Pandora:Documentation en:Policy

From Pandora FMS Wiki

Jump to: navigation, search

Go back to Pandora FMS documentation index

Policies

Introduction

Pandora FMS is able to manage thousands of devices, containing thousands of modules and alerts. We've developed the policy functionality with the purpose of rendering the administrators work a lot easier as the systems which are the target of the monitoring could be composed of a very high number of components.

The policy appliance allows you to propagate modules, alerts, external alerts and collections to the agents in a centralized and homogeneous way by modifying its configuration files by the remote edition feature called Agent Configuration.

The available operations pertaining to policies in general are the following:

  • To create, delete and duplicate one policy
  • To add and delete one or several existing agents
  • To create, edit and delete one module
  • To create, edit and delete one alert
  • To create, edit and delete an external alert
  • To add and delete an already existing collection
  • To add and delete an already existing inventory module
  • To link the policy to one or several adopted modules

The operations conducted within a policy are not going to be effective until the policy is applied.

The application of the different policies is managed by one queue, in which they could be introduced in order to apply to an agent or to all of the policy. It's also possible to introduce the application of one policy from the database, if the changes don't affect the remote configuration.

You may invoke the policy management by clicking on 'Administration' and 'Manage Policies' on the left side of the Pandora FMS web console as shown below.



Politicas.jpg



Adding a Policy

If you click on the 'Administration' and 'Manage Policies' menus, all available policies are going to be shown.



Politicas1.jpg



Please click on the 'Create' button to create a new policy. You have a policy creation screen here, in which we're required to insert the name, the group to which it's going to belong to, and an optional description.



Policia.jpg



Deleting a Policy

If you intend to delete any policy, please make sure that it doesn't have any agent associated to it.

If one policy contains agents, the delete button is disabled and a button to delete all its agents is shown next to it. This button is going to introduce the deletion process into the queue. Once it has been processed, the policy deletion button is going to be in an active state again.



Borrar agentes.jpg



Duplicating a Policy

There is also a button to duplicate a policy. It's located in the middle of the policy operation buttons.



Duplicar politica.jpg



The copy of the policy which will be created here is going to be shown as 'not applied', regardless of the original policy's state.

Configuring a Policy

In order to configure the policy, please click on the policy's name under 'Administration' and 'Manage Policies' or access it directly by hovering the mouse over it and clicking on the policy you intend to configure.



Windows5.jpg



The policy configuration contains options for the following elements:

  • Agents
  • Modules
  • Inventory Modules
  • Alerts
  • External Alerts
  • Collections
  • Linking
  • Queue
  • Agent Plug Ins

The different executable actions aren't going to be applied until the policy is applied. If you're adding an agent to the policy, you're e.g. able to create several modules and alerts, but they're not going to come into effect until you're applying the policy.

If we e.g. have one policy applied and we're modifying or deleting elements, the changes aren't going to come into effect until its next execution.

All changes are displayed shown within the 'Queue' window. You're able to introduce the policy into the process queue there, in which it's going to wait for its turn to be applied.

Policy Propagation

Policy propagation means the activation of the modules, alerts and collections which are configured within the defined agents. This means that these modules and alerts are going to be added to the agents.

A policy can be propagated to a specific agent or a complete policy.

In order to propagate it to an agent, you're required to go to the 'Agents' section and choose to which agent you intend to apply it to. If you intend to apply an entire policy, you're required to open the 'Queue' section to do so.

Policy Queues Management



Queue.jpg




The policy operations queue contains a summary of the elements which have been changed since their last application:

This list contains the elements which are required to be updated and the ones pending to delete:

  • Pending to update
    • Agents
    • Adopted modules pending to link
    • Adopted modules pending to unlink
  • Pending to delete
    • Agents
    • Modules
    • Inventory Modules
    • Alerts
    • External Alerts
    • Collections

This summary is going to show you whether you should apply the policy or not. Sometimes, a button will be shown to apply them next to the icon of agents pending to apply.

If the pending changes only affect the database, e.g. changes in alerts, this button is going to conduct the changes on this level only, so the application will be quicker.



Queue onlydb.png



If the configuration which affects the configuration files has been changed, e.g. if collections or local modules have been modified, the application is complete.



Queue onlydbconf.png



Under summary, there is a button called 'Apply All', regardless of the pending modifications.



Queue applyall.png



If we select to apply we're going to add the policy agents to the application queue. The Pandora FMS Server will be in charge of applying the pending policies to the queue. If we refresh the screen, we're able to see the application's progress. In the moment it's completed, it's going to be mentioned in the queue as completed, along with the time which passed since it has finished the process.



Queue progress.png



Agents

This window was designed to add or to delete agents from the policy.



Brocha3.jpg



Massive Actions

The upper part is intended to massively add or to delete agents.



Policy agentstop.jpg



You're able to filter them by group and with a substring. It's possible to conduct a multiple selection to add them to the policy by clicking on the arrow which points to the right. These agents are going to be moved to the box on the right and associated to the policy in a 'pending to apply' mode.

The policy's agents could be deleted by multiple selection with the help of a filter in order to move them into the box on the left with the arrow which points to the left. If you select one or several agents to delete from the policy in this way, they will be shown as crossed out in the box on the right. They can be re associated to the policy if you select them again in the left box and link them as if they weren't.

Unit Actions

In the window shown below, there is a list, containing all the agents associated to the policy, including the ones which are in a 'pending to delete' mode.



Policy agentsbottom.jpg



The agent's list was designed to filter by group, substring or an application state:

It displays:

  • The agent's name
  • The remote configuration
  • The agent's state within the policy
  • The number of unlinked modules in the agent
  • The button to introduce this agent into the queue in order to apply it
  • The date and hour of the last application
  • The button of delete, undo and remove

If an agent is removed, it's going to be displayed with its name crossed out. In the place of the deleted button, a new button (intended to undo the deletion and to link the agent to the policy again) appears.

Modules

The modules menu allows to configure the modules which are going to be added to the policy.



Windows6.jpg



In order to add modules, you're required to pick the type of module in the drop-down menu, to select one module, e.g. 'data server', 'network', 'red', 'plug in', 'WMI', 'prediction' and 'web' and to click on the 'Create' button.



Windows7.png



Creating a Data Server Module

The Data Server Modules are the modules which are going to be added to the software agents. In order to work with these modules, it's necessary for the agents to have the remote configuration enabled.

Please select the option 'Create a new data server module' and click on the 'Create' button in order to create a new data server module.



Windows8.jpg



Subsequently, a screen intended to configure all the module fields is going to be displayed. The field called 'Data Configuration' is the one which allows you to introduce the module's code which is going to be applied to the agents subscribed to this policy. This change will be contained in this particular agent's 'pandora_agent.conf' file.



Windows9.jpg



You're able to gain access to the advanced options by clicking on the 'Advanced Options' button.



Windows10.jpg



It's possible to review the description of these particular features in the Templates and Components section. There are two options: To fill out the fields or to have a previously defined local component ready to invoke here.

Creating a Network Server Module

The network server modules are modules which are managed by the Network Server.

Please select the option called 'Create a new Network Server Module' and click on the 'Create' button in order to create a new network server module.



Grafic1.jpg



Subsequently, a window intended to configure all the module fields is going to be displayed.



Grafic2.jpg



Please click on the 'Advanced Options' button to gain access to the advanced options.



Grafic3.jpg



It's possible to review the description of these particular features and options in the Templates and Components section. Please click on 'Create' button once all fields have been filled out.

Please keep in mind that the modules are quite similar most of the time. Instead of filling out the fields any time one module is added, the best option is to preliminarily define it as a component and to use it as such. In order to use a component, please fill out the combo which is located under 'Using module component' in which it's possible to choose between the different component groups.



Grafic4.jpg



Once the group has been selected, another combo pops up in which you're able to choose the component you intend to use.



Grafic5.jpg



In this example, we've selected the component called 'Catalyst CPU Usage' of the Cisco MIBs Group.



Grafic6.jpg



Once the component is selected, it's possible to modify any of the fields. Please click on the 'Create' button once all the fields have been filled out appropriately.

Creating a Module for the Plug-in Server

The modules of the plug-in servers are the modules which are getting managed by it.

In order to create a module for the complement server, please click on 'Create a new Plug-In Server Module' and click on the 'Create' button.



Cosa1.jpg



In this moment, a window intended to configure all the module's fields is going to appear.



Cosa2.jpg



You may gain access to the advanced options by clicking on the 'Advanced Options' button as shown on the bottom left on the picture above.



Cosa3.jpg



You're also able to review the description of the above mentioned features and options within the Templates and Components section again.

Once you have filled out all the fields appropriately, please click on the 'Create' button.

Please keep in mind that the modules are quite similar most of the time. Instead of always filling out the fields any time a module is added, the best option is to preliminarily define it as a component and to use it as such. The use of components is thoroughly explained in the section called Creating a Network Server Module.

Template warning.png

Use macros to configure dynamic parameters, like the IP address of an agent.

 




Policy plugin macro.png



Creating a Module for the WMI Server

The modules of the WMI Server are the ones which are getting managed by it.

In order to create a module of the Network Server, please click on 'Create a new WMI Server Module' and click on the 'Create' button as shown below.



Cosa4.jpg



In this moment, a window intended configure all the module's fields is going to appear.



Cosa5.jpg



You may gain access to the advanced options by clicking on the 'Advanced Options' button as shown on the bottom left on the picture above.



Cosa6.jpg



It's also possible to review the description of these features and options in the Templates and Components section.

Once all the fields have been filled out appropriately, please click on the 'Create' button.

Please keep in mind that the modules are quite similar most of the time. Instead of always filling out the fields any time a module is added, the best option is to preliminarily define it as a component and to use it as such.

Creating a Module for the Prediction Server

The modules of the prediction server are the ones which are getting managed by it.

In order to create a module for the prediction server, please select the option called 'Create a new Prediction Server Module' and click on the 'Create' button.



Cosa7.jpg



Subsequently, a window intended to configure all the module's fields is going to appear.



Cosa8.jpg



You may gain access to the advanced options by clicking on the 'Advanced Options' button.



Cosa9.jpg



Please feel free to review these features and options in the Templates and Components section.

Once all the fields have been filled out appropriately, please click on the 'Create' button.


Template warning.png

In this particular context, the modules of the prediction server are not considered components.

 


Creating a Module for the Web Server

The modules of the web server are the modules which are getting managed by it.

In order to create a module for the web server, please select the option called 'Create a new Web Server Module' and click on the 'Create' button.



Monstruo1.jpg



Subsequently it's going to display a window intended to configure all the module's fields.



Monstruo2.jpg



You may gain access to the advanced options by clicking on the 'Advanced Options' button.



Monstruo3.jpg



Please feel free to review these features and options in the Templates and Components section.

Once all the fields have been filled out appropriately, please click on the 'Create' button.


Template warning.png

In this particular context, the modules of the web server are not considered components.

 


Modifying a previously created Module

It's possible to modify all modules created in a preliminarily generated policy.



Rama1.jpg



In order to do so, please click on the module's name so the module configuration options are shown.

Once they have been modified appropriately, please click on the 'Update' button.



Rama2.jpg



Info.png

If the policy module is renamed, the name is going to be renamed like any other field in the moment the policy is applied.

 



Template warning.png

If a module with the new name already exists in one of the agents in the moment the policy module is renamed, this module is going to be adopted while the old module's name is deleted.

 


Deleting an already created Module

In order to delete the module from the policy and remove it from the agents that have it installed, please click on the x-shaped button on the right of the module's name. Once you've done that, the module is still going to be shown but crossed out. Subsequently, the 'Delete' button will be replaced by the 'Undo' button.



Rama4.jpg



Using Plug Ins within the Policies

The format used is quite simple. You're only required to 'outwit' the system, declaring one module for each type of module that the plug in returns. In order to do this, you're required to foreknow how many modules the plug in would return. If you're not completely sure, you're able to choose to register the plug in once and that the modules, which are going to be created, are going to work from outside of the policy. The data will arrive, but we can't parametrize them by the policies, because they are modules which are going to arrive without being associated to the policy.

All the data linked to one policy has to be previously defined. The policies don't specifically contain 'non-defined' information.

Supposing that we're going to execute this plug in which dynamically returns the free space in bytes which all the units of the system have.

In this example, the plug-in exit returns several unities (C:, D: and Z:)



Plugin exec sample.png



If you intend to manage them as policy modules, it's recommended to define several modules and the real call of the plug in within only one of them. Please leave the field called 'module_plugin' empty in any other cases.

module_begin
module_name C:
module_type generic_data
module_plugin cscript //B "%ProgramFiles%\pandora_agent\util\df.vbs"
module_end

module_begin
module_name D:
module_type generic_data
module_plugin 
module_end

module_begin
module_name Z:
module_type generic_data
module_plugin 
module_end

Inventory Modules

It's also possible to create inventory modules within a policy by picking one from the list of the available ones in the system, thereby picking an interval and the credentials for it.



Policy inventory modules.png



Like the rest of the policy's elements, if we remove an inventory module, it's going to be shown as crossed out. The 'Undo' button is going to be displayed instead in case you intend to undo the action.



Policy inventory modules undo.png



Alerts

The Alert menu allows you to configure the alerts which are going to be added to the policy.



Salva1.jpg



Adding Alerts

In order to add an alert, you just have to link it to one of the predefined templates or to one module which belongs to the policy and to click on the 'Add' button.



Salva2.jpg



Modifying Alerts

It's possible to add actions to alerts, to put them in a stand-by mode or to deactivate them.

If you intend to change any module or template, it's recommended to delete it and to create a new one.

Deleting Alerts

In order to delete an alert from the policy and remove it from the agents that have it installed, please click on the x-shaped button on the right of the module's name. Once you've done that, the alert is still going to be shown but crossed out. Subsequently, the 'Delete' button will be replaced by an 'Undo' button.



Brocha2.png



External Alerts

The external alerts are very similar to the regular alerts. The difference is that this type allows you to link alerts to agent modules which aren't contained in the policy module's main list. It's sometimes very useful to only assign alerts to some agent modules but not to all of them.

Adding External Alerts

In order to create an external alert, you're required to fill out the form shown on the picture below. The first field is intended to select the agent's modules. Only the ones which aren't contained in the policies are mentioned here. The second field is intended to select the appropriate alert template.



External-alert-filled.png



Modifying External Alerts

Considering how easy it is to create new external alerts along with their few variables, the possibility of modifying external alerts doesn't exist. In order to modify an external alert, it's recommended to just delete it and to create a new one.

Deleting External Alerts

In order to delete an external alert from the policy and remove it from the agents that have it installed, please click on the x-shaped button on the right of the module's name.



External-alert-action-added.png



The deletion system is the same as the one of the regular alerts. The deletion isn't going to come into effect until the policy is applied. The 'Delete' button is going to be replaced by an 'Undo' button in order to undo an e.g. accidental deletion.

Agent Plug Ins

Since Pandora FMS 5.0 it's possible propagate the agent's plug ins easily by the plug ins editor within the policies.

It's possible to add agent plug ins to be created in each local agent within a policy in the moment of applying it.



Policy plugins editor.png



Types of Modules

If a policy is applied, it's possible to review the different modules within the agent's view. If you click on 'Manage Agents' and 'Modules' menu, there are three different types of modules:



Modules0.jpg



Adopted Modules

These modules were created in the policy with the same name of an already existing module within the agent. When applying the policy, Pandora FMS is going to use the existing module's data instead of creating a new one.



Modules1.jpg



If you delete a policy, the adopted modules aren't going to be deleted from the agents. They're only going to be defined as 'non-adopted' modules. The data column for these modules is going to look like the one shown on the picture below.



Modules1 1.jpg



Linked Modules

These modules are created in the policy. If you're applying the policy, they're also being created within the agent. These are the average modules created in the policies.



Modules2.jpg



You're able to link and unlink modules by clicking on 'Manage Agents' and 'Modules'. Please select the appropriate module and click the button on the picture below in order to unlink the module ...



Modules3.jpg



... and this button to link it.



Modules4.jpg



If you delete a policy, the linked and unlinked modules are deleted from the agents.

Unlinked Modules

If a module is unlinked, the future changes conducted in the policy aren't going to be applied onto them. The unlinked modules are useful, because they allow to define 'individual exceptions' to modules which belong to a certain policy. You're able to 'customize' an agent in a policy without removing it from the policy and only for a specific module in this way.



Modules5.jpg



The changes in the policies are only going to be applied if the module is linked again.

File Collections

A file collection is not just an option to policies - it's usually utilized in them. A file collection is a group of files (e.g. scripts or executables) which are automatically copied to a specific directory of the agent (under Windows or UNIX). The file collections allow to be propagated along with the policies in order to be used by a group of agents, using a 'package' of scripts and modules which use them.

First we learn how to use the file collections in the agent's view, how to conduct it manually, agent by agent, without using collections, and how to do the same thing by using policies.

Our first task is to arrange a compilation of files. In order to do this, please go to the agent's administrator. Subsequently, we're going to see a 'sub option' called 'Collections'. Please click on it in order to create a new collection as we can see on the picture below.



File collection create.png



Once you've created the file collection, please feel free to upload any appropriate file to it. These files can be binaries, scripts or data files. All files are moved to the same base directory. It's extremely important that each file collection has its own base directory. In the console, file collections are stored under a directory called '/pandora_console/attachment/collection', bearing a name like 'fc_XXX', where 'XXX' is the collection's numerical ID. The file collections are also able to contain subdirectories. The file collections are transferred as ZIP files to the agent.

File collections are only supported if you use the Tentacle transference mode.

On the second picture below, you can see how the example collection we've created (fc_1383033439) has received two files:



File collection addfile.png



If we go back to the mail collection screen, we can see both collections as a triangular icon, which indicates a problem. This happens because the collections aren't synchronized. It's recommended to synchronize them by clicking on the triangular icon shown below.



File collection sync.png



When a file collection is synchronized, a green arrow-shaped icon is displayed as shown on the picture below.



File collection sync1.png



Once we've synchronized the collection, it's going to be applied onto the agent - this time without using any policies. Please go to the agent's administrator mode and look for the collection's tabulator (it's a disk-shaped icon). The available collections are going to be displayed there in order to pick one of them and apply it to the agent, as you can see in the windows utilities example on the picture below.



Agent collection apply1.png



Now it has been applied. Next time the agent contacts the server, we're going to receive the file and a little modification in the '.conf' file, which is going to look like this:

file_collection fc_1383033439



Agent collection apply2.png



File Collections and Policies

This works in a similar way as the single agent collections. Instead of applying a collection on a specific agent it's applied to one policy, as we can see below.



File collection policyadd.png



It's very easy to use a module which works with a file included in the collection: Only refer to the directory which contains the collection by using its fixed ID. This is an example which uses a plug-in module:



Collection module usage plugin.png



Location of File Collections within Agents

Each file collection has a 'short name'. In this example, it's called 'fc_1383033439', which means the utilities, scripts or executables contained in the collection are located in '%Archivos de programa%\pandora_agent\collections\fc_1383033439'. It's important to keep in mind that the collection is sent in a compressed format to the agent, so this file collection should contain the unzip tool to be able to unpack the file. Since the agent's version 3.2, this utility is installed under '%Archivos de programa%\pandora_agent\utils'.

This information is important in order to use modules which work by using these files and to be able to specify the complete 'real' path.


This is another example:

If the collection's short name is 'fc_18', the location will be '%ProgramFiles%\pandora_agent\collections\fc_18' in case the English language is used on this particular computer.

Each file collection is stored in a different location in order to avoid the file collections to overwrite each other or to create conflicts among them.

Any locally modified file (on the same system on which the agent is executed) will be overwritten by the agent in the moment it establishes contact to the server. This is done in order to avoid local modifications and to ensure the collections are identical in all the systems in which they've been shown on. This mechanism utilizes the same method the remote configurations management does. It's based on MD5 hashes.

This is an example of one plug in which uses the 'df_percent.vbs' file, contained in one collection called 'fc_1383033439' for a windows-based agent:

module_plugin cscript //B "%ProgramFiles%\pandora_agent\collections\fc_1383033439\df_percent.vbs"

Go back to Pandora FMS Documentation Index