CT-Ops
Checks & Alerts
Operator guide for the CT-Ops Alerts page, alert history, silences, and notification channels.
The Monitoring -> Checks & Alerts menu item opens /alerts. Use this page as the alert
triage and delivery-control centre for the current CT-Ops instance.
The page shows active alert instances, historical alert instances, maintenance silences, and notification channels. It does not create alert rules directly. Create host check alert rules from Host Monitoring or service alerts from Host Infrastructure. Global check templates and default check-alert rules are managed under Global Checks.
Access and refresh behaviour
Users with instance access can view alert instances, silences, and notification channels. Creating notification channels and sending test notifications require administrator access. Acknowledging alerts and creating or deleting silences require write access.
The active alert list refreshes every 30 seconds. Notification channels and silences refresh every 60 seconds. Alert history is collapsed by default, shows the matching history-item count in the header, and loads rows in pages of 25 after an operator opens it.
Alert and silence timestamps are shown with the instance Display Settings.
Active alerts
The page header shows the total number of active firing alerts. The Severity filter narrows the active list to All severities, Critical, Warning, or Info without changing alert history.
The Active Alerts table lists currently firing alert instances.
| Column | Meaning |
|---|---|
| Severity | Rule severity: Critical, Warning, or Info. |
| Host | Host that owns the alert instance. Select the hostname to open the host detail page. |
| Rule | Alert rule name that produced the instance. For check-based alerts this is usually derived from the check name and failure threshold. |
| Message | Evaluation message from the alert engine, such as the failing check, breached metric threshold, certificate expiry, container condition, or image vulnerability state. Long messages are truncated in the table. |
| Triggered | Date and time when CT-Ops created the firing alert instance. |
| Actions | Operator actions for the firing instance. |
Use Incident when the alert needs incident tracking. CT-Ops creates an incident from the alert, invalidates the alert data, and redirects to the new incident page.
Use Acknowledge when an operator has accepted ownership or deliberately
suppressed continued active-alert triage for that instance. Acknowledgement
changes the instance status from firing to acknowledged, records the
acknowledgement time and user, and removes the row from the active table. It
does not disable the alert rule. If the underlying condition resolves and then
fires again later, CT-Ops creates a new alert instance.
Alert history
Alert History is collapsed by default so active triage stays at the top of the page. The header shows the number of matching history items while the table is closed. Use Show history to expand firing, resolved, and acknowledged alert instances, newest first. It is useful for handover, post-incident review, and identifying noisy rules.
| Control | What it does |
|---|---|
| Severity | Filters history to All severities, Critical, Warning, or Info. Changing it resets history pagination to page 1. |
| Show history / Hide history | Expands or collapses the history controls and table. |
| From | Filters to alerts triggered on or after the selected date. |
| To | Filters to alerts triggered on or before the selected date. The UI includes the whole selected day. |
| Clear | Appears when any history filter is active. It clears severity and date filters and returns to page 1. |
| Previous | Moves back one 25-row page. Disabled on page 1 or while a page is loading. |
| Next | Moves forward one 25-row page. Disabled on the last page or while a page is loading. |
The history table columns are:
| Column | Meaning |
|---|---|
| Severity | Severity stored on the alert rule when the instance is listed. |
| Status | Current alert instance status: Firing, Resolved, or Acknowledged. |
| Host | Host linked to the instance. Select it to inspect current host state. |
| Rule | Alert rule name. |
| Triggered | Time the instance was created. |
| Resolved / Acknowledged | Resolution time when the alert engine resolved the instance, or acknowledgement time when an operator acknowledged it. Shows a dash when neither timestamp exists. |
Use history to confirm whether a condition is still active, how often a rule fires, and whether alert volume lines up with maintenance windows or metric pressure on the host.
Silences
Silences suppress alert evaluation during planned work. CT-Ops checks active silence windows before evaluating host, Docker container, and Docker image alert rules. An instance-wide silence applies to every host; a host-specific silence applies only to the selected host.
Select Add Silence to open the silence form.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Host | All hosts (instance-wide) unless a host prefill is supplied by another flow | Optional host ID from the current instance | Selects one host or leaves the silence instance-wide. |
| Reason | Empty | Required, 1 to 255 characters | Records why alerts are suppressed. Use a ticket, change, or maintenance reference when possible. |
| Starts at | Current local date and time | Required date-time | Beginning of the silence window. |
| Ends at | One hour after the current local time | Required date-time, must be after Starts at | End of the silence window. |
| Create Silence | Enabled after required fields validate | Requires write access | Saves the silence and refreshes the silences list. |
| Cancel | n/a | n/a | Closes the form without creating a silence. |
The silences table columns are:
| Column | Meaning |
|---|---|
| Scope | Hostname for a host-specific silence, or All hosts for an instance-wide silence. Hostnames link to the host detail page. |
| Reason | Operator-entered reason. Long reasons are truncated in the table. |
| Starts | Start of the silence window. |
| Ends | End of the silence window. |
| Status | Upcoming before the start time, Active during the window, or Expired after the end time. |
| Actions | Trash button that deletes the silence. |
Use silences for planned maintenance, controlled restarts, known noisy dependencies, or temporary infrastructure work. Prefer host-specific silences when only one machine is affected; use instance-wide silences only for broad platform events where every alert would be expected noise.
Notification channels
Notification Channels defines where alert fired and resolved events are sent. CT-Ops supports webhook, email, Slack, and Telegram channels. Channel configuration is instance-scoped.
Global in-app notification routing and central SMTP relay settings live in Notification Delivery Settings. Email channels store recipients only; they use the global SMTP relay for delivery.
The notification channels table columns are:
| Column | Meaning |
|---|---|
| Name | Operator-facing channel name. |
| Type | Channel type: Webhook, Email, Slack, or Telegram. |
| Details | Webhook URL, email recipients, Slack webhook configured/missing state, or Telegram chat ID. Stored secrets are not shown. |
| Actions | Test, edit, and delete controls. |
Action controls:
| Control | What it does |
|---|---|
| Test notification | Sends a test message to the selected channel. The button shows a spinner while the request is running. Test notifications are limited to 5 per minute per instance and use a 10 second outbound timeout for webhook-style requests. |
| Edit channel | Opens the edit form for the channel type. Blank secret fields keep the existing stored secret for webhook, Slack, and Telegram channels. |
| Delete channel | Deletes the notification channel after the click. Existing alert history remains, but future alert events are no longer sent to that channel. |
After a test, CT-Ops opens a test-result dialog. Success confirms delivery was accepted by the destination or SMTP relay. Failure shows the returned error, such as an HTTP status, Telegram response body, SMTP relay error, or timeout.
Webhook channels
Select Add Webhook to send alert events to a custom HTTPS endpoint.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Name | Empty | Required, 1 to 100 characters | Label shown in the channel table. |
| URL | Empty | Required valid HTTPS URL. CT-Ops rejects private/internal targets. | Endpoint that receives JSON alert events. |
| Secret | Empty | Optional | When set, CT-Ops signs webhook payloads with HMAC-SHA256 and sends the signature in X-CT-Ops-Signature as sha256=<hex>. |
| Add Channel | n/a | Requires administrator access | Creates the channel. |
Editing a webhook requires Name and URL again. Leave Secret blank to keep an existing secret; enter a new value to replace it.
Use webhooks for incident platforms, custom automation, or ticketing systems that can accept CT-Ops alert events.
Email channels
Select Add Email to route alert events to one or more email recipients.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Name | Empty | Required, 1 to 100 characters | Label shown in the channel table. |
| Recipients | Empty | Required comma-separated email addresses; server validation requires at least one valid address. | Destination mailboxes for alert email. |
| Add Channel | n/a | Requires administrator access | Creates the channel. |
Editing an email channel lets administrators rename it or replace the recipient list. Email delivery requires the global SMTP relay to be enabled and valid. See Notification Delivery Settings.
Use email channels for shared operations mailboxes, escalation lists, or teams that do not use chat or webhook integrations.
Slack channels
Select Add Slack to send alerts to a Slack incoming webhook.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Name | Empty | Required, 1 to 100 characters | Label shown in the channel table, often the Slack channel name. |
| Incoming Webhook URL | Empty | Required valid HTTPS URL. CT-Ops rejects private/internal targets. | Slack incoming webhook destination. |
| Add Channel | n/a | Requires administrator access | Creates the channel. |
When editing Slack, the webhook URL field can be left blank to keep the existing stored URL. Enter a new HTTPS webhook URL to rotate the destination.
Use Slack channels for operational rooms where responders already coordinate active incidents.
Telegram channels
Select Add Telegram to send alerts through a Telegram bot.
| Field or control | Default | Validation | What it does |
|---|---|---|---|
| Name | Empty | Required, 1 to 100 characters | Label shown in the channel table. |
| Bot Token | Empty | Required for creation | Telegram bot token from BotFather. Stored tokens are not displayed after save. |
| Chat ID | Empty | Required | Numeric chat, group, or channel ID that receives messages. |
| Add Channel | n/a | Requires administrator access | Creates the channel. |
When editing Telegram, leave Bot Token blank to keep the existing token. The Chat ID field is always editable.
Use Telegram channels when the operations team uses Telegram for out-of-band or mobile alert delivery.
Alert rule sources
Alert instances shown on this page can come from several rule types:
| Source | Where operators configure it |
|---|---|
| Check status alerts | Host Monitoring checks and global check defaults. |
| Metric threshold alerts | Host monitoring alert defaults and host-specific metric rules. |
| Certificate expiry alerts | Certificate monitoring workflows. |
| Docker container alerts | Host Containers and container alert settings. |
| Docker image vulnerability alerts | Docker image scanning settings and findings. See Docker Container Settings. |
Severity values are Info, Warning, and Critical. Rule forms default severity to Warning unless the creating workflow overrides it.
Use the /alerts page for response and delivery operations. Use the host and
settings pages linked above when the rule definition itself needs to change.