What’s In The (Alert) Inbox?


ntopng emits alerts to report relevant events. They can be triggered by traffic thresholds, user scripts, behavioural checks, or security issues, including those detected by IDS systems integrated with ntopng (the full list of built-in checks, and the alerts they generate, that can be enabled in ntopng is available in the Alerts section of the documentation). Some alerts are really critical and should be handled immediately to fix the problem; this is the case for security events, for instance (e.g. a compromised host that must be sanitized as soon as possible). Others do not really need manual intervention, as they report small issues with low severity, such as minor network performance problems (e.g. a connection issue).

Alerts generated by ntopng can be delivered to messaging systems, or in many other ways, using one of the Endpoints and Recipients available in the Notifications engine, which lets you control which alerts should be delivered to each recipient (e.g. based on family, category, severity, hosts, etc.). In addition to notifications, alerts can also be inspected at any time through the Alerts Explorer, available in the ntopng user interface. The explorer lets you navigate alerts by family, within a selected time range, and apply filters based on many criteria, so that you can query the alerts database and retrieve what you need in a few simple steps.

In ntopng 5.6 and earlier versions, alerts for each family were organized into 3 tabs:

  • Engaged
  • Past
  • Acknowledged

The Engaged tab listed alerts related to ongoing issues, triggered and not yet released (e.g. a threshold exceeded, where the actual traffic is still above the threshold and has not yet returned to normal levels). The Past tab listed all historical alerts, related to past events that have been stored in the database. The user could then acknowledge alerts and move them to the Acknowledged tab, leaving in the Past tab only those not yet "processed" and "marked" by the user. In theory this was a good system for alert management: as soon as an alert appeared, the user was supposed to go to the Past tab, read it and, after fixing the issue, mark it as acknowledged, so the Past tab was supposed to stay almost empty. In practice, however, with the many traffic checks added to ntopng over time, on large networks with most of them enabled the system usually reports a large number of alerts, and most of them are minor network issues that do not require manual intervention one by one. This makes it impossible to keep the Past tab empty.

For the above reasons, ntopng 5.7 introduces a new "inbox" design for the Alerts Explorer. The new interface consists of 3 tabs: Engaged, Unread ("Require Attention") and All.

The Engaged tab (hourglass icon) remains unchanged, reporting alerts related to ongoing issues.

The All tab (drawer icon) reports all historical alerts, similar to an archive, including both unread and read/acknowledged alerts.

The Unread, or "Require Attention", tab (eye icon) instead lists only the alerts that are supposed to require user intervention (e.g. security related) and that are really important. For each individual check, the system decides whether an alert should be emitted as "unread" (for those that require attention) or already "read" (for those that do not really need to be analyzed by the user). For instance, security-related alerts are likely to appear in the Unread tab, while alerts related to minor network issues will probably be archived directly in the All tab. However, minor alerts still contribute to the score of the affected host, and if the problem persists and occurs many times you will definitely notice it, as the score of that host keeps growing (and an alert with higher severity is triggered as a consequence).

In short, the Unread tab is what the user should check daily to acknowledge alerts that require attention. In any case, all alerts can still be inspected from the All tab.
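To make the triage concrete, here is a constructed, simplified model of the inbox design described above (the three tabs, the per-check "unread"/"read" decision at emission time, and score accumulation from minor alerts that escalates into a higher-severity alert). This is an added example and not ntopng's code: the set of families that require attention, the severity weights, the escalation threshold and all sample events are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumptions for illustration only; ntopng's real checks, weights and
# thresholds are configured per check and are not modelled here.
ATTENTION_FAMILIES = {"security"}
SEVERITY_SCORE = {"notice": 1, "warning": 5, "error": 10, "critical": 50}
ESCALATION_THRESHOLD = 30


@dataclass
class Alert:
    id: int
    host: str
    family: str          # e.g. "security", "network", "score"
    check: str
    severity: str
    triggered_at: int    # epoch seconds
    released_at: Optional[int] = None  # None while the condition persists
    read: bool = False


def requires_attention(alert: Alert) -> bool:
    """Per-check decision made when the alert is emitted: security alerts and
    anything of error/critical severity start unread, minor issues start read."""
    return alert.family in ATTENTION_FAMILIES or alert.severity in ("error", "critical")


class AlertInbox:
    def __init__(self) -> None:
        self.alerts: List[Alert] = []
        self._next_id = 1

    def emit(self, host, family, check, severity, triggered_at, released_at=None) -> Alert:
        alert = Alert(self._next_id, host, family, check, severity, triggered_at, released_at)
        self._next_id += 1
        alert.read = not requires_attention(alert)
        self.alerts.append(alert)
        self._maybe_escalate(host, triggered_at)
        return alert

    def release(self, alert_id: int, when: int) -> None:
        """An engaged alert is released once the condition returns to normal."""
        for a in self.alerts:
            if a.id == alert_id and a.released_at is None:
                a.released_at = when

    def acknowledge(self, alert_id: int) -> None:
        for a in self.alerts:
            if a.id == alert_id:
                a.read = True

    # The three tabs of the new Alerts Explorer
    def engaged(self) -> List[Alert]:
        return [a for a in self.alerts if a.released_at is None]

    def unread(self) -> List[Alert]:
        return [a for a in self.alerts if a.released_at is not None and not a.read]

    def all(self) -> List[Alert]:
        return [a for a in self.alerts if a.released_at is not None]

    def host_score(self, host: str) -> int:
        """Every alert, read or not, adds its severity weight to the host score."""
        return sum(SEVERITY_SCORE[a.severity]
                   for a in self.alerts if a.host == host and a.family != "score")

    def _maybe_escalate(self, host: str, now: int) -> None:
        """Minor alerts need no individual attention, but once their accumulated
        score crosses the threshold a single higher-severity, unread alert is raised."""
        already = any(a.host == host and a.family == "score" for a in self.alerts)
        if not already and self.host_score(host) >= ESCALATION_THRESHOLD:
            esc = Alert(self._next_id, host, "score", "host_score_exceeded", "error", now, now)
            self._next_id += 1
            esc.read = not requires_attention(esc)  # error severity -> unread
            self.alerts.append(esc)


def demo() -> AlertInbox:
    """Constructed sample events: one security alert, one engaged threshold
    alert, and a burst of minor network warnings on a third host."""
    inbox = AlertInbox()
    inbox.emit("10.0.0.7", "security", "malware_contact", "warning", 1000, 1000)
    inbox.emit("10.0.0.9", "network", "throughput_threshold", "warning", 1001)
    for t in range(7):
        inbox.emit("10.0.0.5", "network", "tcp_issues", "warning", 1002 + t, 1002 + t)
    return inbox


if __name__ == "__main__":
    box = demo()
    print("engaged:", [a.id for a in box.engaged()])
    print("unread :", [(a.id, a.host, a.check) for a in box.unread()])
    print("all    :", len(box.all()), "score(10.0.0.5) =", box.host_score("10.0.0.5"))
```

Running the demo shows the intended effect: the seven `tcp_issues` warnings never appear in Unread, but the sixth one pushes the host score to the threshold and produces one `host_score_exceeded` alert that does, while the security alert is unread from the start and the threshold alert sits in Engaged until it is released.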

We hope that this new design will simplify alert management and let users see which alerts are relevant without digging through all of them.

Enjoy!