Difference between revisions of "Pandora: Documentation en: RemoteManagement"

From Pandora FMS Wiki
(Using TeamViewer with Pandora FMS)
(Remote system management with Pandora FMS)
 
(32 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
 
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
  
= Remote systems management with Pandora FMS =
+
= Remote system management with Pandora FMS =
  
== Introduction==
+
== Introduction ==
  
Pandora FMS is a monitoring tool, and it doesn't use the agents so we could connect with the systems.This way it isn't useful to control remotely the monitored systems. Some systems, such as routers and switches could be managed through Telnet or SSH and in order to have access to them you will only need to fire the right command.
+
Pandora FMS is a monitoring tool, and based on its work ethic, it does not use agents to connect to the equipment, so it uses other methods to allow operators to remotely control the monitored systems. Some systems, such as routers and switches can be managed by Telnet or SSH and in order to access them, you only need to launch the command. To do this, use an'' optional'' extension based on the Anytermd tool that has not been installed as standard since version 7.0. It is present in the Pandora FMS module library [https://library.pandorafms.com/index.php?sec=Library&sec2=repository&lng=es&action=view_PUI&id_PUI=818]
  
Pandora FMS includes "by default" a Java plugin to be able to connect from the WEB console, via VNC to the remote servers, using the IP configured by them. This could be easy if we are in the same local network segment and if we have direct connection. In other cases, it is more complicated.
+
The standard tool in Pandora FMS to have access to remote systems (whether it may be windows, mac or Windows) is eHorus [https://ehorus.com], a remote control tool that since it is WEB, it is totally integrated in Pandora FMS interface.
 
We can distinguish between complex and simple environments. These would be the characteristics of a simple environment:
 
  
* The server IP doesn't change.
+
== Using eHorus with Pandora FMS ==
* The access (paths, firewalls) from the operator PC to the servers has open ports and it knows how to get through normal TCP/IP.
 
* We could install a remote control software in the server host system, or this has already one.
 
  
Unlike this, the characteristics of a complex environment would be the following ones:
+
[http://ehorus.com/ eHorus] is a remote management system that relies on the cloud (SaaS) to connect to the computers, regardless of changes in IP, firewalls or other problems discussed previously.
 
 
* The server IP changes (it's dynamic).
 
* There is no direct access from the operator PC to the server that we want to monitor.
 
* We couldn't install remote control software in the remote system.
 
 
 
There are also intermediate cases, for example, the machines have fixed IP, but we don't have direct remote access via TCP/IP to the server from the operator PC. In any case, there are three possible ways to have remote access to these systems:
 
 
 
# Directly, it's possible to install, for example a SSH server, activate the Remote Desktop or to install a VNC server in the host system. From the operator PC, it'll be enough if we write the remote system IP in the client program that is running in the operator PC and it'll be ready. This is right only for the "Simple" environments. Here we strongly recommend UltraVNC.<br><br>
 
# To use an inverse system. We are referring to those remote control systems that, instead of waiting to connect, with an open TCP port, connect with a server in the internet which allows, when the operator PC communicates with this same server in Internet, to "connect" both computers so they can "talk". This way, between them, the internal network wouldn't communicate at all. This system, useful in complex environments, has many disadvantages, such as the speed, or the fact that if the server that we need to control doesn't have access to Internet, we won't be able to communicate with it. Here we recommend TeamViewer.<br><br>
 
# Use a direct connection system with UltraVNC allows to configure one proxy, so it'll be the one that connects with the remote server. We will connect with the intermediate server (proxy) and this one with the end server. This is called "Ultra VNC Repeater". You can find more information about this in this page http://www.uvnc.com/docs/uvnc-repeater.html.This would be the working basic sketch:
 
  
 
<center>
 
<center>
<br><br>
+
[[image:Remote-computer-access-schema.png|center]]
[[image:Ultra_vnc_modeI.png|750px]]
 
<br><br>
 
 
</center>
 
</center>
  
The UltraVNC tool itself allows to do the setup in a graphic way:
+
To enable it, activate the integration in its configuration section.
  
 
<center>
 
<center>
<br><br>
+
[[image:ehorus_setup.png|center|670px]]
[[image:Ultra_vnc_repeater.gif]]
 
<br><br>
 
 
</center>
 
</center>
  
The connection to the VNC server would use the proxy to connect with the destination server, as we can see in this screenshot:
+
After that, enter a valid login from a service user. This user will be used to authorize the remote connection to the provided agents.
  
 +
It is possible, although probably not necessary, to use another eHorus provider editing the fields
 +
''API Hostname'' (''switch.ehorus.com'' by default) and ''API Port'' (''18080'' by default).
 +
 +
<br><br>
 
<center>
 
<center>
 +
[[image:ehorus_setup_full.png|center|670px]]
 +
</center>
 
<br><br>
 
<br><br>
[[image:Vnc_sample2.gif]]
 
<br><br>
 
</center>
 
  
== Using VNC integrated in Pandora FMS ==
+
{{tip|Remember to check if the connection works properly before saving the changes.}}
  
It's possible, through the Pandora FMS "VNC" extension, to have access, from the WEB console itself, without having to install additional software or doing anything extra. To do this, the only requisites are these:
+
Once the connection is configured, you will be able to check that a new custom field appears in the agent view, called '''eHorusID'''. This field should contain the eHorus agent ID to be managed. You can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).
  
* Having installed a VNC server that includes the Java applet, listening in the port 5800 of each server we want to manage remotely.
 
* Having the Java plugin installed in its browser.
 
* Having direct connection from the PC where the operator is connected to the Pandora console, to the monitored server that we want to manage remotely. The connection has to allow the port 5800/TCP
 
 
If we fulfil these requisites, we only have to press on the flap with the extension "VNC" in the operation view of one agent and we'll see the following:
 
 
<center>
 
<br><br>
 
[[image:vnc_tab.png]]
 
 
<br><br>
 
<br><br>
<i>Look of the VNC flap (first one by left)</i>
 
<br>
 
</center>
 
 
When the communication is reestablished, it's necessary to introduce a password that is configured when the VNC server is installed in the machine.
 
 
 
<center>
 
<center>
<br><br>
+
[[image:ehorus_agent_id.png|center]]
[[image:Vnc_ext_1.png|750px]]
 
<br><br>
 
 
</center>
 
</center>
 
Once we have introduced the password, we have access to the server " as if we were there".
 
 
<center>
 
<br><br>
 
[[image:Vnc_ext_2.png|750px]]
 
 
<br><br>
 
<br><br>
</center>
 
  
We recommend the use of the UltraVNC [http://www.uvnc.com/], so, besides being very strong, support connection coding, and allow file transfer from one machine to other, it's OpenSource and free.
+
If you are using Pandora FMS 7.0 or higher agents, they already automatically support a parameter to automatically obtain the eHorus ID, through the following configuration token:
  
The limitations of this system are mainly the following:
+
ehorus_conf <path>
  
* Needs connection between your PC and the machine to monitor remotely. If it's behind one firewall or a Router, in Internet, it won't be able to connect.
+
The configuration token supports the absolute path to a valid configuration file of an eHorus agent. The agent will create a custom field called eHorusID that contains the identification key of the eHorus agent.
* Needs to know the IP. With Pandora FMS, it could tell to the agent that notifies the current IP to Pandora, and this will know which one is the IP, but sometimes it won't work well (if it has several network adapters, if it doesn't update the IP in an standard way or due to other possible causes)
 
* Needs to install the UltraVNC software, may be that due to security policies it won't be able to install it.
 
  
In case that the problem is the first point, you could use the direct connection method through proxy, but the method shown there won't work, so you will need to download a client program and execute it manually from your PC in order to connect with the remote system.
+
{{tip|The eHorus agent to be managed must be visible by the configured user in the configuration section of the integration.}}
  
== Using TeamViewer with Pandora FMS ==
+
When the Pandora FMS agent has defined the ID of the eHorus agent in its customized field, the administrator users or those that have agent management permissions, will see a new tab in the agent menu from which they will be able to use the eHorus client from inside Pandora FMS.
  
TeamViewer is one of the best remote management systems available. Teamviewer can use  intermediate servers in Internet to connect with their equipments, regardless of changes in the IP, firewalls or other problems we've previously mentioned. You will only need three things:
+
The eHorus id (EKID) is entered in this agent custom field:
  
* Internet connection in both ends (the server to monitor and the operator's PC).
+
<center>
* Take note of the machine ID and remember the password.
+
[[image:ehorus_pandora_custom.jpg|center]]
* Install the TeamViewer software in the remote server.
+
</center>
  
Once it has been installed, you'll assign an ID to this machine and you'll have the chance to configure a password for permanent access. The TeamViewer IDs has the format "XXX XXX XXX" (nine digits). This is the ID you need to connect to a server. For this, we use the Enterprise feature "Customized fields" to create this field in all the agents and write there the ID of each machine.
+
Once configured, just click on any of the sections that the remote control extension with eHorus presents of that agent: remote control via Shell, remote desktop, process view, services or copy files.
  
I create the custom field (Configuration -> Agents -> Manage customized fields -> Create)
+
<center>
 +
[[image:Ehorus_submenu.jpg|center]]
 +
</center>
  
 
<center>
 
<center>
<br><br>
+
[[image:Ehorus_c1.jpg|center]]
[[image:Custom_field_create.png|650px]]
 
<br><br>
 
 
</center>
 
</center>
  
Once created, I can store there the ID of this machine, in this case 623 596 886
+
It is always recommended using a local password in the eHorus agent. If configured, we will be prompted interactively:
  
 
<center>
 
<center>
<br><br>
+
[[image:Ehorus_c2.jpg|center]]
[[image:Custom_field_create1.png|650px]]
 
<br><br>
 
 
</center>
 
</center>
  
Now, I only have to go to the TeamViewer page, [https://login.teamviewer.com/] introduce my ID and go to the system:
+
Once authenticated, you may access the interactive command line session (linux, mac and windows) with root permissions:
  
 
<center>
 
<center>
<br><br>
+
[[image:Ehorus_c3.jpg|center]]
[[image:team_viewer.png|650px]]
 
<br><br>
 
 
</center>
 
</center>
  
=== Technical details about Teamviewer ===
+
And the same goes for managing remote processes and copying files (both upload and download):
  
TeamViewer is extremely powerful and it also allows to transfer files from one system to other one.
+
<center>
 +
[[image:Ehorus_c4.jpg|center]]
 +
</center>
  
These tools are connected with remote servers, and the security could be a "problem" if we are specially " demanding" with these concepts (due to legal questions and/or privacy of data. With the commercial version there are, obviously, some advantages regarding this point.
+
<center>
 +
[[image:Ehorus_c5.jpg|center]]
 +
</center>
  
This is a list of the connections fixed in the server managed remotely with a fixed TeamViewer connection:
+
And of course, the remote desktop (Windows, Linux and Mac):
  
TCP    desktop:1379          server530.teamviewer.com:http  ESTABLISHED
+
<center>
TCP    desktop:1380          master4.teamviewer.com:http  ESTABLISHED
+
[[image:Ehorus_d1.jpg|center]]
TCP    desktop:1381          server311.teamviewer.com:http  ESTABLISHED
+
</center>
TCP    desktop:1382          server311.teamviewer.com:http  ESTABLISHED
 
 
 
Teamviewer also supports direct connection between the client and the server.
 
 
 
We strongly recomment to all enterprise users to buy a licence of TeamViewer to manage their servers. VNC is nice, but Teamviewer has a very efficient on the fly compression, and you will experience an incredible remote access experience managing remote hosts.
 
 
 
== Connecting remote systems using SSH/Telnet from Pandora FMS ==
 
 
 
Since 4.0.2 version, Pandora FMS has a new extension to let users connect directly with devices by telnet or SSH. This is done with the Remote Gateway extension. You need to do a special setup for this component, not usually installed "by default". This is an opensource feature, based on anytermd software, published under GPL2 licence.
 
 
 
<br><center><br>
 
[[image:ssh_snapshot1.png|570px]]
 
</center><br><br>
 
 
 
<br><center><br>
 
[[image:ssh_snapshot2.png|570px]]
 
</center><br><br>
 
 
 
Pandora FMS uses a tool called "anytermd" to create a "proxy" between user browser and remote destination. This tool launches as a daemon, listeting in a port, and executing a command, forwarding all output to the user browser. That means all the connections are done FROM the pandora server and it has to be installed the telnet and ssh client. This is a basic architecture schema:
 
 
 
<br><center><br>
 
[[image:anytermd.png|500px]]
 
</center><br><br>
 
 
 
=== Install and setup ===
 
 
 
Sources are placed in extras/anytermd.
 
 
 
Make sure you have installed gnu c++ compiler (gcc-c++), make, boost-devel and zlib-devel.
 
 
 
Run:
 
 
 
make
 
 
 
Later, install manually the binary to /usr/bin
 
 
 
cp anytermd /usr/bin
 
 
 
To run the server daemons, you need to do manually, Pandora FMS server / console doesn't start up automatically. Pandora FMS SSH/Telnet extension will search for a different instance of anyterd running in 8023 for Telnet connections and 8022 for SSH connections.
 
 
 
You have a start/stop daemon in contrib/anytermd. Copy to ''/etc/init.d/anytermd'' and execute it like this:
 
 
 
/etc/init.d/anytermd start
 
  
By default uses "pandora" user for execution, if you want to change it, alter the script file for any other httpd based user your system may have.  
+
{{Tip|For more information about eHorus, you can visit their website [https://ehorus.com]. eHorus is free up to 10 computers. eHorus is developed by the same team that made Pandora FMS possible.}}
  
 +
{{Warning|If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in [https://curl.haxx.se/ca/cacert.pem PEM] format and add <code>curl.cainfo&#61;{path}\cacert.pem</code> to the <i>php.ini</i> file.}}
  
{{tip|This will use ports 8023 and 8022, be sure that ports are "open and clear" from the user browser to the console webserver system. No firewalls there}}
+
For more information about Pandora FMS remote management check the [https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:SSH_and_FTP_setup following link].
  
Now you're free to use the extension and connect remote servers by telnet or SSH.
 
  
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
+
[[Pandora:Documentation_en|Go back to Pandora FMS Documentation Index]]
  
 
[[Category:Pandora FMS]]
 
[[Category:Pandora FMS]]
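
Review bot: The added line "Once authenticated, you may access the interactive command line session (linux, mac and windows) with root permissions" is paired with a local password that is only "always recommended", while the new tab is shown to administrators and to anyone with agent management permissions. Consider presenting the local eHorus agent password as a prerequisite for enabling the integration, and naming the exact Pandora FMS permission that exposes the tab. In the added Introduction, "whether it may be windows, mac or Windows" repeats Windows where a later added line lists "linux, mac and windows". The revision also drops the whole "Install and setup" text for anytermd (ports 8022 and 8023, init script, the "pandora" execution user) while the Introduction still directs readers to the Anytermd extension with only a module library link, so either keep a short pointer to the setup steps or say where they now live.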

Latest revision as of 12:19, 14 October 2019


1 Remote system management with Pandora FMS

1.1 Introduction

Pandora FMS is a monitoring tool and, in keeping with its design philosophy, it does not use its agents to connect to the equipment, so it relies on other methods to let operators remotely control the monitored systems. Some systems, such as routers and switches, can be managed by Telnet or SSH, and to access them you only need to launch the command. To do this, use an optional extension based on the Anytermd tool, which has not been installed as standard since version 7.0. It is available in the Pandora FMS module library [1].

The standard tool in Pandora FMS for accessing remote systems (whether Windows, Mac or Linux) is eHorus [2], a remote control tool that, being web-based, is fully integrated into the Pandora FMS interface.

1.2 Using eHorus with Pandora FMS

eHorus is a remote management system that relies on the cloud (SaaS) to connect to the computers, regardless of changes in IP, firewalls or other problems discussed previously.

Remote-computer-access-schema.png

To enable it, activate the integration in its configuration section.

Ehorus setup.png

After that, enter valid login credentials for a service user. This user will be used to authorize the remote connection to the provided agents.

It is possible, although probably not necessary, to use another eHorus provider by editing the fields API Hostname (switch.ehorus.com by default) and API Port (18080 by default).



Ehorus setup full.png




Remember to check if the connection works properly before saving the changes.

 


Once the connection is configured, you will be able to check that a new custom field appears in the agent view, called eHorusID. This field should contain the eHorus agent ID to be managed. You can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).



Ehorus agent id.png



If you are using Pandora FMS 7.0 or higher agents, they support a parameter that obtains the eHorus ID automatically, through the following configuration token:

ehorus_conf <path> 

The configuration token takes the absolute path to a valid configuration file of an eHorus agent. The agent will create a custom field called eHorusID that contains the identification key of the eHorus agent.


The eHorus agent to be managed must be visible by the configured user in the configuration section of the integration.
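
One way to sanity-check the ehorus_conf token before relying on it, as an added example that is not part of the Pandora FMS documentation or code. It assumes a Unix agent whose configuration file uses "token value" lines with "#" comments; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: sanity-check the ehorus_conf token of a Pandora FMS agent.
# Assumes a Unix agent whose configuration uses "token value" lines and "#"
# comments; the function names are hypothetical.

# Print the value of each active (uncommented) ehorus_conf line.
ehorus_conf_values() {
    awk '$1 == "ehorus_conf" { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Exit status: 0 ok (prints the path), 1 token not set, 2 token repeated,
# 3 value is not an absolute path, 4 target missing or unreadable,
# 5 target empty, 6 agent configuration file unreadable.
check_ehorus_conf() {
    agent_conf=$1
    if [ ! -r "$agent_conf" ]; then
        echo "cannot read agent configuration: $agent_conf" >&2
        return 6
    fi
    count=$(awk '$1 == "ehorus_conf" { n++ } END { print n + 0 }' "$agent_conf")
    if [ "$count" -eq 0 ]; then
        echo "ehorus_conf is not set in $agent_conf" >&2
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "ehorus_conf appears $count times; keep a single entry" >&2
        return 2
    fi
    path=$(ehorus_conf_values "$agent_conf")
    case $path in
        /*) ;;
        *)  echo "ehorus_conf must be an absolute path, got '$path'" >&2
            return 3 ;;
    esac
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "eHorus configuration file missing or unreadable: $path" >&2
        return 4
    fi
    if [ ! -s "$path" ]; then
        echo "eHorus configuration file is empty: $path" >&2
        return 5
    fi
    printf '%s\n' "$path"
}

# Check a real agent configuration when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ehorus_conf "$1"
fi
```

Pass the agent configuration file as the first argument; a non-zero exit status identifies which check failed.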

 


Once the Pandora FMS agent has the ID of the eHorus agent defined in its custom field, administrator users and users with agent management permissions will see a new tab in the agent menu, from which they can use the eHorus client from inside Pandora FMS.

The eHorus ID (EKID) is entered in this agent custom field:

Ehorus pandora custom.jpg

Once configured, click any of the sections that the eHorus remote control extension offers for that agent: remote control via shell, remote desktop, process view, services or file copy.

Ehorus submenu.jpg
Ehorus c1.jpg

Using a local password in the eHorus agent is always recommended. If one is configured, you will be prompted for it interactively:

Ehorus c2.jpg

Once authenticated, you may access the interactive command line session (Linux, Mac and Windows) with root permissions:

Ehorus c3.jpg

And the same goes for managing remote processes and copying files (both upload and download):

Ehorus c4.jpg
Ehorus c5.jpg

And of course, the remote desktop (Windows, Linux and Mac):

Ehorus d1.jpg

For more information about eHorus, you can visit their website [3]. eHorus is free for up to 10 computers. eHorus is developed by the same team that made Pandora FMS possible.

 



If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in PEM format and add curl.cainfo={path}\cacert.pem to the php.ini file.

 


For more information about Pandora FMS remote management check the following link.

