Monitoring with Policies

Introduction

The policy system is designed to make managing large monitoring environments easier: it propagates Modules, alerts, external alerts, plugins, remote inventories and collections to Agents in a centralized and homogeneous way.

For any changes made to monitoring policies to take effect, the policy must be applied in the corresponding “Queue” section.

More information at "Differences between Templates, Policies and Mass Operations".

Policy Management

Menu Management → Resources → Manage policies.






  • You can quickly access the components of any policy by clicking on the corresponding links.
  • It allows adding pre-configured policies that can be downloaded from Pandora FMS's resource library.
  • The item filter dialog can be accessed with the keyboard shortcut CTRL+f, even if it is hidden by a notification.
  • In the configuration section for each agent (menu Management → Resources → Manage agents → Edit → Manage policy) there is a specific policies tab for each agent. The interface is similar to the monitoring policies and only affects the selected agent. This allows for joint operations by selecting multiple policies at once, and applying or deleting them simultaneously. Agents added this way will also appear in the main section of monitoring policies and can be managed in bulk.

In version 785, a distinction was introduced between a Satellite Agent and an EndPoint for the monitoring of the same device, including their respective remote configurations. For this reason, if Satellite Agents were deployed via monitoring policies, those modules will need to be redefined through the Web Console, using the new forms provided for this purpose.

Policies can be searched from the Pandora FMS search header, both in the Command Center (Metaconsole) and in any of its nodes. Searches in the Command Center return two types of results:

  • Centralized search: The policies shown are those within the Command Center itself.
  • Non-centralized search: The policies displayed are obtained directly from each node, indicating their source.

Add a policy

Menu Management → Configuration → Manage policies → Create.

Enter the name and group and specify whether it will be applied to secondary groups and whether it will be enforced for agents that do not have remote configuration enabled (option Force Apply). Click Create again to save.

By default, all modules created in agents through monitoring policies are linked modules. To create modules in an unlinked manner, the Create policy modules linked token must be disabled. Once these modules have been created, they can be linked or unlinked one by one from each agent's edit page (or they can be linked in bulk from the Linking tab in the policy).

Duplicate a policy

Click on the corresponding icon in the options column:

The policy copy that will be created will be shown as not applied, regardless of the status of the source policy.

Export and import monitoring policies

Delete a policy

A policy can only be deleted when no Agent is associated with it.

If a policy has Agents, the delete button will be disabled and a button will appear to delete all its Agents.

This button will queue Agent deletion. Once processed, the button to delete the policy will be active again.

Policy queue management

In the policy operation queue, there is a summary of the elements that changed since the last time the policy was applied.

This list contains the items pending to be updated and those pending to be deleted. This summary will indicate whether the policy needs to be applied or not. Sometimes a button to apply them will appear next to the pending agents icon.

  • If the pending modifications only affect the database (e.g. changes in alerts), this button will only make changes at that level, so application will be faster.
  • On the other hand, if configuration affecting the configuration files was modified (for example, if collections or local Modules were modified), the application will be complete.
  • Below the summary, on the right side, there is a button to apply all, regardless of the type of pending modifications.

In the node configuration, there is a token called Max. days before policy queue is purged, set by default to 7 days, to clean the database of already applied monitoring policy queues.

Policy configuration

To configure the policy, click on the policy name. Once inside, you may access the different configuration sections through the top right menu.

Within the configuration of a policy, in addition to the setup, the following tabs are available:

  • Agents.
  • Modules.
  • Inventory modules.
  • Alerts.
  • External alerts.
  • Collections.
  • Linking.
  • Queue.
  • Agent Plugins.
  • Agent Wizards.

The possible operations in a policy are:

  • Add/Remove one or more existing Agents to the policy.
  • Create/Edit/Delete a module.
  • Define/Edit/Remove an agent plugin.
  • Create/Edit/Delete an alert.
  • Create/Edit/Delete an external alert.
  • Add/Remove an existing collection.
  • Add/Remove an existing Inventory Module.
  • Link one or more adopted Modules to the policy.
  • Implement the changes made in the policy.
  • The multiple actions that can be taken will not be applied until the policy is implemented.
  • If a policy is applied and elements are modified or deleted, the changes will not be made until the next application.
  • All changes will be reflected in the “Queue” window, the section from which the changes will be applied.

Agents

To add Agents to the policy, use the filtering options in the top section of the window. You may select several Agents at once by using the Ctrl or Shift keys. At the bottom of the window there is a list with all the Agents associated with the policy, including those pending removal from it.

Likewise, the Agents list has a filter by group, substring or its application status.

  • When an Agent is deleted, it will appear with the name highlighted in red and instead of a delete button, it will show a button to undo the deletion and re-associate the Agent to the policy.
  • Remember that adding or removing Agents from the policy will only be effective when the policy is applied in the “Queue” section.

In the case of nodes belonging to a Command Center, their management is centralized there (Centralised management → Policy management menu). The interfaces are similar, with the difference that when filtering by agents, it can be done either by node (list Filter node) and/or by agent name (list Filter agent).

Groups

From PFMS version 760 onwards, if new agents are assigned to any of the groups configured in this option, they will automatically receive the policy settings.

In Apply to, select Groups and then search for and select the required groups. Then add them to the list with Groups in policy. A list of all groups associated with the policy, including those pending removal from the policy, will be displayed at the bottom of the window.

When a group is deleted, it will appear with the name crossed out and, instead of the delete button, a button to undo the deletion and re-associate the group to the policy will appear. The Agents that belonged to the group will also appear crossed out.

Adding or removing groups from the policy will not become effective until “Queue” is applied.

Modules

Menu Management → Resources → Manage policies, click on Modules of a policy.

This menu allows you to configure the Modules to be added to the monitoring policy. To add Modules, first select the type from the drop-down menu and then click the Create button:

Available options:

Modify an already created module

You can modify any of the modules assigned to a monitoring policy. To do so, simply click on the module name to display the configuration options.

If the Policy Module is renamed, the Module name will be updated along with any other fields when the policy is applied.

Once the values have been modified, click on the Update button to save.

If the Policy Module is renamed and an Agent already has a module with the new name, this Module will be adopted and the Module with the old name will be deleted.

Delete a module that has already been created

To remove a Module from the policy and remove it from the Agents' configuration, click on the trash can icon to the right of the Module. When you do this, the Module will remain in the list but with its name crossed out, and the trash can button will become a button to undo the deletion.

If you need to delete multiple modules, you can select each one in the box to the right of the trash can and then click the Delete button.

Create an Endpoint module

Data Server modules are added to the PFMS EndPoints. To work with these modules, agents must have remote configuration enabled.

Select the Endpoint module option, then click the Create button.

You can either fill in the fields in the Basic tab or, if you have previously defined a local component, select it. You can find more information about the description of these fields in the topic Templates and components.

The Data configuration field allows you to enter the code for the Module itself, which will be applied to Agents that subscribe to that policy. This modification will be reflected in the pandora_agent.conf file of the Endpoint itself.

The configuration provided here affects how the Endpoint subscribed to the policy collects information and generates the data XML for the agent. Any data and/or configuration reported by the Endpoint that differs from the data or description is discarded, and the configuration displayed in the Web Console takes precedence over any configuration from the Endpoint.
The information imported for the first time from the XML will fill in the information visible in the Web Console, and after the first import, the system will ignore any updates coming from the Endpoint/XML.

Create a Network ICMP module

These types of ICMP modules are executed by the PFMS Server.

To create an ICMP module, select the Network ICMP module option and click the Create button. We recommend using the two preconfigured options in the Using network component → Network Management list: Host alive to monitor the availability and connectivity of a device and Host latency to measure its access time. If there are modules with the same name in the agent, these will become adopted modules.

For Target IP (address) there are three options:

  1. Auto: It is always updated with the first IP address of the agent to which the policy will be applied.
  2. Force primary key: By default, the module is created with the agent's primary IP address at the time the policy is applied. If the agent's IP address is changed, the old IP address is retained.
  3. Custom: Allows you to assign a specific IP address in the policy. A text box will appear when you select this option.

Create a Network TCP module

These TCP modules are executed by the PFMS Server.

The best options to use are in the network components (from the Using network component list) and are included by default with Pandora FMS. The flexibility of PFMS allows each client to create their own components and use them in their own monitoring policies.

Network components used to create modules using a policy and then modified will not be updated on agents subscribed to that policy.

For Target IP (address) there are three options:

  1. Auto: It is always updated with the first IP address of the agent to which the policy will be applied.
  2. Force primary key: By default, the module is created with the agent's primary IP address at the time the policy is applied. If the agent's IP address is changed, the old IP address is retained.
  3. Custom: Allows you to assign a specific IP address in the policy. A text box will appear when you select this option.

Create a SNMP module

Pandora FMS has some SNMP components preconfigured in the Using network component list, and SNMP monitoring is extensive. That said, it is extremely important to know the OID (Object IDentifier) to use. There is an SNMP explorer (button SNMP Walk) where the credentials and parameters of the device to be monitored will be entered manually in order to obtain the OID values and their responses.

When configuring each policy that will contain an SNMP module, you can quickly configure the query credentials using the “Credential Store” feature. The selection of credentials is only used to import the fields into the form with the stored credential data and only affects the process of creating or editing the module. The credential thus selected is unlinked from the module created by the application of the policy.

For Target IP (address) there are three options:

  1. Auto: It is always updated with the first IP address of the agent to which the policy will be applied.
  2. Force primary key: By default, the module is created with the agent's primary IP address at the time the policy is applied. If the agent's IP address is changed, the old IP address is retained.
  3. Custom: Allows you to assign a specific IP address in the policy. A text box will appear when you select this option.

Create a WMI module

The MS Windows® operating system has countless WMI queries, the most important of which are pre-registered with PFMS and can be selected from the Using network component list. When configuring each policy that will contain an SNMP module, you can quickly configure the query credentials using the “Credential Store” feature.

For Target IP (address) there are three options:

  1. Auto: It is always updated with the first IP address of the agent to which the policy will be applied.
  2. Force primary key: By default, the module is created with the agent's primary IP address at the time the policy is applied. If the agent's IP address is changed, the old IP address is retained.
  3. Custom: Allows you to assign a specific IP address in the policy. A text box will appear when you select this option.

Create a Remote execution module

In the Basic → Command tab, enter the instruction to be executed remotely. Use single quotation marks when necessary. If you need to use double quotation marks, escape them with a backslash (\").

According to the command entered and its response when executed, the appropriate module type must be selected (numeric, Boolean, alphanumeric, incremental data).

The Using network component list includes a large number of components classified by operating system (check if it matches the general purpose of the policy in question) or use (General group).

For Target IP (address) there are three options:

  1. Auto: It is always updated with the first IP address of the agent to which the policy will be applied.
  2. Force primary key: By default, the module is created with the agent's primary IP address at the time the policy is applied. If the agent's IP address is changed, the old IP address is retained.
  3. Custom: Allows you to assign a specific IP address in the policy. A text box will appear when you select this option.

The port number (default 22) must be set to the one used by the device to be monitored. Only custom credentials can be used in the Credential identifier field.

Create a Web module

Select the option Web module → Create. Configure the Module fields and access the Web checks section.

Depending on the type of module chosen, which depends on the corresponding check (field Web Checks), thresholds and even the type of authentication, credentials, etc. must be configured. To save, use the Create button again.

In the case of Web Modules, there are no components.

Create a Prediction module

To create a predictive module, select the option Prediction module → Create.

In the Source module list, you can choose modules from the same policy (except if you choose Service) as the data source for calculating the prediction. In the Module type list, you must choose the module type according to the selection made. For more details, see the topic Artificial Intelligence.

Predictions are made based on numerical data. Please note that some modules, such as web modules, may return text data, in which case no prediction can ever be made.

Create a Plugin module

Select the option Plugin module → Create. Enter the name and choose from two ways to select a plugin:

  • Using the Using network component list, which automatically configures the name and type of module (and the plugin itself).
  • Using the Plugin list, select an item in Module type that corresponds to the selected plugin.

In both cases, you must fill in the specific fields of the chosen plugin (we recommend reading the help section included in PFMS when it is installed) and the thresholds to be monitored for the status change of the future module created by the policy.

Macros are used to configure dynamic parameters, such as an Agent's IP address with _address_, etc.

Once all fields have been filled in, click on the Create button to save the new monitoring policy module.

Create an API module

In this case, there is no network component, so its configuration must be carried out as indicated in the topic API Monitoring.

Inventory modules

Inventory Modules may also be created in a policy by choosing one from the list of those available in the system, an interval and the credentials.

As with the other elements of the monitoring policies, if an inventory module is deleted, it will appear crossed out and, instead of the delete button, a button to undo the action will appear.

More information about adding Remote Inventory Modules can be found at “Inventory Modules”.

Policy module states

When a Module is created from a policy, it is referenced through the policy icon.

Linked modules

These Modules are created in the monitoring policy and when applying the policy they are also created in the Agent. You may link and unlink Modules from the configuration page of the Module itself by clicking on this button.

Unlinked modules

Unlinked Modules are those that belong to a policy but are not affected by changes made to it. They are useful because they allow individual exceptions to be set for Modules belonging to a policy. That way it is possible to customize a Module of a given Agent within a policy without removing it.

Policy changes will be applied only when the Module is re-linked.

Adopted modules

These Modules were created in the policy with the same name as an existing Module in the Agent. When the policy is applied, the data of the existing Module will be used instead of creating a new Module, and it will continue to be managed from the Agent.

  • These types of Modules are not affected by policy changes.
  • When deleting a monitoring policy the adopted Modules are not deleted from the Agents.

Adopted modules linked

An adopted Module can be linked to make use of the definition set in the monitoring policy instead of the local one. That way, the Module is managed from the policy, and any change made there is applied to it.

When an Agent is removed from a policy, the linked Modules are removed, while the adopted Modules and the linked adopted Modules are kept.

Alerts

Add alerts

To add an alert, associate one of the previously defined Alert templates with a Module belonging to the policy, and then click Add to finish.

Modify Alerts

You may add actions, put on standby or deactivate an alert. If you want to change the Module or the template, delete it and create a new alert.

Clear Alerts

To delete the alert from the policy and remove it from the Agents configuration, click on the trash can icon to the right of the alert. When you do so, the alert will remain in the list but with the name crossed out and the trash can button will become a button to undo the deletion.

External Alerts

External Alerts allow linking alerts to Agent Modules that are not in the list of Modules of the monitoring policy. It is very useful to assign alerts only to some Agent Modules and not to all of them.

Add External Alerts

To create an External Alert, fill in the following form:

This feature is available both in the Command Center (Metaconsole) and in the nodes.

Modify External Alerts

The only editing allowed is the addition or deletion of actions from the external alert. For other changes you will have to delete and create again.

Delete External Alerts

To delete the External Alert from the policy and remove it from the Agents' configuration, click on the trash can icon to the right of the External Alert.

The deletion system is the same as for normal alerts; it will not become effective until the policy is applied in “Queue”.

External alerts from multiple policies

One or several modules can have different actions from different monitoring policies.

This feature is also in Command Center (Metaconsole).

Agent plugins

Plugins are added to policies in exactly the same way as they are added to an Agent. You may check the section “Plugins in EndPoints” for more information.

In order for an Agent plugin to be enforced by a policy, the plugin must exist in the specified path within the Agent.

Hardening plugin

One way to configure and enable the Hardening plugin on Unix®/Linux® systems is to modify the relevant monitoring policy, go to the Agent plugins tab, click the Create plugin button and complete the wizard:

This will insert the following code:

module_begin
module_plugin /usr/share/pandora_agent/plugins/pandora_hardening
module_timeout 150
module_absoluteinterval 7d
module_end

Finally, the policy queue must be managed so that each agent receives the necessary code.

It is important to consider whether a specific hardening policy needs to be applied; in that particular case, the file collections feature should also be used.
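
A check that can be run on an agent after the queue has been applied, confirming that the block shown above reached the agent's configuration and that the plugin exists at the configured path. This is an added example, not Pandora FMS code; the '#' comment syntax, the root parameter, the constructed sample text and the file-permission checks are assumptions of the example.

```python
import os
import stat

# Values the wizard inserts, copied from the block shown on this page.
EXPECTED = {
    "module_plugin": "/usr/share/pandora_agent/plugins/pandora_hardening",
    "module_timeout": "150",
    "module_absoluteinterval": "7d",
}
# Constructed sample of an agent configuration, not a real file.
SAMPLE_CONF = """\
# plugin block pushed by the policy
module_begin
module_plugin /usr/share/pandora_agent/plugins/pandora_hardening
module_timeout 150
module_absoluteinterval 7d
module_end
"""


def parse_module_blocks(conf_text):
    """Return one dict of directives per module_begin/module_end block."""
    blocks, current = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        if line == "module_begin":
            if current is not None:
                raise ValueError(f"line {lineno}: nested module_begin")
            current = {}
        elif line == "module_end":
            if current is None:
                raise ValueError(f"line {lineno}: module_end without module_begin")
            blocks.append(current)
            current = None
        elif current is not None:  # directives outside a block are ignored here
            key, value = (line.split(None, 1) + [""])[:2]
            current[key] = value
    if current is not None:
        raise ValueError("unterminated module block at end of file")
    return blocks


def audit_hardening(conf_text, root="/"):
    """Return a list of findings; an empty list means the block is as expected."""
    wanted = EXPECTED["module_plugin"]
    matches = [b for b in parse_module_blocks(conf_text)
               if b.get("module_plugin", "").split()[:1] == [wanted]]
    if not matches:
        return ["hardening plugin block missing"]
    findings = []
    if len(matches) > 1:
        findings.append(f"{len(matches)} hardening blocks found, expected 1")
    for key, value in EXPECTED.items():
        if matches[0].get(key) != value:
            findings.append(f"{key} is {matches[0].get(key)!r}, expected {value!r}")
    # The plugin must exist at the configured path; 'root' (hypothetical
    # parameter) lets the check run against a mounted or extracted file system.
    try:
        mode = os.stat(os.path.join(root, wanted.lstrip("/"))).st_mode
    except FileNotFoundError:
        return findings + [f"plugin not found at {wanted}"]
    if not mode & stat.S_IXUSR:
        findings.append("plugin is not executable by its owner")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):  # added check, not from the page
        findings.append("plugin is writable by group or others")
    return findings
```

Pass the text of the agent's configuration file to audit_hardening; a non-empty result lists what differs from the block the policy is meant to deliver.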

File Integrity Monitoring

For EndPoints version 784 or later.

Complementing SIEM monitoring is the File Integrity Monitoring (FIM) applied to policies, which allows you to monitor the integrity of each important file according to each operating system.

File collections

File collections are resources used to massively deploy scripts or plugins for later use in EndPoints, Agent Monitoring Policies and Satellite servers.

When editing a monitoring policy and clicking on the Collections tab, a list of available collections will be displayed. Collections may be added or removed there; the changes take effect once the Queue is applied.

Module log collection

Before using the Module log collection wizard, you must have previously configured log collection. If you add Windows event channel modules, you must ensure that the monitoring policy is intended for MS Windows® EndPoints.

Policy management from Command Center

It is possible to manage policies from the Command Center (Metaconsole). The process consists of distributing the information to all the nodes so that each one of the servers is in charge of applying them. This information distribution is complex, since it is important that all nodes have the same data as the Command Center.
