NNA Alerting
Posted: Fri Jun 17, 2016 8:28 am
by gwakem
NNA 2.2.0
I have set up alerting within NNA to notify us when traffic drops to zero bytes. To test, I stopped the nfcapd process and started firewalld. In watching the alert under Alerting > Checks, I see the check last ran over 15 minutes ago, and there is no option to force a recheck. It doesn't indicate how often checks are run.
Also, when we do get alerts (from earlier testing), the messages don't contain an OK, Critical, or Warning. It simply says that the bytes crossed a threshold. It seems to use the plugin perfdata to clue you in to what the issue is, which is less than optimal. The web interface, however, knows if it's an OK, warning, or critical.
So, questions:
Does the nfcapd process have to be running for alerting to work?
Is there a way to force a recheck?
How often are checks run?
Can the state be passed to the emails?
Re: NNA Alerting
Posted: Fri Jun 17, 2016 8:49 am
by gwakem
So I found that the alerts run every five minutes by starting the nfcapd process back up from the web interface.
The web interface indicates the status of the alert is ok, but I am now getting email alerts every five minutes informing me of the current bytes in.
What's even more odd is with firewalld up, we seem to be receiving traffic in, whereas before, it fully stopped any traffic for over 35 days.
(for reference, this is the thread where this was discussed previously:
https://support.nagios.com/forum/viewto ... 16&t=38910 )
I can monitor if the nfcapd process stops via XI, and I can monitor whether firewalld is up or down via XI (although that now doesn't seem to matter??) so that covers two aspects of what could happen worst case scenario, but getting emails every five minutes about an alert in an OK state is stumping me.
Re: NNA Alerting
Posted: Fri Jun 17, 2016 10:34 am
by bwallace
I'll try to answer all your questions, but let me know if I've overlooked anything...
Does the nfcapd process have to be running for alerting to work?
Absolutely yes, Nagios Network Analyzer relies on nfcapd/sfcapd to capture flow data. Once the data is collected it is stored in binary files that are able to be read using a program called nfdump. This program is used by the Network Analyzer Backend to reap flow data files every 5 minutes. Every 5 minutes the backend will loop through each of the Sources you have created and consolidate bandwidth data into an RRD file and pull out any data for the Views that are associated with each Source.
More about this here:
https://assets.nagios.com/downloads/nag ... ackend.pdf
https://support.nagios.com/kb/article.p ... ategory=46
Is there a way to force a recheck?
No, we have to wait 5 minutes, for reasons described above. I agree, this delay can be annoying when testing changes.
How often are checks run?
I think you mean when is new flow data available? Every 5 minutes as you've observed - refer to this doc; section "Processing alerts"
https://support.nagios.com/kb/article.p ... ategory=46
Regarding the state and emails, can you post the email you receive (scrub any sensitive data) and a screenshot of the Alert you have configured in NNA that pertains to the Ok status of current bytes in?
Re: NNA Alerting
Posted: Fri Jun 17, 2016 10:52 am
by gwakem
Thanks for the links, I will definitely take a look at those.
The email reads:
======================
Wakem, Griffin,
The source NetflowListener1 has been evaluated for flows given these contraints:
dst port 80
Looking at the number of bytes that passed through, here is the plugin
result:
bytes on NetflowListener1 with filter `dst port 80` is 109745281 | bytes=109745281;2000:;1000:;0
Yours Truly,
NagiosNA Servbot
======================
screenshot-netanalyzer-2016-06-17 11-50-27.png
screenshot-netanalyzer-2016-06-17 11-48-10.png
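As an added example (not part of the original posts and not NNA's own code): the perfdata in the email above already carries the warning and critical thresholds, so the state can be derived from it. This sketch assumes the standard Nagios plugin range syntax (`2000:` alerts when the value falls below 2000) and unquoted perfdata labels; the function names and the two lower-traffic sample lines are constructed for illustration.

```python
import math
import re

STATES = ("OK", "WARNING", "CRITICAL")
# Plugin line copied from the email in this thread.
EMAIL_LINE = ("bytes on NetflowListener1 with filter `dst port 80` is 109745281"
              " | bytes=109745281;2000:;1000:;0")
# Constructed samples: traffic below the warning and critical floors.
LOW_LINE = "bytes on NetflowListener1 is 1500 | bytes=1500;2000:;1000:;0"
ZERO_LINE = "bytes on NetflowListener1 is 0 | bytes=0;2000:;1000:;0"

def parse_range(spec):
    """Parse a Nagios threshold range into (low, high, alert_inside)."""
    if not spec:
        return None
    inside = spec.startswith("@")      # "@" inverts: alert when inside range
    spec = spec.lstrip("@")
    start, end = spec.split(":", 1) if ":" in spec else ("0", spec)
    low = -math.inf if start == "~" else float(start or 0)
    high = float(end) if end else math.inf
    return low, high, inside

def alerts(value, rng):
    """True when value violates the range (outside it, or inside for '@')."""
    if rng is None:
        return False
    low, high, inside = rng
    return (low <= value <= high) == inside

def state_from_plugin_output(line):
    """Return (worst_state, {label: state}) from 'text | perfdata'."""
    _, _, perf = line.partition("|")
    results = {}
    for item in perf.split():
        label, _, data = item.partition("=")
        fields = data.split(";") + ["", ""]   # value;warn;crit;min;max
        match = re.match(r"-?\d+(\.\d+)?", fields[0])  # drop any unit suffix
        if not match:
            continue
        value = float(match.group())
        if alerts(value, parse_range(fields[2])):
            results[label] = "CRITICAL"
        elif alerts(value, parse_range(fields[1])):
            results[label] = "WARNING"
        else:
            results[label] = "OK"
    worst = max(results.values(), key=STATES.index, default="UNKNOWN")
    return worst, results

if __name__ == "__main__":
    for sample in (EMAIL_LINE, LOW_LINE, ZERO_LINE):
        print(state_from_plugin_output(sample)[0], "-", sample.split("|")[0].strip())
```

A mail filter or wrapper script could use the returned state to prefix the subject line, so that OK notifications are easy to tell apart from real threshold violations.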
Re: NNA Alerting
Posted: Fri Jun 17, 2016 1:02 pm
by bwallace
This is odd. Below are my settings / results
Alert settings.jpg
Critical Alert below threshold.jpg
Can you PM me to set up a remote session for Monday sometime? This will be most efficient, thanks
Re: NNA Alerting
Posted: Fri Jun 17, 2016 1:19 pm
by bwallace
I'll bet you are using NNA version 2.2.0 - I've been testing using 2.2.1 and just learned of this:
Fixed bug in Alerting table where the Last Stdout column was showing the wrong Bytes, Flows, Packets or Bytes/sec, which broke the alert [TPS#6371] -SS, LG
https://assets.nagios.com/downloads/nag ... HANGES.TXT
Can you upgrade to 2.2.1? This may resolve the issue.
Re: NNA Alerting
Posted: Mon Jun 20, 2016 9:05 am
by gwakem
I can try upgrading to 2.1.1. The change log lists that fix in 2.2.0, however (which I am using), and 2.2.1 only had two changes listed, neither of which should affect this.
Re: NNA Alerting
Posted: Mon Jun 20, 2016 9:18 am
by bwallace
Good catch - I'll be talking to you in a few minutes over our remote session and hopefully we'll get this resolved there.