CT-Ops

Host Monitoring

How to use host metrics, heartbeat history, checks, and alert rules in CT-Ops.

The Monitoring area is where CT-Ops shows whether a host is behaving normally over time. Use it when a host is slow, noisy, intermittently offline, or failing a service-level check.

Open it from a host detail page. The host detail navigation separates monitoring into two operational tabs:

  • Metrics shows resource charts, heartbeat intervals, and host notification charts.
  • Checks shows host-specific checks, recent check history, check health, and check alert rules.

Metrics tab

The Metrics tab is the time-series view for a single host. CT-Ops loads the selected host’s metric and heartbeat history only while this tab is active, then refreshes the live range every 60 seconds.

At the top of the tab, the range selector controls the time window used by all charts in the tab:

ControlWhat it does
Last hourShows the most recent 1 hour. Use this for active incidents and very recent changes.
Last 6hShows the most recent 6 hours. Use this for same-shift troubleshooting.
Last 24hShows the most recent 24 hours. This is the default view and is useful for daily operating patterns.
Last 7 daysShows the most recent 7 days. Use this for recurring pressure, weekday patterns, and trend review.
Last 30 daysShows the most recent 30 days. Use this for capacity and longer-term drift.
Reset zoomAppears after selecting a region on the charts. It returns the charts to the selected preset range.

The CPU, memory, and heartbeat charts share the same horizontal time axis. Drag across a chart to zoom into a narrower time window. When zoomed, CT-Ops shows the exact start and end timestamps beside Reset zoom and pauses automatic live refetching for the zoomed view so the selected window does not move while you are inspecting it.

If the host has not sent metric history for the selected period, the tab shows No metric history yet. Data appears after the agent starts sending heartbeats that include resource telemetry.

CPU, memory, and disk usage chart

The CPU, Memory & Disk Usage (%) chart is a line chart with three series:

SeriesMeaning
CPUHost CPU usage percentage reported by the agent.
MemoryHost memory usage percentage reported by the agent.
DiskRoot or primary disk usage percentage reported by the agent.

The Y axis is fixed from 0% to 100%, which makes spikes and sustained pressure easy to compare across hosts and time ranges. Hover a point to see the exact timestamp and percentage for each series at that time.

Use this chart to answer whether a problem is:

  • a short spike, such as a batch job or restart
  • a sustained plateau, such as memory pressure or a full disk
  • a repeating pattern, such as backups, sync jobs, or scheduled workloads
  • correlated across resources, such as CPU and memory rising together

For long ranges, gaps can indicate missing heartbeat telemetry, an offline agent, or an ingestion problem.

Heartbeat history

The Heartbeat Interval chart shows the number of seconds between consecutive agent heartbeats. It answers a different question from the host online/offline badge: it shows whether the agent has been reporting consistently over time.

The chart is a bar chart:

Visual elementMeaning
Bar heightSeconds between heartbeats. Taller bars mean longer gaps.
30s dashed reference lineThe expected normal heartbeat interval.
Green barsHeartbeats close to normal, up to 45 seconds apart.
Amber barsDelayed heartbeats, more than 45 seconds and up to 120 seconds apart.
Red barsLarge heartbeat gaps, more than 120 seconds apart.

For ranges longer than 2 hours, the chart label notes max per bucket. In that mode, each bar represents the largest heartbeat gap in its time bucket, so brief dropouts remain visible even on wider ranges.

Use heartbeat history to distinguish:

  • a host resource issue, where metrics change but heartbeats remain regular
  • an agent or network issue, where heartbeat bars stretch or disappear
  • an ingestion outage, where many hosts show heartbeat gaps at the same time

If heartbeats are missing but the host should be online, check network connectivity to ingest, the agent service state, and whether the agent still has valid identity material.

Notification charts

The Metrics tab also includes two host-specific notification charts. They refresh every 60 seconds.

Notification Severity

Notification Severity is a donut chart for all notifications recorded against the host, grouped by severity.

SliceMeaning
CriticalHighest-impact notifications for this host.
WarningDegraded or attention-needed notifications.
InfoInformational notifications.

Hover a slice to see the notification count and percentage of the host’s total. If there are no notifications for the host, the chart shows No notifications for this host.

Use this chart to understand whether a host is mostly producing critical alerts, lower-priority warning noise, or a balanced mix.

Notification Trend

Notification Trend is a line chart for critical and warning notifications over time. It deliberately excludes info notifications so operational noise does not hide incident-level trends.

The range selector in this chart is separate from the metrics range selector:

ControlWhat it does
Last 1 hourShows very recent alert activity.
Last 6 hoursShows same-shift alert movement.
Last 12 hoursShows half-day activity.
Last 24 hoursShows daily alert movement.
Last 7 daysShows weekly recurrence.
Last 30 daysShows monthly trends.
Last 3 monthsShows long-term notification patterns.

The line chart has one line for Critical notifications and one line for Warning notifications. Hover a point to inspect the counts for that period. Daily ranges include a bucket for every day in the selected period, even when a day has no notifications. Those empty days stay on the chart with zero counts, so the trend line dips instead of skipping over quiet periods.

Use this chart to decide whether a host had one isolated event, repeated failures, or alert activity that lines up with metric pressure or maintenance.

Checks tab

The Checks tab manages checks that run for the current host. CT-Ops refreshes the check list and recent history every 30 seconds.

The top row contains:

Control or valueWhat it does
Check countShows No checks configured or the number of configured checks.
Assign global checksApplies the instance’s Global Check Settings templates to this host. The button is disabled when no global checks exist.
Add checkOpens the add-check form for a new host-specific check.

After assigning global checks, CT-Ops shows a success or error message. The success message includes how many checks and alert rules were assigned.

When checks exist, CT-Ops shows a health summary card:

Summary stateMeaning
All checks passingEvery check with a latest result is passing.
Mostly healthyAt least 80% of checks are passing.
Partially degradedAt least 40% of checks are passing, but failures or pending checks exist.
Awaiting resultsAll configured checks are still pending their first result.
DegradedFewer than 40% of checks are passing, or the host has significant check failure.

The summary also lists how many checks are passing, failing, and pending out of the total.

Check rows and history charts

Each check row shows the check name, type badge, alert badge when enabled alert rules exist, recent results, current health, and row actions.

Row elementMeaning
Expand arrowOpens or closes the recent history area for that check.
Check nameOperator-facing name configured on the check.
Type badgeThe check type, such as Port, HTTP, Cert File, or Patch Status.
Alert badgeShows the number of enabled failure-alert rules. The badge color reflects the highest configured severity.
Last 5 result dotsThe five most recent results at a glance: green for pass, red for fail, amber for error, and gray for empty slots.
Health iconSummarizes the last five results: no data, all passing, mostly passing, partially failing, or mostly failing.
Latest timestampShows when the latest result ran.
Enabled switchEnables or disables the check. Disabled checks remain configured but do not run.
Edit buttonOpens the edit-check form.
Delete buttonOpens a confirmation dialog and then deletes the check and its history.

Checks are sorted so noisy checks appear first: CT-Ops prioritizes checks with more recent status changes, then checks with recent failures or errors.

When a row is expanded, CT-Ops shows how many results are stored for that check, the latest formatted output when available, and a compact history chart. Up to 100 recent results are loaded.

The compact history chart changes its metric by check type:

Check typeChart value
Port and HTTPResponse time in milliseconds.
ProcessPass/fail state.
Certificate and Certificate FileDays until certificate expiry when available; otherwise response time.
Folder SizeCurrent folder used or free value, in percent or GB based on the check configuration.
File SizeCurrent file size in GB.
Docker VolumeCurrent Docker volume size in GB.
Service AccountsNumber of accounts discovered.
SSH Key ScanNumber of SSH keys discovered.
Patch StatusNumber of available updates, colored by patch age policy.

For patch status charts, green means the patch age is within policy, amber means the patch age is close to the configured maximum age, red means it is over the configured maximum, and gray means the agent did not return enough patch-age data to classify it.

Creating checks

Click Add check to open the Add Check dialog. The form always includes the common fields below, then shows additional fields based on the selected type.

FieldWhat it does
NameRequired display name for the check. It can be up to 100 characters. Use a name that identifies the dependency, path, or policy being checked.
TypeSelects the kind of check and determines which type-specific fields appear. The type cannot be changed after the check is created; create a new check if the monitoring method changes.
IntervalHow often the agent should run the check. The value is stored in seconds. The allowed range is 10 seconds to 24 hours.
Interval unitChooses Seconds, Minutes, or Hours for the interval value. Seconds have a minimum value of 10. Minutes and hours have a minimum value of 1.
Alerts on failureOptional list of failure-alert rules to create with the check. A check can have up to 10 alert rules.

The Add check submit button is disabled until Name has a value. If the server rejects a field, CT-Ops shows the validation error in the dialog.

Port check form

Choose Port - TCP connectivity to verify that the agent can connect to a TCP port.

Field or controlWhat it does
HostHostname or IP address to connect to from the monitored host. Use localhost for a service listening locally on the same host.
PortTCP port number. The UI accepts ports from 1 to 65535.
Query serverAsks the agent to list listening ports on the host. While running, the button shows Querying server….
Listening-port resultClick a returned port to fill Port. If Host is empty, CT-Ops fills it with localhost. Returned rows show protocol, port, and process name when available.

Use port checks for databases, reverse proxies, message brokers, and local services where TCP reachability is the basic service signal.

Process check form

Choose Process - running process to verify that a process or service is running.

Field or controlWhat it does
Process nameProcess or systemd service name the agent should look for, such as nginx or docker.service.
Query serverAsks the agent to list running services.
Running-service resultClick a returned service to fill Process name with the service unit reported by the host.

Use process checks when a service can be unhealthy because it has stopped, even if no network listener is exposed.

HTTP check form

Choose HTTP - health endpoint to verify an HTTP or HTTPS endpoint from the host.

FieldWhat it does
URLFull URL to request, including scheme, host, port when needed, and path. For local services, use values such as http://localhost:8080/health.
Expected status codeHTTP status code that counts as success. The default is 200.

Use HTTP checks for health endpoints, local admin endpoints, or service probes where a TCP connection alone is not enough.

Certificate check form

Choose Certificate - TLS certificate to inspect a certificate served over TLS.

FieldWhat it does
HostHostname or IP address to connect to for the TLS handshake.
PortTCP port for the TLS service. The default is 443; the UI accepts ports from 1 to 65535.
Server name (SNI)Optional SNI name to send during the TLS handshake. Leave it blank to use the Host value. Set it when a server hosts multiple certificates behind the same address.

Use certificate checks for externally or internally served TLS endpoints where certificate expiry must be visible before it becomes an incident.

Certificate file check form

Choose Certificate - File on disk to inspect certificate material stored on the monitored host.

FieldWhat it does
File pathAbsolute path to the certificate or keystore file on the host, such as /etc/ssl/certs/app.pem.
FormatFile format to parse. Options are PEM (.pem / .crt / .cer), PKCS#12 (.p12 / .pfx), and Java KeyStore (.jks).
PasswordOptional keystore password. This field appears for PKCS#12 and JKS formats.
AliasOptional JKS alias. This field appears only for JKS and defaults to the first entry when left blank.

Use certificate file checks when the certificate is not directly served on a network port or when you need to monitor Java keystores and packaged certificate files.

Folder size check form

Choose Folder Size - Path usage to monitor disk usage for a path.

FieldWhat it does
Folder pathPath to measure, such as /var/lib/docker.
MeasureChooses whether the check evaluates Used space or Free space.
UnitChooses % or GB for the threshold.
ThresholdNumeric threshold. Percent thresholds are limited to 0 through 100 in the UI. GB thresholds allow decimal values.

Used-space checks fail above the threshold. Free-space checks fail below the threshold. Use used-space checks for growth control and free-space checks for minimum-capacity policies.

File size check form

Choose File Size - Specific file threshold to monitor one file.

FieldWhat it does
File pathAbsolute path to the file, such as /var/log/app.log.
ConditionChooses Greater than or Less than.
Threshold (GB)Numeric threshold in GB. The UI accepts decimal values to three decimal places.

Use file size checks for log growth, queue files, exports, or state files where an unusual size is a useful signal.

Docker volume check form

Choose Docker Volume - Volume size threshold to monitor a Docker volume.

Field or controlWhat it does
Docker volumeDocker volume name to measure, such as postgres-data.
Query serverAsks the agent to list Docker volumes on the host.
Docker-volume resultClick a returned volume to fill Docker volume. If Name is empty, CT-Ops also fills it with a name like <volume> volume size. Returned rows show the volume name and driver when available.
ConditionChooses Greater than or Less than.
Threshold (GB)Numeric threshold in GB. The UI accepts decimal values to three decimal places.

Use Docker volume checks for database, registry, cache, and application volumes where growth can consume disk unexpectedly.

Service account check form

Choose Service Accounts - discover system users to discover local accounts. This check has no additional fields. The agent reads /etc/passwd and checks for running processes so CT-Ops can report system accounts observed on the host.

Use this check when account inventory and service-account drift matter for the host.

SSH key scan check form

Choose SSH Key Scan - discover SSH keys to scan user home directories for SSH key material. This check has no additional fields. It looks for authorized_keys files and identity files, then reports key type, fingerprint, and age.

Use this check to make SSH access paths visible and to find stale or unexpected keys.

Patch status check form

Choose Patch Status - OS patch age and updates to monitor operating-system patch posture.

FieldWhat it does
Max patch age daysPolicy threshold for patch age. The default is 30; the UI allows 1 through 3650. Results are colored against this policy in the history chart.
Max updates listedMaximum number of available updates the agent should include in output. The default is 500; the UI allows 1 through 1000.

Use patch status checks when a host should raise attention because it has not been patched recently or has too many outstanding package updates.

Alert rules

The Alerts on failure panel appears in both the add and edit check dialogs. It defines alert rules that turn check failures into CT-Ops alert instances.

Click Add Alert to open the alert editor.

FieldWhat it does
Consecutive failuresNumber of consecutive failed or errored check runs required before the alert rule fires. The allowed range is 1 through 10. The default is 3.
SeverityAlert severity to raise when the threshold is met. Options are Info, Warning, and Critical. The default is Warning.

Saved alert rules appear in the panel with their severity and threshold. Use the pencil button to edit a rule and the trash button to remove it. CT-Ops supports up to 10 alert rules per check, which lets you configure escalation patterns such as a warning after 3 failures and a critical alert after 10 failures.

Severity describes impact. Consecutive failures describe confidence. For noisy network checks, use a higher threshold. For checks where one failure is already meaningful, use a lower threshold.

Editing checks

Click the pencil button on a check row to open Edit Check. The edit dialog uses the same type-specific fields as the add dialog and also includes:

ControlWhat it does
Delete historyDeletes all stored results for the check after confirmation. The button is disabled when the check has no stored results.
ConfirmAppears after clicking Delete history and performs the history deletion.
Query serverAvailable when editing a process check. It asks the agent to list running services and lets you replace the process or service name from the returned list.
Save changesSaves name, interval, type-specific configuration, and alert-rule changes.

The check type itself is fixed in the edit dialog. To change a port check into an HTTP check, create a new check and delete the old one after the replacement has results.

Global defaults

Administrators can define global check defaults for the CT-Ops instance. On a host’s Checks tab, Assign global checks copies those defaults onto the current host and creates any configured alert rules that belong to the defaults.

Use global defaults to bring a host back in line with the standard monitoring baseline. This is useful after onboarding a host, replacing checks that were removed, or correcting drift. Host-specific checks and edits remain useful for exceptions where one machine legitimately needs different monitoring.