Chat now with support
Chat with Support

Foglight 6.3.0 - Administration and Configuration Guide

Administering and Configuring Foglight Extending Your Monitoring Reach with Foglight Cartridges Administering Foglight Configure Rules and Metric Calculations to Discover Bottlenecks Customizing Your Foglight Environment with Tooling

Email Configuration

A proper configuration of email parameters enables Foglight to send email messages to selected recipients when certain thresholds are reached. Use the Email Configuration dashboard to view, configure and test email configuration parameters in Foglight.

The dashboard contains two views, each listing a set of configuration parameters: Email Server Configuration and Email Routing. Each parameter contains a registry value that Foglight uses to perform email actions. The following table describes the email parameters and identifies the registry variables they are associated with.

mail.host

Yes

Name or IP address of the mail server.

mail.from

Yes

Email address of the user that Foglight uses to send email messages.

mail.user

No

User name of the account that Foglight uses to send email messages.

mail.password

No

Password of the user account that Foglight uses to send email messages

mail.port

No

Port number that Foglight uses to communicate with the mail server. The default value is 25. If you want to use a different port number, set this parameter to the desired value.

mail.transport.protocol

No

Protocol used for sending email messages. The default protocol is SMTP. The only other protocol type supported, aside from SMTP, is SMTPS.

mail.debug

No

Indicates whether email-related debugging information is stored in the log.

mail.smtp.starttls.enable

No

Indicates whether you want to enable the STARTTLS protocol and use encryption when sending email messages from Foglight.

mail.use.ssl

No

Indicates whether you want to enable the SSL protocol and use encryption when sending email messages from Foglight.

alarm.notification.template.body.greeting

No

Body message of the customized alarm email. Only string type is supported.

alarm.notification.template.body.signature

No

Signature of the customized alarm email. Only string type is supported.

alarm.notification.template.subject

No

Subject of the customized alarm email. Only string type is supported.

DBADMIN

No

Email address of the database administrator.

J2EEADMIN

No

Email address of the Java EE technologies administrator.

SYSADMIN

No

Email address of the system administrator.

mail.recipient

No

Email address of the default recipient.

Use the Edit button on the Email Configuration dashboard to edit email settings.

1
On the navigation panel, under Dashboards, click Administration > Setup > Email Configuration.
3
In the Edit column, click .
5
Static values only. Specify the parameter value as instructed in the dwell and click Save. The Email Configuration dashboard refreshes, showing the newly configured value in the Value column.
6
Dynamic values only. Use the registry editor to specify the email settings that are likely to change over time, orthat need to be scoped to particular object instances.
a
In the dwell, click Use the advanced registry variable editor for routing based on schedules or specific monitored objects.
The display area refreshes, showing the Edit Registry Variable view in the Email Configuration dashboard.
When you finish updating the variable in the Edit Registry Variable view, click Save. Use the bread crumb trail at the top to return to the Email Configuration dashboard.

Test your email configuration to ensure that the potential recipients can receive email messages when pre-defined thresholds are reached.

For testing purposes, use an email address that you can easily access, such as your own email address. If you successfully configured email actions, the test email arrives at the specified destination address immediately after initiating the email test action.

1
On the navigation panel, under Dashboards, click Administration > Setup > Email Configuration.
On the Email Configuration dashboard, in the Email Server Configuration view, observe the Value column of each individual parameter.
TIP: The Mail Server (Name or IP) and Email Sender Address parameters are mandatory for a successful email configuration. Your mail server setup may require you to set additional parameters, such as the user name and password of the default sender, among others.
The Email Server Configuration view, illustrating a basic configuration with the mandatory parameters set.
3
In the Email Server Configuration view, click Test Configuration. The Test Configuration dialog box opens.
In the Test Configuration dialog box, in the Additional Addresses box, type your email address, then click Send Test Email.
7
Close the Successful and Test Configuration dialog boxes.

Users and Security

A Foglight user has a user name and a password and can belong to one or more groups. A user account has access to all the roles associated with the groups the user belongs to, and any additional roles associated with that account. Logging in to Foglight as a specific user authorizes you to perform a certain set of actions, based on the roles that are associated with that user account. Foglight can store user passwords on the Management Server, or in an external directory.

The Users tab lists all Foglight users, including:

the default foglight account

For every user, the list shows the following:

Internal. Internal users include the users that are created after the installation. When you create an internal user in Foglight, you assign a user name and password to that user.
Built In. Built-in users include the users that come with Foglight. One default account is included with Foglight. Unless you specify a different user name at installation time, that user name is foglight. This account has full access to all of Foglight features.
External. After Foglight validates external users, they are mapped from one of the LDAP-compatible directory services that Foglight supports (Active Directory, Oracle Directory Server Enterprise Edition, and OpenLDAP). When an external directory service is configured in Foglight, a user account is added to the list of existing users the first time an external user logs in to the browser interface. For more information about configuring Foglight to use an external directory service, see Configuring directory services.

The Users tab includes controls for managing user settings, creating new users, deleting users, forcing password changes, unlocking a user accounts, and a search tool. Clicking a user’s role or group entry allows you to quickly edit user permissions.

To access this tab, on the navigation panel, click Dashboards > Administration > Users & Security. From there, to start managing user access, click Manage Users, Groups, Roles and ensure that the Users tab is open in the display area.

The Users and Security dashboard allows you to look for user account, given a part of their user name.

1
On the navigation panel, under Dashboards, click Administration > Users & Security.
2
On the Users and Security Management dashboard, under User Look Up, type a part of the user name for the user that you want to find.
3
Click Look up. The Select a user dialog box opens, listing the users whose name matches the specified pattern.
4
In the Select a user dialog box, select the row containing the user entry that you want to look up and click View Detail.
The Details of User View shows the profile of a selected user.

The Users tab includes a wizard that allows you to create new users and grant them access permissions. The wizard is invoked using the New User button on the Users tab. Using this flow you can create one or more users with the same set of permissions.

Alternatively, use the fglcmd security:createuser command to create a user. For more information, see the Command-Line Reference Guide.

1
On the navigation panel, under Dashboards, click Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
On the Users tab, click New User. The New User dialog box opens.
a
In the Name box, type the user name; in the Email box, type the email address.
b
To specify additional user names, click Add more names, and type them into the list.
c
Click Next. The New User dialog box refreshes.
5
Select one or more groups that you want this user to belong to, followed by clicking Next. Adding a user to a group grants that user access to all of the roles that are associated with the group.
The New User dialog box refreshes.
6
Selecting Change Password at the next logon protects the user credentials by ensuring that the user you are about to create is asked to change their password after the first successful logon attempt. This is particularly useful if you are creating multiple user accounts using this flow. Forcing the password change in this step causes each of those users to change their individual passwords, thereby protecting their user credentials.
On the Select Home Page page, the navigation tree in the Name column shows dashboards grouped by module. Each module contains one or more dashboards. For each dashboard or module, the Allowed Roles column shows the roles associated with that component.
a
In the New User dialog box, review the list of dashboards in the Name column, paying special attention to the allowed roles. The list can be sorted alphabetically by module or allowed role, and includes a search tool.
c
Optional — Select the row containing the default time range for the data appearing on the home page. For example, to have the home page display the data collected in the last eight hours, select Last 8 Hours in the Default Time Range column.
d
Specify the refresh interval for the selected dashboard in seconds. For example, typing 600 causes the dashboard data display to refresh every ten minutes.
8
Click Finish.
The Editing user dialog box closes and the Make User Progress message box opens.
9
Close the Make User Progress message box and observe the Users tab. The newly created user entry appears in the list.

Use the Remove Users button on the Users tab to remove user accounts from Foglight. You can only delete those users that are added after the installation, or users imported into Foglight from an external directory. Their types appear as Internal and External, respectively, on the Users tab. The type of the default user account included with Foglight appears as Built-In. The Built-In account, or the account used to log in to Foglight, cannot be removed.

Deleting an external user from Foglight does not remove that account from the external directory.

Alternatively, you can delete internal or external users using the security:deleteuser command that comes with the fglcmd interface. For more information, see the Command-Line Reference Guide.

Copying a user account is useful in situations when you need to quickly create a modified version of an existing user. Instead of re-creating all of the account’s settings, such as adding groups or roles, simply copy an existing account and edit the required parameters. Copying external accounts creates a copy of that account in Foglight, with no effects on the external directory in which the account is defined. A copy of an external account appears as an internal account in Foglight and shows no association with external groups that the original account belongs to.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
3
On the Users tab, select a user account that you want to delete.
4
Click Remove Users. The Delete Objects dialog box opens.
5
Click Delete. The Delete Objects dialog box closes and the Users tab refreshes.
1
On the navigation panel, under Dashboards, click Administration > Users & Security.
3
On the Users tab, in the row containing the user account that you want to edit, click the Name column and choose Copy from the shortcut menu that appears.
a
In the Name box, type the user name; in the Email box, type the email address.
b
To specify additional user names, click Add more names, type them into the list that appears, then click Add.
c
Click Next. The Editing user dialog box refreshes.
Selecting Change Password at the next logon protects the user credentials by ensuring that the user you create is asked to change their password after the first successful logon attempt.
On the Select Home Page page, the navigation tree in the Name column shows dashboards grouped by module. Each module contains one or more dashboards. For each dashboard or module, the Allowed Roles column shows the roles associated with that component.
a
In the New User dialog box, review the list of dashboards in the Name column, paying special attention to the allowed roles. You can sort the list alphabetically by module or allowed role, or use the search tool.
c
Optional — Select the row containing the default time range for the data appearing on the home page. For example, to have the home page display the data collected in the last eight hours, select Last 8 Hours in the Default Time Range column.
d
Specify the refresh interval for the selected dashboard in seconds. For example, typing 600 causes the dashboard data display to refresh every 10 minutes.
8
Click Finish.
The Editing user dialog box closes and the Make User Progress message box opens.
9
Close the Make User Progress message box and observe the Users tab. The newly copied user entry appears in the list.

Adding a user account to a group grants that user account access to all the roles associated with that group. Adding a role to a user account grants that user account access to any actions associated with that role, in addition to the roles previously given to the groups that user is a member of. Individual roles that are associated with a group a user belongs to cannot be removed from the user account, without removing the user from that group.

Groups and roles can be associated with a user account in many different flows, for example, when creating new accounts or editing user details. This topic describes the process of editing users’ groups and roles directly on the Users tab.

On the Users tab, the Groups column shows the names of groups that are associated with each account, or the number of groups, if that number is higher than five. The Roles column contains the names of the roles that are granted to each group, or the number of roles, if a group takes on six or more roles.

Hovering over these columns shows a list of the groups and roles assigned to the user entry.

When hovering over an entry that contains an external user account, the list also displays the groups from the external directory that the user belongs to, and that are selected for visibility on the Groups tab.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, in the row containing the user account that you want to edit, click the Groups column.
5
Click Save. A message box opens, indicating the progress.
6
Observe the Groups column on the Users tab. Hovering over this column shows the list of current groups, taking into account the latest changes.
1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, in the row containing the user account that you want to edit, click the Roles column.
5
Click Save. The dialog box closes and a message box opens, indicating the progress.
6
Observe the Roles column on the Users tab. Hovering over this column shows the list of current roles, taking into account the latest changes.

Foglight password settings dictate the restrictions for password creation for internal and built-in users. Passwords for external users are defined and managed in the external LDAP directory.

The restrictions include the number of unsuccessful attempts after which an account is locked, or the number of days after which a password expires. The Locked column on the Users tab indicates if an account is locked, while Password Expired shows which user accounts have an expired password. Force Password Change identifies the user accounts that, upon a successful login, are asked to change their passwords. Additionally, Token Available indicates if the Auth Token is available for an account. This setting is recommended during the user creation process, to protect user credentials.

For example, the configured number of unsuccessful login attempts dictates the number of bad logins after which a user account is locked.

It is also possible to set individual user passwords to never expire or to set a specific expiry date.

For more information about password settings, see Configuring Password settings.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, in the row containing a built-in or internal user account whose password you want to change, click the Name column.
4
In the shortcut menu, click Change Password. The Change Password dialog box opens.
5
Type the new password in the Password and Confirm Password boxes.
6
Click Change.
1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, in the row containing a built-in or internal user account whose password you want to change, click the Name column.
4
In the shortcut menu, click Force Password Change. The Force to Change Password dialog box opens.
5
In the Force to Change Password dialog box, click Change Password Next Logon.
The Force to Change Password dialog box closes and the Force Change Password column refreshes on the Users tab, indicating that the password change is required upon the next login attempt.
1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, in the row containing a built-in or internal user account whose password you want to unlock, click the Locked column.
4
In the shortcut menu that appears, click Unlock. The Unlock Users dialog box opens.
5
In the Unlock Users dialog box, click Unlock.
The Unlock Users dialog box closes and a message box opens, indicating the progress.
After a few moments, the message box closes and the Locked column refreshes on the Users tab, indicating that the password is no longer locked.
The User Management view appears in the display area with the Users tab open.
4
On the Users tab, select the user whose password you set to never expire.
The Password Expires field should be set to Never.
TIP: To set a specific expiry date, run the command:
fglcmd.bat -cmd security:passwordexpiry -set <date> -u <user_name>
1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
2
On the Users and Security Management dashboard that appears in the display area, click Manage Users, Groups, Roles.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, click the user account whose password you want to set.
The Details of <user account> view appears in the display area.
5
Click Expiration Policy.
The Change Password Expiration Policy dialog box opens.
6
Select the Password Never Expires checkbox, and click OK.
The Details of <user account> view refreshes, and the Password Expires field is automatically updated to Never.
The Token Available field is automatically updated to Yes.
1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
2
On the Users and Security Management dashboard that appears in the display area, click Manage Users, Groups, Roles.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, click the user account which Auth Token you want to reset, then click Set Auth Token from the shortcut menu.
The Set Auth Token dialog box appears.
4
Click Set.
The Token Available field is automatically updated to Yes.
The Token Available field is automatically updated to No.
1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
2
On the Users and Security Management dashboard that appears in the display area, click Manage Users, Groups, Roles.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, click the user account which Auth Token you want to reset, then click Delete Auth Token from the shortcut menu.
The Delete Auth Token dialog box appears.
4
Click Delete.
The Token Available field is automatically updated to No.

The Details of User View shows current user profile. It also allows you to edit individual settings, such as password changes, groups and roles associated with the user, and the user audit trail. Drill down to this view by clicking the Name column on the Users tab, and choosing View from the shortcut menu that appears.

You can also edit user information using a wizard flow. This flow is limited to internal and built-in users only. It is similar to the one for creating new users. Start this flow by clicking the Name column on the Users tab, and choosing Edit from the shortcut menu.

1
On the navigation panel, under Dashboards, select Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, locate the row containing a built-in or internal user account whose details you want to view. In that row, click the Name column and choose View from the shortcut menu that opens.
Profile shows the basic user details, such as the user name, status, logon statistics, and other. Clicking Unlock, Change Password, or Force PasswordChange allows you to perform these operations, as required.
Groups & Roles tab lists the groups and roles associated with the user account. Clicking Edit in the Groups or Roles view allows you to edit the user’s groups or roles.
User Audit Trail tab lists the audited operations related to the user’s login attempts.
1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
On the Users tab, in the row containing the built-in or internal user account whose details you want to edit, click the Name column.
4
In the shortcut menu, click Edit. The Editing user dialog box opens. Any groups associated with the user account appear pre-selected in the flow.
5
Click Next. The Editing user dialog box refreshes and the groups associated with the user account appear selected.
6
If required, add or remove one or more groups, followed by clicking Next. Adding a user to a group grants access to all of the roles that are associated with that group.
Selecting Change Password in the next logon protects the user credentials by ensuring that the user you are about to create is asked to change their password after the first successful logon attempt.
In the Editing user dialog box, the navigation tree in the Name column shows dashboards grouped by module. Each module contains one or more dashboards. For each dashboard or module, the Allowed Roles column shows the roles associated with that component.
a
In the Editing user dialog box, review the list of dashboards in the Name column, paying special attention to the allowed roles. The list can be sorted alphabetically by module or allowed role, and includes a search tool.
c
Select the row containing the default time range for the data appearing on the home page, and click Next. For example, to have the home page display the data collected in the last eight hours, select Last 8 Hours in the Default Time Range column.
d
Specify the refresh interval for the selected dashboard in seconds, and click Finish. For example, typing 300 causes the dashboard data display to refresh every five minutes.
9
Click Finish. The Editing user dialog box closes and the Make User Progress message box opens.
10
Close the Make User Progress message box and observe the Users tab.
The newly copied user entry appears in the list. The Groups and Roles columns show any changes made to the user’s groups or roles, if applicable.

In Foglight, groups contain users. Roles are assigned to groups. A role that assigned to a group is also assigned to each member of that group.

The Groups tab lists all Foglight users. This includes the default groups included with Foglight and any groups that you create after the installation. For every group, the list shows its name, the roles and users associated with that group, and the group type. There are three types of groups in Foglight:

Internal. Includes the groups that are created after the installation.
Built-In. Includes the built-in groups that come with Foglight:
Foglight Users. All Foglight users are assigned to this group by default.
Cartridge Developers. Allows the users to modify core dashboards and system modules.
Foglight Administrators. Grants access to administration-level dashboards, except for the Users & Security dashboard.
Foglight Operators. Allows the users to have access to core and cartridge dashboards.
Foglight Security Administrators. Provides access to the Users & Security dashboard.
External. The groups that are mapped from an LDAP-compatible directory service that Foglight supports as part of the process of mapping external users. When an external directory service is configured in Foglight, you can display selected external groups on the Groups tab. For more information about configuring Foglight to use an external directory service, see Configuring directory services.

This tab includes controls for creating new groups, deleting existing groups, editing roles and users, and a search tool. Clicking a user’s role or group entry allows you to quickly edit group details.

To access this tab, on the navigation panel, choose Dashboards > Administration > Users & Security. From there, to start managing user access, click Manage Users, Groups, Roles and open the Groups tab.

The Groups tab includes a wizard that allows you to create new groups and associate them with roles and users. The wizard is invoked using the New Group button on the Groups tab. Using this flow you can create one or more groups.

Alternatively, you can create groups using the security:createuser fglcmd. For more information, see the Command-Line Reference Guide.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Select the Groups tab.
4
On the Groups tab, click New Group. The New Group dialog box opens.
a
In the Name box, type the group name.
b
To create multiple groups, click Add more names, type the names into the list, then click Add.
c
Optional — In the Description box, type the group description.
For example: A group that grants email administrators access to Foglight administrative dashboards.
d
Click Next.
The New Group dialog box refreshes. The list shows the existing user accounts, including the default foglight account, and any users that are created after the installation. To quickly find a desired user, for example, if the list of users is too long, you can issue a search.
6
Select one or more users that you want to add to the group. Click Next. Adding a user to a group grants that user access to all of the roles that you are associating with the group.
7
Select one or more roles that you want to associate with the group. Click Finish. Adding a role to a group grants the members of that group access to all of the roles that you are associating with that group.

LDAP groups are any user groups that are mapped from an LDAP-compatible directory service supported by Foglight, when external directory services are configured. By default, external groups do not appear on the Groups tab of the Users & Security Management dashboard. You can enable them for visibility, when required. Any groups that appear on this tab also appear in other flows.

You need to turn group visibility on and then configure LDAP group access permissions for the visible groups. Importing LDAP groups into Foglight and granting them access permissions enables their users to access the browser interface. Failure to do so prevents them from using the browser interface.

Groups with a certain set of permissions likely require similar permission levels in Foglight. For example, consider granting the Foglight Administrator role to those LDAP groups that already have administrative privileges in the external directory. In any case, follow you organization’s standards when configuring access permissions.

When you integrate Foglight with an external directory service, any user that is granted the Security Administration role (regardless of whether their account type is internal, built-in, or external), can import LDAP groups. To import one or more LDAP groups into Foglight, you must log in with an internal Foglight account (for example, foglight/foglight) to import and configure LDAP groups.

For more information about configuring Foglight to use an external directory service, see Configuring directory services.

2
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
4
Open the Groups tab.
5
On the Groups tab, click LDAP groups.
6
In the LDAP Group Visibility Settings dialog box, click Import Groups.
7
In the Import External Groups dialog box, find one or more groups that you want to import.
a
Optional — Limit the number of search results. In the Import External Groups dialog box, click Results Limit and select an appropriate value.
b
Enter a text string as a filter. For example, to find the groups whose names start with Office.Services, in the Group Name box, type Office.Services, and click Update Group List.
In the Import External Groups dialog box, the LDAP Groups to Import list refreshes, showing the groups that match the provided search criteria.
The Import External Groups dialog box closes and the Import Successful message box opens.
9
Close the Import Successful message box and observe the updated LDAP Group Visibility Settings dialog box.
10
In the LDAP Group Visibility Settings dialog box, select the groups that you want to import and click Save.
The Setting Saved message box opens.
11
Close the Setting Saved message box and observe the Groups tab.

From here, you can grant appropriate Foglight roles to the imported groups. For more information, see Associate users with groups and roles .

In a default Foglight installation, the Welcome page is the default page that appears in the display area after a successful login. In large distributed environments, some users may require access to other, role-specific dashboards immediately after logging in. A Foglight administrator, for example, may want to have the Administration home page as the landing page, instead of being taken to the Welcome page and having to navigate to the Administration page from there. Similarly, an operator may need to go directly to the Alarms dashboards, to review potential bottlenecks.

Foglight Security administrators have the ability to assign different home pages to different users or groups, when required. This can be done by configuring user preferences. In addition to changing the home page, configuring user preferences allows you to set the time range for the home page along with the refresh interval for the data appearing on that page. This is particularly useful when the home page displays important performance metrics that affect the behavior of your monitored system, and your organization as a whole.

You can configure user preferences for a user or a group. Changing a group’s home page affects all users that belong to that group, even if some of them already have a different home page assigned. For example, if a user belongs to the Foglight Administrators group, and you want that user to have a different home page, you can change that user’s preferences. However, changing the Foglight Administrators group preferences at a later time overwrites the user’s preferences causing that user to have the same home page as other members of the Foglight Administrators group.

When assigning home pages, it is important to take into consideration the allowed roles that are associated with individual dashboards. Although it is possible to view and select the dashboards for which a selected user or group does not generally have access permissions, doing so does not grant access to those dashboards. For example, setting the Administration dashboard as an operator’s home page results in the following message after the operator logs in to Foglight:

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
If you want to edit user preferences for one or more users, on the Users tab, select those users, and click User Preferences.
If you want to edit user preferences for one or more groups, open the Groups tab, select those groups, and click User Preferences.
In the Group Confirmation Dialog box, click Change to continue with user preference edits.
The Edit User Preferences dialog box opens.
The Edit User Preferences dialog box contains a navigation tree in the Name column, where dashboards are grouped by module. Each module contains one or more dashboards. For each dashboard or module, the Allowed Roles column shows the roles associated with that component.
4
In the Edit User Preferences dialog box, review the list of dashboards in the Name column, paying special attention to the allowed roles. The list can be sorted alphabetically by module or allowed role, and includes a search tool.
6
Select the row containing the default time range for the data appearing on the home page, and click Next. For example, to have the home page display the data collected in the last eight hours, select Last 8 Hours in the Default Time Range column.
TIP: The default value is Last 4 Hours.
7
Specify the refresh interval for the selected dashboard in seconds, and click Finish. For example, typing 600 causes the dashboard data display to refresh every ten minutes.
The Edit User Preferences dialog box closes. The user preferences are now successfully applied.

Use the Remove Groups button on the Groups tab to remove groups from Foglight. You can only delete those groups that are added after the installation, or groups from en external directory that are selected for visibility on the Groups tab. Their types appear as Internal and External, respectively, on the Groups tab. The type of the default groups included with Foglight appears as Built-In. Built-In groups cannot be removed. Removing an external group has no effect on the external directory in which it is defined.

Alternatively, you can delete internal or external groups using the security:deleteuser fglcmd command. For more information, see the Command-Line Reference Guide.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Open the Groups tab.
4
On the Groups tab, select the group that you want to delete.
5
Click Remove Groups.
6
In the Delete Objects dialog box, click Delete.
The Delete Objects dialog box closes. The Groups tab refreshes, no longer showing the newly-deleted group entry.

Adding a user account to a group grants that user account access to all the roles associated with that group. You can only edit users for built-in and internal groups, but not for external groups. Adding a role to a group grants the members of that group access to any actions associated with that role.

Roles and users can be associated with a group in many different flows, for example, when creating new groups or editing existing groups. This describes the process of editing groups’ users and roles directly on the Groups tab.

On the Groups tab, the Role Names column shows the roles granted to each group, or the number of roles, if that number is higher than five. The User Names column contains the names of the users that belong to each group, or the number of users, if a group contains six or more users.

Hovering over these columns shows a list of the groups and roles associated with the group entry.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Open the Groups tab.
4
On the Groups tab, in the row containing the group entry that you want to edit, click the Role Names column.
6
Click Save. The dialog box closes and a message box opens, indicating the progress.
7
Observe the Roles Names column. Hovering over this column shows the list of current roles, taking into account the latest changes.
1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Open the Groups tab.
4
On the Groups tab, in the row containing an internal or built-in group entry that you want to edit, click the User Names column.
6
Click Save. A message box opens, indicating the progress.
7
Observe the User Names column. Hovering over this column shows the list of current users, taking into account the latest changes.

You can edit group details using a wizard. This workflow is very similar to the one used creating new groups. Start it by clicking the Name column on the Groups tab.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Open the Groups tab.
4
On the Groups tab, in the row containing the user account whose details you want to edit, click the Name column.
The Editing group dialog box opens.
5
Click Next.
For Internal and built-in groups only: The Editing group dialog box refreshes.
6
Internal and built-in groups only: If required, add or remove one or more groups, then click Next. Adding a user to a group grants access to all of the roles that are associated with that group.
The Editing user dialog box refreshes.
7
If required, add or remove one or more roles, then click Finish. Granting a role to a group grants all members of that group access to the role.
The message box closes, indicating success. The Groups tab refreshes, along with the Role Names and User Names columns, taking into account the latest changes, as applicable.

In Foglight, roles are granted to groups and individual users. A role that is assigned to a group is also assigned to each member of that group.

There are two types of roles in Foglight:

Built-In. They dictate what actions users can perform. That is, when a role is assigned to a group, it enables the members of that group to use specific features or components for which access is controlled.
Built-In roles are also used in Foglight to determine which dashboards appear and are accessible to each user. See the Foglight User Guide for information about the relationship between roles and dashboards.
Administrator. This role enables a user to access the Administration Module, the Web Console (web.xml), hidden Administration URLs, and the JMX-Console. An Administrator can manipulate agents, rules, derived metrics, registry variables, cartridges, types, and scripts. Users with this role also have access to all available report templates. Other users can use only those report templates whose roles match their user roles. The only limitation for Administrators is that they cannot access or edit the Users and Security dashboard, or access the Dashboard Development dashboard.
Advanced Operator. This role builds on the Operator role by adding the ability to access build-oriented dashboards such as the Service Builder and the Reports page, where users can add, manage, and manipulate scheduled reports. Users with this role can only access the report templates with advanced operator roles.
Cartridge Developer. This role extends the Dashboard Designer role by allowing the user to modify core dashboards and system modules. It also grants access to the Dashboard Development dashboard.
Console User. This role enables a user to access the Web Console (web.xml) only. It is the base level locked-down read-only role. Users assigned this role will not have access to core dashboards.
Core Reports. This role is assigned to all report templates included with the Management Server. This role is required by vFoglight to limit access to the reports provided by Core.
Dashboard Designer. This role builds on the Dashboard User role by adding the ability to access all dashboard tools such as Definitions and Data Sources. This role is for users who design dashboards using these advanced dashboard tools.
Dashboard User. This role is similar to the Console User role, but with additional access to any additional dashboards associated with the user. This role also includes permission to create new dashboards, new reports, and to configure the dashboard environment.
General Access. This role is for pre-5.2 cartridges installed on a version 5.2 or later Management Server. The role will be added to the appropriate views so that dashboards from the cartridge will appear in the Foglight interface.
Operator. This is the base level role for monitoring in Foglight. Users assigned this role have access to the core dashboard set such as Hosts, Alarms, Services, and Reports, with the ability to create new dashboards. Users with this role can only access the report templates with operator-level roles. This is the recommended default for new users.
Report Manager. This role allows users to generate and schedule the reports to which they have role access. It is different from the Operator role in that the users granted the Operator role can generate reports but not schedule them. The Report Manager role does not allow the user to create report templates with either the Definitions editor or custom report builder. For complete information about the Definitions editor, see the Web Component Guide. For details about the custom report builder feature, see “Creating a Report based on the Current Dashboard” in the Foglight User Help.
Security. This role provides access to the Users & Security dashboard.
Support. Users with this role have access to the Manage Support Bundles dashboard and the report artifacts necessary to generate the Diagnostic report contained in the support bundle.
Internal. Users with the Security role can create Internal roles.

This tab includes controls for creating new roles, deleting existing roles, editing groups, and a search tool. Clicking a group column entry allows you to quickly edit the groups that are associated with a role.

To access this tab, on the navigation panel, choose Dashboards > Administration > Users & Security. From there, to start managing user access, click Manage Users, Groups, Roles and open the Roles tab.

The Roles tab includes a wizard that allows you to create new roles and associate them with groups. The wizard is invoked using the New Role button on the Roles tab. Using this flow you can create one or more roles.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Select the Roles tab.
On the Roles tab, click New Role. The New Role dialog box opens.
a
In the Name box, type the role name.
b
To create multiple groups, click Add more names, and type them into the list that appears, followed by clicking Add.
c
Optional — In the Description box, type the role description.
For example: A role that grants email administrators access to Foglight administrative dashboards.
d
Click Next.
The New Role dialog box refreshes.
The list shows the existing groups. If any external groups are selected for visibility on the Groups tab, they also appear in the list. To quickly find a desired group, for example, if the list of groups is too long, you can issue a search.
6
Select one or more groups to which you want to grant the role you are about to create, followed by clicking Finish. Granting a role to group grants that role to all of the users that are the members of that group.
After a successful role creation, the message box closes. The Roles tab refreshes, showing the newly-created role entry.

Use the Remove Roles button on the Roles tab to remove roles from Foglight. You can only delete internal roles that are added after the installation.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Open the Roles tab.
4
On the Roles tab, select the internal role that you want to delete.
5
Click Remove Roles. The Delete Objects dialog box opens.
6
Click Delete.
The Delete Objects dialog box closes. The Roles tab refreshes, no longer showing the newly-deleted role entry.

Granting a role to a group grants the role access to all users that are the members of that group.

Roles and groups can be associated with a group in many different flows, for example, when creating new roles or editing existing roles. This describes the process of editing roles’ groups directly on the Roles tab.

On the Roles tab, the Groups column shows the roles granted to each group, or the number of roles, if that number is higher than five.

Hovering over this column shows a list of the groups associated with the role entry.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Open the Roles tab.
4
On the Roles tab, in the row containing the role entry that you want to edit, click the Groups column.
6
Click Save. The dialog box closes and a message box opens, indicating the progress.
7
Observe the Groups column. Hovering over this column shows the list of current groups, taking into account the latest changes.

You can edit role details using a wizard flow. This flow is very similar to the one used creating new roles. Start this flow by clicking the Name column on the Roles tab.

1
On the navigation panel, under Dashboards, choose Administration > Users & Security.
The User Management view appears in the display area with the Users tab open.
3
Open the Roles tab.
4
On the Groups tab, in the row containing the user account whose details you want to edit, click the Name column.
The Editing role dialog box opens.
5
Click Next.
The Editing role dialog box refreshes.
6
If required, add or remove one or more groups, followed by clicking Finish. Associating a group with a role grants the group members access to that role.
The message box closes, indicating success. The Roles tab refreshes, along with the Groups column, taking into account the latest changes, as applicable.

Foglight administrators can use the setting to control dashboard access for a specific role.

NOTE: This feature requires cartridge support. If a cartridge supports Dashboard Access Control Settings feature, the key dashboards which support access control will be displayed on the Dashboard Access Control Settings view.

To get access to Dashboard Access Control Settings, click Dashboards > Administration > Users & Security in the Navigation panel.

The Dashboard Access Control Settings include the following fields:

Module Filter: Click the filter to hide the undesired modules.
Roles Filter: Click the filter to filter the desired roles.
Restore All to Defaults: If you have made any access state changes to the roles or modules, clicking this button will restore all the changes to default value.
Export Config: Export the current configuration as an .xml file.
Import Config: Import an existing configuration from an .xml configuration file to a new environment.
Restore Selected to Defaults: By checking the checkbox in Module column, restore the access state change of that row back to default value.

Configure Password Settings

Foglight password settings dictate the restrictions for password creation. Use the Password Settings view to explore and edit these settings to comply with your security requirements.

For example, you can set the complexity level that must be used in the passwords of internal users and the users with the Security role. Foglight uses the following levels:

1: Passwords are not checked for complexity.
2: Passwords must contain both alphabetic and numeric characters.
3: Passwords must contain at least one upper case letter, lower case letter, and numeric character, as well as at least one character that is not alphanumeric.

The security levels are set as User password complexity level and Administrator password complexity level values.

By default, the complexity level for internal users’ passwords is 2, while the default complexity level for users with the Security role is 3. The complexity level for administrator passwords must be set to 2 or higher.

1
On the navigation panel, under Dashboards, click Administration > Users & Security.
3
On the Password Settings view, click the Value of the property that you want to edit.
The Password Settings view refreshes, showing the updated setting.
4
Editing multiple settings. On the Configure Password Settings view, click Edit.
The Settings Editor dialog box opens.
Click Save.
After a few moments, the message box closes, indicating success. The Configure Password Settings view refreshes, taking into account the latest changes, as applicable.

Configure Directory Services

Default settings for LDAP directory servers are different. Use the following information as guidelines and substitute the default settings with the most appropriate values. See the documentation for your specific LDAP server for more information about these settings and the applicable values.

If you are using Active Directory, and have trusts configured to allow users from one domain to access resources in different domain, keep in mind that these trusts require OS authentication and as such cannot be used in Foglight. When LDAP is configured, Foglight authenticates users through the main Active Directory forest, but it only searches the domains that are the children of the primary LDAP server (specified by the Nearest LDAP server URL setting). If the primary LDAP server fails, it searches the domains that are the children of the secondary LDAP server (specified by the Secondary LDAP server URL setting). For more information about problems that you may encounter when configuring LDAP with Active Directory, see Common Active Directory configuration problems.

Learn more about:

Nearest LDAP server URL: The URL to the primary LDAP server.
host is the fully qualified domain name or IP address of the LDAP server.
port is the port number of the LDAP server.
Secondary LDAP server URL: The URL to the secondary LDAP server.
If you are using Active Directory, and the primary LDAP server (specified by the Nearest LDAP server URL setting) fails, Foglight searches the domains that are the children of the secondary LDAP server.
Account is anonymous: If set to true, Foglight uses an anonymous service account to search for users in the extended directory. The default user name for anonymous service accounts is __anonymous__. Enabling this option sets the Distinguished name of the service account to __anonymous__.
Distinguished name of the service account: The distinguished name (DN) of the service account for further user searching, or a special account, such as __anonymous__. In Active Directory, typically, a common name (CN) is used instead of DN.
Group attribute for nested group searching: Specifies the name of the attribute of groups (for example, member) that contains nested groups’ distinguished names. It is used for resolving nested group membership in indirect Mode of group searching.
JAAS LoginModule Name: This setting is internal and as such should never be modified.
Match on User DN: Indicates if user distinguished names are matched.
Maximum level of group nesting: Specifies the maximum number of nested groups that can be queried.
Parent group attribute ID: Specifies the name of the attribute of users and groups (for example, memberOf) that holds the containing groups’ distinguished names. Used for resolving group membership of users and recursive groups in direct Mode of group searching.
Password: The password of the service account used for user searching in the external directory.
LDAP query prefix, LDAP query suffix: An LDAP query searches for user accounts in the external directory. It takes the user information provided on the Foglight login page (see Logging in to the Foglight browser interface) and searches for user information in the external directory. The directory tree typically contains multiple levels. Searching individual parts of the directory tree makes the authentication process shorter and more efficient as opposed to searching the entire directory tree which can result in request time-outs. You can narrow down to the specific groups that you want the LDAP queries to use by setting the prefix and suffix of the query.
LDAP query suffix: ,CN=Users,DC=2k3,DC=dom
Role attribute ID, Is Role attribute a DN: Groups in the external directory are objects with attributes. Each attribute has an ID and a value.

The setting Role attribute ID specifies the name of the attribute that uniquely identifies the name of the role in the external directory. LDAP queries use the role attributes to authenticate users.

Is Role attribute a DN
specifies if the role attribute is a distinguished name.
Mode of group searching: Indicates the direction in which groups are searched:
disabled: Do not search for groups.
direct: Search for groups using the Parent group attribute ID (for example, memberOf).
The scope(s) to search for groups, The second group namespace, and The third group namespace: These settings indicate the groups in the external directory tree that are queried for a specific user whose authentication information is provided on the Foglight login page. You can specify up to three groups in the external directory, as required. The order in which the groups are searched is determined by the order these settings are listed: first, the query searches the group specified by the The scope(s) to search for groups setting, then the group specified by The second group namespace, and finally, the group specified by The third group namespace.
Environments with up to three or four users: There is no need to assign these groups. Instead, have the Foglight administrator assign the required roles after the initial user logins.
Larger environments: In Active Directory, create the same set of groups that exist in Foglight: Foglight Administrators, Foglight Security Administrators, and Foglight Operators. Add Active Directory user accounts that you want to integrate with Foglight to these groups, and set the The scope(s) to search for groups to point to the OU containing these groups.
LDAP search timeout (milliseconds): Specifies the maximal duration of an LDAP search, in milliseconds. LDAP searches that take longer than that result in time-outs.
Name of JAAS security domain: This setting is internal and as such should never be modified.
User alias attribute ID: User accounts in an external directory can have aliases. This setting specifies the name of the attribute associated with the user alias.
User attribute ID to search for groups: Specifies the name of the attribute of groups (for example, member) that contains users’ distinguished names. It is used for resolving group membership through groups in indirect Mode of group searching.
The LDAP context for user searching: Similar to specifying the groups in the directory tree, this setting provides a way for selecting a portion of the directory tree, giving a context to the query.
LDAP query suffix: ,CN=Users,DC=2k3,DC=dom
The LDAP context for user searching: CN=Users,DC=2k3,DC=dom

ldap://ukdatemea01:389

ldap://uklonemea01:389

No

Yes

No

CN=JW admin,OU=EMEA Admins,DC=emea,DC=corp,DC=apax,DC=com

__anonymous__

CN=foglight_admin, O=services

member

uniqueMember

member

com.quest.nitro.service.security.auth.spi.NitroExtendedLdapLoginModule

true

5

memberOf

********

CN=

uid=

CN=

,CN=Users,DC=emea,DC=corp,DC=apax,DC=com

,OU=Employees,DC=example,DC=com

,O=novell

name

cn

cn

false

direct

indirect

direct

OU=Foglight Admins,DC=emea, DC=corp,DC=apax,DC=com

Note: Setting the scope to search for a group with the ldap root DN may cause a javax.naming.PartialResultException during searching. To search from the root DN, change the ldap url to use a global category. For example, setting the Nearest LDAP server as ldap://ukdatemea01:3268 should prevent a javax.naming.PartialResultException.

OU=Groups,DC=example,DC=com

O=novell

OU=EMEA Admins, DC=emea,DC=corp,DC=apax,DC=com

 

OU=Dynamic Groups,DC=example,DC=com

N/A

CN=Foglight,OU=EMEA Admins,DC=emea,DC=corp,DC=apax,DC=com

N/A

10000

fgl-web-console

sAMAccountName

uid

uniqueId

memberOf

uniqueMember

member

OU=EMEA Admins,DC=emea,DC=corp,DC=apax,DC=com

OU=People,DC=example,DC=com

o=novell

Integrating Active Directory with Foglight can sometimes result in configuration problems. This topic lists the common configuration problems and provides the suggested solutions.

The Service Account must use the distinguished name (DN) format. The syntax must match exactly how the LDAP directory sees the object. You can use an LDAP browser (free LDAP browsers are available for download) to inspect your LDAP directory.

You can use the Active Directory dsquery command to see the DN for a Service Account.

This command creates a text file that you can search for proper Service Account DNs.

For example:

Foglight uses the LDAP context for user searching setting to determine where to start looking for LDAP users in the LDAP directory when an LDAP user logs into Foglight. Foglight searches for that user in that location, and every container level under that starting point. If the user account is at a higher level than what is set by the LDAP context for user searching, the login fails.

To test this behavior, simply set the context to the highest level of the LDAP tree. In Microsoft Active Directory, this is the Domain. For example, if the AD domain is example.com, the .LDAP context for user searching can be set to DC=example,DC=com.

You can adjust this setting later after ensuring that Foglight integration with LDAP works.

Foglight can only handle any check and return requests coming from LDAP. For example, Foglight cannot process requests for changing passwords that occur during login. Other types of requests that are also not handled by Foglight include: prevention of logon hours, prevention of logon to (specific workstations), password expirations, disabling accounts, and proprietary security requests. See your LDAP Administrator to help you inspect the Service Account.

To test this, log in to a Windows machine, to the Domain using the specified LDAP account. If anything is presented other than a successful login, Foglight will have a problem with this when it tries to submit an authentication. See your LDAP administrator to resolve your LDAP account issues.

If LDAP authentication is not working in Foglight, try configuring the LDAP query prefix setting to force using older NTLM authentication. Do this by changing the LDAP query prefix from “CN=” to “sAMAccount=” .

Cross-reference your Configure Directory Services settings with those on another Management Server that are not edited. Compare the formats of the entries. Check the settings that you think have not changed. Examples of incorrect formatting include:

Missing the leading comma in the LDAP query suffix setting. The valid format looks like this:
Changes to the JAAS LoginModule Name setting. The valid format looks like this:

Observing the result of a login attempt can often tell you if LDAP is successfully configured.

To do that, log in to the Foglight browser interface using your Active Directory account. If LDAP is successfully configured, you see the following message:

This message confirms that the LDAP configuration is successful. You just need to log in as a Foglight Security Administrator and add the newly added LDAP (External) user to a Foglight group which has the appropriate abilities (roles) granted.

If LDAP is not configured correctly, you see the following message:

You can return to the beginning of this topic and go through the troubleshooting steps to determine the problem.

Starting with the Foglight Management Server 5.7.5.7, it is possible to configure multiple LDAP directories and you are allowed to select any of the LDAP configurations for user authentication.

1
On the navigation panel, under Dashboards, click Administration > Users & Security.
The Configure Directory Services view appears.
3
From the Configuration for drop-down list, select an LDAP configuration to be used for leverage.
4
Click Copy & Create on the upper right corner of the Configure Directory Services view.
The Copy Configuration dialog box appears.
5
Click OK to copy and create a new LDAP configuration based on the selected one.

You are allowed to activate an LDAP configuration for authenticating the user login to Active Directory, as needed.

1
On the navigation panel, under Dashboards, click Administration > Users & Security.
The Configure Directory Services view appears.
3
From the Configuration for drop-down list, select an LDAP configuration that you want to use for the user authentication.
4
Click Activate.
The Update Directory Services Status dialog box appears, and the selected LDAP configuration is activated.

Once an LDAP configuration is activated, the Activate button will be changed to Deactivate. You can repeat the above workflow to deactivate this LDAP configuration when needed.

1
On the navigation panel, under Dashboards, click Administration > Users & Security.
The Configure Directory Services view appears.
3
From the Configuration for drop-down list, select an LDAP configuration that you want to delete.
4
Click Delete.
The Delete Configuration dialog box appears.
5
Click OK.
The Configure Directory Services view refreshes automatically and removes the selected LDAP configuration.

With the support of multiple LDAP configurations, the Foglight Management Server enables you to sort the LDAP query configurations for more effective user authentication.

1
On the navigation panel, under Dashboards, click Administration > Users & Security.
The Configure Directory Services view appears.
3
Click Reorder on the upper right corner of the Configure Directory Services view.
The Sort LDAP Configurations dialog box appears.
4
Click the arrow under the Move Up or Move Down column to sort LDAP configurations, as needed.
5
Click Save.

Use the Configure Directory Services view to enable Foglight to access user information that is stored in an external directory and to test these settings.

2
On the navigation panel, under Dashboards, click Administration > Users & Security.
The Configure Directory Services view appears.
1
On the Configure Directory Services view, click Reorder.
The Sort LDAP Configurations dialog box appears.
2
Click Move Up or Move Down to sort LDAP configurations, as needed.
5
Editing one setting at a time. On the Configure Directory Services view, click the Value column of the setting you want to edit.
Type the desired value into the dialog box and click Save. A message box opens, indicating that your changes are being saved.
After a few moments, the message box closes, indicating success. The Configure Directory Services view refreshes, showing the updated setting.
a
To edit the LDAP server’s URL, in the LDAP Locations view, click Edit.
Replace the default Nearest LDAP server URL and Secondary LDAP server URL entries with the valid values, as applicable. To test the connectivity to the nearest and secondary LDAP servers, click Test. When done, save your changes by clicking Save.
The URLs Editor dialog box closes and a message box opens, indicating that your changes are being saved.
After a few moments, the message box closes and the LDAP Locations view refreshes, showing the newly-edited values.
b
To edit the remaining settings, in the Settings view, click Edit.
The Settings Editor dialog box closes and a message box opens, indicating that your changes are being saved.
After a few moments, the message box closes and the Settings view refreshes, showing the newly-edited values.
a
In the Settings view, click Test Configuration.
The Test Configuration dialog box opens.
b
In the Test Configuration dialog box, type the name of a user account that exists in the newly integrated external directory, and click Test.
The Name Lookup Tracker message box opens.
After a few moments, the Name Lookup Tracker message box closes and the Test Result message box opens, listing the user names that start with the provided text.

Use the User Session Settings link on the Users & Security Management dashboard to configure the period of time after which Foglight logs out inactive users. You can set it to a desired number of minutes, or to an infinite period, as required. The time-out session minimum is five minutes.

1
On the navigation panel, under Dashboards, click Administration > Users & Security.
The Change User Session Timeout dialog box opens.
To define a specific user session timeout, in the Number of minutes after which user should be logged out box, type the number of minutes.
4
In the Change User Session Timeout dialog box, click OK.
The Change User Session Timeout dialog box closes and the User Session Settings task entry refreshes, indicating the newly configured timeout.

By default, global search is enabled for the Management Server. In some cases, you may want to disable global search, either for individual users, or for the entire Management Server. You can disable global search by following this procedure.

After you have disabled global search, you can enable it for specific users. Any users that require access to global search must have the WCF permission globalSearch set on their account. This allows you to control what users can access in their designated environment.

Where **Some other Role** is a role that you have created and assigned to users or groups that you want to be able to perform global search.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating