高度な設定

Pandora RC (formerly called eHorus) saves its parameters in a file called ehorus_agent.conf whose location varies depending on the operating system used.

Pandora RC (以前は eHorus と呼んでいました) はパラメータを ehorus_agent.conf というファイルに保存しています。場所は利用しているオペレーティングシステムにより変化します。

/etc/ehorus/ehorus_agent.conf

To be able to modify this file you need administrator privileges (root).

このファイルを編集するには管理者権限 (root) が必要です。

/usr/local/ehorus_agent/ehorus_agent.conf

To be able to modify this file you need administrator privileges (root).

このファイルを編集するには管理者権限 (root) が必要です。

%ProgramFiles%\ehorus_agent\ehorus_agent.conf

To modify this file you need to run Notepad as administrator (right mouse button → run as administrator).

このファイルを編集するにはメモ帳 を管理者権限で起動する必要があります。(マウスを右クリック → 管理者として実行)

To make any configuration changes to the agent, it is required to be restarted with root or administrator rights.

エージェントの設定を変更するには、root または 管理者 権限で再起動する必要があります。

• On GNU/Linux® (root):
• GNU/Linux® の場合 (root):

systemctl start pandorarc_agent_daemon

• On MS Windows® (administrator):
• MS Windows® の場合 (administrator):

Control Panel → Herramientas administrativas → Services → eHorus Agent → Restart.

コントロールパネル → 管理ツール → サービス → eHorus Agent → 再起動

• On Mac OS (root):
• Mac OS の場合 (root):

launchctl start com.ehorus.ehorus_agent

Optionally, a different agent connection password can be specified for each machine. This password is specified -clearly, without encryption- in the agent configuration file, in the following configuration token:

オプションで、各マシンに異なるエージェント接続パスワードを指定できます。このパスワードは平文で暗号化せず、下記設定トークンでエージェント設定ファイルに指定します。

password xxxx

Once the agent is restarted, the password will be hashed like this:

エージェントを再起動すると、パスワードはこのようにハッシュ化されます。

password [[db6f086273f8c93e57808dafef45eae6ae67ae639eb34b6a6|]]

This behavior is normal and is similar for other configuration tokens that may contain sensitive information (proxy access username and password, etc.).

この挙動は正常で、機密情報を含む可能性のある他の設定トークン(プロキシアクセスユーザ名やパスワードなど)でも同様です。

The Pandora RC WEB client remains connected to the agent while the browser session is open and while there is a connection. If you leave the session open and unused, the session on that computer will be locked until you close it.

Pandora RC WEB クライアントはブラウザセッションがオープンで接続がある限りエージェントへの接続を維持します。セッションがオープンで未使用な状態が続くと、このコンピュータへのセッションは閉じるまでロックされます。

To prevent this, the agent has an inactivity timeout mode that is set to 300 seconds by default. You can override that behavior by modifying the following configuration token:

これを防ぐために、エージェントにはデフォルトで300秒の非アクティブタイムアウトモードがあります。下記設定トークンを変更することで挙動を上書きできます。

session_timeout 300

The design goal of Pandora RC is for the agent to be accessible wherever it is, even in complex topologies with poor connectivity. For this there are some configuration tokens that regulate how the agent connects with the server.

Pandora RC の設計目標は、複雑な経路で貧弱な接続性であってもどこのエージェントにもアクセス可能であることです。そのためエージェントがサーバへ接続する方法を制御する設定トークンがいくつかあります。

The agent periodically checks that the connection is still alive (even though it appears to be connected), this is known as “keepalive”. You can regulate how many seconds it is done if you think this can improve the behavior of your agent in the event of power outages, etc.

エージェントは定期的にコネクションがまだ有効か(接続済みと表示されていても)チェックしており、これは「keepalive」として知られています。エージェントが電源喪失であるときの挙動を改善できるといった考えのもと、何秒ごとにこれを行うか制御できます。

ping_interval 300

In addition, you can modify the general network timeout, to lower or raise it depending on your specific needs. By default it is 5 seconds.

加えて、必要に応じて一般的なネットワークタイムアウトを増減できます。デフォルトでは5秒です。

timeout 5

There are two advanced parameters that should be handled with care, they are those that regulate the maximum payload size and the maximum block size, and both are specified in bytes:

注意して取り扱うべき高度なオプションが2つあります。最大ペイロードサイズと最大ブロックサイズを制御するもので、バイト単位で指定します。

max_payload_size 131072
block_size 16384

The Pandora RC agent connects to a Pandora RC server on the internet with port 18080, if it cannot connect, the agent can be (optionally) told to try a connection through a proxy.

Pandora RC エージェントは Pandora RC サーバへインターネット経由の 18080 番ポートで接続します。接続できない場合は、エージェントは(オプションで)プロキシを通して接続を試みることができます。

To do this, it is necessary to edit the agent's configuration file (in administrator mode) and use the following configuration tokens, specifying the IP address and the port of the HTTP proxy that the agent will use.

そのためには、エージェントの設定ファイルの(管理者権限での)編集と、エージェントが使用する HTTP プロキシの IP アドレスとポートを指定する必要があります。

proxy_address 127.0.0.1
proxy_port 3186

By default, the Pandora RC agent sends a small summary of the computer where it is installed (Disk, RAM, CPU, OS version, etc.). If for privacy you do not want to send this information, you can deactivate it with the following configuration token:

デフォルトでは、Pandora RC エージェントはインストールされているコンピュータの簡単な概要(ディスク、RAM、CPU、OS バージョン、など)を送信します。プライバシーのためにこの情報を送信したくない場合は、下記の設定トークンで無効化できます。

disable_info 1

There is an (optional) mode that allows the agent to listen on a local IP address and port and allow incoming connections directly from the Pandora RC client. Despite the fact that the connection is local, the Pandora RC agent will always contact the Pandora RC server on the Internet to validate the client's connection (username and password) and give them access, in addition to the agent's local authentication, if any.

これは Pandora RC クライアントから直接接続を受け付けるローカル IP アドレスとポートをエージェントがリッスンする(オプションの)モードです。

eh_local_port 41118

The agent will try to find out which is the most appropriate IP address to listen to, and it will be the one that “publishes” in the portal for which the client connects. Generally this will be the IP address by which you connect to the server. If it does not detect it well or you prefer to enter it by hand, you can use the following configuration token:

エージェントはどれがリッスンに最も適切な IP アドレスかを調べ、これはクライアントが接続するポータルで「公開」されるものの1つとなります。一般的にこれはサーバに接続する IP アドレスになります。うまく検出できない場合、もしくは手動で入力したい場合は下記設定トークンを使用できます。

eh_local_address 192.168.50.2

It must be taken into account that when using this connection mode, we will notice a substantial improvement in speed, especially in remote desktop and in file transfer. On the other hand, furthermore, it will require communication between client and remote client is clear of obstacles such as corporate or local firewalls. In the case of MS Windows® or GNU/Linux®, it will be necessary to deactivate the firewalls that are installed by default in said systems.

この接続モードを使用する場合、特にリモートデスクトップで速度が大幅に改善すること を考慮しなければなりません。一方で更に、クライアントとリモートクライアントの間で会社もしくはローカルのファイアウォールといった障害をクリアする必要があります。MS Windows® や GNU/Linux® の場合、これらのシステムでデフォルトでインストールされているファイアウォールを無効化する必要があります。

When an agent is in local connection mode, the machine can be accessed directly, using an interface modification that allows you to choose between remote connection or direct connection. Due to security restrictions of the Web Socket protocol, in order to make the local connection, you will have to do it exclusively from Google Chrome®, Mozilla Firefox® or Microsoft Edge® browsers. This connection mode is not supported with Safari® or MS Internet Explorer®.

エージェントがローカル接続モードであるとき、マシンはリモート接続か直接接続かを選ぶインターフェイスの変更によって直接接続することができます。Web ソケット プロトコルのセキュリティ制約により、ローカル接続を行うためには Google Chrome®、Mozilla Firefox®、Microsoft Edge® のいずれかのブラウザを使用しなければいけません。この接続モードは Safari® と MS Internet Explorer® ではサポートされていません。

For the local connection to be secure and reliable, it is possible to indicate to the agent a valid SSL certificate file (by a CA recognized by the browser to be used). This must be manually configured using the following configuration tokens:

eh_local_cert /full_path/to_public_ssl_cert
eh_local_key /full_path/to_private_ssl_key

The files must be in PEM (OpenSSL) format.

Right-clicking will bring up a dialog informing you that we are trying to load unauthorized sequences. Click on “Load unsafe scripts”.

conexion-sin-ssl-chrome.png}}

In the case of Mozilla Firefox® you must modify the general settings of the browser. In a new tab, type: about:config. There is a warning that the configuration is for advanced users, click Accept the Risk and Continue.

conexion-sin-ssl-firefox.png}}

Search for the token network.websocket.allowInsecureFromHTTPS and click the button to change it to the opposite value, true.

conexion-sin-ssl-firefox-modificar.png}}

This change is permanent. You will not need to change the configuration again in subsequent browser sessions.

The agent allows to specify a directory from which files can be uploaded/downloaded, this base directory is specified in the configuration file using the following configuration token:

storage_dir /home/ehorus

On MS Windows if you want to access all system drives, you can set this parameter to the value / .

The agent can store in a text record (log file) the information on its status, incoming connections, problems, and so on. To do this, you must activate the configuration token specified in the log file:

log_file 'C:\ProgramData\ehorus_agent\ehorus_agent.log'


</file>

And you can also modify how much information to dump to that file with the following configuration token.

<code>verbose x

Where X can be a numeric value from 0 to 9. A value of 0 is minimal information, and a value of 9 is maximum debugging information. The agent does not control the size of the log, so if it is configured to return the maximum information, it can generate a very large log.

verbose 4

If for whatever reason, you need to reprovision the agent, follow these steps:

• Stop the agent.
• Delete from the configuration file the configuration tokens: eh_hash and eh_key and start the agent again. It should be provisioned again with a different EKID.

You can disable (default is enabled) the functionality of deleting files from the remote file manager. To do this use the following configuration token:

enable_file_delete 0


</file>

==== Hide App Icon ====

It is possible to deactivate (by default it is activated) the Pandora RC agent service launching the desktop notification application. This application displays its icon in the notification area (tray area). To do this use the following configuration token:

<code>hide_tray 1

The value 1 means that the application is not launched and therefore the icon is not seen. The default value is 0.

There is an optional functionality that allows the user who is using the computer to receive a notification to inform or require confirmation of external access. This is especially critical to comply with certain legal regulations for remote access to computers. By default it is deactivated, but to activate it, it is enough to activate certain configuration tokens.

This functionality can be configured individually to regulate how each service is accessed (file transfer, process management, service management, remote shell, remote desktop, access sharing) and also serves to disable the use of one of those services in case you don't want it to be available.

The possible values for these configuration items are:

• Request: The user will be asked to accept the incoming connection, through a pop-up window. This window is timed out, and if the connection to the service is not explicitly accepted, access will be denied.
• Inform: It will only inform the user. If the user does not see it or presses the button that has seen it, the remote user will still enter.
• Always: The remote user enters without the local user having to authorize or see any pop-up messages. It is the default value
• Disable: The service will not be available in any case.

access_terminal always|request|inform|disable
access_display always|request|inform|disable
access_processes always|request|inform|disable
access_services always|request|inform|disable
access_files always|request|inform|disable
access_share always|request|inform|disable


</file>

On the other hand, the configuration element that defines the confirmation window timeout is:
<code>
access_dialog_timeout 30

The default value is 30 seconds. This timeout cannot be greater than the client keepalive refresh time, which is 60 seconds.

To use a customizable popup system, you must load an external DLL:

access_method 'C:\path\to\dll'

What the “Information” screen looks like is this:

pandora_rc-popup-informacion.png}}

And when the configuration “forces” the local user to confirm the connection, the information displayed is the following:

pandora_rc-popup-confirmar-conexion.png}}

In GNU/Linux this functionality is not implemented.

On Windows systems that have more than one display, the agent will automatically attempt to discover the primary display. If you want to use another screen or both screens at the same time, you will have to modify the agent configuration file:

display_selected -1 | 0 | 1 | 2

• The value -1 shows all screens.
• The value 0 (default) will show the main screen.
• Value 1 shows screen No. 1 (the second, in most cases)
• Value 2 (to infinity) will display screen 2..3.. etc (if any).

As of version 1.1.0, the Pandora RC agent can automatically request a new server from the directory before each connection attempt. To enable this feature, add the following line to the agent configuration file:

huh_balancing 1

Back to Pandora FMS Documentation Index