====== External API ======
{{indexmenu_n>2}}
===== Pandora FMS External API =====
The Pandora FMS External API is used doing remote calls (through HTTP or HTTPS) on the ''/include/api.php'' file. This is the method that has been defined in Pandora FMS to integrate applications from third parties to **Pandora FMS**. It basically consists on a call with the parameters formatted to receive a value or a list of values that after its application will be used to do operations.
A call to the API is as simple as this:
http:///include/api.php
The API can only receive the following parameters:
* ''op'' (required): It is the first parameter that specifies the nature of the operation, which could be ''get'' or ''set'' or ''help'':
* ''get'': It returns a value or values.
* ''set'': It sends a value or values.
* ''help'': It returns a little help from the calls
* ''op2'' (required): The call with an explanatory name of the one that it works on.
* ''id'' (//depends on the command//): The first call parameter.
* ''id2'' (//depends on the command//): The second call parameter.
* ''other'' (//depends on the command//): The third call parameter, sometimes it could be a list of serial values.
* ''other_mode'' (//depends on the command//): Serial format, list of posible values:
* ''url_encode'': the othervalue is an alphanumeric formatted as [[http://en.wikipedia.org/wiki/Percent-encoding|UrlEncode]].
* ''url_encode_separator_'':The value will be a serial value list with the divider character, for example:
...other=pears|melons|watermelon&other_mode=url_encode_separator_|
You can use any separator, in this documentation the ''|'' character (''%7C'' //percent-encoded//) is used preferentially. See also how works the [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#api_checker|API checker]].
* ''returnType'' (//depends on the command//): return format of the value or values. Any of current available values:
* ''string'': It returns the value as it is as an alphanumeric one.
* ''csv'': It returns the values as a CSV separated with the '';'' character (fields) and with CR (files) by default.
* ''csv_head'': It returns the same as with ''csv'', except that it adds a first file with the field names to return.
* **Security credentials**: see "[[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#security|Security]]" section.
==== Security ====
The API authenticates access via API source and/or password and/or user credentials.
=== By origin ===
At the moment, security is based on an IP addresses list that will have [[:es:documentation:pandorafms:management_and_operation:12_console_setup#general_setup|access to the tool]].
{{ :wiki:screnshot_of_api_acl_list_setup.png }}
If you enter the character ''*'' in the box text, the ACL check will be omitted relegating the security to the protocol and to the environment.
=== By API password ===
You can also set a password for API actions (**API password**).
* ''apipass'': By default, and used in this documentation, ''1234''.
=== By user credentials ===
Access is by user name and password; additionally from version 768 or later it is possible to authenticate by bearer token.
== By user name and password ==
To access API actions, it is necessary to give a Pandora FMS valid user name and password.
* ''user'': Valid Pandora FMS user; ''admin'' is used in this documentation.
* ''pass'': The user password; ''pandora'' is used in this documentation.
In API calls, passwords are uncoded. Be careful and use SSL connections to avoid sniffers from third party. The API allows POST petitions to encrypt them when using SSL/HTTPS.
=== Return ===
When the API denies the access, the simple string ''auth error'' is returned.
=== Examples ===
In this documentation the API password ''1234'' is used, the user name is ''admin'' ([[:es:documentation:pandorafms:introduction:03_glossary#superadmin|superadmin type]]) and the user password is ''pandora''.
Pandora FMS has installed, by default, a user called ''internal_API'' which has neither a password nor a superadmin. For this user, as well as for the others that are created, **the appropriate profiles should be established for each one of the commands and operations described here**.
[[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#pandora_fms_external_api|See call syntax]]:
.../include/api.php?op=get&op2=plugins&return_type=csv&other=;&apipass=1234&user=admin&pass=pandora
Access conditions:
* The source IP address is in the ACL IP addresses list (or is used ''*'').
* The API password is //not set// or is ''1234''.
* The user ''admin'' exists and is a superadmin user, and its password is ''pandora''.
==== API checker ====
Access from the Administration menu: **Admin tools** → **API checker**.
{{ :wiki:pfms-admin_tools-api_checker.png }}
{{ :wiki:pfms-admin_tools-api_checker-credentials.png }}
**Version 768 or later**: You can authenticate with **API Token** by sending in the [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers|HTTP headers]] a [[https://www.rfc-editor.org/rfc/rfc6750#page-3|bearer token]] generated by each user and for their own private and particular use. See "[[:en:documentation:pandorafms:management_and_operation:11_managing_and_administration#user_edition_by_the_user_itself|Edit my user]]" for more details.
\\
{{ :wiki:pfms-admin_tools-api_checker-call_parameters.png }}
{{ :wiki:pfms-admin_tools-api_checker-custom_url.png }}
==== Security Workflow ====
It is implemented thanks to three elements:
* [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#by_origin|Filtering by IP address]]: Only the listed IP addresses will be able to access the API.
* [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#by_api_password|Global password for the API]]: If defined, it is mandatory to use it in all calls.
* [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#by_user_credentials|User and password]]: User of type [[:en:documentation:pandorafms:introduction:03_glossary#superadmin|superadmin]] and valid in the Web Console. Your permissions will be used for each requested operation. **From version NG 768 onwards** it is also possible to access by [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#authentication_by_bearer_token|bearer token]].
It is explained in this workflow:
{{ :wiki:api_access.png }}
===== API Calls =====
They are divided into two groups, depending on whether they [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#get|return]] or [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#set|write data]] in Pandora FMS.
There is an exception: The [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#info_retrieving|info retrieving]] call.
==== Authentication by bearer token ====
**Version 768 or later**: You can authenticate with **API Token** by sending in the [[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers|HTTP headers]] a [[https://www.rfc-editor.org/rfc/rfc6750#page-3|bearer token]] generated by each user and for their own private and particular use. See "[[:en:documentation:pandorafms:management_and_operation:11_managing_and_administration#user_edition_by_the_user_itself|Edit my user]]" for more details.
Authentication based on bearer token allows each of the users registered in Pandora FMS to generate their own identifier in one-to-one correspondence. This bearer token must be inserted in the HTTP headers, that is, it is not part of the complete URL of the API. The sending mechanism corresponds to the application that makes the connection with the PFMS API.
**Version 768 or later**: If a warning icon appears {{:wiki:icon_warning.png?nolink&21x21}}next to the API Token, [[:en:documentation:pandorafms:installation:04_configuration#phpconf_configuration_file|configure]] the ''php.conf'' file.
{{ :wiki:edit_my_user_2_warning_php_conf_file.png }}
The following examples use the command line program cURL, **version 7.68** .
* Check the **curl** version with ''curl -V''.
{{ :wiki:curl_-v.png }}
* If you need more help using curl, invoke ''curl -h''.
* The ''-k'' and ''-H'' parameters are used to accept connections with self-signed certificates for HTTPS and send header information, respectively.
* Consult the bearer token corresponding to the user who will perform the API query.
* Now you can perform an API query, the following example uses ''[[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#get_test|get test]]'' (replace with your previously queried bearer token):
BEARER="Authorization: Bearer 811a0c1889f3aa62ef481ccd173ea5ec"
URL="http://192.168.7.117/pandora_console/include/api.php"
API_QUERY="?op=get&op2=test"
curl -k -H "$BEARER" $URL$API_QUERY && echo ""
{{ :wiki:curl_-k_-h.png }}
* If you need to debug the connection use the ''-v'' parameter (not to be confused with ''-V'' used to display the version).
==== Info retrieving ====
It returns the version of Pandora FMS Console in a similar way as the ''get test'' call but without checking the API connection.
This call is useful to verify that this path allows a Pandora FMS installation and to retrieve the version before authentication.
The returned info can be retrieved from the login screen, so it is not considered a security vulnerability.
http://127.0.0.1/pandora_console/include/api.php?info=version
A return sample could be: ''Pandora FMS v7.0NG.768 - PC230120 MR60''
{{ :wiki:pfms-api-version.png }}
==== GET ====
It returns the required data.
=== get test ===
It checks the connection to the API and returns the version of Pandora FMS Console.
This feature is in Metaconsole.
Call syntax: Without parameters
**Examples**
This example will return OK,[version],[build]
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=test&apipass=1234&user=admin&pass=pandora
A return sample could be: //OK,v7.0NG.751,PC201215//
=== get license ===
To consult the Pandora FMS use licence status, depending on the access level of the user's credentials.
[[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#pandora_fms_external_api|Call syntax]]:
* ''op=get'' (required).
* ''op2=license'' (required).
* ''return_type=json'' (required).
**Example (see ** [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#pandora_fms_external_api|call syntax]]**):**
…/include/api.php?op=get&op2=license&return_type=json&apipass=1234&user=admin&pass=pandora
For //Community// version, it returns:
{
"type":"array",
"data":{
"license_mode":"PANDORA-FREE",
}
}
=== get all_agents ===
It returns a list of agent filters according to the filter in some other parameter.
Call syntax:
* op=get (required)
* op2=all_agents (required)
* return_type= csv or json (required)
* other= (optional). Serialized parameters to filter the agent search:
*
*
*
*
*
*
* Recursion (1 or 0)
**Examples**
This example will return all agents whose id_os is equal to 1, id_group equals 2, state equal to warning, their alias contains 'j', and the policy associated equals 2.
CSV example:
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=all_agents&return_type=csv&other=1&other_mode=url_encode_separator_%7C&apipass=1234&user=admin&pass=pandora
JSON example:
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=all_agents&return_type=json&other=1&other_mode=url_encode_separator_%7C&apipass=1234&user=admin&pass=pandora
=== get license_remaining ===
>= 7.0NG 752
To check the number of Agents or Modules available according to the Pandora FMS use licence and according to the access level of the user credentials used.
Call syntax:
* op = get (required)
* op2= license_remaining (required)
* return_type = json (required)
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=license_remaining&return_type=json&apipass=1234&user=admin&pass=pandora
=== get module_last_value ===
Returns the last module value. This module is filtered by the ID which has gone through the id parameter. With the other parameter you may add an error code that your application knows and it is out of range of module values.
Call syntax:
* op=get (required)
* op2=module_last_value (required)
* id=<índex> (required). It should be an agent module index.
* other= (optional). What you wish to receive if there is an error(usually not located in the database).
* Error return codes are:
* 'error_message'. It returns an error in a text message.
* 'error_value'. It returns this code or error value. But it is necessary to enclose it with 'other_mode', like other_mode=url_encode_separator_ to place the divider on another one.
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=module_last_value&id=63&other=error_value|0&other_mode=url_encode_separator_|&apipass=1234&user=admin&pass=pandora
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=module_last_value&id=62&apipass=1234&user=admin&pass=pandora
=== get agent_module_name_last_value ===
It returns the last module value. This module is filtered by the agent name which has gone through id parameter and module name which has gone through id2 parameter. With the other parameter, you may add an error code recognized by your application and which is out of range of module values.
Call Syntax:
* op=get (required)
* op2=agent_module_name_last_value (required)
* id=(required). It contains the agent name.
* id2= (required). It contains the module name.
* other= (optional). What you wish to receive if there is an error (that usually has not been found in the DB).
* Codes of error return are:
* 'error_message'. It returns error in a text message.
* 'error_value'. It returns this code or error value, but it must come with 'other_mode' such as other_mode=url_encode_separator_ to use the divider on another one.
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=agent_module_name_last_value&id=miguel-portatil&id2=cpu_user&apipass=1234&user=admin&pass=pandora
=== get agent_module_name_last_value_alias ===
⇒ 7.0NG
It returns the last module value. This module is filtered by the agent alias which has gone through id parameter and module name which has gone through parameter id2. With the other parameter, you may add an error recognized by your application and which is out range of module values.
Call Syntax:
* op=get (required)
* op2=module_last_value_alias (required)
* id=(required). It contains the agent alias.
* id2= (required). It contains the module name.
* other= (optional). What you wish to receive if there is an error ( that usually has not been found in the DB).
* Codes of error return are:
* 'error_message'. It returns error in a text message.
* 'error_value'. It returns this code or error value, but it must come with 'other_mode' such as other_mode=url_encode_separator_ to use the divider on another one.
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=agent_module_name_last_value_alias&id=pandorafms&id2=Memory_Used&apipass=1234&user=admin&pass=pandora
=== get module_value_all_agents ===
Given a module name, returns a list of agents containing that module name. The result returns the agent identifier, agent alias, requested module value and agent name, separated by semicolon ('';''). For example:
653;agente network;0.00000;a8c83b348451040dc91c1327303adf8945aefce6ac59ab9bf856c9f4e0cf6c6f
[[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#pandora_fms_external_api|Call syntax]]:
* ''op=get'' (required).
* ''op2=module_value_all_agents'' (required).
* ''id=''< module_name > (required).
**Example (see ** [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#pandora_fms_external_api|call syntax]]**):**
A list of all the agents that have the module with ''Host Alive'' name:
.../include/api.php?op=get&op2=module_value_all_agents&id=Host%20Alive&apipass=1234&user=admin&pass=pandora
=== get agent_modules ===
Returns the list of modules of an agent requested by its numerical identifier.
[[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#pandora_fms_external_api|Syntax]]**:**
* ''op=get'' (required).
* ''op2=agent_modules'' (required).
* ''return_type=csv'' (required) Output format.
* ''other=''< serialized values > (required) Serialized values in order to filter by agent:
* < id_agent >
It is absolutely essential to use
''other_mode=url_encode_separator_< separator >''
with this parameter!
**Example (see ** [[:en:documentation:pandorafms:technical_reference:02_annex_externalapi#pandora_fms_external_api|call syntax]]**):**
.../include/api.php?op=get&op2=agent_modules&return_type=csv&other=14&other_mode=url_encode_separator_|&apipass=1234&user=admin&pass=pandora
=== get module_id ===
It returns the id of an agent module.
Call syntax:
* op=get (required)
* op2=module_id (required)
* id=id agent (required)
* other=module name (required)
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=module_id&id=5&other=Host%20Alive&apipass=1234&user=admin&pass=pandora
=== get module_custom_id ===
Returns the value of the //Custom_id// field of a specific module of an agent passing as parameter the module id.
Call syntax:
* op=get (required)
* op2=module_custom_id (required)
* id=id_agent_module (required)
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=module_custom_id&id=5&apipass=1234&user=admin&pass=pandora
=== set module_custom_id ===
Changes or clears the value of the //Custom ID// field passing as parameters the module id and the value of the custom id.
Call syntax:
* op=set (required)
* op2=module_custom_id (required)
* id=id_agent_module (required)
* id2=value, or vacuum to clean (required)
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=set&op2=module_custom_id&id=5&id2=1521&apipass=1234&user=admin&pass=pandora
=== get locate_agent ===
It gets the id server where the agent is located, and prints all the results like a csv.
Call syntax:
* op=get (required)
* op2=locate_agent (required)
* return_type= (required). Output format.
* id=id_agent (required)
* other_mode= other_mode=url_encode_separator_ (required)
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=locate_agent&return_type=csv&apipass=1234&user=admin&pass=pandora&id=Pepito&other_mode=url_encode_separator_%7C
=== get policies ===
It returns the list of agent policies, whose id which has gone through the other parameter.
Call syntax:
* op=get (required)
* op2=policies (required)
* return_type= (required)
* other= (optional). Serialized values for filtering policies by policy agent:
*
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=policies&return_type=csv&other=&other_mode=url_encode_separator_|&apipass=1234&user=admin&pass=pandora
=== get tree_agents ===
It returns a complete list structured by the groups in the first level, agents in the second level and modules in the third level. This list is filtered by the other parameter.
Call Syntax:
* op=get (required)
* op2=tree_agents (required)
* return_type= (required). That could be 'csv' or 'csv_head'.
* other= (optional). In this case, it could be the divider or a parameter list ordered and separated by the divider character. Both cases are described here:
* The divider ''yes'' of the ''csv''.
* |,,. It will place the following parameters in order (the divider character ''|'' could be specified in ''other_mode''):
* . Field divider in the CSV.
* . Character that will be replaced if it finds in any returned character the character RC, in order to avoid the ambiguity with the standard use of the RC character to specify registers/files in the CSV. If you make an string go through other, the replacing character is the blank space.
* ,, :the fields to show in the CSV are:
* type_row
* group_id
* group_name
* group_parent
* disabled
* custom_id
* group_description
* group_contact
* group_other
* agent_id
* alias
* agent_direction
* agent_commentary
* agent_id_group
* agent_last_contact
* agent_mode
* agent_interval
* agent_id_os
* agent_os_version
* agent_version
* agent_last_remote_contact
* agent_disabled
* agent_id_parent
* agent_custom_id
* agent_server_name
* agent_cascade_protection
* agent_name
* module_id_agent_modulo
* module_id_agent
* module_id_module_type
* module_description
* module_name
* module_max
* module_min
* module_interval
* module_tcp_port
* module_tcp_send
* module_tcp_rcv
* module_snmp_community
* module_snmp_oid
* module_ip_target
* module_id_module_group
* module_flag
* module_id_module
* module_disabled
* module_id_export
* module_plugin_user
* module_plugin_pass
* module_plugin_parameter
* module_id_plugin
* module_post_process
* module_prediction_module
* module_max_timeout
* module_custom_id
* module_history_data
* module_min_warning
* module_max_warning
* module_min_critical
* module_max_critical
* module_min_ff_event
* module_delete_pending
* module_id_agent_state
* module_data
* module_timestamp
* module_state
* module_last_try
* module_utimestamp
* module_current_interval
* module_running_by
* module_last_execution_try
* module_status_changes
* module_last_status
* module_plugin_macros
* module_macros
* module_critical_inverse (only in version 6.0SP1 or later)
* module_warning_inverse (only in version 6.0SP1 or later)
* alert_id_agent_module
* alert_id_alert_template
* alert_internal_counter
* alert_last_fired
* alert_last_reference
* alert_times_fired
* alert_disabled
* alert_force_execution
* alert_id_alert_action
* alert_type
* alert_value
* alert_matches_value
* alert_max_value
* alert_min_value
* alert_time_threshold
* alert_max_alerts
* alert_min_alerts
* alert_time_from
* alert_time_to
* alert_monday
* alert_tuesday
* alert_wednesday
* alert_thursday
* alert_friday
* alert_saturday
* alert_sunday
* alert_recovery_notify
* alert_field2_recovery
* alert_field3_recovery
* alert_id_alert_template_module
* alert_fires_min
* alert_fires_max
* alert_id_alert_command
* alert_command
* alert_internal
* alert_template_modules_id
* alert_templates_id
* alert_template_module_actions_id
* alert_actions_id
* alert_commands_id
* alert_templates_name
* alert_actions_name
* alert_commands_name
* alert_templates_description
* alert_commands_description
* alert_template_modules_priority
* alert_templates_priority
* alert_templates_field1
* alert_actions_field1
* alert_templates_field2
* alert_actions_field2
* alert_templates_field3
* alert_actions_field3
* alert_templates_id_group
* alert_actions_id_group'
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=tree_agents&return_type=csv&other=;&apipass=1234&user=admin&pass=pandora
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=tree_agents&return_type=csv&other=;|%20|type_row,group_id,agent_name&other_mode=url_encode_separator_|&apipass=1234&user=admin&pass=pandora
=== get module_data ===
Returns a list of values of a module, this module is filtered by the id of module pass as id in the url. And the list of values is from the now to the period limit passed as second parameter into the other parameter, the first is the CSV separator.
Call syntax:
* op=get (required)
* op2=module_data (required)
* id= (required)
* other_mode=url_encode_separator_ (required)
* other= (optional)
* The CSV divider character (point by default)
* The period (in seconds)
* Start time (T:)
* End time (T:)
**Examples**
http://127.0.0.1/pandora_console/include/api.php?op=get&op2=module_data&id=17&other=;|604800|20121201T13:40|20171215T13:40&other_mode=url_encode_separator_|&apipass=1234&user=admin&pass=pandora
=== get graph_module_data ===
Returns the chart of a module as an image file, this chart is generated with the same method of static graphs of Pandora FMS. It is necesary to include the width, height, period, label and start date of chart (knowing in Pandora FMS the date indicated in graphs is always the data end) into the other parameter.
Call syntax:
* op=set (required)
* op2=module_data (required)
* id= (required)
* other= (required). They are the following in this order:
*
*
*
*