v1.0.5
Dashboard

Operational command view

Current state at a glance: inventory posture, what needs review, scan recency, and the live activity stream. Use Executive mode for the same signals as roll-ups and trend charts. Next steps: Assets for drill-down, Scan history for job health, Reports for evidence, System health for services.

Executive overview

Roll-up deltas, recent actions, and trend charts for the window above—same data as operator mode, framed for a quick read.

Overview
Recent changes
How to read this summary
Read the overview first, then risk snapshot and trends. Use links in tables for host or device detail.

Risk snapshot

Counts across assets, findings, and scans. Charts below follow the trend window.

Total systems tracked
Open security issues
Scans run (7d)
New issues found (7d)
new issues this week
Critical issues open
highest urgency
High-priority issues open
near-term remediation
Scan success rate (14d)
completed successfully
Avg scan time (7d)

Trends and distributions

Recent changes (14d)
Asset / coverage snapshot (14d)
Operational health (14d)
Issue severity mix

Top risk items

Triage queue from the executive window — follow rows into host or device detail.

IP | Device | Hostname | Type | Top CVE | CVSS | Findings

Operations overview

Single current-state strip: posture totals, attention cues (unclassified, open CVEs), scan freshness, then asset mix. Normal throughput metrics stay visually quiet; risk and review tiles read first.

Posture & attention
Total assets
Unclassified
needs review
Open CVEs
— critical
Last scan
Classification mix
Servers
Workstations
Network gear
IoT / OT / other

Top vulnerable assets

Priority rows for open findings — use as the triage short list before wider inventory search.

IP | Device | Hostname | Type | Vendor | Top CVE | CVSS | Findings

Recent activity

Event timeline — scans, imports, and admin actions; refresh after you change configuration or queue work.

Inventory

Assets

Live registry of scanned hosts. Triage with search, type, severity, lifecycle, and optional inventory scope, AI, or Zabbix filters — active constraints show in the summary above the table. Row selection powers bulk scope actions. Use Details / IP for host context; Reports for job-scoped evidence; Enrichment for Zabbix match workflows.

Assets for device

Search & filters

Primary query row, then optional AI / Zabbix / scope panels. Exports and Clear filters apply to the current result set.

Named inventory scopes are not available on this database yet (upgrade / migrations). Reports job scope is separate.

Inventory list

Dense table — sort columns for risk, recency, or scope. Selection on this page ties to the bulk bar.

No rows often means tight filters — try Clear filters or widen search. A genuinely empty inventory is uncommon after successful scans.

IP address | Device | Hostname | Type | Life | Vendor / model | Open ports | CVEs | CVSS | Zbx | Scope | Last seen | Edit
Tip: click Details (or the IP address) to open full host details.

Organization

Scan scopes

Scopes are named organization buckets for scan and inventory context. Job scope (scan_jobs.scope_id) is saved when work is queued and powers historical reporting; inventory scope (assets.scope_id) groups current assets and posture. Those dimensions are related by name but independent by storage, so changing asset tags does not rewrite prior jobs.

Create & edit scope

Use + New scope to add catalog entries with name, optional description, environment, and CIDR hints. Use Edit per row to update metadata safely. Scope assignment happens from Scan, Schedules, Assets bulk actions, or Enrichment workflows; this page manages the scope catalog and impact visibility.

Scope inventory

Dense list of configured scopes. Counts show live assets, finished jobs, and linked schedules; use these to spot populated vs dormant scopes before changes.

Name | Description | Environment | Assets | Jobs | Schedules | Actions

Operator controls

Edit updates labels/metadata without changing historical evidence. Delete clears dependent references after confirmation and shows impact counts first (assets unscoped, job/schedule scope links cleared, related mappings removed). For assignment workflows, use Assets bulk scope tools, Scan/Schedules scope selectors, or Enrichment scope apply.

Identity

Devices

A device is a stable device_id — the logical identity SurveyTrace uses to group IP-based assets that belong to the same system (shared MAC / correlation rules). Assets remain one row per address; open a device to see linked IPs, hostnames, and recency. Use Assets to browse all addresses for a device; use Merge in the side panel only after operator review (confirmed, audited).

Search & sort

Find devices by id, normalized MAC, label, or any linked IP/hostname. Sort highlights busy identities (# assets, last activity) or MAC order.

Device inventory

Dense list — click ID for detail and linked addresses; Assets jumps to the Assets tab filtered to this device_id. Multi-address devices get a light emphasis.

ID | MAC (norm) | # Assets | IP sample | Last activity | Created

Risk

Vulnerabilities

CVE-centric review and triage: sort and filter by severity, asset type, resolution, age, and detection confidence. Each row ties a finding to an asset (IP/hostname); use IP filters or row clicks to narrow. Evidence columns summarize match method; open host detail for full context. Actions (when permitted): mark resolved after remediation or accept risk with audit — exports respect the same filters as the table.

Triage controls

Combine search, IP, severity, asset class, open vs resolved, publication year, confidence, and sort. CSV/JSON exports use the current filter set.

Findings

Dense table — severity chips and triage scores surface risk; high/critical rows are subtly highlighted. Use pagination to walk the full filtered set.

CVE ID | Asset IP | Hostname | Type | Description | CVSS | Triage | Match | Published | Actions

Review actions

Resolve when remediation is verified (finding leaves the open list; audited). Accept risk documents acceptance and suppresses recurring open alerts for that finding while it remains accepted — use with governance alignment. Readers see status only. If the table is empty, confirm whether filters exclude everything vs. no data yet (see message in the findings grid).

Risk

Vulnerability Dashboard

Operator-focused risk posture at a glance: severity counts, highest-risk assets, aging criticals, common vulnerable packages, recent findings, suppressions, and analyst overrides. All data is locally computed from advisory correlation — bounded, offline, no external enrichment.

Summary

Open findings
total affected
Critical
highest severity
High
near-term priority
Medium
standard risk
Low / Info
low urgency
Affected assets
distinct hosts
Stale >30d
aging findings
Suppressed
active suppressions
Overrides
analyst overrides

Highest-risk assets

Top assets ordered by weighted risk score (critical=40, high=10, medium=3, low=1). Capped at 25 rows.

Asset | Risk band | Score | Critical | High | Total | Oldest
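The ranking described above, worked through as an added example (not SurveyTrace's own code). The weights and the 25-row cap come from the text; the finding tuples, the zero weight for "info", and the tie-break order are assumptions made for illustration.

```python
from datetime import date

# Weights and row cap as stated in the dashboard text.
WEIGHTS = {"critical": 40, "high": 10, "medium": 3, "low": 1}
ROW_CAP = 25

# Constructed sample of open findings: (asset, severity, first_seen).
SAMPLE_FINDINGS = [
    ("192.0.2.10", "critical", date(2025, 1, 5)),
    ("192.0.2.10", "low", date(2025, 2, 1)),
    ("192.0.2.20", "high", date(2024, 11, 20)),
    ("192.0.2.20", "high", date(2025, 1, 15)),
    ("192.0.2.20", "high", date(2025, 2, 10)),
    ("192.0.2.30", "medium", date(2025, 2, 12)),
    ("192.0.2.30", "info", date(2025, 2, 12)),
]


def rank_assets(findings, cap=ROW_CAP):
    """Aggregate open findings per asset and return the top rows by score.

    Severities without a stated weight (for example "info") add 0 to the
    score but still count toward the total; that is an assumption.
    Ties are broken by oldest finding, then asset name (also an assumption).
    """
    rows = {}
    for asset, severity, first_seen in findings:
        row = rows.setdefault(asset, {
            "asset": asset, "score": 0, "critical": 0,
            "high": 0, "total": 0, "oldest": first_seen,
        })
        row["score"] += WEIGHTS.get(severity, 0)
        if severity in ("critical", "high"):
            row[severity] += 1
        row["total"] += 1
        row["oldest"] = min(row["oldest"], first_seen)
    ranked = sorted(
        rows.values(),
        key=lambda r: (-r["score"], r["oldest"], r["asset"]),
    )
    return ranked[:cap]


if __name__ == "__main__":
    for r in rank_assets(SAMPLE_FINDINGS):
        print(r["asset"], r["score"], r["critical"], r["high"],
              r["total"], r["oldest"].isoformat())
```

With these weights a host with one critical and one low finding (41) ranks above a host with three highs (30), so counting findings alone would order the triage list differently.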

Oldest critical/high findings

Critical and high-severity findings open more than 30 days without resolution.

Advisory | Severity | Asset | CVSS | Age (days) | First seen

Most common vulnerable packages

Packages affecting the most assets across the environment.

Package | Ecosystem | Affected assets | Findings

Recent findings

Most recently detected open findings (latest 50). Use pagination for more.

Advisory | Severity | Asset | CVSS | First seen

Suppressed findings

Active suppressions (accepted risk or deferred).

Advisory | Severity | Asset | Reason | Expires

Analyst overrides

Findings where analysts have overridden the model priority.

Advisory | Severity | Asset | Priority | Changed by | When

Remediation status

Operator remediation workflow tracking: overdue, verification failures, and recently resolved.

Overdue
past due date
Unresolved >30d
aging actions
Verification failures
remediation not confirmed
Resolved (7d)
recently completed
Operations

Scan launch workspace

What you’re scanning — CIDR targets, exclusions, optional label and reporting scope. Profile sets port depth and intensity. Discovery and scan steps control how hosts are found and what runs on each. Enrichment applies your configured sources after collection (per-job overrides below). After you queue, live counters and the job table link forward to Scan history for full status.

Targets

Targets & profile

Define addresses in scope, what to skip, and how aggressively to scan. Rate limits and discovery mode apply to this job only.

Target & scope
Tags the job for Reports & Analysis so drift and baselines stay within the same network/environment.
Credentialed checks never auto-run from scans. Use Settings → Credentialed Checks jobs for explicit operator-triggered execution.
Rate limiting
15 pps50
0200 ms2000
Discovery mode
Auto
ARP for same-subnet, ping scan for routed
Routed
ICMP/TCP ping scan only — no ARP (cross-router)
Force (-Pn)
⚠ Scan all IPs regardless of ping — use for firewalled hosts
Scan profile
Standard Inventory: Balanced default for general-purpose networks. Scans common ports with light banner probing, then correlates CVEs.
Behavior

Scan steps & enrichment

Turn scan steps on or off for this run. Enrichment uses sources from the Enrichment tab; override inclusions here without changing saved defaults.

Scan steps
Passive discovery
ARP watch, mDNS/Bonjour sniff — zero packets sent
ICMP sweep
Ping / ARP sweep all hosts in scope
Port & banner probe
TCP connect on safe port list only
Service fingerprinting
OUI + banner + port profile → CPE
SNMP GET (read-only)
sysDescr, sysName, ifTable — no SET
OT protocol probes
⚠ Modbus/S7 read coils only — no writes
CVE correlation
Match CPE strings against local NVD db
Network enrichment (this scan)
Network enrichment runs the sources you configure under Enrichment (controllers, SNMP, logs, and other integrations). All enabled sources are used by default; uncheck any you want to skip for this job only, or turn all off to skip enrichment for this run.
Launch

Queue, progress & job list

Send the job to the collector queue. Counters reflect the active run when applicable; the table below mirrors queued work on this page — open Scan history for the full log.

Collector & priority
Route this run to a remote collector when you need local-site ARP/mDNS visibility.
Hosts found: 0  ·  Scanned: 0  ·  Elapsed: 0s

Queue and past runs:

Job queue
No jobs queued or running right now.
Operations

Queue & execution log

Job queue and finished scans. New jobs: .
Status

Live queue

Jobs waiting or executing now — progress, priority, and start time.

No jobs queued or running right now.

History & outcomes

Finished and failed runs in time order — filter by view, source, label, target, or job id.

# | Job / target | Status | Profile | Hosts | AI | Duration | Completed | Actions

Reports

Reports & Analysis

Evidence workspace: pick report mode first — job scope is historical scan evidence (finished runs, snapshots, drift, trends, baselines). Inventory scope is current operational posture (live assets and open findings by tag) — not scan history. Same scope names; different lineage.

  • Job scope completed scans → drift, trends, baseline, exports
  • Inventory scope live posture → summary only; switch to job mode for history

Scope & mode

Controls below set whether outputs reflect which finished jobs or which live inventory bucket. Generate analysis after the scope matches your question.

Report scope

Job scope filters completed scan jobs by scan_jobs.scope_id. Inventory scope filters current assets by assets.scope_id and summarizes open findings for those assets.

Job mode: each named option shows assets · done jobs (live inventory tag vs finished scans whose scan_jobs.scope_id was set when queued).

Job scope vs asset tags (technical)
Job list filter: named options limit charts and job pickers to completed scans whose scan_jobs.scope_id matches the tag stored when the job was queued.

Dropdown labels: assets = live inventory tag (assets.scope_id); done = finished scans with this scan_jobs.scope_id. Charts filter by the job count, not the asset count.

Historical scan evidence

Latest job snapshot, drift vs a reference, and bounded job history for the selected job scope. If sections stay empty, the filter may have no completed jobs yet — or you are in the wrong mode.

No data? Confirm Job scope reports and a bucket with finished scans. For live posture only, use Inventory scope reports above — drift and trends stay job-only.

At a glance

Summary for the latest completed scan that matches your report scope, plus a quick compliance readout when available.

What “Live” and the compliance line mean
Live / current — inventory and open findings as of now (Dashboard API). Compliance line — snapshot rules for the latest completed scan matching your scope filter (All scopes = globally latest; named scope = latest in that scope); the job number is called out in the sentence.

Snapshot drift

Automatic drift compares the latest finished scan in your filter to a reference scan (saved baseline, prior job in the same scope, or a compatible prior for unscoped jobs). Read-only.

How automatic drift picks a reference scan
All scopes: drift uses the latest scan’s named scope baseline when applicable, else an operator-set legacy global baseline for unscoped jobs only, else the prior finished job in the same named scope.

Unscoped latest scans: the prior reference is chosen only when a compatibility signal matches (same schedule, batch, target CIDR, or label prefix); unrelated legacy scans are not auto-paired.

Named / Unscoped filter: baseline rules for that bucket, then a compatible prior when unscoped.

Each point is one finished job in the current report scope (last N jobs). Not real-time.

Advanced operator tools

Manual analysis tools

Explicit compares, compliance detail, baseline management, and saved artifacts. Compare and Load compliance are read-only for all roles. Set baseline and artifact Details need scan editor or admin.

Compare any two completed scans

Pick any two finished jobs for a custom snapshot diff (same style as automatic drift above). Use when you need a specific pair or automatic drift is not available.

Pick a reference scan and a current scan, then Compare.

Compliance detail

Full rule text for one completed job. Optional: evaluate extra rules against the saved baseline. The At a glance section shows a quick pass/fail for the latest job only.

Select a job and Load compliance for rule-by-rule output.

Baseline for this report scope

Which scan is used as the reference for automatic drift and optional compliance-vs-baseline checks. Status is read-only; scan editors can set a baseline when a named scope or Unscoped only is selected (not All scopes).

Automation

Scan schedules

Recurring scans are optional — ad-hoc runs from Scan control work without any row here. When you do use schedules, each definition has its own target, profile, cron cadence, and timezone; the scheduler computes next run while the entry is enabled and not paused. Pause freezes cadence without deleting; turning Cron enabled off in the editor marks the definition dormant. Collectors and reporting scopes attach per schedule so jobs queue to the right agent and inherit context.

Create & edit

Open + New schedule or the edit (✎) control on a row. The dialog keeps target CIDR, cron (and presets), profile, discovery mode, rate limits, scan steps, enrichment sources, timezone, collector vs master, optional reporting scope, exclusions, missed-run policy, and cron enabled — same fields as before, grouped for quicker scanning.

Schedule inventory

Each row is one automation: ON / OFF is the cron switch; Paused (when ON) stops advancing until you Resume. Scan next / last run, profile, scope, and collector columns summarize what will execute.

Name | Target | Scope | Profile | Cron | Collector | Missed runs | Next run | Last run | Last result | On

Operator controls

Hist opens run history; Pause / Resume toggles frozen cadence; ▶ Run now queues an immediate job (confirm if prompted). Delete removes the schedule permanently — confirm before proceeding. Row shading highlights active (enabled, not paused), paused, or off schedules.

Infrastructure

Collectors

Optional remote scan agents: the master queues work and ingests results; each collector registers with an install token, polls for assigned jobs, runs work locally (better ARP/mDNS visibility on-site), and uploads chunked artifacts back for async ingest, CVE correlation, and enrichment. Master-only installs never need a collector row here. Generate or rotate install tokens under Settings (admin).

Fleet status & registration

Live counts and one row per registered collector: name/site context, allowed CIDR ranges, schedule assignments, heartbeat, last IP, and chunk queue health (pending / failed).

ID | Name | Status | Last seen | IP | Pending | Failed

Operator controls

Per row: Set ranges constrains target CIDRs for that collector; Manage in schedules ties recurring work to a collector; Rotate token invalidates old install credentials (confirm, then update the agent); Revoke permanently removes the collector and its tokens — use only when decommissioning. Job assignment and chunk return health show in Pending / Failed; use Refresh and System health for broader service state.

Traceability

Audit log

Operational event record for operator and system activity across SurveyTrace. Use this stream to answer what changed, who acted, and when, with source IP context and severity labels for investigation.

Filters & review controls

Filter by free-text and level, refresh the stream, and toggle auto-scroll for live review. Controls are read-only and preserve backend audit semantics.

Audit event stream

Dense chronological entries. Timestamp + level indicate recency and severity; message body includes actor/IP context when emitted by the source subsystem.


Event details & no-data guidance

Message text is shown inline for fast triage. If the stream is empty, either no entries have been recorded yet or current filters return no matches — clear filters or refresh before concluding no activity.

Enrichment

External context & operator workflows

Configure network enrichment sources (SNMP, files, APIs, integrations) for scan-time context. Optionally connect Zabbix: sync pulls host data into SurveyTrace; review validates candidate matches; apply writes only after explicit confirmation. Output push (when enabled) is separate from sync — it sends state out to monitoring, not into the cache.

  • Sources what runs during scans
  • Sync pull into SurveyTrace
  • Review matches & rules before apply
  • Apply confirmed identity / scope only
  • Push optional outbound integration

Configure sources

Enable and tune connectors used as network enrichment on the Scan tab and in scheduled jobs.

Configured
Available sources

Types you can add; status reflects readiness on this server.

How enrichment works
Enrichment sources run during each scan as network enrichment (you can narrow or skip them per job on the Scan tab).
They add hostnames, MACs, VLANs, and other context the scanner may not see on its own — especially across routers or for hosts that barely respond to probes.

Integrations — vendor APIs and dashboards you already use can return many clients in one call when that system already knows them.

SNMP — read-only walks on routers or switches (ARP tables, bridge data) as a vendor-neutral option.

Files and logs — DHCP leases, DNS or firewall exports, and similar paths pull names and clients from your own records.

Sync external context (Zabbix)

Connector status, last sync, cache freshness, and manual pull. Run sync now refreshes the in-app host cache — not an output push.

Zabbix monitoring

Operations

System health

Operational status console for services, scheduler, storage, database files, and integration freshness (feeds, Zabbix, collectors). All checks are read-only — use Refresh for a new snapshot. Follow Needs attention when anything requires operator follow-up; raw detail stays under Advanced diagnostics.

Open this tab or choose Refresh to load the latest health snapshot.

Trace over time

Change alerts

Review stream for observed state changes across scans and inventory. Alerts capture what changed, affected assets, detection time, and lifecycle signals (new, reopened, mitigated) so operators can triage expected vs suspicious drift quickly.

Filters & review controls

Refresh updates the open-change view. Dismiss all is available for scan editors/admins and hides open rows without altering underlying scan/finding data.


Change alert stream

Dense table for timestamp, change type, affected asset/job, and evidence summary. Rows with unresolved CVE changes are visually emphasized for review.

When | Type | Target | Detail | Actions

Review & resolution actions

Dismissing hides an item from this list only. For new CVE and CVE reopened rows, Accept risk acknowledges the finding (same as Vulnerabilities), dismisses related open alerts, and suppresses repeats until risk is unaccepted.

Identity

Access control

Security administration workspace for local users, role assignment, OIDC/SSO, and emergency breakglass access. UI permissions are role-aware: viewer, scan editor, and admin capabilities are enforced server-side and reflected throughout the product.

Users and roles

Account state, role, MFA status, and sensitive actions are managed here. Disabled users stay in the list for auditability.

Daily admin tasks
Legacy Basic Auth remains backend-compatible for upgrades, but is intentionally not shown as a selectable mode here.
Local accounts remain available for breakglass (if enabled), even when primary authentication uses OIDC.
Breakglass local access
Advanced security and SSO settings
Password requirements
OIDC configuration
Local users and roles
Use this table to assign application roles. In SurveyTrace-managed mode, SSO users keep the role assigned here.
User | Name | Email | Role | MFA | Disabled | Actions
Save applies account fields immediately. Password opens a dialog to set an optional temporary password.
Live auth operations (non-historical)
Operational view of current failed/locked sign-in state. This is not a permanent history.
User | Failed attempts | Last failed (UTC) | Locked until (UTC) | IP
Historical user audit
Persistent trail of sign-ins, account, and scan operator actions.
When (UTC) | Action | Actor | Target | IP

Security-sensitive controls

Password policy, OIDC secret fields, breakglass username, MFA reset, password reset, role changes, and user deletion are trust-affecting actions. Use these controls deliberately; confirmations and server-side authorization remain enforced.

Data flow

Integrations

Connector workspace for inbound pull consumers and outbound push delivery targets. Pull integrations expose SurveyTrace data endpoints (Grafana, Prometheus/Alloy, scripted inputs) with per-integration tokens; push integrations deliver canonical events outward (webhook, syslog, Splunk HEC, Loki) when you run Test / Sample. Secrets and token hashes remain server-side and are never returned raw.

Configured integrations

Two inventories below: Push destinations (outbound delivery) and Pull/API consumers (inbound reads into external dashboards/tools). Enabled state, endpoint summary, auth/token state, and recency are shown per row.

Quick start (Grafana, Prometheus / Alloy, Splunk)
Grafana Infinity
Choose Grafana Infinity dashboard pull for the starter (one token on the Infinity datasource). Endpoints include /api/integrations_dashboard.php (?view=trends|events|metrics|compliance), report summary, and optional JSON metrics/events. Or use Grafana Infinity / report summary pull for dashboard + report summary only.
Grafana / Prometheus / Alloy
Choose Prometheus / Grafana metrics pull. Endpoint: /api/integrations_metrics.php. Auth: Authorization: Bearer <token>.
Splunk HEC
Choose Splunk HEC push. Set HEC URL and token in the form. Use Test / Sample to validate.
Splunk scripted / modular input
Choose Splunk scripted input / JSON events pull. Endpoint: /api/integrations_events.php?since=…&format=jsonl. Auth: Authorization: Bearer <token>. See integrations/starter/splunk_surveytrace/.
Push integrations

Destination URLs or syslog host:port. Use Test / Sample to send a canonical reporting event.

Name | Type | Mode | On | Destination | Auth | Last test | Actions
Pull / API integrations

Per-row Generate / Rotate token. After rotation, copy the plaintext once — it will not be shown again.

Name | Type | Mode | On | API paths | Token | Last used | Actions

Add integration workflow

Create connectors with name, type, enabled state, endpoint/host settings, and optional secret token fields. Pull/API types hide destination secret inputs and show endpoint-specific token usage help. Edit uses the existing modal with the same save and secret-clear behavior.

Add integration

Delivery & diagnostics

Use row-level Last test and Last used fields to detect stale/failing connectors quickly. For push connectors, run Test / Sample after edits; for pull connectors, rotate tokens if compromised and verify client-side bearer usage.

Zabbix (integration)

Transport only — pulls hosts, interfaces, groups, tags, and problems into local tables. Sync runs in the background; the API token is never returned from the server. Match review, scope mapping, manual link/unlink, and apply workflows are on the Enrichment tab (Zabbix tools panel, after sync).

Sender server is where zabbix_sender connects on TCP (default port 10051). This may differ from the API URL if the API is behind a proxy or tunnel.

Use the exact Host name from Zabbix (Configuration → Hosts). This is not the sender TCP address.

SurveyTrace sends health and security summary metrics to Zabbix. No alerts are created by default.

Tokens & security

Pull APIs: use Authorization: Bearer <token> in production. Legacy ?token= still works but is deprecated (responses include a Warning header). Starter files: integrations/starter/ (see README).
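A query-string token is written to web server access logs, so clients still on legacy ?token= are worth finding and their tokens rotating. The following added example (not part of SurveyTrace) scans access-log lines for such requests to the pull endpoints and redacts the token value in its output; the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit

# The pull endpoints named on this page share this path prefix.
PULL_PREFIX = "/api/integrations_"

# Combined log format (assumed for the web server in front of the app).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines; addresses are documentation ranges and the
# token values are placeholders, not real credentials.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Mar/2025:10:00:01 +0000] "GET /api/integrations_metrics.php HTTP/1.1" 200 5120 "-" "Alloy/1.5"
192.0.2.44 - - [03/Mar/2025:10:00:07 +0000] "GET /api/integrations_events.php?since=2025-03-01&format=jsonl&token=EXAMPLE-TOKEN-A HTTP/1.1" 200 880 "-" "python-requests/2.32"
198.51.100.7 - - [03/Mar/2025:10:01:12 +0000] "GET /api/integrations_dashboard.php?view=trends&token=EXAMPLE-TOKEN-B HTTP/1.1" 200 2048 "-" "Grafana/11"
192.0.2.44 - - [03/Mar/2025:10:05:07 +0000] "GET /api/integrations_events.php?since=2025-03-02&format=jsonl&token=EXAMPLE-TOKEN-A HTTP/1.1" 200 640 "-" "python-requests/2.32"
192.0.2.10 - - [03/Mar/2025:10:06:00 +0000] "GET /api/integrations_dashboard.php?view=metrics HTTP/1.1" 200 900 "-" "Grafana/11"
this line is not in the expected format and is skipped
"""


def redact_target(target):
    """Return the request target with any token value replaced."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    safe = [(k, "REDACTED" if k == "token" else v) for k, v in pairs]
    return parts.path + ("?" + urlencode(safe) if safe else "")


def find_legacy_token_requests(log_text):
    """List pull-endpoint requests that carried the token in the URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        parts = urlsplit(m["target"])
        if not parts.path.startswith(PULL_PREFIX):
            continue
        keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        if "token" not in keys:
            continue  # header-based auth leaves no token in the URL
        hits.append({
            "client": m["client"],
            "when": m["when"],
            "path": parts.path,
            "status": int(m["status"]),
            "request": redact_target(m["target"]),
        })
    return hits


def summarize(hits):
    """Count legacy-token requests per (client, endpoint)."""
    return Counter((h["client"], h["path"]) for h in hits)


if __name__ == "__main__":
    found = find_legacy_token_requests(SAMPLE_LOG)
    for (client, path), n in summarize(found).most_common():
        print(f"{client} {path} legacy-token requests: {n}")
    for h in found:
        print(h["when"], h["status"], h["request"])
```

Each client listed should move to the Authorization: Bearer header, and any token that appeared in a logged URL should be rotated from the Pull / API integrations table.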

Integrations are optional. Common first deployments: Grafana pull dashboards, Prometheus/Alloy metrics pull, Splunk webhook/HEC or scripted pull, syslog forwarding, and custom webhooks for external dashboards/automation.

Configuration

Settings

System configuration workspace for app/service behavior, feeds, AI automation, and maintenance controls. Authentication and user lifecycle policy live in Access control; this tab focuses on runtime/system options and operational tuning.

Configuration groups

Each card keeps its own save/test actions. Use section tabs to focus on one operational area at a time.

Core application behavior, security defaults, session policy, and role-aware access controls.

External systems, collectors, feeds, API access, and data exchange settings.

Credential profiles, bounded check jobs, execution history, and authenticated evidence controls. Credentialed checks run as separate jobs on the master credential-check worker. Optional per-job recurring schedules are driven by surveytrace-scheduler (not scan_schedules).

Operational lifecycle tools for retention, backup/restore validation, secret rewrap, and stuck-worker recovery.

Low-frequency controls, AI behavior, and experimental or diagnostic configuration.

Reference material, build information, category definitions, and operational documentation links.

Security & session
Sign-in session
Idle timeout for the PHP session cookie after you sign in (session auth) or after the first successful basic-auth request. Each API request while signed in resets the idle clock. Range 5 minutes to 7 days.
Added only to routed full_tcp safe-port scans (finite port union on high-latency paths). Example: 10000,15672,11434
Security controls

When enabled, viewer accounts can no longer call the System Health or inventory export APIs—only scan editor and admin roles. Default is off (unchanged from prior releases).

System Health — Background jobs (preview): warn when the count of worker_jobs in failed status is at least this number. Use 0 to turn off that hint (failed counts still appear). Default 1 matches prior behavior.

Credentialed checks — operational summary
At-a-glance status

Compact posture from profiles/jobs plus credentialed-run and worker health snapshots.

Credentialed checks — profiles
Credential profiles

Define reusable credential metadata per transport using structured fields (plus optional advanced JSON). Principals never contain passwords or keys — those are stored as encrypted envelopes. The encryption key is set in /etc/surveytrace/surveytrace.env (readable by the surveytrace user, not the web pool); the web UI invokes daemon/cred_secret_ops_cli.php via a narrow sudo rule to encrypt secrets and run handshake tests. Without a working helper you can still save profile metadata, but storing secrets, handshake tests, and credentialed runs that need decryption fail safely. Handshake tests are available for SSH and SNMPv3; WinRM handshake is deferred.

Encryption status: —

Name | Transport | Principal | Scope | On | Secret | Last test
  1. Save profile
  2. Set secret
  3. Enter target host/IP
  4. Run handshake
  5. Read result panel below the test controls in the modal
Credentialed checks — jobs & runs
Check jobs (queue / worker)

Credentialed checks run on the master worker (surveytrace-credential-check-worker) — not on remote collectors. They are not triggered by normal scans or scan_schedules; create a job, optionally enable a recurring schedule (processed by surveytrace-scheduler via credential_schedule_tick.php), and use Run now or wait for the next schedule_next_run_at. Each launch enqueues worker_jobs (job_type=credentialed_check). Implemented plugins: ssh.linux.os_release@1.0.0, ssh.linux.package_inventory@1.0.0, and snmpv3.device_identity@1.0.0 with bounded outputs/artifacts and trusted-data observation writes. Intentionally not implemented here: arbitrary commands, remediation, WinRM execution, CVE/finding fusion, or custom SNMP walk/SET behavior.

Jobs
Name | Profile | Mode | On | Schedule | Next run | Last run
Recent runs

Run list shows bounded previews only in Detail (no full package dumps). Stored credential_check_results / artifact metadata grow with history; automatic TTL is not enabled. From the server install tree: sudo -u surveytrace php /opt/surveytrace/scripts/prune_credential_runtime_history.php --dry-run (default), then --apply --days=N --keep-runs=N after review — preserves active runs and non-terminal jobs per script policy. Broader retention: prune_operational_history.php (optional --include-runs). See docs/wiki/deployment.md and docs/wiki/credentialed-checks-integration.md.

Run | Job | Profile | Plugins | Status | Trigger | Targets | Duration | Worker job | Started | Finished
API keys, feeds & external data
NVD, CVE intelligence & offline fingerprint feeds

One server job and one log per run in data/feed_sync_result.json. The sections that follow describe each feed; you can also run NVD, OUI, WebFP, and CVE intel in a single job at the bottom of this card.

NVD (CVE / CPE correlation)
Last sync:
Maps CPE strings to CVE IDs for offline correlation. Refreshed weekly via cron; to refresh manually, run sync_nvd.py or use the button below.
Request a free key at nvd.nist.gov for higher rate limits. Stored in the local database (never sent back to the browser). If NVD_API_KEY is set in the server environment, it overrides the saved key. To replace a saved key, remove it first, then paste the new one.
•••••••••••••••• NVD API key saved

The browser returns immediately. Incremental NVD often takes several minutes (10+ is normal for large NIST batches, or longer without an API key). Cancel stops after the current fetch. If you killed a process on the host and the UI is stuck, Reset sync lock. If the network drops, the job retries; run again when the link is back.

OUI & WebFP (MAC vendors & web fingerprints)
OUI last sync: · prefixes: 0
WebFP last sync: · rules: 0
IEEE OUI registries and Wappalyzer technologies (synced daily via cron). These two buttons do not run NVD; use Sync NVD now (above) or Sync all feeds (below) if you need CVE data refreshed too.
CVE intelligence (KEV, EPSS, OSV)
Last sync: · rows: 0
CISA KEV (actively exploited catalog), FIRST EPSS (exploitation probability), and OSV (ecosystem/package context: Linux distros, macOS / Apple platforms, Android where indexed, language ecosystems in containers, and more). This complements NVD across Linux, Windows Server and desktops, macOS, Hyper-V and other hypervisor stacks, iOS / iPadOS and Android where CVEs map to shared components, and Docker-heavy fleets. Run after NVD so EPSS/OSV can target CVEs you already track.
NVD + OUI + WebFP + CVE intel in one job

Runs NVD, then OUI, then WebFP, then CVE intel in order. Expect a long run—NVD alone is often many minutes; CVE intel may take additional time on first run. The sections above let you refresh each feed on its own.

Shows the most recent run (whichever set of buttons you used). Sync all appends NVD, OUI, WebFP, and CVE intel sections in one file. The same log loads after a page reload.

Reference information
About
SurveyTrace v1.0.5
PHP + SQLite + Python scanner daemon
Data stored in data/surveytrace.db
View release notes
Asset categories
srv: Server (Linux, Windows Server, macOS in server roles)
ws: Workstation / laptop (Windows, macOS, ChromeOS) and mobile-style endpoints (iOS, iPadOS, Android) when fingerprinting indicates a client device
net: Network gear (switch, router, firewall)
iot: IoT device
ot: OT / ICS (PLC, SCADA, HMI)
voi: VoIP phone / PBX
prn: Printer / MFP
hv: Hypervisor (VMware ESXi / vSphere / vCenter, Proxmox VE, Hyper-V)
Integrations & credentials
Collector setup
Not configured
Maintenance & operations
Scan trash retention
Trashed scans are permanently purged after this many days by the scheduler daemon.
Database backups
Scheduler-triggered SQLite backups using daemon/backup_db.sh.
Enabled
Format: minute hour day-of-month month day-of-week
Last run: —
Operational maintenance reference
Read-only runbook shortcuts for manual maintenance tools. Run dry-run first and take a DB backup before any --apply operation.
php scripts/rewrap_credential_secrets.php
php scripts/prune_operational_history.php --older-than-days=90
php scripts/recover_stale_worker_jobs.php --older-than-minutes=60

These tools are CLI-only in this release. No browser-triggered maintenance actions are exposed. Runbook · Troubleshooting

AI / automation
AI enrichment
Generated summary and suggestions. Verify before acting.
Sizing guide: /24 homelab → 4 vCPU / 8-12 GB RAM / 64+ GB disk · multi-/24 batches → 6-8 vCPU / 12-16 GB RAM / 80+ GB disk. Keep scans split by /24 and run sequentially for best stability on smaller hosts.
Runtime: checking…
Models: —
Ollama is not installed on this server. Run on the SurveyTrace host shell: curl -fsSL https://ollama.com/install.sh | sh
Enable AI enrichment

http(s) only

Device