Difference between revisions of "Pandora: Documentation en: Events"

From Pandora FMS Wiki
(Generating Events from the Command Line)
(Event Responses)
 
(42 intermediate revisions by 8 users not shown)
Line 3: Line 3:
 
= Events =
 
= Events =
 
==Introduction==
 
==Introduction==
Pandora FMS event system allows to see a real time record of all the events that take place in your monitored systems. The information displayed ranges from any module status change, alerts triggered or retrieved, to system restarts or custom events. By default, in the event view, a picture of what is happening at that time will be shown. It is one of the views that is used the most by operation teams in any type of professional monitoring software.
+
Pandora FMS event system allows to see a real time record of all the events that take place in your monitored systems. The information displayed ranges from any module status change, alerts triggered or retrieved, to system restarts or custom events. By default, in the event view, '''a ''screenshot'' of what is happening at that time will be shown'''.
  
 
Events are classified by their severity:
 
Events are classified by their severity:
  
* '''Maintenance''' (grey)
+
[[Image:PFMS color legend.png|right|300px]]
* '''Informational''' (blue)
+
 
* '''Normal''' (green)
+
* '''Maintenance''' (grey).
* '''Warning''' (yellow)
+
* '''Informational''' (blue).
* '''Critical''' (red)
+
* '''Normal''' (green).
 +
* '''Warning''' (yellow).
 +
* '''Critical''' (red).
 +
* '''Major''' (brown).
 +
* '''Minor''' (pink).
  
 
The following actions can be performed in regard to an event:
 
The following actions can be performed in regard to an event:
  
* '''Change its status''' (validated or in progress)
+
* '''Change its status''' (validated or in progress).
* '''Change the owner'''
+
* '''Change the owner'''.
* '''Delete'''
+
* '''Delete'''.
* '''Show additional information'''
+
* '''Show additional information'''.
* '''Add a comment'''
+
* '''Add a comment'''.
* '''Apply custom responses'''
+
* '''Apply custom responses'''.
  
 
== General information==
 
== General information==
  
Events are managed in Events > View Events, where there is the following menu:
+
Events are managed in '''Events''' > '''View Events''':
  
 
<center>
 
<center>
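Review bot: The new severity list appends '''Major''' (brown) and '''Minor''' (pink) after '''Critical''' (red), so if the list is meant to read from least to most severe it no longer does. Place Minor and Major where they rank relative to Warning and Critical, and change "allows to see" in the rewritten introduction to "lets you see".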
Line 30: Line 34:
 
</center>
 
</center>
  
This is an example of the default event viewer. The fields displayed in this view can be customized (see Customize Event View section):
+
This is an example of the default event viewer:
  
 
<CENTER>
 
<CENTER>
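Review bot: The shortened sentence "This is an example of the default event viewer:" drops the statement that the fields shown in the viewer can be customized, along with the pointer to the Customize Event View section. If that section still exists, keep the cross-reference as a wiki link.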
Line 36: Line 40:
 
</CENTER>
 
</CENTER>
  
Pandora FMS version 726 includes the possibility of sorting out events by ID, status, name...
+
From Pandora FMS version 726, you may sort out events by ID, status, name...
  
 
<CENTER>
 
<CENTER>
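Review bot: "you may sort out events" changes the meaning, since "sort out" means to resolve something. Use "you can sort events by ID, status, name...".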
Line 42: Line 46:
 
</CENTER>
 
</CENTER>
  
The event viewer shows the event itself, which is a descriptive text of the problem, its source (agent) and the event's date. Sometimes, there is some other linked data (e.g. agent module that generated the event, the group, module related tags, etc.).
+
The event viewer shows shows a summary of each event and sometimes other associated data, such as the agent module that generated the event, the group, module-related tags, etc.).
  
 
<CENTER>
 
<CENTER>
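Review bot: The replacement sentence has a doubled word and an unbalanced parenthesis: "The event viewer shows shows a summary ... module-related tags, etc.)." Drop the second "shows" and the trailing ")". The rewrite also no longer says that the summary covers the event text, its source agent and its date; keep that if the columns are not described elsewhere.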
Line 54: Line 58:
 
</CENTER>
 
</CENTER>
  
By default, events are shown through a specific search, which can be modified, showing the information in the most suitable way through its different filtering options:
+
By default, events are shown through a specific search for the last 8 hours and for those that are ''not validated'' ([[Pandora:Documentation_en:Events#Event_filtering|and it can also be customized]]), in addition to grouping to avoid redundancy:
  
 
<CENTER>
 
<CENTER>
Line 60: Line 64:
 
</CENTER>
 
</CENTER>
  
As seen here, by default (although it can be modified in setup options), Pandora FMS shows events that are up to eight hours old or less, and shows only those that have not been validated. A user who only has access to one group will only see events from that group. It '''groups events''' by default. That is, if there are several events from the same source and of the same type, it will show only one. However, the detailed event view will specify the number of events of the same type, grouped in that single item of the list.
+
{{Tip|The user will be able to see only the groups to which he/she belongs, unless the user explicitly belongs to the [[Pandora:Documentation_en:Managing_and_Administration#Group_all|ALL group]].}}
 
 
There is also the possibility of saving searches as filters, or applying a previously created filter (see Event filter creation section).
 
  
'''The events are the record and a key point of a monitoring system.'''
+
You may save searchers such as filters or either apply [[Pandora:Documentation_en:Events#Event_filtering|a previously created filter]].
  
The operators who see this screen are able to find out the current status (active events) and the history (seeing all validated events), without going through the trouble of looking at every single agent. They are also capable of browsing through global figures, data trees, names and visual screens.
+
You may get more information in our video tutorial [https://www.youtube.com/watch?v=XIiI-xSR0GU "Event management in Pandora FMS"].
  
Operators should see a "clean" event console, that only shows active problems. That way, there is no need to create alerts. Just by looking at the screen, you become aware of what is going on at all times.
+
'''Events are the record and a key point of a monitoring system.'''
  
 
== Operating with events ==
 
== Operating with events ==
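Review bot: "You may save searchers such as filters or either apply ..." is garbled; the removed line it replaces said searches can be saved as filters, so "You may save searches as filters or apply a previously created filter" would match. The new Tip also says the user sees "only the groups to which he/she belongs", while the removed sentence was about seeing only the events from those groups; say "events from the groups" so the access restriction is stated for events.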
Line 74: Line 76:
 
=== Event validation and status. Autovalidation ===
 
=== Event validation and status. Autovalidation ===
  
An event may go into three different status: new, in process or validated. A default event, newly arrived, goes into ''New'' status. When events take place due to module status changes, there will usually be two events: the first event is the change from normal to faulty state, and the second one is the event going back to normal once the problem is solved.
+
An event may be in three different status:
 
+
* New.
In these cases, events going into a faulty state (critical or warning) are automatically validated when they go back to normal. This is what it is called event autovalidation and it is an key feature, since it allows to hide information that is no longer relevant in the event console. When an event is validated, it disappears from the default initial event view, since this view does not show validated events by default because they are not considered active problems but past problems.
+
* In process.
 
+
* Validated.  
When finding an event, it can be validated. That will make the system save the date and the user who validated the event. It is also possible to leave a comment:
+
When events take place due to module status changes, there will usually be two events: the first event is the change from normal to "faulty" state, and the second one is the event going back to normal once the problem is solved. In these cases, events going into a faulty state (critical or warning) are automatically validated when they go back to normal. This is what it is called event autovalidation and it is an extremely useful feature.
 
 
 
 
<CENTER>
 
[[File:Event_sample4.png]]
 
</CENTER>
 
  
By clicking on the validate button, the screen is refreshed and the validated event "disappears". This is because the default event view only displays non-validated or assigned events, but not validated ones.
+
[[Image:Event_sample5.png|center|800px]]
  
<CENTER>
+
When working manually, an event can be validated. That will make the system save the date and the user who validated the event. It is also possible to leave a comment:
[[File:Event_sample5.png]]
 
</CENTER>
 
  
If the event view is reloaded, filtering and displaying all events, the validated event (with a green "x" on the left) will be displayed together with the information of who validated it, when, and the text entered at that time.
+
[[Image:Event_sample4.png|center|600px]]
  
On the other hand, instead of validating an event, it can be marked as "in process" in the ''Responses'' tab, as shown below:
+
By clicking on the validate button, the screen is refreshed and the validated event "disappears".
  
<CENTER>
+
Un event can be checked as "in process" in the '''Responses''' tab:
[[File:Event_sample6.png]]
 
</CENTER>
 
  
An event can be "stopped", or blocked, so that it does not validate itself, and it still appears in the event view as pending work. It will group the other events of the same kind that arrive (see grouping of events), but it will not validate itself. The event will look something like this:
+
[[Image:Event_sample6.png|center|800px]]
  
<CENTER>
+
That way the event will not get auto-validated and will stay as pendant. Notice the possible actions: execute custom responses such as pinging the host or assigning to name a couple of them.
[[File:Event_sample7.png]]
 
</CENTER>
 
  
In addition, in the ''Responses'' tab you may find some other possible actions on the event, such as deleting it or executing custom responses such as the ping on the host.
+
[[Image:Event_sample7.png|center|700px]]
  
They can also be validated, marked as "in process" and deleted individually with these features:
+
You may validate, check as "in process" or delete events individually by clicking on the corresponding icons:
  
<CENTER>
+
[[Image:Op_indi.png|center|113px]]
[[File:Op_indi.png]]
 
</CENTER>
 
  
It is also possible to validate, mark as "in process" and delete events as well as executing mass custom responses of the command type as shown below:
+
Or mass apply them to a selection:
  
<CENTER>
+
[[Image:Op_masiva2.png|center|650px]]
[[File:Op_masiva2.png]]
 
</CENTER>
 
  
Regarding custom responses, the maximum number of events to which the operation applies is limited to ten.
+
{{Tip|Regarding custom responses, the maximum number of events to which the operation applies is limited to ten.}}
  
 
=== Event filtering ===
 
=== Event filtering ===
  
From the Event View page, it is possible to filter the event list to search for specific events.
+
Filtering options are found in '''Event control filter''', and advanced options in '''Advanced options''':
 
 
From the event view, access the filtering options in ''Event control filter'', and the advanced options through'' Advanced options'':
 
  
 
<br>
 
<br>
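Review bot: Three of the added lines need wording fixes: "Un event can be checked" should read "An event can be marked", "will stay as pendant" should read "will stay pending", and "such as pinging the host or assigning to name a couple of them" is not a complete thought. The rewrite also removes the statement that a validated event is still displayed, with who validated it and when, once the filter includes validated events; that deserves one sentence, since the new text only says the event "disappears".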
Line 131: Line 116:
 
<br>
 
<br>
  
There are many fields and some of them do not need further explanation, so only the most relevant or complicated ones are detailed in here:
+
Important aspects of this feature:
 
 
* '''Event Type:''' In Pandora FMS, there is a limited number of events, which are the following ones:
 
**Agent created
 
** Alert triggered
 
** Alert stopped (oudated)
 
** Alert recovered (different to alert stopped)
 
**Configuration change (affects an inventory module)
 
** Unknown (generic)
 
**New host detected via recon
 
** Error (generic)
 
**Unknown monitor (unknown)
 
**Monitor in critical status
 
**Monitor in warning status (warning)
 
**Monitor in normal status
 
**Not normal (generic)
 
**System (generic)
 
** Manual alert validation
 
 
 
* '''Severity:''' It details the severity of the event, which has nothing to do with the status of the module related to that event. If the event is linked to an alert, it will have the same level of severity. These are the five levels of severity through which you may filter:
 
** Maintenance
 
** Informational
 
** Normal
 
** Minor
 
** Warning
 
** Major
 
** Critical
 
** Warning/Critical
 
** Not normal
 
** Critical/Normal
 
 
 
* '''Max. hour old:''' The field in which the max. amount of hours old an event may be for it to be added to visible event list is set.
 
 
 
* '''Repeated:''' By default, Pandora FMS groups events, that means that if 10 events of the same type have the same source, only one will be shown. And the detailed event view will include the number of events of the same type, grouped in that single item of the list. This can be modified so that events are shown individually.
 
 
 
* '''Timestamp:''' It is the date when the event was created. It is possible to filter event creation dates using the ''timestamp from'' and ''timestamp to'' fields.
 
  
You may save the current filter to use it later on or load an existing filter.
+
* Filters can be saved to be used again later on.
 +
* Pandora FMS groups repeated events by default, however this setting can be modified to show events individually.
 +
* The limit for old events can be customized ('''Max. hours old'''), as well as requesting the events during a specific time lapse, see advanced options: '''From (date)''' and '''To (date)'''.
  
 
=== Deleting an Event ===
 
=== Deleting an Event ===
  
Another way of managing events is deleting those that are not relevant any more. Use the 'deleting events' option to do so. From the list located at ''Events > View Events'' they can be deleted individually or several can be marked to be deleted.  
+
Events can be deleted individually and/or automatically.
 +
 +
There is also the possibility in the [[Image:icono-modulo-enterprise.png|Enterprise version.]], to keep them in order to create special reports.
  
Click on the gray trash can icon.
+
'''Individually:'''
  
 
<center>
 
<center>
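Review bot: In "There is also the possibility in the [[Image:icono-modulo-enterprise.png|Enterprise version.]], to keep them in order to create special reports." the words "Enterprise version" exist only as image text and the comma after the image is stray. Write "In the Enterprise version, events can also be kept in order to create special reports" and place the icon beside it. In the filtering part, the removed note that event severity "has nothing to do with the status of the module" is not carried into the three new bullets.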
Line 180: Line 134:
 
</center>
 
</center>
  
'''Automatic event purging'''
+
'''Automatic event purging:'''
 
 
From the configuration, it is possible to define the maximum number of history events to be kept for deleting. This purging is performed by the automatic maintenance process of the database (Pandora_DB) that should be executed automatically every hour.
 
  
 
<center>
 
<center>
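Review bot: After this change the "Automatic event purging:" heading has no text under it. The removed paragraph was the only place in this section that said the limit is defined in the configuration and that purging is performed by the database maintenance process (Pandora_DB), which should run every hour. Keep a one-sentence version, since readers planning event retention need to know where the limit is set and what enforces it.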
Line 188: Line 140:
 
</center>
 
</center>
  
'''Event history'''
+
'''Event history [[Image:icono-modulo-enterprise.png|Enterprise version.]]'''
 
 
There is also an Enterprise feature called "event history" that allows to store in the historical database those events that exceed the deleting date. These events are not accessible through the event view, and they are only used for special event history reports.
 
  
 
<center>
 
<center>
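Review bot: The heading now carries the Enterprise icon but the explanation is removed, so nothing says that events exceeding the deletion date are stored in the historical database, are not accessible through the event view, and are used only for event history reports. Restore that in one sentence; someone looking for an old event needs to know the event view will not show it.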
Line 198: Line 148:
 
=== Other ways of viewing Events ===
 
=== Other ways of viewing Events ===
  
Besides the event's classic view in 'Events' > 'View Events', events can also be published in news channels or as 'sliding Marquee' (a moving list at the top of the browser on a black screen) by clicking on the 'Events' drop-down and the 'RSS' or 'Marquee' options accordingly.
+
Events can also be published in news channels or as sliding Marquee (a moving list at the top of the browser on a black screen) by clicking on the '''Events''' > '''RSS''' > '''Marquee''' accordingly.
  
 
<center>
 
<center>
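Review bot: "by clicking on the '''Events''' > '''RSS''' > '''Marquee''' accordingly" reads as a single nested menu path, whereas the removed text described two separate options under the Events drop-down. Suggest "'''Events''' > '''RSS''' or '''Events''' > '''Marquee'''", and drop "the" before the path.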
Line 206: Line 156:
 
==== RSS Events ====
 
==== RSS Events ====
  
Pandora FMS also has an RSS Event Provider in order for you to subscribe to it from your favorite news reader.
+
{{warning|To access event RSS feed, configure the IPs that have access allowed in the field '''IP list with API access''' within '''Setup'''.}}
To see the events within a news channel or RSS, click on 'Events' and 'RSS' and subscribe to it from the news reader.
 
 
 
  
{{warning|It is necessary to have a '''RSS reader''' and register to receive Pandora FMS notifications, otherwise a window with the report in XML code will appear.}}
+
To see events in a news channel or RSS go to '''Events''' > '''RSS''' and subscribe from the news reader of your choice.
  
 
<center>
 
<center>
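Review bot: The moved warning is awkwardly worded ("the IPs that have access allowed") and does not say what a reader from an unlisted address will see. Since the field is named '''IP list with API access''', state whether an address added for a feed reader is thereby also allowed to call the API, and advise listing only the hosts that run the reader. The removed warning about needing an RSS reader (otherwise the report appears as XML) has no replacement.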
Line 216: Line 164:
 
</center>
 
</center>
  
{{warning|To access the event RSS feed, configure which IPs are allowed to access it. To do so, click on the field named 'IP list with API access' within 'Setup'.}}
 
  
 
==== Events in the horizontal Marquee ====
 
==== Events in the horizontal Marquee ====
  
If you access 'Events' > 'Marquee', you will see the last events in a sliding text-line format. This option may be used to display the last events within a monitor as a text screen. The number of visualized events or the size, color and filtering of the messages can be easily customized by modifying the code within the file named 'operation/events/events_marquee.php'.
+
To see the last events in sliding text-line format, go to '''Events''' > '''Marquee'''.
  
 
<center>
 
<center>
 
[[image:gest65.png]]
 
[[image:gest65.png]]
 
</center>
 
</center>
 +
 +
Customize their presentation by modifying the code within the file named <code>operation/events/events_marquee.php</code>.
  
 
==== Event sound console ====
 
==== Event sound console ====
  
It allows to manage a system without having to check Pandora FMS console constantly. Just by having your speakers connected and making sure that the volume is high enough, you will be able to hear the different tunes if an event takes place, even if you are far from the computer. The tune will be played until you pause the sound event or press the 'OK' button.
+
It allows to spread the sound alerts when an event takes place. The tune will be played until you pause the sound event or press the '''OK''' button.
 +
 
 +
[[Image:Sound_console.jpg|center|600px]]
  
The list of sound events that generate a sound alert:
+
The list of sound events that generate a sound alert by default (and may be customized) is:
  
* A triggered alert
+
* A triggered alert.
 
* A module going into '''warning''' state.
 
* A module going into '''warning''' state.
 
* A module going into '''critical''' state.
 
* A module going into '''critical''' state.
 
* A module going into '''unknown''' state.
 
* A module going into '''unknown''' state.
  
It is also possible to filter events by group/agent.
+
Go to '''View events''' > '''Operation'''. In the event's window, clicking on the icon '''Sound Events''' opens the control window of sound events.  
  
<center>
+
[[Image:Event_sound.png|center|313px]]
[[File:Sound_console.jpg]]
 
</center>
 
  
 +
Sound events are explored every 10 seconds asynchronously, when an event takes place, the window will start blinking in red or vibratind and in addition, depending on the configuration of your browser or operative system, the window will keep the focus and stay over the rest of the open windows.
  
 
===== Advanced Configuration =====
 
===== Advanced Configuration =====
  
It is also possible to widen the list of tunes for all sound events. Go to the Pandora Console Server and into the Pandora FMS console (usually '/var/www/pandora_console/') and within the directory named '''include/sounds/''' where you may add the files with the new tunes. But take into account several key points to achieve the right performance:
+
To add new tunes, copy said files in '''WAV format''', to the directory:
 +
 
 +
/var/www/pandora_console/include/sounds/
  
* The file has to be in 'WAV' format.
+
keep in mind that each tune must be sent to the browser and takes some bandwidth; it is recommended:
* It is recommended to take the smallest file possible, because this file must be sent to the browser in order to be played within your browser's window. There are several tips to achieve this:
 
  
** Select an audio file only a few seconds long (or even less) for the main alert sound, because it will be played on a loop.
+
** Select an audio file only a few seconds long as the main alert sound, because it will be played on loop.
 
** Convert the audio to ''mono''.  
 
** Convert the audio to ''mono''.  
 
** Change the audio's coding to ''16bits signed'' or even less. Quality will be lost but the file's size will decrease by doing this.
 
** Change the audio's coding to ''16bits signed'' or even less. Quality will be lost but the file's size will decrease by doing this.
* In order to create or edit audio files, it is recommended to use tools as [http://audacity.sourceforge.net/ '''Audacity'''] which is a user-friendly multi platform open-source tool.
+
* In order to create or edit audio files, it is recommended to use tools as [http://audacity.sourceforge.net/ '''Audacity'''].
 
 
===== Use =====
 
 
 
The event sounds are asynchronously 'scanned' every 10 seconds. If an event is received, the preconfigured or default sound for this event will be replayed and the window will start flickering in red and waving. This window will also be placed in foreground of all other opened windows, depending on the browser's and operating system's configuration.
 
 
 
To gain access to the sound events window, go to the Pandora FMS Console's left menu and click on '''Operation''' and '''View Events'''. Within the header's event window, click on the '''Sound Events''' icon.
 
 
 
<center>
 
[[File:event_sound.png|350px]]
 
</center>
 
 
 
This small window will be the one to manage all sound events. That is why it is recommended to leave it open, so that is sounds whenever any event is received. Inside the window, there are several controls that enable filtering so that the console only goes off according to several filters: group, type of event or specific agent(s). Also, in case it goes off, a small window will indicate which event has gone off.
 
 
 
Press the "Play" button to start the sound console. When an event goes off, press "OK" to restart the console and stop the sound (until another new event makes it go off again).
 
 
 
<center>
 
[[File:Window.event sound.screenshot.png|250px]]
 
</center>
 
  
 
=== Exporting Events to a CSV ===
 
=== Exporting Events to a CSV ===
  
It is possible to export the event list to a CSV file in order for these events to be processed or incorporated into other applications.
+
In order to export the events to a CSV file, click on '''Operation''' -> '''View Events''' and '''Export to CSV File'''.
 
 
In order to export the events to a CSV file, click on 'Operation' -> 'View Events' and 'Export to CSV File'.
 
  
 
<center>
 
<center>
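Review bot: In the rewritten Advanced Configuration block, the "**" sub-items now follow a plain paragraph ("keep in mind that each tune must be sent to the browser ...; it is recommended:") instead of a "*" item, so they no longer nest under anything, and that paragraph starts in lower case. Make the line a "*" item or demote the sub-items to "*". Also fix "vibratind" and "operative system" in the added sound-event sentence, and mark the directory path as code the way operation/events/events_marquee.php is marked in the Marquee paragraph.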
Line 286: Line 217:
 
=== Event Statistics ===
 
=== Event Statistics ===
  
It is possible to access event statistics by clicking on 'Events'> 'Statistics' to see a brief report under the form of a graphic and in real time about the current events.There are four times of graphics that report said information:
+
To access event statistics go to '''Events'''> '''Statistics'''.
 
 
* Event graph
 
* Event graph by user
 
* Event grpah by agent
 
* Number of validated events
 
  
 
<center>
 
<center>
Line 297: Line 223:
 
</center>
 
</center>
  
Besides, by clicking on one of the sections that make up the graphic, the report will be shown in percentage format as well as the event value and its current status.
+
;Event graph: Event percentage according to their status.
 +
;Event graph by user: Percentage grouped by user.
 +
;Event graph by agent: Percentage by agent generated by each event.
 +
;Number of validated events: Validated events and to-be-validated.
 +
 
 +
When clicking on any of the sections, detailed information will appear.
  
 
<center>
 
<center>
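Review bot: The definition for "Event graph by agent" reads "Percentage by agent generated by each event", which inverts the relationship, since agents generate events. Suggest "Percentage of events generated by each agent". "Validated events and to-be-validated" would read better as "Validated versus not yet validated events".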
Line 304: Line 235:
 
<br><br>
 
<br><br>
  
== Event Alerts and Event Correlation ==
+
== Event alerts. Event correlation ==
=== Introduction===
 
Pandora FMS allows to define alerts on events, which allows working from a much more flexible perspective, since alerts are not generated according to the status of a specific module, but on an event -which may have been generated by several different modules of different agents. This is a Pandora FMS Enterprise feature.
 
  
There is a corresponding section for creating event alerts in the 'Alerts' > 'Event alerts' menu.
+
For Pandora FMS release 741 onwards, there is [https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Alerts#Alert_correlation:_event_and_log_alerts event related alert management], a specific wiki section.
  
 +
==Events from the Command Line ==
  
<center>
+
=== Generating Events from the Command Line  ===
[[image:Menu_event_alert.jpg]]
 
</center>
 
  
Event alerts are based on filtering rules using logical operators (and, or, xor, nand, nor, nxor) to search for events matching the configured filtering rules and if matches are found, the alert will be triggered.
+
[[Pandora:Documentation_es:Anexo_API_external|Pandora FMS external API]] is used making remote calls (through HTTPS) on the <code>/include/api.php</code> file. This is the method defined in Pandora FMS to integrate third party applications. It basically consists of a call with the parameters formatted to receive a value or a list of values that this application will use to carry out operations.  
  
They also use the templates to define some parameters, such as the days on which the alert will work, however in this case '''the templates do not determine when the event alert is triggered''', but rather it is through the filtering rules that the events that match will be searched and the corresponding alerts will be triggered.
+
By using the WEB API, you may interact with Pandora FMS from any remote system, even if you do not have connection to the database with an installed Software agent.
  
<CENTER>
+
The three main points to activate Pandora FMS API:
[[File:Event_alerts.png|800px]]
+
#Enable the API access for the IP from wich the command will be executed or use '*' for all IPs.
</CENTER>
+
#Set an API password
 
+
#Use a user/password to login, or define a specific user to access it through API.
=== Event Alert creation ===
 
 
 
Event alert template configuration parameters are similar to those of a module alert. A detailed explanation for all of them can be found [http://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Alerts#Alert_Templates '''here.'''] There are only two specific parameters for event alerts:
 
 
 
* '''Rule Evaluation Mode:''' If provides two options: 'Pass' and 'Drop'. 'Pass' means that if an event matches an alert, the rest of the alerts will be evaluated too. 'Drop' means that if an event matches an alert, the alerts left will no longer be evaluated.
 
 
 
* '''Group by:''' It allows to group the rules by agent, module, alert or group. E.g. If a rule is configured to go off when two critical events are received and it is grouped by agent, two critical events are required to come from the same agent. This can be disabled.
 
 
 
Each rule is configured to go off due to a specific type of event. The alert will be triggered if the condition of the logical equation, which is defined by the rules and its operators, is met. These rules can be set in 'Alerts' > 'Event alerts' > 'View associated rules'.
 
 
 
<CENTER>
 
[[File:Event_alert.jpg]]
 
</CENTER>
 
 
 
A rule's configuration parameters are the following:
 
 
 
 
 
* '''Name:''' The name of the rule, just as a description.
 
* '''Comment:''' A free-text field intended for describing the alert in detail.
 
* '''Event:''' Regular expression that matches the event's text, if left blank it will be "for any event"
 
* '''Window (time):''' The events which have been generated outside the defined time range will be rejected. * It defines a time range where the rule is evaluated (in case several requirements have to be met).
 
* '''Count:''' The number of events which have to match the rule to trigger the alert.
 
* '''Agent:''' Regular expression that matches the alias of the agent that generated the event.
 
* '''Module:''' Regular expression that matches the name of the module that generated the event.
 
* '''Module Alerts (template):''' Regular expression that matches the name of the alert that generated the event.
 
* '''Group:''' Group the agent belongs to. If the recursion box is checked, the rule will also be applied to the child groups of the selected group.
 
* '''Severity:''' Event severity.
 
* '''Tag:''' Event associated tags.
 
* '''User:''' Event associated user (the one who validated it).
 
* '''Event Type''' .
 
 
 
E.g. A rule which matches the events of the CRITICAL type generated by any module called cpu_load from any agent of the group Applications:
 
 
 
<CENTER>
 
[[File:Event_rule.jpg]]
 
</CENTER>
 
 
 
 
 
{{tip|Given the high number of events Pandora FMS Database is able to store, the server works on an maximal event window which is defined in the ''pandora_server.conf'' configuration file by a parameter named ''event_window''. Events generated outside the specified time range will not be processed by the server. So it does not make any sense to specify in a rule a time range wider than the one configured within the Server.}}
 
 
 
{{Warning|In order for event correlation alerts to work, it is necessary to activate the event correlation server with the parameter ''eventserver 1'' in the Pandora FMS server configuration file.}}
 
 
 
=== Event Alert macros ===
 
 
 
The macros that can be used in the event alerts are:
 
 
 
 
 
* '''_address_:''' Address of the agent that triggered the alert.
 
* '''_address_n_ :'''  The address of the agent that corresponds to the position indicated in "n" e.g: address_1_ , address_2__
 
* '''_agent_:'''  Alias of the agent that triggered the alert. If there is no alias assigned, the name of the agent will be used instead.
 
* '''_agentalias_:'''  Alias of the agent that triggered the alert.
 
* '''_agentcustomfield_n_:'''  Agent number n custom field (e.g. _agentcustomfield_9_).
 
* '''_agentcustomid_:'''  Agent custom ID.
 
* '''_agentdescription_:'''  Description of the agent that triggered the alert.
 
* '''_agentgroup_ :'''  Agent group name.
 
* '''_agentname_:'''  Name of the agent that triggered the alert.
 
* '''_agentos_:'''  Agent's operative system.
 
* '''_agentstatus_ :'''  Current agent status.
 
* '''_alert_critical_instructions_:'''  Instructions for CRITICAL status contained in the module.
 
* '''_alert_description_:'''  Alert description.
 
* '''_alert_name_:'''  Alert name.
 
* '''_alert_priority_:'''  Alert’s numeric priority.
 
* '''_alert_text_severity_:'''  Priority level, in text, for the alert (Maintenance, Informational, Normal Minor, Major, Critical).
 
* '''_alert_threshold_:'''  Alert threshold.
 
* '''_alert_times_fired_:'''  Number of times the alert has been triggered.
 
* '''_alert_unknown_instructions_:'''  Instructions for UNKNOWN status contained in the module.
 
* '''_alert_warning_instructions_:'''  Instructions for WARNING status contained in the module.
 
* '''_all_address_ :'''  All addresses of the agent that fired the alert.
 
* '''_data_:'''  Module data that caused the alert to be triggered.
 
* '''_email_tag_:'''  Emails associated to the module’s tags.
 
* '''_event_cfX_:'''  (Only event alerts) Key of the event custom field that triggered the alert. For example, if there is a custom field whose key is IPAM, its value can be obtained using the _event_cfIPAM_ macro.
 
* '''_event_description_:'''  (Only event alerts) Textual description of the Pandora FMS event.
 
* '''_event_extra_id_:'''  (Only event alerts) Extra id.
 
* '''_event_id_:'''  (Only event alerts) ID of the event that triggered the alert.
 
* '''_event_text_severity_:'''  (Only event alerts) Priority text about the event that triggered the alert (Maintenance, Informational, Normal Minor, Warning, Major, Critical).
 
* '''_eventTimestamp_:'''  Timestamp in which the event was created.
 
* '''_fieldX_:'''  User defined field C.
 
* '''_groupcontact_:'''  Group contact information. Configured when the group is created.
 
* '''_groupcustomid_:'''  Group custom ID.
 
* '''_groupother_:'''  Other information about the group. Configured when the group is created.
 
* '''_homeurl_ :'''  It is a link of the public URL this must be configured in the general options of the setup.
 
* '''_id_agent_:'''  Agent ID, useful for building a direct URL with to Pandora FMS console.
 
* '''_id_alert_:'''  Alert ID, used to correlate the alert with third party tools.
 
* '''_id_group_ :'''  Agent group ID.
 
* '''_id_module_:'''  Module ID.
 
* '''_interval_:'''  Module execution interval.
 
* '''_module_:'''  Module name.
 
* '''_modulecustomid_:'''  Module custom ID.
 
* '''_moduledata_X_:'''  Using this macro ("X" is the module name) the last piece of data of this module is collected, and if it is a number it is returned with the decimals specified in the console and its unit (if it has it). This could be useful for example for sending an email once a module alert is triggered, and also send additional information about other modules of the same agent (which could be very relevant).
 
* '''_moduledescription_:'''  Module description.
 
* '''_modulegraph_nh_:'''  (Only for alerts that use the eMail command) It returns an image encoded in base64 of a module graph with a period of n hours (e.g. _modulegraph_24h_). A correct setup of the connection between the server and the console's API is required. This setup is done in the server configuration file.
 
* '''_modulegraphth_nh_:'''  (Only for alerts that use the eMail command) Same operation as the previous macro, but with the critical and warning thresholds of the module provided they are defined.
 
* '''_modulegroup_:'''  Module’s group name.
 
* '''_modulestatus_:'''  Module status.
 
* '''_moduletags_:'''  URLs associated to the module tags.
 
* '''_name_tag_:'''  Names of the tags related to the module.
 
* '''_phone_tag_:'''  Phone numbers associated to the module tags.
 
* '''_plugin_parameters_:'''  Module plugin parameters.
 
* '''_policy_:'''  Name of the policy that the module belongs to (if applies).
 
* '''_prevdata_:'''  Module previous data before the alert was triggered.
 
* '''_rca_:'''  Root cause analysis chain (only for services).
 
* '''_server_ip_:'''  Ip of server assigned to agent.
 
* '''_server_name_:'''  Name of server assigned to agent.
 
* '''_target_ip_:'''  IP address for the module’s target.
 
* '''_target_port_:'''  Port number for the module’s target.
 
* '''_timestamp_:'''  Time and date on which the alert was triggered (yy-mm-dd hh:mm:ss).
 
* '''_timezone_:'''  Timezone that is represented on _timestamp_.
 
 
 
==Events from the Command Line ==
 
 
 
=== Generating Events from the Command Line  ===
 
  
By using the WEB API, you may interact with Pandora FMS from remote sites, even if you do not have a Database connection or an agent installed. You may do it using the tool that you can find here:
+
The password devoted to creating or validating events through Pandora FMS API may be copied from:
  
 
  /usr/share/pandora_server/util/pandora_revent.pl
 
  /usr/share/pandora_server/util/pandora_revent.pl
  
This tool uses a HTTP/HTTPS remote connection to create or validate events under Pandora FMS. Execute it without parameters to see the syntax translated here:
+
When executed in the client device, without parameters, you may see its syntax (here translated):
  
 
<pre>
 
<pre>
 
 
Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
 
Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
 
This program is Free Software, licensed under the terms of GPL License v2
 
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at http://www.pandorafms.org
+
You can download latest versions and documentation at https://www.pandorafms.org
  
Options to create event:  
+
Opciones para crear un evento:
  
./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -create_event <options>  
+
  ./pandora_revent.pl -p <path_consoleAPI> -u <credentials> -create_event <opts>  
  
Where options:
+
Donde las opciones :
  
-u <credentials> : API credentials separated by comma: <api_pass>,<user>,<pass>
+
-u <credentials>:
-name <event_name> : Free text
+
    Credenciales API separados por comas: <api_pass>,<user_name>,<user_pass>
-group <id_group> : Group ID (use 0 for 'all')  
+
-name <event_name>:
-agent : Agent ID
+
  Texto libre
+
-group <id_group>:
Optional parameters:
+
  Identificador de Grupo (use 0 para 'todos')
+
-agent:
[-status <status>] : 0 New, 1 Validated, 2 In process
+
  Especifica agente por su identificador.
[-user <id_user>] : User comment (use in combination with -comment option)
+
[-type <event_type>] : unknown, alert_fired, alert_recovered, alert_ceased
+
Parámetros opcionales:
  alert_manual_validation, system, error, new_agent
+
  configuration_change, going_unknown, going_down_critical,
+
[-status <status>] : 0 Nuevo, 1 Validado, 2 En proceso
  going_down_warning, going_up_normal
+
[-user <id_user>]   : Usuario del comentario (combinar con -comment)
[-severity <severity>] : 0 Maintance,
+
[-type <event_type>] : unknown, alert_fired, alert_recovered, alert_ceased
  1 Informative,
+
        alert_manual_validation, system, error, new_agent
  2 Normal,
+
        configuration_change, going_unknown, going_down_critical,
  3 Warning,
+
        going_down_warning, going_up_normal
  4 Crit,
+
[-severity <severity>] :  
  5 Minor,
+
        0 Mantenimiento,
  6 Major
+
        1 Informativo,
[-am <id_agent_module>] : ID Agent Module linked to event
+
        2 Normal,
[-alert <id_alert_am>] : ID Alert Module linked to event
+
        3 Advertencia,
[-c_instructions <critical_instructions>]
+
        4 Critico,
[-w_instructions <warning_instructions>]
+
        5 Menor,
[-u_instructions <unknown_instructions>]
+
        6 Mayor.
[-user_comment <comment>]
+
[-am <id_agent_module>]       : ID del modulo de agente origen del evento
[-owner_user <owner event>] : Use the login name, not the descriptive
+
[-alert <id_alert_am>]       : ID de la alerta/modulo origen del evento
[-source <source>] : (By default 'Pandora')
+
[-c_instructions <critical_instructions>]
[-tag <tags>] : Tag (must exist in the system to be imported)
+
[-w_instructions <warning_instructions>]
[-custom_data <custom_data>] : Custom data should be a base 64 encoded JSON document (>=6.0)
+
[-u_instructions <unknown_instructions>]
[-server_id <server_id>] : The pandora node server_id (>=6.0)
+
[-user_comment <comment>]
         [-id_extra <id extra>]     : Id extra
+
[-owner_user <owner event>]   : Propietario del evento, usar el login name
        [-agent_name <Agent name>] : Agent name, do not confuse with agent alias.
+
[-source <source>]           : (Por defecto 'Pandora')
[-force_create_agent<0 o 1>]: Force the creation of agent through an event this will create when it is 1.
+
[-tag <tags>]                 : Tag (debe existir ya en el sistema)
 +
[-custom_data <custom_data>] : Los datos personalizados debe ser un base 64  
 +
                                encoded JSON document (>=6.0)
 +
[-server_id <server_id>]     : ID del nodo del server (>=6.0)
 +
         [-id_extra <id extra>] : Id extra
 +
[-agent_name <Agent name>]   : Nombre del agente, NO confundir con el alias.
 +
[-force_create_agent<0 o 1>] : Fuerza la creación del agente si no existe para
 +
                                ello el parámetro a 1 y llevar la opción de
 +
                                agent_name.
 +
</pre>
 
          
 
          
Example of event generation:
+
Example of event generation, using <code>\</code> as order connector and didactic indenting:
  
./pandora_revent.pl -p http://localhost/pandora_console/include/api.php -u 1234,admin,pandora
+
./pandora_revent.pl \
-create_event -name "SampleEvent" -group 2 -agent 189 -status 0 -user "admin" -type "system"  
+
      -p <nowiki>https://$path_consoleAPI/pandora_console/include/api.php</nowiki> \
-severity 3 -am 0 -alert 9 -c_instructions "Critical instructions" -w_instructions "Warning instructions"  
+
      -u $api_pass, $user_name, $user_pass \
 +
      -create_event \
 +
                    -name "SampleEvent" \
 +
                    -group 2 -agent 189 \
 +
                    -status 0 \
 +
                    -user "admin" -type "system" \
 +
                    -severity 3 \
 +
                    -am 0 \
 +
                    -alert 9 \
 +
                    -c_instructions "Critical instructions" \
 +
                    -w_instructions "Warning instructions"  
  
  
Options to validate event:  
+
Options to validate an event:  
  
./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -validate_event <options> -id <id_event>
+
./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -validate_event <options> -id <id_event>
  
 
Sample of event validation:  
 
Sample of event validation:  
  
./pandora_revent.pl -p http://localhost/pandora/include/api.php -u pot12,admin,pandora -validate_event -id 234
+
./pandora_revent.pl \
 
+
    -p <nowiki>https://$path_consoleAPI/pandora/include/api.php</nowiki> \
</pre>
+
    -u $api_pass, $user_name, $user_pass \
 
+
    -validate_event \
Firstly, enable the API access and configure it. To do so, follow the below mentioned steps:
+
                    -id 234
 
 
#Enable the API access for the IP from wich the command will be executed or use '*' for all IPs.
 
#Set an API password
 
#Use a user/password to login, or define a specific user to access it through API.
 
 
 
In order for the 'unknown', 'critical' or 'warning' instruction fields to appear within the event details, the event type must be 'going_unknown', 'going_down_critical' or 'going_down_warning' accordingly.
 
 
 
More examples:
 
  
<pre>
+
{{Tip|For instruction <code>unknown</code>, <code>critical</code> o <code>warning</code> fields to appear in the details of the generated event, said event must be <code>going_unknown</code>, <code>going_down_critical</code>, or else <code>going_down_warning</code>, respectively.}}
/pandora_revent.pl -p http://192.168.50.12/pandora_console/include/api.php -u pandora12,admin,pandora
 
-create_event -name "Another nice event" -group 0 -type "system" -status 0 -severity 4
 
-user "davidv" -owner_user "admin" -source "Commandline" -user_comment "Comment test"
 
</pre>
 
  
=== Only generating events from the Command Line:  'pandora_revent_create'===
+
=== Just event generation ===
  
It is the same feature as the 'pandora_revent' script with the exception of not being able to validate events. You may do it using the tool found at:
+
Sometimes, maybe for security reasons, just count on the event creating option. For that you may copy <code>pandora_revent_create.pl</code> to the client device. It is found at:
  
 
  /usr/share/pandora_server/util/pandora_revent_create.pl
 
  /usr/share/pandora_server/util/pandora_revent_create.pl
  
This tool uses an HTTP/HTTPS remote connection to create or validate events under Pandora FMS. Execute it without parameters to see the syntax here translated:
+
This tool shares similar features to those explained in the previous section.
 
 
<pre>
 
Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
 
This program is Free Software, licensed under the terms of GPL License v2
 
You can download latest versions and documentation at http://www.pandorafms.org
 
 
 
Options to create event:
 
 
 
./pandora_revent_create.pl -p <path_to_consoleAPI> -u <credentials> -create_event <options>
 
 
 
Where options:
 
 
 
-u <credentials> : API credentials separated by comma: <api_pass>,<user>,<pass>
 
-name <event_name> : Free text
 
-group <id_group> : Group ID (use 0 for 'all')
 
-agent : Agent ID
 
 
Optional parameters:
 
 
[-status <status>] : 0 New, 1 Validated, 2 In process
 
[-user <id_user>] : User comment (use in combination with -comment option)
 
[-type <event_type>] : unknown, alert_fired, alert_recovered, alert_ceased
 
  alert_manual_validation, system, error, new_agent
 
  configuration_change, going_unknown, going_down_critical,
 
  going_down_warning, going_up_normal
 
[-severity <severity>] : 0 Maintance,
 
  1 Informative,
 
  2 Normal,
 
  3 Warning,
 
  4 Crit,
 
  5 Minor,
 
  6 Major
 
[-am <id_agent_module>] : ID Agent Module linked to event
 
[-alert <id_alert_am>] : ID Alert Module linked to event
 
[-c_instructions <critical_instructions>]
 
[-w_instructions <warning_instructions>]
 
[-u_instructions <unknown_instructions>]
 
[-user_comment <comment>]
 
[-owner_user <owner event>] : Use the login name, not the descriptive
 
[-source <source>] : (By default 'Pandora')
 
[-tag <tags>] : Tag (must exist in the system to be imported)
 
[-custom_data <custom_data>] : Custom data should be a base 64 encoded JSON document (>=6.0)
 
[-server_id <server_id>] : The pandora node server_id (>=6.0)
 
 
 
Example of event generation:
 
 
 
./pandora_revent_create.pl -p http://localhost/pandora_console/include/api.php -u 1234,admin,pandora
 
-create_event -name "SampleEvent" -group 2 -agent 189 -status 0 -user "admin" -type "system"
 
-severity 3 -am 0 -alert 9 -c_instructions "Critical instructions" -w_instructions "Warning instructions"
 
 
 
</pre>
 
 
 
Enable the API access and configure it first. Follow these three steps to do so:
 
 
 
#Enable the API access for the IP from which the command will be executed or use '*' for all IPs.
 
#Set an API password.
 
#Use a regular user/password or define a specific user to have access through the API.
 
 
 
In order for the 'unknown', 'critical' or 'warning' instruction fields to appear within the event details, the event type is required to be 'going_unknown', 'going_down_critical' or 'going_down_warning'.
 
 
 
More examples:
 
  
 +
Example:
 
<pre>
 
<pre>
/pandora_revent_create.pl -p http://192.168.50.12/pandora_console/include/api.php -u pandora12,admin,pandora
+
/pandora_revent_create.pl \
-create_event -name "Another nice event" -group 0 -type "system" -status 0 -severity 4
+
                      -p http://$path_consoleAPI/pandora_console/include/api.php \
-user "davidv" -owner_user "admin" -source "Commandline" -comment "Prueba de comentario"
+
                      -u $api_pass, $user_name, $user_pass \
 +
                      -create_event -name "Another nice event" \
 +
                        -group 0 \
 +
                        -type "system" \
 +
                        -status 0 \
 +
                        -severity 4 \
 +
                        -user "johndoe" \
 +
                        -owner_user "admin" \
 +
                        -source "Commandline" \
 +
                        -comment "testing event creation"
 
</pre>
 
</pre>
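Review bot: the three added example invocations pass the credentials as -u $api_pass, $user_name, $user_pass, which the shell splits into three separate words at the spaces, while the usage text in this same hunk defines -u as one comma-separated value (<api_pass>,<user_name>,<user_pass>); suggest -u "$api_pass,$user_name,$user_pass" in all three. The added pandora_revent_create.pl example also uses -p http://$path_consoleAPI/... where the other two added examples use https://, so that one would send the API password and the user password over plain HTTP. It passes -comment as well, although the option list documents -user_comment, so it is worth confirming which one the tool accepts. Finally, the added usage text is in Spanish on the English page, under a sentence that says it is shown translated.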
  
Line 608: Line 380:
 
== Event setup ==
 
== Event setup ==
 
   
 
   
In the Event section in the management part of Pandora FMS console('Events' > 'View events' > 'Manage events'), the following aspects regarding events can be configured:
+
Through '''Events''' > '''View events''' > '''Manage events'''), it is possible to configure:
  
* ''' Event filtering.
+
* ''' Filtering.
* ''' Event responses.
+
* ''' Responses.
* ''' Event display.
+
* ''' Display.
  
 
<center>
 
<center>
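Review bot: the added intro line "Through '''Events''' > '''View events''' > '''Manage events'''), it is possible to configure:" keeps a closing parenthesis whose opening one was removed with the old sentence, and the three shortened bullets (''' Filtering. and the two after it) still open bold markup without closing it. Suggest dropping the stray ")" and either closing the bold quotes or writing the bullets as plain items.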
Line 619: Line 391:
  
  
=== Custom event view ===
+
=== Event view customization ===
 +
 
 +
It is possible to customize the fields that the Event View shows by default; from '''Events''' > '''View events''' > '''Manage events''' > '''Custom fields''' section, choose the fields to be shown.
 +
 
 +
[[Image:menuvistaeventos.png|center|400px]]
 +
 
 +
[[Image:menuvistaeventosmanage.png|center|300px]]
 +
 
 +
[[Image:menuvistaeventosmanagecustom.png|center|200px]]
 +
 
 +
You can also access this section from '''Events''' > '''Custom events'''
  
It is possible to customize the fields that the Event View shows by default from the ''Events > View events > Manage events > Custom fields '' section, where the fields to be shown can be chosen.
+
[[Image:menuvistaeventos2.png|center|400px]]
  
 
By default, the fields displayed are:
 
By default, the fields displayed are:
  
* '''Event name  
+
*'''Severity mini''': Event severity in reduced format.
* '''Agent ID
+
*'''Event name''': Event name.
* '''Status
+
*'''Agent ID''': Agent ID.
* '''Timestamp
+
*'''Status''': Event status.
 +
*'''Timestamp''': Date when the event was created.
  
 
However, there is a great number of fields apart from those shown by default that can be added to the "Fields selected" list:
 
However, there is a great number of fields apart from those shown by default that can be added to the "Fields selected" list:
  
*'''Event name''' : Event name.
+
*'''Event ID''': Event ID.
*'''Event ID''' : Event ID.
+
*'''Agent name''': Agent name.
*'''Event type''' : Event type.
+
*'''User''': Event creator user.
*'''Agent name''' : Agent name.
+
*'''Group''': Group the module belongs to.
*'''Agent ID''' : Agent ID.
+
*'''Event type''': Event type.
*'''Status''' : Event status.
+
*'''Module name''': Module name.
*'''Timestamp''' : Date when the event was created.
+
*'''Alert''': Alert linked to the event.
*'''ACK Timestamp''' : Date when the evnet was validated.
+
*'''Severity''': Event severity.
*'''User''' : Event creator user.
+
*'''Comment''': Event comments.
*'''Group''' : Group the module belongs to.
+
*'''Tags''': Module tags.
*'''Module name''' : Module name.
+
*'''Source''': Event source.
*'''Module status''' : Module current status.
+
*'''Extra ID''': Extra ID.
*'''Alert''' : Alert linked to the event.
+
*'''Owner''': Owner.
*'''Severity''' : Event severity.
+
*'''ACK Timestamp''': Date when the evnet was validated.
*'''Comment''' : Event comments.
+
*'''Instructions''': Critical or warning instructions.
*'''Tags''' : Module tags.
+
*'''Server name''': Name of the server the event came from.
*'''Source''' : Event source.
+
*'''Data''': Numerical data reported by the event.
*'''Extra ID''' : Extra ID.
+
*'''Module status''': Module current status.
*'''Owner''' : Owner.
+
*'''Module custom ID''': Valor del campo Module custom ID del módulo.
*'''Instructions''' : Critical or warning instructions.
 
*'''Server name''' : Name of the server the event came from.
 
*'''Data''' : Numerical data reported by the event.
 
*'''Severity mini''' : Event severity in reduced format.
 
 
 
Select the fields you wish to display from the "Fields available" list and move them to "Fields selected" using the arrows. Once selected, press the "Update" button.
 
  
 +
Select the fields you wish to display from '''Fields available''' list and move them to '''Fields selected''' using the arrows.
  
 
<center>
 
<center>
 
[[image:custom_events.png|800px]]
 
[[image:custom_events.png|800px]]
 
</center>
 
</center>
 +
 +
Once selected, click '''Update'''.
  
 
=== Creating Event Filters ===
 
=== Creating Event Filters ===
  
In this section you may create, remove and edit filters applied to the event view.
+
[[Image:filtros_evento.png|center|800px]]
 
 
<center>
 
[[image:filtros_evento.png|800px]]
 
</center>
 
 
 
By clicking on the ''Create Filter'' button, the following view is shown, where the fields by wich you wish to filter may be chosen.
 
  
<br>
+
For the event view, you may create, delete and edit filters; with '''Create new filter''' you may create and choose the fields to filter:
[[image:crear_filtro_evento.png|700px|center]]
 
<br>
 
  
Once the filters have been saved, right from the Event View itself they can be loaded to display the desired information quickly without having to reconfigure the filter each time:
+
[[image:crear_filtro_evento.png|center|500px]]
  
<br>
+
After saving, at any time you may reload the stored preferences:
[[image:Event1.JPG|660px|center]]
 
<br>
 
  
 +
[[image:Event1.JPG|center|700px]]
  
 
=== Event Responses ===
 
=== Event Responses ===
 
====Introduction====
 
====Introduction====
In this section, event responses can be created, edited and deleted. An event response is a custom action that can be executed on an event, for example, creating a ticket in Integria with the relevant information about the event.
+
An event response is a custom action that can be executed on an event, for example, creating a ticket in [https://integriaims.com/docs/en/guia_administracion/caracteristicas_generales Integria IMS] with the relevant information about the event.
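Review bot: the added field description "'''Module custom ID''': Valor del campo Module custom ID del módulo." is left in Spanish on the English page, and the moved ACK Timestamp line still carries the typo "evnet". Suggest "Value of the module's Module custom ID field." and "event". The added line "You can also access this section from '''Events''' > '''Custom events'''" is also missing its final period, unlike the sentences around it.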
  
  
Line 701: Line 472:
 
The accepted macros are:
 
The accepted macros are:
  
* '''Agent address:''' _agent_address_
+
* '''Agent alias''': _agent_alias_
* '''Agent ID:''' _agent_id_
+
* '''Agent name''': _agent_name_
* '''Event related alert ID:''' _alert_id_
+
* '''Agent address''': _agent_address_
* '''Date on which the event took place:''' _event_date_
+
* '''Agent ID''': _agent_id_
* '''Extra ID:''' _event_extra_id_
+
* '''Event related alert ID''': _alert_id_
* '''Event ID:''' _event_id_
+
* '''Date on which the event took place''': _event_date_
* '''Event instructions:''' _event_instruction_
+
* '''Extra ID''': _event_extra_id_
* '''Event severity ID:''' _event_severity_id_
+
* '''Event ID''': _event_id_
* '''Event severity (translated by Pandora FMS console):''' _event_severity_text_
+
* '''Event instructions''': _event_instruction_
* '''Event source:''' _event_source_
+
* '''Event severity ID''': _event_severity_id_
* '''Event status (new, validated or event in process):''' _event_status_
+
* '''Event severity (translated by Pandora FMS console)''': _event_severity_text_
* '''Event tags separated by commas:''' _event_tags_
+
* '''Event source''': _event_source_
* '''Full text of the event:''' _event_text_
+
* '''Event status (new, validated or event in process)''': _event_status_
* '''Event type (System, going into Unknown Status...):''' _event_type_
+
* '''Event tags separated by commas''': _event_tags_
* '''Date on which the event occurred in utimestamp format:''' _event_utimestamp_
+
* '''Full text of the event''': _event_text_
* '''Group ID:''' _group_id_
+
* '''Event type (System, going into Unknown Status...)''': _event_type_
* '''Group name in database:''' _group_name_
+
* '''Date on which the event occurred in utimestamp format''': _event_utimestamp_
* '''Event associated module address:''' _module_address_
+
* '''Group ID''': _group_id_
* '''Event associated module ID:''' _module_id_
+
* '''Group name in database''': _group_name_
* '''Event associated module name:''' _module_name_
+
* '''Event associated module address''': _module_address_
* '''Event owner user:''' _owner_user_
+
* '''Event associated module ID''': _module_id_
* '''User ID:''' _user_id_
+
* '''Event associated module name''': _module_name_
* '''Id of the user who executes the response:''' _current_user_
+
* '''Event owner user''': _owner_user_
 +
* '''User ID''': _user_id_
 +
* '''Id of the user who executes the response''': _current_user_
 +
* '''Command response time (seconds)''': _command_timeout_
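Review bot: the added last item, "Command response time (seconds)" for _command_timeout_, does not say whether the macro expands to the configured time limit or to a measured run time; the macro name suggests the former, so suggest wording it as a timeout. Since this list now also adds _agent_alias_ and _agent_name_ next to _event_text_, and the usage text earlier on the page describes the event name as free text, a sentence on how macro values are quoted when they are substituted into a response command would help anyone writing responses. The list also mixes "Id" and "ID" in its labels.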
  
  

Latest revision as of 09:25, 22 February 2021


1 Events

1.1 Introduction

Pandora FMS event system lets you see a real-time record of all the events that take place in your monitored systems. The information displayed ranges from module status changes and alerts triggered or recovered to system restarts and custom events. By default, the event view shows a screenshot of what is happening at that time.

Events are classified by their severity:

PFMS color legend.png
  • Maintenance (grey).
  • Informational (blue).
  • Normal (green).
  • Warning (yellow).
  • Critical (red).
  • Major (brown).
  • Minor (pink).

The following actions can be performed in regard to an event:

  • Change its status (validated or in progress).
  • Change the owner.
  • Delete.
  • Show additional information.
  • Add a comment.
  • Apply custom responses.

1.2 General information

Events are managed in Events > View Events:

Menu eventos.png

This is an example of the default event viewer:

Event list.png

From Pandora FMS version 726, you may sort events by ID, status, name...

Event orden.png

The event viewer shows a summary of each event and sometimes other associated data, such as the agent module that generated the event, the group, module-related tags, etc.

Detalle evento 1.jpg

By clicking on the magnifying glass, all event details are shown:

Detalle evento 2.jpg

By default, the view shows the events of the last 8 hours that have not been validated, grouped to avoid redundancy. This search can be customized:

Filtro evento.png

The user will be able to see only the groups to which he/she belongs, unless the user explicitly belongs to the ALL group.

 


You may save searches as filters or apply a previously created filter.

You may get more information in our video tutorial "Event management in Pandora FMS".

Events are the record and a key point of a monitoring system.

1.3 Operating with events

1.3.1 Event validation and status. Autovalidation

An event may be in one of three statuses:

  • New.
  • In process.
  • Validated.

When events take place due to module status changes, there will usually be two events: the first is the change from normal to a "faulty" state, and the second is the event going back to normal once the problem is solved. In these cases, events going into a faulty state (critical or warning) are automatically validated when they go back to normal. This is called event autovalidation and it is an extremely useful feature.

Event sample5.png

When working manually, an event can be validated. That will make the system save the date and the user who validated the event. It is also possible to leave a comment:

Event sample4.png

By clicking on the validate button, the screen is refreshed and the validated event "disappears".

An event can be marked as "in process" in the Responses tab:

Event sample6.png

That way the event will not be auto-validated and will stay pending. Note the possible actions: executing custom responses, such as pinging the host, or assigning the event, to name a couple.

Event sample7.png

You may validate, mark as "in process" or delete events individually by clicking on the corresponding icons:

Op indi.png

Or mass apply them to a selection:

Op masiva2.png

Regarding custom responses, the maximum number of events to which the operation applies is limited to ten.

 


1.3.2 Event filtering

Filtering options are found in Event control filter, and advanced options in Advanced options:


Event6.JPG


Important aspects of this feature:

  • Filters can be saved to be used again later on.
  • Pandora FMS groups repeated events by default, however this setting can be modified to show events individually.
  • The limit for old events can be customized (Max. hours old), and events can be requested for a specific time range; see the advanced options From (date) and To (date).

1.3.3 Deleting an Event

Events can be deleted individually and/or automatically.

In the Enterprise version, it is also possible to keep them in order to create special reports.

Individually:

Gest62.png

Automatic event purging:

Event purge.jpg

Event history (Enterprise version):

Event history.jpg

1.3.4 Other ways of viewing Events

Events can also be published in news channels or as a sliding Marquee (a moving list at the top of the browser on a black screen) by clicking on Events > RSS or Events > Marquee respectively.

View events1.jpg

1.3.4.1 RSS Events

To access the event RSS feed, add the IPs that are allowed to access it to the field IP list with API access within Setup.

 


To see events in a news channel or RSS go to Events > RSS and subscribe from the news reader of your choice.

Gest64.png


1.3.4.2 Events in the horizontal Marquee

To see the last events in sliding text-line format, go to Events > Marquee.

Gest65.png

Customize their presentation by modifying the code within the file named operation/events/events_marquee.php.

1.3.4.3 Event sound console

The sound console plays sound alerts when an event takes place. The tune will be played until you pause the sound event or press the OK button.

Sound console.jpg

The events that generate a sound alert by default (the list may be customized) are:

  • A triggered alert.
  • A module going into warning state.
  • A module going into critical state.
  • A module going into unknown state.

Go to View events > Operation. In the event's window, clicking on the icon Sound Events opens the control window of sound events.

Event sound.png

Sound events are checked asynchronously every 10 seconds. When an event takes place, the window starts blinking in red or vibrating and, depending on the configuration of your browser or operating system, it keeps the focus and stays on top of the other open windows.

1.3.4.3.1 Advanced Configuration

To add new tunes, copy the files in WAV format to the directory:

/var/www/pandora_console/include/sounds/

Keep in mind that each tune must be sent to the browser and takes some bandwidth, so it is recommended to:

  • Select an audio file only a few seconds long as the main alert sound, because it will be played on loop.
  • Convert the audio to mono.
  • Change the audio's encoding to 16-bit signed or even less. Quality will be lost but the file's size will decrease by doing this.
  • Use a tool such as Audacity to create or edit audio files.

1.3.5 Exporting Events to a CSV

In order to export the events to a CSV file, click on Operation -> View Events and Export to CSV File.

Export to csv.jpg

1.3.6 Event Statistics

To access event statistics go to Events > Statistics.

Gest66.png

  • Event graph: event percentage according to their status.
  • Event graph by user: percentage grouped by user.
  • Event graph by agent: percentage of events generated by each agent.
  • Number of validated events: validated events and events still to be validated.

When clicking on any of the sections, detailed information will appear.

Estadisticas eventos.jpg



1.4 Event alerts. Event correlation

From Pandora FMS release 741 onwards, event-related alert management is covered in its own wiki section.

1.5 Events from the Command Line

1.5.1 Generating Events from the Command Line

Pandora FMS external API is used by making remote calls (through HTTPS) to the /include/api.php file. This is the method defined in Pandora FMS to integrate third party applications. It basically consists of a call with formatted parameters that returns a value or a list of values, which the calling application then uses to carry out operations.

By using the WEB API, you may interact with Pandora FMS from any remote system, even if you do not have a connection to the database or an installed Software agent.

The three main points to activate Pandora FMS API:

  1. Enable the API access for the IP from which the command will be executed or use '*' for all IPs.
  2. Set an API password.
  3. Use a user/password to login, or define a specific user to access it through API.

The tool devoted to creating or validating events through Pandora FMS API may be copied from:

/usr/share/pandora_server/util/pandora_revent.pl

When executed on the client device without parameters, it shows its syntax (here translated):

Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at https://www.pandorafms.org

Opciones para crear un evento:

  ./pandora_revent.pl -p <path_consoleAPI> -u <credentials> -create_event <opts> 

Donde las opciones :

 -u <credentials>:
     Credenciales API separados por comas: <api_pass>,<user_name>,<user_pass>
 -name <event_name>:
   Texto libre
 -group <id_group>:
   Identificador de Grupo (use 0 para 'todos')  
 -agent:
   Especifica agente por su identificador.
 
Parámetros opcionales:
 
 [-status <status>]  : 0 Nuevo, 1 Validado, 2 En proceso
 [-user <id_user>]   : Usuario del comentario (combinar con -comment)
 [-type <event_type>] : unknown, alert_fired, alert_recovered, alert_ceased
         alert_manual_validation, system, error, new_agent
         configuration_change, going_unknown, going_down_critical,
         going_down_warning, going_up_normal
 [-severity <severity>] : 
        0 Mantenimiento,
        1 Informativo,
        2 Normal,
        3 Advertencia,
        4 Critico,
        5 Menor,
        6 Mayor.
 [-am <id_agent_module>]       : ID del modulo de agente origen del evento
 [-alert <id_alert_am>]        : ID de la alerta/modulo origen del evento
 [-c_instructions <critical_instructions>]
 [-w_instructions <warning_instructions>]
 [-u_instructions <unknown_instructions>]
 [-user_comment <comment>]
 [-owner_user <owner event>]   : Propietario del evento, usar el login name
 [-source <source>]            : (Por defecto 'Pandora')
 [-tag <tags>]                 : Tag (debe existir ya en el sistema)
 [-custom_data <custom_data>]  : Los datos personalizados debe ser un base 64 
                                 encoded JSON document (>=6.0)
 [-server_id <server_id>]      : ID del nodo del server (>=6.0)
        [-id_extra <id extra>] : Id extra
 [-agent_name <Agent name>]    : Nombre del agente,  NO confundir con el alias.
 [-force_create_agent<0 o 1>]  : Fuerza la creación del agente si no existe para 
                                 ello el parámetro a 1 y llevar la opción de 
                                 agent_name.

Example of event generation, using \ to continue the command on the next line and indentation for readability:

./pandora_revent.pl \
     -p https://$path_consoleAPI/pandora_console/include/api.php \
     -u "$api_pass,$user_name,$user_pass" \
     -create_event \
                   -name "SampleEvent" \
                   -group 2 -agent 189 \
                   -status 0 \
                   -user "admin" -type "system" \
                   -severity 3 \
                   -am 0 \
                   -alert 9 \
                   -c_instructions "Critical instructions" \
                   -w_instructions "Warning instructions" 
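
An added example (not from the Pandora FMS documentation or code base): a POSIX shell wrapper around the create-event call above that passes the credentials as a single comma-joined argument, refuses console URLs that are not HTTPS, and base64-encodes the JSON for -custom_data. The function names and the REVENT_TOOL variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of Pandora FMS. Function names and REVENT_TOOL are
# assumptions made for this illustration.

# Join the three API credentials into the single comma-separated value that
# -u expects. An empty field or an embedded comma would shift the fields.
revent_credentials() {
    for field in "$1" "$2" "$3"; do
        case $field in
            ''|*,*) echo "empty field or comma in credentials" >&2; return 1 ;;
        esac
    done
    printf '%s,%s,%s' "$1" "$2" "$3"
}

# Accept only HTTPS console URLs ending in /include/api.php, so the API
# password and user password never travel in clear text.
revent_check_url() {
    case $1 in
        https://*/include/api.php) return 0 ;;
        *) echo "refusing API URL: $1" >&2; return 1 ;;
    esac
}

# -custom_data takes a base64-encoded JSON document. Remove the line breaks
# some base64 implementations insert so the value stays a single argument.
revent_custom_data() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Arguments: url api_pass user_name user_pass event_name id_group id_agent json
revent_create() {
    revent_check_url "$1" || return 1
    creds=$(revent_credentials "$2" "$3" "$4") || return 1
    data=$(revent_custom_data "$8") || return 1
    # Every expansion is quoted: each option value reaches the tool as one word.
    "${REVENT_TOOL:-./pandora_revent.pl}" -p "$1" -u "$creds" -create_event \
        -name "$5" -group "$6" -agent "$7" -custom_data "$data"
}
```

Because the tool receives the credentials through -u, they are visible in the client's process list while it runs; using a specific user for API access, as in the activation steps above, limits what that exposure gives away.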


Options to validate an event:

./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -validate_event <options> -id <id_event>

Sample of event validation:

./pandora_revent.pl \
    -p https://$path_consoleAPI/pandora/include/api.php \
    -u "$api_pass,$user_name,$user_pass" \
    -validate_event \
                   -id 234


For the unknown, critical or warning instruction fields to appear in the details of the generated event, the event type must be going_unknown, going_down_critical or going_down_warning, respectively.

 


1.5.2 Just event generation

Sometimes, for example for security reasons, you may want the client device to have only the event creation option. For that you may copy pandora_revent_create.pl to the client device. It is found at:

/usr/share/pandora_server/util/pandora_revent_create.pl

This tool shares similar features to those explained in the previous section.

Example:

./pandora_revent_create.pl \
                       -p https://$path_consoleAPI/pandora_console/include/api.php \
                       -u "$api_pass,$user_name,$user_pass" \
                       -create_event -name "Another nice event" \
                         -group 0 \
                         -type "system" \
                         -status 0 \
                         -severity 4 \
                         -user "johndoe" \
                         -owner_user "admin" \
                         -source "Commandline" \
                         -comment "testing event creation"

1.5.3 Custom fields within events

Events with custom fields may be generated by the Pandora FMS CLI. For example, take an event generated by the following command:

perl pandora_manage.pl /etc/pandora/pandora_server.conf --create_event 'Custom event' system Firewalls 'localhost' 'module' 0 4  'admin'     '{"Location": "Office", "Priority": 42}'

It would look like the one shown below.

Event custom data.png

1.6 Event setup

Through Events > View events > Manage events, it is possible to configure:

  • Filtering.
  • Responses.
  • Display.



1.6.1 Event view customization

It is possible to customize the fields that the Event View shows by default: in the Events > View events > Manage events > Custom fields section, choose the fields to be shown.


You can also access this section from Events > Custom events.


By default, the fields displayed are:

  • Severity mini: Event severity in reduced format.
  • Event name: Event name.
  • Agent ID: Agent ID.
  • Status: Event status.
  • Timestamp: Date when the event was created.

However, there is a great number of fields apart from those shown by default that can be added to the "Fields selected" list:

  • Event ID: Event ID.
  • Agent name: Agent name.
  • User: Event creator user.
  • Group: Group the module belongs to.
  • Event type: Event type.
  • Module name: Module name.
  • Alert: Alert linked to the event.
  • Severity: Event severity.
  • Comment: Event comments.
  • Tags: Module tags.
  • Source: Event source.
  • Extra ID: Extra ID.
  • Owner: Owner.
  • ACK Timestamp: Date when the event was validated.
  • Instructions: Critical or warning instructions.
  • Server name: Name of the server the event came from.
  • Data: Numerical data reported by the event.
  • Module status: Module current status.
  • Module custom ID: Value of the module's Module custom ID field.

Select the fields you wish to display from the Fields available list and move them to the Fields selected list using the arrows.


Once selected, click Update.

1.6.2 Creating Event Filters


For the event view, you may create, delete and edit filters. With Create new filter you may create a filter and choose the fields to filter by:

Crear filtro evento.png

After saving, at any time you may reload the stored preferences:

Event1.JPG

1.6.3 Event Responses

1.6.3.1 Introduction

An event response is a custom action that can be executed on an event, for example, creating a ticket in Integria IMS with the relevant information about the event.



Enter a representative name, a description, the parameters to use (separated by commas), the command to use (the last ones allow the use of macros), the type, and the server that will execute the command.



1.6.3.2 Event Responses macros

The accepted macros are:

  • Agent alias: _agent_alias_
  • Agent name: _agent_name_
  • Agent address: _agent_address_
  • Agent ID: _agent_id_
  • Event related alert ID: _alert_id_
  • Date on which the event took place: _event_date_
  • Extra ID: _event_extra_id_
  • Event ID: _event_id_
  • Event instructions: _event_instruction_
  • Event severity ID: _event_severity_id_
  • Event severity (translated by Pandora FMS console): _event_severity_text_
  • Event source: _event_source_
  • Event status (new, validated or event in process): _event_status_
  • Event tags separated by commas: _event_tags_
  • Full text of the event: _event_text_
  • Event type (System, going into Unknown Status...): _event_type_
  • Date on which the event occurred in utimestamp format: _event_utimestamp_
  • Group ID: _group_id_
  • Group name in database: _group_name_
  • Event associated module address: _module_address_
  • Event associated module ID: _module_id_
  • Event associated module name: _module_name_
  • Event owner user: _owner_user_
  • User ID: _user_id_
  • ID of the user who executes the response: _current_user_
  • Command response time (seconds): _command_timeout_

