Events

Pandora FMS event system allows you to see a real time log containing all the events that take place in monitored systems. By default, in the event view you will see a screenshot of what is happening at that moment.

Events are classified according to their severity:

• 0 Maintenance (White/Gray).
• 1 Informative (Blue).
• 2 Normal (Green).
• 3 Warning (Yellow).
• 4 Critical (Red).
• 5 Minor (Pink).
• 6 Major (Brown).

The following actions can be performed on events:

• Change its status (validated or in progress).
• Change owner.
• Delete.
• Show additional information.
• Add a comment: Any text that provides information and can be used to filter searches. If needed, URLs can be added in MarkDown format: [](URL), even for the Event Custom ID field.
• Make customizable responses.

Events are managed in the menu Operations → Events → View Events.

The event viewer shows a summary of each event and sometimes there is other associated data, such as the agent's module that generated the event, the group, tags associated to the module, etc. You may also sort events by identifier, status or name, among other fields.

By clicking on the magnifying glass icon corresponding to each item you will get more details.

Events are presented by default search for the last eight hours and not validated (and can also be customized), and grouped to avoid redundancy. You may save searches as filters or apply a previously created filter.

An event can be found in four states:

• In process.
• New.
• Not validated.
• Validated.

Auto-validation

When events take place due to state changes in modules, there will generally be two events: a first event consisting on switching from normal state to another “incorrect” state, and an event of returning to normal state, once the issue is solved. In these cases, the events that went into an undesired state (either critical or warning) are automatically validated upon return to normal. This is called event auto-validation and is an extremely useful feature.

Manual validation

If working manually, an event can also be validated: the system will memorize the date and the user who validated the event, with the possibility of recording a comment on the situation, then the screen is refreshed and the validated event is made invisible.

In process

An event can be checked as “in process” in the Responses tab. That way the event will not be auto-validated and will remain as pending.

Individual or batch processes

Events can be validated, checked as “in process” or deleted individually by clicking on the corresponding icons or mass applied to a selection.

Important aspects of this feature:

• Filters can be saved for reuse at another time.
• The maximum number of hours old (Max. hours old) of events can be customized.
• Pandora FMS, by default, groups repeated events (Duplicate → Group events), however this preference may be changed:

1. All events: It displays all events individually.
2. Group agents: It groups events by agent.
3. Group events: The event name, agent ID and module ID are used to identify duplicates.
4. Group Extra IDs: Events will be grouped only by Extra ID, sorted by Timestamp.

• You may filter by specific group. If you use the Group recursion option, it will also search in the subgroups of that group. Likewise if you select Search in secondary groups, the events of agents with assigned secondary groups will be included. These last two options may affect PFMS server performance.

Advanced options

• You may request events that took place within a given time span using the From (date) and To (date) date fields.
• In the Free search field you may use a regular expression (for example, to search for Connections and Network enter (Connections|Network)). The search is performed by agent name, event name, extra ID, source, custom data and comments.
• You may filter by custom fields using the Custom data filter fields, either by filtering by field name (Filter custom data by field name) or by custom field content (Filter custom data by field value). Such fields will be displayed as columns in the event view.

Frequently used event filters may be added to the Events section in the Favorite menu (Operation menu). For that purpose, click on the star icon that will appear when loading a saved filter (Current filter). Clicking again will allow you to uncheck the icon and remove it from the favorite system.

Events may be deleted individually (manually) and/or automatically: in the menu Management → Setup → Setup → Setup → Max. days before events are deleted specify the time they will be saved for in days.

By activating Enable event history in Management → Setup → Setup → Historical database, you have the option to keep them for the purpose of creating special reports.

To see the events in a news feed you may access Operation → Events → RSS and with that link you may subscribe from the news reader of your choice.

It allows you to broadcast multiple sound alerts when an event takes place. The melody will play continuously until you pause the sound event or click OK.

List of events that generate sounds, by default (and can be customized):

• The triggering of any alert.
• A module going into warning status.
• A module going into critical status.
• A module going into unknown status.

Menu Operation → Events → Acoustic console: this option opens a pop-up window to control all sound events. The web browser must be configured to allow pop-up windows to be opened.

Sound events are scanned every 10 seconds asynchronously, when an event takes place, the window will start flashing red and vibrating and also, depending on the configuration of your browser and/or operating system, the window will keep focus and position itself ahead of the rest of the open windows.

To add new melodies, copy these files in WAV format, to the directory:

/var/www/pandora_console/include/sounds/

To export the events to CSV format, click Operation → Events → View events → Export to CSV file.

Pandora FMS external API is used by making remote calls (via HTTPS) on the /include/api.php file. This is the method defined in Pandora FMS to integrate third-party applications with Pandora FMS. It basically consists of a call with the formatted parameters to receive a value or a list of values that will later be used by this application to perform operations.

The three main points to activate PFMS API:

1. Enable access to the IP from which the command is to be executed.
2. Set a general API password.
3. Define a specific user and password that can only connect through API.

The dedicated tool to create or validate events by Pandora FMS API can be copied from:

/usr/share/pandora_server/util/pandora_revent.pl

The options to validate an event are:

./pandora_revent.pl -p <path_to_consoleAPI> -u <credentials> -validate_event <options> -id <id_event>

Sometimes, maybe for security reasons, it is necessary to have only the event creation option, for this purpose pandora_revent_create.pl can be copied to the client device. It is located at:

/usr/share/pandora_server/util/pandora_revent_create.pl

This tool shares similar features with pandora_revent.pl.

Events with custom fields can be generated through Pandora FMS CLI:

pandora_manage /etc/pandora/pandora_server.conf \
  --create_event 'Custom event' system Firewalls \
  'localhost' 'module' 0 4 '' 'admin' '' '' '' '' \
  '{"Location": "Office", "Priority": 42}'

By means of Management → Configuration → Events it is possible to configure:

• Custom columns.
• Responses.
• Filter configuration.

It is possible to customize the fields displayed by default by the event viewer; to do so, choose the fields to be displayed from Events → View events → Manage events → Custom columns.

The default fields are five, however there are more fields to add:

Menu Management → Configuration → Events → Events filters.

It allows you to create, delete and edit the filters applied to the event view. After saving you may go to View events and load the appropriate filter.

An event response is a custom action that may be executed on an event, such as creating a ticket in Pandora ITSM with the relevant event information. More information about Pandora ITSM can be found in Pandora FMS documentation.

Enter a representative name, description, the parameters to be used separated by commas, the command to be used (the latter allows the use of macros), the type and the server that will run the command. In Parameters you may set as many as you need, separated by commas. When the response is made, a dialog box will appear to fill in each one of them and thus add it to the event.

Agent address.

Agent alias.

Agent identifier.

Agent name.

Identifier of the alert associated with the event.

Command response time (seconds).

Identifier of the user running the response.

Full name of the user executing the response.

It retrieves information from custom data in JSON format.

Output all custom data in text mode (with line breaks).

It retrieves a particular field from custom data, replacing the X with the field name.

Date on which the event took place.

Extra identifier.

Event identifier.

Event Instructions.

Event criticality identifier.

Event severity (translated by Pandora FMS console).

Event source.

Event status (new, validated or event in process).

Event tags separated by commas.

Full event text.

Type of event:

• Monitor in critical status.
• Monitor in warning status.
• Monitor in normal status.
• Unknown.
• Unknown Monitor.
• Alert triggered.
• Alert recovered.
• Alert stopped.
• Manual alert validation.
• Agent created.
• Recon host detected.
• System.
• Error.
• Configuration change.
• Network configuration manager.

Date on which the event occurred in utimestamp format.

Group identifier.

Name of the group in the database.

Contact information of a group of agents.

Address of the module associated with the event.

Identifier of the module associated to the event.

Name of the module associated with the event.

For Command Center (Metaconsole) and Node: it returns the node identifier.

For Command Center (Metaconsole) and Node: it returns the node name.

User who owns the event.

Full name of the user who owns the event.

User identifier.

Back to Pandora FMS Documentation Index