Architecture
Pandora FMS Architecture
The vital component, where almost all the information is stored, is the MySQL database. All Pandora FMS components can be replicated and function in a pure HA environment (Active/Passive) or in a group or cluster environment (Active/Active with load balancing).
The PFMS Servers, with the information generated by themselves or by the Agents, enter the data and information in the database. The Web Console is the part in charge of displaying the data and interacting with the end user. The Software Agents are applications that run on the monitored systems and collect the information to send it to the Pandora FMS servers.
Pandora FMS Servers
The Servers are integrated into a single application, generically called Pandora Server, which is a multithreaded application that concurrently runs different instances or specialized servers of Pandora FMS. These are the elements in charge of carrying out the existing checks, since they verify and change their status based on the results obtained. They are also in charge of triggering the alerts that are established to control the state of the data.
Concurrent servers can exist; one of them is the main server and the rest of the servers are secondary servers. Although there is a secondary and a main server, they all work simultaneously. The difference between the two is that when a server of the same type goes offline (for example, a Network Server) the main server is in charge of processing all the data associated with the offline server.
Pandora FMS automatically manages the status of each server, its load level and other parameters. The user can monitor the status of each server through the server status section of the Web Console.
Data server
It only processes the information sent by the Software Agents. The agents build an information package in XML format and deliver it to a specific directory; the data server processes the files in that directory and then stores the result in the database.
Different data servers can be installed on different systems or on the same host using multi-CPU virtual servers.
Despite its simplicity, the data server is one of the critical elements of the system, since it processes all the information from the agents and generates alerts and system events based on that data.
Network server
Runs remote monitoring tasks over the network: ICMP checks (e.g. ping and latency times), TCP requests and SNMP requests. It is very important that the machines running the network servers have “network visibility” (connection) to the devices to be remotely monitored.
SNMP trap server
This server uses the standard trap collection system daemon, snmptrapd: It receives SNMP traps and the Pandora FMS SNMP Console processes and stores them in the database. It is also in charge of launching the alerts associated with SNMP traps that have been defined.
WMI server
WMI is a Microsoft® standard for obtaining operating system and application information from MS Windows® environments. This is the dedicated server for remotely monitoring MS Windows® systems using the WMI protocol.
Discovery server
Formerly called the Recon server, the Discovery server is used to regularly scan the network, detect new running systems, apply a monitoring template to them and start monitoring immediately. Using the GNU system applications nmap, xprobe and traceroute, it is able to detect Operating Systems and establish a network topology.
The Discovery server is also used to launch scheduled tasks and launch specific monitoring against virtual environments, databases or all those applications or environments that require exploring what exists before monitoring.
Plugin server
Runs complex checks remotely via personalized scripts, managed centrally. This allows an advanced user to define their own complex tests and integrate them into the application so that they can be used conveniently and centrally from Pandora FMS.
Prediction server
An Artificial Intelligence component that implements a statistical data forecast based on past data up to 30 days old. It makes it possible to predict data values with an interval of 10 to 15 minutes and to know whether a current data value is anomalous with respect to its history. It basically builds a dynamic baseline with a weekly profile.
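The weekly-profile baseline described above can be sketched as follows. This is an added example, not Pandora FMS code: the function names, the 15-minute slot window, the tolerance of three spreads and the sample data are all assumptions made for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

WEEK = timedelta(days=7)
HISTORY = timedelta(days=30)    # the page: past data up to 30 days old
WINDOW = timedelta(minutes=15)  # assumption: tolerance around each weekly slot


def weekly_samples(history, when):
    """One averaged value per previous week, taken at the same time of week as `when`."""
    samples = []
    slot = when - WEEK
    while when - slot <= HISTORY:
        near = [v for ts, v in history if abs(ts - slot) <= WINDOW]
        if near:                 # a week with no data simply contributes nothing
            samples.append(mean(near))
        slot -= WEEK
    return samples


def predict(history, when):
    """Return (expected, spread) for `when`, or None with fewer than two usable weeks."""
    samples = weekly_samples(history, when)
    if len(samples) < 2:
        return None
    return mean(samples), pstdev(samples)


def is_anomalous(history, when, value, tolerance=3.0, min_spread=1.0):
    """True when `value` is more than `tolerance` spreads away from the weekly baseline."""
    baseline = predict(history, when)
    if baseline is None:
        return False             # not enough history to judge
    expected, spread = baseline
    return abs(value - expected) > tolerance * max(spread, min_spread)


def constructed_history(now):
    """Constructed sample data: 30 days of 5-minute readings, busy on weekdays 09:00-17:00."""
    out, ts = [], now - HISTORY
    while ts < now:
        busy = ts.weekday() < 5 and 9 <= ts.hour < 17
        out.append((ts, (80.0 if busy else 20.0) + ts.day % 3))
        ts += timedelta(minutes=5)
    return out


if __name__ == "__main__":
    monday = datetime(2024, 3, 4, 10, 0)   # a Monday, 10:00
    sunday = datetime(2024, 3, 3, 10, 0)   # the day before, 10:00
    for when in (monday, sunday):
        print(when, predict(constructed_history(when), when),
              is_anomalous(constructed_history(when), when, 82.0))
```

The same reading of 82 is normal on a Monday morning and anomalous on a Sunday morning, which a single fixed threshold cannot express.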
Web server
Performs complete web checks, such as the user identification process, passing parameters by form, content checking, menu navigation, etc. It is used for true/false availability checks and to obtain full browsing experience latency times.
Export server
It allows exporting the data of a monitored device from one Pandora FMS installation to another, and thus have the data replicated. Especially useful in large deployments with several Pandora FMS installations and the need to centralize.
Inventory server
Obtains and displays inventory information of the systems: installed software, model of hardware elements, storage devices, running services, etc. You can obtain this information both remotely and locally.
Event server
This special server is used to correlate events and generate alerts and does not execute monitoring tasks. This server, unlike the rest, does not have thread configuration or high availability.
ICMP server
It uses advanced strategies to execute ICMP checks (ping). It works with previously validated OIDs (Object IDentifiers), so it has high performance.
Satellite server
It is installed separately from the main Pandora FMS server and allows the forwarding of data files from the Software Agents to the main server, acting as agent proxy in distributed topologies. It sends the monitoring data as XML files through a Tentacle connection, so it does not require a connection to the database.
WUX server
Combined with Selenium Grid, it allows complex web transactions to be carried out in a distributed manner. These transactions are executed in a real browser, and their output is captured and processed for step-by-step viewing, including error traps and detailed statistics.
Syslog server
It analyzes the syslog of the machine where it is located, parsing its content and storing the references in the corresponding OpenSearch server.
Log server
It allows you to correlate logs and run your alerts.
Alert server
If it is activated, it will be in charge of executing all the monitoring alerts. By default each server is in charge of its own alerts, and in some specific cases there may be delays in monitoring if an alert must execute a task and that task takes longer than it should.
Pandora FMS web console
It is the Pandora FMS user interface. This Administration and Operation Console allows different users, with different privileges, to control the status of Agents, view statistical information, generate graphs and data tables, as well as manage incidents with its integrated system. It is also capable of generating reports and centrally defining new Modules, Agents, alerts and creating other users and profiles.
It can run on multiple servers to spread load as well as to ease access due to logistical issues (large networks, many different user groups, geographic differences, administrative differences, etc.).
Pandora FMS Database
Pandora FMS uses a MySQL database in which it stores all the information received in real time, normalizing all the data from the various sources of origin. Currently Pandora FMS only supports MySQL, MariaDB and Percona.
Pandora FMS Software Agents
It is important to differentiate between two concepts: Agent, or Console Agent, as a container, and Software Agent, which runs on a computer.
Agent (Container)
The Pandora FMS Agent is an organizational element created in the Pandora FMS Web Console, associated to a group of Modules (or individual monitoring elements). This agent can (optionally) have one or more IP addresses associated with it.
An Agent can contain remote type or local type Modules. Remote type modules are executed by those servers that obtain information remotely (e.g. Network server); the local type modules are executed by the Software Agents and collected and processed by the Data Server.
Software Agent
Software Agents are installed locally on the computers to be monitored, extracting the information from the computer itself. They are mainly used in servers to monitor machine resources (CPU, RAM, disks…) and installed applications (MySQL, Apache, JBoss…). Generally, the monitoring of servers and equipment will be carried out with Software Agents while the monitoring of network equipment will be done remotely without the installation of any software.
All the information of the checks carried out is reflected in a single data file in XML format, which is sent through the Tentacle protocol to the Pandora FMS server at a predetermined interval of 300 seconds. It is also possible to transmit the packets using SSH or FTP.
Topologies, schemes and monitoring models
Accessible networks
- Accessible network for centralized remote monitoring: where, from the Pandora FMS server, you can access all the machines and/or devices to probe remotely.
- Accessible network for Agent-based monitoring: where the Software Agents installed on the monitored machines can reach the Pandora FMS server without problems.
Networks with difficult access
- Remote network not reachable by Pandora FMS remote checks: Use the broker agent mode.
- Need to monitor different networks for remote monitoring with the server: In this case you can also use the Satellite Server or several different Pandora FMS servers connected to the same database.
Special organizational features
- Reporting duality: Additionally, you can configure Agents to report to two different Pandora FMS servers, although they can only be managed by one of them.
- Fragmented management: It is necessary to delegate the administration of part of the teams to different personnel, with different accesses. This, more than an architecture problem, is a management problem. It is solved with assigned permissions on policies.
Large environments with Pandora FMS
- Large network: When they cannot be centralized in a single server, servers in broker mode are used, which distribute the load of remote checks.
- Redundant servers: For safety, should the primary hardware fail, a server in HA mode can automatically relocate and delegate the monitoring workload.