Difference between revisions of "Pandora: Documentation en: Managing and Administration"

From Pandora FMS Wiki
(Pandora FMS Management)
 
(49 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
 
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
 +
 +
{{WIP}}
  
 
= Pandora FMS  Management=
 
= Pandora FMS  Management=
Line 5: Line 7:
 
== Introduction ==
 
== Introduction ==
  
This chapter deals with several aspects of the daily management of Pandora FMS such as: group administration, user creation, etc.
+
This chapter deals with several aspects of Pandora FMS daily management such as: group administration, user creation, backups, workspace, etc.
  
 
==  Profiles, users, groups and ACL ==
 
==  Profiles, users, groups and ACL ==
  
Pandora FMS is a Web management tool that allows multiple users to work with different permissions in multiple groups of agents that are defined. Before adding users, the groups and profiles must be well defined and have a clear understanding of what data visibility we want each user to have.
+
Pandora FMS is a Web management tool. Thanks to its 100% multitenant permission system, multiple users can work with different permissions accessing Pandora FMS setup without seeing each other's information.
 +
 
 +
To add users, it is important to have groups and profiles properly defined, and know exactly which data you want each user to see and/or modify.
  
Pandora's permissions system is 100% ''multitenant'', that is to say, that different clients or departments access the information of the same Pandora setup without some of them seeing the information of the others.
+
<center>
 +
[[image:Standard-user-profile.jpg]]
 +
</center><br>
  
 
=== Users in Pandora FMS ===
 
=== Users in Pandora FMS ===
  
Users are managed from ''Profiles > Users management'', where you can view the list of defined users.
+
Users are managed from ''Profiles > Users management'', where you may see the list of defined users.
  
 
<center><br><br>
 
<center><br><br>
Line 21: Line 27:
 
</center><br><br>
 
</center><br><br>
  
The user definition consists of the following fields:
+
User definition consists of the following fields:
  
 
<center><br><br>
 
<center><br><br>
Line 27: Line 33:
 
</center><br><br>
 
</center><br><br>
  
We detail the relevant user fields:
+
Here are the relevant user fields:
  
*'''User ID''': Identifier to be used by the user to authenticate in the application. This is a value that is used as an identifier, so it should not have rare characters or spaces.  
+
*'''User ID''': Identifier to be used by the user for authentication in the application. This is a value that is used as an identifier, so it should not have rare characters or spaces.  
*'''Full Display Name''': field where the complete name is placed, this is a descriptive field and may contain spaces and non-standard characters.
+
*'''Full Display Name''': Field where the complete name is, this is a descriptive field and it may contain spaces and non-standard characters.
* '''Timezone''': field where you put the time zone of the console for the visualization of different elements(Agent detail,Monitor detail, ...).
+
* '''Timezone''': Field containing the timezone of the console for visualizing different elements (General agent view, Module view...).
*''' Global Profile''': An Administrator user will not be governed by the internal ACL system and will have access to everything. The standard user will be governed by the permissions assigned to them according to the different Pandora ACL systems.
+
*''' Global Profile''': An Administrator user will not abide by the internal ACL system, but rather will have access to everything. The standard user will abide by the Pandora FMS ACL permissions it is assigned.
*'''Skin''': field where you can choose a custom skin.
+
*'''Skin''': Field where a custom skin may be chosen.
*'''Interactive charts''': field where you can choose whether the user sees dynamic or static graphs. This setting allows you to overwrite the one defined by the system.
+
*'''Interactive charts''': Field where you may choose whether the user sees dynamic or static graphs. This setting allows overwriting the one defined by the system.
*'''Block size for pagination''': Block size by default for that user.
+
*'''Block size for pagination''': Pagination default size for that user.
*'''Not login'': if this field is checked, the user will only be able to access the API but not interactively through the console.
+
*'''Not login'': If this field is checked, the user will only be able to access the API but not interactively through the console.
*'''Home screen''': change the default screen to which the user enters after logging into the console, for example, the event viewer, or a visual console defined by the administrator.
+
*'''Home screen''': It changes the default screen to that of the user's choosing after logging into the console, for example, the event viewer, or a visual console defined by the administrator.
*'''Default event filter''': to define the default filter that the user will have when entering the event view. Then you can change it, but this will be the one that applies "by default".
+
*'''Default event filter''': To define the default filter that the user will have when entering the event view. Then it can be changed, but this will be the one applied "by default".
*'''Session time''':Time in which the user can be logged on without activity before the user considers his session expired and forces them to authenticate themselves again.
+
*'''Session time''': Time the user can be logged in with no activity before the session expires and the user must go through the authentication process again.
  
==== User Edition by the own User ====
+
==== User Edition by the User itself ====
  
 
All users can modify certain parameters of their own settings in ''Workspace > Edit my User''.
 
All users can modify certain parameters of their own settings in ''Workspace > Edit my User''.
  
The user creation form appears where you can configure some sections, except of course, the permissions on groups.
+
The user creation form will appear, where you can configure some sections, except for group permissions.
  
 
<center><br><br>
 
<center><br><br>
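Review bot: The bold markup on the "Not login" bullet is still unbalanced in the new revision: the label opens with three apostrophes and closes with two ("*'''Not login'':"), so it will not render like the other field names. Close it with three apostrophes while the line is being edited. Because this field limits an account to API access with no interactive console login, it would also help to describe it in those terms so administrators reviewing accounts can find it.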
Line 51: Line 57:
 
</center><br><br>
 
</center><br><br>
  
===== Notification configuration =====  
+
===== Notification setup =====
  
In order to customize notifications for a logged-in user, the administrator must have previously granted the user editing permissions on the notifications. If you have this permission, as well as all the options activated, you can enable/disable the notifications and send them by mail.
+
To customize logged-in user’s notifications, the administrator must have previously granted him notification edition permissions. In case of having said permissions, as well as all options activated, notifications and their forwarding by email can be enabled/disabled.
  
<center><br><br>
+
<center>
[[image:gestusuarionotificaciones.png|800px]]
+
[[image:Notificaciones1.PNG]]
</center><br><br>
+
</center><br>
 +
 
 +
Notifications allow to see warning messages related to the following sections on screen:
 +
 
 +
* <b>System status</b>. Where the following notifications are generated:
 +
** Expired or nearly expired license warning (~15 days or less).
 +
** Too many files attached warning.
 +
** Piled-up .data files in data_in warning (> 1000 files and increasing).
 +
** Piled-up BADXML files in data_in warning (> 150 files).
 +
** Overall module queuing (increasing) by server warning.
 +
** PHP setup warning.
 +
** Review whether pandora_db is running on the main database.
 +
** Review whether pandora_db is running on the history database.
 +
** History database update status (MR correct).
 +
** Status warnings, component down or uninitiated => Any of the Pandora FMS servers with status=1 and ''keepalive - now()'' may be higher than ''server_keepalive * 2''.
 +
** Tentacle service down.
 +
** No master-mode server warning.
 +
** In the case of activated logs, Elastic/Logstash connectivity status.
 +
** In case of using Pandora FMS HA, error in DB replication.
 +
** Connection error with GIS map servers GIS (WMS).
 +
** Log size.
 +
** Mounting point/disk/almost full volume warning (data_in/mysql/tmp...)(> 90%).
 +
** History database connection failure.
 +
** Metaconsole synchronization failure.
 +
** Next scheduled shutdowns (in less than 15 days).
 +
** Metaconsole: Synchronization status:
 +
*** Node synchronization failures.
 +
*** Event replication failures.
 +
*** Agent cache.
 +
 
 +
* <b>Message</b>:
 +
** Messages received by the user yet to be read.
 +
 +
* <b>Pending task</b>:
 +
** Policies yet to be applied.
 +
** Queued policies running/complete, and acknowledged once completed.
 +
** Pending re-creation policies.
 +
** Defined server plugins whose executable does not exist.
 +
** Metaconsole:
 +
*** Pending synchronization tasks.
 +
*** Completed synchronization tasks.
 +
*** Pending notifications by node.
 +
*** Policy queue status.
 +
 +
* <b>Advertisement</b>.
 +
** Enterprise version not installed reminder.
 +
** Do you know our Enterprise version?
 +
** Do you know the module library?
 +
** Discover eHorus.
 +
** Discover Integria IMS.
 +
 
 +
* <b>Official communication</b>:
 +
** Update notifications.
 +
** Messages generated from Ártica ST headquarters (update to PHP7, phantomjs, etc.)
 +
 
 +
* <b>Suggestion</b>:
 +
** Did you know Pandora FMS can be integrated with Telegram?
 +
** Did you know alerts can be scaled?
 +
** Monitor your complete applications using services.
 +
 
 +
The options found in notification setup are these:
 +
 
 +
* <b>Notified users</b>: Users that will receive the activated notifications.
 +
* <b>Notified groups</b>: Groups that will receive the activated notifications.
 +
* <b>Notify all users</b>: Option that will allow to notify all users.
 +
* <b>Also email users with notification content</b>: To enable sending emails for each notification.
 +
* <b>Users can modify notification preferences</b>: To allow users to modify notification preferences (the system administrator can restrict this option).
 +
* <b>Users can postpone notifications up to</b>: It allows to postpone notifications so that they are not received more than once in a certain interval (which can be chosen in the drop-down).
  
 
=== Groups in Pandora FMS ===
 
=== Groups in Pandora FMS ===
 
====Introduction====
 
====Introduction====
The concept of group in Pandora is fundamental. The groups are sets of elements with their own rules whose function is to help to control the access of the users to certain aspects inside Pandora FMS.  
+
The concept of group in Pandora FMS is fundamental. The groups are sets of elements with their own rules whose purpose is to help to control user access to certain elements inside Pandora FMS.  
  
 
It is important to know that an agent can only belong to one group, but that a user can have access to one or several of these groups.  
 
It is important to know that an agent can only belong to one group, but that a user can have access to one or several of these groups.  
  
When configuring the groups, it will be necessary to take into account that the group All is a special group that cannot be eliminated, and all the groups are subgroups of this one. Any element that is associated to the All group can be seen/administered by a user that has permissions in any group.  
+
When configuring the groups, it will be necessary to take into account that the group All is a special group that cannot be eliminated, and all the groups are its subgroups. Any element that is associated to the All group can be seen/administered by a user that has permissions in any group.
 +
 
 +
====Group all====
 +
 
 +
Pandora FMS has a group system, which are entities into which agents are classified and which are used to grant permissions. That way users are granted some permissions assigned to one or several groups, and thus they will be able to interact with agentes and other elements in their context.
 +
 
 +
To make group assigning and filtering easier, there is a tool called group "All". Group "All", depending on the context, means ALL groups or ANY of them. From version 3.1 is exclusive identifier is ID 0. But it is totally controlled by the code, ther is no group with that ID in the DB.
  
 
====Group creation====
 
====Group creation====
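Review bot: The added "Group all" paragraphs at the end of this hunk contain typos that obscure the meaning: "agentes", "From version 3.1 is exclusive identifier is ID 0" (should be "its") and "ther is no group with that ID in the DB". In the notification list, "Connection error with GIS map servers GIS (WMS)" repeats "GIS", and the status bullet ("Any of the Pandora FMS servers with status=1 and keepalive - now() may be higher than server_keepalive * 2") does not state which comparison raises the warning; write it as an explicit condition. The context sentence "Any element that is associated to the All group can be seen/administered by a user that has permissions in any group" describes a wide grant and deserves the same Warning template used elsewhere on the page.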
Line 75: Line 154:
 
</center><br><br>
 
</center><br><br>
  
Inside a group's creation / modification, we have some fields that require an explanation:
+
Inside group creation / modification, there is the following form:
This form will appear:
 
  
 
<center><br><br>
 
<center><br><br>
Line 82: Line 160:
 
</center><br><br>
 
</center><br><br>
  
We detail the relevant user fields:
+
These are the relevant user fields:
 +
 
 +
* '''Name''': Group name. This group can be used in the automatic agent provisioning, so it is not recommended that it contains spaces or rare characters (although it is supported).
 +
* '''Icon''': Combo where the icon for the group can be chosen.
 +
* '''Parent''': Combo where another group can be defined as the parent of the group being created.
 +
* '''Password''': Optional. It allows restricting automatic agent creation (automatic software or satellite agent provision) so that only agents with the same password as the one defined in this field can be created.
 +
* '''Alerts''': If checked, the agents belonging to the group will be able to send alerts. If not checked, alerts will not be sent. You can use this property to quickly disable alert generation for a certain group of agents.
 +
* '''Propagate ACL''': If enabled, the child groups will have the same ACL permissions as the group.
 +
* '''Custom ID''': Groups have an ID in the database. In this field it is possible to set another custom ID that can be used from an external program to perform an integration (e.g. CMDBs).
 +
* '''Contact''': Contact information accessible through _groupcontact_ macro.
 +
* '''Skin''': A skin can be assigned to the group.
 +
 
 +
====Importing groups from CSV====
 +
 
 +
This is an Enterprise feature. The extension allows to import a file separated by some separating character in Pandora FMS server.
 +
 
 +
Access the extension from ''Admin tools > Extensions manager > CSV import group''.
 +
 
 +
<center>
 +
[[image:ex17.png|800px]]
 +
</center><br>
  
* '''Name''':group name. This group can be used in the automatic provisioning of agents, so it is not recommended that it contains spaces or rare characters (although it is supported).
+
The file to be imported is chosen by clicking on “Select file” and the combo is chosen from a combo. Once the previous fields are filled out, click “Go”.
* '''Icon''': combo where the icon for the group can be chosen.
+
 
* '''Parent''': combo where another group  can be defined as the parent of the group being created.
+
The CSV file must contain the following fields in the following order: Group name, icon, parent id and propagation (1 or 0).
* '''Password''': optional. It allows restricting the automatic creation of agents (automatic provision of software or satellite agents) so that only agents with the same password as the one defined in this field can be created.
 
* '''Alerts''': if checked, the agents belonging to the group will be able to send alerts, if not checked they will not be able to send alerts. You can use this property to quickly disable the generation of alerts for a certain group of agents.
 
* '''Propagate ACL''': if enabled, the child groups will have the same ACL permissions as the group.
 
* '''Custom ID''':  groups have an ID in the database; in this field it is possible to put another custom ID that can be used from an external program to perform an integration (e. g. CMDB' s).
 
* '''Contact''': contact information accessible via the _groupcontact_ macro
 
* '''Skin''': a skin can be assigned to the group.
 
  
 
===  Profiles in Pandora FMS ===
 
===  Profiles in Pandora FMS ===
  
Pandora FMS profiles allow to define which permissions a user can have. The combination of profiles plus a group, associated to a user, allows to define which permissions a user has on a group of agents, so that he can have different profiles in different groups. The profiles are managed from Profiles > profile management.  
+
Pandora FMS profiles allow to define which permissions a user is granted. The combination of profiles and a group associated to a user allows to define which permissions a user has on a group of agents, so that he can have different profiles in different groups. Profiles are managed from ''Profiles'' > ''Profile management''.  
  
 
<center><br><br>
 
<center><br><br>
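Review bot: In the new CSV import text, "the combo is chosen from a combo" does not say what the second control selects; going by the earlier sentence about "a file separated by some separating character", this is presumably the separator, so name it. The line introducing the field list also still reads "These are the relevant user fields:" although the fields that follow (Name, Icon, Parent, Password and so on) belong to a group. Since the Password field restricts automatic agent creation, and the CSV layout lists only group name, icon, parent id and propagation, say what happens to that field for imported groups.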
Line 120: Line 212:
 
<tr><td>Validate/Comment event <td>EW
 
<tr><td>Validate/Comment event <td>EW
 
<tr><td>Delete event <td>EM
 
<tr><td>Delete event <td>EM
<tr><td>Excecute responses<td>EW
+
<tr><td>Execute responses<td>EW
 
<tr><td>Create an incidence through the event (Response) <td>EW&IW
 
<tr><td>Create an incidence through the event (Response) <td>EW&IW
 
<tr><td>Manage responses<td>PM
 
<tr><td>Manage responses<td>PM
 
<tr><td>Manage filters<td>EW
 
<tr><td>Manage filters<td>EW
<tr><td>Personalize event columns<td>PM
+
<tr><td>Customize event columns<td>PM
 
<tr><td>Change owner/Re-open event <td>EM
 
<tr><td>Change owner/Re-open event <td>EM
 
<tr><td>See users <td>AR
 
<tr><td>See users <td>AR
 
<tr><td>See Console SNMP <td>AR
 
<tr><td>See Console SNMP <td>AR
 
<tr><td>Validate traps <td>IW
 
<tr><td>Validate traps <td>IW
<tr><td>Menssages <td>IW
+
<tr><td>Messages <td>IW
 
<tr><td>Cron jobs <td>PM
 
<tr><td>Cron jobs <td>PM
 
<tr><td>Tree view <td>AR
 
<tr><td>Tree view <td>AR
Line 137: Line 229:
 
<tr><td>Editing the agent and its .conf <td>AW
 
<tr><td>Editing the agent and its .conf <td>AW
 
<tr><td>Assigning already created Alerts <td>LW
 
<tr><td>Assigning already created Alerts <td>LW
<tr><td>Define, modify templates, commando and actions <td>LM
+
<tr><td>Define, modify templates, commands and actions <td>LM
 
<tr><td>Group management <td>PM
 
<tr><td>Group management <td>PM
 
<tr><td>Create inventory modules <td>PM
 
<tr><td>Create inventory modules <td>PM
<tr><td>Manage modules (Including all suboptions)<td>PM
+
<tr><td>Manage modules (Including all sub-options)<td>PM
 
<tr><td>Massive operations <td>AW
 
<tr><td>Massive operations <td>AW
 
<tr><td>Create agent <td>AW
 
<tr><td>Create agent <td>AW
 
<tr><td>Duplicate remote configuration <td>AW
 
<tr><td>Duplicate remote configuration <td>AW
<tr><td>Management of downtimes<td>AD
+
<tr><td>Downtime management<td>AD
 
<tr><td>Alert management <td>LW
 
<tr><td>Alert management <td>LW
 
<tr><td>User management <td>UM
 
<tr><td>User management <td>UM
Line 154: Line 246:
 
<tr><td>DB maintenance <td>DM
 
<tr><td>DB maintenance <td>DM
 
<tr><td>Extension management <td>PM
 
<tr><td>Extension management <td>PM
<tr><td>Searcha bar <td>AR
+
<tr><td>Search bar <td>AR
<tr><td>Plicy management<td>AW
+
<tr><td>Policy management<td>AW
 
<tr><td>Deactivate agent/module/alert<td>AD
 
<tr><td>Deactivate agent/module/alert<td>AD
 
<tr><td>Validate alerts<td>LM&AR o AW&LW
 
<tr><td>Validate alerts<td>LM&AR o AW&LW
<tr><td>Network maps view<td>MR
+
<tr><td>Network map view<td>MR
<tr><td>Network maps  editing<td>MW
+
<tr><td>Network map editing<td>MW
 
<tr><td>Deleting own network maps<td>MW
 
<tr><td>Deleting own network maps<td>MW
 
<tr><td>Deleting any network map <td>MM
 
<tr><td>Deleting any network map <td>MM
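Review bot: The "Validate alerts" row left as context in this hunk still reads "LM&AR o AW&LW"; the "o" looks like an untranslated "or" and is easy to misread as part of a permission code. This edit already fixes typos in the neighbouring rows ("Searcha bar", "Plicy management"), so change the cell to "LM&AR or AW&LW" in the same pass.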
Line 169: Line 261:
 
</table>
 
</table>
  
=== Permission assignment===
+
=== Permission granting ===
 
+
From user editing, you may grant a user access to a group with a certain profile:
From the user output, you can assign a user access to a group with a certain profile:
 
  
 
<center>
 
<center>
Line 177: Line 268:
 
</center>
 
</center>
  
In this example, the user has access with the operator profile to the "ehorus" and "hosting" group.
+
In this example, the user has access by means of the operator profile to the "eHorus" and "hosting" group.
  
If you don´t assign any group or profile to the user, when the user tries to log in, he will have an login error such as the image below:
+
If you do not assign any group or profile to the user, when the user tries to log in, there will be a login error like the one below:
  
 
<center>
 
<center>
Line 187: Line 278:
 
==== Permission system extended by tags ====  
 
==== Permission system extended by tags ====  
  
In the Enterprise version, the individual access to the modules of an agent can be configured with a system of Tags. Some tags are configured in the system, they are assigned to the modules you want, and additionally, you can restrict access to a user only to the modules that have those tags defined.  
+
In the Enterprise version, individual access to the modules of an agent can be configured by a Tag system. Some tags are configured in the system, they are assigned to the modules you wish, and additionally, access may be restricted to a user only to the modules that have those tags defined.  
  
 
<br>
 
<br>
 
{{Tip|Access by Tags does not replace access by groups, it only complements it.}}
 
{{Tip|Access by Tags does not replace access by groups, it only complements it.}}
  
Tags are defined in ''Profiles > Module Tags''.
+
Tags are defined in ''Profiles'' > ''Module Tags''.
  
 
<center><br><br>
 
<center><br><br>
Line 198: Line 289:
 
</center><br><br>
 
</center><br><br>
  
In the configuration of a module, one or more tags can (optionally) be assigned to it:
+
In module configuration, one or more tags can (optionally) can assigned:
  
 
<center>
 
<center>
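Review bot: The replacement sentence introduces a grammar error: "one or more tags can (optionally) can assigned:" has a doubled "can" and is missing "be". Suggest "In module configuration, one or more tags can (optionally) be assigned:".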
Line 204: Line 295:
 
</center>
 
</center>
  
To assign specific access to a tag, it is done through the user editor, in the profile and group assignment, adding a tag:
+
You may assign specific access to a tag through the user editor, in profile and group assigning, by adding a tag:
  
 
<center>
 
<center>
Line 210: Line 301:
 
</center>
 
</center>
  
In this example, the user has access with the operator profile to the "ehorus" and "hosting" group and also to the "Infrastructure" group, but only to the modules marked with the "Security" tag.
+
In this example, the user has access by means of the operator profile to the "eHorus" and "hosting" group and also to the "Infrastructure" group, but only to modules labeled with the "Security" tag.
  
{{Warning|This system, which we call Tag-based security mode allows restricting access to all agent content, but has performance impact, so it is designed exclusively to give access to small portions of information, that is, it should not be used with more than two or three tags per user/profile/group combination.}}
+
{{Warning|This system, which is called Tag-based security mode allows restricting access to all agent content, but it has performance impact, so it is designed exclusively to give access to small portions of information, that is, it should not be used with more than two or three tags per user/profile/group combination.}}
  
{{Tip|In some global views (tactical view, group view, general tree counts) the totals show all the modules, not just the "visible" for the tag. }}
+
{{Tip|In some global views (tactical view, group view, general tree counts) the totals show all the modules, not just the ones "visible" by the tag. }}
  
 
==== Hierarchy ====
 
==== Hierarchy ====
  
In previous sections, we explained that the permissions of a group can be extended to the children by means of the configuration option ''Propagate ACL''. However, from the user configuration, you can limit this functionality and prevent the ACL from propagating by checking ''No hierarchy''.
+
In previous sections, we explained that the permissions of a group can be extended to the children by means of the configuration option ''Propagate ACL''. However, from user configuration, you may limit this feature and prevent the ACL from propagating by checking ''No hierarchy''.
  
As a reference for the examples, we propose a configuration with two parent groups "Applications" and "Databases" with two children each, "Development_Apps" and "Management_Apps" for the former and "Databases_America" and "Databases_Asia" for the latter. Both parent groups are marked for ACL to spread.
+
As a reference for the examples, here we propose a configuration with the two parent groups "Applications" and "Databases" with two children each, "Development_Apps" and "Management_Apps" for the first one and "Databases_America" and "Databases_Asia" for the second one. Both parent groups are set for ACL to be spread.
  
 
<center>
 
<center>
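Review bot: In the rewritten Hierarchy example, "Both parent groups are set for ACL to be spread" no longer matches the option name, which the paragraph just above gives as "Propagate ACL". Use the same term, for example "Both parent groups have Propagate ACL enabled", so readers can map the sentence to the checkbox. In the Warning template, "This system, which is called Tag-based security mode allows" needs a closing comma after "mode".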
Line 226: Line 317:
 
</center>
 
</center>
  
In the user edit view, if the following profiles are added:
+
In the user edit view, the following profiles are added:
  
 
<center>
 
<center>
Line 240: Line 331:
 
</center>
 
</center>
  
Now the user will have access to the groups named "Applications", "Development_Apps", "Management_Apps", "Databases" and "Databases_Asia", but not to "Databases_America".
+
The user will have access to the groups named "Applications", "Development_Apps", "Management_Apps", "Databases" and "Databases_Asia", but not to "Databases_America".
  
=== Secondary groups ===
+
==== Secondary groups ====
  
From the update package 721, agents can have secondary groups. Unlike the main group, these secondary groups are optional.
+
From update package 721 agents may have secondary groups. Unlike the primary group, these secondary groups are optional.
  
 
<center>
 
<center>
Line 250: Line 341:
 
</center>
 
</center>
  
The fact that an agent belongs to a secondary group means that, in fact, it belongs to several groups at the same time. With this functionality, two users who have very different permissions will be able to access the same agent just by adding the appropriate secondary groups to it.
+
An agent belonging to a secondary group means that it actually belongs to several groups at the same time. With this feature, two users with different permissions may have access to the same agent by just adding the appropriate secondary groups.
  
For example, if an agent named "Portal" has "Infrastructures" as its main group and "Hosting" as its secondary group, any user who has access to "Infrastructures" and/or "Hosting" can access it.
+
For example, if an agent called "Portal" has "Infrastructures" as main group and "Hosting" as secondary group, any user that has access to "Infrastructures" and/or a "Hosting" may access it.
  
Some views, such as the ''Tree View'', can show repeated agents. When using secondary groups, this is the normal behavior.
+
Some views, such as ''Tree View'', may show repeated agents. That is the usual performance when using secondary groups.
  
==Group "All" ==
+
=== ACL Enterprise System ===
 +
====Introduction====
 +
The ACL Open Source model is based on "unix style" role/action/group/user (4 items).
  
Pandora has a system of groups, which are entities in which agents are classified and used to break down privileges. In this way, users are given certain permissions framed in one or more groups and thus have the ability to see and interact with agents and other objects in their context.
+
The ACL Enterprise system allows you to define -according to profile- which pages (defined one by one or by "groups") users have access to. This will allow you to redefine which sections of the interface a user can see. For example, to allow a user to see only the "Group" view and the "Detailed" agent view, skipping pages such as "Alert view" or "Monitor view", already grouped in the classic Pandora FMS ACL system as "AR" (Agent Read Privileges).
  
To make it easier to assign and filter groups, a tool called group "All" is available. The group All means, depending on the context, ALL groups or ANY of them.  From version 3.1 its reserved identifier is ID 0, with the difference that it is totally controlled by code, without there being a group with that ID in the database.
+
This feature allows you to restrict the administration per page. It is very useful to allow some specific low-level operations.
  
== ACL Enterprise System==
+
{{Tip|Both models are "parallel" and compatible. The classic ACL system is complementary and it is evaluated prior to the ACL Enterprise system.}}
===Introduction===
 
The ACL Open Source model is based on "unix style" role/action/group/user (4 items).  
 
  
The ACL Enterprise system allows you to define -according to profile- which pages (defined one by one or by "groups") users have access to. This will allow you to redefine which sections of the interface a user can see. For example, to allow a user to visualize only the "Group" view and the "Detailed" agent view, skipping pages such as "Alert view" or "Monitor view", already grouped in the classic Pandora FMS ACL system as "AR" (Agent Read Privileges).
+
====Configuration====
  
This feature allows you to restrict the administration per page. It is very useful to allow some specific low-level operations. Both models are "parallel" and compatible, and this is only an Enterprise feature. The classic ACL system is complementary and is evaluated prior to the ACL Enterprise system.
+
In order to be able to use the new ACL system, the first step is to activate it in the configuration tab. This option is only visible if you use the Enterprise version.  
 
 
===Configuration===
 
 
 
In order to be able to use the new ACL system, the first step is to activate it in the Enterprise configuration tab. This option is only visible if you are using the Enterprise version.  
 
  
 
<br><br><center>
 
<br><br><center>
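Review bot: The new secondary groups paragraph says an agent "actually belongs to several groups at the same time", but the Groups introduction kept unchanged earlier in this diff still states that "an agent can only belong to one group". Reword the earlier sentence to say one primary group, since group membership decides who can access the agent. In the same paragraph, "That is the usual performance when using secondary groups" changes the meaning of the line it replaces ("this is the normal behavior"); keep "behavior", and drop the stray article in "and/or a "Hosting"".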
Line 278: Line 365:
 
</center><br><br>
 
</center><br><br>
  
To configure the Enterprise ACL system, go to the specific option for ACL Enterprise in Administration -> Setup. On this screen you can add new items in the new ACL System and view the items defined by profile. You can also delete items from the Enterprise ACL system.  
+
To configure the Enterprise ACL system, go to the specific option for ACL Enterprise in ''Administration'' > ''Setup''. On this screen you may add new items in the new ACL System and see the items defined by profile. You can also delete items from the Enterprise ACL system.  
  
 
<br>
 
<br>
Line 288: Line 375:
 
<br>
 
<br>
  
The Enterprise ACL system, if enabled, restricts ALL pages to ALL groups (including the Administrator!) to all defined (allowed) pages in the Enterprise ACL system. If a user with the "Administrator" profile does not have pages included in the Enterprise ACL system, they will not be able to see anything.  
+
{{warning|If the Enterprise ACL system is enabled, it restricts ALL pages to ALL groups (including the Administrator!) to all defined (allowed) pages in the Enterprise ACL system. If a user with the "Administrator" profile does not have pages included in the Enterprise ACL system, they will not be able to see anything.}}
  
 
{{warning|Please, be careful with this, because you may lose access to the console if you enable improper ACL Enterprise configuration for your user.}}
 
{{warning|Please, be careful with this, because you may lose access to the console if you enable improper ACL Enterprise configuration for your user.}}
  
If we have mistakenly lost access to the console, you can disable the Enterprise ACL system from the command line:
+
If you have mistakenly lost access to the console, you may disable the Enterprise ACL system from the command line:
  
 
  /usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl
 
  /usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl
  
You can define "page by page", "complete sections", set a rule "any" or add "custom pages" that are not accessible from the menu.
+
You can define "page by page", "complete sections", set "any" rule or add "custom pages" that are not accessible from the menu.
  
There are two ways to add pages to a profile: With the'' wizard'' (default) or with the ''custom edit''.  Above the button to add a rule, there is a button to change this mode.
+
There are two ways to add pages to a profile: with the'' wizard'' (default) or with ''custom edit''.  Above the button to add a rule, there is a button to change this mode.
  
===Wizard===
+
=====Wizard=====
  
 
In the wizard we will choose the sections and pages of some combo controls.
 
In the wizard we will choose the sections and pages of some combo controls.
  
{{warning|The pages that appear in these combos are only those accessible from the menu. To give access to pages that can be accessed in another way (e. g. the agent's main view) we must use the custom editor}}
+
{{warning|The pages that appear in these combos are only those accessible from the menu. To give access to pages that can be accessed in another way (e. g. the agent main view) use the custom editor.}}
  
 
To include a Pandora FMS page in the "allowed pages", you must select the profile to which the rule will be applied, then select in "Section" control the section that contains the desired page. You can then select any of your pages in the "Page" control.
 
To include a Pandora FMS page in the "allowed pages", you must select the profile to which the rule will be applied, then select in "Section" control the section that contains the desired page. You can then select any of your pages in the "Page" control.
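Review bot: The lockout recovery command in this hunk passes /etc/pandora_server.conf as the configuration file, while the pandora_manage.pl examples in the scheduled downtime section of this page pass /etc/pandora/pandora_server.conf. This is the command an administrator runs after losing console access, so the two paths should be reconciled and the one that matches a default installation used here. The two consecutive warning boxes could also be merged into one, since the second mostly restates the consequence described in the first.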
Line 318: Line 405:
 
Another option is to select a section and the value "All" in the "Page" control. This will allow the chosen profile to see "all" of the selected section. Also by selecting "All" in both controls, users of that profile will be allowed to view "all" of "all" sections, just as it would be without the Enterprise ACL System for that profile.
 
Another option is to select a section and the value "All" in the "Page" control. This will allow the chosen profile to see "all" of the selected section. Also by selecting "All" in both controls, users of that profile will be allowed to view "all" of "all" sections, just as it would be without the Enterprise ACL System for that profile.
  
{{warning|To display a section in the menu, the user must have access to at least the first page of the section. For example, for the "Monitoring" section to be displayed they must have access to at least "Tactical View".}}
+
{{warning|For a section in the menu to be displayed, the user must have access to at least the first page of the section. For example, for the "Monitoring" section to be displayed they must have access to at least "Tactical View".}}
  
===Personalized Editing===
+
=====Custom editing=====
  
To add individual pages that are not accessible from the menu we can manually enter your sec2. To do this, access the page we want to add and copy the parameter sec2.  
+
To add individual pages that are not accessible from the menu, you may manually enter your sec2. To that end, access the page you wish to add and copy the parameter sec2.  
  
For example, if we want to add the main view of the agents, we will enter the view of any agent and find a URL similar to this one:
+
For example, if you wish to add the main view of the agents, enter the view of any agent and find a URL similar to this one:
  
 
  http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702
 
  http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702
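Review bot: In the new "Custom editing" paragraph, "you may manually enter your sec2" does not say what is being entered or where it comes from. Suggest "you may manually enter the page's sec2 value" and, after the example URL, spell out that the value to copy is operation/agentes/ver_agente, without the sec and id_agente parameters.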
Line 338: Line 425:
 
<br>
 
<br>
  
===Security===
+
====Security====
  
Any page that is not "allowed" will not be displayed in the menu, and its use will not be allowed, even when the user enters the URL in "manual" mode. Any page that isn't allowed by the "Classic" ACL system of Pandora FMS will not be allowed by the Enterprise ACL system (this is valid for the classic ACL system). This would be a concrete example of several filters:
+
Any page that is not "allowed" will not be displayed in the menu, and its use will not be allowed, even when the user enters the URL in "manual" mode. Any page that isn't allowed by the "Classic" Pandora FMS ACL system will not be allowed by the Enterprise ACL system (this is valid for the classic ACL system). This would be a specific example of several filters:
  
 
<br>
 
<br>
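Review bot: The parenthetical "(this is valid for the classic ACL system)" in the Security paragraph is carried over unchanged and still does not parse. The sentence before it already says that a page denied by the Classic ACL system stays denied under the Enterprise ACL system, so either drop the parenthetical or replace it with a plain statement that both checks must pass.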
Line 350: Line 437:
 
<br>
 
<br>
  
In addition, there is a control that checks if a page belongs to a section, which reinforces the security against manual modifications of the URL. This check will be skipped for pages added with the custom editor as well as when you have access to all pages in a section, thus optimizing the load.
+
In addition, there is a control that checks whether a page belongs to a section, which reinforces security against manual URL modifications. This check will be skipped for pages added with the custom editor, as well as the access to each pages belonging to a full section whose access is granted, thus optimizing the load.
 +
== Servers ==
  
== Workspace ==
+
The detailed view of the servers is used to know, besides the general state of the Pandora FMS servers, their load level and delay. Let us see a screenshot of a server status screen that is reached through the operation menu > Pandora Servers.
  
This section allows you to interact with Pandora users, or edit the user's details, as well as some diverse operations, such as access to the incidences system (to open tickets), chat with other users connected to Pandora, etc.
+
<center>
 +
[[image:Server_explained_2017.png]]
 +
</center>
  
=== Chat ===
+
Some icons have special relevance, as seen in the above caption:
  
It allows to interact in a chat with other users connected to that Pandora console. Useful for example, if we want to comment something to another operator.
+
* Poll request: It asks the remote test server to run all the checks it has, forcing it to run them again. Valid for all network servers, e. g. Network server, WMI server, Plugin server, WEB server, etc.
 +
* Editing Discovery server tasks.
 +
* Edit remote server configuration. Valid for Pandora FMS servers or satellite servers .
  
=== Connected users ===
+
In addition, in this view you may see several important data, each column shows the following information:
 
 
This extension shows other users connected to the Pandora FMS Console other than their own. This functionality is important because the Pandora FMS console allows connections of multiple users.
 
 
 
The extension is accessed from ''Workspace > Connected users''.
 
 
 
<center><br><br>
 
[[image:ex4b.png|800px]]
 
</center><br><br>
 
 
 
=== Messages ===
 
 
 
Pandora FMS has a tool that allows different users to send messages among themselves.
 
 
 
==== See messages ====
 
 
 
When a user has a message, an envelope icon appears at the top right of the console.
 
 
 
<center><br><br>
 
[[image:gest20.png|600px]]
 
</center><br><br>
 
 
 
Messages that have a user can be viewed in ''Workspace > Messages > Messages list'', and from there you can read, delete or write a message for a specific group or user.
 
  
 +
*Server name, usually the hostname of the machine.
 +
*Status (green = active, grey = stopped or down).
 +
*Server type: data server, network server, etc.
 +
*Progress bar indicating the total module load percentage for that type of server. In this case, all servers are at 100% except for recon server, which has no associated tasks so it is at 0%.
 +
*Number of such modules executed by the server with respect to the total number of such modules.
 +
*Server Lag: Highest amount of time spent by the oldest module waiting to receive data / Nº of modules out of their lifetime. In this example, there are approx. 3000 modules out of their lifespan, with a lag time of 10 minutes 13 seconds. This indicator is useful to know if you have many modules and to know if the server is at load capacity limit, as it is this case. Although it does not have an excessive delay (10 minutes 13 sec, for modules that have a lifespan average of 5 min), the number of modules out of time is considerable. In the case of the network server, this figure is much lower, being only 19 modules with a lag (10 minutes) of a total of almost 1500 modules.
 +
*Total number of threads configured on the server: Total number of modules in queue waiting to be attended. These parameters reflect excessive load status. There should almost never be queued modules. This reflects the server's inability to process the data.
 +
*Number of seconds since the server updated its data. Each server has a "Keepalive" that updates its status, to make sure it is active and updating its statistics.
  
 
==Credential store==
 
==Credential store==
  
{{WIP}}
 
  
Pandora FMS dispone de un almacén de credenciales.
+
Pandora FMS features a credential store. This repository manages the IDs used in sections such as Discovery Cloud or agent automatic deployment.
 
 
Este almacén gestiona las identidades que se utilizarán en secciones como Discovery Cloud o el despliegue automático de agentes.
 
  
 
<center>
 
<center>
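Review bot: The rewritten last clause of the Security paragraph, "as well as the access to each pages belonging to a full section whose access is granted", is ungrammatical and harder to follow than the sentence it replaces. Suggest "This check is skipped for pages added with the custom editor and for profiles granted access to a whole section". Since it describes when a URL check is not applied, the wording needs to be unambiguous. In the Servers list moved into this hunk, the bullet "Total number of threads configured on the server: Total number of modules in queue waiting to be attended" still reads as two different columns joined by a colon and should be split.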
Line 397: Line 472:
 
</center>
 
</center>
  
A continuación acceda a la pestaña "Almacén de credenciales"
+
Next, the "Credential store" tab is displayed.
  
 
<center>
 
<center>
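Review bot: "Next, the "Credential store" tab is displayed" turns the instruction in the Spanish source ("acceda a la pestaña") into a description, so the step the reader has to take is lost. Suggest "Next, go to the "Credential store" tab".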
Line 404: Line 479:
  
  
Dispone de tres tipos distintos de credenciales para registrar:
+
There are three different login information types to register:
  
# Credenciales de Amazon Web Services
+
# Amazon Web Services (AWS) login information
# Credenciales de Microsoft Azure
+
# Microsoft Azure login information
# Credenciales personalizadas
+
# Custom login information
  
  
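Review bot: The three list items translate "Credenciales" as "login information", while the section heading and the tab are called "Credential store". Use "credentials" in all three items (for example "Amazon Web Services (AWS) credentials") so the terms match the heading.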
Line 414: Line 489:
  
  
Para agregar una nueva entrada presione el botón agregar y rellene la información requerida en el pop-up.
+
To add a new entry, press the "add" button and fill out the pop-up form.  
  
  
El grupo asignado a la clave controla la '''visibilidad''' de la misma. Es decir, si asigna la clave 'test' al grupo 'All', '''todos''' los usuarios de su consola Pandora FMS podrán utilizar dicha clave.
+
The group assigned to the password controls its '''visibility'''. That means that if the password 'test' is assigned to the group named 'All', '''all''' Pandora FMS console users will be able to see said password.
  
Del mismo modo, si asocia 'test' al grupo 'Applications', solo los usuarios con permisos sobre 'Applications' tendrán acceso a la clave.
+
In a similar way, if 'test' is allocated to the group named 'Applications', only users with permissions on 'Applications' will have access to the password.
  
  
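Review bot: The translation of the visibility paragraph changes what the group grants. The Spanish source says all users "podrán utilizar dicha clave" (will be able to use the key), but the new line says they "will be able to see said password". Use "use" unless the console really displays the stored secret, and translate "clave" as "key" or "credential" rather than "password", since the entry 'test' is a stored credential of one of the three types listed above, not necessarily a password.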
Line 426: Line 501:
  
  
Una vez agregada podrá consultar, filtar, etc.
+
Once added, it can be checked, filtered etc.
  
 
[[File:Cred_store5.png]]
 
[[File:Cred_store5.png]]
  
  
Dentro de la edición de clave lo único que no podrá modificarse es el tipo de credencial:
+
Within password customization, the only thing that cannot be modified is the type of login information:
  
  
 
[[File:Cred_store6.png]]
 
[[File:Cred_store6.png]]
 
 
 
==Software agents repository==
 
 
{{WIP}}
 
 
El repositorio de agentes software forma parte del centro de despliegues, es donde controlan las versiones disponibles de los instaladores de agentes (programas) para ser desplegados.
 
 
Puede acceder a través del menú:
 
 
<center>
 
[[File:Agent_repo1.png]]
 
</center>
 
 
 
Para agregar un nuevo instalador al repositorio presione el botón 'Agregar agente'
 
 
[[File:Agent_repo2.png]]
 
 
 
Rellene la información correspondiente al tipo de sistema operativo objetivo, la arquitectura, el archivo de instalación, etc.
 
 
<center>
 
[[File:Agent_repo3.png]]
 
</center>
 
 
 
'''Nota:''' Los instaladores para Linux (y toda la familia Unix y BSD) son comunes para todas las arquitecturas. Tanto x64, x86, ARM, etc comparten el mismo instalador.
 
 
 
 
Verifique que la subida ha sido satisfactoria:
 
 
<center>
 
[[File:Agent_repo4.png]]
 
</center>
 
 
 
Aparecerá en la lista el instalador de agente subido, con su versión, quién y cuándo lo subió, etétera:
 
 
<center>
 
[[File:Agent_repo5.png]]
 
</center>
 
 
 
== Servers ==
 
 
The detailed view of the servers is used to know, besides the general state of the Pandora FMS servers, its load level and delay. Let's see a screenshot of a server status screen, that we remember, is reached through the operation menu -> Pandora Servers.
 
 
<center>
 
[[image:Server_explained_2017.png]]
 
</center>
 
 
Some icons have special relevance, as seen in the above caption:
 
 
* Poll request: It requests the remote test server to run all the checks it has, forcing it to run them again. Valid for all network servers, e. g. Network server, WMI server, Plugin server, WEB server, etc.
 
* Editing recon server tasks.
 
* Edit remote server configuration. Valid for Pandora servers or satellite servers .
 
 
In addition, in this view we can see several important data, each column shows the following information:
 
 
*Server name, usually uses the hostname of the machine.
 
*Status (green = active, grey = stopped or dropped).
 
*Server type: data server, network server, etc.
 
*Progress bar indicating the load percentage of total modules for that type of server. In this case all servers are at 100% except recon server, which has no associated tasks so it is at 0%.
 
*Number of such modules executed by the server with respect to the total number of such modules.
 
*Server Lag: Higher time spent by the oldest module waiting to receive data / Nº of modules that are out of their lifetime. In this example there are approx. 3000 modules out of their lifespan, with a lag time of 10 minutes 13 seconds. This indicator is useful to know if we have many modules and to know if the server is at the limit of its load capacity, as it is this case, that without being an excessive delay (10 minutes 13 sec, for modules that on average have a life time of 5 min), the number of modules that are out of time is considerable. In the case of the network server this figure is much lower, being only 19 modules with lag (10 minutes) of a total of almost 1500 modules.
 
*Total number of threads configured on the server: Total number of modules in queue waiting to be attended. These parameters reflect excessive load status. There should almost never be queued modules; this reflects the server's inability to process the data.
 
*Number of seconds since the server updated its data. Each server has a "Keepalive" that updates its status, to make sure it is active and updating its statistics.
 
 
== Backup ==
 
 
Extension that allows backing up the DB and restore it.
 
 
To make a backup, you must first select the destination folder where the data will be stored. Once chosen, we will write a description of the backup we are going to make.
 
 
<center><br><br>
 
[[image:ex12.png|800px]]
 
</center><br><br>
 
 
When the backup is done, it appears in the Backup list with the running icon.
 
 
<center>
 
[[image:ex13.png|800px]]
 
</center>
 
 
Once the Backup has been created, it is possible to:
 
* Download it by clicking on this icon:
 
 
<center>
 
[[image:ex14.png]]
 
</center>
 
 
*Do a rollback by clicking on this icon:.
 
 
<center>
 
[[image:ex15.png]]
 
</center>
 
 
The rollback applies a previously created backup and restores it. This will destroy all existing data in the console and apply the data that exists in the backup on which the rollback is made.
 
 
{{Warning|With this tool we will only be able to recover the backup of the database made with this utility. It is not possible to load a backup done manually.}}
 
 
* Delete it by clicking on this icon:
 
 
<center>
 
[[image:ex16.png]]
 
</center>
 
 
== Cron Job ==
 
 
''(Only Enterprise version)''
 
 
This extension allows you to schedule the execution of tasks from Pandora's server.
 
 
The extension can be accessed from ''Servers > Cron jobs''.
 
 
<center><br><br>
 
[[File:Cron_jobs.jpg|800px]]
 
</center><br><br>
 
 
To add a task, the following fields must be filled in:
 
* '''Task''': combo where the task to perform can be chosen.
 
**Send personalized report via e-mail
 
** Run custom script
 
** Pandora FMS BD Backup Copy
 
** Save custom report to disk
 
* '''Schedule''':  Field where the frecuency of the task performance can be chosen.
 
** Without schedule: These tasks will be executed only once and at the specified time..
 
** Hourly
 
** Daily
 
** Weekly
 
** Monthly
 
** Yearly
 
* '''First run''': Field where the date and time of the first execution of the task is chosen; it will be executed periodically, taking this date and time as a reference.
 
* '''Parameters''': Field that allows entering parameters in the task to be performed.  It varies by task.
 
** ''Pandora FMS BD Backup Copy'': Description and path where the backup will be stored.
 
** ''Send report via e-mail'': report to be sent and recipient's e-mail address.
 
** ''Run script'': script command to run.
 
** ''Save report to disk'': report to be saved and its path to be stored.
 
 
Once the data has been filled in, click on create and the task appears in the list of scheduled tasks.
 
 
<center><br><br>
 
[[File:Cron_jobs_list.jpg|800px]]
 
</center><br><br>
 
 
Once the scheduled task has been created, it is possible to force its execution by clicking on the green circle to the right of the task or delete it by clicking on the red cross on the left.
 
 
 
{{tip|If the cron job is "non scheduled" type, it will be eliminated when executed.}}
 
  
 
== Scheduled downtimes ==
 
== Scheduled downtimes ==
 
===Introduction===
 
===Introduction===
Pandora FMS has a small management system of planned downtimes. This system allows you to deactivate the alerts at intervals when there is a downtime, deactivating the agent. When an agent is deactivated it doesn't collect information either, so that in a downtime, for most metrics or report types, the intervals where there is a downtime are not taken into account in the reports because there is no data in the agents during those intervals.
+
Pandora FMS has a small scheduled downtime management system. This system allows you to disable alerts at intervals when there is a downtime, disabling the agent. When an agent is disabled it does not collect information either, so that in a downtime, for most metrics or report types, the intervals where there is a downtime are not taken into account in the reports because there is no data in the agents during those intervals.
  
 
<center>
 
<center>
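Review bot: This hunk drops the whole Backup section, including the statement that a rollback destroys all existing data in the console and the warning that only backups made with the extension can be restored, while the Cron Job section re-added further down still offers a "Pandora FMS BD Backup" task. If the section is not being moved elsewhere on the page, keep at least those two statements next to the backup task. In the translated credential store text, "Within password customization" should read "When editing a credential", matching "edición de clave".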
Line 608: Line 531:
 
</center>
 
</center>
  
We find the following configurable parameters:
+
You will find the following configurable parameters:
  
 
* '''Name:''' Name of the scheduled downtime.
 
* '''Name:''' Name of the scheduled downtime.
* '''Group:''' The group to which we want it to belong to.
+
* '''Group:''' The group you want it to belong to.
 
* '''Description'''.
 
* '''Description'''.
* '''Type:''' we can set the following types of downtimes:
+
* '''Type:''' You may set the following types of downtimes:
** ''Quiet:'' Marks as "quiet" the modules we indicate, so they will not generate alerts, events, and will not store historical data.
+
** ''Quiet:'' Check as "quiet" the indicated modules, so they will not generate alerts nor events.
** ''Disable Agents:'' Disables the selected agents. It is important to know that if an agent is manually disabled before the task is triggered, it will become enabled once this task is completed.
+
** ''Disable Agents:'' It disables the selected agents. It is important to know that if an agent is manually disabled before the task is launched, it will become enabled once this task is completed.
** ''Disable Alerts:'' Disables alerts of selected agents.
+
** ''Disable Alerts:'' It disables alerts of selected agents.
* '''Execution:''' Allows us to configure whether we want it to run once or periodically.
+
* '''Execution:''' It allows to configure whether you want it to run once or periodically.
* '''Set time:''' Setting the day and time at which the planned stop will start and end either once or periodically, depending on what has been previously configured in "Execution".
+
* '''Set time:''' Setting the day and time at which the scheduled downtime will start and end either once or periodically, depending on what has been previously configured in "Execution".
  
  
{{tip|If the administrator of Pandora FMS enables it in the visual configuration section, it is possible to create planned stops in a last date. They will not be executed, but their existence will be reflected in different reports. This is particularly relevant since it affects, among others, availability reports and SLAs.}}
+
{{tip|If the Pandora FMS administrator enables it in the visual configuration section, it is possible to create scheduled downtimes in a past date. They will not be executed, but their existence will be reflected in different reports. This is particularly relevant since it affects, among others, availability reports and SLAs.}}
  
 
<center>
 
<center>
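Review bot: The new "Quiet" description drops "and will not store historical data", which changes the documented behaviour of a quiet downtime rather than just its wording; confirm that modules in quiet mode do keep storing data before removing it. "Check as "quiet" the indicated modules" also reads as an instruction to the user; "Marks the indicated modules as "quiet"" keeps it a description like the other two types.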
Line 628: Line 551:
 
</center>
 
</center>
  
Finally we specify which specific agents we want to include in that downtime.
+
Finally, specify which specific agents you want to include in that downtime.
  
 
<center>
 
<center>
Line 636: Line 559:
 
</center>
 
</center>
  
When a programmed downtime is "active" it cannot be modified or deleted, but from version 5.0 onwards there is an option where we can stop the execution in "Stop downtime", so that all the agents/modules/alarms that the scheduled downtime is temporarily disabling can be re-enabled. This option does not support periodic planned downtimes. From version 6.0 onwards, you can postpone planned non-periodic downtimes even if they are 'active'. When this downtime is over, we can modify or delete it.
+
When a scheduled downtime is "active", it cannot be modified or deleted, but from version 5.0 onwards there is an option where you may stop the execution in "Stop downtime", so that all agents/modules/alarms that the scheduled downtime disabled temporarily may be re-enabled. This option does not support periodic scheduled downtimes. From version 6.0 onwards, non-periodic scheduled downtimes can be delayed even if they are 'active'. When this downtime is over, you may modify or delete it.
  
=== Alternatives to downtime management on the console ===
+
=== Alternatives to console downtime management ===
  
There are often certain "cyclical" situations that we have to take into account and the method of managing downtimes is too specific: for example, we want to be able to deactivate all agents quickly and on time or to plan a general downtime every week from a certain time to another. For this type of operations, there are ways to do it from the command line.
+
There are often certain "cyclical" situations to be taken into account and the method of downtime management is too specific: for example, you may want to be able to deactivate all agents quickly and on time or to plan a general downtime every week from time to time. For this type of operations, there are ways to do it from the command line.
  
There is a faster way to put all agents in service mode, through the use of the CLI,'' pandora_manage. pl'' of Pandora management through the command line:
+
There is a faster way to set all agents in service mode, through the use of Pandora FMS management CLI, ''pandora_manage. pl'' through the command line:
  
 
  ./pandora_manage.pl /etc/pandora/pandora_server.conf --enable_group 1
 
  ./pandora_manage.pl /etc/pandora/pandora_server.conf --enable_group 1
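Review bot: In the rewritten "Alternatives" paragraph, "every week from time to time" no longer means what the old text said ("from a certain time to another", a fixed weekly window). Suggest "every week between two given times". The file name is also still split as "pandora_manage. pl" and should be "pandora_manage.pl", as in the command below it.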
Line 654: Line 577:
 
  [INFO] Enabling group 1
 
  [INFO] Enabling group 1
  
This activates all agents; to disable them, it would be the same but slightly different:
+
Disabling them would be the following way:
  
 
  ./pandora_manage.pl /etc/pandora/pandora_server.conf --disable_group 1
 
  ./pandora_manage.pl /etc/pandora/pandora_server.conf --disable_group 1
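Review bot: The replacement line "Disabling them would be the following way:" removes the only sentence stating that the preceding --enable_group 1 command activates all agents, and the new wording is awkward. Suggest "This enables all agents. To disable them instead:".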
Line 660: Line 583:
 
== Audit Log ==
 
== Audit Log ==
  
Pandora FMS keeps a log of all the changes and important actions that occur in the Pandora FMS console. This log can be viewed in the ''Admin tools > System Audit Log''.
+
Pandora FMS keeps a log of all changes and important actions taken in Pandora FMS console. This log can be seen in ''Admin tools'' > ''System Audit Log''.
  
 
<center><br><br>
 
<center><br><br>
Line 666: Line 589:
 
</center><br><br>
 
</center><br><br>
  
On this screen, you can see a series of entries related to console activity, user information, action type, date and a brief description of the recorded events.
+
On this screen, you may see a series of entries related to console activity, user information, action type, date and a brief description of the events recorded.
  
 
<center>
 
<center>
Line 672: Line 595:
 
</center>
 
</center>
  
In the upper left corner, you can filter which entry is going to be displayed by different criteria including: actions, user and IP, you can even perform a text search and determine the maximum hours.
+
In the upper left corner, you may filter which entry will be displayed by different criteria including: actions, user and IP, you may even perform a text search and determine the maximum amount of hours.
  
 
The available filtering fields:
 
The available filtering fields:
  
* '''Action''': las diferentes acciones posibles entre las que filtrar -> ACL Violation, Agent management, Agent remote configuration, Alert management, Command management, Dashboard management, Event alert management, Event deleted, Extension DB inface, File collection, Logoff, Logon, Logon Failed, Massive management, Module management, No session, Policy management, Report management, Setup, System, Template alert management, User management, Visual console builder.
+
* '''Action''': The different possible filtering actions > ACL Violation, Agent management, Agent remote configuration, Alert management, Command management, Dashboard management, Event alert management, Event deleted, Extension DB inface, File collection, Logoff, Logon, Logon Failed, Massive management, Module management, No session, Policy management, Report management, Setup, System, Template alert management, User management, Visual console builder.
 
* '''User'''.
 
* '''User'''.
* '''Free text for search''': it will search in the fields ''User'', ''Action'' and ''Comments''.
+
* '''Free text for search''': It will search in the fields ''User'', ''Action'' and ''Comments''.
* '''Max. Hours old''': number of backward hours in which to display events.
+
* '''Max. Hours old''': Number of backward hours where to display events.
* '''IP''':  IP address of origin.
+
* '''IP''':  Source IP address.
  
 
It is also possible to export the information displayed on the screen to a CSV file by clicking on the button at the top right of the screen.
 
It is also possible to export the information displayed on the screen to a CSV file by clicking on the button at the top right of the screen.
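Review bot: In the Action bullet, "The different possible filtering actions >" uses ">" as a separator, which elsewhere on this page marks a menu path; a colon is clearer ("Actions that can be filtered on: ACL Violation, ..."). "Extension DB inface" is carried over from the old text and looks like a typo, so check it against the label shown in the console. "Number of backward hours where to display events" would read better as "only show entries from the last N hours".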
Line 687: Line 610:
 
[[image:audit_02.png]]
 
[[image:audit_02.png]]
 
<br>
 
<br>
Available actions to filter
+
Available filtering actions
 
<br>
 
<br>
 
</center>
 
</center>
 
<br>
 
<br>
  
With this tool, you can search, for example, for the task that a user performs on managing agents in the last hour.
+
With this tool, you may search, for example, for the task that a user performs on agent management in the last hour.
  
 
<center>
 
<center>
Line 698: Line 621:
 
</center>
 
</center>
  
Or the moment when a given user has logged on to the console. You can retrieve all information about actions performed by the entire user.
+
Or the moment when a given user has logged in the console. You may retrieve all information about the actions performed by the entire user.
In addition, you can see the Pandora server service start date or when the console configuration was changed.
+
In addition, you may see the Pandora FMS server service start date or when the console configuration was changed.
  
 
<center>
 
<center>
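Review bot: "the actions performed by the entire user" is carried over from the old text and does not make sense; suggest "all actions performed by that user". "logged in the console" should be "logged in to the console".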
Line 707: Line 630:
 
== Local server logs ==
 
== Local server logs ==
  
In the latest versions of the Pandora FMS console, you can check the status of the logs through the menu <i>Extensions > Extension management > System logs</i>.
+
In latest Pandora FMS console versions, log status can be checked through the menu <i>Extensions > Extension management > System logs</i>.
  
  
Line 714: Line 637:
 
</center>
 
</center>
  
From this extension you can view the logs of both the console and the local server:
+
From this extension you may see the logs of both the console and the local server:
  
 
<center>
 
<center>
Line 721: Line 644:
  
  
If you are unable to view the content, please check the permissions of your log files:
+
If you cannot see the content, check your log file permissions:
  
 
  chown -R pandora:apache /var/log/pandora/
 
  chown -R pandora:apache /var/log/pandora/
  
  
You can adjust the logrotate options to maintain this setting by modifying the file /etc/logrotate.d/pandora_server
+
You may change the rotator options to keep these settings by modifying the /etc/logrotate.d/pandora_server file.
  
 
<pre>
 
<pre>
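Review bot: "You may change the rotator options" replaces the tool name with a generic word; keep "logrotate", since the file being edited is /etc/logrotate.d/pandora_server. It would also help to say which setting is being kept, namely the pandora:apache ownership applied by the chown command above.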
Line 754: Line 677:
  
  
Note: If your system is SuSE, replace apache with www-data; in case of using a different system, check the users corresponding to the Apache service.  
+
Note: If your system is SuSE, replace apache with www-data. In case of using a different system, check the users corresponding to the Apache service.  
 
(httpd)
 
(httpd)
 
<br>
 
<br>
 +
 +
== Cron Job ==
 +
 +
This Pandora FMS Enterprise extension allows to schedule task execution from Pandora FMS server.
 +
 +
The extension can be accessed from ''Servers'' > ''Cron jobs''.
 +
 +
<center><br><br>
 +
[[File:Cron_jobs.jpg|800px]]
 +
</center><br><br>
 +
 +
To add a task, the following fields must be filled in:
 +
* '''Task''': Combo where the task to perform can be chosen.
 +
**Send custom report via e-mail
 +
** Run custom script
 +
** Pandora FMS BD Backup
 +
** Save custom report in disk
 +
* '''Schedule''':  Field where task frequency can be chosen.
 +
** Without schedule: These tasks will be executed only once and at the specified time..
 +
** Hourly
 +
** Daily
 +
** Weekly
 +
** Monthly
 +
** Yearly
 +
* '''First run''': Field where the date and time of the first task execution is chosen. It will be executed periodically, taking this date and time as a reference.
 +
* '''Parameters''': Field that allows entering parameters in the task to be performed. It varies by task.
 +
** ''Pandora FMS BD Backup'': Description and path where the backup will be stored.
 +
** ''Send report via e-mail'': Report to be sent and recipient's e-mail address.
 +
** ''Run script'': Script command to run.
 +
** ''Save report to disk'': Report to be saved and the path to store it.
 +
 +
Once the data has been filled in, click on create and the task will appear in the scheduled tasks list.
 +
 +
<center><br><br>
 +
[[File:Cron_jobs_list.jpg|800px]]
 +
</center><br><br>
 +
 +
Once the scheduled task has been created, it is possible to force its execution by clicking on the green circle to the right of the task or delete it by clicking on the red cross on the left.
 +
 +
 +
{{tip|If the cron job is "non scheduled", it will be deleted automatically when executed.}}
 +
  
 
== DB management from the console ==
 
== DB management from the console ==
  
the core of Pandora FMS system is its database. It stores all data collected by monitored systems, agent configuration, alarms, events, audit data, different users and their data. That is, all system data.
+
The core of Pandora FMS system is its database. It stores all data collected by monitored systems, agent configuration, alerts, events, audit data, different users and their data. That is, all system data.
  
The efficiency and reliability of this module is vital for the correct functioning of Pandora FMS, the maintenance of Pandora FMS database in good condition is critical for Pandora FMS to work correctly.  
+
Efficiency and reliability are vital for Pandora FMS to work properly, so database maintenance is essential.  
  
To perform regular database maintenance, administrators can use standard MySQL commands from the command line or manage the database from the console without extensive knowledge of Mysql.
+
To perform regular database maintenance, administrators can use standard MySQL commands from the command line or manage the database from the console although they may not have extensive Mysql knowledge.
  
Pandora FMS has multiple extensions to watch information from the database.
+
Pandora FMS has multiple extensions that can be used from the console to see information from the database.
  
 
=== Diagnostic tool ===
 
=== Diagnostic tool ===
  
In this section we can visualize general information about Pandora FMS installation. It is necessary to emphasize the great amount of information that is obtained from the database, where the recommended parameters can be observed, as well as warnings about existing values that need to be changed.
+
This section shows general information about Pandora FMS installation. It is necessary to emphasize the high amount of information that is obtained from the database, where the recommended parameters can be seen, as well as warnings about existing values that need to be changed.
  
 
<center><br><br>
 
<center><br><br>
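Review bot: In the added Parameters list, the "Run script" entry says only "Script command to run" and does not state which operating-system account executes the command or which profile may create such a task; since this schedules arbitrary commands from the console, document both. Smaller points in the same hunk: the "Without schedule" line ends in "..", the backup task is called "Pandora FMS BD Backup" while the rest of the page says DB, and "Mysql" should read "MySQL".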
Line 791: Line 756:
 
=== DB Interface ===
 
=== DB Interface ===
  
This is an extension that allows you to execute commands in the database and see the result. It is an advanced tool that should only be used by people who know SQL and the Pandora FMS database schema in enough detail.  
+
This is an extension that allows you to execute commands in the database and see the result. It is an advanced tool that should only be used by people who have a certain amount of knowledge about SQL and the Pandora FMS database schema.  
  
 
{{warning|If misused, this  tool may "destroy" data or permanently render the application inoperative.}}
 
{{warning|If misused, this  tool may "destroy" data or permanently render the application inoperative.}}
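Review bot: The reworded DB Interface sentence lowers the bar from people who know SQL and the schema "in enough detail" to people with "a certain amount of knowledge", while the warning directly below still says misuse can destroy data or leave the application inoperative; keep the stricter wording and say which profile is expected to have access to this extension.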
Line 805: Line 770:
 
=== DB Schema Check ===
 
=== DB Schema Check ===
  
This is an extension that allows you to check the structural differences between the database established in your Pandora FMS and a pattern scheme to compare possible errors.  
+
This is an extension that allows to check the structural differences between the database set in your Pandora FMS and a pattern scheme to compare possible errors.  
  
The operation is as follows:
+
It works like this:
 
* A temporary database is created with the structure that the installation database should have (different depending on the installed version).
 
* A temporary database is created with the structure that the installation database should have (different depending on the installed version).
 
* The database created is compared with the database referenced in the installation.
 
* The database created is compared with the database referenced in the installation.
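Review bot: The added sentence "allows to check the structural differences ... and a pattern scheme to compare possible errors" is missing its object and is hard to parse; suggest "allows you to compare the structure of your Pandora FMS database against a reference schema in order to detect errors".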
Line 819: Line 784:
 
Enter the data to access your database and click on "Run test".
 
Enter the data to access your database and click on "Run test".
  
{{Tip|It is recommended to use this extension to check if a database migration has been performed correctly.}}
+
{{Tip|It is recommended to use this extension to check whether a database migration has been correctly performed.}}
  
 
{{Warning|This check can only be done in MySQL Databases.}}
 
{{Warning|This check can only be done in MySQL Databases.}}
 +
 +
== Network Tools ==
 +
 +
*<b>Traceroute path</b>: If empty, Pandora FMS will search the traceroute system.
 +
*<b>Ping path</b>: If empty, Pandora FMS will search the ping system.
 +
*<b>Nmap path</b>: If empty, Pandora FMS will search the nmap system. 
 +
*<b>Dig path</b>: If empty, Pandora FMS will search the dig system. 
 +
*<b>Snmpget path</b>: If empty, Pandora FMS will search the snmpget system.
 +
 +
== Backup ==
 +
 +
Extension that allows backing up the DB and restoring it.
 +
 +
To make a backup, first select the destination folder where the data will be stored. Once chosen, write a backup description.
 +
 +
<center><br><br>
 +
[[image:ex12.png|800px]]
 +
</center><br><br>
 +
 +
When the backup is done, it will appear in the Backup list with the running icon.
 +
 +
<center>
 +
[[image:ex13.png|800px]]
 +
</center>
 +
 +
Once the Backup has been created, it is possible to:
 +
* Download it by clicking on this icon:
 +
 +
<center>
 +
[[image:ex14.png]]
 +
</center>
 +
 +
*Do a rollback by clicking on this icon:.
 +
 +
<center>
 +
[[image:ex15.png]]
 +
</center>
 +
 +
The rollback applies a previously created backup and restores it. This will destroy all existing data in the console and apply the data that exists in the backup on which the rollback is made.
 +
 +
{{Warning|By means of this tool it is possible to recover the database backup made through this feature. It is not possible to load a manual backup.}}
 +
 +
* Delete it by clicking on this icon:
 +
 +
<center>
 +
[[image:ex16.png]]
 +
</center>
 +
 +
 +
 +
 +
  
 
== Plugin log ==
 
== Plugin log ==
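Review bot: In the added Backup section, the rollback paragraph and its warning sit between the "Do a rollback" and "Delete it" bullets, so the statement that a rollback destroys all existing console data is easy to miss; move it directly under the rollback bullet, put the data-loss statement inside the {{Warning}} itself, and drop the stray "." after "this icon:". In the added Network Tools list, "will search the traceroute system" does not say what is searched when the path is left empty; the same wording recurs in the other four entries.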
Line 827: Line 844:
 
Extension that allows you to easily register server plugins.
 
Extension that allows you to easily register server plugins.
  
The extension can be accessed through ''Servers > Register plug-in''.
+
The extension can be accessed through ''Servers'' > ''Register plug-in''.
  
 
<center><br><br>
 
<center><br><br>
Line 833: Line 850:
 
</center><br><br>
 
</center><br><br>
  
To register a plugin choose the file by clicking on Browse and click on "Upload".
+
To register a plugin choose the file by clicking on "Browse" and "Upload".
  
 
More information about server plugins can be found in the development and extension chapter.
 
More information about server plugins can be found in the development and extension chapter.
  
You can see it in the section [[https://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Anexo_Agent_Plugins|Server Plugin Development]] the format of the .pspz files.
+
You may see in section [[https://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Anexo_Agent_Plugins|Server Plugin Development]] the format of the .pspz files.
  
 
== Insert data ==
 
== Insert data ==
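Review bot: The added "You may see in section [[https://...|Server Plugin Development]]" line keeps an external URL inside double square brackets with a pipe, which is internal-link syntax; use an internal page link or single-bracket external-link syntax, and reorder the sentence to "The format of .pspz files is described in ...". The new upload sentence also loses the verb for the second button; "clicking on "Browse" and then on "Upload"" reads unambiguously.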
Line 847: Line 864:
 
</center><br><br>
 
</center><br><br>
  
The format of the CSV file must be date; value per line. The date must be given in Y/m/d H: i: s format:
+
The format of the CSV file must be date;value per line. The date must be given in Y/m/d H:i:s format:
  
 
  2011/08/06 12:20:00;77.0
 
  2011/08/06 12:20:00;77.0
 
  2011/08/06 12:20:50;68.8
 
  2011/08/06 12:20:50;68.8
  
== Importing group from CSV ==
 
 
''(Enteprise feature)''
 
 
Extension that allows to import a file separated by some separator in the Pandora server.
 
 
It's accessible from ''Admin tools > Extensions manager > CSV import group''.
 
 
<center><br><br>
 
[[image:ex17.png|800px]]
 
</center><br><br>
 
 
Choose the file to import by clicking on "Select file" and from a combo you choose the separator. Once you have completed the above fields, click on "Go".
 
 
The CSV file must contain the following fields in the following order: Group Name, Icon, Parent ID and Propagate (1 or 0).
 
  
 
== Resource registration ==
 
== Resource registration ==
This extension allows you to import .prt files containing the definition of network component, smnp component, local component or wmi component. You can also add all of them (except the local component) to a template.
+
This extension allows you to import .prt files containing the definition of network component, smnp component, local component or wmi component. You may also add all of them (except for the local component) to a template.
  
 
<center><br><br>
 
<center><br><br>
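Review bot: The added Resource registration line still reads "smnp component"; it should be "SNMP component", with "WMI" capitalised to match. The "Importing group from CSV" section is removed in this hunk, so any link that targets its heading anchor should be checked.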
Line 934: Line 936:
 
==Text string translator==
 
==Text string translator==
  
This extension belongs to the section ''Setup > Translate string'' and allows translating text strings of the Pandora FMS interface to customize it.
+
This extension belongs to the menu ''Setup > Translate string'' and allows translating Pandora FMS interface text strings to customize it.
  
 
<center><br><br>
 
<center><br><br>
Line 942: Line 944:
 
The fields to be filled in are detailed below:
 
The fields to be filled in are detailed below:
  
* '''Language''': allows to filter the strings by language.
+
* '''Language''': It allows to filter strings by language.
* '''Free text for search (*)''': Content of the string you want to customize.
+
* '''Free text for search (*)''': Content of the string you wish to customize.
 +
 
 +
Three columns will appear: the first one will show the original string, the second one the current translation and in the third one the custom translation you wish to add.
 +
 
 +
== Workspace ==
 +
 
 +
This section allows interacting with Pandora FMS users, or edit the user's details, as well as several actions, such as access to the issue system (to open tickets), chatting with other users connected to Pandora FMS, etc.
 +
 
 +
=== Chat ===
 +
 
 +
It allows to interact with other users connected to that Pandora FMS console through a chat. It is useful in case you want to say something to another operator for example.
 +
 
 +
===Issues===
 +
 
 +
Pandora FMS allows managing issues from the console thanks to its integration with Integria IMS.
 +
 
 +
For more information about this tool, check issue management with Integria IMS.
 +
 
 +
=== Messages ===
 +
 
 +
Pandora FMS has a tool that allows different users to send messages among themselves.
 +
 
 +
==== See messages ====
 +
 
 +
When a user has a message, an envelope icon appears at the top right of the console.
 +
 
 +
<center><br><br>
 +
[[image:gest20.png|600px]]
 +
</center><br><br>
 +
 
 +
User messages can be seen in ''Workspace > Messages > Messages list'', and from there you may read, delete or write a message to a specific group or user.
 +
 
 +
=== Connected users ===
 +
 
 +
This extension shows other users connected to the Pandora FMS Console other than their own. This feature is important because Pandora FMS console allows multiple user connections.
 +
 
 +
The extension is accessed from ''Workspace > Connected users''.
 +
 
 +
<center><br><br>
 +
[[image:ex4b.png|800px]]
 +
</center><br><br>
 +
 
 +
==Software agent repository==
 +
 
 +
Software agent repository is part of the deployment center, which controls agent installer available versions (programs) to be deployed.
 +
 
 +
You may access it through this menu:
  
Three columns will appear: in the first one it will show the original string, in the second, one the current translation and in the third one the custom translation that you want to add.
+
<center>
 +
[[File:Agent_repo1.png]]
 +
</center>
 +
 
 +
 
 +
To add a new installer to the repository, click "Add agent".
 +
 
 +
[[File:Agent_repo2.png]]
 +
 
 +
 
 +
Fill out the information related to the target OS type, the architecture, the installing file, etc.
 +
 
 +
<center>
 +
[[File:Agent_repo3.png]]
 +
</center>
 +
 
 +
 
 +
'''Note:''' Installers for Linux (and all Unix and BSD range) are shared by all architectures. Both x64, x86, ARM, etc share the same installer.
 +
 
 +
 
 +
 
 +
Make sure the upload was successful:
 +
 
 +
<center>
 +
[[File:Agent_repo4.png]]
 +
</center>
 +
 
 +
 
 +
The uploaded agent installer will appear on the list together with the information about its version, by whom and when it was uploaded etc.:
 +
 
 +
<center>
 +
[[File:Agent_repo5.png]]
 +
</center>
 +
 
 +
== Custom themes ==
 +
 
 +
Pandora FMS offers the possibility of uploading CSS files, in order to set custom themes in the visual console.
 +
 
 +
To that end, include the following comment in the CSS file:
 +
 
 +
/*
 +
Name: My custom Theme
 +
*/
 +
 
 +
Then, import the CSS file to the following path:
 +
 
 +
pandorafms/pandora_console/include/styles/CustomTheme.css
 +
 
 +
Once the desired themes are uploaded, go to ''Setup > Setup > Visual styles'' and select the appropriate theme from the ''Style template'' drop-down.
 +
 
 +
<center>
 +
[[File:CustomTheme1.png]]
 +
</center><br>
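Review bot: In the added Custom themes section, "import the CSS file to the following path" gives a relative path (pandorafms/pandora_console/include/styles/CustomTheme.css) without saying what it is relative to, whether the file name CustomTheme.css is mandatory, or what ownership and permissions the file should have; state these. In the same hunk, [[File:Agent_repo2.png]] is the only image not wrapped in <center>, and "other users connected to the Pandora FMS Console other than their own" in Connected users should read "users other than yourself".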
  
  

Latest revision as of 09:16, 25 May 2020


We are working on the translation of the Pandora FMS documentation. Sorry for any inconvenience.

 


1 Pandora FMS Management

1.1 Introduction

This chapter deals with several aspects of Pandora FMS daily management such as: group administration, user creation, backups, workspace, etc.

1.2 Profiles, users, groups and ACL

Pandora FMS is a Web management tool. Thanks to its 100% multitenant permission system, multiple users can work with different permissions accessing Pandora FMS setup without seeing each other's information.

To add users, it is important to have groups and profiles properly defined, and know exactly which data you want each user to see and/or modify.

Standard-user-profile.jpg


1.2.1 Users in Pandora FMS

Users are managed from Profiles > Users management, where you may see the list of defined users.



User list new.png



User definition consists of the following fields:



Detalle usuario 2018.png



Here are the relevant user fields:

  • User ID: Identifier the user authenticates with in the application. Because this value is used as an identifier, it should not contain unusual characters or spaces.
  • Full Display Name: Field for the complete name. It is a descriptive field and may contain spaces and non-standard characters.
  • Timezone: Field containing the timezone of the console for visualizing different elements (General agent view, Module view...).
  • Global Profile: An Administrator user will not abide by the internal ACL system, but rather will have access to everything. The standard user will abide by the Pandora FMS ACL permissions it is assigned.
  • Skin: Field where a custom skin may be chosen.
  • Interactive charts: Field where you may choose whether the user sees dynamic or static graphs. This setting allows overwriting the one defined by the system.
  • Block size for pagination: Pagination default size for that user.
  • Not login: If this field is checked, the user will only be able to access the API, not the console interactively.
  • Home screen: It changes the default screen to that of the user's choosing after logging into the console, for example, the event viewer, or a visual console defined by the administrator.
  • Default event filter: To define the default filter that the user will have when entering the event view. Then it can be changed, but this will be the one applied "by default".
  • Session time: Time the user can be logged in with no activity before the session expires and the user must go through the authentication process again.

1.2.1.1 User Edition by the User itself

All users can modify certain parameters of their own settings in Workspace > Edit my User.

The user creation form will appear, where you can configure some sections, except for group permissions.



Gestusuario.png



1.2.1.1.1 Notification setup

To customize the logged-in user's notifications, the administrator must have previously granted that user notification editing permissions. With those permissions and all options activated, notifications and their forwarding by email can be enabled or disabled.

Notificaciones1.PNG


Notifications display on-screen warning messages related to the following sections:

  • System status. Where the following notifications are generated:
    • Expired or nearly expired license warning (~15 days or less).
    • Too many files attached warning.
    • Piled-up .data files in data_in warning (> 1000 files and increasing).
    • Piled-up BADXML files in data_in warning (> 150 files).
    • Overall module queuing (increasing) by server warning.
    • PHP setup warning.
    • Review whether pandora_db is running on the main database.
    • Review whether pandora_db is running on the history database.
    • History database update status (MR correct).
    • Status warnings, component down or uninitiated => Any of the Pandora FMS servers with status=1 and keepalive - now() may be higher than server_keepalive * 2.
    • Tentacle service down.
    • No master-mode server warning.
    • In the case of activated logs, Elastic/Logstash connectivity status.
    • In case of using Pandora FMS HA, error in DB replication.
    • Connection error with GIS map servers (WMS).
    • Log size.
    • Mounting point/disk/almost full volume warning (data_in/mysql/tmp...)(> 90%).
    • History database connection failure.
    • Metaconsole synchronization failure.
    • Next scheduled shutdowns (in less than 15 days).
    • Metaconsole: Synchronization status:
      • Node synchronization failures.
      • Event replication failures.
      • Agent cache.
  • Message:
    • Messages received by the user yet to be read.
  • Pending task:
    • Policies yet to be applied.
    • Queued policies running/complete, and acknowledged once completed.
    • Pending re-creation policies.
    • Defined server plugins whose executable does not exist.
    • Metaconsole:
      • Pending synchronization tasks.
      • Completed synchronization tasks.
      • Pending notifications by node.
      • Policy queue status.
  • Advertisement.
    • Enterprise version not installed reminder.
    • Do you know our Enterprise version?
    • Do you know the module library?
    • Discover eHorus.
    • Discover Integria IMS.
  • Official communication:
    • Update notifications.
    • Messages generated from Ártica ST headquarters (update to PHP7, phantomjs, etc.)
  • Suggestion:
    • Did you know Pandora FMS can be integrated with Telegram?
    • Did you know alerts can be scaled?
    • Monitor your complete applications using services.

The options found in notification setup are these:

  • Notified users: Users that will receive the activated notifications.
  • Notified groups: Groups that will receive the activated notifications.
  • Notify all users: Option to notify all users.
  • Also email users with notification content: To enable sending emails for each notification.
  • Users can modify notification preferences: To allow users to modify notification preferences (the system administrator can restrict this option).
  • Users can postpone notifications up to: It allows postponing notifications so that they are not received more than once in a certain interval (which can be chosen in the drop-down).

1.2.2 Groups in Pandora FMS

1.2.2.1 Introduction

The concept of group in Pandora FMS is fundamental. The groups are sets of elements with their own rules whose purpose is to help to control user access to certain elements inside Pandora FMS.

It is important to know that an agent can only belong to one group, but that a user can have access to one or several of these groups.

When configuring the groups, it will be necessary to take into account that the group All is a special group that cannot be eliminated, and all the groups are its subgroups. Any element that is associated to the All group can be seen/administered by a user that has permissions in any group.

1.2.2.2 Group all

Pandora FMS has a group system. Groups are entities into which agents are classified and which are used to grant permissions. Users are granted permissions on one or several groups, and can then interact with the agents and other elements in that context.

To make group assigning and filtering easier, there is a tool called group "All". Depending on the context, group "All" means ALL groups or ANY of them. From version 3.1 its exclusive identifier is ID 0, but it is handled entirely in code: there is no group with that ID in the DB.

1.2.2.3 Group creation

Groups are defined in the section Profiles > Manage agent groups.



Gest5.png



Inside group creation / modification, there is the following form:



Gestion grupo.png



These are the relevant fields:

  • Name: Group name. This group can be used in automatic agent provisioning, so it is recommended that it does not contain spaces or unusual characters (although they are supported).
  • Icon: Combo where the icon for the group can be chosen.
  • Parent: Combo where another group can be defined as the parent of the group being created.
  • Password: Optional. It allows restricting automatic agent creation (automatic software or satellite agent provision) so that only agents with the same password as the one defined in this field can be created.
  • Alerts: If checked, the agents belonging to the group will be able to send alerts. If not checked, alerts will not be sent. You can use this property to quickly disable alert generation for a certain group of agents.
  • Propagate ACL: If enabled, the child groups will have the same ACL permissions as the group.
  • Custom ID: Groups have an ID in the database. In this field it is possible to set another custom ID that can be used from an external program to perform an integration (e.g. CMDBs).
  • Contact: Contact information accessible through _groupcontact_ macro.
  • Skin: A skin can be assigned to the group.

1.2.2.4 Importing groups from CSV

This is an Enterprise feature. The extension imports into the Pandora FMS server a file whose fields are separated by a separator character.

Access the extension from Admin tools > Extensions manager > CSV import group.

Ex17.png


Choose the file to import by clicking on “Select file” and choose the separator from the combo. Once the previous fields are filled out, click “Go”.

The CSV file must contain the following fields in the following order: Group name, icon, parent id and propagation (1 or 0).

1.2.3 Profiles in Pandora FMS

Pandora FMS profiles define which permissions a user is granted. The combination of a profile and a group associated to a user defines which permissions the user has on a group of agents, so a user can have different profiles in different groups. Profiles are managed from Profiles > Profile management.



Gest1.png



1.2.3.1 Profile List

This list defines what each profile enables:

| Operation | Access bit |
|---|---|
| See agent data (all views) | AR |
| Tactical view | AR |
| Group view | AR |
| Create a visual console | RW |
| Create a report | RW |
| Create a combined graph | RW |
| See report, graph, etc. | RR |
| Apply report template | RR |
| Create report template | RM |
| See event | ER |
| Validate/Comment event | EW |
| Delete event | EM |
| Execute responses | EW |
| Create an incidence through the event (Response) | EW&IW |
| Manage responses | PM |
| Manage filters | EW |
| Customize event columns | PM |
| Change owner/Re-open event | EM |
| See users | AR |
| See Console SNMP | AR |
| Validate traps | IW |
| Messages | IW |
| Cron jobs | PM |
| Tree view | AR |
| Update manager (Operation and Management) | PM |
| Extension Module Group | AR |
| Agent management view | AW |
| Editing the agent and its .conf | AW |
| Assigning already created Alerts | LW |
| Define, modify templates, commands and actions | LM |
| Group management | PM |
| Create inventory modules | PM |
| Manage modules (Including all sub-options) | PM |
| Massive operations | AW |
| Create agent | AW |
| Duplicate remote configuration | AW |
| Downtime management | AD |
| Alert management | LW |
| User management | UM |
| SNMP Console management | PM |
| Profile management | PM |
| Server management | PM |
| System audit (editing and visualization) | PM |
| Setup (all lower flaps incl) | PM |
| DB maintenance | DM |
| Extension management | PM |
| Search bar | AR |
| Policy management | AW |
| Deactivate agent/module/alert | AD |
| Validate alerts | LM&AR or AW&LW |
| Network map view | MR |
| Network map editing | MW |
| Deleting own network maps | MW |
| Deleting any network map | MM |
| Visual console view | VR |
| Visual console editing | VW |
| Deleting own visual consoles | VW |
| Deleting any visual console | VM |

1.2.4 Permission granting

From user editing, you may grant a user access to a group with a certain profile:

Acl groups.png

In this example, the user has access by means of the operator profile to the "eHorus" and "hosting" group.

If you do not assign any group or profile to the user, when the user tries to log in, there will be a login error like the one below:

Fallo login.png

1.2.4.1 Permission system extended by tags

In the Enterprise version, individual access to the modules of an agent can be configured by a Tag system. Some tags are configured in the system, they are assigned to the modules you wish, and additionally, access may be restricted to a user only to the modules that have those tags defined.


Note: Access by Tags does not replace access by groups, it only complements it.


Tags are defined in Profiles > Module Tags.



Gesttags5.png



In module configuration, one or more tags can (optionally) be assigned:

Tags 1.png

You may assign specific access to a tag through the user editor, in profile and group assigning, by adding a tag:

Acl tags.png

In this example, the user has access by means of the operator profile to the "eHorus" and "hosting" group and also to the "Infrastructure" group, but only to modules labeled with the "Security" tag.

Warning: This system, called tag-based security mode, allows restricting access to all agent content, but it has a performance impact, so it is designed exclusively to give access to small portions of information. It should not be used with more than two or three tags per user/profile/group combination.


Note: In some global views (tactical view, group view, general tree counts) the totals show all the modules, not just the ones "visible" by the tag.


1.2.4.2 Hierarchy

In previous sections, we explained that the permissions of a group can be extended to the children by means of the configuration option Propagate ACL. However, from user configuration, you may limit this feature and prevent the ACL from propagating by checking No hierarchy.

As a reference for the examples, here we propose a configuration with the two parent groups "Applications" and "Databases" with two children each, "Development_Apps" and "Management_Apps" for the first one and "Databases_America" and "Databases_Asia" for the second one. Both parent groups are set for ACL to be spread.

Acl hierarchy groups.png

In the user edit view, the following profiles are added:

Acl hierarchy 1.png

The user will have access to the groups named "Applications", "Development_Apps", "Management_Apps" and "Databases".

However, if a child of "Databases" is added:

Acl hierarchy 2.png

The user will have access to the groups named "Applications", "Development_Apps", "Management_Apps", "Databases" and "Databases_Asia", but not to "Databases_America".

1.2.4.3 Secondary groups

From update package 721 agents may have secondary groups. Unlike the primary group, these secondary groups are optional.

Secondary agent.png

An agent belonging to a secondary group means that it actually belongs to several groups at the same time. With this feature, two users with different permissions may have access to the same agent by just adding the appropriate secondary groups.

For example, if an agent called "Portal" has "Infrastructures" as main group and "Hosting" as secondary group, any user that has access to "Infrastructures" and/or a "Hosting" may access it.

Some views, such as Tree View, may show repeated agents. That is the expected behavior when using secondary groups.
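The Hierarchy and Secondary groups rules above, worked through as an added example (a model written for this page, not Pandora FMS code). It assumes that the "Databases" profile in the first screenshot has No hierarchy checked, which is what the stated result implies, and that propagation continues downwards only through groups that themselves have Propagate ACL enabled; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class Group:
    name: str
    parent: Optional[str] = None
    propagate_acl: bool = False      # "Propagate ACL" in the group form


@dataclass(frozen=True)
class Grant:
    group: str
    profile: str
    no_hierarchy: bool = False       # "No hierarchy" in the user editor


@dataclass(frozen=True)
class Agent:
    name: str
    primary_group: str
    secondary_groups: FrozenSet[str] = frozenset()


def example_groups() -> Dict[str, Group]:
    """Group tree from the Hierarchy section plus the groups of the "Portal" example."""
    groups = [
        Group("Applications", propagate_acl=True),
        Group("Development_Apps", parent="Applications"),
        Group("Management_Apps", parent="Applications"),
        Group("Databases", propagate_acl=True),
        Group("Databases_America", parent="Databases"),
        Group("Databases_Asia", parent="Databases"),
        Group("Infrastructures"),
        Group("Hosting"),
    ]
    return {g.name: g for g in groups}


def accessible_groups(groups: Dict[str, Group],
                      grants: Iterable[Grant]) -> Dict[str, Set[str]]:
    """Return {group name: profiles} reachable through the user's grants."""
    access: Dict[str, Set[str]] = {}
    for grant in grants:
        if grant.group not in groups:
            raise KeyError(f"unknown group in grant: {grant.group}")
        pending, seen = [grant.group], set()
        while pending:
            current = pending.pop()
            if current in seen:          # guards against a parent loop in the data
                continue
            seen.add(current)
            access.setdefault(current, set()).add(grant.profile)
            # Children inherit only if the group propagates its ACL and the
            # grant itself was not created with "No hierarchy".
            if groups[current].propagate_acl and not grant.no_hierarchy:
                pending.extend(g.name for g in groups.values()
                               if g.parent == current)
    return access


def can_see_agent(access: Dict[str, Set[str]], agent: Agent) -> bool:
    """An agent is reachable through its primary group or any secondary group."""
    return any(g in access for g in {agent.primary_group, *agent.secondary_groups})


if __name__ == "__main__":
    groups = example_groups()
    grants = [Grant("Applications", "Operator"),
              Grant("Databases", "Operator", no_hierarchy=True)]
    print(sorted(accessible_groups(groups, grants)))
    grants.append(Grant("Databases_Asia", "Operator"))
    print(sorted(accessible_groups(groups, grants)))
    portal = Agent("Portal", "Infrastructures", frozenset({"Hosting"}))
    print(can_see_agent(accessible_groups(groups, [Grant("Hosting", "Operator")]), portal))
```

Running the same function over a real export of groups and user grants is a quick way to review which users reach which groups before enabling Propagate ACL on a parent group.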

1.2.5 ACL Enterprise System

1.2.5.1 Introduction

The ACL Open Source model is based on "unix style" role/action/group/user (4 items).

The ACL Enterprise system allows you to define -according to profile- which pages (defined one by one or by "groups") users have access to. This will allow you to redefine which sections of the interface a user can see. For example, to allow a user to see only the "Group" view and the "Detailed" agent view, skipping pages such as "Alert view" or "Monitor view", already grouped in the classic Pandora FMS ACL system as "AR" (Agent Read Privileges).

This feature allows you to restrict the administration per page. It is very useful to allow some specific low-level operations.

Note: Both models are "parallel" and compatible. The classic ACL system is complementary and it is evaluated prior to the ACL Enterprise system.


1.2.5.2 Configuration

In order to be able to use the new ACL system, the first step is to activate it in the configuration tab. This option is only visible if you use the Enterprise version.



Enterprise acl setup.png



To configure the Enterprise ACL system, go to the specific option for ACL Enterprise in Administration > Setup. On this screen you may add new items in the new ACL System and see the items defined by profile. You can also delete items from the Enterprise ACL system.



Acl setup1.png



Warning: If the Enterprise ACL system is enabled, it restricts ALL groups (including the Administrator!) to the pages defined (allowed) in the Enterprise ACL system. If a user with the "Administrator" profile has no pages included in the Enterprise ACL system, they will not be able to see anything.

Warning: Be careful with this, because you may lose access to the console if you enable an improper ACL Enterprise configuration for your user.


If you have mistakenly lost access to the console, you may disable the Enterprise ACL system from the command line:

/usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl

You can define "page by page", "complete sections", set "any" rule or add "custom pages" that are not accessible from the menu.

There are two ways to add pages to a profile: with the wizard (default) or with custom edit. Above the button to add a rule, there is a button to change this mode.

1.2.5.2.1 Wizard

In the wizard, choose the sections and pages from combo controls.

Warning: The pages that appear in these combos are only those accessible from the menu. To give access to pages that can be accessed in another way (e.g. the agent main view), use the custom editor.


To include a Pandora FMS page in the "allowed pages", you must select the profile to which the rule will be applied, then select in "Section" control the section that contains the desired page. You can then select any of your pages in the "Page" control.



Acl setup4.png



Another option is to select a section and the value "All" in the "Page" control. This will allow the chosen profile to see "all" of the selected section. Also by selecting "All" in both controls, users of that profile will be allowed to view "all" of "all" sections, just as it would be without the Enterprise ACL System for that profile.

Warning: For a section in the menu to be displayed, the user must have access to at least the first page of the section. For example, for the "Monitoring" section to be displayed, they must have access to at least "Tactical View".


1.2.5.2.2 Custom editing

To add individual pages that are not accessible from the menu, you may manually enter their sec2 value. To that end, access the page you wish to add and copy its sec2 parameter.

For example, if you wish to add the main view of the agents, enter the view of any agent and find a URL similar to this one:

http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702

Enter the contents of parameter sec2 (operation/agentes/ver_agente) in the text box.



Acl setup5.png



1.2.5.3 Security

Any page that is not "allowed" will not be displayed in the menu, and its use will not be allowed, even when the user enters the URL in "manual" mode. Any page that isn't allowed by the "Classic" Pandora FMS ACL system will not be allowed by the Enterprise ACL system (this is valid for the classic ACL system). This would be a specific example of several filters:



Acl example.png



In addition, there is a control that checks whether a page belongs to a section, which reinforces security against manual URL modifications. This check is skipped for pages added with the custom editor, as well as for access to each page belonging to a full section whose access is granted, thus optimizing the load.
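The Enterprise ACL rules described in this section (default deny once enabled, wizard rules with "All", custom sec2 pages, classic ACL evaluated first, menu sections shown only when their first page is allowed), as an added model that is not Pandora FMS code. The menu contents and its sec2 values are constructed placeholders, requests without exactly one sec2 parameter are treated as denied by assumption, and all function names are hypothetical; only the agent-view URL comes from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

ALL = "All"

# Constructed menu: section -> ordered sec2 values (placeholders, not real paths).
MENU: Dict[str, List[str]] = {
    "monitoring": ["example/tactical_view", "example/group_view", "example/alert_view"],
    "reporting": ["example/report_list"],
}


@dataclass(frozen=True)
class Rule:
    profile: str
    section: Optional[str]   # section id, ALL, or None for a custom-editor rule
    page: str                # sec2 value, or ALL


# Constructed rule set for the demonstration.
SAMPLE_RULES = [
    Rule("Operator", "monitoring", "example/tactical_view"),
    Rule("Operator", None, "operation/agentes/ver_agente"),   # custom page
    Rule("Auditor", "reporting", ALL),                        # full section
    Rule("Viewer", "monitoring", "example/group_view"),       # not the first page
]


def sec2_from_url(url: str) -> Optional[str]:
    """Extract sec2; a missing or repeated parameter is ambiguous, so return None."""
    values = parse_qs(urlparse(url).query).get("sec2", [])
    return values[0] if len(values) == 1 else None


def eacl_allows(rules, profile: str, sec2: str, menu=MENU) -> bool:
    """True if some rule of the profile allows the page identified by sec2."""
    for rule in rules:
        if rule.profile != profile:
            continue
        if rule.section is None:                       # custom editor rule
            if rule.page == sec2:
                return True
        elif rule.section == ALL and rule.page == ALL:
            return True                                # "all" of "all" sections
        elif rule.page == ALL:
            if sec2 in menu.get(rule.section, []):     # every page of one section
                return True
        elif rule.page == sec2 and sec2 in menu.get(rule.section, []):
            return True
    return False                                       # default deny


def access_allowed(classic_acl_ok: bool, eacl_enabled: bool,
                   rules, profile: str, url: str) -> bool:
    """Classic ACL is evaluated first; Enterprise ACL can only restrict further."""
    if not classic_acl_ok:
        return False
    if not eacl_enabled:
        return True
    sec2 = sec2_from_url(url)
    return sec2 is not None and eacl_allows(rules, profile, sec2)


def visible_sections(rules, profile: str, menu=MENU) -> List[str]:
    """A menu section is displayed only if its first page is allowed."""
    return [s for s, pages in menu.items()
            if pages and eacl_allows(rules, profile, pages[0], menu)]


def profiles_locked_out(rules, profiles) -> List[str]:
    """Profiles with no rule at all: they would see nothing once EACL is enabled."""
    return [p for p in profiles if not any(r.profile == p for r in rules)]


if __name__ == "__main__":
    url = ("http://localhost/pandora/index.php"
           "?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702")
    print(sec2_from_url(url))
    print(access_allowed(True, True, SAMPLE_RULES, "Operator", url))
    print(profiles_locked_out(SAMPLE_RULES, ["Administrator", "Operator"]))
```

Checking profiles_locked_out against the profile list before switching the option on catches the lock-out case that otherwise has to be undone with --disable_eacl.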

1.3 Servers

The detailed view of the servers shows, besides the general state of the Pandora FMS servers, their load level and delay. Let us see a screenshot of a server status screen, which is reached through the operation menu > Pandora Servers.

Server explained 2017.png

Some icons have special relevance, as seen in the above caption:

  • Poll request: It asks the remote test server to run all the checks it has, forcing it to run them again. Valid for all network servers, e.g. Network server, WMI server, Plugin server, WEB server, etc.
  • Editing Discovery server tasks.
  • Edit remote server configuration. Valid for Pandora FMS servers or satellite servers.

In addition, this view shows several important pieces of data. Each column shows the following information:

  • Server name, usually the hostname of the machine.
  • Status (green = active, grey = stopped or down).
  • Server type: data server, network server, etc.
  • Progress bar indicating the total module load percentage for that type of server. In this case, all servers are at 100% except for recon server, which has no associated tasks so it is at 0%.
  • Number of such modules executed by the server with respect to the total number of such modules.
  • Server Lag: Highest amount of time spent by the oldest module waiting to receive data / number of modules out of their lifetime. In this example, there are approx. 3000 modules out of their lifespan, with a lag time of 10 minutes 13 seconds. This indicator is useful to know whether you have many modules and whether the server is at its load capacity limit, as is the case here. Although the delay is not excessive (10 minutes 13 sec, for modules with an average lifespan of 5 min), the number of modules out of time is considerable. For the network server this figure is much lower: only 19 modules with a lag (10 minutes) out of a total of almost 1500 modules.
  • Total number of threads configured on the server: Total number of modules in queue waiting to be attended. These parameters reflect excessive load status. There should almost never be queued modules. This reflects the server's inability to process the data.
  • Number of seconds since the server updated its data. Each server has a "Keepalive" that updates its status, to make sure it is active and updating its statistics.

1.4 Credential store

Pandora FMS features a credential store. This repository manages the IDs used in sections such as Discovery Cloud or agent automatic deployment.

Cred store.png

Next, the "Credential store" tab is displayed.

Cred store1.png


There are three different login information types to register:

  1. Amazon Web Services (AWS) login information
  2. Microsoft Azure login information
  3. Custom login information


Cred store2.png


To add a new entry, press the "add" button and fill out the pop-up form.


The group assigned to the password controls its visibility. That means that if the password 'test' is assigned to the group named 'All', all Pandora FMS console users will be able to see said password.

In a similar way, if 'test' is allocated to the group named 'Applications', only users with permissions on 'Applications' will have access to the password.


Cred store3.png


Once added, it can be checked, filtered etc.

Cred store5.png


Within password customization, the only thing that cannot be modified is the type of login information:


Cred store6.png

1.5 Scheduled downtimes

1.5.1 Introduction

Pandora FMS has a small scheduled downtime management system. This system lets you disable alerts during downtime intervals by disabling the agent. A disabled agent does not collect information either, so for most metrics and report types the downtime intervals are not taken into account in reports, because the agents hold no data for those intervals.



Downtimegeneral.png

1.5.2 Create a scheduled downtime

To create a downtime, go to the Tools > Scheduled downtime menu and press the button to create one:



Downtime1.png

You will find the following configurable parameters:

  • Name: Name of the scheduled downtime.
  • Group: The group you want it to belong to.
  • Description.
  • Type: You may set the following types of downtimes:
    • Quiet: Marks the indicated modules as "quiet", so they will generate neither alerts nor events.
    • Disable Agents: It disables the selected agents. It is important to know that if an agent is manually disabled before the task is launched, it will become enabled once this task is completed.
    • Disable Alerts: It disables alerts of selected agents.
  • Execution: It lets you configure whether the downtime runs once or periodically.
  • Set time: The day and time at which the scheduled downtime will start and end, either once or periodically, depending on what has been configured in "Execution".


Note: If the Pandora FMS administrator enables it in the visual configuration section, it is possible to create scheduled downtimes in a past date. They will not be executed, but their existence will be reflected in different reports. This is particularly relevant since it affects, among others, availability reports and SLAs.


Downtime2.png

Finally, specify which specific agents you want to include in that downtime.



Downtime5.png

When a scheduled downtime is "active", it cannot be modified or deleted, but from version 5.0 onwards there is an option where you may stop the execution in "Stop downtime", so that all agents/modules/alarms that the scheduled downtime disabled temporarily may be re-enabled. This option does not support periodic scheduled downtimes. From version 6.0 onwards, non-periodic scheduled downtimes can be delayed even if they are 'active'. When this downtime is over, you may modify or delete it.

1.5.3 Alternatives to console downtime management

There are often "cyclical" situations for which the console's downtime management is too specific: for example, you may want to deactivate all agents quickly at a given moment, or to plan a general downtime every week. For this type of operation, there are ways to do it from the command line.

There is a faster way to set all agents in service mode, using the Pandora FMS management CLI, pandora_manage.pl, from the command line:

./pandora_manage.pl /etc/pandora/pandora_server.conf --enable_group 1

Pandora FMS Manage tool 3.1 PS100519 Copyright (c) 2010 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at http://www.pandorafms.org

[*] Pandora FMS Enterprise module loaded.

[INFO] Enabling group 1

To disable them, run:

./pandora_manage.pl /etc/pandora/pandora_server.conf --disable_group 1

1.6 Audit Log

Pandora FMS keeps a log of all changes and important actions taken in Pandora FMS console. This log can be seen in Admin tools > System Audit Log.



Gest67.png



On this screen, you may see a series of entries related to console activity, user information, action type, date and a brief description of the events recorded.

Audit 1.png

In the upper left corner, you may filter which entries are displayed by different criteria, including actions, user and IP. You may also perform a text search and set the maximum age in hours.

The available filtering fields:

  • Action: The different possible filtering actions: ACL Violation, Agent management, Agent remote configuration, Alert management, Command management, Dashboard management, Event alert management, Event deleted, Extension DB inface, File collection, Logoff, Logon, Logon Failed, Massive management, Module management, No session, Policy management, Report management, Setup, System, Template alert management, User management, Visual console builder.
  • User.
  • Free text for search: It will search in the fields User, Action and Comments.
  • Max. Hours old: How many hours back to display events from.
  • IP: Source IP address.

It is also possible to export the information displayed on the screen to a CSV file by clicking on the button at the top right of the screen.

Audit 02.png
Available filtering actions


With this tool, you may search, for example, for the tasks that a user performed on agent management in the last hour.

Audit 03.png

Or you may find the moment when a given user logged in to the console. You may retrieve all information about the actions performed by that user. In addition, you may see the Pandora FMS server service start date or when the console configuration was changed.

Audit 04.png
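One way to triage the CSV export for repeated failed logons and ACL violations, as an added example that is not Pandora FMS code. The action names come from the filter list above; the column names, the ";" separator, the timestamp format and the thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names, separator and timestamp format are
# assumptions: adjust them to match the CSV your console actually produces.
SAMPLE_CSV = """user;action;date;source_ip;comments
admin;Logon;2024-05-01 08:00:12;192.0.2.10;Logged in
operator1;Logon Failed;2024-05-01 09:14:01;198.51.100.7;Invalid login
operator1;Logon Failed;2024-05-01 09:14:09;198.51.100.7;Invalid login
admin;Logon Failed;2024-05-01 09:14:20;198.51.100.7;Invalid login
admin;Logon Failed;2024-05-01 09:14:31;198.51.100.7;Invalid login
admin;Logon;2024-05-01 09:15:02;198.51.100.7;Logged in
admin;User management;2024-05-01 09:16:40;198.51.100.7;Updated user operator1
operator2;ACL Violation;2024-05-01 10:02:00;192.0.2.44;Trying to access setup
operator2;Logon Failed;2024-05-01 11:30:00;192.0.2.44;Invalid login
"""


def triage(csv_text, threshold=3, window=timedelta(minutes=5)):
    """Return findings as (kind, source_ip, user, timestamp) tuples."""
    rows = list(csv.DictReader(io.StringIO(csv_text), delimiter=";"))
    for row in rows:
        row["ts"] = datetime.strptime(row["date"], "%Y-%m-%d %H:%M:%S")
    rows.sort(key=lambda row: row["ts"])

    findings = []
    failures = defaultdict(list)  # source_ip -> timestamps of failed logons
    for row in rows:
        ip, action = row["source_ip"], row["action"]
        if action == "ACL Violation":
            # A user requested a page their profile does not allow.
            findings.append(("acl_violation", ip, row["user"], row["ts"]))
        elif action == "Logon Failed":
            failures[ip].append(row["ts"])
        elif action == "Logon":
            # A success right after a run of failures from the same address
            # deserves a look at what that session did next.
            burst = [t for t in failures[ip] if row["ts"] - t <= window]
            if len(burst) >= threshold:
                findings.append(
                    ("logon_after_failures", ip, row["user"], row["ts"]))
            failures[ip].clear()

    # Failure runs that were never followed by a successful logon.
    for ip, stamps in failures.items():
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                findings.append(("failure_burst", ip, None, stamps[i]))
                break
    return findings


if __name__ == "__main__":
    for kind, ip, user, ts in triage(SAMPLE_CSV):
        print(ts.isoformat(sep=" "), kind, ip, user or "-")
```

Failures are grouped by source address rather than by user, so attempts spread across several accounts from one address still count as one run.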

1.7 Local server logs

In the latest Pandora FMS console versions, log status can be checked through the menu Extensions > Extension management > System logs.


System logs menu.png

From this extension you may see the logs of both the console and the local server:

System logs main.png


If you cannot see the content, check your log file permissions:

chown -R pandora:apache /var/log/pandora/


To keep these permissions after log rotation, modify the rotation options in the /etc/logrotate.d/pandora_server file:

/var/log/pandora/pandora_server.log 
/var/log/pandora/pandora_server.error {
	weekly
	missingok
	size 300000
	rotate 3
	maxage 90
	compress
	notifempty
	copytruncate
	create 660 pandora apache
}
/var/log/pandora/pandora_snmptrap.log {
	weekly
	missingok
	size 500000
	rotate 1
	maxage 30
	notifempty
	copytruncate
	create 660 pandora apache
}


Note: If your system is SuSE, replace apache with www-data. On any other system, check which user the Apache service (httpd) runs as.

1.8 Cron Job

This Pandora FMS Enterprise extension lets you schedule task execution from the Pandora FMS server.

The extension can be accessed from Servers > Cron jobs.



Cron jobs.jpg



To add a task, the following fields must be filled in:

  • Task: Combo where the task to perform can be chosen.
    • Send custom report via e-mail
    • Run custom script
    • Pandora FMS BD Backup
    • Save custom report in disk
  • Schedule: Field where task frequency can be chosen.
    • Without schedule: These tasks will be executed only once and at the specified time.
    • Hourly
    • Daily
    • Weekly
    • Monthly
    • Yearly
  • First run: Field where the date and time of the first task execution is chosen. It will be executed periodically, taking this date and time as a reference.
  • Parameters: Field that allows entering parameters in the task to be performed. It varies by task.
    • Pandora FMS BD Backup: Description and path where the backup will be stored.
    • Send report via e-mail: Report to be sent and recipient's e-mail address.
    • Run script: Script command to run.
    • Save report to disk: Report to be saved and the path to store it.

Once the data has been filled in, click on create and the task will appear in the scheduled tasks list.



Cron jobs list.jpg



Once the scheduled task has been created, it is possible to force its execution by clicking on the green circle to the right of the task or delete it by clicking on the red cross on the left.


Note: If the cron job is "non scheduled", it will be deleted automatically when executed.



1.9 DB management from the console

The core of Pandora FMS system is its database. It stores all data collected by monitored systems, agent configuration, alerts, events, audit data, different users and their data. That is, all system data.

Efficiency and reliability are vital for Pandora FMS to work properly, so database maintenance is essential.

To perform regular database maintenance, administrators can use standard MySQL commands from the command line, or manage the database from the console even without extensive MySQL knowledge.

Pandora FMS has multiple extensions that can be used from the console to see information from the database.

1.9.1 Diagnostic tool

This section shows general information about the Pandora FMS installation. Much of this information is obtained from the database: the recommended parameters are shown, as well as warnings about existing values that need to be changed.



Captura de pantalla de 2017-10-09 13-37-10.png



Diagnostic info1.png

Diagnostic info2.png

Diagnostic info3 new.png

Diagnostic info4.png

1.9.2 DB Interface

This is an extension that allows you to execute commands in the database and see the result. It is an advanced tool that should only be used by people who have a certain amount of knowledge about SQL and the Pandora FMS database schema.

Warning: If misused, this tool may "destroy" data or permanently render the application inoperative.


It is accessed from Admin tools > DB interface.



Ex10.png



Write the command in the blank field and click on "Execute SQL".

1.9.3 DB Schema Check

This is an extension that checks the structural differences between the database of your Pandora FMS installation and a reference schema, in order to find possible errors.

It works like this:

  • A temporary database is created with the structure that the installation database should have (different depending on the installed version).
  • The database created is compared with the database referenced in the installation.
  • The temporary database is deleted.




Captura de pantalla de 2017-10-09 13-47-04.png



Enter the data to access your database and click on "Run test".

Note: It is recommended to use this extension to check whether a database migration has been correctly performed.

Warning: This check can only be done in MySQL Databases.


1.10 Network Tools

  • Traceroute path: If empty, Pandora FMS will search for traceroute in the system.
  • Ping path: If empty, Pandora FMS will search for ping in the system.
  • Nmap path: If empty, Pandora FMS will search for nmap in the system.
  • Dig path: If empty, Pandora FMS will search for dig in the system.
  • Snmpget path: If empty, Pandora FMS will search for snmpget in the system.

1.11 Backup

Extension that allows backing up the DB and restoring it.

To make a backup, first select the destination folder where the data will be stored. Once chosen, write a backup description.



Ex12.png



When the backup is done, it will appear in the Backup list with the running icon.

Ex13.png

Once the Backup has been created, it is possible to:

  • Download it by clicking on this icon:

Ex14.png

  • Do a rollback by clicking on this icon:

Ex15.png

The rollback applies a previously created backup and restores it. This will destroy all existing data in the console and apply the data that exists in the backup on which the rollback is made.

Warning: This tool can only recover database backups made through this feature. It is not possible to load a manual backup.


  • Delete it by clicking on this icon:

Ex16.png




1.12 Plugin log

Extension that allows you to easily register server plugins.

The extension can be accessed through Servers > Register plug-in.



Ex9.png



To register a plugin choose the file by clicking on "Browse" and "Upload".

More information about server plugins can be found in the development and extension chapter.

You may see in section [Plugin Development] the format of the .pspz files.

1.13 Insert data

Extension that imports data from a comma separated file (CSV) into an agent module. This extension is accessed from Resources > Insert Data.



Insert data1.png



The format of the CSV file must be date;value per line. The date must be given in Y/m/d H:i:s format:

2011/08/06 12:20:00;77.0
2011/08/06 12:20:50;68.8
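A pre-import check for this format, as an added example that is not part of Pandora FMS. It assumes the module takes numeric values (pass numeric=False otherwise); the first two sample rows are the ones shown above and the remaining rows are constructed to be malformed.

```python
import math
from datetime import datetime

DATE_FORMAT = "%Y/%m/%d %H:%M:%S"  # Python spelling of Y/m/d H:i:s

# Rows 1-2 are the page's example; rows 3-7 are constructed bad input.
SAMPLE = """2011/08/06 12:20:00;77.0
2011/08/06 12:20:50;68.8
2011-08-06 12:21:40;70.1
2011/8/6 12:22:30;71.5
2011/08/06 12:23:20,69.9
2011/08/06 12:24:10;nan
2011/08/06 12:25:00;72.3;extra
"""


def check_insert_csv(text, numeric=True):
    """Return (rows, errors).

    rows   -- list of (datetime, value) for every well-formed line
    errors -- list of (line_number, reason) for every rejected line
    """
    rows, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are skipped, not reported
        parts = line.split(";")
        if len(parts) != 2:
            errors.append((lineno, "expected exactly one ';' between date and value"))
            continue
        stamp, value = parts
        try:
            when = datetime.strptime(stamp, DATE_FORMAT)
        except ValueError:
            errors.append((lineno, "date is not in Y/m/d H:i:s format"))
            continue
        # strptime also accepts 2011/8/6; Y/m/d H:i:s uses zero-padded fields.
        if when.strftime(DATE_FORMAT) != stamp:
            errors.append((lineno, "date is not exactly Y/m/d H:i:s (zero-padded, single space)"))
            continue
        if numeric:  # assumption: the target module stores numbers
            try:
                value = float(value)
            except ValueError:
                errors.append((lineno, "value is not a number"))
                continue
            if not math.isfinite(value):
                errors.append((lineno, "value is not a finite number"))
                continue
        rows.append((when, value))
    return rows, errors


if __name__ == "__main__":
    good, bad = check_insert_csv(SAMPLE)
    print(len(good), "rows accepted")
    for lineno, reason in bad:
        print("line %d: %s" % (lineno, reason))
```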


1.14 Resource registration

This extension allows you to import .prt files containing the definition of network components, SNMP components, local components or WMI components. You may also add all of them (except for local components) to a template.



Resource registration screenshot.png



1.14.1 .prt file format

<?xml version="1.0"?>
<pandora_export version="1.0" date="yyyy-mm-dd" time="hh:mm">
	<component>
		<name></name>
		<description></description>
		<module_source></module_source>
		<id_os></id_os>
		<os_version></os_version>
		<data></data>
		<type></type>
		<max></max>
		<min></min>
		<max_cri></max_cri>
		<min_cri></min_cri>
		<max_war></max_war>
		<min_war></min_war>
		<historical_data></historical_data>
		<ff_treshold></ff_treshold>
		<module_interval></module_interval>
		<id_module_group></id_module_group>
		<group></group>
		<tcp_port></tcp_port>
		<tcp_send></tcp_send>
		<tcp_rcv_text></tcp_rcv_text>
		<snmp_community></snmp_community>
		<snmp_oid></snmp_oid>
		<snmp_version></snmp_version>
		<auth_user></auth_user>
		<auth_password></auth_password>
		<privacy_method></privacy_method>
		<privacy_pass></privacy_pass>
		<auth_method></auth_method>
		<security_level></security_level>
		<plugin></plugin>
		<plugin_username></plugin_username>
		<plugin_password></plugin_password>
		<plugin_parameters></plugin_parameters>
		<wmi_query></wmi_query>
		<key_string></key_string>
		<field_number></field_number>
		<namespace></namespace>
		<wmi_user></wmi_user>
		<wmi_password></wmi_password>
		<max_timeout></max_timeout>
		<post_process></post_process>
	</component>
	<component>...</component>
	<component>...</component>
	<template>
		<name></name>
		<description></description>
	</template>
</pandora_export>
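Several fields in this layout can hold credentials (snmp_community, auth_password, privacy_pass, plugin_password, wmi_password), so a .prt file is worth checking before it is shared or committed. The following added example, which is not part of Pandora FMS, lists the components that carry a secret and produces a redacted copy; the sample file and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Tags from the .prt layout above that can carry a secret.
SECRET_TAGS = ("snmp_community", "auth_password", "privacy_pass",
               "plugin_password", "wmi_password")

# Constructed sample export (not a real component definition).
SAMPLE_PRT = """<?xml version="1.0"?>
<pandora_export version="1.0" date="2024-05-01" time="10:00">
  <component>
    <name>Constructed SNMP check</name>
    <snmp_community>public</snmp_community>
    <snmp_oid>1.3.6.1.2.1.1.3.0</snmp_oid>
    <auth_password></auth_password>
  </component>
  <component>
    <name>Constructed WMI check</name>
    <wmi_user>monitor</wmi_user>
    <wmi_password>Constructed-Pass-1</wmi_password>
    <plugin_password>   </plugin_password>
  </component>
  <template>
    <name>Constructed template</name>
  </template>
</pandora_export>
"""


def _parse(xml_text):
    # ElementTree does not expand external entities; for files from untrusted
    # sources a hardened parser such as defusedxml is still the safer choice.
    root = ET.fromstring(xml_text)
    if root.tag != "pandora_export":
        raise ValueError("not a .prt export: root element is %r" % root.tag)
    return root


def audit_prt(xml_text):
    """Return (component_name, tag, note) for every non-empty secret field.

    The secret values themselves are never returned.
    """
    findings = []
    for index, comp in enumerate(_parse(xml_text).findall("component"), 1):
        name = (comp.findtext("name") or "").strip() or "component #%d" % index
        for tag in SECRET_TAGS:
            value = (comp.findtext(tag) or "").strip()
            if not value:
                continue
            weak = tag == "snmp_community" and value.lower() in ("public", "private")
            findings.append(
                (name, tag, "default community string" if weak else "secret present"))
    return findings


def redact_prt(xml_text):
    """Return the export as a string with every secret field emptied."""
    root = _parse(xml_text)
    for comp in root.iter("component"):
        for tag in SECRET_TAGS:
            element = comp.find(tag)
            if element is not None and element.text:
                element.text = ""
    return ET.tostring(root, encoding="unicode")
```

A redacted file needs its credentials filled in again after import, so keep the original in a location with restricted access.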

1.15 Text string translator

This extension belongs to the menu Setup > Translate string and allows translating Pandora FMS interface text strings to customize it.



Translate string.png



The fields to be filled in are detailed below:

  • Language: It lets you filter strings by language.
  • Free text for search (*): Content of the string you wish to customize.

Three columns will appear: the first one will show the original string, the second one the current translation and in the third one the custom translation you wish to add.

1.16 Workspace

This section lets you interact with other Pandora FMS users and edit your user details, as well as perform several actions such as accessing the issue system (to open tickets), chatting with other users connected to Pandora FMS, etc.

1.16.1 Chat

It lets you interact with other users connected to that Pandora FMS console through a chat. It is useful, for example, when you want to say something to another operator.

1.16.2 Issues

Pandora FMS allows managing issues from the console thanks to its integration with Integria IMS.

For more information about this tool, check issue management with Integria IMS.

1.16.3 Messages

Pandora FMS has a tool that allows different users to send messages among themselves.

1.16.3.1 See messages

When a user has a message, an envelope icon appears at the top right of the console.



Gest20.png



User messages can be seen in Workspace > Messages > Messages list, and from there you may read, delete or write a message to a specific group or user.

1.16.4 Connected users

This extension shows the users, other than yourself, who are connected to the Pandora FMS Console. This feature is important because Pandora FMS console allows multiple user connections.

The extension is accessed from Workspace > Connected users.



Ex4b.png



1.17 Software agent repository

The software agent repository is part of the deployment center. It controls which agent installer versions (programs) are available to be deployed.

You may access it through this menu:

Agent repo1.png


To add a new installer to the repository, click "Add agent".

Agent repo2.png


Fill out the information related to the target OS type, the architecture, the installing file, etc.

Agent repo3.png


Note: Installers for Linux (and the whole Unix and BSD range) are shared by all architectures: x64, x86, ARM, etc. all use the same installer.


Make sure the upload was successful:

Agent repo4.png


The uploaded agent installer will appear on the list together with the information about its version, by whom and when it was uploaded etc.:

Agent repo5.png

1.18 Custom themes

Pandora FMS offers the possibility of uploading CSS files, in order to set custom themes in the visual console.

To that end, include the following comment in the CSS file:

/*
Name: My custom Theme
*/

Then, import the CSS file to the following path:

pandorafms/pandora_console/include/styles/CustomTheme.css

Once the desired themes are uploaded, go to Setup > Setup > Visual styles and select the appropriate theme from the Style template drop-down.

CustomTheme1.png


