Types Definition

ntopng identifies alerts and flow statuses by a 64-bit ID. ID definitions are located in the following folders:

  • scripts/callbacks/alert_defs: contains alert definitions
  • scripts/callbacks/status_defs: contains flow status definitions

The directories contain Lua scripts in a well-defined format, which is described below. When implementing new alerts, the first thing to do is to define a new alert type, picking an unused ID. The available and used IDs can be viewed by visiting the /lua/defs_overview.lua page.

Alert Definition

An alert definition script must return a table with the following fields:

  • alert_id: the unique ID of the alert
  • i18n_title: a title for the alert (e.g. “Syn Flood”) or i18n localization string.
  • i18n_description (optional): a description for the alert, i18n localization string or formatter function.
  • icon: a CSS class for the alert's icon (e.g. fa-exclamation).

Warning

In order to avoid alert_id collisions with new ntopng scripts, users should use the dedicated custom IDs (e.g. alert_consts.custom_alert_1) in their custom scripts.

The i18n_description can be a formatter function with the following signature:

function alert_formatter(ifid, alert, info)
  return "formatted string"
end

where:

  • ifid: the interface ID where the alert was generated
  • alert: container for the alert information
  • info: a custom JSON passed during alert generation
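
A complete alert definition script that combines the fields and the formatter signature described above, given as an added example and not ntopng's own code. The alert_consts stand-in, the title text and the info keys (host, hits, threshold) are hypothetical, and the script assumes that info arrives as a decoded Lua table and that the returned string is shown in the web UI.

```lua
-- Added example: a custom alert definition script (not ntopng's own code).

-- Stand-in so this file also loads in a plain Lua interpreter; the value is a
-- constructed placeholder. Inside ntopng use the real alert_consts.custom_alert_1.
local alert_consts = { custom_alert_1 = 1 }

-- Assumption: the formatted string is displayed in the web UI, so values taken
-- from "info" are HTML-escaped before being embedded in it.
local HTML_ENTITIES = { ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;",
                        ['"'] = "&quot;", ["'"] = "&#39;" }
local function html_escape(value)
  return (tostring(value):gsub("[&<>\"']", HTML_ENTITIES))
end

-- Formatter with the documented signature (ifid, alert, info).
-- The keys read from "info" (host, hits, threshold) are hypothetical.
local function format_custom_alert(ifid, alert, info)
  local iface = html_escape(ifid)
  if type(info) ~= "table" then
    -- No usable details were passed at alert generation time.
    return "Custom alert on interface " .. iface
  end
  local host = html_escape(info.host or "unknown host")
  local hits, threshold = tonumber(info.hits), tonumber(info.threshold)
  if hits and threshold then
    return string.format("%s exceeded its threshold on interface %s (%s hits, limit %s)",
                         host, iface, hits, threshold)
  end
  return string.format("%s triggered a custom alert on interface %s", host, iface)
end

local definition = {
  alert_id = alert_consts.custom_alert_1,  -- custom ID range avoids collisions
  i18n_title = "Custom Threshold Exceeded",
  i18n_description = format_custom_alert,  -- formatter function instead of a string
  icon = "fa-exclamation",
}

-- Constructed sample call, useful when running this file outside ntopng.
print(definition.i18n_description(0, {}, { host = "<lab>", hits = 120, threshold = 100 }))

return definition
```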

Status Definition

A flow status definition script must return a table with the following fields:

  • alert_type: type of alert generated by this status
  • alert_severity: severity for the alert generated (e.g. alert_consts.alert_severities.error)
  • i18n_title: a title for the status (e.g. “Too many retransmissions”) or i18n localization string.
  • i18n_description (optional): a description for the status, i18n localization string or formatter function.

The i18n_description can be a formatter function with the following signature:

function status_formatter(status, flowstatus_info)
  return "formatted string"
end

where:

  • status: the current status of the flow
  • flowstatus_info: a custom JSON passed during alert generation