Version: 1.2.1

Callbacks

When do callbacks trigger?#

All configured callbacks are triggered whenever nzyme detects a new alert. If an alert stays active for several hours, nzyme triggers the callbacks only when it sees the alert for the first time, not again on every subsequent detection; how long an alert is considered "already seen" is controlled by the grace period configuration.

Configuration#

You can find the alert callbacks configuration in the nzyme.conf file of your leader instance.

An example configuration looks like this, nested under the alerting section.

alerting {
  # Notifications and callbacks for triggered alerts.
  callbacks: [
    {
      type: email
      enabled: false

      # One of: SMTP, SMTPS or SMTP_TLS
      transport_strategy: SMTP_TLS

      host: smtp.example.org
      port: 587
      username: "your_username"
      password: "your_password"

      from: "nzyme <nzyme@example.org>"
      subject_prefix: "[NZYME]"

      recipients: [
        "Somebody <somebody@example.org>",
        "Somebody Else <somebody.else@example.org>"
      ]
    }
  ]
}

When you look at the callbacks variable, you will notice that its value is an array and that you can configure as many callbacks as you want.

You can also configure multiple callbacks of the same type. For example, if you want to have two differently configured email callbacks, you can set two independent callbacks in the callbacks array.

Callback type: File#

The file callback writes JSON-serialized alerts into a local file. This can be very useful if you want to further process the alerts or use a local agent to ship them to another location.

{
  type: file
  enabled: true

  path: /var/log/nzyme/alerts.log
}

Example output of an alert in the alerts.log file:

pi@nzyme-demo:~ $ cat /var/log/nzyme/alerts.log
{"first_seen":"2021-10-22T22:16:06.276-05:00","last_seen":"2021-10-22T22:16:06.276-05:00","frame_count":null,"is_use_frame_count":false,"subsystem":"DOT_11","description":"An SSID (network name) that has not been seen before was detected. Nzyme keeps a list of networks it has seen and this alert was triggered because a previously unknown network was advertised. Note that this is very often a legitimate network (see false positives below) and should be treated as a notice that needs further human investigation to determine if it is a potential threat or not.","false_positives":["A new and legitimate network might have been enabled by someone in the vicinity.","A legitimate network could have been in range temporarily. A common example is a car with smart functionality that brings its own WiFi network passing through the coverage area of nzyme."],"message":"New SSID [ASK4 Wireless (802.1x)] detected.","type":"UNKNOWN_SSID","fields":{"ssid":"ASK4 Wireless (802.1x)","bssid":"1e:15:11:e7:0a:c1","channel":6,"frequency":2437,"antenna_signal":-52},"documentation_link":"guidance-UNKNOWN_SSID"}
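Because each alert is one JSON object, the file is easy to post-process before shipping it elsewhere. The following is an added example, not code from nzyme or this page, of a small reader that parses the file, tolerates a half-written last line (a log shipper tailing the file while nzyme is still writing), groups alerts by type and pivots UNKNOWN_SSID alerts from SSID to the BSSIDs that advertised it. It assumes the callback appends exactly one alert per line, which the page's single-line output suggests but does not state; the sample input is constructed to match the shape of the entry above.

```python
import json
from collections import Counter
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample input shaped like the alerts.log entry shown above.
# Assumption (not stated on the page): the file callback appends exactly one
# JSON object per line, so the file reads as newline-delimited JSON. The last
# line is deliberately cut off to mimic a reader racing a write in progress.
SAMPLE_ALERTS_LOG = """\
{"first_seen":"2021-10-22T22:16:06.276-05:00","last_seen":"2021-10-22T22:16:06.276-05:00","frame_count":null,"is_use_frame_count":false,"subsystem":"DOT_11","message":"New SSID [ASK4 Wireless (802.1x)] detected.","type":"UNKNOWN_SSID","fields":{"ssid":"ASK4 Wireless (802.1x)","bssid":"1e:15:11:e7:0a:c1","channel":6,"frequency":2437,"antenna_signal":-52},"documentation_link":"guidance-UNKNOWN_SSID"}
{"first_seen":"2021-10-22T22:18:40.100-05:00","last_seen":"2021-10-22T22:18:40.100-05:00","frame_count":null,"is_use_frame_count":false,"subsystem":"DOT_11","message":"New SSID [Guest WiFi] detected.","type":"UNKNOWN_SSID","fields":{"ssid":"Guest WiFi","bssid":"aa:bb:cc:dd:ee:01","channel":11,"frequency":2462,"antenna_signal":-71},"documentation_link":"guidance-UNKNOWN_SSID"}
{"first_seen":"2021-10-22T22:19:02.500-05:00","last_seen":"2021-10-22T22:19:02.500-05:00","frame_count":null,"is_use_frame_count":false,"subsystem":"DOT_11","message":"New SSID [ASK4 Wireless (802.1x)] detected.","type":"UNKNOWN_SSID","fields":{"ssid":"ASK4 Wireless (802.1x)","bssid":"1e:15:11:e7:0a:c2","channel":6,"frequency":2437,"antenna_signal":-47},"documentation_link":"guidance-UNKNOWN_SSID"}
{"first_seen":"2021-10-22T22:20:11.000-05:00","last_seen":"2021-10-22T22:20:11.0
"""


def parse_alerts(text: str) -> Tuple[List[Dict], int]:
    """Parse newline-delimited JSON alerts.

    Returns (alerts, skipped): lines that are not complete JSON objects with a
    "type" key are counted and skipped rather than crashing the reader, so a
    partially written trailing line does not take the shipper down.
    """
    alerts: List[Dict] = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(alert, dict) or "type" not in alert:
            skipped += 1
            continue
        alerts.append(alert)
    return alerts, skipped


def alerts_by_type(alerts: List[Dict]) -> Counter:
    """Count alerts per nzyme alert type (e.g. UNKNOWN_SSID)."""
    return Counter(a["type"] for a in alerts)


def bssids_for_ssid(alerts: List[Dict], ssid: str) -> Set[str]:
    """All BSSIDs that advertised a given SSID in UNKNOWN_SSID alerts.

    One SSID appearing from several BSSIDs is a useful pivot when deciding
    whether a new network is a legitimate multi-AP deployment or something
    that needs a closer look.
    """
    return {
        a["fields"]["bssid"]
        for a in alerts
        if a["type"] == "UNKNOWN_SSID" and a.get("fields", {}).get("ssid") == ssid
    }


def latest_first(alerts: List[Dict]) -> List[Dict]:
    """Sort alerts by first_seen, newest first (timestamps carry a UTC offset)."""
    return sorted(alerts, key=lambda a: datetime.fromisoformat(a["first_seen"]), reverse=True)


def to_kv_line(alert: Dict) -> str:
    """Flatten one alert into a single key=value line for a text-based log shipper."""
    fields = alert.get("fields", {})
    kv = " ".join(f"{k}={json.dumps(v)}" for k, v in sorted(fields.items()))
    return (f'nzyme_alert type={alert["type"]} subsystem={alert.get("subsystem")} '
            f'first_seen={alert["first_seen"]} {kv}')


if __name__ == "__main__":
    parsed, skipped_lines = parse_alerts(SAMPLE_ALERTS_LOG)
    print(f"{len(parsed)} alerts parsed, {skipped_lines} line(s) skipped")
    print(dict(alerts_by_type(parsed)))
    print(sorted(bssids_for_ssid(parsed, "ASK4 Wireless (802.1x)")))
    for a in latest_first(parsed):
        print(to_kv_line(a))
```

To run it against a real file, replace SAMPLE_ALERTS_LOG with the contents of /var/log/nzyme/alerts.log; the skipped-line counter is worth exporting as a metric, since a steadily rising value means the shipper is reading faster than nzyme writes or the file is being truncated underneath it.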

Callback type: Email/SMTP#

This callback sends an email to all configured recipients via SMTP.

{
  type: email
  enabled: false

  # One of: SMTP, SMTPS or SMTP_TLS
  transport_strategy: SMTP_TLS

  host: smtp.example.org
  port: 587
  username: "your_username"
  password: "your_password"

  from: "nzyme <nzyme@example.org>"
  subject_prefix: "[NZYME]"

  recipients: [
    "Somebody <somebody@example.org>",
    "Somebody Else <somebody.else@example.org>"
  ]
}
  • transport_strategy: One of SMTP, SMTPS or SMTP_TLS
  • host: The SMTP server to use
  • port: The port of the SMTP server to use
  • username/password: The username and password used to authenticate with the SMTP server (we recommend quoting both values to avoid escaping issues with special characters)
  • from: The "from" address to use. Must be in full email address format, giving both the name and the address in angle brackets: "Some Body <somebody@example.org>"
  • subject_prefix: A prefix for the subject line of the email
  • recipients: A list of recipients for the email. Each entry must be in full email address format, giving both the name and the address in angle brackets: "Some Body <somebody@example.org>"

[Screenshot: example alert email]
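Before setting enabled: true, it is worth checking the email settings outside nzyme, since a callback that silently fails to authenticate is worse than no callback. The following is an added example, not code from nzyme or this page, that validates the from/recipients format the callback requires, flags a cleartext SMTP strategy combined with credentials, and can send one test message through the configured transport. The mapping of the three strategies (SMTP = cleartext, SMTPS = TLS from the first byte, SMTP_TLS = cleartext connection upgraded with STARTTLS) is an assumption based on the common naming and on the sample's port 587, not something the page defines; the config dictionary is constructed to mirror the sample above.

```python
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Assumed transport semantics (the page only lists the three names):
#   SMTP     cleartext for the whole session
#   SMTPS    TLS from the first byte ("implicit TLS", typically port 465)
#   SMTP_TLS cleartext connect, then STARTTLS (typically port 587)
TRANSPORTS = {
    "SMTP": {"implicit_tls": False, "starttls": False},
    "SMTPS": {"implicit_tls": True, "starttls": False},
    "SMTP_TLS": {"implicit_tls": False, "starttls": True},
}

# Constructed config mirroring the email callback sample above.
EMAIL_CALLBACK = {
    "type": "email",
    "enabled": False,
    "transport_strategy": "SMTP_TLS",
    "host": "smtp.example.org",
    "port": 587,
    "username": "your_username",
    "password": "your_password",
    "from": "nzyme <nzyme@example.org>",
    "subject_prefix": "[NZYME]",
    "recipients": [
        "Somebody <somebody@example.org>",
        "Somebody Else <somebody.else@example.org>",
    ],
}


def full_address_or_none(value: str) -> Optional[Tuple[str, str]]:
    """Accept only the 'Display Name <user@host>' form the callback expects.

    A bare address, or one that lost its angle brackets ('Some Body somebody@example.org'),
    parses with an empty display name and is rejected.
    """
    name, addr = parseaddr(value)
    if not name or "@" not in addr:
        return None
    return name, addr


def check_callback(cfg: Dict) -> List[str]:
    """Return the configuration problems to fix before enabling the callback."""
    problems: List[str] = []
    strategy = cfg.get("transport_strategy")
    if strategy not in TRANSPORTS:
        problems.append(f"unknown transport_strategy {strategy!r}")
    elif strategy == "SMTP" and cfg.get("username"):
        problems.append("SMTP sends username/password in cleartext; use SMTPS or SMTP_TLS")
    if not cfg.get("recipients"):
        problems.append("no recipients configured")
    for value in [cfg.get("from", ""), *cfg.get("recipients", [])]:
        if full_address_or_none(value) is None:
            problems.append(f"not in 'Name <user@example.org>' form: {value!r}")
    return problems


def build_message(cfg: Dict, subject: str, body: str) -> EmailMessage:
    """Build the message the way the callback would: prefixed subject, all recipients on To."""
    msg = EmailMessage()
    msg["From"] = cfg["from"]
    msg["To"] = ", ".join(cfg["recipients"])
    msg["Subject"] = f"{cfg['subject_prefix']} {subject}"
    msg.set_content(body)
    return msg


def open_transport(cfg: Dict, timeout: float = 10) -> smtplib.SMTP:
    """Open an SMTP session matching transport_strategy, verifying the server certificate."""
    t = TRANSPORTS[cfg["transport_strategy"]]
    ctx = ssl.create_default_context()  # system CA store, hostname verification on
    if t["implicit_tls"]:
        return smtplib.SMTP_SSL(cfg["host"], cfg["port"], timeout=timeout, context=ctx)
    conn = smtplib.SMTP(cfg["host"], cfg["port"], timeout=timeout)
    conn.ehlo()
    if t["starttls"]:
        conn.starttls(context=ctx)  # raises if the server does not offer STARTTLS
        conn.ehlo()
    return conn


def send_test_alert(cfg: Dict) -> EmailMessage:
    """Send one test message through the configured transport (needs network access)."""
    problems = check_callback(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    msg = build_message(cfg, "Test alert from SMTP callback check",
                        "If you can read this, the nzyme email callback settings work.")
    with open_transport(cfg) as conn:
        if cfg.get("username"):
            conn.login(cfg["username"], cfg["password"])
        conn.send_message(msg)
    return msg


if __name__ == "__main__":
    for problem in check_callback(EMAIL_CALLBACK):
        print("problem:", problem)
    # send_test_alert(EMAIL_CALLBACK)  # uncomment once host/credentials are real
```

Run check_callback on a copy of your real settings first; only when it returns an empty list is send_test_alert worth trying. If STARTTLS fails against a server that really does support it, check that the port is the submission port and not the SMTPS port, since the two strategies are not interchangeable on the same port.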