Using ntopng Recipients and Endpoints for Flexible Alert Handling


In the latest ntopng 4.1.x versions (and soon 4.2) we have completely reworked the way alerts are delivered to subscribers. Up to 4.0 the ntopng engine was configured in a single way for all alerts: go to the preferences page and specify where to deliver alerts. This was suboptimal for many reasons, including the fact that it was not possible to send alerts to different recipients on different channels, or to selectively decide when to send alerts out.

For this reason we have introduced two concepts:

  • Endpoints
    The server account configuration used to deliver alerts. It lets you configure the server parameters once (for email, for instance, the server IP, username and password) and reuse them multiple times.
  • Recipients
    The users reachable through an endpoint, to whom an alert is delivered. For instance, once you have configured an email server account endpoint, you can define several recipients reachable over the same endpoint: each simply inherits the endpoint configuration and defines just the recipient email address.

For the impatient, we have prepared a video that shows all the steps to follow in detail;

otherwise you can follow the short tutorial below.

How to Configure Recipients and Endpoints

This is done by selecting the System interface, using the Notification submenu.

Endpoints have to be defined first, as follows:

Note that there are several endpoint families including

  • Email
  • ElasticSearch
  • Slack
  • WebHook
  • Discord
  • Syslog

At this point you can define a recipient, that is, the one who will receive the alert message.

Note that you can specify which alert severities and categories are delivered to this person. This way you can, for instance, deliver security events to one recipient and network events to another.

Of course you can define multiple recipients and endpoints.

Binding Recipients to Alerts

Now that we have defined where alerts should be delivered, we need to specify how and when alerts are delivered to the specified recipients. This is implemented through Pools, which you can access under the System menu.

Pools are a way to group resources to which we want to apply a specific setup. As you can see from the picture below, there are various pool families:

  • Hosts
  • Interfaces
  • Local networks
  • SNMP Devices
  • Active Monitoring
  • Host Pools (pools of host pools)
  • Flows
  • Devices
  • System (Interface)

Suppose you want to send an alert when active monitoring has an alert to report. All you need to do is:

  • Select the Active Monitoring tab
  • Click on the Edit button, pick the recipient we have just defined from the dropdown menu, and save
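To make the endpoint / recipient / pool relationship concrete, here is a small model of the routing described above (recipient filters on severity and category, pools bound to recipients). This is an added illustration written for this post, not ntopng code; the class names, the severity ranking and the sample configuration are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Severity ranking, constructed for this example (assumed, not ntopng's internal values).
SEVERITY = {"info": 0, "warning": 1, "error": 2}

@dataclass(frozen=True)
class Endpoint:
    """Server-side settings configured once and shared (e.g. one SMTP account)."""
    name: str
    kind: str     # "email", "slack", "webhook", "syslog", ...
    server: str   # e.g. the SMTP host; credentials would live here too

@dataclass(frozen=True)
class Recipient:
    """Only the recipient-specific part: an address plus severity/category filters."""
    name: str
    endpoint: Endpoint
    address: str
    min_severity: str = "info"
    categories: frozenset = frozenset()   # empty means "any category"

    def accepts(self, severity, category):
        return (SEVERITY[severity] >= SEVERITY[self.min_severity]
                and (not self.categories or category in self.categories))

@dataclass
class Pool:
    """A group of monitored resources bound to one or more recipients."""
    name: str
    members: frozenset
    recipients: tuple

def route(pools, resource, severity, category):
    """Return (recipient, endpoint kind, address) for every recipient that gets this alert."""
    return [(r.name, r.endpoint.kind, r.address)
            for p in pools if resource in p.members
            for r in p.recipients if r.accepts(severity, category)]

# Constructed sample configuration: two endpoints, two recipients, two Active Monitoring pools.
SMTP = Endpoint("corp-smtp", "email", "smtp.example.internal")
SLACK = Endpoint("ops-slack", "slack", "https://hooks.example.internal/slack")
SECOPS = Recipient("secops", SMTP, "secops@example.internal", "warning", frozenset({"security"}))
NETOPS = Recipient("netops", SLACK, "#netops", "info", frozenset({"network"}))
POOLS = (
    Pool("critical-probes", frozenset({"probe-dc1"}), (SECOPS, NETOPS)),
    Pool("branch-probes", frozenset({"probe-branch"}), (NETOPS,)),
)

if __name__ == "__main__":
    # A security alert from the data-centre probe reaches secops only; from the branch probe it reaches nobody.
    print(route(POOLS, "probe-dc1", "error", "security"))
    print(route(POOLS, "probe-branch", "error", "security"))
```

The last call shows the case worth checking in a real deployment: a resource whose pool has no recipient for a given category silently produces no notification.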

If you want to double-check that this setup is correct, you can go to an active monitoring resource you defined and edit it.

As you can see in the highlighted text above, the new recipient we defined has been associated and is now in use.

What if you now want to define different recipients for each monitored host? You need to go back to the pools page, select Active Monitoring (the same applies to the other tabs), define new pools as shown below, and associate different recipients with them.

Then you can go back to the active monitoring page and select, for each host, the pool you want for it, as shown below.


A slightly more involved case is host pools, so it is worth mastering how they are defined. Unlike active monitoring, host pools can be quite complex, as you might want to define pool members based on IP addresses, networks (CIDR) and MAC addresses (great for DHCP networks where IPs are floating). Keep in mind that MAC addresses are only visible to ntopng when it monitors traffic on the same layer-2 segment as the hosts; traffic that has crossed a router carries the router's MAC address instead, so for remote hosts use IP or CIDR membership.


Final Words

We hope that the concept of recipients and endpoints is now clear. You now have the flexibility to deliver events to selected recipients in a simple yet effective way. All these features are part of ntopng 4.1.x and soon of the next 4.2 stable release.

Enjoy!