Alerts: Difference between revisions

From VoIPmonitor.org
No edit summary
(Clarify limitation: Last sip response (full text) cannot use percentage thresholds, only numeric SIP response field supports % triggering)
 
(42 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Alerts&Reports contains tools to generate email alerts based on QoS parameters or SIP error conditions. It can also generate daily report or generate ad hoc reports. All generated alerts and reports are saved in history.
{{DISPLAYTITLE:Alerts & Reports}}
Alerts are processed by PHP script which has to be placed to crontab
[[Category:GUI manual]]


Debian
= Alerts & Reports =
echo "* * * * * root php /var/www/php/run.php cron" >> /etc/crontab


Centos
Email notifications triggered by QoS thresholds, SIP errors, or sensor health conditions. The system stores all alerts in history for review.
echo "* * * * * root php /var/www/html/php/run.php cron" >> /etc/crontab


(it depends where is the voipmonitor GUI installed, it should point to run.php file)  
<kroki lang="plantuml">
@startuml
skinparam shadowing false
skinparam defaultFontName Arial
rectangle "Sensor" as sensor
database "MySQL" as db
rectangle "Cron\n(1min)" as cron
rectangle "Alert\nProcessor" as processor
rectangle "MTA" as mta
actor "Admin" as admin
sensor --> db : CDRs
cron --> processor : Trigger
processor --> db : Query
processor --> mta : Email
mta --> admin : Alert
@enduml
</kroki>


modify
== Prerequisites ==


Do not forget to killall -HUP cron (crond)
=== Email Configuration ===


= Configure alerts =
Alerts use PHP's <code>mail()</code> function via the server's MTA (Postfix/Exim/Sendmail).


Email alerts trigger alerts based on SIP protocol or RTP QoS metrics.
{| class="wikitable"
|-
! Setting !! Location !! Description
|-
| From Address || GUI > Settings > System Configuration > Email || <code>DEFAULT_EMAIL_FROM</code> - sender address for all alerts
|-
| Cron Job || <code>/etc/crontab</code> || Required for alert processing
|}


[[File:alertgrid.png]]
<syntaxhighlight lang="bash">
# Add cron job (required)
echo "* * * * * root php /var/www/html/php/run.php cron" >> /etc/crontab
killall -HUP cron  # Debian/Ubuntu
# or: killall -HUP crond  # RHEL/CentOS
</syntaxhighlight>


Alerts are divided into two types RTP alerts and SIP signalization. Each of those shares common filters: Duration of call, IP addresses, Numbers and E-mails to which the alert is sent.
== Alert Types ==


Alert type RTP allows alerts to trigger based on MOS, Packet loss, jitter, Delay, one way call (call was answered and one of RTP stream is missing) and Missing RTP (call was answered and both RTP stream is missing). An alert is triggered once one of the thresholds is reached and number of incidents is greater than the set value or number of CDR is over percent threshold.  
Access via '''GUI > Alerts'''.


[[File:alertrtpform.png]]
=== RTP Alerts ===


SIP response alert type triggers alerts based on SIP response type.
Trigger on voice quality metrics:
* '''MOS''' - below threshold
* '''Packet loss''' - percentage exceeded
* '''Jitter''' - variation exceeded
* '''Delay''' (PDV) - latency exceeded
* '''One-way calls''' - one RTP stream missing
* '''Missing RTP''' - both RTP streams missing


[[File:alertsipform.png]]
Configure alerts to trigger when number of incidents OR percentage of CDRs exceeds threshold.


If the SIP response is empty - all call attempts are reported based on the filter criteria only. This is for example useful to watch calls to 112. If SIP response is 0 - all calls with no response are triggered (unreplied INVITE)
=== RTP&CDR Alerts ===


IP/Number group – choose to which group of IP/Numbers the alert is applied. Groups are defined in Groups main menu. IP address/Numbers – choose individual IP addresses/numbers or network ranges to which is the alert applied. Delimited by [enter]E-mail Group – choose to which Emails defined in groups should be alert sent. E-mails – choose individual list of E-mails for alert delivery. Delimited by [enter].  
Combine RTP metrics with CDR conditions including '''PDD (Post Dial Delay)'''.


[[File:alertgroup.png]]
'''Using Filter Templates:'''
= Sent alerts =
# Create CDR filter in '''GUI > CDR'''
Each sent alert is saved into history and looks exactly same as delivered in the email.
# Save as template
# In alert config, select from '''Filter template''' dropdown


[[File:alert-sentalerts.png]]
{{Tip|1=Use filter templates for complex conditions like <code>duration > 14400</code> (calls over 4 hours) or <code>absolute_timeout</code> (truncated recordings).}}
In the parameters table overall QoS metrics are shown with bad values highlighted.  


[[File:alert-perameters.png]]
=== SIP Response Alerts ===
The CDR records table shows individual cases. Alert flag column shows if the call alerted because of (M)OS, (J)itter, (P)packet loss or (D)elay.
 
{| class="wikitable"
|-
! Response Code !! Meaning
|-
| Empty || All call attempts per filters
|-
| '''0''' || No response received (routing loops)
|-
| '''408''' || Timeout after provisional response (server unresponsive)
|-
| Specific || Exact codes (404, 503, etc.)
|}
 
==== "from all" Checkbox (Percentage Thresholds) ====
 
{{Warning|1=This setting is critical for IP group monitoring.}}
 
* '''CHECKED''': % calculated from ALL CDRs in database
* '''UNCHECKED''': % calculated only from filtered CDRs (correct for specific IP groups)
 
 
 
==== SIP Response vs Last SIP Response ====
 
There are two different fields for matching SIP responses:
 
{| class="wikitable"
|-
! Field !! Location !! Supports % Threshold !! Use Case
|-
| '''SIP response''' || GUI > Alerts > SIP Response Alerts || {{Yes}} || Match by numeric code (e.g., 487, 503)
|-
| '''Last sip response''' || GUI > Alerts > Filter common || {{No}} || Match by full text (e.g., "487 Request Terminated")
|}
 
{{Warning|1=The GUI '''cannot trigger alerts based on percentage of full textual response strings'''. If you need percentage-based triggering for SIP response codes, use the '''SIP response''' numeric field instead.}}
 
The '''Last sip response''' field supports wildcard patterns (%, %Request Terminated%, %487%) but only triggers based on count thresholds, not percentages.
=== International Call Alerts (Called Number Prefixes) ===
 
Monitor calls to international destinations using '''prefix-based matching''' (dialing patterns like 00, +).
 
{{Note|1=This uses phone number prefix detection, NOT IP geolocation. For GeoIP-based detection, see [[Anti-fraud|Anti-Fraud Rules]].}}
 
'''Configuration:'''
# '''GUI > Settings > Country prefixes''' - Define international prefixes (00, +), local country, minimum digits
# '''GUI > Alerts > Filter common''' - Configure:
 
{| class="wikitable"
|-
! Setting !! Description
|-
| Called number prefixes || Which prefixes trigger alert (uncheck ALL for all international)
|-
| Exclude called number || Country codes to exclude (e.g., +44, 0044 for UK)
|-
| Strict for prefixes || Require international prefix (00/+)
|-
| NANPA || North American Numbering Plan
|}
 
=== Sensors Alerts ===
 
Monitor sensor health and status:
* '''Offline detection''' - Sensor not communicating
* '''Old CDR''' - No recent CDRs written (capture or DB issue)
* '''Big SQL queue stat''' - Growing queue indicates DB bottleneck (warning: >20 files, critical: >100)
 
=== SIP REGISTER Alerts ===
 
{| class="wikitable"
|-
! Alert Type !! Purpose !! Use Case
|-
| '''SIP REGISTER RRD beta''' || Response time monitoring || Network latency, packet loss
|-
| '''SIP failed Register (beta)''' || Failed registrations by IP || Brute-force, credential stuffing
|-
| '''multiple register (beta)''' || Same account from multiple IPs || Credential compromise detection
|}
 
{{Warning|1='''multiple register (beta)''' detects SIMULTANEOUS registrations from multiple IPs (security). For detecting IP changes when device moves networks, use CDR&RTP alert with external script.}}
 
=== CDR Trends Alerts ===
 
Monitor metric deviations from historical baselines (e.g., ASR drops).
 
{| class="wikitable"
|-
! Parameter !! Description
|-
| Type || Metric to monitor (ASR, ACD, etc.)
|-
| Offset || Historical baseline (1 week, 1 day)
|-
| Range || Current evaluation window (1 hour)
|-
| Method || Deviation (%) or Threshold (absolute)
|-
| Limit Inc./Dec. || Trigger threshold percentage
|}
 
== Common Filters ==
 
All alert types support:
* '''IP/Number Group''' - Predefined groups from '''Groups''' menu
* '''IP Addresses''' / '''Numbers''' - Individual values (one per line)
* '''Email Group''' / '''Emails''' - Recipients
* '''Last sip response''' - Filter by response text (requires <code>save_sip_history = responses</code>)
* '''External script''' - Custom script path for integrations
 
{{Warning|1=Alerts use '''OR logic''' between conditions. AND logic is NOT supported. Workaround: create separate alerts and correlate manually.}}
 
=== Caller vs Called Filtering ===
 
The Numbers filter matches against '''both caller and called fields'''. You cannot create alerts that trigger only when a number is the caller or only the called. Use IP Groups with Trunk/Server checkboxes for direction-based filtering. See [[Groups]].
 
== External Scripts ==
 
Enable webhook integration (Datadog, Slack, custom systems).
 
'''Configuration:''' Enter full absolute path in '''External script''' field (e.g., <code>/usr/local/bin/alert-webhook.sh</code>).
 
'''Arguments passed to script:'''
{| class="wikitable"
|-
! Arg !! Description
|-
| <code>$1</code> || Alert ID
|-
| <code>$2</code> || Alert name
|-
| <code>$3</code> || Unix timestamp
|-
| <code>$4</code> || JSON data with CDR IDs
|}
 
'''Example - Slack notification:'''
<syntaxhighlight lang="bash">
#!/bin/bash
# /usr/local/bin/slack-alert.sh
SLACK_WEBHOOK="https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
curl -X POST "$SLACK_WEBHOOK" -H "Content-Type: application/json" \
  -d '{"text": "VoIPmonitor Alert: '"$2"'"}'
</syntaxhighlight>
 
{{Note|1=IP addresses in CDR table are decimal integers. Use <code>long2ip()</code> (PHP) or <code>INET_NTOA()</code> (MySQL) for conversion.}}
 
== Sent Alerts ==
 
View triggered alerts via '''GUI > Alerts > Sent Alerts'''. Shows:
* '''Parameters table''' - QoS metrics with highlighted bad values
* '''CDR records''' - Calls that triggered alert with flags: (M)OS, (J)itter, (P)acket loss, (D)elay
 
== Custom Report Alerts ==
 
Alert on criteria not in native types (e.g., custom SIP headers).
 
'''Workflow:'''
# Capture header in <code>/etc/voipmonitor.conf</code>: <code>custom_headers = Max-Forwards</code>
# Enable in '''GUI > Settings > CDR Custom Headers'''
# Create filter in CDR view, save as template
# Create Daily Report with filter in '''GUI > Reports > Configure Daily Reports'''
 
{{Note|1=Custom report alerts cannot group by caller/called for threshold detection (e.g., "alert if same caller has >X failures"). Use CDR Summary reports for aggregated data.}}
 
== Troubleshooting ==
 
=== Email Not Sent ===
 
'''Diagnosis:'''
* Entries in "Sent Alerts" but no email → MTA issue
* No entries in "Sent Alerts" → Alert conditions or cron issue
 
<syntaxhighlight lang="bash">
# Test MTA
echo "Test" | mail -s "Test" your@email.com
 
# Check MTA status
systemctl status postfix  # or exim4/sendmail
 
# Check logs
tail -f /var/log/mail.log  # Debian/Ubuntu
tail -f /var/log/maillog  # RHEL/CentOS
 
# Check mail queue
mailq
</syntaxhighlight>
 
'''Status 250 or "Queued mail for delivery"''' = Your server delivered successfully. If recipient didn't receive, issue is on their side (spam folder, quarantine, blacklisting).
'''Mail Queue Not Delivering:'''
If emails accumulate in the queue but are not being sent:
 
<syntaxhighlight lang="bash">
# Verify queue manager is running
ps aux | grep qmgr
 
# Restart Postfix
systemctl restart postfix
 
# Force immediate delivery of queued emails
postfix flush
</syntaxhighlight>
=== Alerts Not Triggering ===
 
'''Enable debug logging:'''
<syntaxhighlight lang="php">
// Add to ./config/system_configuration.php
define('CRON_LOG_FILE', '/tmp/alert.log');
</syntaxhighlight>
 
<syntaxhighlight lang="bash">
# Monitor processing
tail -f /tmp/alert.log
</syntaxhighlight>
 
'''Common causes:'''
* Cron not running - verify with <code>crontab -l</code>
* PHP CLI version mismatch - use <code>update-alternatives --set php /usr/bin/php8.x</code>
* SQL queue growing - DB can't keep up (see [[Scaling]])
* Alert disabled or filter mismatch
 
=== Concurrent Calls Alerts ===
 
{| class="wikitable"
|-
! Type !! Data Source !! Aggregation !! Timing
|-
| '''Fraud concurrent calls''' || SIP INVITEs (realtime) || Source IP only || Immediate
|-
| '''Regular concurrent calls''' || CDRs (database) || Source/Dest IP, Domain, Custom || Delayed
|}
 
Use regular concurrent calls for destination IP monitoring (trunk capacity).
'''Investigating Fraud: Realtime Concurrent Calls Alerts'''
 
Since this alert type triggers before CDRs are written, use the following procedure to investigate the calls that triggered the alert:
# Navigate to '''GUI → CDR'''
# Use the filter form to add the '''is international''' filter
# Set the '''from''' and '''to''' date range to match the time the alert was sent
# Go to the bottom of the CDR view and enable grouping by '''country'''
# Analyze the traffic by country to identify the source of the fraudulent activity
=== External Script Not Running ===
 
# Use '''preview button''' to test alert triggers
# Verify absolute path (not relative)
# Check permissions: <code>chmod 755 /path/to/script.sh</code>
# Include shebang: <code>#!/bin/bash</code>
# Use full command paths (e.g., <code>/usr/bin/curl</code>)
# For URLs, create script with curl/wget - cannot put URL directly in field
 
=== "Crontab Log Too Old" Warning ===
 
'''Causes:'''
# Cron not running → Add cron entry
# PHP CLI version mismatch → <code>update-alternatives --set php /usr/bin/php8.x</code>
# Database overload → Check SQLq in '''GUI > Settings > Sensors''', see [[Scaling]]
 
== See Also ==
 
* [[Anti-fraud|Anti-Fraud Rules]] - Realtime fraud detection
* [[Reports]] - Daily reports and report generator
* [[Groups]] - IP and number groups for filtering
 
 
 
 
== AI Summary for RAG ==
 
'''Summary:''' VoIPmonitor Alerts system provides email notifications for QoS thresholds (RTP: MOS, jitter, packet loss), SIP response codes (0=no response, 408=timeout), sensor health, and registration monitoring. Alert types include RTP, RTP&CDR (with filter templates for duration/absolute_timeout), SIP Response (use "from all" unchecked for IP group percentages), International Calls (prefix-based, NOT GeoIP), Sensors, SIP REGISTER alerts (RRD beta for latency, failed Register beta for brute-force, multiple register beta for credential compromise), and CDR Trends (ASR deviation monitoring). External scripts enable webhook integrations. CRITICAL: Alerts use OR logic only - AND not supported. IP addresses stored as integers - use long2ip()/INET_NTOA() for conversion.
 
'''Keywords:''' alerts, email notifications, QoS, MOS, jitter, packet loss, SIP response, 408 timeout, sensors monitoring, SIP REGISTER, brute force, credential stuffing, international calls, called number prefixes, CDR trends, ASR, external scripts, webhooks, from all checkbox, OR logic, crontab, MTA, Postfix, CRON_LOG_FILE, concurrent calls, SQL queue
 
'''Key Questions:'''
* How do I configure email alerts in VoIPmonitor?
* What alert types are available (RTP, SIP, Sensors)?
* How do I configure international call alerts with prefix filtering?
* What does the "from all" checkbox do in percentage alerts?
* How do I integrate alerts with webhooks (Slack, Datadog)?
* Why are my alerts not triggering?
* How do I troubleshoot email delivery issues?
* What is the difference between fraud and regular concurrent calls alerts?
* How do I detect SIP registration attacks (brute-force)?
* Do alerts support AND logic between conditions?
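Review bot: The Slack example under External Scripts splices the alert name into the JSON body unescaped (-d '{"text": "VoIPmonitor Alert: '"$2"'"}'), so an alert name containing a double quote or backslash produces invalid or altered JSON; build the payload with a JSON-aware tool such as jq (jq -nc --arg text "$2" '{text: $text}') and pass the result to curl -d. Under Alerts Not Triggering, define('CRON_LOG_FILE', '/tmp/alert.log') has the root cron job from Prerequisites writing to a predictable path in a world-writable directory; documenting a path in a root-owned directory such as /var/log would be safer. The Prerequisites snippet also appends to /etc/crontab unconditionally, so running it twice schedules run.php twice per minute; say to check for an existing entry first.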

Latest revision as of 02:14, 10 January 2026


Alerts & Reports

Email notifications triggered by QoS thresholds, SIP errors, or sensor health conditions. The system stores all alerts in history for review.

Prerequisites

Email Configuration

Alerts use PHP's mail() function via the server's MTA (Postfix/Exim/Sendmail).

Setting | Location | Description
From Address | GUI > Settings > System Configuration > Email | DEFAULT_EMAIL_FROM - sender address for all alerts
Cron Job | /etc/crontab | Required for alert processing

# Add cron job (required)
echo "* * * * * root php /var/www/html/php/run.php cron" >> /etc/crontab
killall -HUP cron   # Debian/Ubuntu
# or: killall -HUP crond  # RHEL/CentOS

Alert Types

Access via GUI > Alerts.

RTP Alerts

Trigger on voice quality metrics:

  • MOS - below threshold
  • Packet loss - percentage exceeded
  • Jitter - variation exceeded
  • Delay (PDV) - latency exceeded
  • One-way calls - one RTP stream missing
  • Missing RTP - both RTP streams missing

Configure alerts to trigger when number of incidents OR percentage of CDRs exceeds threshold.

RTP&CDR Alerts

Combine RTP metrics with CDR conditions including PDD (Post Dial Delay).

Using Filter Templates:

  1. Create CDR filter in GUI > CDR
  2. Save as template
  3. In alert config, select from Filter template dropdown

💡 Tip: Use filter templates for complex conditions like duration > 14400 (calls over 4 hours) or absolute_timeout (truncated recordings).

SIP Response Alerts

Response Code | Meaning
Empty | All call attempts per filters
0 | No response received (routing loops)
408 | Timeout after provisional response (server unresponsive)
Specific | Exact codes (404, 503, etc.)

"from all" Checkbox (Percentage Thresholds)

⚠️ Warning: This setting is critical for IP group monitoring.

  • CHECKED: % calculated from ALL CDRs in database
  • UNCHECKED: % calculated only from filtered CDRs (correct for specific IP groups)


SIP Response vs Last SIP Response

There are two different fields for matching SIP responses:

Field | Location | Supports % Threshold | Use Case
SIP response | GUI > Alerts > SIP Response Alerts | ✓ Yes | Match by numeric code (e.g., 487, 503)
Last sip response | GUI > Alerts > Filter common | ✗ No | Match by full text (e.g., "487 Request Terminated")

⚠️ Warning: The GUI cannot trigger alerts based on percentage of full textual response strings. If you need percentage-based triggering for SIP response codes, use the SIP response numeric field instead.

The Last sip response field supports wildcard patterns (%, %Request Terminated%, %487%) but only triggers based on count thresholds, not percentages.

International Call Alerts (Called Number Prefixes)

Monitor calls to international destinations using prefix-based matching (dialing patterns like 00, +).

ℹ️ Note: This uses phone number prefix detection, NOT IP geolocation. For GeoIP-based detection, see Anti-Fraud Rules.

Configuration:

  1. GUI > Settings > Country prefixes - Define international prefixes (00, +), local country, minimum digits
  2. GUI > Alerts > Filter common - Configure:

Setting | Description
Called number prefixes | Which prefixes trigger alert (uncheck ALL for all international)
Exclude called number | Country codes to exclude (e.g., +44, 0044 for UK)
Strict for prefixes | Require international prefix (00/+)
NANPA | North American Numbering Plan

Sensors Alerts

Monitor sensor health and status:

  • Offline detection - Sensor not communicating
  • Old CDR - No recent CDRs written (capture or DB issue)
  • Big SQL queue stat - Growing queue indicates DB bottleneck (warning: >20 files, critical: >100)

SIP REGISTER Alerts

Alert Type | Purpose | Use Case
SIP REGISTER RRD beta | Response time monitoring | Network latency, packet loss
SIP failed Register (beta) | Failed registrations by IP | Brute-force, credential stuffing
multiple register (beta) | Same account from multiple IPs | Credential compromise detection

⚠️ Warning: multiple register (beta) detects SIMULTANEOUS registrations from multiple IPs (security). For detecting IP changes when device moves networks, use CDR&RTP alert with external script.

CDR Trends Alerts

Monitor metric deviations from historical baselines (e.g., ASR drops).

Parameter | Description
Type | Metric to monitor (ASR, ACD, etc.)
Offset | Historical baseline (1 week, 1 day)
Range | Current evaluation window (1 hour)
Method | Deviation (%) or Threshold (absolute)
Limit Inc./Dec. | Trigger threshold percentage

Common Filters

All alert types support:

  • IP/Number Group - Predefined groups from Groups menu
  • IP Addresses / Numbers - Individual values (one per line)
  • Email Group / Emails - Recipients
  • Last sip response - Filter by response text (requires save_sip_history = responses)
  • External script - Custom script path for integrations

⚠️ Warning: Alerts use OR logic between conditions. AND logic is NOT supported. Workaround: create separate alerts and correlate manually.

Caller vs Called Filtering

The Numbers filter matches against both caller and called fields. You cannot create alerts that trigger only when a number is the caller or only the called. Use IP Groups with Trunk/Server checkboxes for direction-based filtering. See Groups.

External Scripts

Enable webhook integration (Datadog, Slack, custom systems).

Configuration: Enter full absolute path in External script field (e.g., /usr/local/bin/alert-webhook.sh).

Arguments passed to script:

Arg | Description
$1 | Alert ID
$2 | Alert name
$3 | Unix timestamp
$4 | JSON data with CDR IDs

Example - Slack notification:

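#!/bin/bash
# /usr/local/bin/slack-alert.sh
# $2 is the alert name. The JSON body is built with jq (must be installed) so
# that quotes or backslashes in the name cannot break or alter the payload.
SLACK_WEBHOOK="https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
payload=$(jq -nc --arg text "VoIPmonitor Alert: $2" '{text: $text}')
curl -X POST "$SLACK_WEBHOOK" -H "Content-Type: application/json" \
  -d "$payload"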

ℹ️ Note: IP addresses in CDR table are decimal integers. Use long2ip() (PHP) or INET_NTOA() (MySQL) for conversion.
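
A fuller handler for the four-argument interface above, as an added example rather than VoIPmonitor's own code: it validates every argument and JSON-escapes the strings before posting, which matters if the script is launched from the root cron job shown under Prerequisites. The endpoint URL, function names, payload field names and size cap are assumptions, and $4 is forwarded as opaque text because the page does not show its structure.

```shell
#!/bin/bash
# Added example: hardened external alert script (not VoIPmonitor project code).
# Arguments follow the page's table: $1 alert ID, $2 alert name,
# $3 Unix timestamp, $4 JSON data with CDR IDs (handled as opaque text).

WEBHOOK_URL="https://hooks.example.invalid/alerts"  # hypothetical placeholder
MAX_DATA_LEN=65536                                  # assumed size cap for $4

# Succeeds only for a non-empty string of decimal digits.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print $1 as the body of a JSON string: newline, CR and tab become spaces,
# other control characters are dropped, then backslash and quote are escaped.
json_escape() {
  printf '%s' "$1" \
    | tr '\n\r\t' '   ' \
    | tr -d '\000-\037' \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Check all four arguments; print the reason and fail on the first problem.
validate_args() {
  [ "$#" -eq 4 ] || { echo "expected 4 arguments, got $#"; return 1; }
  is_uint "$1"   || { echo "alert ID is not numeric"; return 1; }
  [ -n "$2" ]    || { echo "alert name is empty"; return 1; }
  is_uint "$3"   || { echo "timestamp is not numeric"; return 1; }
  [ "${#4}" -le "$MAX_DATA_LEN" ] || { echo "data argument too long"; return 1; }
}

# Build the webhook body. Every value is emitted as a JSON string; the field
# names are hypothetical and should match what the receiving system expects.
build_payload() {
  printf '{"alert_id":"%s","timestamp":"%s","text":"VoIPmonitor Alert: %s","cdr_data":"%s"}' \
    "$1" "$3" "$(json_escape "$2")" "$(json_escape "$4")"
}

main() {
  reason=$(validate_args "$@") || {
    logger -t voipmonitor-alert "rejected call: $reason"
    return 1
  }
  # Full command path, a timeout, and the body on stdin instead of argv.
  build_payload "$@" \
    | /usr/bin/curl -sS --fail --max-time 10 -X POST "$WEBHOOK_URL" \
        -H 'Content-Type: application/json' --data-binary @-
}

# Run only when called with arguments, so the file can be sourced for testing.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Rejected calls are written to syslog under the tag voipmonitor-alert, which gives a place to look when the alert preview button produces no webhook delivery.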

Sent Alerts

View triggered alerts via GUI > Alerts > Sent Alerts. Shows:

  • Parameters table - QoS metrics with highlighted bad values
  • CDR records - Calls that triggered alert with flags: (M)OS, (J)itter, (P)acket loss, (D)elay

Custom Report Alerts

Alert on criteria not in native types (e.g., custom SIP headers).

Workflow:

  1. Capture header in /etc/voipmonitor.conf: custom_headers = Max-Forwards
  2. Enable in GUI > Settings > CDR Custom Headers
  3. Create filter in CDR view, save as template
  4. Create Daily Report with filter in GUI > Reports > Configure Daily Reports

ℹ️ Note: Custom report alerts cannot group by caller/called for threshold detection (e.g., "alert if same caller has >X failures"). Use CDR Summary reports for aggregated data.

Troubleshooting

Email Not Sent

Diagnosis:

  • Entries in "Sent Alerts" but no email → MTA issue
  • No entries in "Sent Alerts" → Alert conditions or cron issue

# Test MTA
echo "Test" | mail -s "Test" your@email.com

# Check MTA status
systemctl status postfix  # or exim4/sendmail

# Check logs
tail -f /var/log/mail.log  # Debian/Ubuntu
tail -f /var/log/maillog   # RHEL/CentOS

# Check mail queue
mailq

Status 250 or "Queued mail for delivery" = Your server delivered successfully. If recipient didn't receive, issue is on their side (spam folder, quarantine, blacklisting).

Mail Queue Not Delivering:

If emails accumulate in the queue but are not being sent:

# Verify queue manager is running
ps aux | grep qmgr

# Restart Postfix
systemctl restart postfix

# Force immediate delivery of queued emails
postfix flush

Alerts Not Triggering

Enable debug logging:

// Add to ./config/system_configuration.php
define('CRON_LOG_FILE', '/tmp/alert.log');

# Monitor processing
tail -f /tmp/alert.log

Common causes:

  • Cron not running - verify with crontab -l
  • PHP CLI version mismatch - use update-alternatives --set php /usr/bin/php8.x
  • SQL queue growing - DB can't keep up (see Scaling)
  • Alert disabled or filter mismatch

Concurrent Calls Alerts

Type | Data Source | Aggregation | Timing
Fraud concurrent calls | SIP INVITEs (realtime) | Source IP only | Immediate
Regular concurrent calls | CDRs (database) | Source/Dest IP, Domain, Custom | Delayed

Use regular concurrent calls for destination IP monitoring (trunk capacity).

Investigating Fraud: Realtime Concurrent Calls Alerts

Since this alert type triggers before CDRs are written, use the following procedure to investigate the calls that triggered the alert:

  1. Navigate to GUI → CDR
  2. Use the filter form to add the is international filter
  3. Set the from and to date range to match the time the alert was sent
  4. Go to the bottom of the CDR view and enable grouping by country
  5. Analyze the traffic by country to identify the source of the fraudulent activity

External Script Not Running

  1. Use preview button to test alert triggers
  2. Verify absolute path (not relative)
  3. Check permissions: chmod 755 /path/to/script.sh
  4. Include shebang: #!/bin/bash
  5. Use full command paths (e.g., /usr/bin/curl)
  6. For URLs, create script with curl/wget - cannot put URL directly in field

"Crontab Log Too Old" Warning

Causes:

  1. Cron not running → Add cron entry
  2. PHP CLI version mismatch → update-alternatives --set php /usr/bin/php8.x
  3. Database overload → Check SQLq in GUI > Settings > Sensors, see Scaling

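See Also

  • Anti-Fraud Rules - Realtime fraud detection
  • Reports - Daily reports and report generator
  • Groups - IP and number groups for filtering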


AI Summary for RAG

Summary: VoIPmonitor Alerts system provides email notifications for QoS thresholds (RTP: MOS, jitter, packet loss), SIP response codes (0=no response, 408=timeout), sensor health, and registration monitoring. Alert types include RTP, RTP&CDR (with filter templates for duration/absolute_timeout), SIP Response (use "from all" unchecked for IP group percentages), International Calls (prefix-based, NOT GeoIP), Sensors, SIP REGISTER alerts (RRD beta for latency, failed Register beta for brute-force, multiple register beta for credential compromise), and CDR Trends (ASR deviation monitoring). External scripts enable webhook integrations. CRITICAL: Alerts use OR logic only - AND not supported. IP addresses stored as integers - use long2ip()/INET_NTOA() for conversion.

Keywords: alerts, email notifications, QoS, MOS, jitter, packet loss, SIP response, 408 timeout, sensors monitoring, SIP REGISTER, brute force, credential stuffing, international calls, called number prefixes, CDR trends, ASR, external scripts, webhooks, from all checkbox, OR logic, crontab, MTA, Postfix, CRON_LOG_FILE, concurrent calls, SQL queue

Key Questions:

  • How do I configure email alerts in VoIPmonitor?
  • What alert types are available (RTP, SIP, Sensors)?
  • How do I configure international call alerts with prefix filtering?
  • What does the "from all" checkbox do in percentage alerts?
  • How do I integrate alerts with webhooks (Slack, Datadog)?
  • Why are my alerts not triggering?
  • How do I troubleshoot email delivery issues?
  • What is the difference between fraud and regular concurrent calls alerts?
  • How do I detect SIP registration attacks (brute-force)?
  • Do alerts support AND logic between conditions?