Events
Introduction
Pandora FMS event system lets you see a real-time record of all the events that take place in your monitored systems. The information displayed ranges from module status changes and alerts triggered or recovered to system restarts or custom events. By default, the event view shows a snapshot of what is happening at that time.
Events are classified by their severity:
- Maintenance (grey).
- Informational (blue).
- Normal (green).
- Warning (yellow).
- Critical (red).
- Major (brown).
- Minor (pink).
The following actions can be performed in regard to an event:
- Change its status (validated or in progress).
- Change the owner.
- Delete.
- Show additional information.
- Add a comment.
- Apply custom responses.
General information
Events are managed in Events → View Events:
This is an example of the default event viewer:
From Pandora FMS version 726, you may sort events by ID, status, name…
The event viewer shows a summary of each event and sometimes other associated data, such as the agent module that generated the event, the group, module-related tags, etc.
By clicking on the magnifying glass, all event details are shown:
By default, the event view runs a search for events from the last 8 hours that are not validated (this can be customized), and groups them to avoid redundancy:
The user will be able to see only the groups to which he/she belongs, unless the user explicitly belongs to the ALL group.
You may save searches as filters, or apply a previously created filter.
You may get more information in our video tutorial “Event management in Pandora FMS”.
Events are the record and a key point of a monitoring system.
Operating with events
Event validation and status. Autovalidation
An event may be in one of four statuses:
- In process.
- New.
- Not validated.
- Validated.
When events take place due to module status changes, there will usually be two events: the first event is the change from normal to “faulty” state, and the second one is the event going back to normal once the problem is solved. In these cases, events going into a faulty state (critical or warning) are automatically validated when they go back to normal. This is called event autovalidation and it is an extremely useful feature.
When working manually, an event can be validated. That will make the system save the date and the user who validated the event. It is also possible to leave a comment:
By clicking on the validate button, the screen is refreshed and the validated event “disappears”.
An event can be marked as “in process” in the Responses tab:
That way the event will not get auto-validated and will stay pending. Notice the possible actions: executing custom responses such as pinging the host, or assigning the event, to name a couple of them.
You may validate, mark as “in process” or delete events individually by clicking on the corresponding icons:
Or mass apply them to a selection:
Regarding custom responses, the maximum number of events to which the operation applies is limited to ten.
Event filtering
Important aspects of this feature:
- Filters can be saved to be used again later on.
- The limit for old events (Max. hours old) can be customized.
- Pandora FMS, by default, groups repeated events (Duplicate → Group events); however, this preference can be changed:
  - All events: Display all events individually.
  - Group agents: Group events by agent.
  - Group events: The event name, agent ID and module ID are used to identify duplicates.
  - Group Extra IDs: Events will be grouped by Extra ID only, sorted by Timestamp.
- You may filter by a specific group. If you use the Group recursion option, it will also search in the subgroups of that group. Likewise, if you select Search in secondary groups, the events of agents with assigned secondary groups will be included. These last two options may add load to the PFMS server.
Advanced options
- You can request the events during a specific time lapse using the From (date) and To (date) fields.
- You can filter by custom fields using Custom data filter, either by filtering the field name (Filter custom data by field name) or by custom field content (Filter custom data by field value). These custom fields will be displayed as columns in the event view.
Favorite filters
Version NG 770 or later
The event filters that you consider most frequently used can be added to the Events section in the Favorite menu (Operation menu). This is done by clicking on the star icon that will appear when loading a saved filter (Current filter). Clicking it again allows you to uncheck the icon and remove it from the favorites system.
Deleting an Event
Events can be deleted individually and/or automatically.
There is also the possibility in the , to keep them in order to create special reports.
Individually:
Automatic event purging:
RSS Events
To access the event RSS feed, add the IP addresses that are allowed to access it to the field IP list with API access within Setup.
To see events in a news channel or RSS, go to Events > RSS and subscribe from the news reader of your choice.
Event sound console
It plays sound alerts when an event takes place. The tune will be played until you pause the sound event or click OK.
The list of sound events that generate a sound alert by default (and may be customized) is:
- A triggered alert.
- A module going into warning state.
- A module going into critical state.
- A module going into unknown state.
Go to Operation → Events → Acoustic console. This action opens a popup window control for all sound events. You must configure your web browser to allow pop-up windows to open.
Minimizing the Acoustic Console window will cause it not to work as expected.
Sound events are checked every 10 seconds asynchronously. When an event takes place, the window will start blinking in red or vibrating and, depending on the configuration of your browser or operating system, the window will keep the focus and stay on top of the other open windows.
You will only get sound alerts for events that take place from the moment that window is opened and while it stays open, that match the selected items and that have an alarm set.
Advanced Configuration
To add new tunes, copy said files in WAV format, to the directory:
/var/www/pandora_console/include/sounds/
Keep in mind that each tune must be sent to the browser and takes some bandwidth; it is recommended to:
- Select an audio file only a few seconds long as the main alert sound, because it will be played on loop.
- Convert the audio to mono.
- Change the audio's encoding to 16-bit signed or even less. Quality will be lost but the file's size will decrease by doing this.
- Use tools such as Audacity to create or edit audio files.
Exporting Events to a CSV
In order to export the events to a CSV file, click on Operation → View Events and Export to CSV File.
Event Statistics
Event statistics are only available up to version NG 752.
To access event statistics go to Events > Statistics.
Event graph
Event percentage according to their status.
Event graph by user
Percentage grouped by user.
Event graph by agent
Percentage by agent generated by each event.
Number of validated events
Validated events and to-be-validated.
When clicking on any of the sections, detailed information will appear.
Event alerts. Event correlation
From Pandora FMS release 741 onwards, event-related alert management is covered in its own wiki section.
Events from the Command Line
Generating Events from the Command Line
Pandora FMS external API is used by making remote calls (through HTTPS) to the /include/api.php file. This is the method defined in Pandora FMS to integrate third party applications. It basically consists of a call with the parameters formatted to receive a value or a list of values that this application will use to carry out operations.
By using the WEB API, you may interact with Pandora FMS from any remote system, even if you do not have connection to the database with an installed Software agent.
The three main points to activate Pandora FMS API:
- Enable the API access for the IP from which the command will be executed or use '*' for all IPs.
- Set an API password.
- Use a user/password to login, or define a specific user to access it through API.
The script for creating or validating events through Pandora FMS API may be copied from:
/usr/share/pandora_server/util/pandora_revent.pl
When executed on the client device without parameters, it shows its syntax (here translated):
Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at https://www.pandorafms.org
Options to create event:
    ./pandora_revent.pl -p <path_consoleAPI> -u <credentials> -create_event <opts>
Where the options are:
    -u <credentials>: API credentials separated by comma: <api_pass>,<user_name>,<user_pass>
    -name <event_name>: Free text
    -group <id_group>: Group identifier (use 0 for 'all')
    -agent: Specify agent by identifier.
Optional parameters:
    [-status <status>] : 0 New, 1 Validated, 2 In process
    [-user <id_user>] : Comment user (combine with -comment)
    [-type <event_type>] : unknown, alert_fired, alert_recovered, alert_ceased
                           alert_manual_validation, system, error, new_agent
                           configuration_change, going_unknown, going_down_critical,
                           going_down_warning, going_up_normal
    [-severity <severity>] : 0 Maintenance, 1 Informative, 2 Normal, 3 Warning, 4 Critical, 5 Minor, 6 Major.
    [-am <id_agent_module>] : ID del modulo de agente origen del evento
    [-alert <id_alert_am>] : ID de la alerta/modulo origen del evento
    [-c_instructions <critical_instructions>]
    [-w_instructions <warning_instructions>]
    [-u_instructions <unknown_instructions>]
    [-user_comment <comment>]
    [-owner_user <owner event>] : Event proprietary, use login name
    [-source <source>] : ('Pandora' by default)
    [-tag <tags>] : Tag (must already exist in the system)
    [-custom_data <custom_data>] : Custom data must be a 64 base encoded JSON document (>=6.0)
    [-server_id <server_id>] : Server node ID (>=6.0)
    [-id_extra <id extra>] : Extra ID
    [-agent_name <Agent name>] : Agent name, do not mistake with alias.
    [-force_create_agent<0 o 1>] : It forces agent creation if it does not exist that is why the parameter is 1 and it must have the option agent_name.
Example of event generation, using \ as line continuation and indentation for readability:
# The credentials are a single comma-separated argument, with no spaces after the commas
./pandora_revent.pl \
  -p "https://$path_consoleAPI/pandora_console/include/api.php" \
  -u "$api_pass,$user_name,$user_pass" \
  -create_event \
  -name "SampleEvent" \
  -group 2 -agent 189 \
  -status 0 \
  -user "admin" -type "system" \
  -severity 3 \
  -am 0 \
  -alert 9 \
  -c_instructions "Critical instructions" \
  -w_instructions "Warning instructions"
Options to validate an event:
./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -validate_event <options> -id <id_event>
Sample of event validation:
# The credentials are a single comma-separated argument, with no spaces after the commas
./pandora_revent.pl \
  -p "https://$path_consoleAPI/pandora/include/api.php" \
  -u "$api_pass,$user_name,$user_pass" \
  -validate_event \
  -id 234
For the unknown, critical or warning instruction fields to appear in the details of the generated event, said event must be of type going_unknown, going_down_critical or going_down_warning, respectively.
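The create-event call described above, wrapped so that the comma-separated credentials and the base64-encoded -custom_data value are built correctly and a console URL that is not HTTPS is refused. This is an added example, not part of Pandora FMS: the PFMS_* variables and the function names are assumptions, while the flags are the ones listed in the help output above.

```shell
#!/bin/sh
# Added example (not Pandora FMS code). Assumed names: the PFMS_* variables
# and the helper functions. The flags come from the pandora_revent.pl help.
REVENT=${REVENT:-/usr/share/pandora_server/util/pandora_revent.pl}

# -custom_data takes a base64-encoded JSON document. base64 wraps long
# output, so the newlines are removed to keep the value a single argument.
encode_custom_data() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# -u takes <api_pass>,<user_name>,<user_pass> as ONE argument. An empty
# field or a comma inside a field would shift the fields, so reject both.
join_credentials() {
    for field in "$1" "$2" "$3"; do
        case "$field" in
            ''|*,*) echo "credential field is empty or contains a comma" >&2
                    return 1 ;;
        esac
    done
    printf '%s,%s,%s' "$1" "$2" "$3"
}

# The API password and user password travel in the request, so only an
# HTTPS URL ending in /include/api.php is accepted.
check_api_url() {
    case "$1" in
        https://*/include/api.php) return 0 ;;
        *) echo "refusing API URL: $1" >&2; return 1 ;;
    esac
}

# create_event <name> <id_group> <id_agent> <severity> <type> <json>
create_event() {
    : "${PFMS_API_URL:?}" "${PFMS_API_PASS:?}" "${PFMS_USER:?}" "${PFMS_USER_PASS:?}"
    check_api_url "$PFMS_API_URL" || return 1
    creds=$(join_credentials "$PFMS_API_PASS" "$PFMS_USER" "$PFMS_USER_PASS") || return 1
    "$REVENT" -p "$PFMS_API_URL" -u "$creds" -create_event \
        -name "$1" -group "$2" -agent "$3" -severity "$4" -type "$5" \
        -custom_data "$(encode_custom_data "$6")"
}
```

The credentials still appear in the process arguments while the tool runs, which is one reason to give the API its own dedicated user as the steps above allow.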
Only generating events from the Command Line: 'pandora_revent_create'
It is the same feature as the 'pandora_revent' script with the exception of not being able to validate events. You may do it using the tool found at:
/usr/share/pandora_server/util/pandora_revent_create.pl
This tool uses an HTTP/HTTPS remote connection to create or validate events under Pandora FMS. Execute it without parameters to see the syntax here translated:
Pandora FMS Remote Event Tool Copyright (c) 2013 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at http://www.pandorafms.org
Options to create event:
    ./pandora_revent_create.pl -p <path_to_consoleAPI> -u <credentials> -create_event <options>
Where options:
    -u <credentials> : API credentials separated by comma: <api_pass>,<user>,<pass>
    -name <event_name> : Free text
    -group <id_group> : Group ID (use 0 for 'all')
    -agent : Agent ID
Optional parameters:
    [-status <status>] : 0 New, 1 Validated, 2 In process
    [-user <id_user>] : User comment (use in combination with -comment option)
    [-type <event_type>] : unknown, alert_fired, alert_recovered, alert_ceased
                           alert_manual_validation, system, error, new_agent
                           configuration_change, going_unknown, going_down_critical,
                           going_down_warning, going_up_normal
    [-severity <severity>] : 0 Maintance, 1 Informative, 2 Normal, 3 Warning, 4 Crit, 5 Minor, 6 Major
    [-am <id_agent_module>] : ID Agent Module linked to event
    [-alert <id_alert_am>] : ID Alert Module linked to event
    [-c_instructions <critical_instructions>]
    [-w_instructions <warning_instructions>]
    [-u_instructions <unknown_instructions>]
    [-user_comment <comment>]
    [-owner_user <owner event>] : Use the login name, not the descriptive
    [-source <source>] : (By default 'Pandora')
    [-tag <tags>] : Tag (must exist in the system to be imported)
    [-custom_data <custom_data>] : Custom data should be a base 64 encoded JSON document (>=6.0)
    [-server_id <server_id>] : The pandora node server_id (>=6.0)
Example of event generation:
    ./pandora_revent_create.pl -p http://localhost/pandora_console/include/api.php -u 1234,admin,pandora -create_event -name "SampleEvent" -group 2 -agent 189 -status 0 -user "admin" -type "system" -severity 3 -am 0 -alert 9 -c_instructions "Critical instructions" -w_instructions "Warning instructions"
Enable the API access and configure it first. Follow these three steps to do so:
- Enable the API access for the IP from which the command will be executed or use '*' for all IPs.
- Set an API password.
- Use a regular user/password or define a specific user to have access through the API.
In order for the 'unknown', 'critical' or 'warning' instruction fields to appear within the event details, the event type is required to be 'going_unknown', 'going_down_critical' or 'going_down_warning'.
More examples:
./pandora_revent_create.pl -p http://192.168.50.12/pandora_console/include/api.php -u pandora12,admin,pandora -create_event -name "Another nice event" -group 0 -type "system" -status 0 -severity 4 -user "davidv" -owner_user "admin" -source "Commandline" -comment "Prueba de comentario"
Custom fields within events
Events with custom fields may be generated with the Pandora FMS CLI. For example, an event generated by the following command:
perl pandora_manage.pl /etc/pandora/pandora_server.conf --create_event 'Custom event' system Firewalls 'localhost' 'module' 0 4 '' 'admin' '' '' '' '' '{"Location": "Office", "Priority": 42}'
would look like the one shown below.
Event setup
In the Event section in the management part of Pandora FMS console ('Events' > 'View events' > 'Manage events'), the following aspects regarding events can be configured:
- Event filtering.
- Event responses.
- Event display.
Custom event view
It is possible to customize the fields that the Event View shows by default: go to Events → View events, click on Manage events → Custom columns, and choose the fields to be shown.
You may also access this section from Management → Configuration → Events → Custom columns.
By default, the fields displayed are:
- Severity mini: Event severity in reduced format.
- Event name: Event name.
- Agent ID: Agent ID.
- Status: Event status.
- Timestamp: Date when the event was created.
However, there is a great number of fields apart from those shown by default that can be added to the Fields selected list:
- Event ID: Event ID.
- Agent name: Agent name.
- User: Event creator user.
- Group: Group the module belongs to.
- Event type: Event type.
- Module name: Module name.
- Alert: Alert linked to the event.
- Severity: Event severity.
- Comment: Event comments.
- Tags: Module tags.
- Source: Event source.
- Extra ID: Extra ID.
- Owner: Owner.
- ACK Timestamp: Date when the event was validated.
- Instructions: Critical or warning instructions.
- Server name: Name of the server the event came from.
- Data: Numerical data reported by the event.
- Module status: Module current status.
- Module custom ID: Value of the Module custom Module ID field
Select the fields you wish to display from the Fields available list and move them to Fields selected using the horizontal arrows.
- When you select a field in Fields selected, you may move its location up or down using the vertical arrows to the right of the list.
- By clicking on the icon you can restore the fields to how they were before you started modifying them.
Once selected, click Update.
Creating Event Filters
In this section you may create, remove and edit filters applied to the event view.
By clicking on Create new filter, the following view is shown, where the fields by which you wish to filter may be chosen.
Once the filters have been saved, right from the Event View itself they can be loaded to display the desired information quickly without having to reconfigure the filter each time:
Event Responses
Introduction
In this section, event responses can be created, edited and deleted. An event response is a custom action that can be executed on an event, for example, creating a ticket in Integria IMS with the relevant information about the event. More information about Integria IMS can be found in Pandora FMS documentation.
Enter a representative name, a description, the parameters to use, separated by commas, the command to use (the last ones allow the use of macros), the type and the server that will execute the command.
In Parameters you may enter as many as you need, separated by commas. When you make the response, a dialog box will appear to fill in each one of them and add it to the event.
Event Responses macros
The accepted macros are:
_agent_address_
Agent address.
_agent_alias_
Agent alias.
_agent_id_
Agent ID.
_agent_name_
Agent name.
_alert_id_
Event related alert ID.
_command_timeout_
Command response time (seconds).
_current_user_
ID of the user who executes the response.
_current_username_
Full name of the user executing the response.
_customdata_json_
Pulls all information from custom data in JSON format.
_customdata_text_
Pulls all information from custom data in text mode (with carriage return).
_customdata_X_
Pulls a particular field from custom data, replacing the X with the field's name.
_event_date_
Date on which the event took place.
_event_extra_id_
Extra event ID.
_event_id_
Event ID.
_event_instruction_
Event instructions.
_event_severity_id_
Event severity ID.
_event_severity_text_
Event severity (translated by Pandora FMS console).
_event_source_
Event source.
_event_status_
Event status (new, validated or event in process).
_event_tags_
Event tags separated by commas.
_event_text_
Full text of the event.
_event_type_
Event type (System, going into Unknown Status…).
_event_utimestamp_
Date on which the event occurred in utimestamp format.
_group_id_
Group ID.
_group_name_
Group name in database.
_group_contact_
Contact information for a group of agents.
_module_address_
Event associated module address.
_module_id_
Event associated module ID.
_module_name_
Event associated module name.
_node_id_
For Metaconsole and Node, returns the node identifier.
_node_name_
For Metaconsole and Node, returns the node name.
_owner_user_
Event owner user.
_owner_username_
Full name of the user who owns the event.
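Macro values end up as arguments of the response command, and some of them (event name, custom data) are free text supplied by whoever created the event, so a response script should validate what it receives before acting on it. An added example, not part of Pandora FMS: a hypothetical wrapper for a "ping the host" response, assumed to be configured with the command `/usr/local/bin/pfms_ping_response.sh _agent_address_ _event_id_` (script path, function names and PING_CMD are assumptions).

```shell
#!/bin/sh
# Added example (not Pandora FMS code). Hypothetical event response wrapper,
# assumed to be called as: pfms_ping_response.sh _agent_address_ _event_id_
LC_ALL=C; export LC_ALL

# _event_id_ must be a plain decimal number.
is_event_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Dotted-quad IPv4 with every octet <= 255. The case test also rejects
# embedded newlines, which a line-based grep alone would let through.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# DNS-style name: labels of letters, digits and '-', never starting with
# '-', so the value cannot be read by ping as an option.
is_hostname() {
    [ "${#1}" -le 253 ] || return 1
    case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# ping_response <agent_address> <event_id>: returns 2 on rejected input.
ping_response() {
    is_event_id "$2" || { echo "rejected event id" >&2; return 2; }
    if ! is_ipv4 "$1" && ! is_hostname "$1"; then
        echo "event $2: rejected agent address" >&2
        return 2
    fi
    ${PING_CMD:-ping} -c 3 "$1"
}

# Run only when called with the two expected arguments.
if [ "$#" -eq 2 ]; then
    ping_response "$1" "$2"
fi
```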