Difference between revisions of "Pandora: Documentation en: Events"
Edu.corral (talk | contribs) (→Generating Events from the Command Line)
Laura.cano (talk | contribs) (→Event Responses)
(42 intermediate revisions by 8 users not shown)
Line 3: | Line 3: | ||
= Events = | = Events = | ||
==Introduction== | ==Introduction== | ||
− | Pandora FMS event system allows to see a real time record of all the events that take place in your monitored systems. The information displayed ranges from any module status change, alerts triggered or retrieved, to system restarts or custom events. By default, in the event view, a | + | Pandora FMS event system allows to see a real time record of all the events that take place in your monitored systems. The information displayed ranges from any module status change, alerts triggered or retrieved, to system restarts or custom events. By default, in the event view, '''a ''screenshot'' of what is happening at that time will be shown'''. |
Events are classified by their severity: | Events are classified by their severity: | ||
− | * '''Maintenance''' (grey) | + | [[Image:PFMS color legend.png|right|300px]] |
− | * '''Informational''' (blue) | + | |
− | * '''Normal''' (green) | + | * '''Maintenance''' (grey). |
− | * '''Warning''' (yellow) | + | * '''Informational''' (blue). |
− | * '''Critical''' (red) | + | * '''Normal''' (green). |
+ | * '''Warning''' (yellow). | ||
+ | * '''Critical''' (red). | ||
+ | * '''Major''' (brown). | ||
+ | * '''Minor''' (pink). | ||
The following actions can be performed in regard to an event: | The following actions can be performed in regard to an event: | ||
− | * '''Change its status''' (validated or in progress) | + | * '''Change its status''' (validated or in progress). |
− | * '''Change the owner''' | + | * '''Change the owner'''. |
− | * '''Delete''' | + | * '''Delete'''. |
− | * '''Show additional information''' | + | * '''Show additional information'''. |
− | * '''Add a comment''' | + | * '''Add a comment'''. |
− | * '''Apply custom responses''' | + | * '''Apply custom responses'''. |
== General information== | == General information== | ||
− | Events are managed in Events > View Events | + | Events are managed in '''Events''' > '''View Events''': |
<center> | <center> | ||
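Review bot: in the Introduction hunk, "a ''screenshot'' of what is happening at that time will be shown" suggests a captured image; "snapshot" states the intended meaning (the current state of events at that moment). The new severity list also places Major before Minor, whereas the pandora_revent.pl usage text added later in this same revision numbers them 5 Minor, 6 Major; listing them in numeric order keeps the two consistent.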
Line 30: | Line 34: | ||
</center> | </center> | ||
− | This is an example of the default event viewer | + | This is an example of the default event viewer: |
<CENTER> | <CENTER> | ||
Line 36: | Line 40: | ||
</CENTER> | </CENTER> | ||
− | Pandora FMS version 726 | + | From Pandora FMS version 726, you may sort out events by ID, status, name... |
<CENTER> | <CENTER> | ||
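Review bot: "you may sort out events by ID, status, name..." should read "you may sort events by ID, status, name, etc."; "sort out" means resolve, not order.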
Line 42: | Line 46: | ||
</CENTER> | </CENTER> | ||
− | The event viewer shows | + | The event viewer shows shows a summary of each event and sometimes other associated data, such as the agent module that generated the event, the group, module-related tags, etc.). |
<CENTER> | <CENTER> | ||
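Review bot: "The event viewer shows shows a summary" duplicates "shows", and the sentence ends with an unmatched closing parenthesis after "etc."; drop one "shows" and the ")".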
Line 54: | Line 58: | ||
</CENTER> | </CENTER> | ||
− | By default, events are shown through a specific search | + | By default, events are shown through a specific search for the last 8 hours and for those that are ''not validated'' ([[Pandora:Documentation_en:Events#Event_filtering|and it can also be customized]]), in addition to grouping to avoid redundancy: |
<CENTER> | <CENTER> | ||
Line 60: | Line 64: | ||
</CENTER> | </CENTER> | ||
− | + | {{Tip|The user will be able to see only the groups to which he/she belongs, unless the user explicitly belongs to the [[Pandora:Documentation_en:Managing_and_Administration#Group_all|ALL group]].}} | |
− | |||
− | |||
− | + | You may save searchers such as filters or either apply [[Pandora:Documentation_en:Events#Event_filtering|a previously created filter]]. | |
− | + | You may get more information in our video tutorial [https://www.youtube.com/watch?v=XIiI-xSR0GU "Event management in Pandora FMS"]. | |
− | + | '''Events are the record and a key point of a monitoring system.''' | |
== Operating with events == | == Operating with events == | ||
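Review bot: "You may save searchers such as filters or either apply" is garbled; suggest "You may save searches as filters, or apply a previously created filter."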
Line 74: | Line 76: | ||
=== Event validation and status. Autovalidation === | === Event validation and status. Autovalidation === | ||
− | An event may | + | An event may be in three different status: |
− | + | * New. | |
− | In these cases, events going into a faulty state (critical or warning) are automatically validated when they go back to normal. This is what it is called event autovalidation and it is an | + | * In process. |
− | + | * Validated. | |
− | + | When events take place due to module status changes, there will usually be two events: the first event is the change from normal to "faulty" state, and the second one is the event going back to normal once the problem is solved. In these cases, events going into a faulty state (critical or warning) are automatically validated when they go back to normal. This is what it is called event autovalidation and it is an extremely useful feature. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | [[Image:Event_sample5.png|center|800px]] | |
− | + | When working manually, an event can be validated. That will make the system save the date and the user who validated the event. It is also possible to leave a comment: | |
− | |||
− | |||
− | + | [[Image:Event_sample4.png|center|600px]] | |
− | + | By clicking on the validate button, the screen is refreshed and the validated event "disappears". | |
− | + | Un event can be checked as "in process" in the '''Responses''' tab: | |
− | |||
− | |||
− | + | [[Image:Event_sample6.png|center|800px]] | |
− | + | That way the event will not get auto-validated and will stay as pendant. Notice the possible actions: execute custom responses such as pinging the host or assigning to name a couple of them. | |
− | |||
− | |||
− | + | [[Image:Event_sample7.png|center|700px]] | |
− | + | You may validate, check as "in process" or delete events individually by clicking on the corresponding icons: | |
− | + | [[Image:Op_indi.png|center|113px]] | |
− | [[ | ||
− | |||
− | + | Or mass apply them to a selection: | |
− | + | [[Image:Op_masiva2.png|center|650px]] | |
− | [[ | ||
− | |||
− | Regarding custom responses, the maximum number of events to which the operation applies is limited to ten. | + | {{Tip|Regarding custom responses, the maximum number of events to which the operation applies is limited to ten.}} |
=== Event filtering === | === Event filtering === | ||
− | + | Filtering options are found in '''Event control filter''', and advanced options in '''Advanced options''': | |
− | |||
− | |||
<br> | <br> | ||
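Review bot: several wording errors in the validation hunk: "three different status" should be "three different statuses", "Un event can be checked" should be "An event can be checked", "will stay as pendant" should be "will stay as pending", and "execute custom responses such as pinging the host or assigning to name a couple of them" is missing the object; suggest "such as pinging the host or assigning it to a user, to name a couple".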
Line 131: | Line 116: | ||
<br> | <br> | ||
− | + | Important aspects of this feature: | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | * Filters can be saved to be used again later on. | |
+ | * Pandora FMS groups repeated events by default, however this setting can be modified to show events individually. | ||
+ | * The limit for old events can be customized ('''Max. hours old'''), as well as requesting the events during a specific time lapse, see advanced options: '''From (date)''' and '''To (date)'''. | ||
=== Deleting an Event === | === Deleting an Event === | ||
− | + | Events can be deleted individually and/or automatically. | |
+ | |||
+ | There is also the possibility in the [[Image:icono-modulo-enterprise.png|Enterprise version.]], to keep them in order to create special reports. | ||
− | + | '''Individually:''' | |
<center> | <center> | ||
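Review bot: in "There is also the possibility in the [[Image:icono-modulo-enterprise.png|Enterprise version.]], to keep them", the image alt text is not rendered as prose, so the sentence reads "in the , to keep them"; write "in the Enterprise version" as text next to the icon, and drop the comma before "to keep".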
Line 180: | Line 134: | ||
</center> | </center> | ||
− | '''Automatic event purging''' | + | '''Automatic event purging:''' |
− | |||
− | |||
<center> | <center> | ||
Line 188: | Line 140: | ||
</center> | </center> | ||
− | '''Event history''' | + | '''Event history [[Image:icono-modulo-enterprise.png|Enterprise version.]]''' |
− | |||
− | |||
<center> | <center> | ||
Line 198: | Line 148: | ||
=== Other ways of viewing Events === | === Other ways of viewing Events === | ||
− | + | Events can also be published in news channels or as sliding Marquee (a moving list at the top of the browser on a black screen) by clicking on the '''Events''' > '''RSS''' > '''Marquee''' accordingly. | |
<center> | <center> | ||
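Review bot: "by clicking on the '''Events''' > '''RSS''' > '''Marquee''' accordingly" reads as one nested menu path, but the two subsections below describe two separate entries; suggest "by clicking on '''Events''' > '''RSS''' or '''Events''' > '''Marquee''' respectively".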
Line 206: | Line 156: | ||
==== RSS Events ==== | ==== RSS Events ==== | ||
− | + | {{warning|To access event RSS feed, configure the IPs that have access allowed in the field '''IP list with API access''' within '''Setup'''.}} | |
− | |||
− | |||
− | + | To see events in a news channel or RSS go to '''Events''' > '''RSS''' and subscribe from the news reader of your choice. | |
<center> | <center> | ||
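Review bot: the warning ties RSS access to '''IP list with API access''', and the command-line section of this same revision says that field accepts '*' for all IPs; since the one setting gates both the API and the event feed, it would help to state here that the list should name the specific reader addresses rather than '*'.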
Line 216: | Line 164: | ||
</center> | </center> | ||
− | |||
==== Events in the horizontal Marquee ==== | ==== Events in the horizontal Marquee ==== | ||
− | + | To see the last events in sliding text-line format, go to '''Events''' > '''Marquee'''. | |
<center> | <center> | ||
[[image:gest65.png]] | [[image:gest65.png]] | ||
</center> | </center> | ||
+ | |||
+ | Customize their presentation by modifying the code within the file named <code>operation/events/events_marquee.php</code>. | ||
==== Event sound console ==== | ==== Event sound console ==== | ||
− | It allows to | + | It allows to spread the sound alerts when an event takes place. The tune will be played until you pause the sound event or press the '''OK''' button. |
+ | |||
+ | [[Image:Sound_console.jpg|center|600px]] | ||
− | The list of sound events that generate a sound alert: | + | The list of sound events that generate a sound alert by default (and may be customized) is: |
− | * A triggered alert | + | * A triggered alert. |
* A module going into '''warning''' state. | * A module going into '''warning''' state. | ||
* A module going into '''critical''' state. | * A module going into '''critical''' state. | ||
* A module going into '''unknown''' state. | * A module going into '''unknown''' state. | ||
− | + | Go to '''View events''' > '''Operation'''. In the event's window, clicking on the icon '''Sound Events''' opens the control window of sound events. | |
− | + | [[Image:Event_sound.png|center|313px]] | |
− | [[ | ||
− | |||
+ | Sound events are explored every 10 seconds asynchronously, when an event takes place, the window will start blinking in red or vibratind and in addition, depending on the configuration of your browser or operative system, the window will keep the focus and stay over the rest of the open windows. | ||
===== Advanced Configuration ===== | ===== Advanced Configuration ===== | ||
− | + | To add new tunes, copy said files in '''WAV format''', to the directory: | |
+ | |||
+ | /var/www/pandora_console/include/sounds/ | ||
− | + | keep in mind that each tune must be sent to the browser and takes some bandwidth; it is recommended: | |
− | |||
− | ** Select an audio file only a few seconds long | + | ** Select an audio file only a few seconds long as the main alert sound, because it will be played on loop. |
** Convert the audio to ''mono''. | ** Convert the audio to ''mono''. | ||
** Change the audio's coding to ''16bits signed'' or even less. Quality will be lost but the file's size will decrease by doing this. | ** Change the audio's coding to ''16bits signed'' or even less. Quality will be lost but the file's size will decrease by doing this. | ||
− | * In order to create or edit audio files, it is recommended to use tools as [http://audacity.sourceforge.net/ '''Audacity'''] | + | * In order to create or edit audio files, it is recommended to use tools as [http://audacity.sourceforge.net/ '''Audacity''']. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== Exporting Events to a CSV === | === Exporting Events to a CSV === | ||
− | + | In order to export the events to a CSV file, click on '''Operation''' -> '''View Events''' and '''Export to CSV File'''. | |
− | |||
− | In order to export the events to a CSV file, click on 'Operation' -> 'View Events' and 'Export to CSV File'. | ||
<center> | <center> | ||
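Review bot: the recommendations under "it is recommended:" start at second level ("**") with no first-level "*" item above them, so the list renders with a dangling indent; use "*" for those three items. Also fix "vibratind" to "vibrating", "operative system" to "operating system", and "It allows to spread the sound alerts" to "It allows sound alerts to be played"; and the CSV instruction uses "->" where the rest of the page uses ">".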
Line 286: | Line 217: | ||
=== Event Statistics === | === Event Statistics === | ||
− | + | To access event statistics go to '''Events'''> '''Statistics'''. | |
− | |||
− | |||
− | |||
− | |||
− | |||
<center> | <center> | ||
Line 297: | Line 223: | ||
</center> | </center> | ||
− | + | ;Event graph: Event percentage according to their status. | |
+ | ;Event graph by user: Percentage grouped by user. | ||
+ | ;Event graph by agent: Percentage by agent generated by each event. | ||
+ | ;Number of validated events: Validated events and to-be-validated. | ||
+ | |||
+ | When clicking on any of the sections, detailed information will appear. | ||
<center> | <center> | ||
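Review bot: "Event graph by agent: Percentage by agent generated by each event" inverts the relation; suggest "Percentage of events generated by each agent".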
Line 304: | Line 235: | ||
<br><br> | <br><br> | ||
− | == Event | + | == Event alerts. Event correlation == |
− | |||
− | |||
− | + | For Pandora FMS release 741 onwards, there is [https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:Alerts#Alert_correlation:_event_and_log_alerts event related alert management], a specific wiki section. | |
+ | ==Events from the Command Line == | ||
− | + | === Generating Events from the Command Line === | |
− | |||
− | |||
− | + | [[Pandora:Documentation_es:Anexo_API_external|Pandora FMS external API]] is used making remote calls (through HTTPS) on the <code>/include/api.php</code> file. This is the method defined in Pandora FMS to integrate third party applications. It basically consists of a call with the parameters formatted to receive a value or a list of values that this application will use to carry out operations. | |
− | + | By using the WEB API, you may interact with Pandora FMS from any remote system, even if you do not have connection to the database with an installed Software agent. | |
− | + | The three main points to activate Pandora FMS API: | |
− | + | #Enable the API access for the IP from wich the command will be executed or use '*' for all IPs. | |
− | + | #Set an API password | |
− | + | #Use a user/password to login, or define a specific user to access it through API. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | * ' | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | The password devoted to creating or validating events through Pandora FMS API may be copied from: | |
/usr/share/pandora_server/util/pandora_revent.pl | /usr/share/pandora_server/util/pandora_revent.pl | ||
− | + | When executed in the client device, without parameters, you may see its syntax (here translated): | |
<pre> | <pre> | ||
− | |||
Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST | Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST | ||
This program is Free Software, licensed under the terms of GPL License v2 | This program is Free Software, licensed under the terms of GPL License v2 | ||
− | You can download latest versions and documentation at | + | You can download latest versions and documentation at https://www.pandorafms.org |
− | + | Opciones para crear un evento: | |
− | + | ./pandora_revent.pl -p <path_consoleAPI> -u <credentials> -create_event <opts> | |
− | + | Donde las opciones : | |
− | + | -u <credentials>: | |
− | + | Credenciales API separados por comas: <api_pass>,<user_name>,<user_pass> | |
− | + | -name <event_name>: | |
− | + | Texto libre | |
− | + | -group <id_group>: | |
− | + | Identificador de Grupo (use 0 para 'todos') | |
− | + | -agent: | |
− | + | Especifica agente por su identificador. | |
− | + | ||
− | + | Parámetros opcionales: | |
− | + | ||
− | + | [-status <status>] : 0 Nuevo, 1 Validado, 2 En proceso | |
− | + | [-user <id_user>] : Usuario del comentario (combinar con -comment) | |
− | + | [-type <event_type>] : unknown, alert_fired, alert_recovered, alert_ceased | |
− | + | alert_manual_validation, system, error, new_agent | |
− | + | configuration_change, going_unknown, going_down_critical, | |
− | + | going_down_warning, going_up_normal | |
− | + | [-severity <severity>] : | |
− | + | 0 Mantenimiento, | |
− | + | 1 Informativo, | |
− | + | 2 Normal, | |
− | + | 3 Advertencia, | |
− | + | 4 Critico, | |
− | + | 5 Menor, | |
− | + | 6 Mayor. | |
− | + | [-am <id_agent_module>] : ID del modulo de agente origen del evento | |
− | + | [-alert <id_alert_am>] : ID de la alerta/modulo origen del evento | |
− | + | [-c_instructions <critical_instructions>] | |
− | + | [-w_instructions <warning_instructions>] | |
− | + | [-u_instructions <unknown_instructions>] | |
− | + | [-user_comment <comment>] | |
− | [-id_extra <id extra>] | + | [-owner_user <owner event>] : Propietario del evento, usar el login name |
− | + | [-source <source>] : (Por defecto 'Pandora') | |
− | + | [-tag <tags>] : Tag (debe existir ya en el sistema) | |
+ | [-custom_data <custom_data>] : Los datos personalizados debe ser un base 64 | ||
+ | encoded JSON document (>=6.0) | ||
+ | [-server_id <server_id>] : ID del nodo del server (>=6.0) | ||
+ | [-id_extra <id extra>] : Id extra | ||
+ | [-agent_name <Agent name>] : Nombre del agente, NO confundir con el alias. | ||
+ | [-force_create_agent<0 o 1>] : Fuerza la creación del agente si no existe para | ||
+ | ello el parámetro a 1 y llevar la opción de | ||
+ | agent_name. | ||
+ | </pre> | ||
− | Example of event generation: | + | Example of event generation, using <code>\</code> as order connector and didactic indenting: |
− | + | ./pandora_revent.pl \ | |
− | + | -p <nowiki>https://$path_consoleAPI/pandora_console/include/api.php</nowiki> \ | |
− | + | -u $api_pass, $user_name, $user_pass \ | |
+ | -create_event \ | ||
+ | -name "SampleEvent" \ | ||
+ | -group 2 -agent 189 \ | ||
+ | -status 0 \ | ||
+ | -user "admin" -type "system" \ | ||
+ | -severity 3 \ | ||
+ | -am 0 \ | ||
+ | -alert 9 \ | ||
+ | -c_instructions "Critical instructions" \ | ||
+ | -w_instructions "Warning instructions" | ||
− | Options to validate event: | + | Options to validate an event: |
− | + | ./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -validate_event <options> -id <id_event> | |
Sample of event validation: | Sample of event validation: | ||
− | + | ./pandora_revent.pl \ | |
− | + | -p <nowiki>https://$path_consoleAPI/pandora/include/api.php</nowiki> \ | |
− | + | -u $api_pass, $user_name, $user_pass \ | |
− | + | -validate_event \ | |
− | + | -id 234 | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | < | + | {{Tip|For instruction <code>unknown</code>, <code>critical</code> o <code>warning</code> fields to appear in the details of the generated event, said event must be <code>going_unknown</code>, <code>going_down_critical</code>, or else <code>going_down_warning</code>, respectively.}} |
− | / | ||
− | |||
− | |||
− | </ | ||
− | === | + | === Just event generation === |
− | + | Sometimes, maybe for security reasons, just count on the event creating option. For that you may copy <code>pandora_revent_create.pl</code> to the client device. It is found at: | |
/usr/share/pandora_server/util/pandora_revent_create.pl | /usr/share/pandora_server/util/pandora_revent_create.pl | ||
− | This tool | + | This tool shares similar features to those explained in the previous section. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | Example: | ||
<pre> | <pre> | ||
− | /pandora_revent_create.pl -p http:// | + | /pandora_revent_create.pl \ |
− | -create_event -name "Another nice event" -group 0 -type "system" -status 0 -severity 4 | + | -p http://$path_consoleAPI/pandora_console/include/api.php \ |
− | -user " | + | -u $api_pass, $user_name, $user_pass \ |
+ | -create_event -name "Another nice event" \ | ||
+ | -group 0 \ | ||
+ | -type "system" \ | ||
+ | -status 0 \ | ||
+ | -severity 4 \ | ||
+ | -user "johndoe" \ | ||
+ | -owner_user "admin" \ | ||
+ | -source "Commandline" \ | ||
+ | -comment "testing event creation" | ||
</pre> | </pre> | ||
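Review bot: the credential argument in all three examples is written "-u $api_pass, $user_name, $user_pass", with spaces after the commas; the tool's own usage text says the three values are comma-separated in a single argument ("<api_pass>,<user_name>,<user_pass>"), so as written the shell passes three separate words and the call fails. Write it as "-u $api_pass,$user_name,$user_pass". Other points in the hunk: the usage block is introduced as "(here translated)" but is still in Spanish; the create example uses "/pandora_console/include/api.php" while the validate example uses "/pandora/include/api.php"; the pandora_revent_create.pl example lacks the leading "./" and uses http:// although the text says the API is called through HTTPS; the create example passes "-comment" while the usage lists "-user_comment"; and "Enable the API access for the IP from wich" has a typo ("which") and would benefit from saying that '*' should be avoided in favour of the specific client addresses.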
Line 608: | Line 380: | ||
== Event setup == | == Event setup == | ||
− | + | Through '''Events''' > '''View events''' > '''Manage events'''), it is possible to configure: | |
− | * ''' | + | * ''' Filtering. |
− | * ''' | + | * ''' Responses. |
− | * ''' | + | * ''' Display. |
<center> | <center> | ||
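Review bot: the three list items "* ''' Filtering.", "* ''' Responses." and "* ''' Display." open bold markup that is never closed, and "'''Manage events''')" carries a stray closing parenthesis; close the bold and remove the ")".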
Line 619: | Line 391: | ||
− | === | + | === Event view customization === |
+ | |||
+ | It is possible to customize the fields that the Event View shows by default; from '''Events''' > '''View events''' > '''Manage events''' > '''Custom fields''' section, choose the fields to be shown. | ||
+ | |||
+ | [[Image:menuvistaeventos.png|center|400px]] | ||
+ | |||
+ | [[Image:menuvistaeventosmanage.png|center|300px]] | ||
+ | |||
+ | [[Image:menuvistaeventosmanagecustom.png|center|200px]] | ||
+ | |||
+ | You can also access this section from '''Events''' > '''Custom events''' | ||
− | + | [[Image:menuvistaeventos2.png|center|400px]] | |
By default, the fields displayed are: | By default, the fields displayed are: | ||
− | * '''Event name | + | *'''Severity mini''': Event severity in reduced format. |
− | * '''Agent ID | + | *'''Event name''': Event name. |
− | * '''Status | + | *'''Agent ID''': Agent ID. |
− | * '''Timestamp | + | *'''Status''': Event status. |
+ | *'''Timestamp''': Date when the event was created. | ||
However, there is a great number of fields apart from those shown by default that can be added to the "Fields selected" list: | However, there is a great number of fields apart from those shown by default that can be added to the "Fields selected" list: | ||
− | + | *'''Event ID''': Event ID. | |
− | *'''Event ID''' : Event ID | + | *'''Agent name''': Agent name. |
− | + | *'''User''': Event creator user. | |
− | *'''Agent name''' : Agent name | + | *'''Group''': Group the module belongs to. |
− | + | *'''Event type''': Event type. | |
− | + | *'''Module name''': Module name. | |
− | + | *'''Alert''': Alert linked to the event. | |
− | + | *'''Severity''': Event severity. | |
− | *'''User''' : Event creator user. | + | *'''Comment''': Event comments. |
− | *'''Group''' : Group the module belongs to. | + | *'''Tags''': Module tags. |
− | *''' | + | *'''Source''': Event source. |
− | *'''Module | + | *'''Extra ID''': Extra ID. |
− | *'''Alert''' : Alert linked to the event. | + | *'''Owner''': Owner. |
− | *'''Severity''' : Event severity. | + | *'''ACK Timestamp''': Date when the evnet was validated. |
− | *'''Comment''' : Event comments. | + | *'''Instructions''': Critical or warning instructions. |
− | *'''Tags''' : Module tags. | + | *'''Server name''': Name of the server the event came from. |
− | *'''Source''' : Event source. | + | *'''Data''': Numerical data reported by the event. |
− | *'''Extra ID''' : Extra ID. | + | *'''Module status''': Module current status. |
− | *'''Owner''' : Owner. | + | *'''Module custom ID''': Valor del campo Module custom ID del módulo. |
− | *'''Instructions''' : Critical or warning instructions. | ||
− | *'''Server name''' : Name of the server the event came from. | ||
− | *'''Data''' : Numerical data reported by the event. | ||
− | *''' | ||
− | |||
− | |||
+ | Select the fields you wish to display from '''Fields available''' list and move them to '''Fields selected''' using the arrows. | ||
<center> | <center> | ||
[[image:custom_events.png|800px]] | [[image:custom_events.png|800px]] | ||
</center> | </center> | ||
+ | |||
+ | Once selected, click '''Update'''. | ||
=== Creating Event Filters === | === Creating Event Filters === | ||
− | + | [[Image:filtros_evento.png|center|800px]] | |
− | |||
− | |||
− | [[ | ||
− | |||
− | |||
− | |||
− | + | For the event view, you may create, delete and edit filters; with '''Create new filter''' you may create and choose the fields to filter: | |
− | |||
− | |||
− | + | [[image:crear_filtro_evento.png|center|500px]] | |
− | + | After saving, at any time you may reload the stored preferences: | |
− | |||
− | |||
+ | [[image:Event1.JPG|center|700px]] | ||
=== Event Responses === | === Event Responses === | ||
====Introduction==== | ====Introduction==== | ||
− | + | An event response is a custom action that can be executed on an event, for example, creating a ticket in [https://integriaims.com/docs/en/guia_administracion/caracteristicas_generales Integria IMS] with the relevant information about the event. | |
Line 701: | Line 472: | ||
The accepted macros are: | The accepted macros are: | ||
− | * '''Agent address | + | * '''Agent alias''': _agent_alias_ |
− | * '''Agent ID | + | * '''Agent name''': _agent_name_ |
− | * '''Event related alert ID | + | * '''Agent address''': _agent_address_ |
− | * '''Date on which the event took place | + | * '''Agent ID''': _agent_id_ |
− | * '''Extra ID | + | * '''Event related alert ID''': _alert_id_ |
− | * '''Event ID | + | * '''Date on which the event took place''': _event_date_ |
− | * '''Event instructions | + | * '''Extra ID''': _event_extra_id_ |
− | * '''Event severity ID | + | * '''Event ID''': _event_id_ |
− | * '''Event severity (translated by Pandora FMS console) | + | * '''Event instructions''': _event_instruction_ |
− | * '''Event source | + | * '''Event severity ID''': _event_severity_id_ |
− | * '''Event status (new, validated or event in process) | + | * '''Event severity (translated by Pandora FMS console)''': _event_severity_text_ |
− | * '''Event tags separated by commas | + | * '''Event source''': _event_source_ |
− | * '''Full text of the event | + | * '''Event status (new, validated or event in process)''': _event_status_ |
− | * '''Event type (System, going into Unknown Status...) | + | * '''Event tags separated by commas''': _event_tags_ |
− | * '''Date on which the event occurred in utimestamp format | + | * '''Full text of the event''': _event_text_ |
− | * '''Group ID | + | * '''Event type (System, going into Unknown Status...)''': _event_type_ |
− | * '''Group name in database | + | * '''Date on which the event occurred in utimestamp format''': _event_utimestamp_ |
− | * '''Event associated module address | + | * '''Group ID''': _group_id_ |
− | * '''Event associated module ID | + | * '''Group name in database''': _group_name_ |
− | * '''Event associated module name | + | * '''Event associated module address''': _module_address_ |
− | * '''Event owner user | + | * '''Event associated module ID''': _module_id_ |
− | * '''User ID | + | * '''Event associated module name''': _module_name_ |
− | * '''Id of the user who executes the response:''' | + | * '''Event owner user''': _owner_user_ |
+ | * '''User ID''': _user_id_ | ||
+ | * '''Id of the user who executes the response''': _current_user_ | ||
+ | * '''Command response time (seconds)''': _command_timeout_ | ||
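Review bot: "Module custom ID: Valor del campo Module custom ID del módulo" is left untranslated; suggest "Value of the module's Module custom ID field". Also "Date when the evnet was validated" should read "event", and "You can also access this section from '''Events''' > '''Custom events'''" is missing its full stop.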
Latest revision as of 09:25, 22 February 2021
Contents
- 1 Events
- 1.1 Introduction
- 1.2 General information
- 1.3 Operating with events
- 1.4 Event alerts. Event correlation
- 1.5 Events from the Command Line
- 1.6 Event setup
1 Events
1.1 Introduction
The Pandora FMS event system lets you see a real-time record of all the events that take place in your monitored systems. The information displayed ranges from any module status change, alerts triggered or recovered, to system restarts or custom events. By default, the event view shows a snapshot of what is happening at that time.
Events are classified by their severity:
- Maintenance (grey).
- Informational (blue).
- Normal (green).
- Warning (yellow).
- Critical (red).
- Major (brown).
- Minor (pink).
The following actions can be performed in regard to an event:
- Change its status (validated or in progress).
- Change the owner.
- Delete.
- Show additional information.
- Add a comment.
- Apply custom responses.
1.2 General information
Events are managed in Events > View Events:
This is an example of the default event viewer:
From Pandora FMS version 726 onwards, events can be sorted by ID, status, name, etc.
The event viewer shows a summary of each event and sometimes other associated data, such as the agent module that generated the event, the group, module-related tags, etc.
By clicking on the magnifying glass, all event details are shown:
By default, events are shown through a specific search for the last 8 hours and for those that are not validated (and it can also be customized), in addition to grouping to avoid redundancy:
Users will only see the groups they belong to, unless they explicitly belong to the ALL group.
You may save searches as filters, or apply a previously created filter.
You may get more information in our video tutorial "Event management in Pandora FMS".
Events are the record and a key point of a monitoring system.
1.3 Operating with events
1.3.1 Event validation and status. Autovalidation
An event may be in one of three statuses:
- New.
- In process.
- Validated.
When events are caused by module status changes, there will usually be two events: the first is the change from normal to a "faulty" state, and the second is the return to normal once the problem is solved. In these cases, events that went into a faulty state (critical or warning) are automatically validated when the module goes back to normal. This is called event autovalidation and it is an extremely useful feature.
When working manually, an event can be validated. The system then saves the date and the user who validated the event. It is also possible to leave a comment:
By clicking on the validate button, the screen is refreshed and the validated event "disappears".
An event can be marked as "in process" in the Responses tab:
That way the event will not get auto-validated and will stay pending. Notice the possible actions: execute custom responses such as pinging the host or assigning the event to a user, to name a couple of them.
You may validate, check as "in process" or delete events individually by clicking on the corresponding icons:
Or mass apply them to a selection:
Regarding custom responses, the maximum number of events to which the operation applies is limited to ten.
1.3.2 Event filtering
Filtering options are found in Event control filter, and advanced options in Advanced options:
Important aspects of this feature:
- Filters can be saved to be used again later on.
- Pandora FMS groups repeated events by default; however, this setting can be modified to show events individually.
- The limit for old events can be customized (Max. hours old), as well as requesting the events during a specific time lapse, see advanced options: From (date) and To (date).
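The validation rules and the default viewer search described above (the three statuses, autovalidation of critical/warning events once the module recovers, "in process" events staying open, and the default view of the last 8 hours, not validated, with repeated events grouped) modelled as an added example. This is not Pandora FMS code: the event store is an assumed in-memory stand-in for the console's event table, and the agent, module and event names are constructed sample data.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The three statuses the page lists.
NEW, IN_PROCESS, VALIDATED = "new", "in process", "validated"
# Event types named in the page: a faulty-state event is closed by the
# recovery event of the same agent module.
FAULTY_TYPES = {"going_down_critical", "going_down_warning"}
RECOVERY_TYPE = "going_up_normal"


@dataclass
class Event:
    id: int
    agent: str
    module: str                 # empty for events not tied to a module
    name: str
    type: str
    severity: str
    timestamp: datetime
    status: str = NEW
    validated_by: Optional[str] = None
    validated_at: Optional[datetime] = None
    comment: str = ""


class EventStore:
    """Assumed in-memory stand-in for the console's event table."""

    def __init__(self):
        self.events = []

    def add(self, agent, module, name, type_, severity, ts):
        ev = Event(len(self.events) + 1, agent, module, name, type_, severity, ts)
        self.events.append(ev)
        if type_ == RECOVERY_TYPE:
            self._autovalidate(agent, module, ts)
        return ev

    def _autovalidate(self, agent, module, ts):
        # The module went back to normal: its pending critical/warning events
        # are validated automatically. Events an operator marked "in process"
        # are skipped, so they stay open until validated by hand.
        for old in self.events:
            if ((old.agent, old.module) == (agent, module)
                    and old.type in FAULTY_TYPES and old.status == NEW):
                old.status = VALIDATED
                old.validated_by = "autovalidation"
                old.validated_at = ts

    def validate(self, event_id, user, ts, comment=""):
        # Manual validation records the user, the date and an optional comment.
        ev = self.events[event_id - 1]
        ev.status, ev.validated_by, ev.validated_at = VALIDATED, user, ts
        ev.comment = comment

    def set_in_process(self, event_id):
        self.events[event_id - 1].status = IN_PROCESS

    def default_view(self, now, max_hours_old=8, group_repeated=True):
        """Default search: last 8 hours, not validated, repeats grouped."""
        cutoff = now - timedelta(hours=max_hours_old)
        visible = [e for e in self.events
                   if e.timestamp >= cutoff and e.status != VALIDATED]
        if not group_repeated:
            return [(e, 1) for e in visible]
        grouped = OrderedDict()          # (event, repetitions) in arrival order
        for e in visible:
            key = (e.agent, e.module, e.name, e.type)
            if key in grouped:
                grouped[key][1] += 1     # same event again: count it, do not list it
            else:
                grouped[key] = [e, 1]
        return [(e, n) for e, n in grouped.values()]


def demo():
    """Constructed scenario: a flapping module, an in-process event, repeats."""
    t0 = datetime(2021, 2, 22, 9, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    s = EventStore()
    s.add("web01", "HTTP", "HTTP goes to CRITICAL", "going_down_critical", "critical", at(0))   # id 1
    s.add("web01", "HTTP", "HTTP goes to CRITICAL", "going_down_critical", "critical", at(5))   # id 2
    s.add("web01", "Disk", "Disk goes to WARNING", "going_down_warning", "warning", at(10))     # id 3
    s.set_in_process(3)                      # an operator is working on the disk problem
    s.add("web01", "HTTP", "HTTP goes to NORMAL", "going_up_normal", "normal", at(20))          # id 4: validates 1 and 2
    s.add("web01", "Disk", "Disk goes to NORMAL", "going_up_normal", "normal", at(25))          # id 5: leaves 3 open
    s.add("pandora", "", "Server restarted", "system", "informational", t0 - timedelta(hours=9))  # id 6: older than 8 h
    s.add("db01", "", "New agent created", "new_agent", "normal", at(26))                      # id 7
    s.add("db01", "", "New agent created", "new_agent", "normal", at(27))                      # id 8: repeat of 7
    return s, at(30)
```

Running `demo()` and then `default_view(now)` shows only the in-process disk event, the two recovery events and a single grouped "New agent created" row with a count of 2; widening `max_hours_old` brings the old restart event back into view.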
1.3.3 Deleting an Event
Events can be deleted individually and/or automatically.
There is also the possibility in the , to keep them in order to create special reports.
Individually:
Automatic event purging:
1.3.4 Other ways of viewing Events
Events can also be published as a news feed or as a sliding Marquee (a moving list at the top of the browser on a black screen) from Events > RSS and Events > Marquee respectively.
1.3.4.1 RSS Events
To access the event RSS feed, the IP addresses allowed to read it must be listed in the IP list with API access field within Setup. Keep that list as narrow as possible: the feed exposes event data to every listed address without any further authentication.
To see events in a news channel or RSS go to Events > RSS and subscribe from the news reader of your choice.
1.3.4.2 Events in the horizontal Marquee
To see the last events in sliding text-line format, go to Events > Marquee.
Customize their presentation by modifying the code within the file named operation/events/events_marquee.php.
1.3.4.3 Event sound console
It plays an audible alert when an event takes place. The tune is played on loop until you pause the sound event or press the OK button.
The list of sound events that generate a sound alert by default (and may be customized) is:
- A triggered alert.
- A module going into warning state.
- A module going into critical state.
- A module going into unknown state.
Go to Operation > View events. In the event window, clicking on the Sound Events icon opens the control window of sound events.
Sound events are polled every 10 seconds asynchronously. When an event takes place, the window starts blinking in red or vibrating and, depending on the configuration of your browser or operating system, it keeps the focus and stays above the rest of the open windows.
1.3.4.3.1 Advanced Configuration
To add new tunes, copy said files in WAV format, to the directory:
/var/www/pandora_console/include/sounds/
Keep in mind that each tune is sent to the browser and consumes bandwidth, so it is recommended to:
- Select an audio file only a few seconds long as the main alert sound, because it will be played on loop.
- Convert the audio to mono.
- Change the audio's coding to 16bits signed or even less. Quality will be lost but the file's size will decrease by doing this.
- In order to create or edit audio files, it is recommended to use tools as Audacity.
1.3.5 Exporting Events to a CSV
In order to export the events to a CSV file, go to Operation > View Events and click on Export to CSV File.
1.3.6 Event Statistics
To access event statistics go to Events> Statistics.
- Event graph: percentage of events according to their status.
- Event graph by user: percentage of events grouped by user.
- Event graph by agent: percentage of events generated by each agent.
- Number of validated events: validated and to-be-validated events.
When clicking on any of the sections, detailed information will appear.
1.4 Event alerts. Event correlation
From Pandora FMS release 741 onwards, alerts triggered by events (event correlation) are managed as described in a dedicated section of the wiki.
1.5 Events from the Command Line
1.5.1 Generating Events from the Command Line
Pandora FMS external API is used by making remote calls (over HTTPS) to the /include/api.php
file of the console. This is the method Pandora FMS defines for integrating third-party applications. It basically consists of a call with formatted parameters that returns a value or a list of values which the calling application uses to carry out its operations.
Through the web API you can interact with Pandora FMS from any remote system, even one without a connection to the database or an installed software agent.
Three settings are needed to enable the Pandora FMS API:
- Enable API access for the IP address from which the command will be executed, or use '*' for all IPs (avoid '*' outside test environments: it lets any address that can reach the console talk to the API).
- Set an API password
- Use a user/password to login, or define a specific user to access it through API.
The tool used to create or validate events through the Pandora FMS API can be copied from the server at:
/usr/share/pandora_server/util/pandora_revent.pl
When executed in the client device, without parameters, you may see its syntax (here translated):
Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at https://www.pandorafms.org

Options to create an event:

    ./pandora_revent.pl -p <path_consoleAPI> -u <credentials> -create_event <opts>

Where the options are:

    -u <credentials>: API credentials separated by commas: <api_pass>,<user_name>,<user_pass>
    -name <event_name>: Free text
    -group <id_group>: Group identifier (use 0 for 'all')
    -agent: Specifies the agent by its identifier.

Optional parameters:

    [-status <status>] : 0 New, 1 Validated, 2 In process
    [-user <id_user>] : User of the comment (combine with -comment)
    [-type <event_type>] : unknown, alert_fired, alert_recovered, alert_ceased, alert_manual_validation, system, error, new_agent, configuration_change, going_unknown, going_down_critical, going_down_warning, going_up_normal
    [-severity <severity>] : 0 Maintenance, 1 Informational, 2 Normal, 3 Warning, 4 Critical, 5 Minor, 6 Major.
    [-am <id_agent_module>] : ID of the agent module that originated the event
    [-alert <id_alert_am>] : ID of the alert/module that originated the event
    [-c_instructions <critical_instructions>]
    [-w_instructions <warning_instructions>]
    [-u_instructions <unknown_instructions>]
    [-user_comment <comment>]
    [-owner_user <owner event>] : Event owner, use the login name
    [-source <source>] : (Default 'Pandora')
    [-tag <tags>] : Tag (must already exist in the system)
    [-custom_data <custom_data>] : Custom data must be a base64 encoded JSON document (>=6.0)
    [-server_id <server_id>] : ID of the server node (>=6.0)
    [-id_extra <id extra>] : Extra ID
    [-agent_name <Agent name>] : Agent name, NOT to be confused with the alias.
    [-force_create_agent <0 or 1>] : Forces creation of the agent if it does not exist; set the parameter to 1 and pass -agent_name as well.
Example of event generation, using \ as line continuation and indentation for readability (the credentials must be passed as a single comma-separated argument, so quote it and do not put spaces after the commas):
./pandora_revent.pl \
    -p https://$path_consoleAPI/pandora_console/include/api.php \
    -u "$api_pass,$user_name,$user_pass" \
    -create_event \
    -name "SampleEvent" \
    -group 2 \
    -agent 189 \
    -status 0 \
    -user "admin" \
    -type "system" \
    -severity 3 \
    -am 0 \
    -alert 9 \
    -c_instructions "Critical instructions" \
    -w_instructions "Warning instructions"
Options to validate an event:
./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -validate_event <options> -id <id_event>
Sample of event validation:
./pandora_revent.pl \
    -p https://$path_consoleAPI/pandora_console/include/api.php \
    -u "$api_pass,$user_name,$user_pass" \
    -validate_event \
    -id 234
For instruction
1.5.2 Just event generation
Sometimes, for security reasons, you may want a client device to be able only to create events (and not to validate them). For that, copy pandora_revent_create.pl
to the client device. It is found at:
/usr/share/pandora_server/util/pandora_revent_create.pl
This tool accepts the event creation options explained in the previous section, and nothing else.
Example:
./pandora_revent_create.pl \
    -p https://$path_consoleAPI/pandora_console/include/api.php \
    -u "$api_pass,$user_name,$user_pass" \
    -create_event \
    -name "Another nice event" \
    -group 0 \
    -type "system" \
    -status 0 \
    -severity 4 \
    -user "johndoe" \
    -owner_user "admin" \
    -source "Commandline" \
    -comment "testing event creation"
Use https:// rather than http:// for the API URL: the API password and the user credentials travel in the request.
1.5.3 Custom fields within events
Events with custom fields may also be generated with the Pandora FMS CLI. For example, an event generated by the following command:
perl pandora_manage.pl /etc/pandora/pandora_server.conf --create_event 'Custom event' system Firewalls 'localhost' 'module' 0 4 'admin' '{"Location": "Office", "Priority": 42}'
It would look like the one shown below.
1.6 Event setup
Through Events > View events > Manage events, it is possible to configure:
- Filtering.
- Responses.
- Display.
1.6.1 Event view customization
It is possible to customize the fields that the Event View shows by default; from Events > View events > Manage events > Custom fields section, choose the fields to be shown.
You can also access this section from Events > Custom events.
By default, the fields displayed are:
- Severity mini: Event severity in reduced format.
- Event name: Event name.
- Agent ID: Agent ID.
- Status: Event status.
- Timestamp: Date when the event was created.
Many more fields, apart from those shown by default, can be added to the "Fields selected" list:
- Event ID: Event ID.
- Agent name: Agent name.
- User: Event creator user.
- Group: Group the module belongs to.
- Event type: Event type.
- Module name: Module name.
- Alert: Alert linked to the event.
- Severity: Event severity.
- Comment: Event comments.
- Tags: Module tags.
- Source: Event source.
- Extra ID: Extra ID.
- Owner: Owner.
- ACK Timestamp: Date when the event was validated.
- Instructions: Critical or warning instructions.
- Server name: Name of the server the event came from.
- Data: Numerical data reported by the event.
- Module status: Module current status.
- Module custom ID: Value of the module's Module custom ID field.
Select the fields you wish to display from Fields available list and move them to Fields selected using the arrows.
Once selected, click Update.
1.6.2 Creating Event Filters
For the event view, you may create, delete and edit filters; with Create new filter you may create and choose the fields to filter:
After saving, at any time you may reload the stored preferences:
1.6.3 Event Responses
1.6.3.1 Introduction
An event response is a custom action that can be executed on an event, for example, creating a ticket in Integria IMS with the relevant information about the event.
Enter a representative name, a description, the parameters to use (separated by commas), the command to run (the parameters and the command may use the macros listed in the next section), the type, and the server that will execute the command.
1.6.3.2 Event Responses macros
The accepted macros are:
- Agent alias: _agent_alias_
- Agent name: _agent_name_
- Agent address: _agent_address_
- Agent ID: _agent_id_
- Event related alert ID: _alert_id_
- Date on which the event took place: _event_date_
- Extra ID: _event_extra_id_
- Event ID: _event_id_
- Event instructions: _event_instruction_
- Event severity ID: _event_severity_id_
- Event severity (translated by Pandora FMS console): _event_severity_text_
- Event source: _event_source_
- Event status (new, validated or event in process): _event_status_
- Event tags separated by commas: _event_tags_
- Full text of the event: _event_text_
- Event type (System, going into Unknown Status...): _event_type_
- Date on which the event occurred in utimestamp format: _event_utimestamp_
- Group ID: _group_id_
- Group name in database: _group_name_
- Event associated module address: _module_address_
- Event associated module ID: _module_id_
- Event associated module name: _module_name_
- Event owner user: _owner_user_
- User ID: _user_id_
- Id of the user who executes the response: _current_user_
- Command timeout (seconds): _command_timeout_
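As an added example (not a script shipped with Pandora FMS), here is a command that could be configured as an event response: it receives the expanded macro values as arguments and turns them into a JSON ticket line appended to a local spool file for a ticketing system to pick up. The assumed response definition would be something like /usr/local/bin/event_to_ticket.sh "_event_id_" "_agent_alias_" "_agent_address_" "_event_severity_text_" "_event_text_" (the path, the spool file and the severity-to-priority mapping are assumptions of this example). Every macro is quoted in the definition and treated as opaque data inside the script, because event text, agent aliases and similar values come from agents and users and must never be evaluated as shell code.

```sh
#!/bin/sh
# Added example, not part of Pandora FMS: the command side of an event
# response. Assumed definition (hypothetical path), with each macro quoted:
#   /usr/local/bin/event_to_ticket.sh "_event_id_" "_agent_alias_" \
#       "_agent_address_" "_event_severity_text_" "_event_text_"
set -eu

# Assumed spool file consumed by the ticketing system.
TICKET_SPOOL="${TICKET_SPOOL:-/var/spool/pandora/tickets.jsonl}"

# Escape a value for use inside a JSON string literal: backslashes first,
# then double quotes, so that event text cannot break out of the string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Map the console's severity text (_event_severity_text_) to a ticket priority
# (assumed scale: 1 is the most urgent).
priority_for() {
    case "$1" in
        Critical)      echo 1 ;;
        Major)         echo 2 ;;
        Warning|Minor) echo 3 ;;
        *)             echo 4 ;;
    esac
}

# Build one JSON ticket from the five macro values: event id, agent alias,
# agent address, severity text, event text. The values only ever appear as
# printf arguments; nothing is eval'ed or interpolated into another command.
build_ticket_json() {
    printf '{"source":"pandora","event_id":"%s","agent":"%s","address":"%s","severity":"%s","priority":%s,"summary":"%s"}\n' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
        "$(json_escape "$4")" "$(priority_for "$4")" "$(json_escape "$5")"
}

# Append the ticket to the spool file; the subshell keeps the restrictive
# umask from leaking into the caller.
spool_ticket() {
    ( umask 077; build_ticket_json "$@" >> "$TICKET_SPOOL" )
}

# When executed by the console as the response command (five macro
# arguments), spool the ticket; otherwise the functions are just defined.
if [ "$#" -eq 5 ]; then
    spool_ticket "$@"
fi
```

When the response is of the type executed by a Pandora FMS server rather than by the console, the script must exist on that server; the macro values arrive in the same positions either way.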