Difference between revisions of "Pandora: Documentation en: RemoteManagement"

From Pandora FMS Wiki
(Connecting to remote systems using SSH and/or Telnet with Pandora FMS)
(Remote system management with Pandora FMS)
 
(6 intermediate revisions by 2 users not shown)
Line 5: Line 5:
 
== Introduction ==
 
== Introduction ==
  
Pandora FMS is a monitoring tool, and given its philosophy, it doesn't use the agents to connect us to the equipment, so it uses other methods to allow operators to remotely control the monitored systems. Some systems, such as routers and switches can be managed by Telnet or SSH and in order to access them you only need to launch the command. To do this, we will use an'' optional'' extension based on the Anytermd tool that has not been installed as standard since version 7.0. It is present in the Pandora FMS module library [https://library.pandorafms.com/index.php?sec=Library&sec2=repository&lng=es&action=view_PUI&id_PUI=818]
+
Pandora FMS is a monitoring tool, and based on its work ethic, it does not use agents to connect to the equipment, so it uses other methods to allow operators to remotely control the monitored systems. Some systems, such as routers and switches can be managed by Telnet or SSH and in order to access them, you only need to launch the command. To do this, use an'' optional'' extension based on the Anytermd tool that has not been installed as standard since version 7.0. It is present in the Pandora FMS module library [https://library.pandorafms.com/index.php?sec=Library&sec2=repository&lng=es&action=view_PUI&id_PUI=818]
  
The standard tool in Pandora FMS to have access to remote systems (be it windows, mac or Windows) is eHorus [https://ehorus.com], a remote control tool that since it's WEB, it is totally integrated in the Pandora FMS interface.
+
The standard tool in Pandora FMS to have access to remote systems (whether it may be windows, mac or Windows) is eHorus [https://ehorus.com], a remote control tool that since it is WEB, it is totally integrated in Pandora FMS interface.
  
 
== Using eHorus with Pandora FMS ==
 
== Using eHorus with Pandora FMS ==
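Review bot: The revised second paragraph still reads "windows, mac or Windows", so one platform is named twice and Linux, which the later changed lines list, is missing; it should read "Windows, Mac or Linux". In the first paragraph, "based on its work ethic" is less clear than the "given its philosophy" it replaces; "by design" would say what is meant.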
Line 17: Line 17:
 
</center>
 
</center>
  
To enable it, it is necessary to activate the integration in its configuration section.
+
To enable it, activate the integration in its configuration section.
  
 
<center>
 
<center>
Line 23: Line 23:
 
</center>
 
</center>
  
After that, it will be necessary to enter a valid login from a service user. This user will be used to authorize the remote connection to the provided agents.
+
After that, enter a valid login from a service user. This user will be used to authorize the remote connection to the provided agents.
  
 
It is possible, although probably not necessary, to use another eHorus provider editing the fields
 
It is possible, although probably not necessary, to use another eHorus provider editing the fields
Line 34: Line 34:
 
<br><br>
 
<br><br>
  
{{tip|Remember to check if the connection works properly before saving the changes}}
+
{{tip|Remember to check if the connection works properly before saving the changes.}}
  
Once the connection is configured, you'll be able to check that a new custom field appears in the agent view, called '''eHorusID'''. This field should contain the eHorus agent ID to be managed. YOu can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).
+
Once the connection is configured, you will be able to check that a new custom field appears in the agent view, called '''eHorusID'''. This field should contain the eHorus agent ID to be managed. You can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).
  
 
<br><br>
 
<br><br>
Line 44: Line 44:
 
<br><br>
 
<br><br>
  
If you are using Pandora FMS agents 7.0 or higher, they already automatically support a parameter to automatically obtain the eHorus ID, through the following configuration token:
+
If you are using Pandora FMS 7.0 or higher agents, they already automatically support a parameter to automatically obtain the eHorus ID, through the following configuration token:
  
 
  ehorus_conf <path>  
 
  ehorus_conf <path>  
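Review bot: The reworded sentence keeps "automatically" twice ("already automatically support a parameter to automatically obtain the eHorus ID"); drop the first one so it reads "they already support a parameter to obtain the eHorus ID automatically".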
Line 52: Line 52:
 
{{tip|The eHorus agent to be managed must be visible by the configured user in the configuration section of the integration.}}
 
{{tip|The eHorus agent to be managed must be visible by the configured user in the configuration section of the integration.}}
  
When the Pandora FMS agent has defined the ID of the eHorus agent in its customized field, the administrator users or those that have management permissions of the agent, will see a new tab in the agent menu from which they will be able to use the eHorus client from inside Pandora FMS.
+
When the Pandora FMS agent has defined the ID of the eHorus agent in its customized field, the administrator users or those that have agent management permissions, will see a new tab in the agent menu from which they will be able to use the eHorus client from inside Pandora FMS.
  
The ehorus id (EKID) is entered in this custom field of the agent:
+
The eHorus id (EKID) is entered in this agent custom field:
  
 
<center>
 
<center>
Line 60: Line 60:
 
</center>
 
</center>
  
Once configured, just click on any of the sections that the remote control extension with ehorus of that agent presents: remote control via Shell, remote desktop, process view, services or copy files:
+
Once configured, just click on any of the sections that the remote control extension with eHorus presents of that agent: remote control via Shell, remote desktop, process view, services or copy files.
  
 
<center>
 
<center>
Line 70: Line 70:
 
</center>
 
</center>
  
We always recommend using a local password in the eHorus agent. If configured, we will be prompted interactively:
+
It is always recommended using a local password in the eHorus agent. If configured, we will be prompted interactively:
  
 
<center>
 
<center>
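Review bot: "It is always recommended using a local password" is ungrammatical, and the following sentence still says "we will be prompted" while the other changed paragraphs moved to "you". Suggest "Using a local password in the eHorus agent is always recommended. If one is configured, you will be prompted interactively:".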
Line 76: Line 76:
 
</center>
 
</center>
  
Once authenticated, we can access the interactive command line session (linux, mac and windows) with root permissions:
+
Once authenticated, you may access the interactive command line session (linux, mac and windows) with root permissions:
  
 
<center>
 
<center>
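Review bot: "with root permissions" in the changed line is applied to Linux, Mac and Windows alike; because this sentence tells the operator what privilege the remote shell runs with, it should name the Windows equivalent explicitly instead of "root". The platform names are also left in lower case here, while the next changed paragraph capitalises them ("Windows, Linux and Mac").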
Line 92: Line 92:
 
</center>
 
</center>
  
And of course, the remote desktop (windows, linux and mac):
+
And of course, the remote desktop (Windows, Linux and Mac):
  
 
<center>
 
<center>
Line 102: Line 102:
 
{{Warning|If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in [https://curl.haxx.se/ca/cacert.pem PEM] format and add <code>curl.cainfo&#61;{path}\cacert.pem</code> to the <i>php.ini</i> file.}}
 
{{Warning|If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in [https://curl.haxx.se/ca/cacert.pem PEM] format and add <code>curl.cainfo&#61;{path}\cacert.pem</code> to the <i>php.ini</i> file.}}
  
== Connecting to remote systems using SSH and/or Telnet with Pandora FMS ==
+
For more information about Pandora FMS remote management check the [https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:SSH_and_FTP_setup following link].
 
 
There is an extension that allows users to connect directly with remote devices via SSH or SSH. This can be done with the "Remote gateway"extension. This component needs a special configuration, which is not installed "by default" in most Pandora FMS installations, more information and downloads in the library of Pandora FMS modules. [https://pandorafms.com/library/anytermd/]
 
 
 
This extension does not work well with modern versions of Centos/RHEL due to security restrictions in the internal call forkptt (). We recommend using eHorus to replace this functionality.
 
 
 
<br><br>
 
<center>
 
[[image:ssh_snapshot1.png|center|670px]]
 
</center>
 
<br><br>
 
 
 
<br><br>
 
<center>
 
[[image:ssh_snapshot2.png|center|670px]]
 
</center>
 
<br><br>
 
 
 
Pandora FMS uses a tool called "anytermd", to create a kind of proxy between the user's browser and the remote destination. This tool launches a daemon, listening on a port, that executes a command, diverting all the contents of the connection to the user's browser. This means that all connections are made from the Pandora FMS server, and that the Pandora server has to have installed the ssh and telnet clients of the system. This would be an architecture of the system:
 
 
 
<br><br><center>
 
[[image:anytermd.png|center|500px]]
 
</center>
 
<br><br>
 
 
 
=== Installation and configuration ===
 
 
 
The source code is located in '''extras/anytermd''' in the SVN repository of the project. Additionally it can be found as RPM and tarball packages in the official downloads of the project.
 
 
 
Make sure you have installed the packages: gcc-c++, make, boost-devel and zlib-devel.
 
 
 
Execute:
 
 
 
make
 
 
 
Then manually install the binary in /usr/bin
 
 
 
cp anytermd /usr/bin
 
 
 
To run the server daemon, you will have to do it "by hand", since it does not start with the server or Pandora console. The SSH/Telnet remote connection extension will use a different port for each type of connection, SSH 8022 and Telnet 8023.
 
 
 
It has a boot script for anytermd in ''contrib/anytermd''. Copy it to ''/etc/init. d/anytermd'' and run it this way to boot it:
 
 
 
/etc/init.d/anytermd start
 
 
 
By default it uses the user "pandora" for its execution, if you want to change it, modify the script.
 
 
 
{{tip|Make sure that ports 8022 and 8023 are free and open from the user browser to the server where the Pandora's console and anytermd runs.}}
 
 
 
==== Securization of Anytermd installation ====
 
 
 
For security reasons, we recommend restricting access to ports 8022 and 8023 so that only authorized systems can access them. To do this, we recommend using firewall rules (iptables on Linux):
 
 
 
On the host where Anytermd runs:
 
 
 
iptables -I INPUT -p tcp --dport 8023 -s <source_ip> -j ACCEPT
 
iptables -I INPUT -p tcp --dport 8022 -s <source_ip> -j ACCEPT
 
 
 
Where <source_ip> is the IP of the user/browser that will have access to this functionality.
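Review bot: Removing the whole "Connecting to remote systems using SSH and/or Telnet" section leaves the Introduction still pointing readers at the optional Anytermd extension, with no setup or hardening text on this page. The deleted lines are the only place that said to restrict ports 8022 and 8023 to authorized source IPs and that the extension does not work well on modern CentOS/RHEL. Either confirm that the linked SSH_and_FTP_setup page carries that guidance, or keep a short pointer here and remove the Anytermd sentence from the Introduction. The replacement link text "following link" should also name its target.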
 
  
  

Latest revision as of 12:19, 14 October 2019


1 Remote system management with Pandora FMS

1.1 Introduction

Pandora FMS is a monitoring tool and, by design, it does not use its agents to connect to the equipment, so it relies on other methods to let operators remotely control the monitored systems. Some systems, such as routers and switches, can be managed by Telnet or SSH, and to access them you only need to launch the command. To do this, use an optional extension based on the Anytermd tool, which has not been installed as standard since version 7.0. It is available in the Pandora FMS module library (https://library.pandorafms.com/index.php?sec=Library&sec2=repository&lng=es&action=view_PUI&id_PUI=818).

The standard tool in Pandora FMS for accessing remote systems (whether Windows, Mac or Linux) is eHorus (https://ehorus.com), a remote control tool that, being web-based, is fully integrated into the Pandora FMS interface.

1.2 Using eHorus with Pandora FMS

eHorus is a remote management system that relies on the cloud (SaaS) to connect to the computers, regardless of changes in IP, firewalls or other problems discussed previously.

Remote-computer-access-schema.png

To enable it, activate the integration in its configuration section.

Ehorus setup.png

After that, enter a valid login from a service user. This user will be used to authorize the remote connection to the provided agents.

It is possible, although probably not necessary, to use another eHorus provider by editing the fields API Hostname (switch.ehorus.com by default) and API Port (18080 by default).



Ehorus setup full.png



Tip: Remember to check if the connection works properly before saving the changes.

 


Once the connection is configured, you will be able to check that a new custom field appears in the agent view, called eHorusID. This field should contain the eHorus agent ID to be managed. You can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).



Ehorus agent id.png



If you are using Pandora FMS agents version 7.0 or higher, they already support a parameter that obtains the eHorus ID automatically, through the following configuration token:

ehorus_conf <path> 

The configuration token takes the absolute path to a valid configuration file of an eHorus agent. The agent will create a custom field called eHorusID that contains the identification key of the eHorus agent.
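A pre-flight check for the token above, as an added example (not part of the Pandora FMS documentation or code): it reads a Unix agent configuration file, extracts ehorus_conf, and confirms the value is an absolute path to a readable file. It assumes the agent configuration uses "token value" lines with # comments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: validate the ehorus_conf token of a Pandora FMS agent config.
# Assumptions: "token value" line format, "#" starts a comment, Unix-style paths.

# Print the value of the last uncommented ehorus_conf token found in file $1.
get_ehorus_conf() {
    awk '$1 == "ehorus_conf" {
             $1 = ""                      # drop the token name
             sub(/^[ \t]+/, "")           # trim leading blanks
             sub(/[ \t\r]+$/, "")         # trim trailing blanks and CR
             v = $0
         }
         END { if (v != "") print v }' "$1"
}

# Return 0 and print "ok: <path>" if the token is usable;
# otherwise print the reason and return 1.
check_ehorus_conf() {
    agent_conf=$1
    [ -r "$agent_conf" ] || { echo "cannot read $agent_conf"; return 1; }

    path=$(get_ehorus_conf "$agent_conf")
    [ -n "$path" ] || { echo "ehorus_conf token not set"; return 1; }

    # The token must hold an absolute path, as the documentation requires.
    case $path in
        /*) ;;
        *) echo "ehorus_conf is not an absolute path: $path"; return 1 ;;
    esac

    [ -f "$path" ] || { echo "eHorus config not found: $path"; return 1; }
    [ -r "$path" ] || { echo "eHorus config not readable: $path"; return 1; }
    echo "ok: $path"
}

# Stand-alone use: pass the agent configuration file as the first argument.
if [ "$#" -gt 0 ]; then
    check_ehorus_conf "$1"
fi
```

Run it as the same user the Pandora FMS agent runs as, so the readability check reflects what the agent itself can open.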

Tip: The eHorus agent to be managed must be visible to the user configured in the configuration section of the integration.

 


Once the Pandora FMS agent has the ID of the eHorus agent defined in its custom field, administrator users and users with management permissions on the agent will see a new tab in the agent menu, from which they can use the eHorus client from inside Pandora FMS.

The eHorus ID (EKID) is entered in this agent custom field:

Ehorus pandora custom.jpg

Once configured, just click on any of the sections that the eHorus remote control extension presents for that agent: remote control via Shell, remote desktop, process view, services or copy files.

Ehorus submenu.jpg
Ehorus c1.jpg

Using a local password in the eHorus agent is always recommended. If one is configured, you will be prompted for it interactively:

Ehorus c2.jpg

Once authenticated, you can access the interactive command line session (Linux, Mac and Windows) with root permissions:

Ehorus c3.jpg

And the same goes for managing remote processes and copying files (both upload and download):

Ehorus c4.jpg
Ehorus c5.jpg

And of course, the remote desktop (Windows, Linux and Mac):

Ehorus d1.jpg

Tip: For more information about eHorus, you can visit their website [3]. eHorus is free for up to 10 computers. eHorus is developed by the same team that made Pandora FMS possible.

 


Warning: If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in PEM format (https://curl.haxx.se/ca/cacert.pem) and add curl.cainfo={path}\cacert.pem to the php.ini file.

 


For more information about Pandora FMS remote management, see https://pandorafms.com/docs/index.php?title=Pandora:Documentation_en:SSH_and_FTP_setup.

