# Base config file for Pandora FMS Windows Agent # (c) 2006-2017 Artica Soluciones Tecnologicas # Version 7.0NG.742 # This program is Free Software, you can redistribute it and/or modify it # under the terms of the GNU General Public Licence as published by the Free Software # Foundation; either version 2 of the Licence or any later version # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY, without ever the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE # Edit this file to change your parameters or/and add your own modules # Any line with a # character at the first column will be ignored (comment) # General Parameters # ================== # NOTE: The variables $*$ will be substituted in the installation wizard server_ip $ServerIP$ server_path /var/spool/pandora/data_in temporal "%ProgramFiles%\pandora_agent\temp" # Group assigned for this agent (descriptive, p.e: Servers) group $GroupName$ # If set to 1 allows the agent to be configured via the web console # (only works on enterprise version). Set to 0 to disable it remote_config 0 #include "C:\Archivos de programa\pandora_agent\pandora_agent_alt.conf" #broker_agent name_agent # Agent uses your hostname automatically, if you need to change agent name # use directive agent_name (do not use blank spaces, please). # This parameter is CASE SENSITIVE. # agent_name My_Custom_Agent_name # To define agent name by specific command, define 'agent_name_cmd'. # If agent_name_cmd is defined, agent_name is ignored. # (In the following example, agent name is 'hostname_IP') # If set to __rand__ the agent will generate a random name. #agent_name_cmd cscript.exe //B "%ProgramFiles%\Pandora_Agent\util\agentname.vbs" agent_name_cmd __rand__ # Agent alias. Name should be unique rather than alias. Hostname by default # agent_alias $Alias$ #Parent agent_name #parent_agent_name caprica # address: Enforce to server a ip address to this agent # You can also try to detect the first IP using "auto", for example address auto # or setting a fixed IP address, like for example: #address 192.168.36.73 # This limits operation if temporal dir has not enough free disk. #temporal_min_size 1024 # Delay start execution X second before start to monitoring nothing #startup_delay 30 # Interval is defined in seconds interval 300 # tranfer_modes: Possible values are local, tentacle (default), ftp and ssh. transfer_mode tentacle server_port 41121 # timeout in seconds for file transfer programs execution (30 by default) #transfer_timeout 30 # In case of using FTP or tentacle with password. User is always "pandora" #server_pwd pandora # Extra options for the Tentacle client (for example: server_opts -v -r 5). #server_opts # If set to 1 disables log writing into pandora_agent.log #disable_logfile 1 # Debug mode renames XML in the temp folder and continues running # debug 1 # Default 0, set to 1 to avoid module executions and report to server # standby 1 # XML encoding (ISO-8859-1 by default). Most windows servers experience problems when you set to UTF-8. Other special codepages may be specified here. #encoding ISO-8859-1 # If set to 1 start Drone Agent's Proxy Mode # proxy_mode 1 # Max number of simultaneus connection for proxy (by default 10) # proxy_max_connection 10 # Proxy timeout (by default 1s) # proxy_timeout 1 # Enable or disable XML buffer. xml_buffer 1 # Agent mode: Learn (default), No-learn, Autodisable # agent_mode autodisable # EHorus configuration file default full path. #It try to find the EKID and set it like a custom field. ehorus_conf "C:\Program Files\ehorus_agent\ehorus_agent.conf" # Secondary groups. You can select several groups separated by comma. # secondary_groups Group1,Group2 # Secondary server configuration # ============================== # If secondary_mode is set to on_error, data files are copied to the secondary # server only if the primary server fails. If set to always, data files are # always copied to the secondary server. #secondary_mode on_error #secondary_server_ip localhost #secondary_server_path /var/spool/pandora/data_in #secondary_server_port 41121 #secondary_transfer_mode tentacle #secondary_transfer_timeout 30 #secondary_server_pwd mypassword #secondary_server_ssl no #secondary_server_opts # Example UDP server to be able to execute remote actions such # as starting or stopping process. #udp_server 1 #udp_server_port 4321 #udp_server_auth_address 192.168.1.23 #process_firefox_start firefox #process_firefox_stop killall firefox #service_messenger 1 ############################################### # Module Definition # Check online documentation and module library at http://pandorafms.org # ================= # CPU Load using WMI module_begin module_name CPU Load module_type generic_data module_wmiquery SELECT LoadPercentage FROM Win32_Processor module_wmicolumn LoadPercentage module_max 100 module_min 0 module_description User CPU Usage (%) module_min_warning 70 module_max_warning 90 module_min_critical 91 module_max_critical 100 module_unit % module_group System module_end # Basic info about TCP Connection module_begin module_name TCP_Connections module_type generic_data module_exec netstat -an | find /c /v "estab" module_description Total number of TCP connections active module_group Networking module_end # Example plugin to retrieve drive usage module_plugin cscript.exe //B "%ProgramFiles%\Pandora_Agent\util\df_percent_used.vbs" # Example plugin to retrieve memory usage module_plugin cscript.exe //B "%ProgramFiles%\Pandora_Agent\util\mem_percent_used.vbs" # Example plugin to retrieve network usage module_plugin cscript.exe //B "%ProgramFiles%\Pandora_Agent\util\network.vbs" ## Windows inventory module (This information will be displayed only in enterprise version) ## Please check the WMI is healthy before activate this functionality #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\cpuinfo.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\moboinfo.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\diskdrives.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\cdromdrives.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\videocardinfo.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\ifaces.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\monitors.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\printers.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\raminfo.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\software_installed.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\userslogged.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\productkey.vbs" #module_crontab * 12-15 * * 1 #module_end #module_begin #module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\productID.vbs" #module_crontab * 12-15 * * 1 #module_end ######################################### # EXAMPLES # ######################################### # Example: get Network information using Agent plugin #module_plugin cscript //B "%ProgramFiles%\Pandora_Agent\util\nettraffic.vbs" # External inventory plugin #module_begin #module_plugin cscript.exe //B "%ProgramFiles%\Pandora_Agent\util\software_installed.vbs" #module_interval 288 ## 288 x 5min = 24 hr, one execution per day, using module_interval #module_end # Free Memory #module_begin #module_name FreeMemory #module_type generic_data #module_freepercentmemory #module_description Free memory (%). #module_min_warning 21 #module_max_warning 30 #module_min_critical 0 #module_max_critical 20 #module_end # Log events #module_begin #module_name System Events (TermService) #module_type async_string #module_logevent #module_description Log Events coming from Terminal Service #module_source System #module_application TermService #module_end #module_begin #module_name Security Events (Invalid Login) #module_type async_string #module_description Security log events for invalid login attempt #module_logevent #module_source Security #module_eventcode 529 #module_end # Check if Dhcp service is enabled #module_begin #module_name DHCP Enabled #module_type generic_proc #module_service Dhcp #module_description Check DCHP service enabled #module_end #Antivirus monitoring #This modules checks the antivirus is running on your system, if there is and antivirus #This module gets the last date the signature file was updated and send this date to pandora. #module_begin #module_name Antivirus Last Update #module_type async_string #module_precondition =~ avguard.exe cmd.exe /c tasklist | grep avguard.exe | gawk "{print $1}" #module_exec dir "%ProgramFiles%\Avira\AntiVir Desktop\aevdf.dat" | grep aevdf.dat | gawk "{print $1\" \"$2}" #module_description Last update for Antivirus Signature file #module_end # Number processes #module_begin #module_name Number processes #module_type generic_data #module_exec tasklist | gawk "NR > 3 {print$0}" | wc -l #module_description Number of processes running #module_min_warning 175 #module_max_warning 249 #module_min_critical 250 #module_max_critical 300 #module_end # Example plugin to retrieve drive usage #module_plugin cscript.exe //B "%ProgramFiles%\Pandora_Agent\util\df.vbs" # Free space on disk C: (%) #module_begin #module_name FreeDiskC #module_type generic_data #module_freepercentdisk C: #module_description Free space on drive C: (%) #module_min_warning 31 #module_max_warning 40 #module_min_critical 0 #module_max_critical 30 #module_end # CPU usage percentage #module_begin #module_name CPUUse #module_type generic_data #module_cpuusage all #module_description CPU# usage #module_min_warning 70 #module_max_warning 90 #module_min_critical 91 #module_max_critical 100 #module_end # Free space on disk D: (%) # module_begin # module_name FreeDiskD # module_type generic_data # module_freepercentdisk D: # module_description Free space on drive D: (%) # module_end ## Plugin example for custom fields (version, architecture, IP, IPv6, MAC) # module_begin # module_plugin cscript.exe //B //t:20 "%PROGRAMFILES%\Pandora_Agent\util\win_cf.vbs" # module_crontab * 12-15 * * 1 # module_end # Example plugin to retrieve last 5 min events in log4x format # module_plugin cscript.exe //B "%ProgramFiles%\Pandora_Agent\util\logevent_log4x.vbs" Aplicacion System 300 # Sample on how to get a value from registry # This returns the last time user launch microsoft Windows update #module_begin #module_name Windows_Update_LastRun #module_type generic_data_string #module_exec getreg LM "SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" SetupWizardLaunchTime #module_description Last date and time user launch microsoft Windows update #module_end # Example of a remote TCP check #module_begin #module_name Google Port 80 #module_type generic_proc #module_tcpcheck http://www.google.com #module_port 80 #module_timeout 5 #module_description Check local port 80 #module_end # Example of regexp matching #module_begin #module_name PandoraAgent_log #module_type generic_data_string #module_regexp C:\archivos de programa\pandora_agent\pandora_agent.log #module_description This module will return all lines from the specified logfile #module_pattern .* #module_end # Get processor time from Performance Counter (SPANISH only, check your # locale string) using the Windows Performance tool to # identify proper PerCounter strings. Check documentation for detailed steps. #module_begin #module_name Processor_Time #module_type generic_data #module_perfcounter \Procesador(_Total)\% de tiempo de procesador #module_end # Example of module exec, used to know about the memory used by pandora process # grep.exe and gawk.exe are included in the util directory of the agent. #module_begin #module_name PandoraFMS RAM #module_type generic_data #module_exec tasklist | grep Pandora | gawk "{ print $5 }" | tr -d "." #module_end # Example of module exec, used get number of active terminal services sessions # Works on Windows 2003. In Windows XP the query.exe and quser.exe files were # moved to %WINDIR%\system32\dllcache. If XP, copy the exe to %WINDIR%\system32 #module_begin #module_name Active TS Sessions #module_type generic_data_string #module_exec query session | grep Activ | gawk "{ print $2 }" |wc -l #module_description Number of active TS Sessions #module_end # Example of watchdog process opening it if it gets closed # NOTE: This need to enable "Service can interactuate with the deskop" option # in the Pandora FMS Service configuration (Windows Service Control management). #module_begin #module_name TaskManager #module_type generic_proc #module_proc taskmgr.exe #module_description This keeps taskmgr always running in the system #module_async yes #module_watchdog yes #module_start_command c:\windows\system32\taskmgr.exe #module_end # Example of watchdog service opening it if it gets closed #module_begin #module_name ServiceVNC_Server #module_type generic_proc #module_service winvnc #module_description Service VNC Server watchdog/service #module_async yes #module_watchdog yes #module_end # Example of preconditions #module_begin #module_name Test Precondicion #module_type generic_data #module_precondition < 10 cmd.exe /c echo 5 #module_precondition > 10 cmd.exe /c echo 15 #module_precondition = 10 cmd.exe /c echo 10 #module_precondition != 10 cmd.exe /c echo 5 #module_precondition =~ 10 cmd.exe /c echo 10 #module_precondition (5,15) cmd.exe /c echo 10 #module_freepercentmemory #module_description Precondition test module #module_end # Example of postconditions #module_begin #module_name Test Postcondicion #module_type generic_data #module_condition < 10 cmd.exe /c echo min >> c:\log.txt #module_condition > 3 cmd.exe /c echo max >> c:\log.txt #module_condition = 5 cmd.exe /c echo equal >> c:\log.txt #module_condition != 10 cmd.exe /c echo diff >> c:\log.txt #module_condition =~ 5 cmd.exe /c echo regexp >> c:\log.txt #module_condition (3,8) cmd.exe /c echo range >> c:\log.txt #module_exec echo 5 #module_description Postcondition test module #module_end # Example of native encoding. #module_begin #module_name Written Accent #module_type generic_data_string #module_exec echo Bordón #module_native_encoding OEM #module_end