Pandora: Documentation en: syncserver Monitoring


1 Monitoring isolated network environments: Sync server

1.1 Introduction

Monitoring isolated environments with a Sync server and a Tentacle server makes it possible to deploy monitoring in remote networks that cannot open connections to the main Pandora FMS server. Instead, the Pandora FMS server itself initiates communications towards the isolated environment and retrieves all the monitoring information.

This feature is most useful when monitoring remote networks in locations other than that of the Pandora FMS server, where communications must never start from the remote network towards Pandora FMS: the server itself "collects" the information by initiating the connection.

1.2 Operational overview

We start from a central Pandora FMS server, set up as a standard installation. In the remote network, a data collection point (Tentacle server) is installed. It acts as a buffer, storing all data until the main server (sync server) initiates communications and downloads the information.

Packets buffered in the remote environment are deleted once the main server has downloaded them.

This functionality will generally be applied in environments with the following structure:

[Figure: Sync scheme]

The main difference between the sync server and the satellite server is that it is the main server that initiates communications and receives the packets from the remote network. In an environment with a satellite server and/or proxy it is the satellite/proxy that sends the data to the Pandora FMS server.

1.3 Configuration

We will start from an environment in which we have a main Pandora FMS server, where we will build the sync server. To do this, we only need to modify the following parameters in the configuration file:

syncserver 1
sync_address <Tentacle server IP>
sync_port <Tentacle server port, 41121 by default>

Install the updated Tentacle server on the isolated network and modify the startup script (/etc/init.d/tentacle_serverd by default) by adding the parameters -I and -o to the TENTACLE_EXT_OPTS line:

TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -I -o"

It is not necessary to indicate any IP on the Tentacle server, because the sync server initiates communications and retrieves the files from the Tentacle servers indicated in the sync_address parameter.

Multiple remote Tentacle servers can be configured and the sync server will communicate with all of them provided the IP addresses are indicated on the sync_address parameter, separated by commas:


Configuration example:

In pandora_server.conf:

syncserver 1
sync_port 41121

In the Tentacle server startup script /etc/init.d/tentacle_serverd:

TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -I -o"

1.3.1 Sync server configuration with SSL

Sync server communications support the use of SSL certificates. To achieve a normal SSL connection, several parameters must be added to the pandora_server.conf file, and the same options should be used in the remote Tentacle server script.

In pandora_server.conf:

  • sync_ca: <certificate path of the authenticating CA>
  • sync_cert: <server certificate path>
  • sync_key: <server certificate private key path>

Configuration example: pandora_server.conf:

sync_ca /home/cacert.pem
sync_cert /home/tentaclecert.pem
sync_key /home/tentaclekey.pem

In tentacle_serverd:

  • -e: <certificate path>
  • -k: <public key path>
  • -f: <CA certificate path>


ALWAYS indicate the absolute paths where the certificates are located in the parameters, e.g. /home/tentaclecert.pem


The complete configuration line should look something like this:

TENTACLE_EXT_OPTS="-i.*\.conf:conf;.*\.md5:md5;.*\.zip:collections -e /home/tentaclecert.pem -k /home/tentaclekey.pem -f /home/cacert.pem"

Other configuration parameters:

sync_retries: Number of sync attempts. By default 3.
sync_timeout: Sync timeout. By default 10.

There is a quick guide on how to set up a Tentacle server with security options.
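
A pre-flight check for the settings described on this page, as an added example (not part of the Pandora FMS documentation or code): it parses text in the "key value" format shown in the pandora_server.conf examples above and reports a missing syncserver or sync_address, an invalid sync_port, and certificate paths that are not absolute or do not exist. The function names, the constructed sample with documentation-range IPs, and the private key permission check are assumptions of this example.

```python
import os
import stat

def parse_conf(text):
    """Parse 'key value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf

def check_sync_conf(text):
    """Return a list of problems found in the sync server settings."""
    conf, problems = parse_conf(text), []
    if conf.get("syncserver") != "1":
        problems.append("syncserver is not set to 1")
    # The page gives sync_address as comma-separated Tentacle server IPs.
    if not all(a.strip() for a in conf.get("sync_address", "").split(",")):
        problems.append("sync_address is missing or has an empty entry")
    port = conf.get("sync_port", "41121")  # 41121 is the documented default
    if not (port.isdecimal() and 0 < int(port) < 65536):
        problems.append(f"sync_port {port!r} is not a valid TCP port")
    for key in ("sync_ca", "sync_cert", "sync_key"):
        path = conf.get(key)
        if path is None:
            continue
        if not os.path.isabs(path):
            problems.append(f"{key} must be an absolute path: {path!r}")
        elif not os.path.isfile(path):
            problems.append(f"{key} file not found: {path}")
        elif key == "sync_key" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # Added hardening check (an assumption, not stated on the page).
            problems.append(f"sync_key is accessible to group/others: {path}")
    return problems

# Constructed sample: sync_cert is given as a relative path.
SAMPLE = """\
syncserver 1
sync_address 192.0.2.10,192.0.2.11
sync_port 41121
sync_ca /home/cacert.pem
sync_cert tentaclecert.pem
sync_key /home/tentaclekey.pem
"""

if __name__ == "__main__":
    for problem in check_sync_conf(SAMPLE):
        print("WARN:", problem)
```

Run it on the main server against the real pandora_server.conf contents before restarting the service; an empty result means none of the checked conditions were found.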