Log monitoring in Pandora FMS is established in two different ways:
+
Log monitoring in **Pandora FMS** allows the user to visualize in a single console all the logs from multiple sources to be captured, organizing the information sequentially, using the time stamp in which the logs were processed.
- **Based on modules**: It represents logs in Pandora FMS as asynchronous monitors, being able to associate alerts to detected entries that meet a series of conditions preconfigured by the user. The modular representation of the logs allows:
+
This information does not contain structures or formats, it is stored in text format along with a time stamp (of the time of receipt), in addition to the original time stamps that the files may have had.
-
- Creating modules that count the occurrences of a regular expression in a log.
+
-
- Obtaining the lines and context of the log messages.
+
-
- **Based on combined display**: It allows the user to see in a single Console all the log information from multiple sources that is desired to be captured, organizing the information sequentially, using the timestamp in which the logs were processed.
These logs can be used to generate security events ([[[:en:documentation:pandorafms:monitoring:21_siem|SIEM]]) and/or for troubleshooting, legal compliance or forensic analysis purposes. The log processing capacity is limited only by the capacity of the device used to store them.
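Review bot: the SIEM link at the end of this region has three opening brackets, '([[[:en:documentation:pandorafms:monitoring:21_siem|SIEM]])', so the wiki will not render it as a link; it should read '([[:en:documentation:pandorafms:monitoring:21_siem|SIEM]])'. Also, with the 'Based on modules' and 'Based on combined display' items removed, the opening sentence 'Log monitoring in Pandora FMS is established in two different ways:' introduces a list that no longer follows; either drop that sentence or fold a one-line summary of the two approaches (module-based asynchronous monitors with alerts, and the combined viewer) into the new introduction.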
-
Starting with version 7.0 NG 774, Pandora FMS incorporates OpenSearch to store log information. See also "[[:en:documentation:pandorafms:technical_annexes:38_opensearch_installation|OpenSearch installation and configuration]]".
**Pandora FMS** uses **OpenSearch** to store log information. See also "[[:en:documentation:pandorafms:technical_annexes:38_opensearch_installation|OpenSearch installation and configuration]]" for how to configure it properly.
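Review bot: the replacement drops the version qualifier 'Starting with version 7.0 NG 774' that the previous wording carried, so readers on earlier versions lose the cue that OpenSearch-backed log storage does not apply to them. Suggest keeping it in the new sentence, e.g. 'Starting with version 7.0 NG 774, Pandora FMS uses OpenSearch to store log information.'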
* The logs analyzed by the [[:en:documentation:pandorafms:introduction:03_glossary|Software Agents]] (**eventlog** or text files), are forwarded to Pandora FMS server, in RAW form within the [[:en:documentation:pandorafms:introduction:03_glossary|XML]] agent report.
+
* The logs analyzed by the [[:en:documentation:pandorafms:introduction:03_glossary#software_agent|Software Agents]](<wrap :en>**eventlog**</wrap> or text files), are forwarded to the Pandora FMS server, in RAW form inside the [[:en:documentation:pandorafms:introduction:03_glossary#data_filesdata_xml|XML]] agent report.
-
* The Pandora FMS Data Server receives the agent's XML, which contains both monitoring and log information.
+
* The **Pandora FMS Data Server** receives the XML from the agent, which contains both monitoring and log information.
-
* When the Data Server processes the XML data, it identifies the information in the logs, saving in the main database the references of the reporting agent and the source of the log and then automatically sending the information to OpenSearch.
+
* When the Data Server processes the XML data it identifies the log information, storing in the main database the references of the reporting agent and the origin of the log and then automatically sending the information to OpenSearch.
-
* Pandora FMS stores data in OpenSearch indexes, generating a unique index daily for each Pandora FMS instance.
+
* Pandora FMS stores the data in OpenSearch indexes generating daily a unique index for each Pandora FMS instance.
-
* Pandora FMS server has a maintenance task that deletes the indexes at the interval defined by the system administrator (by default, 30 days).
+
* The Pandora FMS server has a maintenance task that deletes the indexes in the interval defined by the system administrator (by default, 30 days, modifiable).
+
* The logs travel through the network encrypted to avoid formatting problems.
+
* If you want the logs to travel over the network encrypted, you can use a secure transport ([[:en:documentation:pandorafms:technical_reference:09_tentacle#ks6|Secure communication Tentacle]]) for this purpose.
+
* The logs can be sent by **Syslog** to Pandora FMS Syslog Server, which directly processes the logs from a local Syslog server, making the processing much faster.
+
* The load can be distributed using different agents and remote Syslog servers to adopt the best distribution and suitability to the network topology.
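Review bot: the two encryption bullets contradict each other: 'The logs travel through the network encrypted to avoid formatting problems' presents encryption as a given (and with a rationale, avoiding formatting problems, that encryption does not provide), while the next bullet makes it opt-in through secure Tentacle communication. Keep only the opt-in wording, since that is what tells a reader that the Tentacle secure transport has to be configured before log data, which may contain sensitive content, is protected in transit. Secondary point: the 30-day default index deletion interacts with the legal compliance and forensic analysis uses mentioned earlier on the page, so a short reminder that the interval should be set to cover the required retention period would help; ', modifiable' is also redundant next to 'defined by the system administrator'.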
Log collection is done through agents, both in the agent for Microsoft Windows® and in Unix® agents (Linux®, MacOS X®, Solaris®, HPUX®, AIX®, BSD®, etc.). In the case of MS Windows® agents, information can also be obtained from the operating system's event viewer, using the same filters as in the event viewer monitoring module.
+
Log collecting is carried out by agents, both in Microsoft Windows® agents and in Unix® agents (Linux®, MacOS X®, Solaris®, HPUX®, AIX®, BSD®, etc).
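Review bot: the new wording drops the clause stating that Windows agents can also read the operating system's event viewer using the same filters as the event viewer monitoring module. The flow bullets above still list eventlog as a log source, so that sentence should survive the rewrite unless the capability was intentionally removed.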
For version 774 or later, the lines that appear under ''Logs extraction'' must be //uncommented//:
+
For version 782 or later, the following lines must be added to retrieve **Syslog** messages. As an example, the messages coming from the **dnf** command are excluded with the ''module_pattern_exclude'' directive:
For more information about the description of log type modules check the following section referring to [[:en:documentation:pandorafms:installation:05_configuration_agents|Specific directives]].
+
By using the ''module_type log'' directive, it is indicated //not to// store it in the database, but to send it to the //log// collector. Any module with this type of data will be sent to the collector, as long as it is enabled: //otherwise information will be discarded//.
For more information about log module description, please refer to the [[:en:documentation:pandorafms:installation:05_configuration_agents#ks6_2|Specific directives]].
For version 774 or later, the following lines must be configured for //log// retrieval:
-
By defining this type of tag, ''module_type log'', it is indicated that it must **not** be stored in the database, but rather that it must be sent to the log collector. Any module with this type of data will be sent to the collector, as long as it is enabled: otherwise the information will be discarded.
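Review bot: the two 'For version 774 or later' sentences give different instructions (uncomment the lines under 'Logs extraction' versus configure the following lines), and the configuration lines they refer to, including the 'module_pattern_exclude' example for dnf under the 782 sentence, are not present in this diff; make sure the agent configuration snippets sit next to each sentence and that the 774 and 782 instructions are clearly separated. The two paragraphs describing 'module_type log' say the same thing, so keep one, and in 'as long as it is enabled: otherwise information will be discarded' say explicitly what 'it' refers to, since a reader needs to know which component must be enabled to avoid silently losing log data.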
Similar to the log parsing plugin (**grep_log**), the **grep_log_module** plugin sends the processed log information to the Log Collector with the name "Syslog" as the source. It uses the regular expression ''\.\*'' (in this case "everything") as a pattern when choosing which lines to send and which not to send.
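Review bot: the pattern is given as ''\.\*'', which as a regular expression matches the literal text '.*' rather than 'everything'; if match-all is intended it should read ''.*'' (the backslashes may be a wiki escaping artifact, but they are what the rendered page shows). 'Which lines to send and which not to send' can also be tightened to 'which lines are sent'.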
This option allows you to save frequently used filtering preferences, thus creating a list of filters. Once all filter values have been set up, click <wrap :en>**Save filter**</wrap> and assign a name, which will allow you to click <wrap :en>**Save**</wrap> and thus save your preferences or changes (can be saved to an existing filter).
At any other time, these preferences may be loaded by means of <wrap :en>**Load filter**</wrap> to drop down the list of saved filters. Select one of them and click <wrap :en>**Load filter**</wrap>.
In the <wrap :en>**Operation → Logs → Filters**</wrap> menu, you can edit filters, including their individual or mass deletion. Filters can also be created using this option.
</WRAP>
</WRAP>
-
Through this option you may save frequently used filtering preferences, thus creating a list of frequent filters. When you have configured all the filter values, click **Save filter**, assign a name and click **Save**. At any other time you may load these preferences using the **Load filter** button, then download the list of saved filters, select one of them and click **Load filter**.
By using the favorites system in PFMS, a shortcut to the <wrap :en>**Log viewer**</wrap> with filtering preferences may be saved by clicking on the star icon in the section title.
Favorite elements work separately from [[#ks4_3|frequent filters]].
</WRAP>
</WRAP>
-
<WRAP center round info 60%>
+
<WRAP center round important 90%>
-
バージョン 770 以上
+
お気に入りの要素は [[#ks4_3|頻繁に使用するフィルタ]] とは別に機能します。
</WRAP>
</WRAP>
-
-
Using the favorites system in PFMS you may save a shortcut for the **Log viewer** with filtering preferences by clicking the star icon in the section title.
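Review bot: two lines of Japanese appear inside the English diff: 'バージョン 770 以上' ('Version 770 or later') and 'お気に入りの要素は [[#ks4_3|頻繁に使用するフィルタ]] とは別に機能します。' (the same sentence as 'Favorite elements work separately from frequent filters'). The version note has no English counterpart here, so if the favorites shortcut is a 770-or-later feature, state that in English inside the 'important' box and drop the duplicated Japanese sentence. The diff also shows six closing WRAP tags against two opening ones (info 60% and important 90%), so check that the boxes are balanced in the saved page and that only one of the two 'favorites' paragraphs (star icon in the section title) remains.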