Config Standards
The Config Standards page compares system configuration (/rest/system/config) across every PBX in your fleet, highlights where each server deviates from your standard, and lets super admins fix drift remotely with a single click.
Requires Vodia PBX v69 or later. Older PBXes are simply excluded from comparison. Keys that don't exist on a given PBX version are shown as n/a, never as drift.
How It Works
Monitor polls each PBX's system config hourly and stores a redacted snapshot — a new snapshot is only written when the config actually changes, and history is kept for 90 days. Around 140 keys are tracked across these categories:
| Category | Examples |
|---|---|
| Security | tls_min_version, password_policy, session_timeout, rest_rate_limit, csp |
| Blacklist | blacklist_min_duration, blacklist_attempts_domain, blacklist_user_agent |
| Retention | cdr_keep, rec_keep, log_keep, alert_keep |
| SIP / RTP | codec_preference, max_regs, port_begin/port_end, symmetrical_rtp |
| Notifications | email_trunk_change, email_cert_expire, performance_limit |
| Logging | log_event_* levels, log_duration |
| Partner / branding | app_product, app_logo, provredirect, email_from |
| Provisioning | pnp_*, provisioning paths |
Individual keys can be excluded from comparison in Settings.
Baseline Modes
The "standard" each PBX is compared against comes from one of two modes, selected in Settings:
- Fleet majority (default) — the most common value across the fleet is the baseline, per key. Stale servers are excluded from the derivation.
- Reference PBX — nominate one server as the golden config; all others are compared against it.
Comparison Rules
Not every key is a simple string match. Each tracked key uses the rule that fits it:
- Exact — normalized string equality (most keys).
- Set — token lists such as
blacklist_user_agentare compared order-insensitively and quote-aware, so a reordered list doesn't false-alarm but a missing scanner signature does. - Presence — checks configured vs empty (e.g.
provredirect,snmp_trusted_ip), regardless of the actual value. - Contains — checks a value contains a configured substring. Enter your Monitor server's egress IP in Settings and every PBX is verified to have it whitelisted in
pw_adr— catching Vodia's anti-flood IP block before it silently stops polling.
Views
Built to stay readable at 100+ servers:
- By key — every tracked key with its baseline, a compliance bar, and chips for each drifting value (e.g.
tls10 ×4). Expand a key to see exactly which PBXes hold each variant. - By PBX — compliance score per server, worst first. Fully compliant servers are hidden behind a toggle. Expand a server for its complete drift report.
Summary cards at the top show fleet compliance %, servers with drift, keys with drift, and stale/missing data. Poll now queues an immediate refresh across the fleet.
Push to Fix
Super admins can correct drift remotely. Clicking Fix on a drifting value opens a confirmation showing the exact before → after change for every affected PBX. On confirm, Monitor pushes the single key, re-reads the config to verify the value took, and shows a per-PBX result: applied, verify failed, or error.
Guardrails:
- Super admin only, rate limited, and every push is written to the Audit Log with before/after values.
- One key per push — there is deliberately no "apply entire baseline" button.
- Lockout-capable keys are view-only —
pw_adr,pw_api, and HTTP/SIP port keys cannot be pushed, since a bad value could lock Monitor (and you) out of the PBX. - Presence and contains rules are informational only and cannot be pushed.
Security & Privacy
Snapshots are redacted before storage. Passwords, API keys, tokens, provisioning credentials, and other secret-bearing keys are stripped and never written to the Monitor database — and therefore can never be viewed or pushed from Monitor.