Pandora: Documentation en: Managing and Administration

From Pandora FMS Wiki
Revision as of 11:18, 9 August 2018 by Fermin (talk | contribs) (Secondary groups)
Jump to: navigation, search

Go back to Pandora FMS documentation index

1 Pandora FMS Management

1.1 Introduction

This chapter deals with several aspects of the daily management of Pandora FMS such as: group administration, user creation, etc.

1.2 Profiles, users, groups and ACL

Pandora FMS is a Web management tool that allows multiple users to work with different permissions in multiple groups of agents that are defined. Before adding users, the groups and profiles must be well defined and have a clear understanding of what data visibility we want each user to have.

Pandora's permissions system is 100% multitenant, that is to say, that different clients or departments access the information of the same Pandora setup without some of them seeing the information of the others.

1.2.1 Users in Pandora FMS

Users are managed from Profiles > Users management, where you can view the list of defined users.

User list new.png

The user definition consists of the following fields:

Detalle usuario 2017.png

We detail the relevant user fields:

  • User ID: Identifier to be used by the user to authenticate in the application. This is a value that is used as an identifier, so it should not have rare characters or spaces.
  • Full Display Name: field where the complete name is placed, this is a descriptive field and may contain spaces and non-standard characters.
  • Global Profile: An Administrator user will not be governed by the internal ACL system and will have access to everything. The standard user will be governed by the permissions assigned to them according to the different Pandora ACL systems.
  • Skin: field where you can choose a custom skin.
  • Interactive charts: field where you can choose whether the user sees dynamic or static graphs. This setting allows you to overwrite the one defined by the system.
  • Block size for pagination: Block size by default for that user.
  • 'Not login: if this field is checked, the user will only be able to access the API but not interactively through the console.
  • Home screen: change the default screen to which the user enters after logging into the console, for example, the event viewer, or a visual console defined by the administrator.
  • Default event filter: to define the default filter that the user will have when entering the event view. Then you can change it, but this will be the one that applies "by default".
  • Session time:Time in which the user can be logged on without activity before the user considers his session expired and forces them to authenticate themselves again. User Edition by the own User

All users can modify certain parameters of their own settings in Workspace > Edit my User.

The user creation form appears where you can configure some sections, except of course, the permissions on groups.


1.2.2 Groups in Pandora FMS

The concept group in Pandora is fundamental. It serves to regulate the system of access to agents for a user. An agent can only belong to one group and a user can access one or more groups.

Template warning.png

The group All is a especial group which can't be deleted. Every group is a subgroup of the All group. Any element (report, graph, event...) associated to the group All will be seen/managed by a user that has permissions in any group.


Groups are defined in the section Profiles > Manage agent groups.


Inside a group's creation / modification, we have some fields that require an explanation: This form will appear:

Gestion grupo.png

We detail the relevant user fields:

  • Name:group name. This group can be used in the automatic provisioning of agents, so it is not recommended that it contains spaces or rare characters (although it is supported).
  • Icon: combo where the icon for the group can be chosen.
  • Parent: combo where another group can be defined as the parent of the group being created.
  • Password: optional. It allows restricting the automatic creation of agents (automatic provision of software or satellite agents) so that only agents with the same password as the one defined in this field can be created.
  • Alerts: if checked, the agents belonging to the group will be able to send alerts, if not checked they will not be able to send alerts. You can use this property to quickly disable the generation of alerts for a certain group of agents.
  • Propagate ACL: if enabled, the child groups will have the same ACL permissions as the group.
  • Custom ID: groups have an ID in the database; in this field it is possible to put another custom ID that can be used from an external program to perform an integration (e. g. CMDB' s).
  • Contact: contact information accessible via the _groupcontact_ macro
  • Skin: a skin can be assigned to the group.

1.2.3 Profiles in Pandora FMS

Pandora profiles allow you to define what permissions a user can have. The combination of profiles plus a group, associated with a user, allows you to define what permissions a user has over a group of agents, so that they can have different profiles in different groups. Profiles are managed from Profiles > profile management.


This list defines what each profile enables:

OperationAccess Bit
See agent data (all views) AR
Tactical view AR
Group view AR
Create a visual console RW
Create a report RW
Create a combined graph RW
See report, graph, etc. RR
Apply report templateRR
Create report templateRM
See event ER
Validate/Comment event EW
Delete event EM
Excecute responsesEW
Create an incidence through the event (Response) EW&IW
Manage responsesPM
Manage filtersEW
Personalize event columnsPM
Change owner/Re-open event EM
See users AR
See Console SNMP AR
Validate traps IW
Menssages IW
Cron jobs PM
Tree view AR
Update manager (Operation and Management) PM
Extension Module GroupAR
Agent management view AW
Editing the agent and its .conf AW
Assigning already created Alerts LW
Define, modify templates, commando and actions LM
Group management PM
Create inventory modules PM
Manage modules (Including all suboptions)PM
Massive operations AW
Create agent AW
Duplicate remote configuration AW
Management of downtimesAD
Alert management LW
User management UM
SNMP Console management PM
Profile managementPM
Server managementPM
System audit (editing and visualization)PM
Setup (all lower flaps incl) PM
DB maintenance DM
Extension management PM
Searcha bar AR
Plicy managementAW
Deactivate agent/module/alertAD
Validate alertsLM&AR o AW&LW
Network maps viewMR
Network maps editingMW
Deleting own network mapsMW
Deleting any network map MM
Visual console viewVR
Visual console editingVW
Deleting own visual consolesVW
Deleting any visual consoleVM

1.2.4 Permission assignment

From the user output, you can assign a user access to a group with a certain profile:

Acl tags.png

In this example, the user has access with the operator profile to the "ehorus" and "hosting" group. Permission system extended by tags

In the Enterprise version, individual access to an agent's modules can be configured with a Tag system. Tags are configured in the system, assigned to the modules you want and additionally, you can restrict access to a user only to modules that have those tags defined.


Access by Tags does not replace access by groups, it only complements it.


Tags are defined in Profiles > Module Tags.


In the configuration of a module, one or more tags can (optionally) be assigned to it:

Tags 1.png

To assign specific access to a tag, it is done through the user editor, in the profile and group assignment, adding a tag:

Acl tags.png

In this example, the user has access with the operator profile to the "ehorus" and "hosting" group and also to the "Infrastructure" group, but only to the modules marked with the "Security" tag.

Template warning.png

This system, which we call Tag-based security mode allows restricting access to all agent content, but has performance impact, so it is designed exclusively to give access to small portions of information, that is, it should not be used with more than two or three tags per user/profile/group combination.



In some global views (tactical view, group view, general tree counts) the totals show all the modules, not just the "visible" for the tag. Jerarquía

En apartados anteriores, se explicó que los permisos de un grupo se pueden extender a los hijos mediante la opción de configuración Propagate ACL. Sin embargo, desde la configuración de usuarios, se puede limitar esta funcionalidad y evitar que el ACL se propague marcando No hierarchy.

Como referencia para los ejemplos, se plantea una configuración con dos grupos padre "Applications" y "Databases" con dos hijos cada uno, "Development_Apps" y "Management_Apps" para el primero y "Databases_America" y "Databases_Asia" para el segundo. Ambos grupos padre están marcados para que se propague el ACL.

Acl hierarchy groups.png

En la vista de edición de usuario, si se añaden los siguientes perfiles:

Acl hierarchy 1.png

El usuario tendrá acceso a los grupos "Applications", "Development_Apps", "Management_Apps" y "Databases".

En cambio, si se añade un hijo de "Databases":

Acl hierarchy 2.png

Ahora el usuario podrá acceder a los grupos "Applications", "Development_Apps", "Management_Apps", "Databases" y "Databases_Asia", pero no a "Databases_America".

1.3 Group "All"

Pandora has a system of groups, which are entities in which agents are classified and used to break down privileges. In this way, users are given certain permissions framed in one or more groups and thus have the ability to see and interact with agents and other objects in their context.

To make it easier to assign and filter groups, a tool called group "All" is available. The group All means, depending on the context, ALL groups or ANY of them. From version 3.1 its reserved identifier is ID 0, with the difference that it is totally controlled by code, without there being a group with that ID in the database.

1.4 ACL Enterprise System

The ACL Open Source model is based on "unix style" role/action/group/user (4 items).

The ACL Enterprise system allows you to define -according to profile- which pages (defined one by one or by "groups") users have access to. This will allow you to redefine which sections of the interface a user can see. For example, to allow a user to visualize only the "Group" view and the "Detailed" agent view, skipping pages such as "Alert view" or "Monitor view", already grouped in the classic Pandora FMS ACL system as "AR" (Agent Read Privileges).

This feature allows you to restrict the administration per page. It is very useful to allow some specific low-level operations. Both models are "parallel" and compatible, and this is only an Enterprise feature. The classic ACL system is complementary and is evaluated prior to the ACL Enterprise system.

In order to be able to use the new ACL system, the first step is to activate it in the Enterprise configuration tab. This option is only visible if you are using the Enterprise version.

Enterprise acl setup.png

To configure the Enterprise ACL system, go to the specific option for ACL Enterprise in Administration -> Setup. On this screen you can add new items in the new ACL System and view the items defined by profile. You can also delete items from the Enterprise ACL system.

Acl setup1.png

The Enterprise ACL system, if enabled, restricts ALL pages to ALL groups (including the Administrator!) to all defined (allowed) pages in the Enterprise ACL system. If a user with the "Administrator" profile does not have pages included in the Enterprise ACL system, they will not be able to see anything.

Template warning.png

Please, be careful with this, because you may lose access to the console if you enable improper ACL Enterprise configuration for your user.


If we have mistakenly lost access to the console, you can disable the Enterprise ACL system from the command line:

/usr/share/pandora_server/util/ /etc/pandora_server.conf --disable_eacl

You can define "page by page", "complete sections", set a rule "any" or add "custom pages" that are not accessible from the menu.

There are two ways to add pages to a profile: With the wizard (default) or with the custom edit. Above the button to add a rule, there is a button to change this mode.

1.4.1 Wizard

In the wizard we will choose the sections and pages of some combo controls.

Template warning.png

The pages that appear in these combos are only those accessible from the menu. To give access to pages that can be accessed in another way (e. g. the agent's main view) we must use the custom editor


To include a Pandora FMS page in the "allowed pages", you must select the profile to which the rule will be applied, then select in "Section" control the section that contains the desired page. You can then select any of your pages in the "Page" control.

Acl setup4.png

Another option is to select a section and the value "All" in the "Page" control. This will allow the chosen profile to see "all" of the selected section. Also by selecting "All" in both controls, users of that profile will be allowed to view "all" of "all" sections, just as it would be without the Enterprise ACL System for that profile.

Template warning.png

To display a section in the menu, the user must have access to at least the first page of the section. For example, for the "Monitoring" section to be displayed they must have access to at least "Tactical View".


1.4.2 Personalized Editing

To add individual pages that are not accessible from the menu we can manually enter your sec2. To do this, access the page we want to add and copy the parameter sec2.

For example, if we want to add the main view of the agents, we will enter the view of any agent and find a URL similar to this one:


Enter the contents of parameter sec2 (operation/agents/see_agent) in the text box.

Acl setup5.png

1.4.3 Security

Any page that is not "allowed" will not be displayed in the menu, and its use will not be allowed, even when the user enters the URL in "manual" mode. Any page that isn't allowed by the "Classic" ACL system of Pandora FMS will not be allowed by the Enterprise ACL system (this is valid for the classic ACL system). This would be a concrete example of several filters:

Acl example.png

In addition, there is a control that checks if a page belongs to a section, which reinforces the security against manual modifications of the URL. This check will be skipped for pages added with the custom editor as well as when you have access to all pages in a section, thus optimizing the load.

1.5 Workspace

This section allows you to interact with Pandora users, or edit the user's details, as well as some diverse operations, such as access to the incidences system (to open tickets), chat with other users connected to Pandora, etc.

1.5.1 Chat

It allows to interact in a chat with other users connected to that Pandora console. Useful for example, if we want to comment something to another operator.

1.5.2 Connected users

This extension shows other users connected to the Pandora FMS Console other than their own. This functionality is important because the Pandora FMS console allows connections of multiple users.

The extension is accessed from Workspace > Connected users.


1.5.3 Messages

Pandora FMS has a tool that allows different users to send messages among themselves. See messages

When a user has a message, an envelope icon appears at the top right of the console.


Messages that have a user can be viewed in Workspace > Messages > Messages list, and from there you can read, delete or write a message for a specific group or user.

1.6 Servers

The detailed view of the servers is used to know, besides the general state of the Pandora FMS servers, its load level and delay. Let's see a screenshot of a server status screen, that we remember, is reached through the operation menu -> Pandora Servers.

Server explained 2017.png

Some icons have special relevance, as seen in the above caption:

  • Poll request: It requests the remote test server to run all the checks it has, forcing it to run them again. Valid for all network servers, e. g. Network server, WMI server, Plugin server, WEB server, etc.
  • Editing recon server tasks.
  • Edit remote server configuration. Valid for Pandora servers or satellite servers .

In addition, in this view we can see several important data, each column shows the following information:

  • Server name, usually uses the hostname of the machine.
  • Status (green = active, grey = stopped or dropped).
  • Server type: data server, network server, etc.
  • Progress bar indicating the load percentage of total modules for that type of server. In this case all servers are at 100% except recon server, which has no associated tasks so it is at 0%.
  • Number of such modules executed by the server with respect to the total number of such modules.
  • Server Lag: Higher time spent by the oldest module waiting to receive data / Nº of modules that are out of their lifetime. In this example there are approx. 3000 modules out of their lifespan, with a lag time of 10 minutes 13 seconds. This indicator is useful to know if we have many modules and to know if the server is at the limit of its load capacity, as it is this case, that without being an excessive delay (10 minutes 13 sec, for modules that on average have a life time of 5 min), the number of modules that are out of time is considerable. In the case of the network server this figure is much lower, being only 19 modules with lag (10 minutes) of a total of almost 1500 modules.
  • Total number of threads configured on the server: Total number of modules in queue waiting to be attended. These parameters reflect excessive load status. There should almost never be queued modules; this reflects the server's inability to process the data.
  • Number of seconds since the server updated its data. Each server has a "Keepalive" that updates its status, to make sure it is active and updating its statistics.

1.7 Backup

Extension that allows backing up the DB and restore it.

The extension is accessed from Admin tools > Extension manager > Backup.

To back up, type the Backup description and click on "Create".


When the backup is done, it appears in the Backup list with the running icon.


Once the Backup has been created, it is possible to:

  • Download it by clicking on this icon:


  • Do a rollback by clicking on this icon:.


The rollback applies a previously created backup and restores it. This will destroy all existing data in the console and apply the data that exists in the backup on which the rollback is made.

  • Delete it by clicking on this icon:


1.8 Cron Job

(Only Enterprise version)

This extension allows you to schedule the execution of tasks from Pandora's server.

The extension can be accessed from Servers > Cron jobs.

Cron jobs.jpg

To add a task, the following fields must be filled in:

  • Task: combo where the task to perform can be chosen.
    • Send personalized report via e-mail
    • Run custom script
    • Pandora FMS BD Backup Copy
    • Save custom report to disk
  • Schedule: Field where the frecuency of the task performance can be chosen.
    • Without schedule: These tasks will be executed only once and at the specified time..
    • Hourly
    • Daily
    • Weekly
    • Monthly
    • Yearly
  • First run: Field where the date and time of the first execution of the task is chosen; it will be executed periodically, taking this date and time as a reference.
  • Parameters: Field that allows entering parameters in the task to be performed. It varies by task.
    • Pandora FMS BD Backup Copy: Description and path where the backup will be stored.
    • Send report via e-mail: report to be sent and recipient's e-mail address.
    • Run script: script command to run.
    • Save report to disk: report to be saved and its path to be stored.

Once the data has been filled in, click on create and the task appears in the list of scheduled tasks.

Cron jobs list.jpg

Once the scheduled task has been created, it is possible to force its execution by clicking on the green circle to the right of the task or delete it by clicking on the red cross on the left.

1.9 Scheduled downtimes

Pandora FMS has a small management system of planned downtimes. This system allows you to deactivate the alerts at intervals when there is a downtime, deactivating the agent. When an agent is deactivated it doesn't collect information either, so that in a downtime, for most metrics or report types, the intervals where there is a downtime are not taken into account in the reports because there is no data in the agents during those intervals.

To create a downtime, go to the Tools > Scheduled downtime menu and press the button to create one:


We find the following configurable parameters:

  • Name: Name of the scheduled downtime.
  • Group: The group to which we want it to belong to.
  • Description.
  • Type: we can set the following types of downtimes:
    • Quiet: Marks as "quiet" the modules we indicate, so they will not generate alerts, events, and will not store historical data.
    • Disable Agents: Disables the selected agents. It is important to know that if an agent is manually disabled before the task is triggered, it will become enabled once this task is completed.
    • Disable Alerts: Disables alerts of selected agents.
  • Execution: Allows us to configure whether we want it to run once or periodically.
  • Set time: Setting the day and time at which the planned stop will start and end either once or periodically, depending on what has been previously configured in "Execution".


If the administrator of Pandora FMS enables it in the visual configuration section, it is possible to create planned stops in a last date. They will not be executed, but their existence will be reflected in different reports. This is particularly relevant since it affects, among others, availability reports and SLAs.



Finally we specify which specific agents we want to include in that downtime.


When a programmed downtime is "active" it cannot be modified or deleted, but from version 5.0 onwards there is an option where we can stop the execution in "Stop downtime", so that all the agents/modules/alarms that the scheduled downtime is temporarily disabling can be re-enabled. This option does not support periodic planned downtimes. From version 6.0 onwards, you can postpone planned non-periodic downtimes even if they are 'active'.


When this downtime is over, we can modify or delete it.

1.9.1 Alternatives to downtime management on the console

There are often certain "cyclical" situations that we have to take into account and the method of managing downtimes is too specific: for example, we want to be able to deactivate all agents quickly and on time or to plan a general downtime every week from a certain time to another. For this type of operations, there are ways to do it from the command line.

There is a faster way to put all agents in service mode, through the use of the CLI, pandora_manage. pl of Pandora management through the command line:

./ /etc/pandora/pandora_server.conf --enable_group 1

Pandora FMS Manage tool 3.1 PS100519 Copyright (c) 2010 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at

[*] Pandora FMS Enterprise module loaded.

[INFO] Enabling group 1

This activates all agents; to disable them, it would be the same but slightly different:

./ /etc/pandora/pandora_server.conf --disable_group 1

1.10 Audit Log

Pandora FMS keeps a log of all the changes and important actions that occur in the Pandora FMS console. This log can be viewed in the Admin tools > System Audit Log.


On this screen, you can see a series of entries related to console activity, user information, action type, date and a brief description of the recorded events.

At the top right, you can see a pie chart with the percentage of actions per user. Shows the most active users.

Audit 01.png

In the upper left corner, you can filter which entry is going to be displayed by different criteria including: actions, user and IP, you can even perform a text search and determine the maximum hours.

The available filtering fields:

  • Action: las diferentes acciones posibles entre las que filtrar -> ACL Violation, Agent management, Agent remote configuration, Alert management, Command management, Dashboard management, Event alert management, Event deleted, Extension DB inface, File collection, Logoff, Logon, Logon Failed, Massive management, Module management, No session, Policy management, Report management, Setup, System, Template alert management, User management, Visual console builder.
  • User.
  • Free text for search: it will search in the fields User, Action and Comments.
  • Max. Hours old: number of backward hours in which to display events.
  • IP: IP address of origin.

It is also possible to export the information displayed on the screen to a CSV file by clicking on the button at the bottom right of the screen.

Audit 02.png
Available actions to filter

With this tool, you can search, for example, for the task that a user performs on managing agents in the last hour.

Audit 03.png

Or the moment when a given user has logged on to the console. You can retrieve all information about actions performed by the entire user. In addition, you can see the Pandora server service start date or when the console configuration was changed.

Audit 04.png

1.11 Local server logs

In the latest versions of the Pandora FMS console, you can check the status of the logs through the menu Extensions > Extension management > System logs.

System logs menu.png

From this extension you can view the logs of both the console and the local server:

System logs main.png

If you are unable to view the content, please check the permissions of your log files:

chown -R pandora:apache /var/log/pandora/

You can adjust the logrotate options to maintain this setting by modifying the file /etc/logrotate.d/pandora_server

/var/log/pandora/pandora_server.error {
	size 300000
	rotate 3
	maxage 90
	create 660 pandora apache
/var/log/pandora/pandora_snmptrap.log {
	size 500000
	rotate 1
	maxage 30
	create 660 pandora apache

Note: If your system is SuSE, replace apache with www-data; in case of using a different system, check the users corresponding to the Apache service. (httpd)

1.12 DB management from the console

the core of Pandora FMS system is its database. It stores all data collected by monitored systems, agent configuration, alarms, events, audit data, different users and their data. That is, all system data.

The efficiency and reliability of this module is vital for the correct functioning of Pandora FMS, the maintenance of Pandora FMS database in good condition is critical for Pandora FMS to work correctly.

To perform regular database maintenance, administrators can use standard MySQL commands from the command line or manage the database from the console without extensive knowledge of Mysql.

The database diagnostic report is obtained from "Admin tools -> Diagnostic info"

The management of the Database by means of sql statements is carried out from "Admin tools -> Admin Tools -> DB Interface"

The database schema check management is performed from "Admin tools -> Admin Tools -> DB Schema Check"

Captura de pantalla de 2017-10-09 13-37-10.png

1.12.1 DB Interface

This is an extension that allows you to execute commands in the database and see the result. It is an advanced tool that should only be used by people who know SQL and the Pandora FMS database schema in enough detail.

Template warning.png

If misused, this tool may "destroy" data or permanently render the application inoperative.


It is accessed from Admin tools > DB interface.


Write the command in the blank field and click on "Execute SQL".

1.12.2 DB Schema Check

This is an extension that allows you to check the structural differences between the database established in your Pandora FMS and a pattern scheme to compare possible errors.

You access the extension from Admin tools > Admin Tools -> DB Schema Check.

Captura de pantalla de 2017-10-09 13-47-04.png

Enter the data to access your database and click on "Run test".

1.13 Plugin log

Extension that allows you to easily register server plugins.

The extension can be accessed through Servers > Register plug-in.


To register a plugin choose the file by clicking on Browse and click on "Upload".

More information about server plugins can be found in the development and extension chapter.

You can see it in the section [Plugin Development] the format of the .pspz files.

1.14 Insert data

Extension that allows to import data in a comma separated file (CSV) to an agent module. This extension is accessed from Resources > Insert Data.

Insert data1.png

The format of the CSV file must be date; value per line. The date must be given in Y/m/d H: i: s format:

2011/08/06 12:20:00;77.0
2011/08/06 12:20:50;68.8

1.15 Importing agents from CSV

(Enteprise feature)

Extension that allows to import a file separated by some separator in the Pandora server.

It's accessible from Admin tools > Extensions manager > CSV import.


Choose the file to import by clicking on "Select file". Choose the server where the export will take place and from a combo you choose the separator. Once you have completed the above fields, click on "Go".

The CSV file must contain the following fields in the following order: Agent Name, IP Address, Operating System ID, Interval and Group ID to which the agent must belong.

1.16 Resource registration

This extension allows you to import .prt files containing the definition of network component, smnp component, local component or wmi component. You can also add all of them (except the local component) to a template.

Resource registration screenshot.png

1.16.1 .prt file format

<?xml version="1.0"?>
<pandora_export version="1.0" date="yyyy-mm-dd" time="hh:mm">

1.17 Text string translator

This extension belongs to the section Setup > Translate string and allows translating text strings of the Pandora FMS interface to customize it.

Translate string.png

The fields to be filled in are detailed below:

  • Language: allows to filter the strings by language.
  • Free text for search (*): Content of the string you want to customize.

Three columns will appear: in the first one it will show the original string, in the second, one the current translation and in the third one the custom translation that you want to add.

Go back to Pandora FMS Documentation Index