Zum Hauptinhalt springen

Config Standards

The Config Standards page compares system configuration (/rest/system/config) across every PBX in your fleet, highlights where each server deviates from your standard, and lets super admins fix drift remotely with a single click.

Requirements

Requires Vodia PBX v69 or later. Older PBXes are simply excluded from comparison. Keys that don't exist on a given PBX version are shown as n/a, never as drift.

How It Works

Monitor polls each PBX's system config hourly and stores a redacted snapshot — a new snapshot is only written when the config actually changes, and history is kept for 90 days. Around 140 keys are tracked across these categories:

CategoryExamples
Securitytls_min_version, password_policy, session_timeout, rest_rate_limit, csp
Blacklistblacklist_min_duration, blacklist_attempts_domain, blacklist_user_agent
Retentioncdr_keep, rec_keep, log_keep, alert_keep
SIP / RTPcodec_preference, max_regs, port_begin/port_end, symmetrical_rtp
Notificationsemail_trunk_change, email_cert_expire, performance_limit
Logginglog_event_* levels, log_duration
Partner / brandingapp_product, app_logo, provredirect, email_from
Provisioningpnp_*, provisioning paths

Individual keys can be excluded from comparison in Settings.

Baseline Modes

The "standard" each PBX is compared against comes from one of two modes, selected in Settings:

  • Fleet majority (default) — the most common value across the fleet is the baseline, per key. Stale servers are excluded from the derivation.
  • Reference PBX — nominate one server as the golden config; all others are compared against it.

Comparison Rules

Not every key is a simple string match. Each tracked key uses the rule that fits it:

  • Exact — normalized string equality (most keys).
  • Set — token lists such as blacklist_user_agent are compared order-insensitively and quote-aware, so a reordered list doesn't false-alarm but a missing scanner signature does.
  • Presence — checks configured vs empty (e.g. provredirect, snmp_trusted_ip), regardless of the actual value.
  • Contains — checks a value contains a configured substring. Enter your Monitor server's egress IP in Settings and every PBX is verified to have it whitelisted in pw_adr — catching Vodia's anti-flood IP block before it silently stops polling.

Views

Built to stay readable at 100+ servers:

  • By key — every tracked key with its baseline, a compliance bar, and chips for each drifting value (e.g. tls10 ×4). Expand a key to see exactly which PBXes hold each variant.
  • By PBX — compliance score per server, worst first. Fully compliant servers are hidden behind a toggle. Expand a server for its complete drift report.

Summary cards at the top show fleet compliance %, servers with drift, keys with drift, and stale/missing data. Poll now queues an immediate refresh across the fleet.

Push to Fix

Super admins can correct drift remotely. Clicking Fix on a drifting value opens a confirmation showing the exact before → after change for every affected PBX. On confirm, Monitor pushes the single key, re-reads the config to verify the value took, and shows a per-PBX result: applied, verify failed, or error.

Guardrails:

  • Super admin only, rate limited, and every push is written to the Audit Log with before/after values.
  • One key per push — there is deliberately no "apply entire baseline" button.
  • Lockout-capable keys are view-onlypw_adr, pw_api, and HTTP/SIP port keys cannot be pushed, since a bad value could lock Monitor (and you) out of the PBX.
  • Presence and contains rules are informational only and cannot be pushed.

Security & Privacy

Snapshots are redacted before storage. Passwords, API keys, tokens, provisioning credentials, and other secret-bearing keys are stripped and never written to the Monitor database — and therefore can never be viewed or pushed from Monitor.