devName in SET_ALWAYS is not updated if already set

[Rikysonic]

What installation are you running?

Production (netalertx) 📦

Is there an existing issue for this?

• I have searched the existing open and closed issues and I checked the docs https://docs.netalertx.com/

The issue occurs in the following browsers. Select at least 2.

• Firefox
• Chrome
• Edge
• Safari (unsupported) - PRs welcome
• N/A - This is an issue with the backend

Current Behavior

The devName field is NOT overwritten by any plugin if it was previously set by another plugin, even if it is added in the SET_ALWAYS array for those plugins.

Expected Behavior

The devName field is overwritten by the plugins, as expected by the SET_ALWAYS array.

Steps To Reproduce

Note: this flow shows DIGSCAN not updating devName, but it occurs with SYNC as well (I guess every plugin that sets devName is affected).

Prerequisites:

• devName in SET_ALWAYS for DIGSCAN plugin
• devName NOT in SET_ALWAYS for NBTSCAN
• Device exposes its hostname via mDNS
• Device hostname is NOT present in DNS
• REFRESH_FQDN is enabled

How to reproduce:

• NetAlertX discovers a new device that is not on DNS - NBTSCAN assigns its mDNS name (let's say mDNS name is A) as both devName and FQDN
• I manually add the correct hostname on DNS following our business standard (let's call it B.domain.local)
• When the next scan occurs, the FQDN is correctly overwritten by DIGSCAN plugin as B.domain.local, but the devName is still A (last updated by NBTSCAN), even if devName is set in SET_ALWAYS for the DIGSCAN plugin and not set for the NBTSCAN plugin.

Relevant app.conf settings

docker-compose.yml

services:
  netalertx:
  #use an environmental variable to set host networking mode if needed
    container_name: netalertx                       # The name when you docker contiainer ls
    image: ghcr.io/netalertx/netalertx:latest
    network_mode: ${NETALERTX_NETWORK_MODE:-host}   # Use host networking for ARP scanning and other services

    read_only: true                                 # Make the container filesystem read-only
    cap_drop:                                       # Drop all capabilities for enhanced security
      - ALL
    cap_add:                                        # Add only the necessary capabilities
      - NET_ADMIN                                   # Required for ARP scanning
      - NET_RAW                                     # Required for raw socket operations
      - NET_BIND_SERVICE                            # Required to bind to privileged ports (nbtscan)
      - CHOWN                                       # Required for root-entrypoint to chown /data + /tmp before dropping privileges
      - SETUID                                      # Required for root-entrypoint to switch to non-root user
      - SETGID                                      # Required for root-entrypoint to switch to non-root group
    # --- ARP FLUX MITIGATION ---
    # Note: When using `network_mode: host`, these sysctls require the
    # NET_ADMIN capability to be applied to the host namespace.
    # 
    # If your environment restricts capabilities, or you prefer to configure
    # them on the Host OS, REMOVE the sysctls block below and apply via:
    # sudo sysctl -w net.ipv4.conf.all.arp_ignore=1 net.ipv4.conf.all.arp_announce=2
    # ---------------------------
    # sysctls:                                        # ARP flux mitigation (reduces duplicate/ambiguous ARP behavior on host networking)
    #   net.ipv4.conf.all.arp_ignore: 1
    #   net.ipv4.conf.all.arp_announce: 2

    volumes:
      - ./netalertx_data/config:/data/config:rw
      - ./netalertx_data/db:/data/db:rw

    # Example custom local folder called /home/user/netalertx_data
    # - type: bind
    #   source: /home/user/netalertx_data
    #   target: /data
    #   read_only: false
    # ... or use the alternative format
    # - /home/user/netalertx_data:/data:rw

      - type: bind                                  # Bind mount for timezone consistency
        source: /etc/localtime
        target: /etc/localtime
        read_only: true

      # Mount your DHCP server file into NetAlertX for a plugin to access
      # - path/on/host/to/dhcp.file:/resources/dhcp.file

    # tmpfs mount consolidates writable state for a read-only container and improves performance
    # uid/gid default to the service user (NETALERTX_UID/GID, default 20211)
    # mode=1700 grants rwx------ permissions to the runtime user only
    tmpfs:
      # Comment out to retain logs between container restarts - this has a server performance impact.
      - "/tmp:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

      # Retain logs - comment out tmpfs /tmp if you want to retain logs between container restarts
      # Please note if you remove the /tmp mount, you must create and maintain sub-folder mounts.
      # - /path/on/host/log:/tmp/log
      # - "/tmp/api:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
      # - "/tmp/nginx:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"
      # - "/tmp/run:uid=${NETALERTX_UID:-20211},gid=${NETALERTX_GID:-20211},mode=1700,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

    environment:
      LISTEN_ADDR: ${LISTEN_ADDR:-0.0.0.0}                   # Listen for connections on all interfaces
      PORT: ${PORT:-20211}                                   # Application port
      GRAPHQL_PORT: ${GRAPHQL_PORT:-20212}                   # GraphQL API port (passed into APP_CONF_OVERRIDE at runtime)
  #    NETALERTX_DEBUG: ${NETALERTX_DEBUG:-0}                 # 0=kill all services and restart if any dies. 1 keeps running dead services.
  #    PUID: 20211                             # Runtime PUID override, set to 0 to run as root
  #    PGID: 20211                             # Runtime PGID override

    # Resource limits to prevent resource exhaustion
    mem_limit: 2048m            # Maximum memory usage
    mem_reservation: 1024m      # Soft memory limit
    cpu_shares: 512             # Relative CPU weight for CPU contention scenarios
    pids_limit: 512             # Limit the number of processes/threads to prevent fork bombs
    logging:
      options:
        max-size: "10m"         # Rotate log files after they reach 10MB
        max-file: "3"           # Keep a maximum of 3 log files

    # Always restart the container unless explicitly stopped
    restart: unless-stopped

Debug or Trace enabled

• I have read and followed the steps in the wiki link above and provided the required debug logs and the log section covers the time when the issue occurs.

Relevant app.log section

13:25:26 [Plugins] objects_to_update: [(REDACTED),('DIGSCAN', '00:26:73:XX:XX:XX', '10.1.1.9', '2026-05-22 08:19:03', '2026-05-22 08:19:03', '', 'pio-mpc2050-02.REDACTED.local.', '', '', 'watched-not-changed', '', 'null', '00:26:73:XX:XX:XX', '', '', '', '', '', '2666f766-95c4-b96a-3421-3fa0f8dee2e7', 222),(REDACTED)]
13:25:26 [check_plugin_data_changed] No relevant plugin changes since last check for ['DIGSCAN', 'NSLOOKUP', 'NBTSCAN', 'AVAHISCAN']

Docker Logs

 _   _      _    ___  _           _  __   __
| \ | |    | |  / _ \| |         | | \ \ / /
|  \| | ___| |_/ /_\ \ | ___ _ __| |_ \ V /
| .   |/ _ \ __|  _  | |/ _ \  __| __|/   \
| |\  |  __/ |_| | | | |  __/ |  | |_/ /^\ \
\_| \_/\___|\__\_| |_/_|\___|_|   \__\/   \/
   Network intruder and presence detector.
   https://netalertx.com


Startup pre-checks
--> data migration.sh
--> capabilities audit.sh
--> mounts.py
 Path                     | R | W | Mount | RAMDisk | Performance | DataLoss
--------------------------+---+---+-------+---------+-------------+----------
 /data/db                 | ✅| ✅|   ✅  |    ➖   |      ➖     |    ✅
 /data/config             | ✅| ✅|   ✅  |    ➖   |      ➖     |    ✅
 /tmp/run/tmp             | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅
 /tmp/api                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅
 /tmp/log                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅
 /tmp/run                 | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅
 /tmp/nginx/active-config | ✅| ✅|   ✅  |    ✅   |      ✅     |    ✅
--> first run config.sh
--> first run db.sh
--> mandatory folders.sh
    * Creating NetAlertX log directory.
    * Creating NetAlertX API cache.
    * Creating System services runtime directory.
    * Creating nginx active configuration directory.
    * Creating Plugins log.
    * Creating System services run log.
    * Creating System services run tmp.
    * Creating DB locked log.
    * Creating Execution queue log.
--> apply conf override.sh
--> override individual settings.sh
--> host optimization.sh
--> writable config.sh
--> nginx config.sh
--> expected user id match.sh
--> host mode network.sh
--> excessive capabilities.sh
--> appliance integrity.sh
--> ports available.sh
APP_CONF_OVERRIDE detected (set from GRAPHQL_PORT)
Starting supercronic --quiet "/services/config/cron/crontab" >>"/tmp/log/cron.log" 2>&1 &
Starting /usr/sbin/php-fpm83 -y "/services/config/php/php-fpm.conf" -F (tee stderr to app.php_errors.log)
Starting python3  -m server > /tmp/log/stdout.log 2> >(tee /tmp/log/stderr.log >&2)
Starting /usr/sbin/nginx -p "/tmp/run/" -c "/tmp/nginx/active-config/nginx.conf" -g "error_log stderr; error_log /tmp/log/nginx-error.log; daemon off;" &
2026/05/22 13:18:48 [error] 243#243: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.X.X, server: , request: "GET /server/messaging/in-app/unread HTTP/1.1", upstream: "http://127.0.0.1:20212/messaging/in-app/unread", host: "10.1.X.X:20211", referrer: "http://10.1.X.X:20211/devices.php"
Successfully updated IEEE OUI database (114319 entries)