Difference between revisions of "Pandora: Documentation en: Policy"

From Pandora FMS Wiki
Jump to: navigation, search
(Agent plugins)
 
(Modifying a previously created Module)
Line 563: Line 563:
 
<br>
 
<br>
 
<br>
 
<br>
 +
 +
{{Tip|If the policy module is renamed, the name will be renamed like any other field when the policy were applied}}
  
 
====Deleting a Module already created====
 
====Deleting a Module already created====

Revision as of 16:17, 24 July 2013

Go back to Pandora FMS documentation index

1 Policies

1.1 Introduction

Pandora FMS is able to manage thousand of devices with thousand of modules and alerts. As the systems that are the target of the monitoring could be composed by a high number of components and with the purpose of making the administrator work easier, we have developed the policy functionality.

The policy appliance will allow to propagate modules, alerts, external alerts and collections to the agents in a centralized and homogeneous way, modifying its configuration files through the remote edition feature Agent Configuration.

The available operations in a policy are these:

  • To create/Delete/Duplicate one policy
  • To add/To delete one or several existing agents
  • To create/Edit/Delete one module
  • To create/To Edit/To delete one alert
  • To create/To Edit/To delete an external alert
  • To add/To delete a collection that already exists
  • To add/To delete one inventory module that already exists
  • To link the policy to one or several adopted modules

The operations that are done in a policy will be not effective until the policy would be applied.

The application of the different policies is managed by one queue, in which they could be introduced in order to apply an agent or all the policy. It is also possible to introduce the application of one policy that is only from the database, if the changes that have been done don't affect to the remote configuration.

The policy management is done at section Administration -> Manage policies,at the left side of the Pandora FMS web console:



Politicas.jpg



1.2 Adding a Policy

When clicking on the Administration -> Manage policies menu, all the available policies will be showed.



Politicas1.jpg



To create one new policy, click on the "Create" button. You have here a policy creation screen, where we should introduce the name, the group where it will be classified, and an optional description.



Policia.jpg



1.3 Deleting a Policy

To delete a policy, it couldn't have any agent associated to it.

If one policy has agents, the delete button will be disabled, and a button to delete all its agent will be shown next to it. This button will introduce in the queue the one that has been deleted, and when it had been processed, the policy deleting button will be active again.



Borrar agentes.jpg



1.4 Duplicating a Policy

There is also a button to duplicate a policy between the policy operation buttons



Duplicar politica.jpg



The copy of the policy that will be created will be shown as no applied regardless of the origin policy state.

1.5 Configuring a Policy

In order to configure the policy you should click on the policy name at Administration -> Manage policies or directly on a direct access of one of those that are shown when moving the mouse on the policy you want to configure.



Windows5.jpg



In the policy configuration,there are also the following windows:


  • Agents
  • Modules
  • Inventory Modules
  • Alerts
  • External alerts
  • Collections
  • Linking
  • Queue
  • Agent plugins

The different actions that could be done will be not applied until the policy will be applied. If we ad an agent to the policy we can create several modules and alerts, for example, but until we apply the policy they will not be effective.

Same way, if we have one policy applied and we modify or delete elements, the changes will be not done until the next execution.

All changes will be shown in the "Queue" window, and you could introduce the policy to the process queue there, where it'll wait its turn to be applied.


1.5.1 Policy Propagation

Policy propagation means the activation of the modules, alerts and collections that are configured in the agents that have been defined. This means that these modules and alerts will be added to the agents.

A policy can be propagated in an specific agent or in a complete policy.

To do it on an agent, we should go to the Agents section and choose which in agent we want to apply it . If what we want is to apply all the policy, then we should go to the Queue section.

1.5.2 Policy Queues Management



Queue.jpg




In the policy operations queue there is a summary of the elements that have been changed since the last aplication:

In this list we have the elements that need to be updated and the ones pending to delete:

  • Pending to Update
    • Agents
    • Adopted modules pending to link
    • Adopted modules pending to unlink
  • Pending to Delete
    • Agents
    • Modules
    • Inventory modules
    • Alerts
    • External alerts
    • Collections

This summary will show us if you should apply or not the policy. Some times, next to the icon of agents pending to apply, a button will be shown to apply them.

If the pending changes only affect to the database (for example changes in alerts) this button will do changes only on these level, so the application will be quicker.



Queue onlydb.png



But if the configuration that affects to the configuration files has been changed (for example if collections or local modules have been modified) the application will be complete.



Queue onlydbconf.png



Under the summary there is a button to apply all, regardless of the kind of modifications pending.



Queue applyall.png



When we select to apply we will be adding the policy agents to the application queue. The Pandora FMS server will be in charge of applying the pending policies in the queue. If we refresh the screen, we can see the progress of the application and when it finish, it will be in the queue as completed, with the time that it has passed since it finished.



Queue progress.png



1.5.3 Agents

In this window it's possible to add or to delete agents from the policy.



Brocha3.jpg



1.5.3.1 Massive actions

The upper part is to add/delete agents in a massive way.



Policy agentstop.jpg



They could be filtered by group and with a substring. It's possible to do a multiple selection to add them to the policy by pressing on the arrow that points to the right. These agents will go to the box that is on the right, being associated to the policy but pending to apply.

Same way, the agents of the policy could be deleted with multiple selection with the help of a filter in the same way to pass them to the box at the left with the arrow that points to the left. When you select this way, one or several agents to delete from the policy, they will be shown as crossed out in the box at the right, and they could be re associated to the policy when selecting them again in the left box and linking them as if they were not.

1.5.3.2 Unit Actions

In the window that is bellow,there is a list with all the agents associated to the policy, including those that are pending to delete from it.



Policy agentsbottom.jpg



The agent list has a filter by group, substring or application state:

It shows:

  • The agent name
  • The remote configuration
  • The agent state in the policy
  • The number of modules unlinked in the agent
  • The button to introduce this agent in the queue to could apply it
  • The date and hour of the last application
  • The button of delete/undo remove

When an agent is removed, it will be shown with the name crossed out and in the place of the deleted button a new one to undo the deleting and link the agent to the policy again.

1.5.4 Modules

The modules menu allows to configure the modules that are going to be added to the policy.



Windows6.jpg



To add modules you have to choose the kind of module in the drop-down menu, select one module from the six that are available (dataserver,network, red, plug-in, WMI, prediction and Web) and press on the Create button



Windows7.png



1.5.4.1 Creating one Data server module

The data server modules are the modules that are added to the software agents, to work with these modules, it's necessary that the agents have the remote configuration enabled.

To create one data server module select the option “Create a new data server module” and click on Create.



Windows8.jpg



After this an screen will be shown to could configure all the module fields. The field "Data configuration" is the one that allows to introduce the code of the module that will be applied to the agents that will be subscribed to this policy. This change will be shown in the file “pandora_agent.conf” of this agent.



Windows9.jpg



Clicking on Advanced Options you could have access to the advanced options.



Windows10.jpg



It's possible to see the description of these screen fields in the Templates and components section.

There are two options:To fill in the fields or to have defined a local component previously.

1.5.4.2 Creating a Network Server Module

The network server modules are the modules that are managed through the Network server.

To create a Network server module, select the option “Create a new network server module” and press on the Create button.



Grafic1.jpg



Then, a screen will be shown in order you could configure all the module fields.



Grafic2.jpg



Clicking on Advanced Options you will go to the advanced options



Grafic3.jpg



It's possible to see the description of these screens fields in the Template and components section.

Once that all the fields have been filled in, press on "Create"

Consider that most of the time that the modules repeats, instead of filling in the fields any time that one module is added, the best option is to define it previously as a component and to use this component.

To use a component, fill in the combo that is on "Using module component" where it's possible to choose between the different groups of components



Grafic4.jpg



Once the group has been selected, another combo is selected where you can choose the component to use.



Grafic5.jpg



In the example, we have select the component “Catalyst CPU Usage” of the Cisco Mibs Group.



Grafic6.jpg



Once the component is chosen, it's possible to modify any of the fields. Once all the fields have been filled in, press on "create"

1.5.4.3 Creating a module of the Complement Server

The modules of the complement servers are the modules that are managed through the complement server.

To create a module of the complement server choose the option “Create a new Plugin server module” and press on Create.



Cosa1.jpg



An screen will be shown as you could configure all the module fields.



Cosa2.jpg



Pressing on Advanced Options you can have access to the advanced options.



Cosa3.jpg



You can see the description of these screen fields in the Template and component section.

Once you have filled in all the fields press on the "Create" button.

As most of the times the modules repeats, instead of filling in the fields any time that a module is added, is better to define it previously as one component and use this component. The use of components is explained in the Creating a network module section

1.5.4.4 Creating a module of the WMI Server

The modules of the WMI server are the modules that are managed through the WMI server.

To create a module of the Network server, select the option “Create a new WMI server module” and press on the Create button.



Cosa4.jpg



Then an screen will be shown to you could configure all the module fields.



Cosa5.jpg



Clicking on Advanced Options you go to the advanced options.



Cosa6.jpg



It's possible to see the description of these screen fields in the Template and components section.

Once all the fields have been filled press on "Create"

As most of the times the modules repeats, instead of filling in the fields any time that a module is added, is better to define it previously as one component and use this component. The use of components is explained in the Creating a network module section

1.5.4.5 Creating a module of the Prediction server

The modules of the Prediction server are the modules that are managed through the Prediction server.

To create a module of the Prediction server, select the option “Create a new prediction server and press on Create



Cosa7.jpg



After doing this, a screen will be shown in order you could configure all the module fields.



Cosa8.jpg



Clicking on Advanced Options you go to the advanced options



Cosa9.jpg



You can see the field description of these screens in the Template and components section.

Once all the fields have been filled in, press on "Create"

In case of the prediction modules there aren't components.

1.5.4.6 Creating a Module of the Web server

The modules of the Web server are the modules that are managed from the Web server.

To create a module of the Web server, select “Create a new web server module” and press on Create



Monstruo1.jpg



Then it will show a screen to you could configure all the module fields



Monstruo2.jpg



Clicking on Advanced Options you go to Advanced options.



Monstruo3.jpg



You can see the description of the fields of these screens in the Template and components section.

Once all the fields have been filled in, press on "Create".

In case of the Web modules there aren't components.

1.5.4.7 Modifying a previously created Module

It is possible to modify any of the modules created in a previous policy



Rama1.jpg



To do it press on the module name to the module configuration options would be shown

Once they have been modified press on Update



Rama2.jpg



Info.png

If the policy module is renamed, the name will be renamed like any other field when the policy were applied

 


1.5.4.8 Deleting a Module already created

To delete the module from the policy and remove it from the agents that have it installed, click on the X that is on the module line. Once you have done it, the module will still be showed but crossed out and the deletion button will be replaced by one that undo the action.



Rama4.jpg



1.5.4.9 Using Plugins in the Policies

The format used is quite simple. To do it, you only need to "cheat" the system, declaring one module for each kind of module that the plugin returns.In order to do this, you need to know previously how many modules the plugin could return. If we aren't completely sure, we could choose to register the plugin once and that the modules that are going to be created will do it out of the policy. The data will arrive, but we can't parametrize them with the policies so they are modules that will arrive without being associated to the policy.

All the data linked to one policy have to be previously defined. The policies don't contain "Non defined" information specifically.

Supposing that we are going to execute this plugin, that returns, in a dynamic way, the free space in bytes that all the unities of the system. In this example, the plugin exit returns several unities (C:, D: y Z:)



Plugin exec sample.png



You should define, if you want to manage them as policy modules, several modules, and only in one of them to define the real call to the plugin leaving in other cases, the field module_plugin empty:

module_begin
module_name C:
module_type generic_data
module_plugin cscript //B "%ProgramFiles%\pandora_agent\util\df.vbs"
module_end

module_begin
module_name D:
module_type generic_data
module_plugin 
module_end

module_begin
module_name Z:
module_type generic_data
module_plugin 
module_end

1.5.5 Inventory Modules

It is also possible to create inventory modules in a policy by choosing one from the list of the available ones in the system, an interval and the credentials.



Policy inventory modules.png



Same as with the rest of the elements of the policies, if we remove an inventory module, it will be shown as crossed out, and instead of the deleting button, another one will be shown to undo the action.



Policy inventory modules undo.png



1.5.6 Alerts

The Alert menu allows to configure the alerts that are going to be added to the policy.



Salva1.jpg



1.5.6.1 Adding Alerts

To add one alert is very easy, you have only to link it to one of the templates previously defined or with one of the modules with one module that belongs to the policy and press on "Add".



Salva2.jpg



1.5.6.2 Modifying Alerts

It's possible to add actions, put on standby or deactivate one alert.

If you want to change the module or the template, you should delete and create a new alert.

1.5.6.3 Deleting Alerts

To delete the alert from the policy and remove it from the agents that have it installed, click on the X that is on the alert line. Doing this the alert will remain in the list but with its name crossed out and the deleting button will be replaced by a button to undo the deletion.



Brocha2.png



1.5.7 External Alerts

The External Alerts are similar to the Alerts. The difference is that these allow to link alerts with agent modules that are not in the policy module main list. It's very useful to assign alerts, only to some agent modules and not only to all of them.

1.5.7.1 Adding External Alerts

To create one External Alert you should fill in the following form, the first field is useful to select the agent modules. There will be shown only the ones that are not in the policies. In the second field you could select the alert template.



External-alert-filled.png



1.5.7.2 Modifying External Alerts

Considering how easy is to add External Alerts and the little variables that are, the possibility of modifying External Alerts doesn't exist. To modify an External Alert you should delete and create a new one.

1.5.7.3 Deleting External Alerts

To delete the External Alert from the policy and remain it from the agents that have it installed, you should click on the X that there are on the External Alert line.



External-alert-action-added.png



The deletion system is the same as that of the normal alerts. It will be not effective until the policy would be apply, and instead of the deleting button it will show a button to undo the deletion.

1.5.8 Agent plugins

Since Pandora FMS 5.0, with the plugins editor in policies is possible propagate the agents plugins easily.

Is possible to add agent plugins in a policy to be created in each local agent when be applied.



Policy plugins editor.png



1.5.9 Kind of modules

When a policy is applied, it's possible to see different modules in the agent view. If you go tho the Manage Agents > Modules menu, you could see three different kind of modules .



Modules0.jpg



1.5.9.1 Adopted modules

These modules were created in the policy with the same name of a module already existing in the agent. When applying the policy Pandora FMS will use the data of the existing module instead of creating a new module.



Modules1.jpg



When you delete a policy, the adopted modules are not deleted from the agents. They will be only selected as non-adopted modules, and the line for this modules will be like this one:



Modules1 1.jpg



1.5.9.2 Linked Modules

These modules are created in the policy and when you apply the policy, they will be created in the agent too. These are the average modules created in the policies.



Modules2.jpg



You can link an unlink modules going to Manage Agent > Modules, then select the chosen module and press this button to don't link the module.



Modules3.jpg



And this button to link the module.



Modules4.jpg



When you delete a policy, the modules linked and not linked are deleted from the agents.

1.5.9.3 Unlinked Modules

When a module is not linked, the future changes done in the policy will not be applied on them. The modules not linked are useful because they allow to fix "individual exceptions" to modules that belongs to some policy. This way we can "customize" an agent in a policy without taking it out from the policy, and only for an specific module.



Modules5.jpg



The changes in the policies will be applied only when the module returns to be linked.

1.5.10 File Collections

A file collection is not only an option to policies, but is usually used in policies. A file collection is a group of files (script, and /ore executables) that are automatically copied to an specific directory of the agent (Windows or Unix). The file collections allow that they could be propagated with the policies, so they could be used by a group of agents, using a "package" of scripts and modules that use them.

First we learn how to use the file colletions in the agent view, manual way, agent by agent, without collections, and how to do the same with policies.

Our first task is to do a compilation of files. To do this, go to the agent administrator and after we'll see a "suboption" called "Collections":do click in it to create a new collection, as we can see in the following screen shot:



File collection create.png



Once we have created a file colletion, we upload any file to this collection.This can be of binaries, scripts or data files.All files will go to the same base directory. Each collection has its own base directory, that is extremely important. In the console, these are stored as /pandora_console/attachment/collection directory with a name like fc_XXX, where the XXX is the collection numeric ID. The file collection could contain subdirectories. The file collections are transferred as ZIP files to the agent through. The file collections are only supported with the Tentacle transference mode.

Now we can see how the collection that we have created (fc_3) has two files download:



File collection addfile.png



In this case, if we come back to the mail collection screen, we can see both collections as a triangular icon, what shows that there is a problem. This happens because the collections aren't synchronized and we should synchronize them clicking on this triangular icon.



File collection sync.png



When a file collection is synchronized, an icon with a blue arrow is shown, as we can see here:



File collection sync1.png



Once we have synchronized the collection, it will be applied to the agent, this time without using policies. Go to the agent administrator mode and search the collection tabulator (one icon similar to a disk). There will be shown the available collections, so we can choose one of them and apply it to the agent, in this case, of the previous example (Windows utilities):



Agent collection apply1.png



Now it has been applied. Next time the agent contact with the server we will get the file and also a little modification in the .conf file, that in this case will be this:

file_collection fc_3



Agent collection apply2.png



1.5.10.1 File Collections and Policies

This works in a similar way to the single agent collections, but instead of applying a collection on an specific agent it's applied to one policy, as we can see here:



File collection policyadd.png



If you want to use a module that works with a file included in the collection,it is very easy:refer only to the directory that contains the collection, using its fixed id.This is an example using a plugin module:



Collection module usage plugin.png



To know how the policies work-with plugins-see the specif section in this chapter.

1.5.10.2 Location of the File Collections in the agent

Each file collection has a "short name". In this example, it is called "fc_3", this means that the utilities, scripts or executables that are in the collection will be at %Archivos de programa%\pandora_agent\collections\fc_3.It is important to know that the collection is compressed for its sending to the agent, so this one should have the unzip tool to could this way unzip the file. Since the agent 3.2 version, this utility is installed at %Archivos de programa%\pandora_agent\utils.

You should know this to could use modules that work using these files, to could specify the complete "real" path. Let's see another example:

If the short name of the collection is "fc_18", the location will be (in case of a computer in english):%ProgramFiles%\pandora_agent

\collections\fc_18.

Each file collection is stored in a different address in order to avoid that different file collections would be overwritten or have conflicts between them.

Any file locally modified (in the same system where the agent is executed) will be overwritten by the agent when this one contact with the server. This is done to avoid local modifications and make sure that the collections are identical in all the systems where these ones have been displayed. This mechanism uses the same method that the remote configurations management uses, and it's based on md5 hashes.

This is an example of use of one plugin, that uses the "df_perfecnt.vbs" file, contained in one collection called "fc_3" for a Windows agent:

module_plugin cscript //B "%ProgramFiles%\pandora_agent\collections\fc_3\df_percent.vbs"

1.6 Extra access to policies

It is possible to enable extra access to a policy for users that haven't access to the policy group. This will be done in the editing of users:



File:Extra policies.png



Keep in mind that an user with extra access to a policy will see all the components of the policy: agents, modules, alerts, collections ...

This access is limited to those items.

For example:

You have a Pandora FMS user.

The system has the groups A, B and C. 

There is an agent "age" in the group A with 1 module named "mod". 

There is also a policy "pol" with one module "mod_pol" in the group B. In this policy, the agent "age" is added. 

Your user has access to the group C and is given extra access to the policy "pol".

In your list of agents, you can see all the group C agents and the agent "age" too.

In the module list of the agent "age", you can see the policy module "mod_pol" but NOT the module of the agent named "mod".

If the agent "age" was also in other policy, that policy modules only be displayed if you have access to policies. This access is possible because you have extra access to policies, or because the policy is in group C, to which you have already access.</pre>

Go back to Pandora FMS documentation index