Pandora: Documentation en: Policy
Go back to Pandora FMS documentation index
Contents
- 1 Policies
- 1.1 Introduction
- 1.2 Adding a Policy
- 1.3 Deleting a Policy
- 1.4 Duplicating a Policy
- 1.5 Configuring a Policy
- 1.5.1 Policy Queues Management
- 1.5.2 Agents and Groups
- 1.5.3 Modules
- 1.5.3.1 Creating a Data Server Module
- 1.5.3.2 Creating a Network Server Module
- 1.5.3.3 Creating a Module for the Plug-in Server
- 1.5.3.4 Creating a Module for the WMI Server
- 1.5.3.5 Creating a Module for the Prediction Server
- 1.5.3.6 Creating a Module for the Web Server
- 1.5.3.7 Modifying a previously created Module
- 1.5.3.8 Deleting an already created Module
- 1.5.3.9 Using Plug Ins within the Policies
- 1.5.4 Inventory Modules
- 1.5.5 Alerts
- 1.5.6 External Alerts
- 1.5.7 Agent Plug Ins
- 1.5.8 Types of Modules
- 1.5.9 File Collections
- 1.6 Policy search
- 1.7 Policy management from the Metaconsole
1 Policies
1.1 Introduction
Pandora FMS is able to manage thousands of devices, containing thousands of modules and alerts. We've developed the policy functionality with the purpose of rendering the administrators work a lot easier as the systems which are the target of the monitoring could be composed of a very high number of components.
The policy appliance allows you to propagate modules, alerts, external alerts and collections to the agents in a centralized and homogeneous way by modifying its configuration files by the remote edition feature called Agent Configuration.
The available operations pertaining to policies in general are the following:
- To create, delete and duplicate one policy
- To add and delete one or several existing agents
- To create, edit and delete one module
- To create, edit and delete one alert
- To create, edit and delete an external alert
- To add and delete an already existing collection
- To add and delete an already existing inventory module
- To link the policy to one or several adopted modules
The operations conducted within a policy are not going to be effective until the policy is applied.
The application of the different policies is managed by one queue, in which they could be introduced in order to apply to an agent or to all of the policy. It's also possible to introduce the application of one policy from the database, if the changes don't affect the remote configuration.
You may invoke the policy management by clicking on 'Administration' and 'Manage Policies' on the left side of the Pandora FMS web console as shown below.
1.2 Adding a Policy
If you click on the 'Administration' and 'Manage Policies' menus, all available policies are going to be shown.
Please click on the 'Create' button to create a new policy. You have a policy creation screen here, in which we're required to insert the name, the group to which it's going to belong to, and an optional description.
1.3 Deleting a Policy
If you intend to delete any policy, please make sure that it doesn't have any agent associated to it.
If one policy contains agents, the delete button is disabled and a button to delete all its agents is shown next to it. This button is going to introduce the deletion process into the queue. Once it has been processed, the policy deletion button is going to be in an active state again.
1.4 Duplicating a Policy
There is also a button to duplicate a policy. It's located in the middle of the policy operation buttons.
The copy of the policy which will be created here is going to be shown as 'not applied', regardless of the original policy's state.
1.5 Configuring a Policy
In order to configure the policy, please click on the policy's name under 'Administration' and 'Manage Policies' or access it directly by hovering the mouse over it and clicking on the policy you intend to configure.
The policy configuration contains options for the following elements:
- Agents
- Modules
- Inventory Modules
- Alerts
- External Alerts
- Collections
- Linking
- Queue
- Agent Plug Ins
The different executable actions aren't going to be applied until the policy is applied. If you're adding an agent to the policy, you're e.g. able to create several modules and alerts, but they're not going to come into effect until you're applying the policy.
If we e.g. have one policy applied and we're modifying or deleting elements, the changes aren't going to come into effect until its next execution.
All changes are displayed shown within the 'Queue' window. You're able to introduce the policy into the process queue there, in which it's going to wait for its turn to be applied.
1.5.1 Policy Queues Management
The policy operations queue contains a summary of the elements which have been changed since their last application:
This list contains the elements which are required to be updated and the ones pending to delete:
- Pending to update
- Agents
- Adopted modules pending to link
- Adopted modules pending to unlink
- Pending to delete
- Agents
- Modules
- Inventory Modules
- Alerts
- External Alerts
- Collections
This summary is going to show you whether you should apply the policy or not. Sometimes, a button will be shown to apply them next to the icon of agents pending to apply.
If the pending changes only affect the database, e.g. changes in alerts, this button is going to conduct the changes on this level only, so the application will be quicker.
If the configuration which affects the configuration files has been changed, e.g. if collections or local modules have been modified, the application is complete.
Under summary, there is a button called 'Apply All', regardless of the pending modifications.
If we select to apply we're going to add the policy agents to the application queue. The Pandora FMS Server will be in charge of applying the pending policies to the queue. If we refresh the screen, we're able to see the application's progress. In the moment it's completed, it's going to be mentioned in the queue as completed, along with the time which passed since it has finished the process.
1.5.2 Agents and Groups
This window was designed to add or to delete agents from the policy, filtered by agents or groups.
1.5.2.1 Agents
At the top part we will have the possibility to select different agents or groups using Control or Shift keys.
At the bottom part we will have a list of all agents asociated to the policy and even all of that agents that are pending to be deleted from the policy.
The list of agents has the possibility to filter by group, substring or state. List of items displayed:
- Agent Name
- Remote Configuration
- Status of the agent in the policy
- Number of unlinked modules in the agent
- Button to add that agent to the policy.
- Icon group in order to know if that agent was applied by a policy group.
- Timestamp of the last time that the policy was applied.
- Delete/Undo buttom.
Adding or deleting agents from a policy won't be performed until you have applied the queue.
1.5.2.2 Groups
Group recursion option will be available.
At the bottom part we will have a list of all groups asociated to the policy and even all of that agents that are pending to be deleted from the policy.
The list of groups will shown the following information:
- Group Name
- State of the group in the policy
- Button to add that group to the policy
- Number of agent belonged to that group that have applied that policy.
- Timestamp of the last time that the policy was applied.
- Delete/Undo button.
Adding or deleting groups from a policy won't be performed until you have applied the queue.
1.5.3 Modules
The modules menu allows to configure the modules which are going to be added to the policy.
In order to add modules, you're required to pick the type of module in the drop-down menu, to select one module, e.g. 'data server', 'network', 'red', 'plug in', 'WMI', 'prediction' and 'web' and to click on the 'Create' button.
1.5.3.1 Creating a Data Server Module
The Data Server Modules are the modules which are going to be added to the software agents. In order to work with these modules, it's necessary for the agents to have the remote configuration enabled.
Please select the option 'Create a new data server module' and click on the 'Create' button in order to create a new data server module.
Subsequently, a screen intended to configure all the module fields is going to be displayed. The field called 'Data Configuration' is the one which allows you to introduce the module's code which is going to be applied to the agents subscribed to this policy. This change will be contained in this particular agent's 'pandora_agent.conf' file.
You're able to gain access to the advanced options by clicking on the 'Advanced Options' button.
It's possible to review the description of these particular features in the Templates and Components section. There are two options: To fill out the fields or to have a previously defined local component ready to invoke here.
1.5.3.2 Creating a Network Server Module
The network server modules are modules which are managed by the Network Server.
Please select the option called 'Create a new Network Server Module' and click on the 'Create' button in order to create a new network server module.
Subsequently, a window intended to configure all the module fields is going to be displayed.
Please click on the 'Advanced Options' button to gain access to the advanced options.
It's possible to review the description of these particular features and options in the Templates and Components section. Please click on 'Create' button once all fields have been filled out.
Please keep in mind that the modules are quite similar most of the time. Instead of filling out the fields any time one module is added, the best option is to preliminarily define it as a component and to use it as such. In order to use a component, please fill out the combo which is located under 'Using module component' in which it's possible to choose between the different component groups.
Once the group has been selected, another combo pops up in which you're able to choose the component you intend to use.
In this example, we've selected the component called 'Catalyst CPU Usage' of the Cisco MIBs Group.
Once the component is selected, it's possible to modify any of the fields. Please click on the 'Create' button once all the fields have been filled out appropriately.
1.5.3.3 Creating a Module for the Plug-in Server
The modules of the plug-in servers are the modules which are getting managed by it.
In order to create a module for the complement server, please click on 'Create a new Plug-In Server Module' and click on the 'Create' button.
In this moment, a window intended to configure all the module's fields is going to appear.
You may gain access to the advanced options by clicking on the 'Advanced Options' button as shown on the bottom left on the picture above.
You're also able to review the description of the above mentioned features and options within the Templates and Components section again.
Once you have filled out all the fields appropriately, please click on the 'Create' button.
Please keep in mind that the modules are quite similar most of the time. Instead of always filling out the fields any time a module is added, the best option is to preliminarily define it as a component and to use it as such. The use of components is thoroughly explained in the section called Creating a Network Server Module.
|
|
Use macros to configure dynamic parameters, like the IP address of an agent. |
|
1.5.3.4 Creating a Module for the WMI Server
The modules of the WMI Server are the ones which are getting managed by it.
In order to create a module of the Network Server, please click on 'Create a new WMI Server Module' and click on the 'Create' button as shown below.
In this moment, a window intended configure all the module's fields is going to appear.
You may gain access to the advanced options by clicking on the 'Advanced Options' button as shown on the bottom left on the picture above.
It's also possible to review the description of these features and options in the Templates and Components section.
Once all the fields have been filled out appropriately, please click on the 'Create' button.
Please keep in mind that the modules are quite similar most of the time. Instead of always filling out the fields any time a module is added, the best option is to preliminarily define it as a component and to use it as such.
1.5.3.5 Creating a Module for the Prediction Server
The modules of the prediction server are the ones which are getting managed by it.
In order to create a module for the prediction server, please select the option called 'Create a new Prediction Server Module' and click on the 'Create' button.
Subsequently, a window intended to configure all the module's fields is going to appear.
You may gain access to the advanced options by clicking on the 'Advanced Options' button.
Please feel free to review these features and options in the Templates and Components section.
Once all the fields have been filled out appropriately, please click on the 'Create' button.
|
|
In this particular context, the modules of the prediction server are not considered components. |
|
1.5.3.6 Creating a Module for the Web Server
The modules of the web server are the modules which are getting managed by it.
In order to create a module for the web server, please select the option called 'Create a new Web Server Module' and click on the 'Create' button.
Subsequently it's going to display a window intended to configure all the module's fields.
You may gain access to the advanced options by clicking on the 'Advanced Options' button.
Please feel free to review these features and options in the Templates and Components section.
Once all the fields have been filled out appropriately, please click on the 'Create' button.
|
|
In this particular context, the modules of the web server are not considered components. |
|
1.5.3.7 Modifying a previously created Module
It's possible to modify all modules created in a preliminarily generated policy.
In order to do so, please click on the module's name so the module configuration options are shown.
Once they have been modified appropriately, please click on the 'Update' button.
|
|
If the policy module is renamed, the name is going to be renamed like any other field in the moment the policy is applied. |
|
|
|
If a module with the new name already exists in one of the agents in the moment the policy module is renamed, this module is going to be adopted while the old module's name is deleted. |
|
1.5.3.8 Deleting an already created Module
In order to delete the module from the policy and remove it from the agents that have it installed, please click on the x-shaped button on the right of the module's name. Once you've done that, the module is still going to be shown but crossed out. Subsequently, the 'Delete' button will be replaced by the 'Undo' button.
1.5.3.9 Using Plug Ins within the Policies
The format used is quite simple. You're only required to 'outwit' the system, declaring one module for each type of module that the plug in returns. In order to do this, you're required to foreknow how many modules the plug in would return. If you're not completely sure, you're able to choose to register the plug in once and that the modules, which are going to be created, are going to work from outside of the policy. The data will arrive, but we can't parametrize them by the policies, because they are modules which are going to arrive without being associated to the policy.
All the data linked to one policy has to be previously defined. The policies don't specifically contain 'non-defined' information.
Supposing that we're going to execute this plug in which dynamically returns the free space in bytes which all the units of the system have.
In this example, the plug-in exit returns several unities (C:, D: and Z:)
If you intend to manage them as policy modules, it's recommended to define several modules and the real call of the plug in within only one of them. Please leave the field called 'module_plugin' empty in any other cases.
module_begin module_name C: module_type generic_data module_plugin cscript //B "%ProgramFiles%\pandora_agent\util\df.vbs" module_end module_begin module_name D: module_type generic_data module_plugin module_end module_begin module_name Z: module_type generic_data module_plugin module_end
1.5.4 Inventory Modules
It's also possible to create inventory modules within a policy by picking one from the list of the available ones in the system, thereby picking an interval and the credentials for it.
Like the rest of the policy's elements, if we remove an inventory module, it's going to be shown as crossed out. The 'Undo' button is going to be displayed instead in case you intend to undo the action.
1.5.5 Alerts
The Alert menu allows you to configure the alerts which are going to be added to the policy.
1.5.5.1 Adding Alerts
In order to add an alert, you just have to link it to one of the predefined templates or to one module which belongs to the policy and to click on the 'Add' button.
1.5.5.2 Modifying Alerts
It's possible to add actions to alerts, to put them in a stand-by mode or to deactivate them.
If you intend to change any module or template, it's recommended to delete it and to create a new one.
1.5.5.3 Deleting Alerts
In order to delete an alert from the policy and remove it from the agents that have it installed, please click on the x-shaped button on the right of the module's name. Once you've done that, the alert is still going to be shown but crossed out. Subsequently, the 'Delete' button will be replaced by an 'Undo' button.
1.5.6 External Alerts
The external alerts are very similar to the regular alerts. The difference is that this type allows you to link alerts to agent modules which aren't contained in the policy module's main list. It's sometimes very useful to only assign alerts to some agent modules but not to all of them.
1.5.6.1 Adding External Alerts
In order to create an external alert, you're required to fill out the form shown on the picture below. The first field is intended to select the agent's modules. Only the ones which aren't contained in the policies are mentioned here. The second field is intended to select the appropriate alert template.
1.5.6.2 Modifying External Alerts
Considering how easy it is to create new external alerts along with their few variables, the possibility of modifying external alerts doesn't exist. In order to modify an external alert, it's recommended to just delete it and to create a new one.
1.5.6.3 Deleting External Alerts
In order to delete an external alert from the policy and remove it from the agents that have it installed, please click on the x-shaped button on the right of the module's name.
The deletion system is the same as the one of the regular alerts. The deletion isn't going to come into effect until the policy is applied. The 'Delete' button is going to be replaced by an 'Undo' button in order to undo an e.g. accidental deletion.
1.5.7 Agent Plug Ins
|
|
In order for the plugin of an agent to be applied by a policy, the plugin must exist in the path specified by the agent |
|
Since Pandora FMS 5.0 it's possible propagate the agent's plug ins easily by the plug ins editor within the policies.
It's possible to add agent plug ins to be created in each local agent within a policy in the moment of applying it.
1.5.8 Types of Modules
If a policy is applied, it's possible to review the different modules within the agent's view. If you click on 'Manage Agents' and 'Modules' menu, there are three different types of modules:
1.5.8.1 Adopted Modules
These modules were created in the policy with the same name of an already existing module within the agent. When applying the policy, Pandora FMS is going to use the existing module's data instead of creating a new one.
If you delete a policy, the adopted modules aren't going to be deleted from the agents. They're only going to be defined as 'non-adopted' modules. The data column for these modules is going to look like the one shown on the picture below.
1.5.8.2 Linked Modules
These modules are created in the policy. If you're applying the policy, they're also being created within the agent. These are the average modules created in the policies.
You're able to link and unlink modules by clicking on 'Manage Agents' and 'Modules'. Please select the appropriate module and click the button on the picture below in order to unlink the module ...
... and this button to link it.
If you delete a policy, the linked and unlinked modules are deleted from the agents.
1.5.8.3 Unlinked Modules
If a module is unlinked, the future changes conducted in the policy aren't going to be applied onto them. The unlinked modules are useful, because they allow to define 'individual exceptions' to modules which belong to a certain policy. You're able to 'customize' an agent in a policy without removing it from the policy and only for a specific module in this way.
The changes in the policies are only going to be applied if the module is linked again.
1.5.9 File Collections
A file collection is not just an option to policies - it's usually utilized in them. A file collection is a group of files (e.g. scripts or executables) which are automatically copied to a specific directory of the agent (under Windows or UNIX). The file collections allow to be propagated along with the policies in order to be used by a group of agents, using a 'package' of scripts and modules which use them.
First we learn how to use the file collections in the agent's view, how to conduct it manually, agent by agent, without using collections, and how to do the same thing by using policies.
Our first task is to arrange a compilation of files. In order to do this, please go to the agent's administrator. Subsequently, we're going to see a 'sub option' called 'Collections'. Please click on it in order to create a new collection as we can see on the picture below.
Once you've created the file collection, please feel free to upload any appropriate file to it. These files can be binaries, scripts or data files. All files are moved to the same base directory. It's extremely important that each file collection has its own base directory. In the console, file collections are stored under a directory called '/pandora_console/attachment/collection', bearing a name like 'fc_XXX', where 'XXX' is the collection's numerical ID. The file collections are also able to contain subdirectories. The file collections are transferred as ZIP files to the agent.
File collections are only supported if you use the Tentacle transference mode.
On the second picture below, you can see how the example collection we've created (fc_1383033439) has received two files:
If we go back to the mail collection screen, we can see both collections as a triangular icon, which indicates a problem. This happens because the collections aren't synchronized. It's recommended to synchronize them by clicking on the triangular icon shown below.
When a file collection is synchronized, a green arrow-shaped icon is displayed as shown on the picture below.
Once we've synchronized the collection, it's going to be applied onto the agent - this time without using any policies. Please go to the agent's administrator mode and look for the collection's tabulator (it's a disk-shaped icon). The available collections are going to be displayed there in order to pick one of them and apply it to the agent, as you can see in the windows utilities example on the picture below.
Now it has been applied. Next time the agent contacts the server, we're going to receive the file and a little modification in the '.conf' file, which is going to look like this:
file_collection fc_1383033439
1.5.9.1 File Collections and Policies
This works in a similar way as the single agent collections. Instead of applying a collection on a specific agent it's applied to one policy, as we can see below.
It's very easy to use a module which works with a file included in the collection: Only refer to the directory which contains the collection by using its fixed ID. This is an example which uses a plug-in module:
1.5.9.2 Centralized management of collections
From Pandora FMS OUM729 onwards, you can centralize the management of collections from the Meta Console.
For more information, please visit this link.
1.5.9.3 Location of File Collections within Agents
Each file collection has a 'short name'. In this example, it's called 'fc_1383033439', which means the utilities, scripts or executables contained in the collection are located in '%Archivos de programa%\pandora_agent\collections\fc_1383033439'. It's important to keep in mind that the collection is sent in a compressed format to the agent, so this file collection should contain the unzip tool to be able to unpack the file. Since the agent's version 3.2, this utility is installed under '%Archivos de programa%\pandora_agent\utils'.
This information is important in order to use modules which work by using these files and to be able to specify the complete 'real' path.
This is another example:
If the collection's short name is 'fc_18', the location will be '%ProgramFiles%\pandora_agent\collections\fc_18' in case the English language is used on this particular computer.
Each file collection is stored in a different location in order to avoid the file collections to overwrite each other or to create conflicts among them.
Any locally modified file (on the same system on which the agent is executed) will be overwritten by the agent in the moment it establishes contact to the server. This is done in order to avoid local modifications and to ensure the collections are identical in all the systems in which they've been shown on. This mechanism utilizes the same method the remote configurations management does. It's based on MD5 hashes.
This is an example of one plug in which uses the 'df_percent.vbs' file, contained in one collection called 'fc_1383033439' for a windows-based agent:
module_plugin cscript //B "%ProgramFiles%\pandora_agent\collections\fc_1383033439\df_percent.vbs"
Go back to Pandora FMS Documentation Index
1.6 Policy search
It is possible to perform policy searches from both the Metaconsole and the node. The icon is added in the search header and in the main search results menu.
In the section of policy result, there is a table with the following fields:
- Name.
- Description.
- Group.
- Status.
There are 2 types of results in the Metaconsole:
- Centralized search: The policies that are shown are those that are in the Metaconsole itself. In the table, there is the Server field that is filled out with the symbol - to indicate that the data are obtained from the Metaconsole itself.
- Non-centralized search: The policies shown are obtained directly from each node. In the table, there is the Server field that is filled out with the name of each node.
1.7 Policy management from the Metaconsole
It is possible to manage policies from the Metaconsole. The process consists of distributing the information to all the nodes for each of the servers in charge of applying them. This distribution of information is complex because it is important that all nodes have the same data as the Metaconsole.
1.7.1 Configuration. Centralized management mode
TheMetaconsole has a centralized management mode. This means that, as far as policies are concerned, management is done from the meta console and not from the node. In the Metaconsole, the selection of this mode is made from the general configuration.
For the configured nodes to know that the mode is centralized, just go to the license screen and synchronize. In this way, all policy management pages will be informative only, that is, available in read-only mode. The new nodes that are added will be automatically configured in this mode.
Finding out if a node is in centralized mode or not. If so, a warning message will appear in the policy view.
1.7.2 Policy queue in Metaconsole
The policy queue in the Metaconsole is different from that of the nodes. While in the latter, you can see the status of the implementation of the incomplete policies and a history of those already completed, in the Metaconsole this second part has been deleted. Only those that have not been applied or are in progress are shown indicating the node to which they belong.
However, if you want to consult the history, it is available at the node. In fact, it is the only thing that can be managed from the node since all other pages are in read-only mode.
1.7.3 Data Integrity
The data that the nodes and the Metaconsole of each policy have to be the same. Modules, alerts, inventory module, collections... have to be consistent. Therefore, when applying a policy from the Metaconsole, all this data is copied to the involved nodes.
It is very diverse and very sensitive information. There may be an error when copying the data. In this case, the console will display an error and the node will be rolled up with the previous data. In clean installations there is not going to be any problem, but it is recommended to delete the previous policy configurations made manually in the nodes, passing them to the metaconsole to later synchronize them from there.
