Hi Chris, yes, ES is supported even though it is under development. Glad to see it works for you.
The template I am referring to is the nprobe template I expected you to use: ignore my question.

Luca

On 12/02/2014 04:01 AM, Chris Bennett wrote:
> Hi Luca,
>
>> Can you please tell me how you started nprobe so I can see what
>> template was used?
> Hmm, I'm not using nprobe :)
>
> I'm sending them from ntopng using pcap.
>
> /usr/bin/ntopng \
>   -G=/var/tmp/ntopng.gid \
>   --interface 6 \
>   --local-networks "192.168.0.0/16,172.16.0.0/12,10.0.0.0/8" \
>   --dns-mode 1 \
>   --dump-flows 'es;flows;ntopng;http://el01.mydom.lan:9200/_bulk' \
>   --packet-filter 'ip and not (host 10.11.0.1 and port 161)' \
>   --ndpi-protocols /var/tmp/ntopng/protos.txt \
>   ;
>
> Hopefully that is supported? It seems to work :)
>
> When you say template, is that the EL mapping for the index? If so,
> here's that info for you:
>
> $ curl -XGET 'http://el01.mydom.lan:9200/ntopng-2014.12.02/_mapping?pretty=true'
> {
>   "ntopng-2014.12.02" : {
>     "mappings" : {
>       "flows" : {
>         "properties" : {
>           "@timestamp" : {
>             "type" : "date",
>             "format" : "dateOptionalTime"
>           },
>           "@version" : {
>             "type" : "long"
>           },
>           "DST_VLAN" : {
>             "type" : "long"
>           },
>           "FIRST_SWITCHED" : {
>             "type" : "long"
>           },
>           "IN_BYTES" : {
>             "type" : "long"
>           },
>           "IN_PKTS" : {
>             "type" : "long"
>           },
>           "IPV4_DST_ADDR" : {
>             "type" : "string"
>           },
>           "IPV4_SRC_ADDR" : {
>             "type" : "string"
>           },
>           "L4_DST_PORT" : {
>             "type" : "long"
>           },
>           "L4_SRC_PORT" : {
>             "type" : "long"
>           },
>           "L7_PROTO" : {
>             "type" : "long"
>           },
>           "LAST_SWITCHED" : {
>             "type" : "long"
>           },
>           "OUT_BYTES" : {
>             "type" : "long"
>           },
>           "OUT_PKTS" : {
>             "type" : "long"
>           },
>           "PROTOCOL" : {
>             "type" : "long"
>           },
>           "SRC_VLAN" : {
>             "type" : "long"
>           },
>           "TCP_FLAGS" : {
>             "type" : "long"
>           },
>           "type" : {
>             "type" : "string"
>           }
>         }
>       }
>     }
>   }
> }
>
> I've contemplated cutting out the ntopng redis pop & submit to
> elasticsearch, and using logstash instead to pop off of the ntopng redis
> server and apply additional filtering. Haven't had time to play with that
> yet.
>
> Thanks,
>
> Chris
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
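The mapping Chris posted was created by Elasticsearch's dynamic mapping, so the address fields landed as plain strings, which rules out CIDR-style range queries over them (Elasticsearch has a dedicated `ip` field type for that). The following is an added example, not ntopng or ntop project code, that pulls the `flows` properties out of a `_mapping` response and flags fields that are missing or typed in a way that hampers flow analysis. The sample mapping is a constructed, abbreviated copy of the one in the thread, and the set of expected types is my own assumption about what an analyst would want.

```python
"""Sanity-check an Elasticsearch index mapping for ntopng flow records.

Added example (not ntopng/ntop project code). Input is the JSON body
returned by GET /<index>/_mapping, as shown in the mailing-list thread.
"""
import json

# Constructed sample: abbreviated copy of the mapping posted in the thread.
SAMPLE_MAPPING = json.loads("""
{ "ntopng-2014.12.02": { "mappings": { "flows": { "properties": {
  "@timestamp":    {"type": "date", "format": "dateOptionalTime"},
  "IN_BYTES":      {"type": "long"},
  "OUT_BYTES":     {"type": "long"},
  "IPV4_DST_ADDR": {"type": "string"},
  "IPV4_SRC_ADDR": {"type": "string"},
  "L4_DST_PORT":   {"type": "long"},
  "L4_SRC_PORT":   {"type": "long"},
  "PROTOCOL":      {"type": "long"},
  "TCP_FLAGS":     {"type": "long"}
}}}}}
""")

# Assumption: the field types an analyst would want. Address fields should be
# the "ip" type so range/CIDR queries work; counters and ports stay numeric.
EXPECTED_TYPES = {
    "@timestamp":    {"date"},
    "IPV4_SRC_ADDR": {"ip"},
    "IPV4_DST_ADDR": {"ip"},
    "L4_SRC_PORT":   {"long", "integer"},
    "L4_DST_PORT":   {"long", "integer"},
    "IN_BYTES":      {"long"},
    "OUT_BYTES":     {"long"},
    "PROTOCOL":      {"long", "integer"},
    "TCP_FLAGS":     {"long", "integer"},
}


def flow_properties(mapping, doc_type="flows"):
    """Merge the 'properties' of the given doc type across every index in the response."""
    props = {}
    for _index_name, body in mapping.items():
        props.update(body.get("mappings", {}).get(doc_type, {}).get("properties", {}))
    return props


def check_mapping(mapping, expected=EXPECTED_TYPES):
    """Return a list of (field, problem) tuples; an empty list means the mapping looks fine."""
    props = flow_properties(mapping)
    problems = []
    for field, ok_types in expected.items():
        if field not in props:
            problems.append((field, "missing from mapping"))
            continue
        actual = props[field].get("type")
        if actual not in ok_types:
            problems.append((field, "type %r, expected one of %s" % (actual, sorted(ok_types))))
    return problems


if __name__ == "__main__":
    for field, problem in check_mapping(SAMPLE_MAPPING):
        print("%s: %s" % (field, problem))
```

Run against the sample, the script reports only the two address fields; fixing them means defining the index mapping (or an index template) up front instead of letting the first bulk document dictate the types.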
