish to display from the "Fields available" list and move them to "Fields selected" using the arrows. Once selected, press the "Update" button.


Custom events.png

1.6.2 Creating Event Filters

In this section you may create, remove and edit filters applied to the event view.

Filtros evento.png

By clicking on the Create Filter button, the following view is shown, where the fields by which you wish to filter may be chosen.


Crear filtro evento.png


Once the filters have been saved, they can be loaded directly from the Event View to display the desired information quickly, without having to reconfigure the filter each time:


Event1.JPG



1.6.3 Event Responses

1.6.3.1 Introduction

In this section, event responses can be created, edited and deleted. An event response is a custom action that can be executed on an event, for example, creating a ticket in Integria with the relevant information about the event.


Event responses config list.png

Enter a representative name, a description, the parameters to use (separated by commas), the command to use (the last ones allow the use of macros), the type and the server that will execute the command.


Event responses config create.png

1.6.3.2 Event Responses macros

The accepted macros are:

  • Agent address: _agent_address_
  • Agent ID: _agent_id_
  • Event related alert ID: _alert_id_
  • Date on which the event took place: _event_date_
  • Extra ID: _event_extra_id_
  • Event ID: _event_id_
  • Event instructions: _event_instruction_
  • Event severity ID: _event_severity_id_
  • Event severity (translated by Pandora FMS console): _event_severity_text_
  • Event source: _event_source_
  • Event status (new, validated or event in process): _event_status_
  • Event tags separated by commas: _event_tags_
  • Full text of the event: _event_text_
  • Event type (System, going into Unknown Status...): _event_type_
  • Date on which the event occurred in utimestamp format: _event_utimestamp_
  • Group ID: _group_id_
  • Group name in database: _group_name_
  • Event associated module address: _module_address_
  • Event associated module ID: _module_id_
  • Event associated module name: _module_name_
  • Event owner user: _owner_user_
  • User ID: _user_id_
  • Id of the user who executes the response: _current_user_
  • Command response time (seconds): _command_timeout_
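
Several of these macros carry free text (event text, tags, instructions), so a response command that runs through a shell needs each value inserted as a single quoted word. The following is an added sketch of such a substitution, not Pandora FMS's own implementation; the `create_ticket` command and the sample event are constructed.

```python
import re
import shlex

# Macro names copied from the list above.
MACROS = (
    "_agent_address_ _agent_id_ _alert_id_ _event_date_ _event_extra_id_ "
    "_event_id_ _event_instruction_ _event_severity_id_ "
    "_event_severity_text_ _event_source_ _event_status_ _event_tags_ "
    "_event_text_ _event_type_ _event_utimestamp_ _group_id_ _group_name_ "
    "_module_address_ _module_id_ _module_name_ _owner_user_ _user_id_ "
    "_current_user_ _command_timeout_"
).split()

# Longest names first so no macro is shadowed by a shorter alternative.
MACRO_RE = re.compile(
    "|".join(re.escape(m) for m in sorted(MACROS, key=len, reverse=True)))


def expand_response(template, values):
    """Replace each macro that has a value with that value, shell-quoted."""
    def substitute(match):
        macro = match.group(0)
        if macro not in values:
            return macro  # no value supplied: leave the macro visible
        return shlex.quote(str(values[macro]))
    return MACRO_RE.sub(substitute, template)


# Constructed sample event and a hypothetical response command.
SAMPLE_EVENT = {
    "_event_id_": 234,
    "_agent_address_": "192.168.50.12",
    "_event_text_": "Disk /var full; usage > 95% (see $HOME/report)",
}
SAMPLE_TEMPLATE = (
    "create_ticket --id _event_id_ --host _agent_address_ "
    "--summary _event_text_")

if __name__ == "__main__":
    print(expand_response(SAMPLE_TEMPLATE, SAMPLE_EVENT))
```

Macros must appear unquoted in the template, because the substitution supplies the quoting itself.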

