Merge branch 'ntop:dev' into main

doc/src/alerts/available_recipients.rst

@@ -342,9 +342,10 @@ ntopng alert severities are mapped to standard syslog severities as follow:
 - *Warning* becomes syslog :code:`LOG_WARNING` equal to the integer 4
 - *Error* becomes syslog :code:`LOG_ERR` equal to the integer 3
 
-Two formats are available when sending alerts to syslog, namely plaintext and JSON. The format defaults to plaintext and can be toggled from the ntopng preferences page.
+A few formats are available when sending alerts to syslog: Text (plaintext), JSON (Raw), ECS, Checkmk.
+The default format is Text and can be changed from the ntopng preferences page.
 
-**Plaintext**
+**Text**
 
 Plaintext alerts have the following format:
 
@@ -399,25 +400,30 @@ Examples of JSON alerts sent to syslog are
 
 This format is used to track ntopng events within checkmk.
 
-Checkmk messages have the following format:
+In order to export alerts to Checkmk, the Checkmk host, port and protocol should be configured in the syslog endpoint configuration in ntopng.
+
+Please check the *Setting up the Event Console* section of the Checkmk documentation to configure syslog ingestion in Checkmk. This usually requires enabling the syslog addon by using the omd tool, and adding a filter for the ntopng alerts under `Setup -> Event Console`.
+
+After that, alerts exported by ntopng should be visible under `Monitor -> Events` in Checkmk.
+
+Alerts exported using the Checkmk format have the following format:
 
 .. code:: bash
    [Checkmk@18662 sl="family_id" comment="(Interface) (Severity) (Type) (Entity) (Entity Value) (Action)" severity="severity"] ... and a plain text message...
 
 Fields have the following meanings:
 
-- :code: `sl`: an identifier of the event, used, for example, to perform searches.
-- :code: `comment`: contain the information described in the Plaintext section, except for timestamp, which is assigned by checkmk to the event.
-- :severity: `severity`: the severity of the alert.
+- :code:`sl`: an identifier of the event, used, for example, to perform searches.
+- :code:`comment`: contain the information described in the Plaintext section, except for timestamp, which is assigned by checkmk to the event.
+- :code:`severity`: the severity of the alert.
 
-An example of Checkmk alert sent to syslog is
+Example of alert sent to syslog with the Checkmk format:
 
 .. code:: bash
 
    devel ntopng: [Checkmk@18662 sl="4" comment=" (Interface: enp0s3) (Severity: Warning) (Flow) (Binary file/data transfer (attempt)) (vbox:43972 -> it.archive.ubuntu.com:80)  Binary file/data transfer (attempt)" severity="Warning"] Binary file/data transfer (attempt)
 
-
-The value for service level have to be manualy mapped inside Checkmk under `Global settings > Notifications > Service Levels`.
+The service level values have to be manualy mapped inside Checkmk under `Setup -> Global settings > Notifications > Service Levels`.
 
 The final result should look like the one showed in the image below.
 

include/ntop_typedefs.h

@@ -377,7 +377,7 @@ typedef struct zmq_remote_stats {
   char remote_probe_version[64], remote_probe_os[64];
   char remote_probe_license[64], remote_probe_edition[64];
   char remote_probe_maintenance[64];
-  u_int32_t source_id, num_exporters;
+  u_int32_t source_id, uuid_num, num_exporters;
   u_int64_t remote_bytes, remote_pkts, num_flow_exports;
   u_int32_t remote_ifspeed, remote_time, local_time, avg_bps, avg_pps;
   u_int32_t remote_lifetime_timeout, remote_idle_timeout,
@@ -1222,6 +1222,7 @@ typedef struct {
   u_int32_t num_sflow_flows;
   u_int32_t num_netflow_flows;
   u_int32_t num_drops;
+  u_int32_t unique_source_id;
 } ExporterStats;
 
 #endif /* _NTOP_TYPEDEFS_H_ */

src/ZMQParserInterface.cpp

@@ -367,7 +367,9 @@ u_int8_t ZMQParserInterface::parseEvent(const char *payload, int payload_size,
                  json_object_get_string(z));
       if (json_object_object_get_ex(w, "uuid", &z))
         snprintf(zrs.uuid, sizeof(zrs.uuid),
-                 "%s", json_object_get_string(z));
+                 "%s", json_object_get_string(z));           
+      if (json_object_object_get_ex(w, "uuid_num", &z))
+        zrs.uuid_num = (u_int32_t)json_object_get_int64(w);
       if (json_object_object_get_ex(w, "ip", &z))
         snprintf(zrs.remote_probe_address, sizeof(zrs.remote_probe_address),
                  "%s", json_object_get_string(z));
@@ -490,6 +492,8 @@ u_int8_t ZMQParserInterface::parseEvent(const char *payload, int payload_size,
             exp_stats.num_netflow_flows = (u_int32_t)json_object_get_int64(x);
           if (json_object_object_get_ex(val, "num_drops", &x))
             exp_stats.num_drops = (u_int32_t)json_object_get_int64(x);
+          if (json_object_object_get_ex(val, "unique_source_id", &x))
+            exp_stats.unique_source_id = (u_int32_t)json_object_get_int64(x);
 
           exporters_stats[ip] = exp_stats;
         }
@@ -3206,6 +3210,8 @@ void ZMQParserInterface::lua(lua_State *vm, bool fullStats) {
     lua_push_str_table_entry(vm, "probe.ip", zrs->remote_probe_address);
     lua_push_str_table_entry(vm, "probe.uuid",
                              zrs->uuid);
+    lua_push_uint64_table_entry(vm, "probe.uuid_num",
+                             zrs->uuid_num);
     lua_push_str_table_entry(vm, "probe.public_ip",
                              zrs->remote_probe_public_address);
     lua_push_str_table_entry(vm, "probe.probe_version",
@@ -3288,6 +3294,7 @@ void ZMQParserInterface::exporterLuaStats(lua_State *vm) {
     lua_push_uint64_table_entry(vm, "num_netflow_flows", it->second.num_netflow_flows);
     lua_push_uint64_table_entry(vm, "num_sflow_flows", it->second.num_sflow_flows);
     lua_push_uint64_table_entry(vm, "num_drops", it->second.num_drops);
+    lua_push_uint64_table_entry(vm, "unique_source_id", it->second.unique_source_id);
 
     lua_pushstring(vm, buf);
     lua_insert(vm, -2);