Console Management and Administration
Pandora FMS Management
Introduction
This chapter deals with several aspects of Pandora FMS daily management such as: group administration, user creation, backups, workspace, etc.
Profiles, users, groups and ACL
Pandora FMS is a Web management tool. Thanks to its 100% multitenant permission system, multiple users can work with different permissions accessing Pandora FMS setup without seeing each other's information.
To add users, it is important to have groups and profiles properly defined, and know exactly which data you want each user to see and/or modify.
Users in Pandora FMS
Users are managed from Profiles → Manage users:
By default, you may see the list of defined users:
User definition consists of the following fields:
- User ID: Identifier that the user will use to authenticate themselves in the application. This identifier is a value that should not have special characters or spaces.
- Full Display Name: Field where you enter the full name. It is a descriptive field and can contain spaces and non-standard characters.
- Password: Password that the user will have to access. Enter it again in the Password confirmation field.
- Administrator user: An Administrator user (superadmin) will not be governed by the internal ACL system and will have access to everything. The standard user will be ruled by Pandora FMS ACL permissions assigned to it.
- Extra info: Optional fields where you may add extra user information, like the email or phone number.
- Login Error: If this field is checked, the user will only be able to access the API but not in an interactive way through the console.
- Local user: To perform user authentication against your own database. PFMS also supports other authentication methods.
- Session time:
  - This setting is used when a user is logged in to PFMS and then closes the web browser. If a user is using PFMS Console, that user will never be logged out by PFMS.
  - The default value is 0 minutes and when this value is established for a user, Pandora FMS will use the value saved in the General Configuration, authentication section.
  - If you set the value to -1, the web browser containing a user's open session will resume that session regardless of the amount of time the web browser was closed.
- Language: By default, it is the system language. You may also assign a specific language in which the user will see Pandora FMS console.
- Block size for pagination: Default pagination size for this user.
- Skin: Field where you may choose a custom theme (ensemble of colors and styles for Pandora FMS console).
- Home screen: Change the default screen the user enters after logging in to the console, for example, the event viewer, or a visual console defined by the administrator.
- Default event filter: It allows to define the default filter that the user will have when entering the event view. Later you may change it, but this will be the one applied “by default”.
- Timezone: Field where to enter the console's timezone to see different elements (general agent view, module view…).
- Comments: Additional information to the fields defined above.
- Login allowed IP list: Enabling this option will limit the login to a comma-separated list of IP addresses (and/or ranges). To connect from any IP address use the wildcard * (asterisk).
- eHorus user access enabled: This option only appears if it is enabled in its corresponding configuration section, see “Remote equipment management”.
- Profiles/Groups assigned to this user: Selection of profiles and/or groups the user will be classified into or have access to.
User Edition by the User itself
All users can modify certain parameters of their own settings in Workspace → Edit my User.
The user creation form will appear, where you may configure some sections, except for group permissions.
Notification setup
To customize logged-in user’s notifications, the administrator must have previously granted him notification edition permissions. In case of having said permissions, as well as all options activated, notifications and their forwarding by email can be enabled/disabled.
Notifications allow to see warning messages related to the following sections on screen:
- System status.
  - NOTIF.LICENSE.LIMITED: Device-amount-limited license notice.
  - NOTIF.FILES.ATTACHMENT: Too many files attached warning.
  - NOTIF.FILES.DATAIN: .data file alert in data_in directory accumulated (more than 1000 files).
  - NOTIF.FILES.DATAIN.BADXML: .xml file alert poorly structured in data_in directory accumulated (more than 150 files).
  - NOTIF.PHP.SAFE_MODE: Warning when PHP safe mode is enabled (some features may not work properly).
  - NOTIF.PHP.INPUT_TIME: Warning when value in PHP configuration for input time is not recommended.
  - NOTIF.PHP.EXECUTION_TIME: Warning when value in PHP configuration for execution time is not recommended.
  - NOTIF.PHP.UPLOAD_MAX_FILESIZE: Warning when value in PHP configuration for file size is not recommended.
  - NOTIF.PHP.MEMORY_LIMIT: Warning when value in PHP configuration for memory limit is not recommended.
  - NOTIF.PHP.DISABLE_FUNCTIONS: The variable disable_functions contains functions system() or exec() in PHP configuration file (php.ini).
  - NOTIF.PHP.PHANTOMJS: (For NG 767 and earlier versions) Warning if PhantomJS is not installed.
  - NOTIF.PHP.VERSION: For a correct operation of PandoraFMS, PHP must be updated to version 7.0 or higher.
  - NOTIF.HISTORYDB: Notify whether the history database is being used.
  - NOTIF.PANDORADB: Check whether pandora_db is running on the main database.
  - NOTIF.PANDORADB.HISTORICAL: Check whether pandora_db is running on the history database.
  - NOTIF.HISTORYDB.MR: History database update status (MR correct).
  - NOTIF.EXT.ELASTICSEARCH: Check whether Elasticsearch is being executed.
  - NOTIF.EXT.LOGSTASH: Deprecated token.
  - NOTIF.METACONSOLE.DB_CONNECTION: Metaconsole synchronisation errors.
  - NOTIF.DOWNTIME: Status warning, component down or non-initiated > Any of the Pandora FMS server with status =1 and keepalive - now() and greater than server_keepalive * 2.
  - NOTIF.UPDATEMANAGER.REGISTRATION: Notice if you are not registered in the update manager.
  - NOTIF.MISC.EVENTSTORMPROTECTION: Event cascade usage warning.
  - NOTIF.MISC.DEVELOPBYPASS: Warning in development mode (show all notices and errors in the console and register them).
  - NOTIF.MISC.FONTPATH: Check whether the fontpath (path to the font directory) exists.
  - NOTIF.SECURITY.DEFAULT_PASSWORD: Default password change notice.
  - NOTIF.UPDATEMANAGER.OPENSETUP: It checks whether there are new updates.
  - NOTIF.UPDATEMANAGER.UPDATE: Higher Pandora FMS update notice.
  - NOTIF.UPDATEMANAGER.MINOR: Pandora FMS minor update notice.
  - NOTIF.UPDATEMANAGER.MESSAGES: Several messages of the update manager.
  - NOTIF.CRON.CONFIGURED: Warning if the cron task programmer is active.
  - NOTIF.ALLOWOVERRIDE.MESSAGE: AllowOverride is disabled. You can use AllowOverride instruction in Apache web server to override PHP settings, create URL rewrites, etc.
  - NOTIF.HAMASTER.MESSAGER: Notice of not having any server in master mode in High Availability mode.
  - NOTIF.SERVER.STATUS: Pandora FMS server status notice.
  - NOTIF.SERVER.QUEUE: Overall module queuing (increasing) by server.
  - NOTIF.SERVER.MASTER: Notice of not having any server in master mode.
- Message:
  - Messages received by the user yet to be read.
- Pending tasks:
  - Policies yet to be applied.
  - Queued policies running/complete, and acknowledged once completed.
  - Collections of files to synchronize.
  - Defined server plugins whose executable does not exist.
- Metaconsole:
  - Pending synchronization tasks.
  - Completed synchronization tasks.
  - Pending notifications by node.
  - Policy queue status.
- Advertisement.
  - Enterprise version not installed reminder.
  - Do you know our Enterprise version?
  - Do you know the module library?
  - Discover eHorus.
  - Discover Integria IMS.
- Official communications.
  - Update notifications.
  - Messages generated from Ártica ST headquarters (update to PHP 8, chromium, etc.).
- Suggestions.
  - Did you know Pandora FMS can be integrated with Telegram?
  - Did you know alerts can be scaled?
  - Monitor your complete applications using services.
The options found in notification setup are these:
- Notified users: Users that will receive the activated notifications.
- Notified groups: Groups that will receive the activated notifications.
Groups in Pandora FMS
Introduction
The concept of group in Pandora FMS is fundamental. The groups are sets of elements with their own rules whose purpose is to help to control user access to certain elements inside Pandora FMS.
It is important to know that an agent can only belong to one group, but that a user can have access to one or several of these groups.
When configuring the groups, it will be necessary to take into account that the group All is a special group that cannot be eliminated, and all the groups are its subgroups. Any element that is associated to the All group can be seen/administered by a user that has permissions in any group.
Group all
Pandora FMS has a group system: groups are entities into which agents are classified and which are used to grant permissions. That way users are granted some permissions assigned to one or several groups, and thus they will be able to interact with agents and other elements in their context.
To make group assigning and filtering easier, there is a tool called group All. Group All, depending on the context, means ALL groups or ANY of them. From version 3.1 its exclusive identifier is ID 0. But it is totally controlled by the code, there is no group with that ID in the DB.
Group creation
Groups are defined in section Profiles → Manage agent groups.
By clicking on the previous menu, it will show predefined groups and/or user-created groups:
When creating a group (Create group) or modifying it (wrench icon in the Actions column), the following form appears:
These are the relevant user fields:
- Name: Group name. This group can be used in the automatic agent provisioning, so it is not recommended that it contains spaces or rare characters (although it is supported).
- Icon: Combo where the icon for the group can be chosen.
- Parent: Combo where another group can be defined as the parent of the group being created.
- Password: Optional. It allows restricting automatic agent creation (automatic software or Satellite agent provision) so that only agents with the same password as the one defined in this field can be created.
- Alerts: If checked, the agents belonging to the group will be able to send alerts. You may use this feature to quickly disable alert generation for a certain group of agents.
- Propagate ACL: If enabled, child groups will have the same ACL permissions as the group.
- Custom ID: Groups have an ID in the database. In this field it is possible to set another custom ID that can be used from an external program to perform an integration (e.g. CMDBs).
- Contact: Contact information accessible through the _group_contact_ macro.
- Skin: A skin can be assigned to the group.
Version NG 754 or later.
You may limit the amount of Agents in each group by means of the Max agents allowed fields. Default value zero (limitless).
Also, by means of Pandora FMS API, when creating a group or editing a group, you may set the maximum number of agents in a group if necessary.
Importing groups from CSV
The extension allows you to import a file with records that define groups into Pandora FMS server. The fields are separated by commas (,) or by any other character that you choose from the Separator list.
Access the extension from Admin tools > Extensions manager > CSV import group.
The file to be imported is chosen clicking Browse…, select the separator character and click Go.
The CSV file must contain the following fields in the following order: Group name, icon, parent id and propagation (1 or 0).
Profiles in Pandora FMS
Profiles are managed from Profiles → Profile management.
Pandora FMS profiles allow to define which permissions a user is granted. The combination of profiles and a group associated to a user allows to define which permissions a user has on a group of agents, so that he can have different profiles in different groups.
List of profiles
This list defines what each profile enables:
BIT ACCESS | OPERATION |
---|---|
IR | - See incidents |
IW | - Validate traps - Messages |
IM | - Manage incidents - View agent data (all views) - Tactical view - Group view - See users - See SNMP console - Tree view - Extension Module Group - Search bar |
AR | - See agents |
AW | - Agent management view - Edit agent and its .conf - Massive operations - Create agent - Duplicate remote configuration - Policy management |
AD | - Management of service stops - Deactivate agent/module/alert |
LW | - Alert assignment already created - Alert management |
LM | - Define and modify templates. - Define and modify actions. |
UM | - User management |
DM | - Database Maintenance |
ER | - See event |
EW | - Validate/Comment event - Manage filters - Execute responses |
EM | - Delete event - Change owner/Re-open event |
RR | - View report, graph, etc - Apply a report template |
RW | - Create a visual console - Create report - Create combined Graph |
RM | - Create a report template |
MR | - Network map view |
MW | - Editing network maps - Deleting own network maps |
MM | - Deletion of any network map |
VR | - Visual console view |
VW | - Visual console edition - Deletion of own visual consoles - Deletion of any visual console |
VM | - Visual console management |
PM | - Manage responses - Customize event columns - Update manager (Operation and Administration) - Manage groups - Create inventory modules - Manage modules (including all sub-options) - Manage SNMP console - Manage profiles - Manage servers - System audit (edit and view) - Setup (all lower tabs incl) - Administration extensions - Define and modify commands. |
PERMITS COMBINATION | |
EW & IW | - Create incidence through the event (Response) |
LM & AR / AW & LW | - Validate alerts |
In addition, Pandora FMS NCM server (Network Config Management) has its own access bits.
Permission granting
From user editing, you may grant a user access to a group with a certain profile:
If you do not assign any group or profile to the user, said user will not be able to log into Pandora FMS server:
Profiles and group assignment with user management permissions (UM).
From Pandora FMS version 748 on, an improvement in user, permission and group management is enabled.
Several possible scenarios have been taken into account, which we will now explain:
- A manager user with UM permissions that belongs to the group ALL will be able to manage any user regardless of the group he belongs to.
- Accesses to groups can be added before creating a user as such.
- A manager user can edit profiles and groups only on the users he can see because they belong to the groups he manages with UM permissions.
- An administrator user can create other administrator users and can manage any other user, but in no case a “manager” user with UM permissions can withdraw UM permissions from another user who has the same permissions on the same group. This can only be modified by an administrator.
- A manager user without UM permissions on a group can not see which users belong to that group.
- A manager user can delete the list of users and groups he manages and even the whole user if this one is only related to the groups he manages.
If the last profile/group relationship of a user is deleted and the user is deleted, Pandora FMS shows a warning.
- A manager user that has UM permissions in a group and not in another one, can only see the profile/group information of the groups that he manages, even if the user has more permissions on other groups. The rest of the user's information will be unrelated to the manager user. That way the manager user will only be able to obtain information or modify the permissions on the groups he manages, but will not be able to remove more permissions or delete the user.
Permission system extended by tags
In the Enterprise version, individual access to the modules of an agent can be configured by a Tag system. Some tags are configured in the system, they are assigned to the modules you wish, and additionally, access may be restricted to a user only to the modules that have those tags defined.
Tags are defined in Profiles → Module Tags.
Access by Tags does not replace access by groups, it only complements it.
In module configuration, one or more tags can (optionally) be assigned:
You may assign specific access to a tag through the user editor, in profile and group assigning, by adding a tag:
In this example, the user has access with the Chief Operator profile and the group Applications and also the Operator (read) and group Network but only to modules labeled with the “network_usage” tag.
This system, which is called Tag-based security mode allows restricting access to all agent content, but it has performance impact, so it is designed exclusively to give access to small portions of information, that is, it should not be used with more than two or three tags per user/profile/group combination.
In some global views (tactical view, group view, general tree counts) the totals show all the modules, not just the ones “visible” by the tag.
Hierarchy
In previous sections, we explained that the permissions of a group can be extended to the children by means of the configuration option Propagate ACL. However, from user configuration, you may limit this feature and prevent the ACL from propagating by checking No hierarchy.
As a reference for the examples, here we propose a configuration with the two parent groups Applications and Databases.
Each of these two groups has two children each, Development_Apps and Management_Apps for the first one and Databases_America and Databases_Asia for the second one.
Both parent groups are set for ACL to be spread.
In the user edit view, the following profiles are added:
The user will have access to the groups named Applications, Development_Apps, Management_Apps and Databases.
However, if a child of Databases is added:
The user will have access to the groups named Applications, Development_Apps, Management_Apps, Databases and Databases_Asia, but not to Databases_America.
Secondary groups
From update package 721 agents may have secondary groups.
Unlike the primary group, these secondary groups are optional.
An agent belonging to a secondary group means that it actually belongs to several groups at the same time. With this feature, two users with different permissions may have access to the same agent by just adding the appropriate secondary groups.
For example, if an agent called Portal has Infrastructures as main group and Hosting as secondary group, any user that has access to Infrastructures and/or Hosting may access it.
Some views, such as Tree View, may show repeated agents. That is the expected behavior when using secondary groups.
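The resolution described in the Hierarchy and Secondary groups sections can be modelled as follows. This is an added example, not Pandora FMS code. It assumes that the profile assignments in the example give Applications with propagation and Databases with No hierarchy checked, that propagation continues only through groups that have Propagate ACL enabled, and it uses "Operator (read)" as a placeholder profile name.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Group:
    name: str
    parent: Optional[str] = None
    propagate_acl: bool = False  # "Propagate ACL" in the group form


@dataclass(frozen=True)
class Assignment:
    profile: str
    group: str
    no_hierarchy: bool = False  # "No hierarchy" in the user editor


# Group tree from the Hierarchy example; both parents propagate their ACL.
GROUPS: Dict[str, Group] = {g.name: g for g in [
    Group("Applications", propagate_acl=True),
    Group("Development_Apps", parent="Applications"),
    Group("Management_Apps", parent="Applications"),
    Group("Databases", propagate_acl=True),
    Group("Databases_America", parent="Databases"),
    Group("Databases_Asia", parent="Databases"),
    # Groups from the secondary-group example.
    Group("Infrastructures"),
    Group("Hosting"),
]}


def effective_groups(groups: Dict[str, Group],
                     assignments: Iterable[Assignment]) -> Dict[str, Set[str]]:
    """Map every group the user can reach to the profiles held there."""
    reach: Dict[str, Set[str]] = {}
    for a in assignments:
        if a.group not in groups:
            raise ValueError(f"unknown group in assignment: {a.group}")
        pending: List[str] = [a.group]
        seen: Set[str] = set()
        while pending:
            name = pending.pop()
            if name in seen:  # guards against a parent loop in the data
                continue
            seen.add(name)
            reach.setdefault(name, set()).add(a.profile)
            # Descend only if this group propagates its ACL and the
            # assignment was not pinned with "No hierarchy" (assumption:
            # grandchildren require the child to propagate as well).
            if groups[name].propagate_acl and not a.no_hierarchy:
                pending.extend(g.name for g in groups.values()
                               if g.parent == name)
    return reach


def can_access_agent(reach: Dict[str, Set[str]], primary: str,
                     secondary: Iterable[str] = ()) -> bool:
    """An agent is reachable through its primary or any secondary group."""
    return primary in reach or any(g in reach for g in secondary)


# Assignments assumed for the two steps of the Hierarchy example.
BASE = [
    Assignment("Operator (read)", "Applications"),
    Assignment("Operator (read)", "Databases", no_hierarchy=True),
]
WITH_ASIA = BASE + [Assignment("Operator (read)", "Databases_Asia")]

if __name__ == "__main__":
    for label, assignments in (("base", BASE), ("plus Databases_Asia", WITH_ASIA)):
        print(label, sorted(effective_groups(GROUPS, assignments)))
    hosting_only = effective_groups(
        GROUPS, [Assignment("Operator (read)", "Hosting")])
    # Agent Portal: primary group Infrastructures, secondary group Hosting.
    print("Portal visible to Hosting user:",
          can_access_agent(hosting_only, "Infrastructures", ["Hosting"]))
```

Running the same function over every user's assignments gives a flat list of reachable groups that can be reviewed before enabling Propagate ACL on a parent group.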
ACL Enterprise System
Introduction
The ACL Open Source model is based on unix style role/action/group/user (4 items).
The ACL Enterprise system allows you to define -according to profile- which pages (defined one by one or by “groups”) users have access to. This will allow you to redefine which sections of the interface a user can see. For example, to allow a user to see only the Group view and the Detailed agent view, skipping pages such as Alert view or Monitor view, already grouped in the classic Pandora FMS ACL system as “AR” (Agent Read Privileges).
This feature allows you to restrict the administration per page. It is very useful to allow some specific low-level operations.
Both models are parallel and compatible. The classic ACL system is complementary and it is evaluated prior to the ACL Enterprise system.
Configuration
In order to be able to use the Enterprise ACL system, the first step is to activate it in the configuration tab. This option is only visible if you use the Enterprise version.
To configure the Enterprise ACL system, go to the specific option for ACL Enterprise in Profiles > Enterprise ACL Setup. On this screen you may add new items in the new ACL System and see the items defined by profile. You can also delete items from the Enterprise ACL system.
If the Enterprise ACL system is enabled, it restricts ALL pages to ALL groups (including the Administrator!) to all defined (allowed) pages in the Enterprise ACL system. If a user with the Administrator profile does not have pages included in the Enterprise ACL system, they will not be able to see anything.
Please, be careful with this, because you may lose access to the console if you enable improper ACL Enterprise configuration for your user.
If you have accidentally lost access to the console, you may disable the Enterprise ACL system from the command line:
/usr/share/pandora_server/util/pandora_manage.pl /etc/pandora_server.conf --disable_eacl
How it works
You may define “page by page”, “complete sections”, set “any” rule or add “custom pages” that are not accessible from the menu.
There are two ways to add pages to a profile: with the wizard (default) or with custom edit. Above the button to add a rule, there is a button to change this mode.
Wizard
In the wizard choose the sections and pages of some combo controls.
The pages that appear in these combos are only those accessible from the menu. To give access to pages that can be accessed in another way (e. g. the agent main view) use the custom editor.
To include a Pandora FMS page in the “allowed pages”, you must select the profile to which the rule will be applied, then select in Section control the section that contains the desired page. Right then you may select any of the pages from control Section 2 and the same goes for Section 3.
Another option is to select a section and the value All in the Page control. This will allow the chosen profile to see “everything” from the selected section. Also by selecting All in both controls, users of that profile will be allowed to view “all” of “all” sections, just as it would be without the Enterprise ACL System for that profile.
For a section in the menu to be displayed, the user must have access to at least the first page of the section.
Custom editing
To add individual pages that are not accessible from the menu, you may manually enter your sec2. To that end, access the page you wish to add and copy the parameter Section 2.
For example, if you wish to add the main view of the agents, enter the view of any agent and find a URL similar to this one:
http://localhost/pandora/index.php?sec=estado&sec2=operation/agentes/ver_agente&id_agente=7702
Enter the contents of parameter sec2 (operation/agentes/ver_agente) in the text box Section 2.
Security
Any page that is not “allowed” will not be displayed in the menu, and its use will not be allowed, even when the user enters the URL in “manual” mode.
Any page that isn't allowed by the “Classic” Pandora FMS ACL system will not be allowed by the Enterprise ACL system (this is valid for the classic ACL system). This would be a specific example of several filters:
In addition, there is a control that checks whether a page belongs to a section, which reinforces security against manual URL modifications. This check will be skipped for pages added with the custom editor, as well as for access to each page belonging to a full section whose access is granted, thus optimizing the load.
You may check at any time the pages allowed for each profile by means of Filter by profile and then clicking Filter:
For users to have access to change their own user data, they must be granted access to Profile | Configure user | All .
Data and permissions display in reports, visual consoles and other shared elements
Groups and profiles are conceived for a user to have different roles in a Pandora FMS implementation. The basic elements of monitoring as agents and modules are governed by these basic rules of group/profile, taking into account how they are extended with the use of secondary groups and tag permissions.
Other elements of Pandora FMS such as reports, visual consoles, network maps and dashboards work as containers. If a user with visibility into all managed data creates a report and assigns it to a general group, users with access to that group will be able to view the report and all of its contents, even if they do not have permission to access the individual elements of the report.
The report, visual console, network map and dashboard work as information containers. Access control applies to the container, but not to its content.
Example
Suppose we have four groups: Client A, Client B, Internal Infrastructure and Global.
The administrator creates a visual console that contains internal infrastructure elements and specific elements of Client A and Client B. This visual console is associated with the Global group.
- Client A has report writing access in Client A and report reading access in Global. Client A will be able to view that visual console and all its contents, even though it contains elements of client B and the Internal Infrastructure group that the administrator added when creating the visual console.
- Client B will be able to see exactly the same console as client A, since it has permissions to read reports from the Global group.
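The following audit sketch, added here as an example and not part of Pandora FMS, lists which users can open a container whose contents come from groups they cannot otherwise read. The user names, container names and the AR grants are constructed; the RW/RR grants and the group layout follow the example above, and the handling of the All group follows the rule stated in the Groups section.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ALL = "All"  # special group: visible to a user with permissions in any group


@dataclass(frozen=True)
class Container:
    name: str
    kind: str                       # report, visual console, network map, dashboard
    group: str                      # group the container is assigned to
    element_groups: FrozenSet[str]  # groups of the agents/modules it embeds


# Constructed sample data: user -> group -> access bits.
USERS: Dict[str, Dict[str, Set[str]]] = {
    "client_a": {"Client A": {"AR", "RW"}, "Global": {"RR"}},
    "client_b": {"Client B": {"AR"}, "Global": {"RR"}},
    "noc": {"Internal Infrastructure": {"AR", "RR"}},
}

CONTAINERS: List[Container] = [
    # The visual console from the example, associated with Global.
    Container("Customer overview", "visual console", "Global",
              frozenset({"Client A", "Client B", "Internal Infrastructure"})),
    # Constructed: a report assigned to the All group.
    Container("SLA summary", "report", ALL,
              frozenset({"Internal Infrastructure"})),
]


def can_open(grants: Dict[str, Set[str]], container: Container,
             read_bit: str) -> bool:
    """Container access is decided on the container's group only."""
    if container.group == ALL:
        return any(read_bit in bits for bits in grants.values())
    return (read_bit in grants.get(container.group, set())
            or read_bit in grants.get(ALL, set()))


def exposures(containers: List[Container],
              users: Dict[str, Dict[str, Set[str]]],
              read_bit: str = "RR",
              data_bit: str = "AR") -> List[Tuple[str, str, List[str]]]:
    """Return (user, container, groups seen only through the container)."""
    findings = []
    for c in containers:
        for user, grants in sorted(users.items()):
            if not can_open(grants, c, read_bit):
                continue
            if data_bit in grants.get(ALL, set()):
                continue  # user already reads data in every group
            own = {g for g, bits in grants.items() if data_bit in bits}
            extra = sorted(c.element_groups - own)
            if extra:
                findings.append((user, c.name, extra))
    return findings


if __name__ == "__main__":
    for user, container, groups in exposures(CONTAINERS, USERS):
        print(f"{user} reads {', '.join(groups)} through '{container}'")
```

The example uses the report read bit for the visual console, as the text above does; pass a different `read_bit` to audit containers governed by another access bit.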
Exceptions to this feature
There are some exceptions to this general feature, specifically in some dashboard widgets such as the tree view or in the dashboard event control, since that particular widget allows interaction with data (to validate events) or in independent elements of the visual console where you may restrict console element display for a certain group.
It should be noted that the purpose of such elements, when given access in read mode, is to access data that otherwise could not be viewed by that user. The user may have read and write access, in such a case, when you edit one of those containers, you can only add elements to which you have access and you can delete elements to which you do not have access, but you cannot add them again.
Servers
The detailed view of the servers is used to find out, besides the general status of Pandora FMS servers, their load level and delay. Go to the Servers menu and click Manage servers:
- Name: Server name, usually the hostname of the machine.
- Status: (green = active, grey = stopped or down).
- Type: Server type (data server, network server, etc.).
- Version: It shows Pandora FMS server versions
- Modules: The number of modules of that type executed by the server regarding the total number of modules of this type.
- Lag: Highest amount of time spent by the oldest module waiting to receive data / Nº of modules out of their lifetime. This indicator is useful to know whether you have many modules and to know if the server is at load capacity limit. Delayed modules shows the amount of modules that did not report to the server.
- T/Q (Current threads/queued modules currently): Total number of current active threads in each server. Number of total modules in queue waiting to be attended. These parameters reflect excessive load status. There should almost never be queued modules. This reflects the server's inability to process the data.
- Updated: Each server has a Keepalive that updates its status, to make sure it is active and updating its statistics.
- Op.: Operations available, icon column.
Some icons have special relevance:
- Poll request: It asks the remote test server to run all the checks it has, forcing it to run them again. Valid for all network servers, e. g. Network server, WMI server, Plugin server, WEB server, etc.
- Edit: To change the IP address and server description.
- Delete: To delete the server.
- Manage Discovery tasks: Manage discovery tasks. Valid for Discovery servers.
- Edit remote configuration: Edit the server's remote configuration. Valid for Pandora FMS servers or Satellite servers.
To enable remote configuration you will need to change the remote_config token to 1 and then restart PFMS server. By clicking on the Remote configuration icon you will be able to edit a PFMS server or a PFMS Satellite server. The GUI remote configuration has three sections:
- Server features: Where you may enable or disable each of the servers you have according to the type of license you purchased.
- Optimization settings: To fine-tune each server according to its features.
- Other server settings: To set up automated tasks.
Consoles
NG 770 version or later
To balance the load in the execution of console tasks in Discovery server, you may declare and add consoles in the config.php section.
Credential store
Pandora FMS features a credential store. This repository manages the IDs used in sections such as Discovery Cloud or agent automatic deployment. Go to the menu and choose Profiles → Manage agent groups.
Next, the Credential store tab is displayed.
Pandora FMS allows the encryption of passwords to be stored in the database. For more information visit Password Encryption.
To add a new entry, press Add key and fill out the pop-up form.
There are seven different login information types to register:
- Amazon Web Services® (AWS®) login information.
- Microsoft Azure® login information.
- Custom login information.
- Google® login information.
- SAP® login information.
- WMI type login information.
- SNMP type (v1, v2, v2.c and v3) login information.
The group assigned to the password controls its visibility. That means that if the password 'test' is assigned to the group named All, all Pandora FMS console users will be able to see said password. A user can only assign a group to which the user creating the credential belongs, unless that user explicitly belongs to the ALL group.
In a similar way, if 'test' is allocated to the group named Applications, only users with permissions on Applications will have access to the password.
Once added, it can be checked, filtered etc.
Within password customization, the only thing that cannot be modified is the type of login information (Product):
Scheduled downtimes
Introduction
Pandora FMS has a small scheduled downtime management system (►Tools → Scheduled downtime).
This system allows you to disable alerts at intervals when there is a downtime, disabling the agent.
When an agent is disabled it does not collect information either, so that in a downtime, for most metrics or report types, the intervals where there is a downtime are not taken into account in the reports because there is no data in the agents during those intervals.
Create a scheduled downtime
To create a downtime, go to the ►Tools → Scheduled downtime menu:
Next click Create to add a new scheduled downtime:
- Name: Name of the scheduled downtime.
- Group: The group you want it to belong to. User can only assign a group to which the user creating the scheduled downtime belongs, unless that user explicitly belongs to the ALL group. The agents and modules to be selected for the new scheduled downtime will be added after creating it.
- Type: You may set the following types of downtimes:
- Quiet: Check as “quiet” the indicated modules, so they will not generate alerts nor events.
- Disable only agents: It disables the selected agents. It is important to know that if an agent is manually disabled before the task is launched, it will become enabled once this task is completed.
- Disable Alerts: It disables alerts of selected agents. It is important to know that if an agent is manually disabled before launching the task, it will switch to enabled once the task is finished.
- Disable modules: It disables the selected modules.
Remember that the Quiet mode and Disable modules are applied to modules, while Disable only alerts and Disable Agents are applied to Agents, which in turn affects each and every one of the corresponding modules.
- Execution: Lets you configure whether it runs once or periodically (Monthly or Weekly).
- Set time: The day and time at which the scheduled downtime will start and end, either once or periodically.
If the Pandora FMS administrator enables it in the visual configuration section, it is possible to create scheduled downtimes on a past date. They will not be executed, but their existence will be reflected in different reports. This is particularly relevant since it affects, among others, availability reports and SLAs.
To save, click Add, and then add the agents and modules affected by the scheduled downtime:
Through Group filter, select a group, and the available agents will be displayed in Available agents. Select one or several of them and the modules will be updated in Available modules. You may also select all with the option Any. You may also see the modules common to the selected agents with Show common modules, or see all modules with Show all modules, and then carry out a new module selection. Finally, click Update to update the scheduled downtime you just created.
Once the scheduled downtime modules are added, you may modify, delete or add modules (those available according to the selected filter).
When a scheduled downtime is “active” (Running), it cannot be modified or deleted, but from version 5.0 onwards there is an option where you may stop the execution in Stop downtime.
This option does not support periodic scheduled downtimes.
Notice that each scheduled downtime shows the amount of affected agents in brackets next to its name.
Alternatives to service console downtime management
There are often certain “cyclical” situations to be taken into account and the method of downtime management is too specific: for example, you may want to be able to deactivate all agents quickly and on time or to plan a general downtime every week from time to time. For this type of operation, there are ways to do it from the command line.
There is a faster way to set all agents in service mode: use the Pandora FMS management CLI, pandora_manage.pl, from the command line:
./pandora_manage.pl /etc/pandora/pandora_server.conf --enable_group 1
Pandora FMS Manage tool 3.1 PS100519 Copyright (c) 2010 Artica ST
This program is Free Software, licensed under the terms of GPL License v2
You can download latest versions and documentation at http://www.pandorafms.org
[*] Pandora FMS Enterprise module loaded.
[INFO] Enabling group 1
To disable them:
./pandora_manage.pl /etc/pandora/pandora_server.conf --disable_group 1
Audit Log
Pandora FMS keeps a log of all changes and important actions taken in Pandora FMS console. This log can be seen in Admin tools > System Audit Log.
On this screen, you may see a series of entries related to console activity, user information, action type, date and a brief description of the events recorded.
In the upper left corner, you may filter which entries are displayed by different criteria, including action, user and IP. You may also perform a text search and set the maximum number of hours to search back.
The available filtering fields:
- Action: The different possible filtering actions.
- User: Search by user.
- Free text for search: It will search in the fields User, Action and Comments.
- Max. Hours old: Number of hours back for which to display events.
- IP: Source IP address.
It is also possible to export the information displayed on the screen to a CSV file by clicking on the button at the top right of the screen.
With this tool you may search, for example, for the tasks that all users carried out on the configuration in the last 72 hours:
Or for the moment when a given user logged in to the console. In addition, you may see the Pandora FMS server service start date or when the console configuration was changed (you may also see the exact date and time by hovering with your mouse over the icon “i”).
Local server logs
In the latest Pandora FMS console versions (718 or later), log status can be checked through the menu Admin tools → Extension management → System logfiles.
From this extension you may see the logs of both the console and the local server:
If you cannot see the content, check your log file permissions:
chown -R pandora:apache /var/log/pandora/
You may change the rotator options to keep these settings by modifying the /etc/logrotate.d/pandora_server file.
/var/log/pandora/pandora_server.log
/var/log/pandora/websocket.log
/var/log/pandora/pandora_server.error {
    weekly
    missingok
    size 300000
    rotate 3
    maxage 90
    compress
    notifempty
    copytruncate
    create 660 pandora apache
}
/var/log/pandora/pandora_snmptrap.log {
    weekly
    missingok
    size 500000
    rotate 1
    maxage 30
    notifempty
    copytruncate
    create 660 pandora apache
}
On the other hand, there is also a specific configuration for the console log rotation in /etc/logrotate.d/pandora_console:
/var/www/html/pandora_console/log/audit.log
/var/www/html/pandora_console/log/console.log {
    weekly
    missingok
    size 100000
    rotate 3
    maxage 15
    compress
    notifempty
    create 644 apache root
}
If you update through OUM from a version prior to 747, you will need to modify the logrotate file manually.
If you wish, you can use the following blocks to quickly configure logrotate.
cat > /etc/logrotate.d/pandora_server <<EO_LR
/var/log/pandora/pandora_server.log
/var/log/pandora/web_socket.log
/var/log/pandora/pandora_server.error {
    su root apache
    weekly
    missingok
    size 300000
    rotate 3
    maxage 90
    compress
    notifempty
    copytruncate
    create 660 pandora apache
}
/var/log/pandora/pandora_snmptrap.log {
    su root apache
    weekly
    missingok
    size 500000
    rotate 1
    maxage 30
    notifempty
    copytruncate
    create 660 pandora apache
}
EO_LR
chmod 0644 /etc/logrotate.d/pandora_server
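A way to review the logrotate stanzas above before deploying them, as an added example (not part of Pandora FMS): it lists the mode, owner and group each create directive requests, marks modes open to other local users, and marks stanzas where copytruncate is set, since logrotate does not apply create in that case and the file keeps the permissions it already has on disk. The function names and the reduced sample configuration are assumptions made for this example.

```python
import os
import re
import stat

# Constructed sample: two stanzas cut down from the logrotate files shown above.
SAMPLE_CONF = """\
/var/log/pandora/pandora_server.log
/var/log/pandora/pandora_server.error {
    weekly
    copytruncate
    create 660 pandora apache
}
/var/www/html/pandora_console/log/audit.log
/var/www/html/pandora_console/log/console.log {
    weekly
    create 644 apache root
}
"""

def parse_create_rules(conf_text):
    """Return one dict per log path that is covered by a 'create' directive."""
    conf_text = re.sub(r"#.*", "", conf_text)  # drop comments
    rules = []
    for paths, body in re.findall(r"([^{}]+)\{([^{}]*)\}", conf_text):
        directives = [ln.split() for ln in body.splitlines() if ln.strip()]
        create = next((d for d in directives if d[0] == "create" and len(d) == 4), None)
        if create is None:
            continue
        ignored = any(d[0] == "copytruncate" for d in directives)
        for path in paths.split():
            rules.append({"path": path, "mode": int(create[1], 8), "owner": create[2],
                          "group": create[3], "create_ignored": ignored})
    return rules

def modes_on_disk(rules):
    """Permission bits of the listed log files that exist on this host."""
    paths = [r["path"] for r in rules if os.path.exists(r["path"])]
    return {p: stat.S_IMODE(os.stat(p).st_mode) for p in paths}

def review(rules, actual_modes):
    """Return (path, finding) pairs worth a second look."""
    findings = []
    for rule in rules:
        path, mode = rule["path"], rule["mode"]
        if mode & 0o007:
            findings.append((path, "create mode %o is open to other local users" % mode))
        if rule["create_ignored"]:
            findings.append((path, "copytruncate keeps the old file, create is not applied"))
        actual = actual_modes.get(path)
        if actual is not None and actual != mode:
            findings.append((path, "mode on disk is %o, config says %o" % (actual, mode)))
    return findings
```

On a console host, read the real file with open("/etc/logrotate.d/pandora_console").read(), pass it to parse_create_rules, and call review(rules, modes_on_disk(rules)).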
DB management from the console
The core of Pandora FMS system is its database. It stores all data collected by monitored systems, agent configuration, alerts, events, audit data, different users and their data. That is, all system data.
Efficiency and reliability are vital for Pandora FMS to work properly, so database maintenance is essential.
To perform regular database maintenance, administrators can use standard MySQL commands from the command line, or manage the database from the console even without extensive MySQL knowledge.
Pandora FMS has multiple extensions that can be used from the console to see information from the database.
Diagnostic tool
This section shows general information about the Pandora FMS installation. Note the large amount of information obtained from the database, where the recommended parameters can be seen, as well as warnings about existing values that need to be changed.
In version 767 it consists of 14 sections, some of which are the following:
DB Interface
This is an extension that allows you to execute commands in the database and see the result. It is an advanced tool that should only be used by people who have a certain amount of knowledge about SQL and the Pandora FMS database schema.
If misused, this tool may destroy data or permanently render the application inoperative.
It is accessed from Admin tools > DB interface.
Type in the command in the blank field and click Execute SQL.
DB Schema Check
This check can only be done in MySQL Databases.
This is an extension that lets you check the structural differences between the database set in your Pandora FMS and a reference schema, in order to find possible errors.
It is recommended to use this extension to check whether a database migration has been correctly performed.
It works like this:
- A temporary database is created with the structure that the installation database should have (different depending on the installed version).
- The database created is compared with the database referenced in the installation.
- The temporary database is deleted.
Enter the data to access your database and click Run test.
Network Tools
- Traceroute path: If empty, Pandora FMS will search the system for traceroute.
- Ping path: If empty, Pandora FMS will search the system for ping.
- Nmap path: If empty, Pandora FMS will search the system for nmap.
- Dig path: If empty, Pandora FMS will search the system for dig.
- Snmpget path: If empty, Pandora FMS will search the system for snmpget.
Backup
For the backup option, check section Discovery - Console tasks.
Plugin registration
Extension that allows you to easily register server plugins.
The extension can be accessed through Servers > Register plugin.
To register a plugin, choose the file by clicking on Browse and Upload.
More information about server plugins can be found in the development and extension chapter.
You may see in section Server Plugin Development the format of the .pspz files.
Insert data
Extension that lets you import data from a comma-separated file (CSV) into an agent module. This extension is accessed from Resources > Insert Data.
The format of the CSV file must be date;value per line. The date must be given in Y/m/d H:i:s format:
2011/08/06 12:20:00;77.0
2011/08/06 12:20:50;68.8
If you are not able to load the file, please check the directory permissions:
chown -R pandora:apache /var/spool/pandora/data_in
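A pre-upload check for the date;value format described above, as an added example (not part of Pandora FMS): it reports the line number and reason for each row that would not match, including rows that use a comma where the format expects a semicolon. The function name is hypothetical, and treating the value as a plain decimal number is an assumption, since the page only shows numeric values.

```python
import re
from datetime import datetime

# Shape checks use re.ASCII so that only the digits 0-9 are accepted.
DATE_SHAPE = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}", re.ASCII)
VALUE_SHAPE = re.compile(r"[-+]?\d+(\.\d+)?", re.ASCII)  # assumption: numeric module

# Constructed sample: the two rows shown above plus four deliberately broken ones.
SAMPLE = """\
2011/08/06 12:20:00;77.0
2011/08/06 12:20:50;68.8
2011-08-06 12:21:40;70.1
2011/08/06 12:22:30,71.5
2011/02/30 09:00:00;12
2011/08/06 12:23:20;n/a
"""

def check_insert_data(text):
    """Return (rows, errors): rows are (datetime, float), errors are (line_no, reason)."""
    rows, errors = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) != 2:
            hint = " (line uses ',' instead)" if "," in line and ";" not in line else ""
            errors.append((line_no, "expected exactly one ';' separator" + hint))
            continue
        date_text, value_text = parts
        if not DATE_SHAPE.fullmatch(date_text):
            errors.append((line_no, "date is not in Y/m/d H:i:s form"))
            continue
        try:
            # The shape check above already enforced zero padding.
            when = datetime.strptime(date_text, "%Y/%m/%d %H:%M:%S")
        except ValueError:
            errors.append((line_no, "date or time does not exist"))
            continue
        if not VALUE_SHAPE.fullmatch(value_text):
            errors.append((line_no, "value is not a plain decimal number"))
            continue
        rows.append((when, float(value_text)))
    return rows, errors
```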
Resource registration
This extension allows you to import .prt files containing the definition of a network component, SNMP component, local component or WMI component. You may also add all of them (except for the local component) to a template.
Access this option through the menu Resources > Resource registration:
.prt file format
<?xml version="1.0"?>
<pandora_export version="1.0" date="yyyy-mm-dd" time="hh:mm">
  <component>
    <name></name>
    <description></description>
    <module_source></module_source>
    <id_os></id_os>
    <os_version></os_version>
    <data></data>
    <type></type>
    <max></max>
    <min></min>
    <max_cri></max_cri>
    <min_cri></min_cri>
    <max_war></max_war>
    <min_war></min_war>
    <historical_data></historical_data>
    <ff_treshold></ff_treshold>
    <module_interval></module_interval>
    <id_module_group></id_module_group>
    <group></group>
    <tcp_port></tcp_port>
    <tcp_send></tcp_send>
    <tcp_rcv_text></tcp_rcv_text>
    <snmp_community></snmp_community>
    <snmp_oid></snmp_oid>
    <snmp_version></snmp_version>
    <auth_user></auth_user>
    <auth_password></auth_password>
    <privacy_method></privacy_method>
    <privacy_pass></privacy_pass>
    <auth_method></auth_method>
    <security_level></security_level>
    <plugin></plugin>
    <plugin_username></plugin_username>
    <plugin_password></plugin_password>
    <plugin_parameters></plugin_parameters>
    <wmi_query></wmi_query>
    <key_string></key_string>
    <field_number></field_number>
    <namespace></namespace>
    <wmi_user></wmi_user>
    <wmi_password></wmi_password>
    <max_timeout></max_timeout>
    <post_process></post_process>
  </component>
  <component>...</component>
  <component>...</component>
  <template>
    <name></name>
    <description></description>
  </template>
</pandora_export>
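Several fields in the .prt layout above hold credentials, so a file exported for sharing can carry them in clear text. The following added example (not part of Pandora FMS) lists the components with populated credential fields and produces a copy with those fields emptied; the choice of the five tags, the function names and the sample values are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Tag names taken from the .prt layout above that can hold a secret (assumed set).
SECRET_TAGS = ("snmp_community", "auth_password", "privacy_pass",
               "plugin_password", "wmi_password")

# Constructed sample export with two components (all values are made up).
SAMPLE_PRT = """<?xml version="1.0"?>
<pandora_export version="1.0" date="2024-01-01" time="10:00">
  <component>
    <name>Router uptime</name>
    <snmp_community>example-community</snmp_community>
    <snmp_oid>1.3.6.1.2.1.1.3.0</snmp_oid>
    <auth_password></auth_password>
  </component>
  <component>
    <name>Free disk C:</name>
    <wmi_user>monitor</wmi_user>
    <wmi_password>example-password</wmi_password>
  </component>
</pandora_export>
"""

def _parse(prt_text):
    # The .prt layout has no DTD, so refuse one instead of expanding entities.
    if "<!DOCTYPE" in prt_text:
        raise ValueError("DOCTYPE not expected in a .prt file")
    root = ET.fromstring(prt_text)
    if root.tag != "pandora_export":
        raise ValueError("root element is not pandora_export")
    return root

def find_embedded_secrets(prt_text):
    """Return (component name, tag) for every non-empty credential field."""
    hits = []
    for component in _parse(prt_text).iter("component"):
        name = (component.findtext("name") or "").strip() or "(unnamed)"
        for tag in SECRET_TAGS:
            if any((field.text or "").strip() for field in component.findall(tag)):
                hits.append((name, tag))
    return hits

def redact(prt_text):
    """Return the export as XML text with every credential field emptied."""
    root = _parse(prt_text)
    for component in root.iter("component"):
        for tag in SECRET_TAGS:
            for field in component.findall(tag):
                field.text = None
    return ET.tostring(root, encoding="unicode")
```

The redacted copy is meant for sharing or review; components imported from it need their credentials entered again in the console.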
Text string translator
This extension belongs to the menu Setup > Translate string and allows translating Pandora FMS interface text strings to customize it.
- Language: Lets you filter strings by language.
- Free text for search (*): Content of the string you wish to customize.
Three columns will appear: the first one will show the original string, the second one the current translation and the third one the custom translation you wish to add. Fill in the latter and click Update to save.
Be careful to copy exactly any HTML code and JavaScript that may appear in the text to be translated.
Workspace
This section allows interacting with Pandora FMS users, editing the user's details, and several other actions, such as accessing the issue system (to open tickets), chatting with other users connected to Pandora FMS, etc.
Chat
It lets you interact with other users connected to that Pandora FMS console through a chat. It is useful, for example, when you want to say something to another operator.
Issues
Pandora FMS allows managing issues from the console thanks to its integration with Integria IMS.
For more information about this tool, check Issue management with Integria IMS.
Messages
Pandora FMS has a tool that allows different users to send messages among themselves.
When a user has a message, an envelope icon appears at the top right of the console.
User messages can be seen in Workspace > Messages > Messages list, and from there you may read, delete or write a message to a specific group or user.
Notifications
In Pandora FMS there is a console status supervision system as well as a general one.
You may enable notifications following these steps:
- In the Pandora FMS notifications configuration tab (Setup → Setup → Notifications), add or subscribe to each notification category the users or groups that should receive the notification.
- For the System status you may in addition specify each technical aspect for each registered user or group.
- For the user itself, it is possible to make sure that the different notification categories are enabled in Workspace → Configure → User notifications. At this point, if you wish so, you may also enable notification reception by email. An administrator may in turn prevent a user from handling or modifying said values.
Notification forwarding by email requires CRON to be started and working, so that it can process the email queues. Since the CRON system is the one that forwards the email, the URLs of the notifications sent by email will be built automatically, taking as reference the URL you configure in crontab.
Recommendation:
- Using a FQDN (fully qualified domain name) for the Console.
- Setting the local value for this FQDN in the machine that hosts the console (add the entry 127.0.0.1 FQDN to your file /etc/hosts in the machine/s the Console gives service to).
* * * * * wget -q -O - --no-check-certificate http://nova.artica.lan/pandora_console/enterprise/cron.php >> /var/www/html/pandora_console/pandora_console.log
Content of /etc/hosts (example in machine nova.artica.lan):
127.0.0.1 nova.artica.lan
If you do not have a FQDN, use the IP address from which you access the Console as target in the crontab configuration:
* * * * * wget -q -O - --no-check-certificate http://192.168.1.100/pandora_console/enterprise/cron.php >> /var/www/html/pandora_console/pandora_console.log
You may find more information about email configuration in this section.
Connected users
This extension shows the users connected to the Pandora FMS Console other than yourself. This feature is important because Pandora FMS console allows multiple user connections.
The extension is accessed from Workspace > Connected users. You must be an administrator user to access this menu.
Software agent repository
The software agent repository is part of the Deployment Center, which controls agent installer available versions (programs) to be deployed.
The deployment center is part of the Enterprise Discovery. You may use it from Discovery → Host&devices → Agent deployment.
You may access it through the following menu: Configuration → Software agents repository.
To add a new installer to the repository, click Add new software:
Select OS (Linux or Windows):
Fill out the information related to the Architecture type, Version, Transfer timeout (time in seconds before deployment is cancelled), select the file and click Ok. Wait a few seconds.
Installers for Linux (and the whole Unix and BSD range) are shared by all architectures: x64, x86, ARM, etc. all share the same .tar.gz installer.
Make sure the upload was successful:
The uploaded agent installer will appear on the list together with the information about its version, by whom and when it was uploaded etc.:
Use the edit button to edit each installer, or the delete button to delete it.
Custom themes
Only version NG 752 and previous versions.
Pandora FMS offers the possibility of uploading CSS files, in order to set custom themes in the visual console.
To that end, include the following comment in the CSS file:
/* Name: My custom Theme */
Then, import the CSS file to the following path:
pandorafms/pandora_console/include/styles/CustomTheme.css
Once the desired themes are uploaded, go to Setup > Setup > Visual styles (Style configuration) and select the appropriate theme from the Style template drop-down.
Only NG 753 and later versions.
From this version onwards a script called styles_backup.sh will be available, which lets you export icons and existing CSS. It is located in directory:
/tmp/pandorafms/pandora_server/util -> styles_backup.sh
Executing it generates the following folder:
/var/www/html/pandora_console/styles_backup
Compressed files will be saved within said directory:
images-backup-<date>-<time>.tar.gz
styles-backup-<date>-<time>.tar.gz
Where <date> and <time> will be the date and time at which said backup was made.
It has two themes to choose among in Pandora FMS Console configuration:
If you wish to change the theme, just go to the database with the appropriate credentials and execute:
UPDATE tconfig SET value = '<new_skin>' WHERE token LIKE 'style';
Where style is the keyword used to find the record in table tconfig and <new_skin> is the new theme you wish to use.