Difference between revisions of "Pandora: Documentation en: RemoteManagement"

From Pandora FMS Wiki
Jump to: navigation, search
(Using eHorus with Pandora FMS)
Line 1: Line 1:
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
= Remote system management with Pandora FMS =
= Remote system management with Pandora FMS =
Line 103: Line 101:
{{Warning|If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in [https://curl.haxx.se/ca/cacert.pem PEM] format and add <code>curl.cainfo&#61;{path}\cacert.pem</code> to the <i>php.ini</i> file.}}
{{Warning|If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in [https://curl.haxx.se/ca/cacert.pem PEM] format and add <code>curl.cainfo&#61;{path}\cacert.pem</code> to the <i>php.ini</i> file.}}
== Connecting to remote systems using SSH and/or Telnet with Pandora FMS ==
There is an extension that allows users to connect directly with remote devices via SSH or SSH. This can be done with the "Remote gateway"extension. This component needs a special configuration, which is not installed "by default" in most Pandora FMS installations, more information and downloads in the library of Pandora FMS modules. [https://pandorafms.com/library/anytermd/]
{{Warning|This extension does not work well with modern versions of Centos/RHEL due to security restrictions in the internal call forkptt (). We recommend using eHorus to replace this functionality. [https://anyterm.org/security.html More info.]}}
Pandora FMS uses a tool called "anytermd", to create a kind of proxy between the user's browser and the remote destination. This tool launches a daemon, listening on a port, that executes a command, diverting all the contents of the connection to the user's browser. This means that all connections are made from the Pandora FMS server, and that the Pandora server has to have installed the ssh and telnet clients of the system. This would be an architecture of the system:
=== Installation and configuration ===
The source code is located in '''extras/anytermd''' in the SVN repository of the project. Additionally it can be found as RPM and tarball packages in the official downloads of the project.
Make sure you have installed the packages: gcc-c++, make, boost-devel and zlib-devel.
Then manually install the binary in /usr/bin
cp anytermd /usr/bin
To run the server daemon, you will have to do it "by hand", since it does not start with the server or Pandora console. The SSH/Telnet remote connection extension will use a different port for each type of connection, SSH 8022 and Telnet 8023.
It has a boot script for anytermd in ''contrib/anytermd''. Copy it to ''/etc/init. d/anytermd'' and run it this way to boot it:
/etc/init.d/anytermd start
By default it uses the user "pandora" for its execution, if you want to change it, modify the script.
{{tip|Make sure that ports 8022 and 8023 are free and open from the user browser to the server where the Pandora's console and anytermd runs.}}
==== Securization of Anytermd installation ====
For security reasons, we recommend restricting access to ports 8022 and 8023 so that only authorized systems can access them. To do this, we recommend using firewall rules (iptables on Linux):
On the host where Anytermd runs:
iptables -I INPUT -p tcp --dport 8023 -s <source_ip> -j ACCEPT
iptables -I INPUT -p tcp --dport 8022 -s <source_ip> -j ACCEPT
Where <source_ip> is the IP of the user/browser that will have access to this functionality.

Revision as of 12:16, 14 October 2019

Go back to Pandora FMS documentation index

1 Remote system management with Pandora FMS

1.1 Introduction

Pandora FMS is a monitoring tool, and based on its work ethic, it does not use agents to connect to the equipment, so it uses other methods to allow operators to remotely control the monitored systems. Some systems, such as routers and switches can be managed by Telnet or SSH and in order to access them, you only need to launch the command. To do this, use an optional extension based on the Anytermd tool that has not been installed as standard since version 7.0. It is present in the Pandora FMS module library [1]

The standard tool in Pandora FMS to have access to remote systems (whether it may be windows, mac or Windows) is eHorus [2], a remote control tool that since it is WEB, it is totally integrated in Pandora FMS interface.

1.2 Using eHorus with Pandora FMS

eHorus is a remote management system that relies on the cloud (SaaS) to connect to the computers, regardless of changes in IP, firewalls or other problems discussed previously.


To enable it, activate the integration in its configuration section.

Ehorus setup.png

After that, enter a valid login from a service user. This user will be used to authorize the remote connection to the provided agents.

It is possible, although probably not necessary, to use another eHorus provider editing the fields API Hostname (switch.ehorus.com by default) and API Port (18080 by default).

Ehorus setup full.png


Remember to check if the connection works properly before saving the changes.


Once the connection is configured, you will be able to check that a new custom field appears in the agent view, called eHorusID. This field should contain the eHorus agent ID to be managed. You can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).

Ehorus agent id.png

If you are using Pandora FMS 7.0 or higher agents, they already automatically support a parameter to automatically obtain the eHorus ID, through the following configuration token:

ehorus_conf <path> 

The configuration token supports the absolute path to a valid configuration file of an eHorus agent. The agent will create a custom field called eHorusID that contains the identification key of the eHorus agent.


The eHorus agent to be managed must be visible by the configured user in the configuration section of the integration.


When the Pandora FMS agent has defined the ID of the eHorus agent in its customized field, the administrator users or those that have agent management permissions, will see a new tab in the agent menu from which they will be able to use the eHorus client from inside Pandora FMS.

The eHorus id (EKID) is entered in this agent custom field:

Ehorus pandora custom.jpg

Once configured, just click on any of the sections that the remote control extension with eHorus presents of that agent: remote control via Shell, remote desktop, process view, services or copy files.

Ehorus submenu.jpg
Ehorus c1.jpg

It is always recommended using a local password in the eHorus agent. If configured, we will be prompted interactively:

Ehorus c2.jpg

Once authenticated, you may access the interactive command line session (linux, mac and windows) with root permissions:

Ehorus c3.jpg

And the same goes for managing remote processes and copying files (both upload and download):

Ehorus c4.jpg
Ehorus c5.jpg

And of course, the remote desktop (Windows, Linux and Mac):

Ehorus d1.jpg


For more information about eHorus, you can visit their website [3]. eHorus is free up to 10 computers. eHorus is developed by the same team that made Pandora FMS possible.


Template warning.png

If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in PEM format and add curl.cainfo={path}\cacert.pem to the php.ini file.


Go back to Pandora FMS Documentation Index