Difference between revisions of "Pandora: Documentation en: RemoteManagement"

From Pandora FMS Wiki
(Connecting remote systems using SSH/Telnet from Pandora FMS)
(Remote system management with Pandora FMS)
 
(16 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
 
[[Pandora:Documentation_en|Go back to Pandora FMS documentation index]]
  
= Remote Systems Management by Pandora FMS =
+
= Remote system management with Pandora FMS =
  
 
== Introduction ==
 
== Introduction ==
  
Pandora FMS is a monitoring tool and it doesn't use agents in order to establish a connection to the systems. It isn't useful to control the monitored systems remotely in this way. Some systems, such as routers and switches could be managed by using Telnet or SSH. In order to have access to them you're only required to fire the appropriate command.
+
Pandora FMS is a monitoring tool, and based on its work ethic, it does not use agents to connect to the equipment, so it uses other methods to allow operators to remotely control the monitored systems. Some systems, such as routers and switches can be managed by Telnet or SSH and in order to access them, you only need to launch the command. To do this, use an'' optional'' extension based on the Anytermd tool that has not been installed as standard since version 7.0. It is present in the Pandora FMS module library [https://library.pandorafms.com/index.php?sec=Library&sec2=repository&lng=es&action=view_PUI&id_PUI=818]
  
Pandora FMS includes a Java plug in by default to be able to establish a connection from the web console via VNC to the remote servers by using the IP configured within them. This could be easy if we're in the same local network segment and have a direct connection. It's more complicated in some other cases.
+
The standard tool in Pandora FMS to have access to remote systems (whether it may be windows, mac or Windows) is eHorus [https://ehorus.com], a remote control tool that since it is WEB, it is totally integrated in Pandora FMS interface.
 
We're distinguishing between complex and simple environments. These would be e.g. the characteristics of a simple environment:
 
  
* The server's IP doesn't change.
+
== Using eHorus with Pandora FMS ==
* The access (paths and firewalls) from the operator's PC to the servers has open ports and it knows how to connect by using normal TCP/IP.
 
* We're able to install a remote control software within the server's host system or it already has one.
 
  
The characteristics we consider to be the ones of a complex environment are the following:
+
[http://ehorus.com/ eHorus] is a remote management system that relies on the cloud (SaaS) to connect to the computers, regardless of changes in IP, firewalls or other problems discussed previously.
  
* The server's IP changes (it's dynamic).
+
<center>
* There is no direct access from the operator's PC to the server we intend to monitor.
+
[[image:Remote-computer-access-schema.png|center]]
* We're unable to install any remote control software on the remote system.
+
</center>
  
There are also intermediate cases, e.g. the machines have a fixed IP, but we don't have direct remote access from the operator's PC to the server via TCP/IP. In any case, there are three possible ways to acquire remote access to these systems:
+
To enable it, activate the integration in its configuration section.
<br>
 
<br>
 
'''1. Directly:'''<br>
 
It's possible to install e.g. an SSH server, to activate the remote desktop or to install a VNC server on the host system. From the perspective of the operator's PC, it's completely sufficient if we're inserting the remote system's IP into the client program which is running on it and it's ready. For the 'simple' environments, this is the appropriate way to go. We strongly recommend to use [http://www.uvnc.com/ '''UltraVNC'''] if you decide to use this method.
 
  
 +
<center>
 +
[[image:ehorus_setup.png|center|670px]]
 +
</center>
  
'''2. By using an inverse System:'''<br>
+
After that, enter a valid login from a service user. This user will be used to authorize the remote connection to the provided agents.
We're referring to remote control systems which connect by using a server on the internet which allows to connect both computers so they can 'talk' if the operator's PC communicates with the same server on the internet, instead of just waiting to connect with an open TCP port. The internal network wouldn't communicate with them in this way at all. This system, although useful in complex environments, has many disadvantages such as the speed or the fact that if the server we're required to control doesn't have access to the internet. In this case, we wouldn't be able to communicate with it. We strongly recommend to use [http://www.teamviewer.com/en/index.aspx '''TeamViewer'''] here.
 
  
 +
It is possible, although probably not necessary, to use another eHorus provider editing the fields
 +
''API Hostname'' (''switch.ehorus.com'' by default) and ''API Port'' (''18080'' by default).
  
'''3. By using a Direct Connection System:'''<br>
+
<br><br>
UltraVNC allows to configure one proxy, so it's going to be the one which connects to the remote server. We're going to connect with the intermediate server (proxy) and connect this one to the end server. This is called 'Ultra VNC Repeater'. You can find more information about this method on the [http://www.uvnc.com/docs/uvnc-repeater.html '''UVNC Repeater'''] page.
 
 
 
On the picture below, you're looking at a basic working sketch of this system.
 
 
 
 
<center>
 
<center>
 +
[[image:ehorus_setup_full.png|center|670px]]
 +
</center>
 
<br><br>
 
<br><br>
[[image:Ultra_vnc_modeI.png|750px]]
 
<br><br>
 
</center>
 
  
The UltraVNC tool itself allows you to conduct the setup graphically:
+
{{tip|Remember to check if the connection works properly before saving the changes.}}
 +
 
 +
Once the connection is configured, you will be able to check that a new custom field appears in the agent view, called '''eHorusID'''. This field should contain the eHorus agent ID to be managed. You can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).
  
 +
<br><br>
 
<center>
 
<center>
 +
[[image:ehorus_agent_id.png|center]]
 +
</center>
 
<br><br>
 
<br><br>
[[image:Ultra_vnc_repeater.gif]]
 
<br><br>
 
</center>
 
  
The connection to the VNC server utilizes the proxy to connect to the destination server, as we can see on the picture below.
+
If you are using Pandora FMS 7.0 or higher agents, they already automatically support a parameter to automatically obtain the eHorus ID, through the following configuration token:
  
<center>
+
ehorus_conf <path>  
<br><br>
 
[[image:Vnc_sample2.gif]]
 
<br><br>
 
</center>
 
 
 
== Using Integrated VNC under Pandora FMS ==
 
  
By the Pandora FMS 'VNC' extension it's possible to have access from the web console itself, without having to install additional software or doing besides that.
+
The configuration token supports the absolute path to a valid configuration file of an eHorus agent. The agent will create a custom field called eHorusID that contains the identification key of the eHorus agent.
  
The only requirements are the following:
+
{{tip|The eHorus agent to be managed must be visible by the configured user in the configuration section of the integration.}}
  
* Having a VNC server that includes the Java applet installed which listens on port 5800 of each server we intend to manage remotely.
+
When the Pandora FMS agent has defined the ID of the eHorus agent in its customized field, the administrator users or those that have agent management permissions, will see a new tab in the agent menu from which they will be able to use the eHorus client from inside Pandora FMS.
* Having the Java plug in installed on its browser.
 
* Having direct connection from the PC on which the operator is connected to the Pandora FMS console and to the monitored server we intend to manage remotely. The connection is required to grant access via port 5800 TCP.
 
  
If we fulfill these requirements, we only have to click on the flap with the 'VNC' extension within the 'Operation' view of an agent. We're going to see the following there:
+
The eHorus id (EKID) is entered in this agent custom field:
  
 
<center>
 
<center>
<br><br>
+
[[image:ehorus_pandora_custom.jpg|center]]
[[image:vnc_tab.png]]
 
<br>
 
<i>Appearance of the VNC flap (first one on the left)</i>
 
<br>
 
 
</center>
 
</center>
  
When the communication is reestablished, it's required to introduce a password which is configured in the moment the VNC server is installed on the machine.
+
Once configured, just click on any of the sections that the remote control extension with eHorus presents of that agent: remote control via Shell, remote desktop, process view, services or copy files.
  
 
<center>
 
<center>
<br><br>
+
[[image:Ehorus_submenu.jpg|center]]
[[image:Vnc_ext_1.png|750px]]
 
<br><br>
 
 
</center>
 
</center>
 
Once we have introduced the password, we have access to the server "as if we were on site".
 
  
 
<center>
 
<center>
<br><br>
+
[[image:Ehorus_c1.jpg|center]]
[[image:Vnc_ext_2.png|750px]]
 
<br><br>
 
 
</center>
 
</center>
  
We recommend the use of [http://www.uvnc.com/ '''UltraVNC''']. Besides being very strong, supporting connection coding and allowing file transfer from one machine to another, it's a GPLv2 licensed free software.
+
It is always recommended using a local password in the eHorus agent. If configured, we will be prompted interactively:
  
However, the limitations of this system are mainly the following:
+
<center>
 +
[[image:Ehorus_c2.jpg|center]]
 +
</center>
  
* It requires a connection between your PC and the machine you intend to monitor remotely. If it's behind a firewall, a router or in the internet, it won't be able to connect.
+
Once authenticated, you may access the interactive command line session (linux, mac and windows) with root permissions:
* It requires to know the IP. With Pandora FMS, it could tell the agent which notifies the current IP to it, which is going to know the appropriate IP, but sometimes it doesn't work very well. If it has several network adapters, if it doesn't update the IP by default or due to other possible causes.
 
* It requires the installation of the UltraVNC software, which you're might not allowed to install due to certain security policies in your location.
 
  
In cases in which the first mentioned point is the problem, we recommend to use the direct connection method by using a proxy. If the methods shown here aren't working, you're required to download a client program and execute it manually from your PC in order to connect to your remote system.
+
<center>
 
+
[[image:Ehorus_c3.jpg|center]]
== Using TeamViewer under Pandora FMS ==
+
</center>
 
 
[http://www.teamviewer.com/en/index.aspx '''TeamViewer'''] is one of the best remote management systems available. TeamViewer is able to use intermediate servers on the internet to connect to its equipment, regardless of changes in the IP, firewalls or other problems we've previously mentioned.
 
 
 
You only require three things:
 
 
 
* An internet connection on both ends (the server you intend to monitor and the operator's PC).
 
* To take a note of the machine's ID and to remember the password.
 
* To install the TeamViewer software on the remote server.
 
  
Once it has been installed, you're required to assign an ID to the machine. You're also able to configure a password for permanent access. The TeamViewer IDs have the format "XXX XXX XXX" (nine digits). This is the required ID to connect to the server. We use the Enterprise feature called 'Customized Fields' to create this field within all agents and to insert the ID of each machine for this.
+
And the same goes for managing remote processes and copying files (both upload and download):
 
 
Please click on 'Configuration' -> 'Agents' and 'Manage customized Fields' in order to create a custom field. Once the creation process is finished, please click on 'Create' button.
 
  
 
<center>
 
<center>
<br><br>
+
[[image:Ehorus_c4.jpg|center]]
[[image:Custom_field_create.png|650px]]
 
<br><br>
 
 
</center>
 
</center>
 
Once the field is created, you're able to store the machine's ID there. It's '623 596 886' in this case.
 
  
 
<center>
 
<center>
<br><br>
+
[[image:Ehorus_c5.jpg|center]]
[[image:Custom_field_create1.png|650px]]
 
<br><br>
 
 
</center>
 
</center>
  
In this moment, you're required to go to the [https://login.teamviewer.com/ '''TeamViewer'''] page, insert my ID and login to the system as shown on the picture below.
+
And of course, the remote desktop (Windows, Linux and Mac):
  
 
<center>
 
<center>
<br><br>
+
[[image:Ehorus_d1.jpg|center]]
[[image:team_viewer.png|650px]]
 
<br><br>
 
 
</center>
 
</center>
  
=== Technical Details about TeamViewer ===
+
{{Tip|For more information about eHorus, you can visit their website [https://ehorus.com]. eHorus is free up to 10 computers. eHorus is developed by the same team that made Pandora FMS possible.}}
 
 
TeamViewer is quite powerful. It allows to transfer files from one system to another.
 
 
 
These tools are connected to remote servers. The security could be a problem in cases we're very demanding related to these concepts, e.g. legal questions and privacy of data. If you're using the commercial version, there are some advantages regarding the above mentioned security issues.
 
 
 
This is a list of fixed connections within the remotely managed server in the moment of using a fixed TeamViewer connection:
 
 
 
TCP    desktop:1379          server530.teamviewer.com:http  ESTABLISHED
 
TCP    desktop:1380          master4.teamviewer.com:http  ESTABLISHED
 
TCP    desktop:1381          server311.teamviewer.com:http  ESTABLISHED
 
TCP    desktop:1382          server311.teamviewer.com:http  ESTABLISHED
 
 
 
TeamViewer also supports direct connections between client and server.
 
 
 
We strongly recommend  to buy a license of TeamViewer to manage their servers to all Pandora FMS Enterprise users. VNC is quite nice, but TeamViewer has a very efficient on the fly compression, and you will experience an incredible remote access level when managing remote hosts with it.
 
 
 
== Connecting remote systems using SSH/Telnet from Pandora FMS ==
 
 
 
Since the 4.0.2 version, Pandora FMS comes with a new extension which was designed to directly connect to their devices by telnet or SSH. This feature is conducted by the 'Remote Gateway' extension. You're required to conduct a special setup for this component, because it's not going to be installed by default. This is an open-source feature, based on the 'anytermd' software, published under GPL2 license.
 
 
 
<br><center><br>
 
[[image:ssh_snapshot1.png|570px]]
 
</center><br><br>
 
 
 
<br><center><br>
 
[[image:ssh_snapshot2.png|570px]]
 
</center><br><br>
 
 
 
Pandora FMS uses a tool called 'anytermd' to create a 'proxy' between the user's browser and its remote destination. This tool launches as a daemon which listens on a port. It executes a command which forwards all output to the user's browser. That means all the connections are conducted '''by''' the Pandora FMS Server and it has to be installed onto the telnet and SSH client.
 
 
 
You're looking at the the architecture's basic schema on the picture below.
 
 
 
<br><center><br>
 
[[image:anytermd.png|500px]]
 
</center><br><br>
 
 
 
=== Setup and Installation ===
 
 
 
All sources are contained in the directory called 'extras/anytermd'.
 
 
 
Please make sure you have the gnu c++ compiler ('gcc-c++'), 'make', 'boost-devel' and 'zlib-devel' installed.
 
 
 
Please execute:
 
 
 
make
 
 
 
Then install the binary to the directory called '/usr/bin' manually by executing the following command:
 
 
 
cp anytermd /usr/bin
 
 
 
In order to run the server daemons, you're required to start them manually, since the Pandora FMS Server or the console don't start up automatically. The Pandora FMS SSH / telnet extension is going to look for a different instance of 'anytermd', running on port 8023 for telnet and port 8022 for SSH connections.
 
 
 
You also have a start and stop daemon in the directory called 'contrib/anytermd'. Please copy it to '/etc/init.d/anytermd' and execute it in the following way:
 
 
 
/etc/init.d/anytermd start
 
 
 
It's going to use the 'pandora' user for execution by default. If you intend to change it, please alter the script file for any other HTTPD-based user your system may have.  
 
  
 +
{{Warning|If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in [https://curl.haxx.se/ca/cacert.pem PEM] format and add <code>curl.cainfo&#61;{path}\cacert.pem</code> to the <i>php.ini</i> file.}}
  
{{tip|This script is going to use the ports 8023 and 8022. Please make sure these ports are 'open and clear' from the user browser to the console's web-server system.}}
+
For more information about Pandora FMS remote management check the [https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:SSH_and_FTP_setup following link].
  
You're now free to use the extension and connect to remote servers by telnet or SSH.
 
  
 
[[Pandora:Documentation_en|Go back to Pandora FMS Documentation Index]]
 
[[Pandora:Documentation_en|Go back to Pandora FMS Documentation Index]]
  
 
[[Category:Pandora FMS]]
 
[[Category:Pandora FMS]]
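Review bot: The added paragraph "It is always recommended using a local password in the eHorus agent" reads as optional, yet the next added paragraph gives an interactive command line session with root permissions, and the new tab is shown to administrators and to anyone with agent management permissions. Suggest stating the local password as a requirement for managed agents, or documenting what gates the shell when no local password is set. Separately, the rewritten introduction says "whether it may be windows, mac or Windows"; the later added lines list Linux, Mac and Windows, so one of the two "Windows" is presumably meant to be Linux.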

Latest revision as of 12:19, 14 October 2019


1 Remote system management with Pandora FMS

1.1 Introduction

Pandora FMS is a monitoring tool and, by design, it does not use agents to connect to the equipment, so it relies on other methods to let operators remotely control the monitored systems. Some systems, such as routers and switches, can be managed by Telnet or SSH; to access them, you only need to launch the command. To do this, use an optional extension based on the Anytermd tool, which has not been installed as standard since version 7.0. It is available in the Pandora FMS module library: https://library.pandorafms.com/index.php?sec=Library&sec2=repository&lng=es&action=view_PUI&id_PUI=818

The standard tool in Pandora FMS for accessing remote systems (whether Linux, Mac or Windows) is eHorus (https://ehorus.com), a remote control tool that, being web-based, is fully integrated into the Pandora FMS interface.

1.2 Using eHorus with Pandora FMS

eHorus is a remote management system that relies on the cloud (SaaS) to connect to the computers, regardless of changes in IP, firewalls or other problems discussed previously.

Remote-computer-access-schema.png

To enable it, activate the integration in its configuration section.

Ehorus setup.png

After that, enter a valid login from a service user. This user will be used to authorize the remote connection to the provided agents.

It is possible, although probably not necessary, to use another eHorus provider by editing the fields API Hostname (switch.ehorus.com by default) and API Port (18080 by default).



Ehorus setup full.png



Tip: Remember to check if the connection works properly before saving the changes.

 


Once the connection is configured, you will be able to check that a new custom field appears in the agent view, called eHorusID. This field should contain the eHorus agent ID to be managed. You can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).



Ehorus agent id.png



If you are using Pandora FMS 7.0 or higher agents, they already support a parameter that obtains the eHorus ID automatically, through the following configuration token:

ehorus_conf <path> 

The configuration token takes the absolute path to a valid configuration file of an eHorus agent. The agent will create a custom field called eHorusID that contains the identification key of the eHorus agent.

Tip: The eHorus agent to be managed must be visible to the user configured in the configuration section of the integration.

 


When the Pandora FMS agent has the ID of the eHorus agent defined in its custom field, administrator users, or those that have agent management permissions, will see a new tab in the agent menu from which they can use the eHorus client from inside Pandora FMS.

The eHorus id (EKID) is entered in this agent custom field:

Ehorus pandora custom.jpg

Once configured, just click on any of the sections that the eHorus remote control extension offers for that agent: remote control via Shell, remote desktop, process view, services or copy files.

Ehorus submenu.jpg
Ehorus c1.jpg

Using a local password in the eHorus agent is always recommended. If one is configured, you will be prompted for it interactively:

Ehorus c2.jpg

Once authenticated, you may access the interactive command line session (Linux, Mac and Windows) with root permissions:

Ehorus c3.jpg

And the same goes for managing remote processes and copying files (both upload and download):

Ehorus c4.jpg
Ehorus c5.jpg

And of course, the remote desktop (Windows, Linux and Mac):

Ehorus d1.jpg

Tip: For more information about eHorus, you can visit their website (https://ehorus.com). eHorus is free for up to 10 computers. eHorus is developed by the same team that made Pandora FMS possible.

 


Warning: If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in PEM format (https://curl.haxx.se/ca/cacert.pem) and add curl.cainfo={path}\cacert.pem to the php.ini file.
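A check for the Windows warning above, as an added example (not part of the Pandora FMS documentation or code): it reads php.ini text, finds the effective curl.cainfo value, and reports the usual ways the setting ends up unusable. The function names and the sample php.ini are constructed for illustration; the certificate test is structural only and does not validate signatures or expiry.

```python
import base64
import re
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed sample: a php.ini where the directive is still commented out.
SAMPLE_INI = """[PHP]
extension=curl
[curl]
;curl.cainfo =
"""

DIRECTIVE = re.compile(r"""curl\.cainfo\s*=\s*(?:"([^"]*)"|'([^']*)'|([^;]*))""")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def read_cainfo(php_ini_text):
    """Return the effective curl.cainfo value (last active line) or None."""
    value = None
    for line in php_ini_text.splitlines():
        line = line.strip()
        if line.startswith(";"):  # php.ini comment line
            continue
        m = DIRECTIVE.match(line)
        if m:
            value = next(g for g in m.groups() if g is not None).strip()
    return value or None


def count_pem_certs(pem_text):
    """Count CERTIFICATE blocks that decode to a DER SEQUENCE (structure only)."""
    count = 0
    for body in PEM_BLOCK.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # bad base64 or non-ASCII inside the block
            continue
        if der[:1] == b"\x30":  # every X.509 certificate starts with SEQUENCE
            count += 1
    return count


def audit_cainfo(php_ini_text):
    """Return findings for the curl.cainfo setting; empty list means usable."""
    cainfo = read_cainfo(php_ini_text)
    if cainfo is None:
        return ["curl.cainfo is not set"]
    if "{path}" in cainfo:
        return ["curl.cainfo still contains the literal {path} placeholder"]
    findings = []
    # PHP's manual requires an absolute path for this directive.
    if not (PureWindowsPath(cainfo).is_absolute()
            or PurePosixPath(cainfo).is_absolute()):
        findings.append("curl.cainfo is not an absolute path")
    bundle = Path(cainfo)
    if not bundle.is_file():
        findings.append("CA bundle file not found: " + cainfo)
    elif count_pem_certs(bundle.read_text(encoding="ascii", errors="replace")) == 0:
        findings.append("no PEM certificates found in " + cainfo)
    return findings


if __name__ == "__main__":
    for finding in audit_cainfo(SAMPLE_INI) or ["curl.cainfo looks usable"]:
        print(finding)
```

Run it on the console host against the php.ini that the web server actually loads; an empty findings list means the directive points at a readable bundle.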

 


For more information about Pandora FMS remote management, see https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:SSH_and_FTP_setup

