Installation and configuration
Installation
The installations of the Instances and the Command Center (Metaconsole) are required to be hosted in servers that communicate in both directions.
- Check that the Command Center can contact the Instances.
- Check that the Instances can contact the Command Center.
Instances do not need to communicate with each other at any time; for more details see Command Center architecture.
- The time setting must be the same. The more synchronized the Instance and Command Center timers are, the more accurate the displayed data will be.
Instances
An Instance or node is a common Pandora FMS installation, made up by a server and a Web Console.
Command Center
A Command Center is a Pandora FMS installation with a special license for it.
Pandora FMS Console and Command Center cannot be used at the same time.
It is necessary to have a server active to be able to perform different operations related to the Command Center, such as “migration”, “self-provisioning”, service execution, etc.
License activation
After activating the license from Pandora FMS Web Console, whatever the installation method is, you should access Pandora FMS console:
http://<dir_IP_or_URL>/pandora_console/
A welcome screen will appear to accept the license.
In order to activate the Command Center, a Command Center license is required. If a node license is activated, the normal Console will appear.
Metalicense
From Pandora FMS version 7.0 NG onwards, a single license is available for a Command Center environment. You may create as many Instances as you wish, as long as the total number of agents inside the Command Center is not exceeded.
This license is applied in the Command Center and may be synchronized in as many Instances as desired, thus allowing centralized management of the different agents to be deployed in those Instances.
If you need nodes that can remain disconnected from the Command Center for long periods of time, contact Pandora FMS team.
Metalicense synchronization
- The Instances (nodes) must have their own key generated and correctly validated.
- Once the nodes are generated and correctly validated, they are configured in the Command Center.
- All statuses should appear normal (green) and if necessary the synchronization button Synchronize all should be used:
- Once all these steps have been completed for each node, access the Command Center license and click Validate to synchronize the Metalicense with all the Instances.
Registration of Instances
Setup → Metasetup → Consoles setup menu.
In the Metasetup section, you may register and configure the Instances with which the Command Center will be linked.
In order to register a new Instance, a series of parameters related to the Instance to be managed must be known. If it is the registration of an Instance that has not yet been registered with a license, the default data are:
- Server name: localhost.localdomain.
- API password: Empty.
- DB host: Database IP address.
- DB name: pandora.
- DB user: pandora.
- DB password: pandora.
- DB port: 3306.
- Control user: admin.
- Console password: pandora.
- Console URL: http://<dir_IP_or_URL>/pandora_console
Advanced fields
To ensure connectivity between nodes and the Command Center, connection data may be configured manually.
- Metaconsole DB host: Database IP address.
- Metaconsole DB name: pandora.
- Metaconsole DB user: pandora.
- Metaconsole DB password: pandora.
- Metaconsole DB port: 3306.
These fields indicate the configuration of the connection to be established by the node against the Command Center.
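The default values listed above are documented publicly, so a node registered with them unchanged is protected only by who can reach it over the network. The following added example (not part of the Pandora FMS documentation or code) audits a constructed inventory of registration records for those defaults; the record keys and function names are hypothetical.

```python
"""Audit node registration records for the documented default values.

Added example, not Pandora FMS code. The record keys are hypothetical names
for the registration form fields; the default values are the ones listed in
the registration section of this page.
"""
from urllib.parse import urlparse

# Secrets whose documented default is "pandora".
DEFAULT_SECRETS = {
    "db_password": "pandora",
    "console_password": "pandora",
    "meta_db_password": "pandora",
}

# Non-secret identifiers that are also documented defaults.
DEFAULT_NAMES = {
    "server_name": "localhost.localdomain",
    "db_user": "pandora",
    "control_user": "admin",
    "meta_db_user": "pandora",
}


def audit_node(record):
    """Return a list of (severity, message) findings for one record."""
    findings = []
    for field, default in DEFAULT_SECRETS.items():
        if record.get(field) == default:
            findings.append(("high", f"{field} is the documented default"))
    if not record.get("api_password"):
        findings.append(("high", "api_password is empty"))
    # The console URL carries the login and API traffic for the node.
    scheme = urlparse(record.get("console_url", "")).scheme.lower()
    if scheme != "https":
        findings.append(("medium", "console_url is not https"))
    for field, default in DEFAULT_NAMES.items():
        if record.get(field) == default:
            findings.append(("info", f"{field} is the documented default"))
    return findings


def audit_inventory(inventory):
    """Map each record label to its findings."""
    return {record["label"]: audit_node(record) for record in inventory}


# Constructed sample inventory: node-a was registered with the defaults,
# node-b had every value changed. All values are made up for the example.
SAMPLE_INVENTORY = [
    {
        "label": "node-a",
        "server_name": "localhost.localdomain",
        "api_password": "",
        "db_user": "pandora",
        "db_password": "pandora",
        "control_user": "admin",
        "console_password": "pandora",
        "console_url": "http://192.0.2.10/pandora_console",
        "meta_db_user": "pandora",
        "meta_db_password": "pandora",
    },
    {
        "label": "node-b",
        "server_name": "node-b.example.internal",
        "api_password": "constructed-api-secret",
        "db_user": "cc_link",
        "db_password": "constructed-db-secret",
        "control_user": "cc_control",
        "console_password": "constructed-console-secret",
        "console_url": "https://node-b.example.internal/pandora_console",
        "meta_db_user": "node_b_link",
        "meta_db_password": "constructed-meta-secret",
    },
]

if __name__ == "__main__":
    for label, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(label, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```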
In case it is a Pandora FMS installation, where a valid license has already been included in the Instance, you have to obtain this data from the Instance configuration and the Instance database.
All the fields must be filled in to achieve the connection. When saving, a completely new node without any data is added with the Register empty node button; otherwise the Register node with data to merge button is used.
- When using the Register empty node button, a warning window will be displayed, indicating that the data in the node will be deleted:
Click OK if you are sure and the new node will be centralized.
- When using the Register node with data to merge button, a confirmation window will be displayed indicating that the data in the existing node will be centralized:
In the view of the configured Instances, it can be seen that the Instances may be modified, deactivated and deleted. There are indicators that check certain information of the configuration of each instance. These checks are performed when loading this view, but may also be done individually by clicking on them.
The indicators are as follows:
- Database: If the Instance database has been misconfigured or does not have the necessary permissions, the indicator will be red and will give information about the problem.
- API: This flag will test the Instance API. If it fails it will give failure information.
- Compatibility: This flag checks some requirements between Instance and Command Center. The name of the Instance server, for example, must match the name given in its configuration in the Command Center.
- Event replication: This indicator shows whether the Instance has event replication enabled, and if events have already been received from the Instance, how long ago the last replication was.
- Agent cache: This indicator shows that the last statuses of the agents and modules of the node have been correctly saved in the Command Center database. When a change is generated, only that change will be modified in the database.
- Synchronization: This indicator refers to the possibility of being able to synchronize the different elements from the Command Center to the Instances.
The first three indicators must appear in green so that the Instance is properly linked and you begin to see its data. On the other hand, the Event Replication indicator only gives information about this feature.
- An Instance can be well configured, but without replicating its events.
- Once you have chosen to replicate the events, all event management will be done from the Command Center, leaving the Instance events as merely informative.
In case of enabling database encryption, all nodes and the Command Center must use the same configuration of encryption_passphrase.
Report scheduling
NG 755 version or earlier: you should configure the use of the Command Center, you have all the relevant information there.
It is necessary to install server packages in the system where the Command Center is installed in order to be able to launch the Database maintenance script (pandora_db). You should make sure that it is properly programmed for its execution in the cron every hour (as it is detailed in the following link).
If you are going to use on-demand reports (sent by e-mail) you need to schedule the execution of the cron extension just as you do in a normal Web Console. Generally, this is done by entering the following line in the cron, setting the local paths accordingly:
*/5 * * * * <user> wget -q -O - http://x.x.x.x/pandora_console/enterprise/extensions/cron/cron.php >> /var/www/pandora_console/log/console.log
For versions prior to 747 the path will be:
/var/www/pandora_console/pandora_console.log
Finally, to configure SMTP for sending e-mails, you need to edit the corresponding parameters in the mail configuration section.
API
Access to the Instance API will be granted with the following parameters:
- Username and password: A valid username and password must be known in the Instance.
- API Password: The API access password configured in the Instance must be known.
- List of IP addresses with API access: In the Instance configuration, there is a list of IP addresses that may access the API. The asterisk can be used as a wildcard to give access to all IP addresses or to a subnet.
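A lone asterisk in that list leaves the credentials and the API password as the only barrier for any host that can reach the Instance console. The added example below (not Pandora FMS code) reviews an allow list and reports how many IPv4 addresses each entry admits; the entry syntax it accepts (an exact address, a dotted prefix ending in an asterisk, or a lone asterisk) is an assumption, and the function names and sample values are constructed.

```python
"""Review an Instance API allow list (added example, not Pandora FMS code).

Assumed entry syntax, IPv4 only: an exact address ("192.168.80.10"),
a dotted prefix ending in an asterisk ("192.168.80.*"), or a lone "*".
"""
import ipaddress


def _prefix_octets(entry):
    """Return the fixed leading octets of an 'a.b.*' style entry."""
    octets = entry.split(".")[:-1]
    if not 1 <= len(octets) <= 3:
        raise ValueError(f"bad wildcard entry: {entry!r}")
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet in entry: {entry!r}")
    return octets


def entry_size(entry):
    """Number of IPv4 addresses one allow-list entry admits."""
    entry = entry.strip()
    if entry == "*":
        return 2 ** 32
    if entry.endswith(".*"):
        return 256 ** (4 - len(_prefix_octets(entry)))
    ipaddress.IPv4Address(entry)  # raises ValueError if malformed
    return 1


def entry_matches(entry, ip):
    """True if the entry admits the given IPv4 address."""
    entry = entry.strip()
    ip = str(ipaddress.IPv4Address(ip))
    if entry == "*":
        return True
    if entry.endswith(".*"):
        _prefix_octets(entry)
        # Keep the trailing dot so "192.168.8.*" does not match 192.168.80.x.
        return ip.startswith(entry[:-1])
    return entry == ip


def review_allow_list(entries, command_center_ip, max_size=256):
    """Flag invalid entries and entries admitting more than max_size hosts."""
    report = {"admits_command_center": False, "too_broad": [], "invalid": []}
    for entry in entries:
        try:
            size = entry_size(entry)
            if entry_matches(entry, command_center_ip):
                report["admits_command_center"] = True
        except ValueError:
            report["invalid"].append(entry)
            continue
        if size > max_size:
            report["too_broad"].append((entry, size))
    return report


# Constructed sample allow list and Command Center address.
SAMPLE_ALLOW_LIST = ["127.0.0.1", "192.168.80.*", "10.*", "*", "192.168.80.300"]
SAMPLE_COMMAND_CENTER_IP = "192.168.80.10"

if __name__ == "__main__":
    print(review_allow_list(SAMPLE_ALLOW_LIST, SAMPLE_COMMAND_CENTER_IP))
```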
Self-authentication
In some parts of the Command Center there are accesses to the Instance Web Console; for example, in the event viewer, clicking on the agent associated to an event (if any) will lead to the view of that agent in the console of the Instance to which it belongs.
For this type of access autoauthentication is used. This authentication is performed by activating the token Setup → General setup → Auto login in node.
Configuration
To configure the Command Center, go to Setup → Metasetup. Each instance or node has also its own configuration.
Warp Update Online
Setup → Metasetup → Warp Update Online menu. This section will only be visible if Enable Warp Update is enabled in General Settings.
If you have a valid command center license and Internet access, you will be able to update the Command Center automatically.
Warp update Offline
Setup → Metasetup → Warp Update Offline menu. This section will only be visible if Enable Warp Update is enabled in the General Settings.
Applying patches and/or updates offline can make the Web Console unusable; performing a full backup beforehand is recommended.
- It allows you to update and/or patch the Command Center without the need to connect to the Internet.
- Only the files should be uploaded in order up to the version that needs to be updated, since they are not cumulative versions.
The Warp Update Offline also serves to install patches of different types: console, server and manual combined patches.
When accessing this section, a unique access code related to the applied license will be displayed. Copy it by clicking on the icon, click on the indicated link to open it in a new tab of the web browser, paste the code, log in and download the necessary files. If no code appears, sign up with an e-mail address and you will get the unique access code right away.
- When you enter the download web page you will see the version installed according to the license and you will be able to search for updates by name and description.
- Once the search for the desired update is ready, click View details to see its contents.
- A dialog box will open with the different files for downloading one at a time.
- Once the file(s) have been downloaded, access the Warp Update Offline menu again and click Browse it to select file by file.
- The size of each file must be smaller than specified in the post_max_size and upload_max_filesize tokens in the /etc/php.ini file.
- The information displayed on the screen should be checked to see if it matches the updates and/or modifications. To process, click on the green icon in the lower right corner and wait for the Web Console to display the results of each process.
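An upload that exceeds either PHP limit is rejected, so it helps to compare the downloaded files against both directives before starting. The added example below (not Pandora FMS code) parses the two directives from php.ini text, including PHP's K/M/G shorthand, and lists the files that are not smaller than the effective limit; the php.ini fragment, file names and sizes are constructed and the function names are hypothetical.

```python
"""Check update files against PHP upload limits (added example)."""
import os
import re

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# PHP's built-in defaults, used when a directive is absent from the file.
PHP_DEFAULTS = {"post_max_size": "8M", "upload_max_filesize": "2M"}


def php_bytes(value):
    """Convert a PHP size such as '200M' or '2g' to bytes."""
    match = re.fullmatch(r"\s*(\d+)\s*([KkMmGg]?)\s*", value)
    if not match:
        raise ValueError(f"unsupported PHP size: {value!r}")
    return int(match.group(1)) * _UNITS[match.group(2).lower()]


def read_limits(ini_text):
    """Return both limits in bytes; the last uncommented assignment wins."""
    values = dict(PHP_DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in values:
            values[key] = value.strip('"')
    return {key: php_bytes(value) for key, value in values.items()}


def effective_limit(limits):
    """Smaller of the two limits; post_max_size = 0 disables that limit."""
    post = limits["post_max_size"]
    upload = limits["upload_max_filesize"]
    return upload if post == 0 else min(post, upload)


def oversized(files, limits):
    """Names of files whose size is not smaller than the effective limit."""
    limit = effective_limit(limits)
    return sorted(name for name, size in files.items() if size >= limit)


def sizes_from_paths(paths):
    """Build the {name: size} mapping from real files on disk."""
    return {path: os.path.getsize(path) for path in paths}


# Constructed fragment standing in for /etc/php.ini.
SAMPLE_PHP_INI = """\
; constructed example
post_max_size = 800M
;upload_max_filesize = 2G
upload_max_filesize = 200M   ; raised for offline updates
"""

# Constructed file names and sizes in bytes.
SAMPLE_FILES = {
    "update_a.pkg": 150 * 1024 ** 2,
    "update_b.pkg": 200 * 1024 ** 2,
    "patch_c.pkg": 512 * 1024 ** 2,
}

if __name__ == "__main__":
    limits = read_limits(SAMPLE_PHP_INI)
    print("effective limit:", effective_limit(limits), "bytes")
    print("too large:", oversized(SAMPLE_FILES, limits))
```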
Warp Update Journal
Setup → Metasetup → Warp Update Journal menu. This section will only be visible if Enable Warp Update is enabled in the General Settings.
Click Warp Update Journal icon to see the updates performed, version, date and time of application, user who requested and applied it, and so on. Over time you will accumulate many records which can be filtered by expanding the Filter box and entering the keyword to search for.
Warp Update Setup
Setup → Metasetup → Warp Update Setup menu. This section will only be visible if Enable Warp Update is enabled in General Settings.
By default it is already configured to perform the update online.
Contact support before changing any of the following fields:
- Warp Update URL.
- Use secured Warp Update.
- Proxy server.
- Proxy port.
- Proxy user.
- Proxy password.
Relations rules
Setup → Metasetup → Relations rules menu.
To enable this functionality, the Enable API agent token must be enabled in the general configuration.
It allows quick retrieval of information about certain special devices by means of an API (different from the main API).
In the Relationships box you must choose a Type (drop-down list: Ip Gateway or IMEI) and assign a relationship value which will be used in the API query. This query will return the Node address that you have selected, either one of the Command Center (Metaconsole) nodes or a custom node via Custom. Once the three fields described above have been set, click on the Insert relation button to save the new relation.
To load a list of relations you must prepare a file in CSV format with the following order:
imei,<rule>,<node> or gateway,<rule>,<node>.
Illustrative values: gateway,4,192.168.80.37.
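A malformed row is easier to catch before upload than after a bulk import. The added example below (not Pandora FMS code) validates a relations file against the three-column layout just described; the checks on the rule and node columns (non-empty values, a node that is either an IP address or a free-form custom string, no repeated type and rule pair) are assumptions, the function names are hypothetical and the sample rows are constructed.

```python
"""Validate a relations CSV before upload (added example)."""
import csv
import io
import ipaddress

VALID_TYPES = {"imei", "gateway"}  # the two types named on this page


def validate_relations(text):
    """Return (rows, errors).

    rows   -- accepted rows as dicts with line, type, rule, node, node_kind
    errors -- list of (line_number, message) for rejected rows
    """
    rows, errors, seen = [], [], {}
    reader = csv.reader(io.StringIO(text))
    for fields in reader:
        line_no = reader.line_num
        fields = [field.strip() for field in fields]
        if not any(fields):
            continue  # blank line
        if len(fields) != 3:
            errors.append((line_no, f"expected 3 columns, got {len(fields)}"))
            continue
        rel_type, rule, node = fields
        if rel_type not in VALID_TYPES:
            errors.append((line_no, f"unknown type {rel_type!r}"))
            continue
        if not rule or not node:
            errors.append((line_no, "rule and node must not be empty"))
            continue
        # Assumption: one (type, rule) pair should map to a single node.
        key = (rel_type, rule)
        if key in seen:
            errors.append((line_no, f"repeats {rel_type},{rule} from line {seen[key]}"))
            continue
        seen[key] = line_no
        try:
            ipaddress.ip_address(node)
            node_kind = "ip"
        except ValueError:
            node_kind = "custom"  # treated as a custom node value
        rows.append({"line": line_no, "type": rel_type, "rule": rule,
                     "node": node, "node_kind": node_kind})
    return rows, errors


# Constructed sample file; only the first row comes from the page.
SAMPLE_CSV = (
    "gateway,4,192.168.80.37\n"
    "imei,2,192.168.80.38\n"
    "gateway,4,192.168.80.99\n"
    "sim,7,192.168.80.37\n"
    "gateway,,192.168.80.37\n"
    "imei,9\n"
    "imei,11,lab node\n"
)

if __name__ == "__main__":
    accepted, rejected = validate_relations(SAMPLE_CSV)
    for row in accepted:
        print("ok   ", row)
    for line_no, message in rejected:
        print("error", line_no, message)
```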
The saved relationships will be displayed at the bottom and can be filtered by type, value or node address. You can also delete relationships one by one or select several or all of them with the corresponding checkbox and then pressing the Delete button to mass delete.
Relationship queries will be returned in JSON format. In Mozilla Firefox web browser for gateway=1:
In Mozilla Firefox web browser for imei=2:
By means of the Node Address Default button you can configure to return a preset response when there is no relationship rule established or when no relationship rule is found that matches the request made. This response can be either the IP address of one of the Metaconsole nodes or a custom message by selecting the option Custom:
Notifications
Setup → Metasetup → Notifications menu.
In Pandora FMS there is a system for monitoring the status of the Console and the system in general.
- By clicking on the notifications icon you can add or subscribe to each category of notifications those users or groups who will receive the notification.
- For the System status you can additionally specify each technical aspect for each of the registered users or groups.
The different types of notification are as follows:
- System status.
- Message.
- Pending task.
- Advertisement.
- Official communication.
- Sugerence (Suggestion).
The Enable user configuration token enables users, in the Operation → Workspace → Configure user notifications section, to enable or disable such notifications in Console and/or by e-mail.
For notifications to arrive by e-mail, the user must have configured his e-mail in his user profile, and the Pandora FMS server must also be configured to send e-mails.
If a user belongs to a group and that group is added to one of the notification categories, that user will have active Console notifications for that notification category; however, the user cannot modify them even if the Enable user configuration token is enabled (for that category).
By default, the admin user comes with the active notifications of System status and Official communication even if these categories are inactive. Any superuser that is added later will be in all notification categories.
Setup → Metasetup → Mail menu.
In this configuration a series of values must be established such as:
- Outgoing address (From dir -From address-).
- Name of outgoing address (From name).
- The IP address or FQDN of the SMTP server (Server SMTP).
- SMTP port number (Port SMTP).
- Type of encryption for privacy (Encryption): SSL, SSLv2, SSLv3, STARTTLS.
- If necessary, the user and password of the email user (E-mail user and E-mail password).
When using a Gmail® account, Google® may block authentication attempts by certain applications. For proper operation, it will therefore be necessary to enable access by insecure applications. More information on how to do this can be found on the official Google® support pages.
For security reasons you must use a Gmail® email account created expressly and only to send Pandora FMS server warning messages. Never use a personal email account for this purpose.
If necessary, modify the mta_auth token in the /etc/pandora/pandora_server.conf file. This token, by default, is established as a comment, so it should be activated by editing this line and placing the required authentication type, see this link for more details.
Once the email configuration is saved, by clicking on the E-mail test option you will be able to check if your configuration is correct by sending an email automatically generated by Pandora FMS to a desired email address. Only if the selected configuration is correct, you will be able to see the email in your inbox.
You must ensure that the Pandora FMS server is able to resolve, through its DNS server, the mail server in charge of your mail domain.
nslookup -type=mx my.domain
It is necessary to check, also in this case, that the mail server accepts the mails redirected from the Pandora FMS server.
For more information you can consult the Pandora FMS server configuration.
Strings translation
Setup → Metasetup → Strings translation menu.
Allows to translate text strings from the Pandora FMS interface in a customized way.
- Language: Allows you to filter the string by language.
- Free text for search (*): Content of the string to be customized (this field can be left blank to display all strings).
Three columns will appear: the first one will show the original string, the second one the current translation and the third one the custom translation to be added. The last column must be completed and the Update button clicked to save.
Care should be taken to copy exactly the same HTML code and JavaScript language that may appear in the text to be translated.
File manager
Setup → Metasetup → File manager menu.
File manager where you can upload and delete files in the folder images of the Command Center installation.
The Command Center code reuses some images from the normal console code. These images will not be accessible from this manager and it will be necessary to access the installation manually to manage them.
Performance setup
Setup → Metasetup → Performance setup menu.
The Database maintenance status section informs about the maintenance and compaction of the PFMS database. The following parameters are used for these processes.
Performance.
- Max. days before events are deleted: Field where the maximum number of days before deleting the events is defined.
- Front page for custom reports: The custom report cover page will be applied by default to all reports and templates.
- Max. days before audited events are deleted: Number of days of event auditing to be maintained.
- Default hours for event view: Field where the hours field of the default filter in the event view is defined. If the default is 8, the event view will show only the events occurred in the last 8 hours. This field also affects the display, counting and graphing of events in the tactical view.
- Migration block size: Migration block size. It is used to migrate (move) agents between nodes in Command Center environments, especially to transfer historical data between one node and another.
- Events response max. execution: Number of events that will perform the desired action at the same time.
- Max. number of events per node: Maximum number of events to be displayed for each node.
- Row limit in CSV log: Limit of rows for the record in CSV format.
- Max. macro data fields: Field where the number of macros that can be used for alerts is defined.
- Limit of events per query: Limit set for the maximum number of events in a query, by default five thousand items.
- Max. days before purge: Field where the maximum number of days before deleting data is defined. This also specifies the maximum number of days to keep historical inventory data.
- Rows limit for SQL report item PDF (per node): Before increasing this value, it should be noted that a high value may affect the performance of PDF generation. You can use 0 to disable this limit.
Visual setup
Setup → Metasetup → Visual setup menu.
Note that group synchronization may change the node's group configuration.
Visual styles:
- Date format string: Allows specific formatting of the date and time. By default it uses F j, Y, g:i a (full name of month and day, year and hour and minute). It is denoted according to PHP language; to add the timezone you must add T and/or e.
- Graph color: Allows you to choose a color for each of the three graphics.
- Data precision for reports and visual consoles: Number of decimal places to display in reports and visual consoles. Must be between 0 and 5.
- Percentile: Displays a percentile in the graphs, by default 95.
- Value to interface graphics: Name of the units for the network interface graphics, by default Bytes.
- Block size for pagination: Allows pagination of the various results (alerts, events, etc.); by default in blocks of 20 elements. If a lower value is defined, notifications will be obtained warning of this.
- Number of elements in Custom Graph: To limit the number of legends in the combined plots, it is recommended to reduce the width of the legends, make them summarized and as short as possible. The combined charts that respond to this token are of type: Line, Area, Vertical Bars, Horizontal Bars, Stacked.
- Use round corners: Use rounded corners in graphics.
- Chart fit to content: There are graphs whose values are percentages and the top of the graph exceeds the maximum value of one hundred, by activating this option you can configure the graphs to stop adding a proportional upper margin.
- Graph TIP view: (This option may cause performance problems) Indicates whether visualize TIP charts:
- None: The TIP option in the graphics setup will be disabled (default option).
- All: The TIP option in the graphs menu will be activated in all graphs.
- On Boolean graphs: The TIP option will only be activated in the menu for true and false type graphs.
- Graph mode: Allows to show only the average or the average with the minimum and maximum values.
- Zoom graphs: Graphics zoom, by default 100%.
- Type of module charts: By default the modules will be presented as area charts, the other option is line charts.
- Metaconsole elements: The number of elements that each instance or node will return in certain views. By default 100.
- Add new custom value to intervals: Allows to add custom time intervals (except for the event comment view). The numerical value must be entered and the time unit selected, then press the general button Update. The added interval will then appear in the Delete interval list where it can be deleted. The deletion process consists of selecting the interval to be deleted from the list, pressing Delete and then the Update button.
- Show only the name of the group: To display the group name instead of its icon.
- Display data of proc modules in other format: The proc type data represent binary states of a module. In the database they are collected as a number, but they could also be represented descriptively with an identifier for each of the two states. By activating this option, this second form of representation is used.
- Display text when proc modules are in OK status: If the Display data of proc modules in other format option is enabled, this text appears instead of the number when the module has a correct status.
- Display text when proc modules are in critical status: If the Display data of proc modules in other format option is enabled, this text appears instead of the number when the module has a critical status.
- Custom favicon: It must be in .ico format and its dimensions in 16 by 16 pixels to work properly. You can add icons to choose from in the images/custom_favicon folder.
- Custom background login: Allows you to choose a background for the login. Custom images can be placed in the images/backgrounds/ folder. If the token Random background (login) is enabled this option will be ignored.
- Product name and Copyright notice: These first two tokens to appear correspond to the instances (nodes) and allow the product to be renamed.
- Product name and Copyright notice: The second two tokens to appear correspond to the Command Center and allow the product to be renamed.
The following tokens allow you to change the Web Console icons for the expanded and collapsed main menu:
- Custom logo (menu).
- Custom logo collapsed (menu).
- Custom logo (header white background).
The following tokens allow you to change text and images at user login, their names are self-descriptive:
- Title (header).
- Subtitle (header) (also used in the Web Console).
- Custom logo (login).
- Custom Splash (login).
- Background opacity % (login).
- Title 1 (login).
- Title 2 (login).
- Docs URL (login).
- Support URL (login).
- Random background (login).
- Graphs font family: Default font Lato selected, value immutable.
- Visual effects and animation: Allows you to disable animations at the start of each user session.
- Default cache expiration: This section indicates how often it clears the status cache of the elements and, therefore, how often it calculates the status of each element individually.
- Default interval for Visual Console to refresh: This interval will affect only the visual console pages, setting how often they will be refreshed automatically.
- Data multiplier to use in graphs/data: Value by which you will multiply the displayed data to represent it in the graphs. This is useful in case the unit of value is bytes; for all other conversions use Custom value post processing.
- Mobile view not allow visual console orientation: On the mobile console it prevents the screen from being rotated according to the motion sensor.
- Display item frame on alert triggered: Allows you to hide an orange box when you have a triggered alert in the Static image, Simple value, Icon, Group elements of the Visual Consoles. Enabled by default.
- Graphs font size: Field to choose the font size used by Pandora FMS for the graphs. Immutable value, by default.
- Show unit along with value in reports: Displays the units in addition to the module value in the reports.
- Truncate agent text at end and Truncate module text at end: For the Operation → Monitoring → Views section, if enabled cut the name of the agents and modules at the end and place three ellipses (the default behavior is to cut in the middle).
- Agent text size and Module text: To choose the text size in the representation of agents and modules, respectively.
Reports configuration:
- Show report info with description: Custom report description information. Applies to all reports and templates by default.
- Front page for custom reports: Custom report cover. It will be applied to all reports and templates by default.
- PDF font size (px): Font size for PDF report, default 10 dots per inch.
- HTML font size for SLA (em): Font size for SLA reports, default 2 em (means 2 times the current font size).
- Graph image height for HTML reports: It is the height in pixels of the module's graphic or of the custom graphic in HTML reports, default value 250.
- CSV divider: Character or character set with which the data will be separated when exporting to CSV.
- CSV decimal separator: Symbol to use in the decimal separator when exporting to CSV.
- Interval description: Displays the description of the time interval in abbreviated or unabbreviated form. A Long description would be “10 hours, 20 minutes, 33 seconds”; a Short interval is “10h 20m 33s”.
- Custom logo: The path to the custom logos is located in images/custom_logo, in the Web Console installation. More files in JPG and PNG format can be uploaded with the upload tool.
Authentication
The following fields are common to all options:
- Control of timeout session: By default enabled, checks if there has been no activity in the time period set in Session time (mins) to log off.
- Session time (mins): The default value is 90 minutes and when this value is set to 0 for a user, Pandora FMS will use the value saved in the General Configuration, section authentication.
- Double authentication: Users can choose whether to enable two-step authentication on their accounts.
In remote authentication processes, it must be verified that the port numbers are configured correctly.
Local Pandora FMS
Default authentication: it is performed using the Pandora FMS internal database. For security reasons, users of type superadmin always authenticate in this way; the rest of the authentication types have the local option as fallback.
When choosing an authentication method such as Active Directory®, LDAP or SAML the Local Pandora FMS option will no longer be available as the exclusive authentication method. However, users will always have the option of local authentication as a fallback.
Active Directory®
- Automatically create remote users: Enables or disables the automatic creation of remote users. This option allows Pandora FMS to create the users automatically once they log in. If this feature is enabled, the following numbered fields will be available:
- Save Password: If enabled it allows to save the AD passwords in the Pandora FMS local database.
- Advanced Configuration AD: If this option is enabled, the configuration of Advanced Permissions AD is used.
- Advanced Permissions AD: Lists the advanced permissions that have been added in Add new permissions. This option will be enabled if you first save the preliminary authentication settings with Active Directory®.
- Automatically create profile: If Automatically create remote users is enabled and Advanced Configuration AD is disabled, this field makes it possible to assign a profile type to these automatically created users. The profiles by default are: Chief Operator, Group Coordinator, Operator (Read), Operator (Write) and Pandora Administrator. The different available profiles can be consulted in the section Centralised management → User management → Profile management.
- Automatically create profile group: If Automatically create remote users is enabled and Advanced Configuration AD is disabled, this field makes it possible to assign a group to these automatically created users. The different groups available can be consulted in the section Centralised management → Agent management → Group management.
- Automatically create profile tags: If Automatically create remote users is activated and Advanced Configuration AD is deactivated, this field makes it possible to assign a profile to a group with the desired tags. The different groups available can be found in the Centralised management → Component management → Tags management section.
Advanced Permissions AD and Add new permissions details:
- Auto enable node access: New users will be able to connect to the nodes.
- Recursive group search: It allows an iterative search by groups.
- Automatically create blacklist: Allows you to write a comma-separated list of users that will not be created automatically.
- Active Directory server: Here you define the path where the Active Directory® server is located.
- Active Directory port: To define the port number of the Active Directory® server (389 by default).
- Start TLS: Defines whether or not to use the Transport Layer Security (TLS) protocol in communications between the client and the server.
- Domain: Define the domain to be used by Active Directory®. Please note the following numbered indications:
- At the moment the primary groups of a user are not supported by the advanced group configuration in AD Authentication.
- If Advanced Configuration AD is used, put the full path in the Domain field (Domain).
- If the Active Directory® installation is with LDAP, the LDAP path where the server is usually located must be defined here: ldap://addc.mydomain
- Enable secondary active directory: Allows you to activate the connection to a secondary Active Directory server. It has the same fields as the primary server and also allows you to configure a search timeout (AD search timeout), with a default value of 5 seconds.
- In case there is a password change in the users, MS Windows® allows to use by default an old password during 60 minutes in Active Directory®. As it is a MS Windows® configuration, this behaviour is totally alien to Pandora FMS®. If you want to modify it, you can consult the documentation of Microsoft.
- Double authentication: Users can choose whether to enable two-step authentication on their accounts.
LDAP
In order to use this mode, it is necessary to have the openLDAP dependencies installed. Depending on the operating system used, the commands dnf install openldap* or apt install ldap-utils are used.
- Fallback to local authentication: If this option is enabled, a local authentication will be done if LDAP fails. Admin users will always have fallback enabled, to always maintain access to Pandora FMS in case of remote authentication system failure.
- Automatically create remote users: Enables or disables the automatic creation of remote users. This option allows Pandora FMS to create the users automatically once they have logged in using LDAP. If this option is enabled the following numbered options will be enabled:
- Save password: If enabled, LDAP passwords are saved in the local Pandora FMS database.
- Force automatically create profile user: This option makes it possible to assign a profile type to these automatically created users.
- Login user attribute: Allows you to choose whether users will be identified by their name or by their e-mail address.
- LDAP function: When searching LDAP, you can choose whether to use the native PHP function or use the local ldapsearch command. It is recommended to use the local command for environments that have a large LDAP with many items.
Advanced Config LDAP: If the option is enabled, a list of all saved advanced permissions is displayed. You can add new permissions by selecting the profile, groups and tags, next to the attribute filter. If the user meets any of these attributes (e.g. a particular organisational unit or group) then the user will be created.
- If this option is not activated, the simple system for the creation of user profiles is used. (Automatically create profile, Automatically create profile group, Automatically create profile tags, Automatically assigned no hierarchy).
Attributes must have the following format Attribute_Name = Attribute_Value.
- Enable secondary LDAP: If you enable a secondary LDAP server as a backup, respective fields of the primary LDAP server will appear.
- Double authentication: Users will be able to choose whether to enable two-step authentication on their accounts.
Double authentication
This functionality requires the PFMS server and mobile devices to have an accurately synchronised date and time.
It will also be necessary to have the code generator application on a mobile device owned by each user. To find out where and how to download it:
To use this functionality in PFMS an administrator or superadmin user should activate the double authentication in the authentication section of the Pandora FMS Web Console global configuration.
To do this in the Setup → Metasetup → Authentication menu, click on the Double authentication button to activate it and then click on the Update button to save the change.
Users can choose whether to enable two-step authentication on their accounts by accessing the Edit my user option.
You can use the Command Center notification system to inform all users that 2FA is available and how to activate this personal option. To do this in the Reports → Messages menu, click the Create new message button and compose a message to the All group similar to this one:
Force 2FA for all users is enabled
Enabling this option will force all users to use the two-step authentication.
To disable this functionality for a specific user without using the graphical interface, an administrator can use the PFMS CLI.
SAML
For SAML configuration, see this section.
Historical database
Setup → Metasetup → Historical database menu.
Enables the use of the historical database in the Command Center. This functionality allows data older than a configured age to be saved in a database different from the main one, in order to speed up the use of the latter.
To access all the options you must first activate the Enable historical database button. The configuration box (Configure connection target) will appear, which allows you to connect to the future historical database.
All options can be configured despite being disconnected from the historical database. Only when a successful connection has been configured, the data movement will start.
Saving the connection configuration and your user credentials in the future historical database will check these values, resulting in a view similar to the following:
Once the connection is established, and if necessary, it is possible to configure the customized parameters (Customize settings), which are divided into historical general values, general data, events data and SNMP traps data.
Active to historical settings
- Advanced options: Enables the String data days old to keep in active database option which sets the maximum age of string data to keep in the active database. The string data will be available in the active database at the time and days specified here. Older information will be sent to the historical database. The data will be purged from the active database after 7 days (default value).
- Data days old to keep in active database: Value indicating after how many days the data will be transferred to the historical database. Default value: 15 days. Note that the data will be deleted from the active database after 45 days.
- Transference block size (Step): Mechanism for transferring data (similar to a data buffer) to the historical database. The smaller the number of records the less impact on the performance of the main database. Default value 1500 records. See the next item to configure the time period.
- Delay between transferences (seconds): Waiting time, in seconds, between data transfers between the main database and the historical database. Default value: 1.
Historical data settings
- Maximum historical data age (days): Maximum number of days to retain numeric data. Default value: 180.
- Maximum historical string data age (days): Maximum number of days to retain string data. Default value: 180.
- Automatic partition of big tables: To automatically create monthly partitions in IDB files of specific databases (tagente_datos and tagente_datos_string).
Historical events settings
When Enable historical events is activated, the following tokens will be displayed:
- Events days old to keep in active database: Number of days to keep the events in the historical database. Default value: 90 days. Note that from the main database the events are deleted (purged) after 7 days.
- Maximum historical events age (days): Number of days to finally delete the events from the historical database. Default value: 180.
Historical trap settings
Enabling the Enable historical traps option will allow storing the SNMP traps in the historical database:
- Days old to keep in active database: Number of days of seniority to be kept in the active database. Default value: 6 days. Note that in the main database the traps are deleted after 7 days.
- Maximum historical traps age (days): Number of days of antiquity to keep in the historical database. Default value: 180 days.
Log Viewer
Setup → Metasetup → Log Viewer menu.
To activate the Log Viewer interface, first enable the Enable log viewer token in Setup → Metasetup → General setup; saving the changes will activate the corresponding tab.
Then the Activate Log Collector button should be enabled in order to have access to the connection configuration to OpenSearch. In the OpenSearch options and Basic authentication sections, the necessary values should be placed: IP address and port number of the OpenSearch server, whether a secure connection with HTTPS will be used, the default number of logs to visualize and the user credentials.
By activating Index configuration you will have access to the following options:
It is only recommended to change this setting if you have advanced knowledge of OpenSearch. A wrong configuration could destabilize the system.
- Number of shards: The number of primary shards an index should have. The default value is 1. This value can only be set at the time of index creation. It cannot be changed in a closed index.
- Auto expand replicas: Automatically expand the number of replicas according to the number of data nodes in the cluster. You can set a lower and upper limit by delimiting with dashes (default 0-1) or use all for the upper limit (0-all). Note that the auto-expanded number of replicas only takes into account the allocation filtering rules and ignores other allocation rules such as total shards per node. This can lead to the cluster's health changing to YELLOW (warning notification) if the applicable rules prevent all replicas from being allocated.
- Number of replicas: The number of replicas that each primary shard has. The default is 1.
Setting Number of replicas to 0 may result in a temporary loss of availability during node restarts or a permanent loss of data in case of data corruption.
Passwords setup
Setup → Metasetup → Passwords setup menu.
To activate the password policy you should have administrator profile (Pandora administrator) or be superadmin. First the Enable password policy button should be activated to be able to configure the other tokens:
- Min. password size: The password must have a minimum length, by default 4 characters.
- Password expiration: Password expiration, in days. Default 0 days (no expiration).
- Number of failed login attempts: Number of failed attempts before blocking the login. Default value 5 attempts.
- Block user if login fails: If the maximum number of failed attempts is exceeded, the user is blocked for a few minutes (default 5).
- Enable password history and Compare previous password: They work together to prevent a user from using repeated passwords. The first token must be enabled and the second token must be greater than zero (default 3), so that a user's new password will be compared to the 3 previously used by the same user (or the number of times indicated).
- The password must include numbers: The password must have numbers, disabled by default.
- The password must include symbols: The password must have symbols, disabled by default.
- Force password change on first login: Force password change on first login after user creation, disabled by default.
- Apply password policy to admin users: Applies the password policy also to administrator users, enabled by default.
- Exclusion list for passwords: Allows to add a list of passwords explicitly excluded from use in Pandora FMS.
General setup
Setup → Metasetup → General setup menu.
Basic
Language settings
Language settings: Allows you to configure the default language in the Web Console, except for users who choose a particular language for themselves.
Auto login in node
Auto login in node: Available since version 777, it allows you to go from Command Center (Metaconsole) to each of the centralized nodes' Web Consoles and log in automatically.
Time source
Time source: List where you can choose the origin of the date and time to use. It can be the local system (System), which is usually used when the database is in a different system with a different time zone than the Web Console, or the database (Database).
Enforce https
Enforce https: Forces redirection to HTTPS. If it is enabled, you will have to activate the use of Pandora FMS with HTTPS in the web server.
If you have enabled this field and have not configured Apache to use HTTPS, you will not be able to access the Web Console and you will have to disable this option again by accessing the database directly through MySQL and running the following query:
UPDATE tconfig SET `value` = 0 WHERE `token` = 'https';
Attachment directory
Attachment directory: Pandora FMS Console directory, used to host collections, incident attachments and other files. The web server must have write permissions on it and it is located by default in:
/var/www/html/pandora_console/attachment
Remote configuration directory
Remote configuration directory: Path to the directory that stores the remote configuration of the agents, by default located in:
/var/spool/pandora/data_in
Chromium path
Chromium path: Chromium is a special component used to dynamically generate PDF graphics. You must enter the path or PATH where this component is installed. Default value:
/usr/bin/chromium-browser
Server timezone setup
Server timezone setup: Defines the time zone in which the Web Console is located. Unlike the codes and abbreviations of all countries (ISO 3166 standard), the list of time zones has complicated rules (IANA Time Zone Database). For this reason a first list of continents with their countries is included; selecting an option from it updates the second list, where you can choose the exact country or city, and then save the changes with the Update button. Note: the edit icon (change timezone) is of no use.
Public URL
Public URL: A public URL can be stored. It is useful to complete this field when you have a reverse proxy or, for example, with the mod_proxy mode of the Apache web server.
Force use Public URL
Force use Public URL: Forces the use of public URLs. If this field is active, no matter which system is implemented, links and references will always be built based on public_url.
Public URL host exclusions
Public URL host exclusions: Hosts added in this field will ignore the Force use Public URL field.
Customise sections
Customise sections: Allows you to enable and disable sections in Command Center.
Disable custom live view filters
Disable custom live view filters: If in Customise sections the NetFlow® monitoring view has been enabled, it disables the definition of custom filters (filters that are already created can still be used).
Command line snapshot
Command line snapshot: String modules with multiple lines are shown as command output.
API password
API password: Authentication method to access the API of Pandora FMS. It is recommended to use HTTPS to be able to encrypt the communication and keep this token secret.
IP list with API access
IP list with API access: List of IP addresses that will have access to Pandora FMS API (by default 127.0.0.1, only for local access). You can use the asterisk as a wildcard, in such a way that placing * will give access to all IP addresses.
Enable Warp Update
Enable Warp Update: This option allows you to activate Warp Update to update the Command Center.
Collection size
Collection size: This is the maximum size, in bytes (default value one million), for the Collections.
Max. agents to add in policy concurrently
Max. agents to add in policy concurrently: Maximum number of agents allowed to be added concurrently in the policy (adding a high number of agents at the same time can cause performance problems). Default 200.
Warning for synchronization queue
Warning for synchronization queue: If the number of pending items (per node) is greater than this number, a notification will be displayed. Default value: 200.
Enable Agent API
Enable Agent API: Enables access to the Relations rules.
Enable log viewer
Enable log viewer: This option enables the log viewer tab.
Enable console log
Enable console log: Due to the large amount of debugging data generated by this log, it is recommended to keep it disabled, which is the default setting.
If enabled, the file /var/log/php-fpm/error.log is used for logging Web Console events.
If you are using EL8 (Enterprise Linux 8), apart from enabling Enable console log, the file must be modified:
/etc/php-fpm.d/www.conf
and comment with a semicolon the next parameter:
;php_admin_value[error_log] = /var/log/php-fpm/www-error.log
In this way the data will be saved in:
…/pandora_console/log/console.log
Enable audit log
Enable audit log: When activated it also uses the file …/pandora_console/log/audit.log to record the audit.
Enable console report
Enable console report: Allows to enable the Web Console in dedicated mode for the report generation.
Check connection interval
Check connection interval: Time interval (in seconds) to check the connection with the database server. Minimum value 60, default 180.
Keep in process status for new events with extra ID
Keep in process status for new events with extra ID: If any In process event with a specific ID Extra is triggered and a new event with the same ID Extra is received, it will be created as In process instead. New events also inherit the ID Extra of the event.
Max. hours old events comments
Max. hours old events comments: Filter comments in events by elapsed hours. The default value is 8 (integer values). There are other values available for users and only the superadmin will be able to set a custom value, which is independent of the value of this token.
Limit for bulk operations
Limit for bulk operations: Limit of elements that can be modified by massive one-time operations, 500 by default.
Show experimental features
Show experimental features: Advanced features offered for testing prior to final release. Disabled by default.
Number of modules in queue
Number of modules in queue: Sets the maximum number of queued modules (default 500) and if this value is exceeded, a warning icon will be displayed for each item in the server administration.
Consoles setup
Setup → Metasetup → Consoles setup menu.
This section includes registration of new instances.
The first six columns include buttons that allow you to check each of the instances and their corresponding statuses:
- BD.
- API.
- Compatibility.
- Agent cache.
- Sync.
- Database sync.
The last three columns in Manage allow:
- Edit.
- Deactivate.
- Delete.