Look like ntopng is not sending the data to the ES server even with the right parameters! When running with the -F options, can you still connect to ntopng interface? Did you have more than one ES server running on the same subnet (192.168.1.x)?

Gerhard,

On Jul 31, 2015, at 10:14 AM, Maurizio Molina <[email protected]> wrote:

Hi Gerhard,

thanks for the tip... obviously it couldn't work like this as the ES is in my host machine (a MAC) while ntopng is running in a Ubuntu Guest inside a Virtualbox VM. Now I changed the configuration. The target ES is 192.168.1.11:

maurizio@ubuntuMauriPC:~$ cat /etc/ntopng/ntopng.conf
-G=/var/tmp/ntopng.pid
-i=eth0
ntopng -F “es;flows;ntopng-%Y.%m.%d;http://192.168.1.11:9200/_bulk;”

Still, I don't see anything going from ntopng to the target ES (which is 192.168.1.11). The ntopng is 192.168.1.13:

new-host-2:~ mauriziomolina$ sudo tcpdump -i en1 -n src host 192.168.1.13 and dst host 192.168.1.11
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
1740 packets received by filter
0 packets dropped by kernel

and this is the same tcpdump while issuing, from the ntopng host, a test connection on port 9200:

maurizio@ubuntuMauriPC:~$ telnet 192.168.1.11 9200
Trying 192.168.1.11...
^C

as you see, the connection opening attempt packets are correctly received on the ES target.

new-host-2:~ mauriziomolina$ sudo tcpdump -i en1 -n src host 192.168.1.13 and dst host 192.168.1.11
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:02:47.049771 IP 192.168.1.13.57671 > 192.168.1.11.9200: Flags [S], seq 2612417961, win 29200, options [mss 1460,sackOK,TS val 509452 ecr 0,nop,wscale 7], length 0
16:02:48.048740 IP 192.168.1.13.57671 > 192.168.1.11.9200: Flags [S], seq 2612417961, win 29200, options [mss 1460,sackOK,TS val 509702 ecr 0,nop,wscale 7], length 0
16:02:50.052887 IP 192.168.1.13.57671 > 192.168.1.11.9200: Flags [S], seq 2612417961, win 29200, options [mss 1460,sackOK,TS val 510203 ecr 0,nop,wscale 7], length 0
^C
3 packets captured
1588 packets received by filter
0 packets dropped by kernel

Am I still missing some configuration on the ntopng side?

regards,
Maurizio

On 31/07/15 14:46, Gerhard Mourani wrote:

Hello,

Change ‘localhost' for the IP address of your ES, restart ntopng and check again.

Gerhard,

On Jul 31, 2015, at 8:42 AM, Maurizio Molina <[email protected]> wrote:

Hi Steve,

my ntopng.conf is as follows:

maurizio@ubuntuMauriPC:~$ more /etc/ntopng/ntopng.conf
-G=/var/tmp/ntopng.pid
-i=eth0
ntopng -F “es;flows;ntopng-%Y.%m.%d;http://localhost:9200/_bulk;”

Any suggestion on how to debug this?

rgds,
Maurizio

--
Maurizio Molina
CTO - Talaia Solutions S.R.L.
+33.688431840
email: [email protected]
skype: mauriziomolina
www.talaiasolutions.com

On 31/07/15 14:12, Steve Clark wrote:

Hmmm...looks like maybe ntopng is not configured correctly to send to ES. You should see an index like

yellow open ntopng2-2015.06.18 5 1 4546602 0 997.5mb 997.5mb

On 07/31/2015 07:17 AM, Maurizio Molina wrote:

Hi,

I'd like to start using es/kibana to visualize ntopng results. I've seen the instructions on:

http://www.ntop.org/ntopng/exploring-your-traffic-using-ntopng-with-elasticsearchkibana/

to configure the ntopng es export and implemented them. But (as I'm a newbie in es/kibana) I'd like to know the basic steps (on the kibana/es side) to connect and view to the defined index ntopng-%Y.%m.%d

I installed both es and kibana (and marvel too!) and they appear to be up'n'running. The following command shows the available indexes, but obviously I need to do something to view also the ntopng... one. What?

new-host-2:~ mauriziomolina$ curl 'localhost:9200/_cat/indices?v'
health status index               pri rep docs.count docs.deleted store.size pri.store.size
yellow open   .marvel-2015.06.24    1   1       1280            0      2.4mb          2.4mb
yellow open   accounts              5   1       1000            0    417.3kb        417.3kb
yellow open   .marvel-2015.07.28    1   1      23638            0     30.1mb         30.1mb
yellow open   logstash-2015.05.18   5   1       4631            0     16.8mb         16.8mb
yellow open   .kibana               5   1          4            0     15.6kb         15.6kb
yellow open   .marvel-2015.07.31    1   1       3785            0      7.8mb          7.8mb
yellow open   logstash-2015.05.20   5   1       4750            0     17.3mb         17.3mb
yellow open   logstash-2015.05.19   5   1       4624            0     16.1mb         16.1mb
yellow open   shakespeare           5   1     111396            0     17.9mb         17.9mb
yellow open   .marvel-kibana        1   1          1            0      6.4kb          6.4kb
new-host-2:~ mauriziomolina$

Thanks,
Maurizio

--
Stephen Clark
NetWolves Managed Services, LLC.
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: [email protected]
http://www.netwolves.com

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
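The thread turns on three things a practitioner checks before blaming the network: whether the "es;...;" spec ntopng receives has the expected fields and an http(s) bulk URL that does not point at localhost when ES lives on another host, what index name the strftime pattern ntopng-%Y.%m.%d expands to for a given day, and whether that name shows up in the _cat/indices listing. The following script, an added example and not ntopng's code or anything posted in the thread, performs those checks offline on constructed input. Assumptions it makes: the spec is the ';'-separated es;<type>;<index pattern>;<bulk URL>; form quoted above, the index pattern is a plain strftime pattern, and the _cat/indices text is the whitespace-aligned table curl prints. It also flags typographic quote characters (“ ”) in the spec, because the config lines quoted in the thread contain them and a parser would see them as part of the string; whether that is the actual cause of the missing export is not established by the thread.

```python
"""Offline checks for an ntopng "-F es;..." export spec and an ES _cat/indices listing.

Added example; not part of the mailing-list thread and not ntopng's own code.
Assumptions (see lead-in): spec format es;<type>;<index pattern>;<bulk URL>;,
strftime-style index pattern, and the text table printed by
curl 'localhost:9200/_cat/indices?v'.
"""
from datetime import date
from urllib.parse import urlparse

# Curly quotes that survive a copy from a web page or word processor.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_es_spec(spec: str) -> dict:
    """Split the spec into its fields and collect anything that would stop export."""
    problems = []
    bad = sorted({c for c in spec if c in TYPOGRAPHIC_QUOTES})
    if bad:
        # A shell treats only ASCII quotes as quoting; these reach the program.
        problems.append("typographic quote characters in spec: " + " ".join(bad))
    cleaned = spec.strip().strip(TYPOGRAPHIC_QUOTES + "\"'")
    fields = cleaned.split(";")  # trailing ';' yields an empty last field
    if len(fields) < 4 or fields[0] != "es":
        problems.append(f"expected es;<type>;<index>;<url>; but got {cleaned!r}")
        return {"ok": False, "problems": problems}
    exporter, doc_type, index_pattern, bulk_url = fields[:4]
    url = urlparse(bulk_url)
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append(f"bulk URL is not an http(s) URL: {bulk_url!r}")
    else:
        if url.hostname in ("localhost", "127.0.0.1"):
            # Only valid when ES runs on the same host as ntopng (not the VM case above).
            problems.append("bulk URL points at localhost; ES on another host needs its IP")
        if not url.path.endswith("/_bulk"):
            problems.append(f"bulk URL should end in /_bulk: {bulk_url!r}")
    return {
        "ok": not problems,
        "problems": problems,
        "exporter": exporter,
        "doc_type": doc_type,
        "index_pattern": index_pattern,
        "bulk_url": bulk_url,
    }


def expected_index_name(index_pattern: str, day: date) -> str:
    """Expand the strftime-style pattern for one day (assumed to match ntopng's naming)."""
    return day.strftime(index_pattern)


def parse_cat_indices(text: str) -> list:
    """Turn the _cat/indices?v text table into one dict per index, keyed by the header."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) == len(header):
            rows.append(dict(zip(header, cols)))
    return rows


def index_present(cat_text: str, name: str) -> bool:
    """True if an index with exactly this name appears in the listing."""
    return any(row["index"] == name for row in parse_cat_indices(cat_text))


# Constructed sample input: the spec string as quoted in the thread, including its
# curly quotes, and a trimmed copy of the _cat/indices output from the first post.
SPEC_FROM_THREAD = "\u201ces;flows;ntopng-%Y.%m.%d;http://192.168.1.11:9200/_bulk;\u201d"
CAT_INDICES_SAMPLE = """\
health status index               pri rep docs.count docs.deleted store.size pri.store.size
yellow open   .marvel-2015.06.24    1   1       1280            0      2.4mb          2.4mb
yellow open   logstash-2015.05.18   5   1       4631            0     16.8mb         16.8mb
yellow open   .kibana               5   1          4            0     15.6kb         15.6kb
"""

if __name__ == "__main__":
    result = parse_es_spec(SPEC_FROM_THREAD)
    for p in result["problems"]:
        print("spec problem:", p)
    name = expected_index_name(result["index_pattern"], date(2015, 7, 31))
    print(name, "present:", index_present(CAT_INDICES_SAMPLE, name))
```

Run against the thread's own strings the checker reports the curly quotes in the spec, and the localhost variant from the earlier config additionally reports the host mismatch Gerhard pointed out; the index lookup returns False for ntopng-2015.07.31 against the listing from the first post, which is the state the thread describes.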
