How do we add custom alert methods?

Ive found the location that the methods appear to be stored, however, they appear to be stored within a directory named similar to a DB identity.

Is there an easy way to add an alert method?

If there’s no easy way (script, tool, etc.) Can I add it manually?

I pulled the tasks.db SQLite DB and looked through that. While the directory structure appears to be a UUID from the database, I didn’t see the alert_methods listed in the database.

Any other places to look?

Based on what I’ve found thus far… It appears that alert methods are integrated into the C code and not modular at all. Odd.

You can find global alert methods from /usr/[local]/share/openvas/openvasmd/global_alert_methods. As you have noticed, some alert methods are hard-coded.

1 Like

The best way to create your own alert methods is to start from the source code of gvmd.
Clone one of the existing that appears closest to what you want.

However, this is not a user feature. You will not find user-documentation on how to add a new alert method. You rather have to search through the source code about what to consider. It might also help if you search for some commits where alerts were added.
If you are not a developer, this is a considerable challenge.

1 Like

I’ve noticed this is not as easy as write the method and add it to the list of available alerts. For now I’ll have to find another way.

All I wanted to do was pass the report xml file to a local process on the same server as the scanner.

As an alternative you can run GMP scripts to pull data from GVM and send/process it the way you
need. In fact, this is pretty convenient. You need your own scheduling though.

There are also a number of alerts that simply place a report XML into some storage, for example via SCP.

You then would handle all that arrives in the drop zone. Several SIEM can use such a scheme to import data.

1 Like

Thanks Jan,

I’m setting up an alert that uses SCP. We’ll see how that goes.


This is exactly how I have done the OpenVAS-Splunk interface. Report is copied by SCP alert to localhost into target directory where Splunk picks it up. I’m aware that I could do Splunk integration with “Send to host” alert as well, however, I found this approach works better for me.

1 Like