Network Config Management (NCM)
Pandora FMS NCM Server (Network Config Management) allows interacting with any network device, through Telnet and SSH protocols, to manage its configuration, perform backups, restore the configuration of the devices from the backups made and even perform custom executions with them.
To carry out all of these tasks, it relies on a system of templates by model that allows customizing every execution carried out on the network devices, giving control over and knowledge of each execution performed on each of those devices.
Enable NCM server
To enable this feature in Pandora FMS, it is necessary for the NCM service to be enabled in
The following parameters must be correctly configured in
    # Network manager configuration server (PANDORA FMS ENTERPRISE ONLY).
    ncmserver 1
    # Threads for NCM server (PANDORA FMS ENTERPRISE ONLY).
    ncmserver_threads 1
    # NCM utility to execute SSH and Telnet connections.
    ncm_ssh_utility /usr/share/pandora_server/util/ncm_ssh_extension
Once enabled, a new server will appear in the server view and all the sections corresponding to this feature will be enabled in the console.
To display the menus for everything related to NCM server each user must have the corresponding ACL rights. See more information about that in this article.
Enterprise Alternative Server packages
If you use the Enterprise Alternative Server packages, install openssh-clients for the feature to work properly.
Defining vendors and models
Before starting work, you must make sure that the system has the manufacturer and model(s) of the devices to be used defined. To that end use the Vendor and Model editors.
You will find these editors in the Configuration → Network Config Manager section.
This is only a descriptive definition. The logic is applied in the network equipment Templates.
Network equipment templates
Templates are applied to a manufacturer and to one or more models. Templates define how to interact with a piece of network equipment. The NCM and the equipment can be connected through Telnet or SSH. In both cases it will be necessary to provide one or more sets of credentials (in the case of the Cisco manufacturer, the access username/password and the enable mode password). In other devices there may be two pairs of credentials.
For the credentials, use the Pandora FMS internal credentials system, which allows reusing them without knowing the details. That way the administrator may specify different user/password “pairs” with an identifier, and an operator may use them without seeing the content. In NCM, these users and passwords are passed to the dialog with the device through macros.
Macros in the dialog with the network device
- _enablepass_: It will be replaced by the password field of the advanced key associated to the agent.
- _username_: It will be replaced by the username field of the agent's access key.
- _password_: It will be replaced by the password field of the agent's access key.
- _advusername_: It will be replaced by the username field of the advanced key.
- _advpassword_: It will be replaced by the password field of the enable advanced key. It is an alias of _enablepass_ and both can be used in the templates since they are equivalent to the same value.
- _applyconfigbackup_: It expands into as many commands as the current backup has configuration lines. It is applied line by line, as they are applied in Cisco® devices.
Creating a NCM template
Click on Define a NCM template button:
Click on Create button:
Fill the fields:
- Name: NCM template name.
- Vendors: Comma-separated list of vendors compatible with the scripts defined in the template.
- Models: Comma-separated list of models compatible with the scripts defined in the template.
- Script: Test: This script will be used to test device availability.
- Script: Get configuration: This script will be used to retrieve the configuration from devices.
- Script: set configuration: This script will be used to apply a previously backed up configuration to devices.
- Script: get firmware: This script will be used to retrieve the firmware version from devices.
- Script: set firmware: This script will be used to upgrade the firmware version of the devices.
- Script: custom task: This script will be executed on the devices when selecting the CUSTOM task.
Example of use on a Cisco 7200 device
These scripts only work if the user you log in with (via Telnet or SSH) works with user and password and does not have the enable field enabled by default.
A test connection is made to the device and ended without performing any operation.

    enable
    expect:Password:\s*
    _enablepass_
    exit

The test connection is used to verify that you can actually connect to the device. It can be modified (expect:xxxx) to expect a certain response, such as Ready. This is only a basic example.
Retrieve current configuration
This block defines how to obtain the configuration of the active device. In this example (Cisco®), the running configuration of the device is obtained by executing the show running-config command inside the device:

    enable
    expect:Password:\s*
    _enablepass_
    term length 0
    capture:show running-config
    exit

capture:<command> : It is used to capture, as the active configuration, what the device returns on screen.
Retrieve firmware version
Similar to the previous case, run the show version | i IOS Software command to retrieve the firmware version of the device, and as in the previous case, the capture command is used to capture the output of the command.

    enable
    expect:Password:\s*
    _enablepass_
    term length 0
    capture:show version | i IOS Software
    exit
Restore configuration backup
In this execution, the macro _applyconfigbackup_ is used to apply all the configuration stored in the Backup previously stored in the Console.

    enable
    expect:Password:\s*
    _enablepass_
    term length 0
    config terminal
    _applyconfigbackup_
    exit
Example custom script
Example of a custom script in which the values of some SSH parameters of the device are changed. Any necessary modification or command execution can be applied.

    enable
    expect:Password:\s*
    _enablepass_
    conf term
    ip ssh authentication-retries 4
    ip tcp synwait-time 10
    end
    exit
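How the macros and the expect:/capture: lines described above fit together, as an added example that is not Pandora FMS's own code: it turns a template script into ordered steps and keeps a masked copy of each step for logging. The function name, the shape of the credential dicts, the unknown-macro check and the sample credentials and backup are assumptions of this example.

```python
import re

# A macro is a lowercase word wrapped in underscores, standing as its own token.
MACRO_RE = re.compile(r"(?<![A-Za-z0-9])_[a-z]+_(?![A-Za-z0-9])")
SECRET_MACROS = {"_password_", "_enablepass_", "_advpassword_"}

def expand_template(script, access, advanced, backup=""):
    """Return (action, value, log_text) steps; access/advanced are assumed dicts."""
    macros = {
        "_username_": access["username"],
        "_password_": access["password"],
        "_advusername_": advanced["username"],
        "_advpassword_": advanced["password"],
        "_enablepass_": advanced["password"],  # documented alias
    }
    masked = {k: "********" if k in SECRET_MACROS else v for k, v in macros.items()}
    def fill(text, table):
        def repl(m):
            if m.group(0) not in table:
                # Treat a misspelled macro as an error, not as literal text to send.
                raise ValueError("unknown macro " + m.group(0))
            return table[m.group(0)]
        return MACRO_RE.sub(repl, text)  # single pass: values are not re-expanded

    steps = []
    for line in (l.strip() for l in script.splitlines()):
        if not line:
            continue
        if line == "_applyconfigbackup_":
            # One command per line of the stored backup, applied in order.
            steps += [("send", b, b) for b in backup.splitlines() if b.strip()]
        elif line.startswith("expect:"):
            pattern = line[len("expect:"):]
            re.compile(pattern)  # fail here, not mid-session, on a bad regex
            steps.append(("expect", pattern, pattern))
        else:
            action, _, rest = line.partition(":")
            if action != "capture":
                action, rest = "send", line
            steps.append((action, fill(rest, macros), fill(rest, masked)))
    return steps

# Constructed sample: the page's restore script plus made-up credentials/backup.
RESTORE_SCRIPT = "enable\nexpect:Password:\\s*\n_enablepass_\nterm length 0\nconfig terminal\n_applyconfigbackup_\nexit"
if __name__ == "__main__":
    for step in expand_template(RESTORE_SCRIPT, {"username": "ncm", "password": "x"},
                                {"username": "admin", "password": "y"},
                                backup="hostname lab-r1\nip ssh authentication-retries 4"):
        print(step[0], step[2])
```

Backup lines are passed through unmasked here; a stored configuration that contains secrets would need its own masking before being logged.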
All changes recorded in the device will be recorded when performing a firmware backup and you will have control of the changes made, both by reports and by screen (Web Console PFMS):
Setup in Agents
Within each of the agents that need to manage their remote configuration, associate a model to it.
This association will have to be done in the NCM section of the agent, where the following parameters must be selected:
- Device manufacturer.
- Device model.
- Connection method: Type of connection to be made (Telnet or SSH).
- Port: Port to use in the Telnet or SSH connection.
- Credentials to access device: Credentials stored in the Credential Store of Pandora FMS, which will be used to make the initial Telnet or SSH connection. The user must require both parameters when connecting.
- Credentials to admin device: Credentials stored in the Credential Store of Pandora FMS, which will be identified within the template selected in NCM template to be used, with the macros _advusername_ for the user and _advpassword_ for the password.
Once the agent configuration is finished, it will be ready to manage its configuration, back up, obtain firmware, restore the device configuration from the backups made and even perform custom executions with them.
To upload the firmware files and create backups of them with FTP, you must do it in an encrypted way to have the highest possible security. See section “FTP configuration to receive data in Pandora FMS” and the use of vsFTPd. You must use SFTP with exclusive chroot in:
See the Pandora FMS “Security Architecture” for a comprehensive overview of this issue.
Configuration management on the devices
If the configuration has been successfully completed, you may access the agent view or the Configuration → Network Config Management section to perform all possible management on each of them.
Accessing the NCM section in the agent view:
You will notice that no information is available at first, so click on Get running-config to start retrieving all this information.
When you click it, it will ask for confirmation:
And this will lead to the configured devices overview, where you will see the running task until it finishes:
From this same view, you will be able to perform all the interactions defined in the template, watching your process.
For example, to obtain the firmware version.
Once you have obtained all the information, you will be able to see it in the agent view:
At that moment all the options will have been enabled in the agent view to update the saved configuration, update the backup and even replace the current configuration of the network device with the backup stored in Pandora FMS.
In case the last downloaded version does not match the backup version, a window will appear with the differences between both versions:
For each execution of this feature, whether successful or not, a new event will be created in Pandora FMS indicating which task was performed, whether it completed or not, and its failure in case it did not complete successfully.
For the NCM feature there are three different ACL bits that can be assigned to users:
View NCM data → You will only be able to see the agent view and see the information reflected on it without being able to apply any changes on it.
Operate NCM → You will be able to not only see the view, but also to perform the executions you wish on the agents and on the NCM view.
Manage NCM → With this permission you will be able to generate templates, models and new manufacturers in addition to the executions already performed by Operate NCM.