Difference between revisions of "Pandora: Documentation en: Managing and Administration"

From Pandora FMS Wiki
Jump to: navigation, search
(Users in Pandora FMS)
(Assignment of profiles and groups with user management permission (UM).)
 
(338 intermediate revisions by 22 users not shown)
Line 1: Line 1:
 
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
 
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
  
= Management of Pandora FMS =
+
{{WIP}}
 +
 
 +
= Pandora FMS Management=
  
 
== Introduction ==
 
== Introduction ==
  
In this chapter are discussed several topics on daily management of Pandora FMS, such as: group administration, user creation, etc.
+
This chapter deals with several aspects of Pandora FMS daily management such as: group administration, user creation, backups, workspace, etc.
 +
 
 +
==  Profiles, users, groups and ACL ==
 +
 
 +
Pandora FMS is a Web management tool. Thanks to its 100% multitenant permission system, multiple users can work with different permissions accessing Pandora FMS setup without seeing each other's information.
  
== Profiles, Users, Groups and ACL ==
+
To add users, it is important to have groups and profiles properly defined, and know exactly which data you want each user to see and/or modify.
  
Pandora FMS is a Web management tool that allows multiple users to work with different permissions in multiple defined agent groups. Before adding users, groups and profiles must be well defined, as well as the data visibility we want each user to have.
+
<center>
 +
[[image:Standard-user-profile.jpg]]
 +
</center><br>
  
=== Profiles in Pandora FMS ===
+
=== Users in Pandora FMS ===
  
The permissions an user can have are defined in profiles. Profiles are managed at Administration>Manage Profiles
+
Users are managed from ''Profiles > Users management'', where you may see the list of defined users.
  
 
<center><br><br>
 
<center><br><br>
[[image:gest1.png|600px]]
+
[[image:user_list_new.png]]
 
</center><br><br>
 
</center><br><br>
  
The following list defines what ACL control allows in each feature at the console:
+
User definition consists of the following fields:
  
<table cellpadding=4 cellspacing=0 style='background-color: #f0f0f0; border: 1px solid #acacac'>
+
<center><br><br>
<tr><th style='background-color: #cacaca'>Feature<Th  style='background-color: #cacaca'>ACL Control
+
[[image:detalle_usuario_2018.png]]
 +
</center><br><br>
  
<tr><td>View agent data (all tabs)<td>AR
+
Here are the relevant user fields:
<tr><td>Tactical view<td>AR
 
<tr><td>Network map view<td>AR
 
<tr><td>Group view<td>AR
 
<tr><td>Visual console edition<td>IW (RW from 5.0)
 
<tr><td>Create report<td>IW (RW from 5.0)
 
<tr><td>Create user custom-defined graph<td>IW (RW from 5.0)
 
<tr><td>View report, visual map and/or custom graph<td>IR (RR from 5.0)
 
<tr><td>Apply report template (>=5.0)<td>RW
 
<tr><td>Create report template (>=5.0)<td>RM
 
<tr><td>Create incident<td>IW
 
<tr><td>Read incident<td>IR
 
<tr><td>Delete Incident<td>IW
 
<tr><td>Become owner of another incident<td>IM
 
<tr><td>Delete incident of another user<td>IM
 
<tr><td>View event<td>AR (ER from 5.0)
 
<tr><td>Validate/Comment event<td>IW (EW from 5.0)
 
<tr><td>Delete event<td>IW (EW from 5.0)
 
<tr><td>Execute response (>=5.0) <td>EW
 
<tr><td>Create incident from event (From 5.0 is a response)<td>IW
 
<tr><td>Change owner/Re-open event (>=5.0) <td>EM
 
<tr><td>View user<td>AR
 
<tr><td>SNMP Console view<td>AR
 
<tr><td>Validate traps<td>IW
 
<tr><td>Message<td>IW
 
<tr><td>Cron jobs <td>PM
 
<tr><td>Tree view <td>AR
 
<tr><td>Update manager (Operation & Admin) <td>PM
 
<tr><td>Extension Module Group<td>AR
 
<tr><td>Agent management<td>AW
 
<tr><td>Remote agent configuration management <td>AW
 
<tr><td>Assign alerts to agents<td>LW
 
<tr><td>Define, alter and delete alert templates, actions and commands<td>LM
 
<tr><td>Group management<td>PM
 
<tr><td>Create inventory modules<td>PM
 
<tr><td>Module management (includes all suboptions)<td>PM
 
<tr><td>Massive management operations <td>AW
 
<tr><td>Create agent<td>AW
 
<tr><td>Duplicate remote configurations<td>AW
 
<tr><td>Downtime management<td>AW
 
<tr><td>Alert management<td>AM
 
<tr><td>User management<td>UM
 
<tr><td>SNMP Console management (alerts and MIB load)<td>PM
 
<tr><td>Profile management<td>PM
 
<tr><td>Server management<td>PM
 
<tr><td>System audit<td>PM
 
<tr><td>Setup<td>PM
 
<tr><td>Database maintance<td>DM
 
<tr><td>Administrator extension menu<td>PM
 
<tr><td>Search bar<td>AR
 
<tr><td>Policy management<td>AW
 
<tr><td>Disable agent/module/alert (>=5.0)<td>AD
 
  
</table>
+
* '''User ID''': Identifier that the user will use to authenticate himself in the application. This identifier is a value that should not have rare characters or spaces.
 +
* '''Full Display Name''': Field where you put the full name, this if it is a descriptive field and can contain spaces and non-standard characters.
 +
* '''Password''': Password that the user will have to access.
 +
* '''Global Profile''': An Administrator user will not be governed by the internal ACL system and will have access to everything. The standard user will be ruled by the Pandora FMS ACL permissions assigned to him.
 +
* '''E-mail and phone''': Optional fields where we can add extra user information.
 +
* '''Login Error''': If this field is marked, the user will only be able to access to the API but not in an interactive way through the console.
 +
* '''Session time''': Time in which the user can be connected without activity before the user considers his session expired and forces him to authenticate again.
 +
* '''Language''': By default is the system language. You can also assign a specific language in which the user will see the Pandora FMS console.
 +
* '''Timezone''': Field to put the console time zone to visualize different elements (Agents General View, Modules View, ...).
 +
* '''Block size for pagination''': Default size of pagination for this user.
 +
* '''Skin''': Field where you can choose a custom skin.
 +
* '''Home screen''': Change the default screen the user enters after logging in the console, for example, the event viewer, or a visual console defined by the administrator.
 +
* '''Default event filter''': Allows to define the default filter that the user will have when entering the event view. Later you can change it, but this will be the one applied "by default".
 +
* '''Disabled newsletter''': Activate or deactivate the Pandora FMS newsletters.
 +
* '''Comments''': Additional information to the fields defined above.
 +
* '''Profiles/Groups assigned to this user''': Selection of profiles and/or groups in which the user will be organized or have access to.
 +
 
 +
==== User Edition by the User itself ====
  
==== Adding a Profile ====
+
All users can modify certain parameters of their own settings in ''Workspace > Edit my User''.
  
To add a profile, go to Administration>Manage Profiles and click on “Create”.
+
The user creation form will appear, where you can configure some sections, except for group permissions.
The following form will be displayed:
 
  
 
<center><br><br>
 
<center><br><br>
[[image:gest2.png]]
+
[[image:gestusuario.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
To create a profile, give it a name, choose the permissions it will have and click on “Create”.
+
===== Notification setup =====
  
==== Editing a Profile ====
+
To customize logged-in user’s notifications, the administrator must have previously granted him notification edition permissions. In case of having said permissions, as well as all options activated, notifications and their forwarding by email can be enabled/disabled.
  
To edit a profile, go to Administration>Manage Profiles and click on the name of the profile to be edited.
+
<center>
 +
[[image:Notificaciones1.PNG]]
 +
</center><br>
  
<center><br><br>
+
Notifications allow to see warning messages related to the following sections on screen:  
[[image:gest3.png]]
 
</center><br><br>
 
  
==== Deleting a Profile ====
+
* <b>System status</b>. Where the following notifications are generated:
 +
** Expired or nearly expired license warning (~15 days or less).
 +
** Too many files attached warning.
 +
** Piled-up .data files in data_in warning (> 1000 files and increasing).
 +
** Piled-up BADXML files in data_in warning (> 150 files).
 +
** Overall module queuing (increasing) by server warning.
 +
** PHP setup warning.
 +
** Review whether pandora_db is running on the main database.
 +
** Review whether pandora_db is running on the history database.
 +
** History database update status (MR correct).
 +
** Status warnings, component down or uninitiated => Any of the Pandora FMS servers with status=1 and ''keepalive - now()'' may be higher than ''server_keepalive * 2''.
 +
** Tentacle service down.
 +
** No master-mode server warning.
 +
** In the case of activated logs, Elastic/Logstash connectivity status.
 +
** In case of using Pandora FMS HA, error in DB replication.
 +
** Connection error with GIS map servers GIS (WMS).
 +
** Log size.
 +
** Mounting point/disk/almost full volume warning (data_in/mysql/tmp...)(> 90%).
 +
** History database connection failure.
 +
** Metaconsole synchronization failure.
 +
** Next scheduled shutdowns (in less than 15 days).
 +
** Metaconsole: Synchronization status:
 +
*** Node synchronization failures.
 +
*** Event replication failures.
 +
*** Agent cache.
  
To delete a profile go to Administration>Manage Profiles and then click on the red "x" at the right hand side of the name of the profile to be deleted.
+
* <b>Message</b>:
 +
** Messages received by the user yet to be read.
 +
 +
* <b>Pending task</b>:
 +
** Policies yet to be applied.
 +
** Queued policies running/complete, and acknowledged once completed.
 +
** Pending re-creation policies.
 +
** Defined server plugins whose executable does not exist.
 +
** Metaconsole:
 +
*** Pending synchronization tasks.
 +
*** Completed synchronization tasks.
 +
*** Pending notifications by node.
 +
*** Policy queue status.
 +
 +
* <b>Advertisement</b>.
 +
** Enterprise version not installed reminder.
 +
** Do you know our Enterprise version?
 +
** Do you know the module library?
 +
** Discover eHorus.
 +
** Discover Integria IMS.  
  
<center><br><br>
+
* <b>Official communication</b>:
[[image:gest4.png]]
+
** Update notifications.
</center><br><br>
+
** Messages generated from Ártica ST headquarters (update to PHP7, phantomjs, etc.)
  
=== Pandora FMS Groups===
+
* <b>Suggestion</b>:
 +
** Did you know Pandora FMS can be integrated with Telegram?
 +
** Did you know alerts can be scaled?
 +
** Monitor your complete applications using services.
  
The accesses are related with the groups that are used to group agents. An user could have different permissions in each of the groups to which it has access. The agents could only belong to one group.
+
The options found in notification setup are these:
  
The groups are defined at Adminitration>Manage Agents>Manage Groups.
+
* <b>Notified users</b>: Users that will receive the activated notifications.
 +
* <b>Notified groups</b>: Groups that will receive the activated notifications.
 +
* <b>Notify all users</b>: Option that will allow to notify all users.
 +
* <b>Also email users with notification content</b>: To enable sending emails for each notification.
 +
* <b>Users can modify notification preferences</b>: To allow users to modify notification preferences (the system administrator can restrict this option).
 +
* <b>Users can postpone notifications up to</b>: It allows to postpone notifications so that they are not received more than once in a certain interval (which can be chosen in the drop-down).
  
<center><br><br>
+
=== Groups in Pandora FMS ===
[[image:gest5.png|600px]]
+
====Introduction====
</center><br><br>
+
The concept of group in Pandora FMS is fundamental. The groups are sets of elements with their own rules whose purpose is to help to control user access to certain elements inside Pandora FMS.  
  
==== Adding a Group ====
+
It is important to know that an agent can only belong to one group, but that a user can have access to one or several of these groups.
  
To add a group go to Administration>Manage Agents>Manage Groups and click on “Create Group”.
+
When configuring the groups, it will be necessary to take into account that the group All is a special group that cannot be eliminated, and all the groups are its subgroups. Any element that is associated to the All group can be seen/administered by a user that has permissions in any group.  
  
Following form is displayed:
+
====Group all====
 
 
<center><br><br>
 
[[image:gest6.png]]
 
</center><br><br>
 
  
Next, form fields are discussed.
+
Pandora FMS has a group system, which are entities into which agents are classified and which are used to grant permissions. That way users are granted some permissions assigned to one or several groups, and thus they will be able to interact with agentes and other elements in their context.
* '''Name''': Group name
 
* '''Icon''': Combo box to choose the icon the group will have.
 
* '''Parent''': Combo box to assign another group as parent of the group under creation.
 
* '''Alerts''': If enabled, agents belonging to the group will be able to send alerts, if not marked they won't be able to do so.
 
* '''Custom ID''': Groups have an ID in the Database, in this field you can input another customized ID to be used by an external program in an integration (e.g.: CMDB's).
 
  
Once the fields have been filled in click on the “Create” button.
+
To make group assigning and filtering easier, there is a tool called group "All". Group "All", depending on the context, means ALL groups or ANY of them. From version 3.1 is exclusive identifier is ID 0. But it is totally controlled by the code, ther is no group with that ID in the DB.
  
==== Editing a Group ====
+
====Group creation====
  
To edit a group got o Administration > Manage Agents > Manage Groups and click on the name of the group you want to edit.
+
Groups are defined in the section  ''Profiles > Manage agent groups''.
  
 
<center><br><br>
 
<center><br><br>
[[image:gest7.png]]
+
[[image:gest5.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
==== Deleting a Group ====
+
Inside group creation / modification, there is the following form:
 
 
To delete a group go to Administration > Manage Agents > Manage Groups and click on the red x at the right hand side of the name of the group to be deleted.
 
  
 
<center><br><br>
 
<center><br><br>
[[image:gest8.png]]
+
[[image:gestion_grupo.png]]
 
</center><br><br>
 
</center><br><br>
  
=== Tags in Pandora FMS ===
+
These are the relevant user fields:
  
The access to the modules can be configurated with a Tags system. A tags are configurated on the system, and be assigned to the choosed modules. In this way the access of the user can be limited to the modules with certain tags.
+
* '''Name''': Group name. This group can be used in the automatic agent provisioning, so it is not recommended that it contains spaces or rare characters (although it is supported).
 +
* '''Icon''': Combo where the icon for the group can be chosen.
 +
* '''Parent''': Combo where another group can be defined as the parent of the group being created.
 +
* '''Password''': Optional. It allows restricting automatic agent creation (automatic software or satellite agent provision) so that only agents with the same password as the one defined in this field can be created.
 +
* '''Alerts''': If checked, the agents belonging to the group will be able to send alerts. If not checked, alerts will not be sent. You can use this property to quickly disable alert generation for a certain group of agents.
 +
* '''Propagate ACL''': If enabled, the child groups will have the same ACL permissions as the group.
 +
* '''Custom ID''': Groups have an ID in the database. In this field it is possible to set another custom ID that can be used from an external program to perform an integration (e.g. CMDBs).
 +
* '''Contact''': Contact information accessible through _groupcontact_ macro.
 +
* '''Skin''': A skin can be assigned to the group.
  
{{Tip|The Tags access doesnt replace the group access. It complement it}}
+
====Importing groups from CSV====
 +
<br>
 +
{{Metaconsole}}
  
The tags are managed at Adminitration>Manage Modules>Manage Tags.
+
This is an Enterprise feature. The extension allows to import a file separated by some separating character in Pandora FMS server.
  
<center><br><br>
+
Access the extension from ''Admin tools > Extensions manager > CSV import group''.
[[image:gesttags5.png|600px]]
 
</center><br><br>
 
  
==== Adding a Tag ====
+
<center>
 +
[[image:ex17.png|800px]]
 +
</center><br>
  
To add a tag go to Administration>Manage Modules>Manage Tags and click on “Create Tag”.
+
The file to be imported is chosen by clicking on “Select file” and the combo is chosen from a combo. Once the previous fields are filled out, click “Go”.
  
The following form is displayed:
+
The CSV file must contain the following fields in the following order: Group name, icon, parent id and propagation (1 or 0).
  
<center><br><br>
+
=== Profiles in Pandora FMS ===
[[image:gesttags6.png]]
 
</center><br><br>
 
 
 
Next, form fields are discussed:
 
 
 
* '''Name''': Tag name
 
* '''Description''': Tag description
 
* '''Url''': Extern link to add more extra information to the tag
 
* '''Email''': Email address used in alerts associated to the tag
 
 
 
Once the form is complete, click on “Create”
 
 
 
==== Editing Tag ====
 
  
To edit a tag go to Administration > Manage Modules > Manage Tags and click on the tag name that you want to edit or on the edition icon in the actions column.
+
Pandora FMS profiles allow to define which permissions a user is granted. The combination of profiles and a group associated to a user allows to define which permissions a user has on a group of agents, so that he can have different profiles in different groups. Profiles are managed from ''Profiles'' > ''Profile management''.  
  
 
<center><br><br>
 
<center><br><br>
[[image:gesttag7.png]]
+
[[image:gest1.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
==== Deleting a Tag ====
+
==== List of profiles ====
  
To delete a tag go to Administration > Manage Modules > Manage Tags and click on the red X of the actions column.
+
This list defines what each profile enables:
  
<center><br><br>
+
<table cellpadding=1 cellspacing=1 style='background-color: #f0f0f0; border: 1px solid #acacac'>
[[image:gestag8.png]]
+
<tr><th style='background-color: #cacaca'>BIT ACCESS<th  style='background-color: #cacaca'>OPERATION
</center><br><br>
+
<tr><td>IR<td>- See incidents
 +
<tr><td>IW<td>- Validate traps<br>- Messages
 +
<tr><td>IM<td>- Manage incidents<br>- View agent data (all views)<br>- Tactical view<br>- Group view<br>- See users<br>- See SNMP console<br>- Tree view<br>- Extension Module Group<br>- Search bar
 +
<tr><td>AW<td>- Agent management view<br>- Edit agent and its .conf<br>- Massive operations<br>- Create agent<br>- Duplicate remote configuration<br>- Policy management
 +
<tr><td>AD<td>- Management of service stops<br>- Deactivate agent/module/alert
 +
<tr><td>LW<td>- Alert assignment already created<br>- Alert management
 +
<tr><td>LM<td>- Define, modify templates, commands and actions
 +
<tr><td>UM<td>- User management
 +
<tr><td>DM<td>- Database Maintenance
 +
<tr><td>ER<td>- See event
 +
<tr><td>EW<td>- Validate/Comment event<br>- Manage filters<br>- Execute responses
 +
<tr><td>EM<td>- Delete event<br>- Change owner/Re-open event
 +
<tr><td>RR<td>- View report, graph, etc<br>- Apply a report template
 +
<tr><td>RW<td>- Create a visual console<br>- Create report<br>- Create combined Graph
 +
<tr><td>RM<td>- Create a report template
 +
<tr><td>MR<td>- Network map view
 +
<tr><td>MW<td>- Editing network maps<br>- Deleting own network maps
 +
<tr><td>MM<td>- Deletion of any network map
 +
<tr><td>VR<td>- Visual console view
 +
<tr><td>VW<td>- Visual console edition<br>- Deletion of own visual consoles<br>- Deletion of any visual console
 +
<tr><td>VM<td>- Visual console management
 +
<tr><td>PM<td>- Manage responses<br>- Customize event columns<br>- Update manager (Operation and Administration)<br>- Manage groups<br>- Create inventory modules<br>- Manage modules (including all sub-options)<br>- Manage SNMP console<br>- Manage profiles<br>- Manage servers<br>- System audit (edit and view)<br>- Setup (all lower tabs incl)<br>- Administration extensions
 +
<tr><th style='background-color: #cacaca'><th style='background-color: #cacaca'>PERMITS COMBINATION
 +
<tr><td>EW & IW<td>- Create incidence through the event (Response)
 +
<tr><td>LM & AR / AW & LW<td>- Validate alerts
  
=== Users in Pandora FMS ===
+
</table>
  
Once the profiles and groups that are going to be used in Pandora FMS have been defined, it's time to define users.
+
=== Permission granting ===
 +
From user editing, you may grant a user access to a group with a certain profile:
  
Users are managed at Administration > Manage users, where one can see the list of defined users, as well as the created profiles.
+
<center>
 +
[[Image:acl_groups.png|center]]
 +
</center>
  
<center><br><br>
+
If you do not assign any group or profile to the user, when the user tries to log in, there will be a login error like the one below:
[[image:gest9.png]]
 
</center><br><br>
 
  
==== Adding a User ====
+
<center>
 +
[[Image:Fallo_login.png|center]]
 +
</center>
  
To add a user go to Administration>Manage users and click on “Create User”.
+
==== Assignment of profiles and groups with user management permission (UM).====
  
The following form is displayed:
+
From Pandora FMS version 748 on, an improvement in the management of users, permissions and groups is enabled.
  
<center><br><br>
+
Several possible scenarios have been taken into account, which we will now explain:
[[image:gest11.png|400px]]
 
</center><br><br>
 
  
Next, form fields are discussed:
+
*A "manager" user with UM permissions that belongs to the group ALL will be able to manage any user regardless of the group he belongs to.
 +
*Accesses to groups can be added before creating a user as such.
 +
*A "manager" user can edit profiles and groups only on the users he can see because they belong to the groups he manages with UM permissions.
 +
*An administrator user can create other administrator users and can manage any other user, but in no case a "manager" user with UM permissions can remove UM permissions to another user who has the same permissions on the same group. This can only be modified by an administrator.
 +
*A "manager" user without UM permissions on a group, can not see which users belong to that group.
 +
*A "manager" user can eliminate the relation of users with the groups that it manages and even the complete user if only this one has relation with the groups that it manages.
  
* '''User ID''': Identifier the user will use to log into the application.
+
{{warning|In case the last profile/group relationship of an user is going to be deleted and the user is going to be deleted Pandora shows a warning.}}
* '''Full Display Name''': Field to store the full name.
 
* '''First Name''': Field to store the person name.
 
* '''Last Name''': Field to store the family name.
 
* '''Password''': Field to input the password.
 
* '''Password confirmation''': Field to input the password again for confirmation.
 
* '''Global Profile''': Choose among Administrator or Standar User. An administrator will have absolute permissions on the application for the assigned groups. An standard user will have the permissions defined in the assigned profile.
 
* '''E-mail''': Field to store the user's e-mail.
 
* '''Phone Number''': Field to store the user's phone number.
 
* '''Comments''': Field to store comments on the user.
 
  
Once the form is complete, click on “Create”. The created user appears, as a new section does, to input the groups the user will have access to, and the applicable profile.
+
*A "manager" user that has UM permissions in a group and not in another one, can only see the profile/group information of the groups that he manages, even if the user he observes has more permissions of other groups. The rest of the user's information will be unrelated to the "manager" user. In this way the "manager" user will only be able to obtain information or modify the permissions on the groups that he manages, but at no time will he be able to remove more permissions or eliminate the user.
  
<center><br><br>
+
==== Permission system extended by tags ====
[[image:gest12.png|400px]]
 
</center><br><br>
 
  
A user can be given access to as much groups as you want. Select a profile and the group and click on the blue + symbol.
+
In the Enterprise version, individual access to the modules of an agent can be configured by a Tag system. Some tags are configured in the system, they are assigned to the modules you wish, and additionally, access may be restricted to a user only to the modules that have those tags defined.  
  
<center><br><br>
+
<br>
[[image:gest13.png|400px]]
+
{{Tip|Access by Tags does not replace access by groups, it only complements it.}}
</center><br><br>
 
  
In case you want to remove access to a group, click on the red "x" at the right hand side of the access to be removed.
+
Tags are defined in ''Profiles'' > ''Module Tags''.
  
 
<center><br><br>
 
<center><br><br>
[[image:gest14.png|400px]]
+
[[image:gesttags5.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
In addition, the user can be given access to foreign political groups. This allows him to access all the content of these policies regardless of which group they belong to.
+
In module configuration, one or more tags can (optionally) can assigned:
  
<center><br><br>
+
<center>
[[image:extra_policies.png|700px]]
+
[[Image:tags_1.png|center]]
</center><br><br>
+
</center>
  
To know more about this setup visit [[Pandora:Documentation_en:Policy#Extra_access_to_policies|Extra access to policies]]
+
You may assign specific access to a tag through the user editor, in profile and group assigning, by adding a tag:
  
==== Displaying a User ====
+
<center>
 +
[[Image:acl_tags.png|center]]
 +
</center>
  
On top of the option at Administration>Manage users  it is also possible to see the users at Operation>View Users.
+
In this example, the user has access by means of the operator profile to the "eHorus" and "hosting" group and also to the "Infrastructure" group, but only to modules labeled with the "Security" tag.
  
<center><br><br>
+
{{Warning|This system, which is called Tag-based security mode allows restricting access to all agent content, but it has performance impact, so it is designed exclusively to give access to small portions of information, that is, it should not be used with more than two or three tags per user/profile/group combination.}}
[[image:gest15.png|600px]]
 
</center><br><br>
 
  
==== Editing the Own User Settings ====
+
{{Tip|In some global views (tactical view, group view, general tree counts) the totals show all the modules, not just the ones "visible" by the tag. }}
  
If the user has administrator permissions, he can modify certain parameters of her configuration at Operation>View Users>Edit my User.
+
==== Hierarchy ====
  
The user creation form is displayed, where everything can be edited except group permissions.
+
In previous sections, we explained that the permissions of a group can be extended to the children by means of the configuration option ''Propagate ACL''. However, from user configuration, you may limit this feature and prevent the ACL from propagating by checking ''No hierarchy''.
  
<center><br><br>
+
As a reference for the examples, here we propose a configuration with the two parent groups "Applications" and "Databases" with two children each, "Development_Apps" and "Management_Apps" for the first one and "Databases_America" and "Databases_Asia" for the second one. Both parent groups are set for ACL to be spread.
[[image:gest16.png|550px]]
 
</center><br><br>
 
  
In case of lacking administrator permissions, following page will be displayed:
+
<center>
 +
[[Image:Acl_hierarchy_groups.png|center]]
 +
</center>
  
<center><br><br>
+
In the user edit view, the following profiles are added:
[[image:gest17.png]]
 
</center><br><br>
 
  
==== User Edition by the Administrator ====
+
<center>
 +
[[Image:Acl_hierarchy_1.png|center]]
 +
</center>
  
To edit a user completely, including the permissions and groups part, go to Administration>Manage users and click on the user's name.
+
The user will have access to the groups named "Applications", "Development_Apps", "Management_Apps" and "Databases".
  
<center><br><br>
+
However, if a child of "Databases" is added:
[[image:gest18.png]]
 
</center><br><br>
 
  
==== Removing an User ====
+
<center>
 +
[[Image:Acl_hierarchy_2.png|center]]
 +
</center>
  
To completely remove an user, go to Administration>Manage users and click on the red "x" at the right hand side of the user's name.
+
The user will have access to the groups named "Applications", "Development_Apps", "Management_Apps", "Databases" and "Databases_Asia", but not to "Databases_America".
  
<center><br><br>
+
==== Secondary groups ====
[[image:gest19.png]]
 
</center><br><br>
 
  
==The "All" Group==
+
From update package 721 agents may have secondary groups. Unlike the primary group, these secondary groups are optional.
  
Pandora FMS has a system of groups that are entities in which the agents will be classified and that are used to disperse privileges. In that way, it gives the users some permissions framed into one or several groups, and they will have then, the possibility of seeing and interact with the agents and the others objects from its environment.
+
<center>
 +
[[File:Secondary agent.png|center]]
 +
</center>
  
To make easier the assignation and filtering of the groups, we have a tool named "All" group. The "All" group means, depending on the context, ALL groups , or ANY of them. Theoretically speaking, it's the same in version 3.1, but its implementation has changed.
+
An agent belonging to a secondary group means that it actually belongs to several groups at the same time. With this feature, two users with different permissions may have access to the same agent by just adding the appropriate secondary groups.
  
''' In version 3.0''' the "All" group is an '''special group contained in the database''' with Identifier 1. This one was booked, in this way, to this group. So, throughout the console code, the group with id 1, was managed as an exception, with the necessity of the subsequent control when the groups where listed, and where it was necessary to omit this group sometimes.
+
For example, if an agent called "Portal" has "Infrastructures" as main group and "Hosting" as secondary group, any user that has access to "Infrastructures" and/or a "Hosting" may access it.
  
''' In version 3.1''' the "All" group '''has disappear from the Database''', so the identifier 1 has been released for the use of any normal group. Now, the identifier reserved for the "All" group is the 0, with the difference, that it is completely controlled through code, and there doesn't exist this group as before. Simply, now it's controlled that the objects associated with the 0 group will be associated to all groups, without needing to control if a group token out from the database is special or not.
+
Some views, such as ''Tree View'', may show repeated agents. That is the usual performance when using secondary groups.
  
When we take out the agents from a group or vice versa, there isn't any problem, so an agent belongs only to a group. But, for example, when extracting the groups to which an user belongs to or the users that belong to one group, you should consider that when we list the users that belongs to a group, we should show the ones that belong to all of them (group 0) and if we show the groups of an user, then we should show all of them in case that this user belongs to the "All" group (group 0)
+
=== ACL Enterprise System ===
 +
====Introduction====
 +
The ACL Open Source model is based on "unix style" role/action/group/user (4 items).
  
 +
The ACL Enterprise system allows you to define -according to profile- which pages (defined one by one or by "groups") users have access to. This will allow you to redefine which sections of the interface a user can see. For example, to allow a user to see only the "Group" view and the "Detailed" agent view, skipping pages such as "Alert view" or "Monitor view", already grouped in the classic Pandora FMS ACL system as "AR" (Agent Read Privileges).
  
== Enterprise ACL System ==
+
This feature allows you to restrict the administration per page. It is very useful to allow some specific low-level operations.
  
The Open Source ACL model is based on “unix style” role/action/group/user (4 items).
+
{{Tip|Both models are "parallel" and compatible. The classic ACL system is complementary and it is evaluated prior to the ACL Enterprise system.}}
  
The Enterprise ACL system, implemented in version 3.1, will allow to define per profile, which pages (defined one by one or by “groups”) has user access. This will allow for example, to let a user view only “Group” view, and “Detailed” agent view, skipping pages as “Alert view” or “Monitor view”, grouped already in Pandora FMS classic ACL system as “AR” (Agent Read privileges).
+
====Configuration====
  
This even allow to restrict administration per page. Very useful to let specific low-level operations allowed.
+
In order to be able to use the new ACL system, the first step is to activate it in the configuration tab. This option is only visible if you use the Enterprise version.  
  
Both models are “paralel” and compatible, and this is an Enteprise feature only. Classic ACL system will continue to exist, and provides as now, a very easy ACL system for Pandora FMS.
+
<br><br><center>
 
+
[[Image:Enterprise_acl_setup.png]]
In order to use the new ACL system, first this should be activated in setup. This option is only visible if you're running the enterprise version
+
</center><br><br>
 
 
 
 
<br>
 
<br>
 
<center>
 
[[Image:Acl_setup2.png|700px]]
 
</center>
 
<br>
 
<br>
 
  
To use the Enterprise ACL system, go to the specific option for ACL Enterprise at Administration -> Setup. In this screen you can add new items in the new ACL System and see the items defined by profile. You can also delete items from the Enterprise ACL system.
+
To configure the Enterprise ACL system, go to the specific option for ACL Enterprise in ''Administration'' > ''Setup''. On this screen you may add new items in the new ACL System and see the items defined by profile. You can also delete items from the Enterprise ACL system.  
  
 
<br>
 
<br>
 
<br>
 
<br>
 
<center>
 
<center>
[[Image:Acl_setup1.png|700px]]
+
[[Image:Acl_setup1.png|850px]]
 
</center>
 
</center>
 
<br>
 
<br>
 
<br>
 
<br>
  
Enterprise ACL systems, if activated, restrict ALL pages to ALL groups (even the Administrator!) to pages defined (allowed) in the Enterprise ACL system. If a user with "Administrator" profile, has no pages included in the Enterprise ACL system, he cannot see anything.  
+
{{warning|If the Enterprise ACL system is enabled, it restricts ALL pages to ALL groups (including the Administrator!) to all defined (allowed) pages in the Enterprise ACL system. If a user with the "Administrator" profile does not have pages included in the Enterprise ACL system, they will not be able to see anything.}}
  
 +
{{warning|Please, be careful with this, because you may lose access to the console if you enable improper ACL Enterprise configuration for your user.}}
  
{{warning|Please be careful with this because you can loose console access if you set incorrect Enterprise ACL configuration to your running user!}}
+
If you have mistakenly lost access to the console, you may disable the Enterprise ACL system from the command line:
 
 
To disable enterprise ACL system from command line, execute:
 
  
 
  /usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl
 
  /usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl
  
You can define "page by page", "whole sections", set a "any" rule or add "custom pages" no accessibles from menu.
+
You can define "page by page", "complete sections", set "any" rule or add "custom pages" that are not accessible from the menu.
  
There are two modes to add pages to a profile: With the '''wizard''' (by default) or with the '''custom edition'''. Over the add rules button there is a button to change this mode.
+
There are two ways to add pages to a profile: with the'' wizard'' (default) or with ''custom edit''. Above the button to add a rule, there is a button to change this mode.
  
===Wizard===
+
=====Wizard=====
  
With the wizard, we choose the sections and pages from a combo controls.
+
In the wizard we will choose the sections and pages of some combo controls.
  
{{warning|The pages of this combos there are the accessibles from menu. To give access to pages that are accesible by another way (For example, the main view of the agents) we must use the custom editor}}
+
{{warning|The pages that appear in these combos are only those accessible from the menu. To give access to pages that can be accessed in another way (e. g. the agent main view) use the custom editor.}}
  
To include a Pandora FMS page into "allowed pages" you must select the profile to which the acl will be applied to and then choose the section  allowed from the "Section" control. At this moment, you will can select from "Page" control, whatever of the section pages.
+
To include a Pandora FMS page in the "allowed pages", you must select the profile to which the rule will be applied, then select in "Section" control the section that contains the desired page. You can then select any of your pages in the "Page" control.
  
 
<br>
 
<br>
 
<br>
 
<br>
 
<center>
 
<center>
[[Image:Acl_setup4.png|700px]]
+
[[Image:Acl_setup4.png|800px]]
 
</center>
 
</center>
 
<br>
 
<br>
 
<br>
 
<br>
  
Another option is to select a section and set the value "All" for "Page". This will allow the selected profile to see "everything", just as would be without the Enterprise ACL system for that profile. In the same way if you select "All" in both controls this profile could se "all" of "all" sections, as this sections without Enterprise ACL system.
+
Another option is to select a section and the value "All" in the "Page" control. This will allow the chosen profile to see "all" of the selected section. Also by selecting "All" in both controls, users of that profile will be allowed to view "all" of "all" sections, just as it would be without the Enterprise ACL System for that profile.
  
{{warning|To do section visible in the menu, the user must has access to at least the first page of this section. For example, to show section "Monitoring", the user must has access to al least the "Tactical View" page}}
+
{{warning|For a section in the menu to be displayed, the user must have access to at least the first page of the section. For example, for the "Monitoring" section to be displayed they must have access to at least "Tactical View".}}
  
===Custom edition===
+
=====Custom editing=====
  
To add single pages that are not accessibles from the menu, we can interoduce their sec2 manually. For this, we will access to the page that we want to add and copy the sec2 parameter.  
+
To add individual pages that are not accessible from the menu, you may manually enter your sec2. To that end, access the page you wish to add and copy the parameter sec2.  
  
For example if we want add the main view of the agents, we go to any agent main view where the URL will be like this:
+
For example, if you wish to add the main view of the agents, enter the view of any agent and find a URL similar to this one:
  
http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702
+
http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702
  
We write the sec2 parameter (operation/agentes/ver_agente) into the text box.
+
Enter the contents of parameter sec2 (operation/agents/see_agent) in the text box.
  
 
<br>
 
<br>
 
<br>
 
<br>
 
<center>
 
<center>
[[Image:Acl_setup5.png|700px]]
+
[[Image:Acl_setup5.png|850px]]
 
</center>
 
</center>
 
<br>
 
<br>
 
<br>
 
<br>
  
===Security===
+
====Security====
  
Any page not "allowed" will not be shown in the menu, and will not allowed to be used, even if the user enter the URL "manually". Any page not allowed by "Classic" Pandora FMS ACL system, will not be allowed by the enterprise ACL system (this runs over the classic ACL system). This is an example with several filters:
+
Any page that is not "allowed" will not be displayed in the menu, and its use will not be allowed, even when the user enters the URL in "manual" mode. Any page that isn't allowed by the "Classic" Pandora FMS ACL system will not be allowed by the Enterprise ACL system (this is valid for the classic ACL system). This would be a specific example of several filters:
  
 
<br>
 
<br>
 
<br>
 
<br>
 
<center>
 
<center>
[[Image:Acl_example.png|700px]]
+
[[Image:Acl_example.png|800px]]
 
</center>
 
</center>
 
<br>
 
<br>
 
<br>
 
<br>
  
Also, there is a control that checks if a page belongs to a section, improving the security against manually modifications of the URL. This check will be avoided with pages added with the custom editor and when the user has access to all the pages of a section, to optimize the performance.
+
In addition, there is a control that checks whether a page belongs to a section, which reinforces security against manual URL modifications. This check will be skipped for pages added with the custom editor, as well as the access to each pages belonging to a full section whose access is granted, thus optimizing the load.
  
== Workspace ==
+
== Servers ==
  
=== Chat ===
+
The detailed view of the servers is used to know, besides the general state of the Pandora FMS servers, their load level and delay. Let us see a screenshot of a server status screen that is reached through the operation menu > Pandora Servers.
  
This tool allows to interact with other pandora users connected to the console in realtime. This is helpful to share comments or issues about the service with other operators/administrators.
+
<center>
 +
[[image:Server_explained_2017.png]]
 +
</center>
  
=== Users connected ===
+
Some icons have special relevance, as seen in the above caption:
  
This extension shows other users connected to Pandora FMS console different that our own user. This functionality have importance because Pandora FMS Console allows conections from different users.
+
* Poll request: It asks the remote test server to run all the checks it has, forcing it to run them again. Valid for all network servers, e. g. Network server, WMI server, Plugin server, WEB server, etc.
 +
* Editing Discovery server tasks.
 +
* Edit remote server configuration. Valid for Pandora FMS servers or satellite servers .
  
Go to the extension from Operation>Extansions>Users connected.
+
In addition, in this view you may see several important data, each column shows the following information:
 
 
<center><br><br>
 
[[image:ex4b.png|650px]]
 
</center><br><br>
 
  
=== Messages ===
+
*Server name, usually the hostname of the machine.
 +
*Status (green = active, grey = stopped or down).
 +
*Server type: data server, network server, etc.
 +
*Progress bar indicating the total module load percentage for that type of server. In this case, all servers are at 100% except for recon server, which has no associated tasks so it is at 0%.
 +
*Number of such modules executed by the server with respect to the total number of such modules.
 +
*Server Lag: Highest amount of time spent by the oldest module waiting to receive data / Nº of modules out of their lifetime. In this example, there are approx. 3000 modules out of their lifespan, with a lag time of 10 minutes 13 seconds. This indicator is useful to know if you have many modules and to know if the server is at load capacity limit, as it is this case. Although it does not have an excessive delay (10 minutes 13 sec, for modules that have a lifespan average of 5 min), the number of modules out of time is considerable. In the case of the network server, this figure is much lower, being only 19 modules with a lag (10 minutes) of a total of almost 1500 modules.
 +
*Total number of threads configured on the server: Total number of modules in queue waiting to be attended. These parameters reflect excessive load status. There should almost never be queued modules. This reflects the server's inability to process the data.
 +
*Number of seconds since the server updated its data. Each server has a "Keepalive" that updates its status, to make sure it is active and updating its statistics.
  
Pandora FMS has a tool that allows that the different users could send messages between them. Pending messages has a blinking icon in the header.
+
==Credential store==
  
==== See Messages====
 
  
When a user has a message, an icon (envelope) appears on the right at the top of the console.
+
Pandora FMS features a credential store. This repository manages the IDs used in sections such as Discovery Cloud or agent automatic deployment.
  
<center><br><br>
+
<center>
[[image:gest20.png|660px]]
+
[[File:Cred_store.png]]
</center><br><br>
+
</center>
  
You can see the messages that have an user at Operation> Messages
+
Next, the "Credential store" tab is displayed.
  
<center><br><br>
+
<center>
[[image:gest21.png|660px]]
+
[[File:Cred_store1.png]]
</center><br><br>
+
</center>
  
<center><br><br>
 
[[image:gest22.png|660px]]
 
</center><br><br>
 
  
Clicking on the envelope you can read the message that is over the messages list.
+
There are three different login information types to register:
  
Clicking on "Reply" you can answer the message.
+
# Amazon Web Services (AWS) login information
 +
# Microsoft Azure login information
 +
# Custom login information
  
<center><br><br>
 
[[image:gest23.png|660px]]
 
</center><br><br>
 
  
Once answered, send by clicking on "Send Message".
+
[[File:Cred_store2.png]]
  
===== Sending Messages=====
 
  
To send a message, go to Operation> Messages> New Message
+
To add a new entry, press the "add" button and fill out the pop-up form.
  
<center><br><br>
 
[[image:gest25.png]]
 
</center><br><br>
 
  
Once you have written the message, send it clicking on "Send Message".
+
The group assigned to the password controls its '''visibility'''. That means that if the password 'test' is assigned to the group named 'All', '''all''' Pandora FMS console users will be able to see said password.
  
===== Deleting Messages=====
+
In a similar way, if 'test' is allocated to the group named 'Applications', only users with permissions on 'Applications' will have access to the password.
  
To delete the messages that have an user, go to Operation> Messages, and press on the red "X" that is on the right of the message.
 
  
<center><br><br>
+
[[File:Cred_store3.png]]
[[image:gest24.png|750px]]
 
</center><br><br>
 
  
== Incidents ==
 
  
In the system monitoring process, besides receiving and processing data to monitor systems or applications, you need also to monitor the possible incidents that could take place in these systems.
 
  
For it, Pandora FMS has an incident manager where any user could open incidents explaining what has happened in the network and updating them with comments and files any time that there would be any new.
+
Once added, it can be checked, filtered etc.
  
This system allows a work team, with different roles and «workflow» systems that allows that an incident could go from one group to another, and that members from different groups and different people could work on the same incident, sharing information and files.
+
[[File:Cred_store5.png]]
  
  
=== Seeing all Incidents ===
+
Within password customization, the only thing that cannot be modified is the type of login information:
  
To see all the created incidents go to Operación> Manage Incidents
 
  
<center><br><br>
+
[[File:Cred_store6.png]]
[[image:gest26.png|750px]]
 
</center><br><br>
 
  
There is a list with all the incidents, classified by update order
+
== Scheduled downtimes ==
 +
===Introduction===
 +
Pandora FMS has a small scheduled downtime management system. This system allows you to disable alerts at intervals when there is a downtime, disabling the agent. When an agent is disabled it does not collect information either, so that in a downtime, for most metrics or report types, the intervals where there is a downtime are not taken into account in the reports because there is no data in the agents during those intervals.
  
In the list of incidents, each of them is with information distributed in the following columns:
+
<center>
 
+
<br><br>
'''ID'''
+
[[Image:Downtimegeneral.png|800px]]
Incident identifier.
 
 
 
'''State'''
 
 
 
State of the incident with the following icons:
 
 
 
<center><br><br>
 
[[image:gest27.png]]
 
</center><br><br>
 
 
 
'''Incident name'''
 
 
 
Name for the incident
 
 
 
'''Priority'''
 
 
 
Shows the priority that the incident has assigned through the priority icons.
 
 
 
<center><br><br>
 
[[image:gest28.png]]
 
</center><br><br>
 
 
 
'''Group'''
 
 
 
Defines the group the incident has been assigned to. An incident only could belong to one group.
 
 
 
''' Updated the'''
 
Last time that there was an incident update.
 
 
 
'''Origin'''
 
 
 
Tab that is applied to assign an origin to the incident. It could be selected from a list that is kept on the database. Though the origin list is fixed and predefined, it could be modified by the administrator in the database.
 
 
 
 
'''Owner'''
 
 
 
User that has assigned the incident at present. Do not confuse it with the incident creator, so the incident could have changed of owner. The owner can always assign the incident to another user. Other any user could also do the same thing, as long as it has incident privileges management on the group the incident belongs to.
 
 
 
=== Incident Tracking ===
 
 
 
To see an specific incident, click on the incident Id or on the incident name.
 
 
 
<center><br><br>
 
[[image:gest29.png|550px]]
 
</center><br><br>
 
 
 
The incident is shown at an screen with three sections:
 
 
 
* Incident Data
 
 
 
<center><br><br>
 
[[image:gest30.png|550px]]
 
</center><br><br>
 
 
 
In this section is shown the incident basic data
 
 
 
You can update the fields: Incident, Owner,State, Origin,Group,Priority, and the description.
 
 
 
Once they have been updated, click on "Update Manager".
 
 
 
* Notes that the users write
 
 
 
<center><br><br>
 
[[image:gest31.png]]
 
</center><br><br>
 
 
 
In this section are the notes from the different users that have participated on the incident.
 
 
 
To add notes to the incident, click on «Insert Note». It will show a page that has a text area. Write the note and click on
 
«Add».
 
 
 
<center><br><br>
 
[[image:gest32.png]]
 
</center><br><br>
 
 
 
Any user with permission for reading an incident could add a note. Only the incident or the note owners could delete them.
 
 
 
 
 
* Attached Files
 
 
 
<center><br><br>
 
[[image:gest33.png]]
 
</center><br><br>
 
 
 
In this field are the attached files that the different users who have take part add.
 
 
 
To add a file click on " Add file".
 
 
 
<center><br><br>
 
[[image:gest34.png]]
 
</center><br><br>
 
 
 
Two entry fields will be shown. Look for the file in the local system and, if you want, write a description. When you have finished click «Upload» to start the file upload to the server.
 
 
 
To see the file click on the file name.
 
 
 
Any user that has permission for reading an incident could add a file. Only the incident or file owners could delete them.
 
 
 
===Searching Incidents ===
 
 
 
There are some fields for searching incidents that could be combined.
 
 
 
<center><br><br>
 
[[image:gest35.png]]
 
</center><br><br>
 
 
 
It is possible to filter by the following fields:
 
 
 
* '''Filter by incident state'''.Where you can filter by incident state between the following values:
 
** All incidents
 
** Active incidents
 
** Closed incidents
 
** Rejected incidents
 
** Expired incidents
 
* '''Filter by priority'''.  Where you can filter by incident priority between the following values:
 
** By all Priority
 
** By informative priority
 
** By low priority
 
** By medium priority
 
** By serious priority
 
** By very serious priority
 
** By maintenance
 
* '''Filter by user''': it is possible to filter by user owner of the incident.
 
* '''Free text''': where it is possible to filter by searching a text.
 
* '''Filter by groups'''. Where it is possible to filter by incidents associated to each of the groups that are in Pandora FMS.
 
 
 
=== Opening a New Incident ===
 
 
 
To open a new incident, go to Operación> Manage Incidents and click on "Create Incident".
 
 
 
<center><br><br>
 
[[image:gest36.png]]
 
</center><br><br>
 
 
 
It shows the page to create it.
 
 
 
<center><br><br>
 
[[image:gest37.png]]
 
</center><br><br>
 
 
 
=== Changing the Owner of an Incident ===
 
 
 
To change the owner of an incident, go to Operación> Manage Incidents, select the chosen incident in the last column and click on "Become Owner".
 
 
 
<center><br><br>
 
[[image:gest38.png|450px]]
 
</center><br><br>
 
 
 
This way, the user that does the operation will be the incident owner.
 
 
 
=== Deleting an Incident ===
 
 
 
To delete an incident, go to Operación> Manage Incidents. Select the chosen incident in the last column and click on “Delete Incident”.
 
 
 
=== Incident Statistic ===
 
 
 
At Operation>Manage Incident>Statistic you can have access to five kinds of the incidents graphic statistics:
 
 
 
* Incidents state
 
* Priorities assigned to the incidents.
 
* Users that have an incident opened.
 
* Incidents by groups.
 
* Incidents Origin.
 
 
 
=== Self generated Incidents (servidor recon) ===
 
 
 
With the recon server integration we have also added the incidents self-generated from the events processed by the recon server, such as the detection of new systems in the network we are working with. This incidents are exactly the same to the rest of them and they also are listed in the  «Managing Incidents» section from the «Operation» menu.
 
 
 
== Manage incidents (Pandora FMS and Integria integration) ==
 
 
 
Integration between Pandora FMS and Integria allows to share all information that have these applications and work on it in a syncronized way.
 
 
 
First, it is necesary to enable integration between Pandora FMS and Integria. To see configuration about this parameters see [[Pandora:Documentation_en:Console_Setup#Setup|Setup]] (Integria URL, API password and Integria inventory).
 
 
 
In Operation > Manage Incidents section will appear Integria incidents:
 
 
 
<center><br><br>
 
[[image:Incidents1.png|700px]]
 
</center><br><br>
 
 
 
Incidents search is similar to Pandora FMS incidents (previouly described). 
 
 
 
You can see on Integria all incidents created in Pandora FMS:
 
 
 
<center><br><br>
 
[[image:Incidents2.png|700px]]
 
</center><br><br>
 
 
 
You can see details like group, severity, source, resolution, state (new, unconfirmed, assigned, etc.), description, etc.
 
 
 
<center><br><br>
 
[[image:Incidents3.png|700px]]
 
</center><br><br>
 
 
 
You can add workunits that keep communication between incident source and the resolutor. Also you can see time used by entry, if it is public or has cost.
 
 
 
<center><br><br>
 
[[image:Incidents4.png|700px]]
 
</center><br><br>
 
 
 
You can upload files associated to incidents:
 
 
 
<center><br><br>
 
[[image:Incidents5.png|700px]]
 
</center><br><br>
 
 
 
Last, you can keep track of all interactions between users by each incident:
 
 
 
<center><br><br>
 
[[image:Incidents6.png|700px]]
 
</center><br><br>
 
 
 
== Servers ==
 
 
 
The servers detailed view is used to know, besides the Pandora FMS servers general state, its load level and its delay. We are going to show one snapshot with the servers state. To get it go to the Operation menu -> Pandora Servers.
 
 
 
<center><br><br>
 
[[image:Server_info.png|700px]]
 
</center><br><br>
 
 
 
In this view we could see several important data. In each column is showed the following information:
 
 
 
* Server name, usually uses the system hostname.
 
* State (green = right, red = not fired, stopped or down.)
 
* Kind of server: data server, network server, etc.
 
* progressing bar: that shows the load percentage of the total of modules to this kind of server. In this case all servers are to 100% except recon, that has no associated tasks, so it is at 0%
 
* Nº of modules of this kind executed by the server regarding to the total nº of modules of this kind.
 
* Server Lag: Higher time that the oldest module has been waiting for data/Nº of modules that are out of its life time.In this example there are near 3000 modules out of its life time, whit a lag time (lag) of 10 minutes, 13 seconds. This indicator is useful to know if we have al lot of modules and to know if the server is at the limit of its load capacity, such it is at this case, that thought it is not an excessive delay (10 minutes, 13 seconds) for modules that have an average life time lower, being only 19 modules with lag (of 10 minutes) from a total of almost 1500 modules.
 
*Total nº of threads configured at the server: total nº of modules in queue waiting for be attended. These parameters show
 
states of excessive load.There should not be hardly ever modules in queue. This shows the incapacity of the server to process data.
 
* Nº of seconds since the server updated its data. Each server has a "Keepalive" that updates its state in order to make sure that it is active, updating its statistics too.
 
 
 
== Backup ==
 
 
 
Extension that allows to do a DDBB Backup and restore it.
 
Go to the extension from Administration>Extensions> Backup
 
To do the Backup write the backup description and click on "Create":
 
 
 
<center><br><br>
 
[[image:ex12.png]]
 
</center><br><br>
 
 
 
When the Backup is done it will appear in the Backup list with the running icon.
 
 
 
<center><br><br>
 
[[image:ex13.png]]
 
</center><br><br>
 
Once the Backup has been created it is possible:
 
 
 
* Download it clicking on the image icon.
 
 
 
<center><br><br>
 
[[image:ex14.png]]
 
</center><br><br>
 
 
 
Doing a rollback clicking on the image icon.
 
 
 
<center><br><br>
 
[[image:ex15.png]]
 
</center><br><br>
 
 
 
The rollback applies a backup that have been created before and restore it. This will destroy all existing data in the console and will apply data that already exist in the backup where the rollback is done.
 
 
 
* Delete it clicking on the image icon.
 
 
 
<center><br><br>
 
[[image:ex16.png]]
 
</center><br><br>
 
 
 
== Cron Job ==
 
 
 
''(Only for Enterprise version)''
 
 
 
Extension that allows to schedule the fulfilment of tasks from Pandora FMS server.
 
 
 
Go to the extension from Operation>Extensions>Cron jobs
 
 
 
<center><br><br>
 
[[File:Cron_jobs.jpg|800px]]
 
</center><br><br>
 
 
 
To add a task, you should fill in the following fields:
 
* '''Task''': Combo to choose the task that is going to be done.
 
** Send custom report by e-mail
 
** Execute custom script
 
** Backup Pandora database
 
** Save custom report to disk
 
* '''Scheduled''': Field to choose how often the task will be executed.
 
** Not Scheduled: These tasks will be executed only once, at the specified time
 
** Hourly
 
** Daily
 
** Weekly
 
** Monthly
 
** Yearly
 
* '''First Execution''': Field to choose the date and hour of the task first execution.It will be executed periodically taking the date and hour established as the reference.
 
* '''Parameter''': Field that allows to introduce parameters in the task to fulfill. It is changeable depending on the task to fulfill.
 
** ''Backup Pandora database'': Description.
 
** ''Send custom report by e-mail'': report to send and destination e-mail.
 
** ''Execute custom script'': script to execute.
 
** ''Save custom report to disk'' report to save and destination folder.
 
 
 
Once you have filled all data, click on create and the task will be shown in the Scheduled task list.
 
 
 
<center><br><br>
 
[[File:Cron_jobs_list.jpg|800px]]
 
</center><br><br>
 
 
 
Once you have created the scheduled task, it is possible to force its execution by clicking on the green circle that there is on the right of the task or deleting it clicking on the red cross that is on the left.
 
 
 
== Planned Downtime ==
 
 
 
Pandora FMS has an small scheduled downtime management system. This system allows to deactivate the alerts in the intervals where there is down time by deactivating the agent. When an agent is deactivated, it doesn't collect information either, so in a down time, for most of the metrics or kinds of reports, the intervals where there is a down time are not taken into account in the reports because there aren't data in those intervals in the agents.
 
 
 
In order to create a downtime, we should go to the Agent's management -> Downtimes and click on the button to create one:
 
 
 
<center><br><br>
 
[[Image:Downtime1.png|680px]]
 
 
<br><br>
 
<br><br>
 
</center>
 
</center>
  
<center><br><br>
+
=== Create a scheduled downtime ===
[[Image:Downtime2.png|680px]]
 
</center><br><br>
 
 
 
When we create a downtime, we should specify the group and the date hour intervals where it start working
 
 
 
<center><br><br>
 
[[Image:Downtime2.png|680px]]
 
<br><br></center>
 
  
Finally, we specify the specific agents that we want to include in this downtime.
+
To create a downtime, go to the ''Tools > Scheduled downtime'' menu and press the button to create one:
  
 
<center>
 
<center>
 
<br><br>
 
<br><br>
[[Image:Downtime5.png|680px]]
+
[[Image:Downtime1.png|800px]]
 
<br><br>
 
<br><br>
 
</center>
 
</center>
  
When an scheduled downtime is "working", it couldn't be neither modified nor deleted.
+
You will find the following configurable parameters:
 +
 
 +
* '''Name:''' Name of the scheduled downtime.
 +
* '''Group:''' The group you want it to belong to.
 +
* '''Description'''.
 +
* '''Type:''' You may set the following types of downtimes:
 +
** ''Quiet:'' Check as "quiet" the indicated modules, so they will not generate alerts nor events.
 +
** ''Disable Agents:'' It disables the selected agents. It is important to know that if an agent is manually disabled before the task is launched, it will become enabled once this task is completed.
 +
** ''Disable Alerts:'' It disables alerts of selected agents.
 +
* '''Execution:''' It allows to configure whether you want it to run once or periodically.
 +
* '''Set time:''' Setting the day and time at which the scheduled downtime will start and end either once or periodically, depending on what has been previously configured in "Execution".
 +
 
 +
 
 +
{{tip|If the Pandora FMS administrator enables it in the visual configuration section, it is possible to create scheduled downtimes in a past date. They will not be executed, but their existence will be reflected in different reports. This is particularly relevant since it affects, among others, availability reports and SLAs.}}
  
 
<center>
 
<center>
<br><br>
+
[[Image:Downtime2.png|800px]]
[[Image:Downtime3.png|680px]]
 
 
<br><br>
 
<br><br>
 
</center>
 
</center>
  
When this downtime ends, we can modify or delete it again.
+
Finally, specify which specific agents you want to include in that downtime.
  
 
<center>
 
<center>
 
<br><br>
 
<br><br>
[[Image:Downtime4.png|680px]]
+
[[Image:Downtime5.png|800px]]
 
<br><br>
 
<br><br>
 
</center>
 
</center>
  
===  Alternatives to the Service Downtime Management in the Console ===
+
When a scheduled downtime is "active", it cannot be modified or deleted, but from version 5.0 onwards there is an option where you may stop the execution in "Stop downtime", so that all agents/modules/alarms that the scheduled downtime disabled temporarily may be re-enabled. This option does not support periodic scheduled downtimes. From version 6.0 onwards, non-periodic scheduled downtimes can be delayed even if they are 'active'. When this downtime is over, you may modify or delete it.
  
There are often some "cyclical" situations that we should take into account and the service downtime management method is too specific. For example, we want to deactivate all agents in a quick and precise way or to schedule a general downtime each week in a precise range of hours. For this kind of operations, there are ways to do it from the command line.
+
=== Alternatives to console downtime management ===
  
There are two ways more "fast" of putting all agents in service mode
+
There are often certain "cyclical" situations to be taken into account and the method of downtime management is too specific: for example, you may want to be able to deactivate all agents quickly and on time or to plan a general downtime every week from time to time. For this type of operations, there are ways to do it from the command line.
  
'''1.''' Through the Pandora management tool ''pandora_manage.pl''through the command line:
+
There is a faster way to set all agents in service mode, through the use of Pandora FMS management CLI, ''pandora_manage. pl'' through the command line:
  
 
  ./pandora_manage.pl /etc/pandora/pandora_server.conf --enable_group 1
 
  ./pandora_manage.pl /etc/pandora/pandora_server.conf --enable_group 1
Line 866: Line 567:
 
  [INFO] Enabling group 1
 
  [INFO] Enabling group 1
  
This activate all agents. To deactivate them it would be the same, but:
+
Disabling them would be the following way:
  
 
  ./pandora_manage.pl /etc/pandora/pandora_server.conf --disable_group 1
 
  ./pandora_manage.pl /etc/pandora/pandora_server.conf --disable_group 1
 
'''2.''' This can also be done through the MYSQL interface by modifying the data directly:
 
 
echo "UPDATE tagente SET disabled = 1" | mysql -u pandora -ppassword pandora
 
 
Obviously, where "password" is written, you should write the access password to the DDBB. Using the SQL method, you could do a more granular operation, for example to specify by name of agent:
 
 
echo "UPDATE tagente SET disabled = 1 WHERE nombre LIKE '%_XXXX%'" | mysql -u pandora -ppassword pandora
 
  
 
== Audit Log ==
 
== Audit Log ==
  
Pandora FMS keeps a log of all important changes and actions that take place in Pandora FMS console. This log could be seen at Administration > System Audit Log.
+
Pandora FMS keeps a log of all changes and important actions taken in Pandora FMS console. This log can be seen in ''Admin tools'' > ''System Audit Log''.
  
 
<center><br><br>
 
<center><br><br>
Line 886: Line 579:
 
</center><br><br>
 
</center><br><br>
  
=== See the System Logs===
+
On this screen, you may see a series of entries related to console activity, user information, action type, date and a brief description of the events recorded.
  
At Administration>System Audit Log you could go to the system logs.
+
<center>
 +
[[image:audit_1.png]]
 +
</center>
  
<center><br><br>
+
In the upper left corner, you may filter which entry will be displayed by different criteria including: actions, user and IP, you may even perform a text search and determine the maximum amount of hours.
[[image:gest68.png|500px]]
 
</center><br><br>
 
  
In the logs list, each of them has the information distributed in the following columns:
+
The available filtering fields:
  
* '''User''': User that caused the log.
+
* '''Action''': The different possible filtering actions > ACL Violation, Agent management, Agent remote configuration, Alert management, Command management, Dashboard management, Event alert management, Event deleted, Extension DB inface, File collection, Logoff, Logon, Logon Failed, Massive management, Module management, No session, Policy management, Report management, Setup, System, Template alert management, User management, Visual console builder.
* '''Action''': Action that causes the log.
+
* '''User'''.
* '''Date''': Date when the log takes place.
+
* '''Free text for search''': It will search in the fields ''User'', ''Action'' and ''Comments''.
* '''Source IP''':Origin IP of the machine that causes the log.
+
* '''Max. Hours old''': Number of backward hours where to display events.
* '''Comments''': Log comments.
+
* '''IP''': Source IP address.
  
=== Filtering the System Logs  ===
+
It is also possible to export the information displayed on the screen to a CSV file by clicking on the button at the top right of the screen.
  
From the log view at Administration>System Audit Log it is possible to filter the logs by the field "action".
+
<center>
 +
[[image:audit_02.png]]
 +
<br>
 +
Available filtering actions
 +
<br>
 +
</center>
 +
<br>
  
<center><br><br>
+
With this tool, you may search, for example, for the task that a user performs on agent management in the last hour.
[[image:gest69.png|500px]]
 
</center><br><br>
 
  
The filter fields show all the fields that there are at the moment of executing the filter. If the TESTING agent has been deleted, it will be an action “Agent TESTING Deleted” to filter.
+
<center>
 +
[[image:audit_03.png]]
 +
</center>
  
In the image you can see an example of actions you can filter with.
+
Or the moment when a given user has logged in the console. You may retrieve all information about the actions performed by the entire user.
 +
In addition, you may see the Pandora FMS server service start date or when the console configuration was changed.
  
<center><br><br>
+
<center>
[[image:gest70.png|500px]]
+
[[image:audit_04.png]]
</center><br><br>
+
</center>
  
== Managing the Database from the Console.==
+
== Local server logs ==
  
Pandora FMS core is its Database. It it are kept all data collected from the monitored systems, the agents configuration, the
+
In latest Pandora FMS console versions, log status can be checked through the menu <i>Extensions > Extension management > System logs</i>.
alarms, the events, the audit data, the different users and his data. This is, all system data.
 
  
The efficiency and reliability of this module is vital to Pandora FMS right working. The maintenance of Pandora FMS Database in good state is critical for it could work well. 
 
  
To do a regular maintenance of the Database, the administrators could use MySQL standard commands from the command line or could manage the Database from the console without being an expert on Mysql.
+
<center>
 +
[[image:System_logs_menu.png]]
 +
</center>
  
The Database management is done from Administration>DB Maintenance, where there are the following options:
+
From this extension you may see the logs of both the console and the local server:
 +
 
 +
<center>
 +
[[image:System_logs_main.png]]
 +
</center>
  
<center><br><br>
 
[[image:gest71.png|600px]]
 
</center><br><br>
 
  
=== Getting Information from the Database ===
+
If you cannot see the content, check your log file permissions:
  
To manage correctly the database is essential to know well the data that it has and the time these data has been in the database.
+
chown -R pandora:apache /var/log/pandora/
From Pandora FMS database it is possible to obtain information from the database of different kinds:
 
  
==== Obtaining General Information====
 
  
By clicking on Administration>DB Maintenance you could get a page with general data of the database.
+
You may change the rotator options to keep these settings by modifying the /etc/logrotate.d/pandora_server file.
This page shows the time that the system takes to compact and the time that the system are kept in the system.
 
  
Packing consist on reducing the amount of kept data, without losing important information. As time goes by, not all data will be obtained, but statistic interpolations that allow to do graphs with the processed data.
+
<pre>
 +
/var/log/pandora/pandora_server.log
 +
/var/log/pandora/websocket.log
 +
/var/log/pandora/pandora_server.error {
 +
weekly
 +
missingok
 +
size 300000
 +
rotate 3
 +
maxage 90
 +
compress
 +
notifempty
 +
        copytruncate
 +
create 660 pandora apache
 +
}
 +
/var/log/pandora/pandora_snmptrap.log {
 +
weekly
 +
missingok
 +
size 500000
 +
rotate 1
 +
maxage 30
 +
notifempty
 +
copytruncate
 +
create 660 pandora apache
 +
}
 +
</pre>
  
<center><br><br>
+
On the other hand, there is also a specific configuration for the console log rotation in <b>/etc/logrotate.d/pandora_console</b>:
[[image:gest71.png|600px]]
 
</center><br><br>
 
  
By putting the mouse over the graph you could obtain data from any piece of the cake.
+
<pre>
 +
/var/www/html/pandora_console/log/audit.log
 +
/var/www/html/pandora_console/log/console.log {
 +
        weekly
 +
        missingok
 +
        size 100000
 +
        rotate 3
 +
        maxage 15
 +
        compress
 +
        notifempty
 +
        create 644 apache root
 +
}
 +
</pre>
  
==== Getting Information about Agents and Modules====
 
  
To obtain information about the number of modules and the data from each agent of Pandora FMS, click on Administration>DB Maintenance> DB Information.
+
<b>Note</b>: If your system is SuSE, replace apache with www-data. In case of using a different system, check the users corresponding to the Apache service.
 +
(httpd)
 +
<br>
  
It will show two bar charts, one that shows the modules by agent, and another that shows the packets by agent.
+
{{Warning|If updating from <b>OUM</b> a version prior to <b>747</b> you will need to manually modify the <b>logrotate</b> file.}}
  
<center><br><br>
+
== Cron Job ==
[[image:gest72.png]]
 
</center><br><br>
 
  
<center><br><br>
+
This Pandora FMS Enterprise extension allows to schedule task execution from Pandora FMS server.
[[image:gest73.png]]
 
</center><br><br>
 
  
In the graphs is showed general information. If you want to get more specific information in text mode, click on “Press here to get database information as text”.
+
The extension can be accessed from ''Servers'' > ''Cron jobs''.
  
 
<center><br><br>
 
<center><br><br>
[[image:gest74.png|600px]]
+
[[File:Cron_jobs.jpg|800px]]
 
</center><br><br>
 
</center><br><br>
  
You will get the information by text with the agent name, the number of assigned modules and the data amount of this agent. The list is classified by agent data and it has all agents configured in Pandora FMS.
+
To add a task, the following fields must be filled in:
 +
* '''Task''': Combo where the task to perform can be chosen.
 +
**Send custom report via e-mail
 +
** Run custom script
 +
** Pandora FMS BD Backup
 +
** Save custom report in disk
 +
* '''Schedule''':  Field where task frequency can be chosen.
 +
** Without schedule: These tasks will be executed only once and at the specified time..
 +
** Hourly
 +
** Daily
 +
** Weekly
 +
** Monthly
 +
** Yearly
 +
* '''First run''': Field where the date and time of the first task execution is chosen. It will be executed periodically, taking this date and time as a reference.
 +
* '''Parameters''': Field that allows entering parameters in the task to be performed. It varies by task.
 +
** ''Pandora FMS BD Backup'': Description and path where the backup will be stored.
 +
** ''Send report via e-mail'': Report to be sent and recipient's e-mail address.
 +
** ''Run script'': Script command to run.
 +
** ''Save report to disk'': Report to be saved and the path to store it.
  
==== Getting Information about Data by Date====
+
Once the data has been filled in, click on create and the task will appear in the scheduled tasks list.
 
 
From Administration>DB Maintenance> Database Purge you could obtain the number of packets of less of three months, one month, two weeks,one week, three days or one day.  
 
  
 
<center><br><br>
 
<center><br><br>
[[image:gest75.png]]
+
[[File:Cron_jobs_list.jpg|800px]]
 
</center><br><br>
 
</center><br><br>
  
You could obtain data from all agents or of one specific agent.
+
Once the scheduled task has been created, it is possible to force its execution by clicking on the green circle to the right of the task or delete it by clicking on the red cross on the left.
 
 
To obtain data from an specific agent, choose the agent you want in the combo and, automatically, you will obtain the agent data.
 
  
<center><br><br>
 
[[image:gest76.png]]
 
</center><br><br>
 
  
==== Getting Data from the Audit Log ====
+
{{tip|If the cron job is "non scheduled", it will be deleted automatically when executed.}}
  
From Administration>DB Maintenance> Database Audit you could get the total number of audit logs, and also the data of the first and last log.
 
  
<center><br><br>
+
== DB management from the console ==
[[image:gest77.png]]
 
</center><br><br>
 
  
==== Getting Data about Events====
+
The core of Pandora FMS system is its database. It stores all data collected by monitored systems, agent configuration, alerts, events, audit data, different users and their data. That is, all system data.
  
From Administration>DB Maintenance> Database Event you could obtain the total number of events, and also the first log data and the last log data.
+
Efficiency and reliability are vital for Pandora FMS to work properly, so database maintenance is essential.  
  
<center><br><br>
+
To perform regular database maintenance, administrators can use standard MySQL commands from the command line or manage the database from the console although they may not have extensive Mysql knowledge.
[[image:gest78.png]]
 
</center><br><br>
 
  
=== Purging the Database ===
+
Pandora FMS has multiple extensions that can be used from the console to see information from the database.
  
Pandora FMS gives tools for the data purge. It will be done, in a general way, by dates of the data, when is detected that a system is too slow or, in an specific way, when a wrong data is detected and you want to delete it from a module.
+
=== Diagnostic tool ===
  
==== Agent Data Purge by Date ====
+
This section shows general information about Pandora FMS installation. It is necessary to emphasize the high amount of information that is obtained from the database, where the recommended parameters can be seen, as well as warnings about existing values that need to be changed.
 
 
To purge agent data by date in the Database, click on Administration>DB Maintenance> Database Purge
 
Select in the combo the data that is gone to be deleted and click on the "delete" button.
 
  
 
<center><br><br>
 
<center><br><br>
[[image:gest79.png]]
+
[[File:Captura de pantalla de 2017-10-09 13-37-10.png]]
 
</center><br><br>
 
</center><br><br>
  
Is possible to purge data of more than three months, one month, two weeks, one week, three days or one day. The time the system spend purging the selected data will depend on the amount of them.
+
<center>
 +
[[File:Diagnostic_info1.png]]
 +
</center>
 +
<center>
 +
[[File:Diagnostic_info2.png]]
 +
</center>
 +
<center>
 +
[[File:Diagnostic_info3_new.png]]
 +
</center>
 +
<center>
 +
[[File:Diagnostic_info4.png]]
 +
</center>
 +
 
 +
=== DB Interface ===
  
==== Purging Specific Data from a Module ====
+
This is an extension that allows you to execute commands in the database and see the result. It is an advanced tool that should only be used by people who have a certain amount of knowledge about SQL and the Pandora FMS database schema.
  
When you detect that there are modules with wrong data, it is possible to standardize them from Administration>DB Maintenance> DataBase Debug.
+
{{warning|If misused, this tool may "destroy" data or permanently render the application inoperative.}}
  
Select the Agent and the Module. Fix the maximum and minimum limits and click on "Delete".
+
It is accessed from ''Admin tools > DB interface''.
  
 
<center><br><br>
 
<center><br><br>
[[image:gest80.png]]
+
[[image:ex10.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
All data that is out o the interval [minimum,maximum] will be deleted.
+
Write the command in the blank field and click on "Execute SQL".
  
==== Purging Audit Data ====
+
=== DB Schema Check ===
 +
 
 +
This is an extension that allows to check the structural differences between the database set in your Pandora FMS and a pattern scheme to compare possible errors.
 +
 
 +
It works like this:
 +
* A temporary database is created with the structure that the installation database should have (different depending on the installed version).
 +
* The database created is compared with the database referenced in the installation.
 +
* The temporary database is deleted.
  
To purge audit data in the Database, click on Administration>DB Maintenance> DataBase Audit.
 
Select the data that you want delete in the combo and click on "Do it"
 
  
 
<center><br><br>
 
<center><br><br>
[[image:gest81.png]]
+
[[image:Captura de pantalla de 2017-10-09 13-47-04.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
It is possible to purge data of more than ninety days, thirty days, fourteen days, seven days, three days or all data.The time that the system spend purging the selected data will depend on the amount of them.
+
Enter the data to access your database and click on "Run test".
 
 
==== Purging Event Data====
 
  
To purge event data in the Database, click on Administration>DB Maintenance> DataBase Event.
+
{{Tip|It is recommended to use this extension to check whether a database migration has been correctly performed.}}
  
Select in the combo the data that you are going to delete and click on “Do it”.
+
{{Warning|This check can only be done in MySQL Databases.}}
  
<center><br><br>
+
== Network Tools ==
[[image:gest82.png]]
 
</center><br><br>
 
  
It is possible to purge data of more than ninety days, thirty days, fourteen days, seven days, three days or all data.The time that the system spend purging the selected data will depend on the amount of them.
+
*<b>Traceroute path</b>: If empty, Pandora FMS will search the traceroute system.
 +
*<b>Ping path</b>: If empty, Pandora FMS will search the ping system.
 +
*<b>Nmap path</b>: If empty, Pandora FMS will search the nmap system. 
 +
*<b>Dig path</b>: If empty, Pandora FMS will search the dig system
 +
*<b>Snmpget path</b>: If empty, Pandora FMS will search the snmpget system.
  
=== DDBB Maintenance===
+
== Backup ==
  
Pandora FMS infrastructure does not need external maintenance, but it is very important to purge the old data and to keep compacted the database and also to delete modules that have never been started, this is, that are in the agents but have never received data. To do this, you should execute a Pandora FMS internal script that does the regular maintenance (daily) of the DDBB. For more information, see the chapter Management and Administration of the server.
+
Extension that allows backing up the DB and restoring it.  
  
Nevertheless, you can do some of the task that this script does from the console, as we are going to see in this subsection.
+
To make a backup, first select the destination folder where the data will be stored. Once chosen, write a backup description.
  
 
<center><br><br>
 
<center><br><br>
[[image:gest83.png]]
+
[[image:ex12.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
To execute these tasks, click on Administration>DB Maintenance> DataBase Sanity.
+
When the backup is done, it will appear in the Backup list with the running icon.
  
==== Sanitizing ====
+
<center>
 +
[[image:ex13.png|800px]]
 +
</center>
  
This tool allows to "sanitize" the modules and delete those unfinished structures and/or bad performed( by a pending deleting, e.g)that, in some cases, could do that Pandora FMS works more slow that usual.
+
Once the Backup has been created, it is possible to:
 +
* Download it by clicking on this icon:
  
<center><br><br>
+
<center>
[[image:gest84.png]]
+
[[image:ex14.png]]
</center><br><br>
+
</center>
  
==== Purging Non Initialized Modules ====
+
*Do a rollback by clicking on this icon:.
  
Many times modules are created and assigned to agents that are not initialized, due to they never receive data. It would be advisable to get the non initialized modules out from time to time.
+
<center>
 
+
[[image:ex15.png]]
To execute this task from the console, click on “Delete non-initialized modules now” at Administration>DB Maintenance> DataBase Sanity.
+
</center>
  
<center><br><br>
+
The rollback applies a previously created backup and restores it. This will destroy all existing data in the console and apply the data that exists in the backup on which the rollback is made.
[[image:gest85.png]]
 
</center><br><br>
 
  
Do not forget that these two operations are done in an automatic way with the database maintenance tool described in Server Management and Administration chapter.
+
{{Warning|By means of this tool it is possible to recover the database backup made through this feature. It is not possible to load a manual backup.}}
  
=== DB Interface ===
+
* Delete it by clicking on this icon:
  
Extension that allows to execute commands in the DDBB and to see the result. It is an advanced tool that should only be used by people who know SQL and the Pandora DDBB structure in detail.  
+
<center>
 +
[[image:ex16.png]]
 +
</center>
  
  
{{warning|If this tool is used in a wrong way, it could '''destroy''' data or could make the application useless in a permanent way.}}
 
  
  
Go to the extension from Administration>Extensions> DB interface.
 
  
<center><br><br>
 
[[image:ex10.png|780px]]
 
</center><br><br>
 
  
Writte this command in the blank field and click on Administration>Extensions> DB interface.
+
== Plugin log ==
  
== Plugin Register ==
+
Extension that allows you to easily register server plugins.
  
Section that allows to log server plugins in an easy way.
+
The extension can be accessed through ''Servers'' > ''Register plug-in''.
Go to the extension from Administration > Server > Plugin register.
 
  
 
<center><br><br>
 
<center><br><br>
[[image:ex9.png|750px]]
+
[[image:ex9.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
To log one plugin, choose the file clicking on Examine and click on "Upload".
+
To register a plugin choose the file by clicking on "Browse" and "Upload".
  
You can find more information about the server plugins in the Developing and Extension chapter.
+
More information about server plugins can be found in the development and extension chapter.
  
You can see in [[Pandora:Documentation_en:Anexo_Server_plugins_developement#Servers_Plugin_Development|Server plugin development section]] which is the .pspz format.
+
You may see in section [[https://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Anexo_Agent_Plugins|Server Plugin Development]] the format of the .pspz files.
  
 
== Insert data ==
 
== Insert data ==
  
This extension allow to import data in an comma-separeted file (CSV) to a agent module. You can access to this extension from Administration > Manage Agents > Insert Data.
+
Extension that allows to import data in a comma separated file (CSV) to an agent module. This extension is accessed from ''Resources > Insert Data''.
  
 
<center><br><br>
 
<center><br><br>
Line 1,126: Line 873:
 
</center><br><br>
 
</center><br><br>
  
CSV file format must be date;value by each line. Date format will be Y/m/d H:i:s format. For example:
+
The format of the CSV file must be date;value per line. The date must be given in Y/m/d H:i:s format:
 
 
77.0;2011/08/06 12:20:00
 
66.8;2011/08/06 12:20:50
 
 
 
== CSV Import ==
 
 
 
(Enterprise feature)
 
 
 
Extension that allows to import a file separated by any divider at the Pandora FMS server.
 
 
 
Go to the extension from Administration > Server > CSV import.
 
 
 
<center><br><br>
 
[[image:ex17.png|750px]]
 
</center><br><br>
 
  
Choose the field to import clicking on "Examine". Choose the server where the export will be done and select the divider from a combo. Once the fields before mentioned are completed, click on "Go".
+
2011/08/06 12:20:00;77.0
 +
2011/08/06 12:20:50;68.8
  
The CSV file should contain the following fields in this order:Agent name, Ip Adress, Operative System id, Interval and Group id the agent should belong to.
 
  
 
== Resource registration ==
 
== Resource registration ==
 
+
This extension allows you to import .prt files containing the definition of network component, smnp component, local component or wmi component. You may also add all of them (except for the local component) to a template.
With this extension you can inport .prt files which contains the definition of network components, smnp components, local components or wmi components. Also you can add these components (not local components) to a template.
 
  
 
<center><br><br>
 
<center><br><br>
[[File:Resource registration screenshot.png|750px]]
+
[[File:Resource registration screenshot.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
===File definition for .prt===
+
===.prt file format===
 
 
 
<pre>
 
<pre>
 
<?xml version="1.0"?>
 
<?xml version="1.0"?>
Line 1,213: Line 943:
 
</pre>
 
</pre>
  
==Translate string==
+
==Text string translator==
 +
 
 +
This extension belongs to the menu ''Setup > Translate string'' and allows translating Pandora FMS interface text strings to customize it.
 +
 
 +
<center><br><br>
 +
[[image:Translate_string.png|800px]]
 +
</center><br><br>
 +
 
 +
The fields to be filled in are detailed below:
 +
 
 +
* '''Language''': It allows to filter strings by language.
 +
* '''Free text for search (*)''': Content of the string you wish to customize.
 +
 
 +
Three columns will appear: the first one will show the original string, the second one the current translation and in the third one the custom translation you wish to add.
 +
 
 +
== Workspace ==
 +
 
 +
This section allows interacting with Pandora FMS users, or edit the user's details, as well as several actions, such as access to the issue system (to open tickets), chatting with other users connected to Pandora FMS, etc.
  
This extension it's in godmode menu and allows to translate strings on Pandora FMS interface in order to personalize it.
+
=== Chat ===
 +
 
 +
It allows to interact with other users connected to that Pandora FMS console through a chat. It is useful in case you want to say something to another operator for example.
 +
 
 +
===Issues===
 +
 
 +
Pandora FMS allows managing issues from the console thanks to its integration with Integria IMS.
 +
 
 +
For more information about this tool, check issue management with Integria IMS.
 +
 
 +
=== Messages ===
 +
 
 +
Pandora FMS has a tool that allows different users to send messages among themselves.
 +
 
 +
==== See messages ====
 +
 
 +
When a user has a message, an envelope icon appears at the top right of the console.
 +
 
 +
<center><br><br>
 +
[[image:gest20.png|600px]]
 +
</center><br><br>
 +
 
 +
User messages can be seen in ''Workspace > Messages > Messages list'', and from there you may read, delete or write a message to a specific group or user.
 +
 
 +
=== Connected users ===
 +
 
 +
This extension shows other users connected to the Pandora FMS Console other than their own. This feature is important because Pandora FMS console allows multiple user connections.
 +
 
 +
The extension is accessed from ''Workspace > Connected users''.
  
 
<center><br><br>
 
<center><br><br>
[[image:Translate_string.png|750px]]
+
[[image:ex4b.png|800px]]
 
</center><br><br>
 
</center><br><br>
  
Here are the fields to fill in:
+
==Software agent repository==
 +
 
 +
Software agent repository is part of the deployment center, which controls agent installer available versions (programs) to be deployed.
  
* '''Language''': Allows to filter string by language.
+
You may access it through this menu:
* '''Free text for search (*)''': String content to personalize.
 
  
Three columns will be displayed: the first one will show the original string, the second one will show the current translate string and the third one will contain the custom translate that you want to add.
+
<center>
 +
[[File:Agent_repo1.png]]
 +
</center>
 +
 
 +
 
 +
To add a new installer to the repository, click "Add agent".
 +
 
 +
[[File:Agent_repo2.png]]
 +
 
 +
 
 +
Fill out the information related to the target OS type, the architecture, the installing file, etc.
 +
 
 +
<center>
 +
[[File:Agent_repo3.png]]
 +
</center>
 +
 
 +
 
 +
'''Note:''' Installers for Linux (and all Unix and BSD range) are shared by all architectures. Both x64, x86, ARM, etc share the same installer.
 +
 
 +
 
 +
 
 +
Make sure the upload was successful:
 +
 
 +
<center>
 +
[[File:Agent_repo4.png]]
 +
</center>
 +
 
 +
 
 +
The uploaded agent installer will appear on the list together with the information about its version, by whom and when it was uploaded etc.:
 +
 
 +
<center>
 +
[[File:Agent_repo5.png]]
 +
</center>
 +
 
 +
== Custom themes ==
 +
 
 +
Pandora FMS offers the possibility of uploading CSS files, in order to set custom themes in the visual console.
 +
 
 +
To that end, include the following comment in the CSS file:
 +
 
 +
/*
 +
Name: My custom Theme
 +
*/
 +
 
 +
Then, import the CSS file to the following path:
 +
 
 +
pandorafms/pandora_console/include/styles/CustomTheme.css
 +
 
 +
Once the desired themes are uploaded, go to ''Setup > Setup > Visual styles'' and select the appropriate theme from the ''Style template'' drop-down.
 +
 
 +
<center>
 +
[[File:CustomTheme1.png]]
 +
</center><br>
  
  
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
+
[[Pandora:Documentation_en|Go back to Pandora FMS Documentation Index]]
  
 
[[Category:Pandora FMS]]
 
[[Category:Pandora FMS]]
 
[[Category:Documentation]]
 
[[Category:Documentation]]

Latest revision as of 14:38, 4 September 2020

Go back to Pandora FMS documentation index

Template wip.png

We are working on the translation of the Pandora FMS documentation. Sorry for any inconvenience.

 


1 Pandora FMS Management

1.1 Introduction

This chapter deals with several aspects of Pandora FMS daily management such as: group administration, user creation, backups, workspace, etc.

1.2 Profiles, users, groups and ACL

Pandora FMS is a Web management tool. Thanks to its 100% multitenant permission system, multiple users can work with different permissions accessing Pandora FMS setup without seeing each other's information.

To add users, it is important to have groups and profiles properly defined, and know exactly which data you want each user to see and/or modify.

Standard-user-profile.jpg


1.2.1 Users in Pandora FMS

Users are managed from Profiles > Users management, where you may see the list of defined users.



User list new.png



User definition consists of the following fields:



Detalle usuario 2018.png



Here are the relevant user fields:

  • User ID: Identifier that the user will use to authenticate himself in the application. This identifier is a value that should not have rare characters or spaces.
  • Full Display Name: Field where you put the full name, this if it is a descriptive field and can contain spaces and non-standard characters.
  • Password: Password that the user will have to access.
  • Global Profile: An Administrator user will not be governed by the internal ACL system and will have access to everything. The standard user will be ruled by the Pandora FMS ACL permissions assigned to him.
  • E-mail and phone: Optional fields where we can add extra user information.
  • Login Error: If this field is marked, the user will only be able to access to the API but not in an interactive way through the console.
  • Session time: Time in which the user can be connected without activity before the user considers his session expired and forces him to authenticate again.
  • Language: By default is the system language. You can also assign a specific language in which the user will see the Pandora FMS console.
  • Timezone: Field to put the console time zone to visualize different elements (Agents General View, Modules View, ...).
  • Block size for pagination: Default size of pagination for this user.
  • Skin: Field where you can choose a custom skin.
  • Home screen: Change the default screen the user enters after logging in the console, for example, the event viewer, or a visual console defined by the administrator.
  • Default event filter: Allows to define the default filter that the user will have when entering the event view. Later you can change it, but this will be the one applied "by default".
  • Disabled newsletter: Activate or deactivate the Pandora FMS newsletters.
  • Comments: Additional information to the fields defined above.
  • Profiles/Groups assigned to this user: Selection of profiles and/or groups in which the user will be organized or have access to.

1.2.1.1 User Edition by the User itself

All users can modify certain parameters of their own settings in Workspace > Edit my User.

The user creation form will appear, where you can configure some sections, except for group permissions.



Gestusuario.png



1.2.1.1.1 Notification setup

To customize logged-in user’s notifications, the administrator must have previously granted him notification edition permissions. In case of having said permissions, as well as all options activated, notifications and their forwarding by email can be enabled/disabled.

Notificaciones1.PNG


Notifications allow to see warning messages related to the following sections on screen:

  • System status. Where the following notifications are generated:
    • Expired or nearly expired license warning (~15 days or less).
    • Too many files attached warning.
    • Piled-up .data files in data_in warning (> 1000 files and increasing).
    • Piled-up BADXML files in data_in warning (> 150 files).
    • Overall module queuing (increasing) by server warning.
    • PHP setup warning.
    • Review whether pandora_db is running on the main database.
    • Review whether pandora_db is running on the history database.
    • History database update status (MR correct).
    • Status warnings, component down or uninitiated => Any of the Pandora FMS servers with status=1 and keepalive - now() may be higher than server_keepalive * 2.
    • Tentacle service down.
    • No master-mode server warning.
    • In the case of activated logs, Elastic/Logstash connectivity status.
    • In case of using Pandora FMS HA, error in DB replication.
    • Connection error with GIS map servers GIS (WMS).
    • Log size.
    • Mounting point/disk/almost full volume warning (data_in/mysql/tmp...)(> 90%).
    • History database connection failure.
    • Metaconsole synchronization failure.
    • Next scheduled shutdowns (in less than 15 days).
    • Metaconsole: Synchronization status:
      • Node synchronization failures.
      • Event replication failures.
      • Agent cache.
  • Message:
    • Messages received by the user yet to be read.
  • Pending task:
    • Policies yet to be applied.
    • Queued policies running/complete, and acknowledged once completed.
    • Pending re-creation policies.
    • Defined server plugins whose executable does not exist.
    • Metaconsole:
      • Pending synchronization tasks.
      • Completed synchronization tasks.
      • Pending notifications by node.
      • Policy queue status.
  • Advertisement.
    • Enterprise version not installed reminder.
    • Do you know our Enterprise version?
    • Do you know the module library?
    • Discover eHorus.
    • Discover Integria IMS.
  • Official communication:
    • Update notifications.
    • Messages generated from Ártica ST headquarters (update to PHP7, phantomjs, etc.)
  • Suggestion:
    • Did you know Pandora FMS can be integrated with Telegram?
    • Did you know alerts can be scaled?
    • Monitor your complete applications using services.

The options found in notification setup are these:

  • Notified users: Users that will receive the activated notifications.
  • Notified groups: Groups that will receive the activated notifications.
  • Notify all users: Option that will allow to notify all users.
  • Also email users with notification content: To enable sending emails for each notification.
  • Users can modify notification preferences: To allow users to modify notification preferences (the system administrator can restrict this option).
  • Users can postpone notifications up to: It allows to postpone notifications so that they are not received more than once in a certain interval (which can be chosen in the drop-down).

1.2.2 Groups in Pandora FMS

1.2.2.1 Introduction

The concept of group in Pandora FMS is fundamental. The groups are sets of elements with their own rules whose purpose is to help to control user access to certain elements inside Pandora FMS.

It is important to know that an agent can only belong to one group, but that a user can have access to one or several of these groups.

When configuring the groups, it will be necessary to take into account that the group All is a special group that cannot be eliminated, and all the groups are its subgroups. Any element that is associated to the All group can be seen/administered by a user that has permissions in any group.

1.2.2.2 Group all

Pandora FMS has a group system, which are entities into which agents are classified and which are used to grant permissions. That way users are granted some permissions assigned to one or several groups, and thus they will be able to interact with agentes and other elements in their context.

To make group assigning and filtering easier, there is a tool called group "All". Group "All", depending on the context, means ALL groups or ANY of them. From version 3.1 is exclusive identifier is ID 0. But it is totally controlled by the code, ther is no group with that ID in the DB.

1.2.2.3 Group creation

Groups are defined in the section Profiles > Manage agent groups.



Gest5.png



Inside group creation / modification, there is the following form:



Gestion grupo.png



These are the relevant user fields:

  • Name: Group name. This group can be used in the automatic agent provisioning, so it is not recommended that it contains spaces or rare characters (although it is supported).
  • Icon: Combo where the icon for the group can be chosen.
  • Parent: Combo where another group can be defined as the parent of the group being created.
  • Password: Optional. It allows restricting automatic agent creation (automatic software or satellite agent provision) so that only agents with the same password as the one defined in this field can be created.
  • Alerts: If checked, the agents belonging to the group will be able to send alerts. If not checked, alerts will not be sent. You can use this property to quickly disable alert generation for a certain group of agents.
  • Propagate ACL: If enabled, the child groups will have the same ACL permissions as the group.
  • Custom ID: Groups have an ID in the database. In this field it is possible to set another custom ID that can be used from an external program to perform an integration (e.g. CMDBs).
  • Contact: Contact information accessible through _groupcontact_ macro.
  • Skin: A skin can be assigned to the group.

1.2.2.4 Importing groups from CSV


This feature is in Metaconsole.


This is an Enterprise feature. The extension allows to import a file separated by some separating character in Pandora FMS server.

Access the extension from Admin tools > Extensions manager > CSV import group.

Ex17.png


The file to be imported is chosen by clicking on “Select file” and the combo is chosen from a combo. Once the previous fields are filled out, click “Go”.

The CSV file must contain the following fields in the following order: Group name, icon, parent id and propagation (1 or 0).

1.2.3 Profiles in Pandora FMS

Pandora FMS profiles allow to define which permissions a user is granted. The combination of profiles and a group associated to a user allows to define which permissions a user has on a group of agents, so that he can have different profiles in different groups. Profiles are managed from Profiles > Profile management.



Gest1.png



1.2.3.1 List of profiles

This list defines what each profile enables:

BIT ACCESSOPERATION
IR- See incidents
IW- Validate traps
- Messages
IM- Manage incidents
- View agent data (all views)
- Tactical view
- Group view
- See users
- See SNMP console
- Tree view
- Extension Module Group
- Search bar
AW- Agent management view
- Edit agent and its .conf
- Massive operations
- Create agent
- Duplicate remote configuration
- Policy management
AD- Management of service stops
- Deactivate agent/module/alert
LW- Alert assignment already created
- Alert management
LM- Define, modify templates, commands and actions
UM- User management
DM- Database Maintenance
ER- See event
EW- Validate/Comment event
- Manage filters
- Execute responses
EM- Delete event
- Change owner/Re-open event
RR- View report, graph, etc
- Apply a report template
RW- Create a visual console
- Create report
- Create combined Graph
RM- Create a report template
MR- Network map view
MW- Editing network maps
- Deleting own network maps
MM- Deletion of any network map
VR- Visual console view
VW- Visual console edition
- Deletion of own visual consoles
- Deletion of any visual console
VM- Visual console management
PM- Manage responses
- Customize event columns
- Update manager (Operation and Administration)
- Manage groups
- Create inventory modules
- Manage modules (including all sub-options)
- Manage SNMP console
- Manage profiles
- Manage servers
- System audit (edit and view)
- Setup (all lower tabs incl)
- Administration extensions
PERMITS COMBINATION
EW & IW- Create incidence through the event (Response)
LM & AR / AW & LW- Validate alerts

1.2.4 Permission granting

From user editing, you may grant a user access to a group with a certain profile:

Acl groups.png

If you do not assign any group or profile to the user, when the user tries to log in, there will be a login error like the one below:

Fallo login.png

1.2.4.1 Assignment of profiles and groups with user management permission (UM).

From Pandora FMS version 748 on, an improvement in the management of users, permissions and groups is enabled.

Several possible scenarios have been taken into account, which we will now explain:

  • A "manager" user with UM permissions that belongs to the group ALL will be able to manage any user regardless of the group he belongs to.
  • Accesses to groups can be added before creating a user as such.
  • A "manager" user can edit profiles and groups only on the users he can see because they belong to the groups he manages with UM permissions.
  • An administrator user can create other administrator users and can manage any other user, but in no case a "manager" user with UM permissions can remove UM permissions to another user who has the same permissions on the same group. This can only be modified by an administrator.
  • A "manager" user without UM permissions on a group, can not see which users belong to that group.
  • A "manager" user can eliminate the relation of users with the groups that it manages and even the complete user if only this one has relation with the groups that it manages.

Template warning.png

In case the last profile/group relationship of an user is going to be deleted and the user is going to be deleted Pandora shows a warning.

 


  • A "manager" user that has UM permissions in a group and not in another one, can only see the profile/group information of the groups that he manages, even if the user he observes has more permissions of other groups. The rest of the user's information will be unrelated to the "manager" user. In this way the "manager" user will only be able to obtain information or modify the permissions on the groups that he manages, but at no time will he be able to remove more permissions or eliminate the user.

1.2.4.2 Permission system extended by tags

In the Enterprise version, individual access to the modules of an agent can be configured by a Tag system. Some tags are configured in the system, they are assigned to the modules you wish, and additionally, access may be restricted to a user only to the modules that have those tags defined.


Info.png

Access by Tags does not replace access by groups, it only complements it.

 


Tags are defined in Profiles > Module Tags.



Gesttags5.png



In module configuration, one or more tags can (optionally) can assigned:

Tags 1.png

You may assign specific access to a tag through the user editor, in profile and group assigning, by adding a tag:

Acl tags.png

In this example, the user has access by means of the operator profile to the "eHorus" and "hosting" group and also to the "Infrastructure" group, but only to modules labeled with the "Security" tag.

Template warning.png

This system, which is called Tag-based security mode allows restricting access to all agent content, but it has performance impact, so it is designed exclusively to give access to small portions of information, that is, it should not be used with more than two or three tags per user/profile/group combination.

 


Info.png

In some global views (tactical view, group view, general tree counts) the totals show all the modules, not just the ones "visible" by the tag.

 


1.2.4.3 Hierarchy

In previous sections, we explained that the permissions of a group can be extended to the children by means of the configuration option Propagate ACL. However, from user configuration, you may limit this feature and prevent the ACL from propagating by checking No hierarchy.

As a reference for the examples, here we propose a configuration with the two parent groups "Applications" and "Databases" with two children each, "Development_Apps" and "Management_Apps" for the first one and "Databases_America" and "Databases_Asia" for the second one. Both parent groups are set for ACL to be spread.

Acl hierarchy groups.png

In the user edit view, the following profiles are added:

Acl hierarchy 1.png

The user will have access to the groups named "Applications", "Development_Apps", "Management_Apps" and "Databases".

However, if a child of "Databases" is added:

Acl hierarchy 2.png

The user will have access to the groups named "Applications", "Development_Apps", "Management_Apps", "Databases" and "Databases_Asia", but not to "Databases_America".

1.2.4.4 Secondary groups

From update package 721 agents may have secondary groups. Unlike the primary group, these secondary groups are optional.

Secondary agent.png

An agent belonging to a secondary group means that it actually belongs to several groups at the same time. With this feature, two users with different permissions may have access to the same agent by just adding the appropriate secondary groups.

For example, if an agent called "Portal" has "Infrastructures" as main group and "Hosting" as secondary group, any user that has access to "Infrastructures" and/or a "Hosting" may access it.

Some views, such as Tree View, may show repeated agents. That is the usual performance when using secondary groups.

1.2.5 ACL Enterprise System

1.2.5.1 Introduction

The ACL Open Source model is based on "unix style" role/action/group/user (4 items).

The ACL Enterprise system allows you to define -according to profile- which pages (defined one by one or by "groups") users have access to. This will allow you to redefine which sections of the interface a user can see. For example, to allow a user to see only the "Group" view and the "Detailed" agent view, skipping pages such as "Alert view" or "Monitor view", already grouped in the classic Pandora FMS ACL system as "AR" (Agent Read Privileges).

This feature allows you to restrict the administration per page. It is very useful to allow some specific low-level operations.

Info.png

Both models are "parallel" and compatible. The classic ACL system is complementary and it is evaluated prior to the ACL Enterprise system.

 


1.2.5.2 Configuration

In order to be able to use the new ACL system, the first step is to activate it in the configuration tab. This option is only visible if you use the Enterprise version.



Enterprise acl setup.png



To configure the Enterprise ACL system, go to the specific option for ACL Enterprise in Administration > Setup. On this screen you may add new items in the new ACL System and see the items defined by profile. You can also delete items from the Enterprise ACL system.



Acl setup1.png



Template warning.png

If the Enterprise ACL system is enabled, it restricts ALL pages to ALL groups (including the Administrator!) to all defined (allowed) pages in the Enterprise ACL system. If a user with the "Administrator" profile does not have pages included in the Enterprise ACL system, they will not be able to see anything.

 


Template warning.png

Please, be careful with this, because you may lose access to the console if you enable improper ACL Enterprise configuration for your user.

 


If you have mistakenly lost access to the console, you may disable the Enterprise ACL system from the command line:

/usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl

You can define "page by page", "complete sections", set "any" rule or add "custom pages" that are not accessible from the menu.

There are two ways to add pages to a profile: with the wizard (default) or with custom edit. Above the button to add a rule, there is a button to change this mode.

1.2.5.2.1 Wizard

In the wizard we will choose the sections and pages of some combo controls.

Template warning.png

The pages that appear in these combos are only those accessible from the menu. To give access to pages that can be accessed in another way (e. g. the agent main view) use the custom editor.

 


To include a Pandora FMS page in the "allowed pages", you must select the profile to which the rule will be applied, then select in "Section" control the section that contains the desired page. You can then select any of your pages in the "Page" control.



Acl setup4.png



Another option is to select a section and the value "All" in the "Page" control. This will allow the chosen profile to see "all" of the selected section. Also by selecting "All" in both controls, users of that profile will be allowed to view "all" of "all" sections, just as it would be without the Enterprise ACL System for that profile.

Template warning.png

For a section in the menu to be displayed, the user must have access to at least the first page of the section. For example, for the "Monitoring" section to be displayed they must have access to at least "Tactical View".

 


1.2.5.2.2 Custom editing

To add individual pages that are not accessible from the menu, you may manually enter your sec2. To that end, access the page you wish to add and copy the parameter sec2.

For example, if you wish to add the main view of the agents, enter the view of any agent and find a URL similar to this one:

http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702

Enter the contents of parameter sec2 (operation/agents/see_agent) in the text box.



Acl setup5.png



1.2.5.3 Security

Any page that is not "allowed" will not be displayed in the menu, and its use will not be allowed, even when the user enters the URL in "manual" mode. Any page that isn't allowed by the "Classic" Pandora FMS ACL system will not be allowed by the Enterprise ACL system (this is valid for the classic ACL system). This would be a specific example of several filters:



Acl example.png



In addition, there is a control that checks whether a page belongs to a section, which reinforces security against manual URL modifications. This check will be skipped for pages added with the custom editor, as well as the access to each pages belonging to a full section whose access is granted, thus optimizing the load.

1.3 Servers

The detailed view of the servers is used to know, besides the general state of the Pandora FMS servers, their load level and delay. Let us see a screenshot of a server status screen that is reached through the operation menu > Pandora Servers.

Server explained 2017.png

Some icons have special relevance, as seen in the above caption:

  • Poll request: It asks the remote test server to run all the checks it has, forcing it to run them again. Valid for all network servers, e. g. Network server, WMI server, Plugin server, WEB server, etc.
  • Editing Discovery server tasks.
  • Edit remote server configuration. Valid for Pandora FMS servers or satellite servers .

In addition, in this view you may see several important data, each column shows the following information:

  • Server name, usually the hostname of the machine.
  • Status (green = active, grey = stopped or down).
  • Server type: data server, network server, etc.
  • Progress bar indicating the total module load percentage for that type of server. In this case, all servers are at 100% except for recon server, which has no associated tasks so it is at 0%.
  • Number of such modules executed by the server with respect to the total number of such modules.
  • Server Lag: Highest amount of time spent by the oldest module waiting to receive data / Nº of modules out of their lifetime. In this example, there are approx. 3000 modules out of their lifespan, with a lag time of 10 minutes 13 seconds. This indicator is useful to know if you have many modules and to know if the server is at load capacity limit, as it is this case. Although it does not have an excessive delay (10 minutes 13 sec, for modules that have a lifespan average of 5 min), the number of modules out of time is considerable. In the case of the network server, this figure is much lower, being only 19 modules with a lag (10 minutes) of a total of almost 1500 modules.
  • Total number of threads configured on the server: Total number of modules in queue waiting to be attended. These parameters reflect excessive load status. There should almost never be queued modules. This reflects the server's inability to process the data.
  • Number of seconds since the server updated its data. Each server has a "Keepalive" that updates its status, to make sure it is active and updating its statistics.

1.4 Credential store

Pandora FMS features a credential store. This repository manages the IDs used in sections such as Discovery Cloud or agent automatic deployment.

Cred store.png

Next, the "Credential store" tab is displayed.

Cred store1.png


There are three different login information types to register:

  1. Amazon Web Services (AWS) login information
  2. Microsoft Azure login information
  3. Custom login information


Cred store2.png


To add a new entry, press the "add" button and fill out the pop-up form.


The group assigned to the password controls its visibility. That means that if the password 'test' is assigned to the group named 'All', all Pandora FMS console users will be able to see said password.

In a similar way, if 'test' is allocated to the group named 'Applications', only users with permissions on 'Applications' will have access to the password.


Cred store3.png


Once added, it can be checked, filtered etc.

Cred store5.png


Within password customization, the only thing that cannot be modified is the type of login information:


Cred store6.png

1.5 Scheduled downtimes

1.5.1 Introduction

Pandora FMS has a small scheduled downtime management system. This system allows you to disable alerts at intervals when there is a downtime, disabling the agent. When an agent is disabled it does not collect information either, so that in a downtime, for most metrics or report types, the intervals where there is a downtime are not taken into account in the reports because there is no data in the agents during those intervals.



Downtimegeneral.png

1.5.2 Create a scheduled downtime

To create a downtime, go to the Tools > Scheduled downtime menu and press the button to create one:



Downtime1.png

You will find the following configurable parameters:

  • Name: Name of the scheduled downtime.
  • Group: The group you want it to belong to.
  • Description.
  • Type: You may set the following types of downtimes:
    • Quiet: Check as "quiet" the indicated modules, so they will not generate alerts nor events.
    • Disable Agents: It disables the selected agents. It is important to know that if an agent is manually disabled before the task is launched, it will become enabled once this task is completed.
    • Disable Alerts: It disables alerts of selected agents.
  • Execution: It allows to configure whether you want it to run once or periodically.
  • Set time: Setting the day and time at which the scheduled downtime will start and end either once or periodically, depending on what has been previously configured in "Execution".


Info.png

If the Pandora FMS administrator enables it in the visual configuration section, it is possible to create scheduled downtimes in a past date. They will not be executed, but their existence will be reflected in different reports. This is particularly relevant since it affects, among others, availability reports and SLAs.

 


Downtime2.png

Finally, specify which specific agents you want to include in that downtime.



Downtime5.png

When a scheduled downtime is "active", it cannot be modified or deleted, but from version 5.0 onwards there is an option where you may stop the execution in "Stop downtime", so that all agents/modules/alarms that the scheduled downtime disabled temporarily may be re-enabled. This option does not support periodic scheduled downtimes. From version 6.0 onwards, non-periodic scheduled downtimes can be delayed even if they are 'active'. When this downtime is over, you may modify or delete it.

1.5.3 Alternatives to console downtime management

There are often certain "cyclical" situations to be taken into account and the method of downtime management is too specific: for example, you may want to be able to deactivate all agents quickly and on time or to plan a general downtime every week from time to time. For this type of operations, there are ways to do it from the command line.

There is a faster way to set all agents in service mode, through the use of Pandora FMS management CLI, pandora_manage. pl through the command line:

./pandora_manage.pl /etc/pandora/pandora_server.conf --enable_group 1

Pandora FMS Manage tool 3.1 PS100519 Copyright (c) 2010 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at http://www.pandorafms.org

[*] Pandora FMS Enterprise module loaded.

[INFO] Enabling group 1

Disabling them would be the following way:

./pandora_manage.pl /etc/pandora/pandora_server.conf --disable_group 1

1.6 Audit Log

Pandora FMS keeps a log of all changes and important actions taken in Pandora FMS console. This log can be seen in Admin tools > System Audit Log.



Gest67.png



On this screen, you may see a series of entries related to console activity, user information, action type, date and a brief description of the events recorded.

Audit 1.png

In the upper left corner, you may filter which entry will be displayed by different criteria including: actions, user and IP, you may even perform a text search and determine the maximum amount of hours.

The available filtering fields:

  • Action: The different possible filtering actions > ACL Violation, Agent management, Agent remote configuration, Alert management, Command management, Dashboard management, Event alert management, Event deleted, Extension DB inface, File collection, Logoff, Logon, Logon Failed, Massive management, Module management, No session, Policy management, Report management, Setup, System, Template alert management, User management, Visual console builder.
  • User.
  • Free text for search: It will search in the fields User, Action and Comments.
  • Max. Hours old: Number of backward hours where to display events.
  • IP: Source IP address.

It is also possible to export the information displayed on the screen to a CSV file by clicking on the button at the top right of the screen.

Audit 02.png
Available filtering actions


With this tool, you may search, for example, for the task that a user performs on agent management in the last hour.

Audit 03.png

Or the moment when a given user has logged in the console. You may retrieve all information about the actions performed by the entire user. In addition, you may see the Pandora FMS server service start date or when the console configuration was changed.

Audit 04.png

1.7 Local server logs

In latest Pandora FMS console versions, log status can be checked through the menu Extensions > Extension management > System logs.


System logs menu.png

From this extension you may see the logs of both the console and the local server:

System logs main.png


If you cannot see the content, check your log file permissions:

chown -R pandora:apache /var/log/pandora/


You may change the rotator options to keep these settings by modifying the /etc/logrotate.d/pandora_server file.

/var/log/pandora/pandora_server.log
/var/log/pandora/websocket.log 
/var/log/pandora/pandora_server.error {
	weekly
	missingok
	size 300000
	rotate 3
	maxage 90
	compress
	notifempty
        copytruncate
	create 660 pandora apache
}
/var/log/pandora/pandora_snmptrap.log {
	weekly
	missingok
	size 500000
	rotate 1
	maxage 30
	notifempty
	copytruncate
	create 660 pandora apache
}

On the other hand, there is also a specific configuration for the console log rotation in /etc/logrotate.d/pandora_console:

/var/www/html/pandora_console/log/audit.log
/var/www/html/pandora_console/log/console.log {
        weekly
        missingok
        size 100000
        rotate 3
        maxage 15
        compress
        notifempty
        create 644 apache root
}


Note: If your system is SuSE, replace apache with www-data. In case of using a different system, check the users corresponding to the Apache service. (httpd)

Template warning.png

If updating from OUM a version prior to 747 you will need to manually modify the logrotate file.

 


1.8 Cron Job

This Pandora FMS Enterprise extension allows to schedule task execution from Pandora FMS server.

The extension can be accessed from Servers > Cron jobs.



Cron jobs.jpg



To add a task, the following fields must be filled in:

  • Task: Combo where the task to perform can be chosen.
    • Send custom report via e-mail
    • Run custom script
    • Pandora FMS BD Backup
    • Save custom report in disk
  • Schedule: Field where task frequency can be chosen.
    • Without schedule: These tasks will be executed only once and at the specified time..
    • Hourly
    • Daily
    • Weekly
    • Monthly
    • Yearly
  • First run: Field where the date and time of the first task execution is chosen. It will be executed periodically, taking this date and time as a reference.
  • Parameters: Field that allows entering parameters in the task to be performed. It varies by task.
    • Pandora FMS BD Backup: Description and path where the backup will be stored.
    • Send report via e-mail: Report to be sent and recipient's e-mail address.
    • Run script: Script command to run.
    • Save report to disk: Report to be saved and the path to store it.

Once the data has been filled in, click on create and the task will appear in the scheduled tasks list.



Cron jobs list.jpg



Once the scheduled task has been created, it is possible to force its execution by clicking on the green circle to the right of the task or delete it by clicking on the red cross on the left.


Info.png

If the cron job is "non scheduled", it will be deleted automatically when executed.

 



1.9 DB management from the console

The core of Pandora FMS system is its database. It stores all data collected by monitored systems, agent configuration, alerts, events, audit data, different users and their data. That is, all system data.

Efficiency and reliability are vital for Pandora FMS to work properly, so database maintenance is essential.

To perform regular database maintenance, administrators can use standard MySQL commands from the command line or manage the database from the console although they may not have extensive Mysql knowledge.

Pandora FMS has multiple extensions that can be used from the console to see information from the database.

1.9.1 Diagnostic tool

This section shows general information about Pandora FMS installation. It is necessary to emphasize the high amount of information that is obtained from the database, where the recommended parameters can be seen, as well as warnings about existing values that need to be changed.



Captura de pantalla de 2017-10-09 13-37-10.png



Diagnostic info1.png

Diagnostic info2.png

Diagnostic info3 new.png

Diagnostic info4.png

1.9.2 DB Interface

This is an extension that allows you to execute commands in the database and see the result. It is an advanced tool that should only be used by people who have a certain amount of knowledge about SQL and the Pandora FMS database schema.

Template warning.png

If misused, this tool may "destroy" data or permanently render the application inoperative.

 


It is accessed from Admin tools > DB interface.



Ex10.png



Write the command in the blank field and click on "Execute SQL".

1.9.3 DB Schema Check

This is an extension that allows to check the structural differences between the database set in your Pandora FMS and a pattern scheme to compare possible errors.

It works like this:

  • A temporary database is created with the structure that the installation database should have (different depending on the installed version).
  • The database created is compared with the database referenced in the installation.
  • The temporary database is deleted.




Captura de pantalla de 2017-10-09 13-47-04.png



Enter the data to access your database and click on "Run test".

Info.png

It is recommended to use this extension to check whether a database migration has been correctly performed.

 


Template warning.png

This check can only be done in MySQL Databases.

 


1.10 Network Tools

  • Traceroute path: If empty, Pandora FMS will search the traceroute system.
  • Ping path: If empty, Pandora FMS will search the ping system.
  • Nmap path: If empty, Pandora FMS will search the nmap system.
  • Dig path: If empty, Pandora FMS will search the dig system.
  • Snmpget path: If empty, Pandora FMS will search the snmpget system.

1.11 Backup

Extension that allows backing up the DB and restoring it.

To make a backup, first select the destination folder where the data will be stored. Once chosen, write a backup description.



Ex12.png



When the backup is done, it will appear in the Backup list with the running icon.

Ex13.png

Once the Backup has been created, it is possible to:

  • Download it by clicking on this icon:

Ex14.png

  • Do a rollback by clicking on this icon:.

Ex15.png

The rollback applies a previously created backup and restores it. This will destroy all existing data in the console and apply the data that exists in the backup on which the rollback is made.

Template warning.png

By means of this tool it is possible to recover the database backup made through this feature. It is not possible to load a manual backup.

 


  • Delete it by clicking on this icon:

Ex16.png




1.12 Plugin log

Extension that allows you to easily register server plugins.

The extension can be accessed through Servers > Register plug-in.



Ex9.png



To register a plugin choose the file by clicking on "Browse" and "Upload".

More information about server plugins can be found in the development and extension chapter.

You may see in section [Plugin Development] the format of the .pspz files.

1.13 Insert data

Extension that allows to import data in a comma separated file (CSV) to an agent module. This extension is accessed from Resources > Insert Data.



Insert data1.png



The format of the CSV file must be date;value per line. The date must be given in Y/m/d H:i:s format:

2011/08/06 12:20:00;77.0
2011/08/06 12:20:50;68.8


1.14 Resource registration

This extension allows you to import .prt files containing the definition of network component, smnp component, local component or wmi component. You may also add all of them (except for the local component) to a template.



Resource registration screenshot.png



1.14.1 .prt file format

<?xml version="1.0"?>
<pandora_export version="1.0" date="yyyy-mm-dd" time="hh:mm">
	<component>
		<name></name>
		<description></description>
		<module_source></module_source>
		<id_os></id_os>
		<os_version></os_version>
		<data></data>
		<type></type>
		<max></max>
		<min></min>
		<max_cri></max_cri>
		<min_cri></min_cri>
		<max_war></max_war>
		<min_war></min_war>
		<historical_data></historical_data>
		<ff_treshold></ff_treshold>
		<module_interval></module_interval>
		<id_module_group></id_module_group>
		<group></group>
		<tcp_port></tcp_port>
		<tcp_send></tcp_send>
		<tcp_rcv_text></tcp_rcv_text>
		<snmp_community></snmp_community>
		<snmp_oid></snmp_oid>
		<snmp_version></snmp_version>
		<auth_user></auth_user>
		<auth_password></auth_password>
		<privacy_method></privacy_method>
		<privacy_pass></privacy_pass>
		<auth_method></auth_method>
		<security_level></security_level>
		<plugin></plugin>
		<plugin_username></plugin_username>
		<plugin_password></plugin_password>
		<plugin_parameters></plugin_parameters>
		<wmi_query></wmi_query>
		<key_string></key_string>
		<field_number></field_number>
		<namespace></namespace>
		<wmi_user></wmi_user>
		<wmi_password></wmi_password>
		<max_timeout></max_timeout>
		<post_process></post_process>
	</component>
	<component>...</component>
	<component>...</component>
	<template>
		<name></name>
		<description></description>
	</template>
</pandora_export>

1.15 Text string translator

This extension belongs to the menu Setup > Translate string and allows translating Pandora FMS interface text strings to customize it.



Translate string.png



The fields to be filled in are detailed below:

  • Language: It allows to filter strings by language.
  • Free text for search (*): Content of the string you wish to customize.

Three columns will appear: the first one will show the original string, the second one the current translation and in the third one the custom translation you wish to add.

1.16 Workspace

This section allows interacting with Pandora FMS users, or edit the user's details, as well as several actions, such as access to the issue system (to open tickets), chatting with other users connected to Pandora FMS, etc.

1.16.1 Chat

It allows to interact with other users connected to that Pandora FMS console through a chat. It is useful in case you want to say something to another operator for example.

1.16.2 Issues

Pandora FMS allows managing issues from the console thanks to its integration with Integria IMS.

For more information about this tool, check issue management with Integria IMS.

1.16.3 Messages

Pandora FMS has a tool that allows different users to send messages among themselves.

1.16.3.1 See messages

When a user has a message, an envelope icon appears at the top right of the console.



Gest20.png



User messages can be seen in Workspace > Messages > Messages list, and from there you may read, delete or write a message to a specific group or user.

1.16.4 Connected users

This extension shows other users connected to the Pandora FMS Console other than their own. This feature is important because Pandora FMS console allows multiple user connections.

The extension is accessed from Workspace > Connected users.



Ex4b.png



1.17 Software agent repository

Software agent repository is part of the deployment center, which controls agent installer available versions (programs) to be deployed.

You may access it through this menu:

Agent repo1.png


To add a new installer to the repository, click "Add agent".

Agent repo2.png


Fill out the information related to the target OS type, the architecture, the installing file, etc.

Agent repo3.png


Note: Installers for Linux (and all Unix and BSD range) are shared by all architectures. Both x64, x86, ARM, etc share the same installer.


Make sure the upload was successful:

Agent repo4.png


The uploaded agent installer will appear on the list together with the information about its version, by whom and when it was uploaded etc.:

Agent repo5.png

1.18 Custom themes

Pandora FMS offers the possibility of uploading CSS files, in order to set custom themes in the visual console.

To that end, include the following comment in the CSS file:

/*
Name: My custom Theme
*/

Then, import the CSS file to the following path:

pandorafms/pandora_console/include/styles/CustomTheme.css

Once the desired themes are uploaded, go to Setup > Setup > Visual styles and select the appropriate theme from the Style template drop-down.

CustomTheme1.png



Go back to Pandora FMS Documentation Index