Hi Luca,

> Can you please tell me how you started nprobe so I can see what
> template was used?
Hmm, I'm not using nprobe :) I'm sending them from ntopng using pcap.

/usr/bin/ntopng \
  -G=/var/tmp/ntopng.gid \
  --interface 6 \
  --local-networks "192.168.0.0/16,172.16.0.0/12,10.0.0.0/8" \
  --dns-mode 1 \
  --dump-flows 'es;flows;ntopng;http://el01.mydom.lan:9200/_bulk' \
  --packet-filter 'ip and not (host 10.11.0.1 and port 161)' \
  --ndpi-protocols /var/tmp/ntopng/protos.txt \
  ;

Hopefully that is supported? It seems to work :)

When you say template, is that the EL mapping for the index? If so, here's that info for you:

$ curl -XGET 'http://el01.mydom.lan:9200/ntopng-2014.12.02/_mapping?pretty=true'
{
  "ntopng-2014.12.02" : {
    "mappings" : {
      "flows" : {
        "properties" : {
          "@timestamp" : {
            "type" : "date",
            "format" : "dateOptionalTime"
          },
          "@version" : {
            "type" : "long"
          },
          "DST_VLAN" : {
            "type" : "long"
          },
          "FIRST_SWITCHED" : {
            "type" : "long"
          },
          "IN_BYTES" : {
            "type" : "long"
          },
          "IN_PKTS" : {
            "type" : "long"
          },
          "IPV4_DST_ADDR" : {
            "type" : "string"
          },
          "IPV4_SRC_ADDR" : {
            "type" : "string"
          },
          "L4_DST_PORT" : {
            "type" : "long"
          },
          "L4_SRC_PORT" : {
            "type" : "long"
          },
          "L7_PROTO" : {
            "type" : "long"
          },
          "LAST_SWITCHED" : {
            "type" : "long"
          },
          "OUT_BYTES" : {
            "type" : "long"
          },
          "OUT_PKTS" : {
            "type" : "long"
          },
          "PROTOCOL" : {
            "type" : "long"
          },
          "SRC_VLAN" : {
            "type" : "long"
          },
          "TCP_FLAGS" : {
            "type" : "long"
          },
          "type" : {
            "type" : "string"
          }
        }
      }
    }
  }
}

I've contemplated cutting out the ntopng redis pop & submit to elasticsearch, and use logstash instead to pop off of the ntopng redis server and apply additional filtering. Haven't had time to play with that yet.

Thanks,
Chris

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
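Added example, not from this thread and not ntopng's own code: if you do move the redis-pop-and-submit step out of ntopng into your own pipeline, the documents you push to /_bulk still have to match the index mapping shown above. The script below uses the field names and types from that mapping, checks each constructed flow record against them before it is serialized, and builds the NDJSON body that the bulk endpoint expects (an action line followed by the document, one pair per flow, newline terminated). Assumptions: the daily index name is derived from @timestamp in the same ntopng-YYYY.MM.DD pattern as the index in the post, the document type is "flows" as in the --dump-flows option, and the sample flow values are made up. Nothing is sent over the network.

```python
"""Validate ntopng flow records against the posted index mapping and
build an Elasticsearch _bulk body for them (example code, not ntopng's)."""
import json
from datetime import datetime

# Field types copied from the "flows" mapping shown in the thread.
FLOW_MAPPING = {
    "@timestamp": "date", "@version": "long",
    "DST_VLAN": "long", "FIRST_SWITCHED": "long",
    "IN_BYTES": "long", "IN_PKTS": "long",
    "IPV4_DST_ADDR": "string", "IPV4_SRC_ADDR": "string",
    "L4_DST_PORT": "long", "L4_SRC_PORT": "long",
    "L7_PROTO": "long", "LAST_SWITCHED": "long",
    "OUT_BYTES": "long", "OUT_PKTS": "long",
    "PROTOCOL": "long", "SRC_VLAN": "long",
    "TCP_FLAGS": "long", "type": "string",
}


class MappingError(ValueError):
    """Raised when a document would not fit the index mapping."""


def parse_timestamp(value):
    """Parse an ISO 8601 @timestamp (the dateOptionalTime format in the mapping)."""
    if not isinstance(value, str):
        raise MappingError("@timestamp must be an ISO 8601 string")
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError as exc:
        raise MappingError(f"bad @timestamp {value!r}") from exc


def validate_flow(doc):
    """Reject unmapped fields and values that do not fit the mapped type.
    This is stricter than Elasticsearch itself, which coerces numeric strings;
    the point is to catch bad producers before they hit the bulk endpoint."""
    for name, value in doc.items():
        expected = FLOW_MAPPING.get(name)
        if expected is None:
            raise MappingError(f"unmapped field {name!r}")
        if expected == "long":
            if isinstance(value, bool) or not isinstance(value, int):
                raise MappingError(f"{name} must be an integer, got {value!r}")
        elif expected == "string":
            if not isinstance(value, str):
                raise MappingError(f"{name} must be a string, got {value!r}")
        elif expected == "date":
            parse_timestamp(value)
    if "@timestamp" not in doc:
        raise MappingError("@timestamp is required to pick the daily index")
    return doc


def is_valid_flow(doc):
    """True if validate_flow accepts the document."""
    try:
        validate_flow(doc)
        return True
    except MappingError:
        return False


def index_for(doc):
    """Daily index name in the ntopng-YYYY.MM.DD pattern seen in the post (assumed
    here to be derived from @timestamp)."""
    return "ntopng-" + parse_timestamp(doc["@timestamp"]).strftime("%Y.%m.%d")


def build_bulk_body(docs, doc_type="flows"):
    """Serialize validated flows into the NDJSON body expected by /_bulk."""
    lines = []
    for doc in docs:
        validate_flow(doc)
        action = {"index": {"_index": index_for(doc), "_type": doc_type}}
        lines.append(json.dumps(action, separators=(",", ":")))
        lines.append(json.dumps(doc, separators=(",", ":"), sort_keys=True))
    return "\n".join(lines) + "\n"


# Constructed sample flows; values are made up and only shaped like ntopng output.
SAMPLE_FLOWS = [{
    "@timestamp": "2014-12-02T10:15:30Z", "@version": 1, "type": "flows",
    "IPV4_SRC_ADDR": "10.11.0.5", "IPV4_DST_ADDR": "192.168.1.20",
    "L4_SRC_PORT": 51234, "L4_DST_PORT": 443, "PROTOCOL": 6, "L7_PROTO": 91,
    "IN_BYTES": 1200, "IN_PKTS": 10, "OUT_BYTES": 5400, "OUT_PKTS": 8,
    "FIRST_SWITCHED": 1417515330, "LAST_SWITCHED": 1417515335,
    "TCP_FLAGS": 27, "SRC_VLAN": 0, "DST_VLAN": 0,
}]

# A producer bug: a non-numeric string in a field the mapping declares as long.
BAD_FLOW = dict(SAMPLE_FLOWS[0], L4_DST_PORT="https")

if __name__ == "__main__":
    print(build_bulk_body(SAMPLE_FLOWS), end="")
```

The action line carries `_type` because the index in the post has a per-type mapping ("flows"), which is how Elasticsearch of that era was addressed; on a newer cluster you would drop `_type` and the mapping's "string" fields would be keyword or text instead.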
