Pandora: Documentation en: Other Monitoring
1 Predictive monitoring
In addition to features like remote monitoring, agent-based monitoring or web monitoring, Pandora FMS offers other advanced resources to improve monitoring. With these resources, you are able to predict the value of a module based on historical data or create new modules, carrying out arithmetic operations by using existing ones.
1.2 Types of predictive monitoring
Within the creation of a predictive monitoring module, you can choose one of the following options:
- Arithmetic monitoring:
- Synthetic arithmetic: It means carrying out arithmetic operations (sum, subtraction, multiplication and divide) with data that have been previously obtained in other modules.
- Synthetic average: This means obtaining the average from data that have been previously obtained from other modules.
- Predictive monitoring:
- Module: It means predicting "acceptable" data which can be received by a module, according to the amount of data to be analyzed in the period field.
- Service: It consists of carrying out the status prediction of a service.
1.3 Monitoring through Synthetic Modules
This is an Enterprise version feature. Synthetic modules are manufactured from data from other modules, which can be in the same agent or in different agents. The operations that can be carried out (add, subtract, multiply and divide) between modules and/or with absolute values are arithmetic.
Here are some examples:
- A module called 'Traffic sum' which adds the values of the incoming and outgoing traffic of a router, generating a new module by the total traffic of the interface.
- A module called 'Total users' which adds the values of ten modules called 'Connected users' in each of the five servers where the number of connected users is monitored.
Synthetic modules are managed by the prediction server, so in order to use them that subcomponent of the Pandora FMS server must be activated and the agent on which the modules are created must use that server.
The first step to create a synthetic module is to go to the 'management' section in the 'module' tab of an agent, and once there create a new module of the prediction type.
In the first example, a fictitious module will be created, which is going to contain the arithmetic average value of two modules from two different agents: CPUUse (Sancho-XP) and cpu_user (Garfio). Within each machine, this module measures the percentage of CPU use, and they are two Windows and Linux machines respectively. The final result will be a module stored in 'Sancho-XP' agent which is going to contain the average of both values.
The second example creates a module called "Total accesses" with the average of the values of the "Apache_accesses" modules from two different agents, called Sancho-XP and Sancho-XP_2.
Another easier but more useful example is the one which has been used to create the module called 'Total accesses' in 'Sancho-XP_2'. It simply 'copies' the value of a module of the same name into 'Sancho-XP' to produce the value.
In order to operate with other logical operations (multiplication, subtraction, and division), keep the order of the operators in mind. Feel free to play around with the interface to see how all other arithmetic operations between different modules can be done. You are also able to use a fixed value to add it to your logical operations as shown in the picture below.
You are able to select multiple agents from the box on the left side (by using 'control'). In the central box, all the 'common' modules from the selected agents are going to be shown. It can be pretty useful to produce averages from common modules in a server group (e.g. CPU or disk space).
1.4 Predictive monitoring
Predictive modules require a "base" module on which to "compare" and make predictions. You have two types: anomaly detection and value prediction, both based on the series of data from the module you use as a basis to make the prediction. These two types are based on the type of data to be stored in the predictive module that you are going to create:
- (generic_data) Predict what an acceptable value would be, in a time span of 5-10 minutes (or more, but the farther you estimate in the future, the worse the approximation becomes).
- (generic_proc) Detect whether there is an anomaly or not in the value collected by the "origin" module being analyzed.
Predictive modules are managed by the prediction server, so in order to use them you must have activated that subcomponent of the Pandora FMS server and the agent on which the modules are created must use that server.
Let us see how to define a predictive module.
Within an existing agent, click on the top tab of Modules. Then, select Create a new predictive module:
Once the Create button is pressed, a form will be displayed in which the necessary fields must be filled in in order to create a prediction module. The data type defines the behavior of the predictive module type: depending on the type, you will act as anomaly detector (Boolean type module) or as "predictor" of the module value in the future (numerical data type module).
Below, in the specific section on predictive modules, you should pay attention to the following fields:
- Agent. Just type a part of the name on it and it will look for agents with that part on their names.
- Module. Once you have selected the agent, it will show which modules it has. This will be the "source module" from which it will use the history to predict its future data or detect anomalies.
- Period. Choose the type of sample to be used: daily, monthly or weekly. In this way, an average will be made with the information of the current data and the data in the last four periods. If you have chosen daily, the average of the last four days will be chosen. Same with weekly or monthly data.
Finally, you should not forget a field that appears in advanced properties:
- Interval: The interval takes a number of samples from the last 4 days/weeks/month during the duration of that interval. For example, if you are taking that sample at 13.00, and the interval you set is one hour, it will take the average to add all the values of the last 4 weeks/months/day from 12.30 to 13.30.
The difference between the numerical predictive calculation and anomaly detection is that the latter compares the value obtained in the prediction calculation with the current one. If it exceeds a threshold defined by the standard deviation of that calculated period, it returns fault (0), or it returns ok (1) if it does not.