Pandora: Metaconsole: Documentation en: Installation
- 1 Installation and Configuration
- 1.1 Installation
- 1.2 Metalicence
- 1.3 Configuration
- 1.3.1 Metaconsole
- 1.3.2 Instances
- 1.3.3 Metaconsole Additional Configuration
- 1.4 Metalicence Synchronization
1 Installation and Configuration
In this section will be included all the aspects needed in order to install and configure a Metaconsole and their Instances(nodes).
The installations of the Instances and the Metaconsole requires to be hosted in servers that are communicated in both ways.
In order to do these we should verify that:
- The Metaconsole can contact with the Instances
- The Instances can contact with the Metaconsole
To understand better this requirement you can take a look to Metaconsole architecture.
The timezone setting should see the same. The more synchronized would be the Instances and Metaconsole would be, more exact will be the visualized data.
For example: If an Instance has 5 minutes of difference with the Metaconsole, the visualization of the time that have passed since their events were generated when these data are shown in the Metaconsole they will be false.
An Instance or node is a tipical Pandora FMS Enterprise instalation, with its "server" and "web console"
To know more about how to install an instance, visit the following link.
A Metaconsole is a Pandora FMS Enterprise installation with a metaconsole license.
It is necessary to have an active server in order to perform different operations related to the Metaconsole such as migration, auto-provisioning, execution of services...
1.1.3 Metaconsole License Activation
After installing the Enterprise version of Pandora FMS Console, regardless of the installation method, you will have to access the Pandora console (http://IP/pandora_console/) and the following welcome screen will appear to accept the license. To know more about how the license is activated we can visit the following []
In order to activate the Metaconsole you need a Metaconsole license. If you activate the node license, the normal console will appear.
From PandoraFMS version 7.0NG we have a unique license for an environment with Meta Console. You can create as many instances as you want, as long as you don't exceed the total number of agents inside the Meta Console.
This license is applied in the Meta Console and can be synchronized in as many instances as you want, allowing the centralized management of the different agents that will be deployed in those Instances.
With this license, if we start an installation from scratch, we must first install the Meta Console validating its metalicence. Once validated, we will register each one of the desired instances (explained in the following sections), later synchronizing the metalicence so that we can work on all of them.
Other than occasional network failures, Pandora FMS nodes must be able to reach the Pandora FMS Metaconsole at all times. If you need to support nodes that may go offline for arbitrarily large periods of time, contact Artica at [email protected].
In order for instances to communicate with the Metaconsole and vice versa, you should configure both sides correctly.
188.8.131.52 Registration and Configuration of Instances
In the Metasetup section, you can register and configure the Instances with which the Meta Console will be linked.
To register a new instance we must know a series of parameters referring to the instance we want to handle. If it is a registration of an instance that has not yet been registered with a license, the default data are:
- Server name: localhost.localdomain
- Auth token: empty
- Console URL: http://IP/pandora_console
- API password: empty
- DB host: database IP
- DB name: pandora
- DB user: pandora
- DB password: pandora
- DB port: 3306
- Control user: admin
- Console password: pandora
To ensure connectivity between node and Metaconsole, we can manually configure the connection data.
- Metaconsole DB host: database IP
- Metaconsole DB name: pandora
- Metaconsole DB user: pandora
- Metaconsole DB password: pandora
- Metaconsole DB port: 3306
These fields indicate the configuration of the connection that the node will establish against the Metaconsole.
If the installation is a Pandora where we have already included a valid license in the instance, we will have to obtain these data from the setup of the instance and its database.
In the view of the configured Instances we will see that the instances can be modified, deactivated and deleted. There are some indicators that check certain information of the configuration of each instance. These checks are done when loading this view, but they can also be done individually by clicking on them.
The indicators will be the following list:
- Database: If we have misconfigured the Instance database or do not have the necessary permissions, the indicator will be red and will give us information about the problem.
- API: This indicator will test the API of the Instance. If it fails it will give us information about the failure.
- Compatibility: This indicator makes a check of some requirements that have to be between Instance and Metaconsole. The name of the Instance server, for example, must match the name given to it in its configuration in the Meta Console.
- Event Replication: This indicator shows whether the Instance has event replication enabled and if events have already been received from the Instance, how long ago the last replication was.
- Agent cache: This indicator states that the last status of the agents and modules of the node have been correctly saved in the Metaconsole database. When a change is generated, only that change will be modified in the database.
- Synchronization: This indication refers to the possibility of being able to synchronize the different elements from the Metaconsole to the Instances.
The first three indicators must be green in order for the Instance to be properly linked and for us to begin to see its data. On the other hand, the Event Replication indicator only gives us information about this feature.
Once you have chosen to replicate the events, all their management will be done from the Metaconsole, leaving the events of the instance as merely informative.
184.108.40.206 Index Scaling
Most of the synchronization between the Metaconsole and the Instances is done by name, independently of the internal ID of the elements, with the exception of groups, tags, alerts, operating systems and groups of modules, whose IDs it is important that they are synchronized.
In order to 'ensure that the IDs of the groups, tags, alerts, operating systems and module groups that are synchronized from the Metaconsole do not exist in the instances, we will increase the AUTO_INCREMENT value of the tables tgrupo, ttag, talert_templates, talert_actions, talert_commands, tconfig_os and tmodule_group sensibly. In this way, we will give a wide margin in the event that elements are created in the instances for reasons beyond the control of the Metaconsole.
For that we will execute in the Metaconsole's database the following query:
ALTER TABLE tgrupo AUTO_INCREMENT = 3000; ALTER TABLE ttag AUTO_INCREMENT = 3000; ALTER TABLE talert_templates AUTO_INCREMENT = 3000; ALTER TABLE talert_actions AUTO_INCREMENT = 3000; ALTER TABLE talert_commands AUTO_INCREMENT = 3000; ALTER TABLE tconfig_os AUTO_INCREMENT = 3000; ALTER TABLE tmodule_group AUTO_INCREMENT = 3000;
If you suspect that the number of elements of an instance created outside the Metaconsole may exceed 3000, you can set a higher value.
220.127.116.11 Report scheduler / Pandora_DB maintance script
It is necessary to install the packages (open and enterprise) of the server in the system where the Metaconsole is installed in order to launch the database maintenance script ('pandora_db). You must make sure that it is correctly programmed for execution in cron every hour (as detailed in the following link.).
If you are going to use on-demand reports (sent by email), you need to program the execution of the cron extension as it is done in a normal Enterprise console. Usually this is done by putting the following line into the cron by adjusting the corresponding local paths:
*/5 * * * * <user> wget -q -O - http://x.x.x.x/pandora_console/enterprise/extensions/cron/cron.php >> /var/www/pandora_console/pandora_console.log
Finally, to configure the SMTP to send emails, it is necessary to edit the corresponding parameters in the mail configuration section, which by default have the following values:
In Instances, there are a series of parameters to ensure the access of your data with the Metaconsole.
18.104.22.168 Giving access to the Metaconsole
The Metaconsole could have access to one Instance in two different ways:
- Remote access to the Data Base to see and edit the data stored in the instances.
- Access to the to the API for some actions like the edition of configuration files or NetFlow monitoring
The Instance should be configured to guarantee both accesses to the Metaconsole.
As we have said before, you must know the credentials of the database to configure the instance in the Meta Console. (Host, Database, User and Password).
Besides this, another important point is giving permission to the user to remotely access the database. It is done with MySQL's GRANT command:
GRANT ALL PRIVILEGES on <MetaconsoleDatabaseName>.* to <UserName>@<HostAddress> IDENTIFIED BY <UserPass>;
GRANT ALL PRIVILEGES on PandoraMetaBase.* to [email protected] IDENTIFIED BY pandora;
The access to the API Instance will be guaranteed with the following parameters:
- User and password: It is necessary to know a valid user and password in the Instance.
- API password: It is necessary to know the access password to the API that is configured in the Instance.
- IPs List with access to the API: In the Instance configuration, there is an IPs list that could have access to the API. It is possible to use '*' as wildcart to give access to all IPs or to one subnet
In some parts of the Metaconsole there are accesses to the Web Console of the Instance like, for example, in the event viewer when clicking on the agent associated to an event (if there is one) it will take us to the view of that agent in the console of the Instance to which it belongs. Auto-authentication is used for this access. This authentication is done with a hash for which you need a string configured in the Instance: The auto-identification password. We put this password in the "Auth token" field of the instance configuration in the Metaconsole.
This configuration is not necessary to configure the instance in the Metaconsole, but without it, when clicking on one of the links that take us to the instance, we will have pass the authentication.
22.214.171.124 Event Replication
In order that Instance events may be seen in the Metaconsole, these should have access to the Metaconsole database.
The Instances will replicate from time to time their events saving the date and hour of the last one to be replicated to continue from there the next time.
Besides the event replication, they will make the Metaconsole autovalidation effective. This is, for the events that are associated to one module, when they will replicate the event to the Metaconsole, they will validate all the previous events that are assigned to the same module.
To configure the event replication, in the Instance Enterprise Configuration section be should activate the Event Replication.
This will be configured:
- Interval: Every how many seconds the server will replicate the events generated from the last replication to the Metaconsole database.
If is configured, for example 60 seconds, the first replication will happen 60 seconds after the server has been started.
- Replication Mode: If all events will be replicated or only the ones that are validated.
- Show list of events in the local console (only reading): When the event replication is activated, the event management will be done in the Metaconsole and in the instance there is not access to them.With this option you will have access to a view of events in only reading mode.
- Metaconsole Database Credentials : Host, Database, Users,Password and Port (Is the port is not indicted the port by default will be used).
The event replication is done by the server. In the configuration file should be an enabled token:
To do effective any configuration change in the event replication it will be necessary to restart the server.
If you add in a metaconsole a new node which already contains lots of events, it could take a long time to copy all the events to the metaconsole
If you want to alter the date since node is going to synchronize events with the target metaconsola (for example, to force event replication from the current date), you need to execute this SQL sentence in the node database for versions of Pandora older than 5.1SP3:
UPDATE tconfig SET `value` = UNIX_TIMESTAMP() WHERE `token` = "replication_copy_last_utimestamp"
For versions newer than 5.1SP3 execute the following query:
UPDATE tconfig SET `value` = (SELECT MAX(id_evento) FROM tevento) WHERE `token` = "replication_copy_last_id";
If you have activated the child nodes SELinux security, the event replication may not work. Please disable it.
126.96.36.199 Autoprovisioning from the node
From Pandora version 7 onwards, you can find in the enterprise configuration setup, the option to register the node in the Metaconsole introducing less data than in the node form in the Metaconsole.
You can also check if this arrives via api to the Metaconsole and check if the node is registered in the Metaconsole.
1.3.3 Metaconsole Additional Configuration
The Metaconsole, if the node events replication has been activated, store event data in its own database. For their maintenance these data can be deleted and/or move to the metaconsole history event ddb. THis is done, as in a pandora instance, through the execution of the ddbb maintenance script that is at/usr/share/pandora_server/util/pandora_db.pl. Usually, to launch it the server file is used, only that as it is a metaconsole, there is no server. To do this, get a copy o fhe file /etc/pandora/pandora_server.conf from one of the nodes, edit it, and modify the data related to the DDBB (hostname, DDBB name, user and password) and save the file, for example as:
Create an script at /etc/cron.daily/pandora_meta_db with the following content:
And modify the permissions of it through chmod:
chmod 755 /etc/cron.daily/pandora_meta_db
In order to could execute it, it is necessary that you have installed the necessary packages to execute (even if it doesn't) the Pandora FMS server and its Enterprise part.
Execute it manually to check that it works and it doesn't report errors:
1.4 Metalicence Synchronization
Next, let's see an example of how to synchronize the Metalicence between a Metaconsole and an Instance.
First, we have an instance with its own key generated and correctly validated.
Once we have the node generated and properly validated, then configure it in the Metaconsole to later synchronize the license:
When we have these steps, we will go to the Metaconsole license and give "Validate and sync" to synchronize the Metalicence with the Instance.
The result will be that we will have the Metalicence in the Instance as can be seen below: