ContextQMD
Back to Ntopng

ElasticSearch

doc/src/flow_dump/elasticsearch/index.rst

6.62.3 KB
Original Source

.. _FlowDumpElasticsearch:

ElasticSearch

Elasticsearch is an Open-Source real-time search and analytics engine with a powerful RESTful API built on top of Apache Lucene. Ntopng can connect to an external Elasticsearch cluster as client using the Bulk insert API for JSON mapped indexing.

Elasticsearch is designed for quickly and dynamically analyzing or searching through large amounts of data and thus is ideal for flows generated by ntopng, enabling users and integrators to create a virtually infinite number and variety of statistics using Kibana.

To learn more about Elasticsearch visit: https://www.elastic.co/guide.

To dump expired flows to Elasticsearch ntopng requires the -F modifier followed by a string in the following format:

.. code:: bash

es;<idx type>;<idx name>;<es URL>;<http auth>

The string has 5 semi-colon separated fields

  • es instructs ntopng to dump flows to Elasticsearch
  • <idx type> “_type” to use in exported documents
  • <idx name> index to use for exported documents [ accepts strftime() format ]
  • <es URL> URL of Elasticsearch Bulk API [ ie: http://127.0.0.1:9200/bulk]
  • <http auth> Basic HTTP Authentication [ username:password ]

Example:

.. code:: bash

es;ntopng;ntopng-%Y.%m.%d;http://localhost:9200/_bulk;

Definitions:

Indexes are like ‘databases’ in a RDBMS terms. An index is a logical namespace which maps to one or more primary shards and can have zero or more replica shards distributed across nodes of a cluster. Index mapping defines the multiple supported types.

Mapping is required for Elasticsearch to correctly interpret all fields produced by ntopng, specifically those containing IP and Geo Location data. This is achieved by using a mapping template for ntop types, automatically inserted by the application at startup. Note this action requires full admin rights on the cluster in order to be performed successfully.

Ntopng will create Indexes and Mapping automatically on startup with no action required. Each time the index name changes, a new Index is created. By default, ntopng creates one daily index (i.e.: ntopng-2015.11.21). Index types can be used to differentiate instances.

Data Rotation:

The official Curator tool from Elastic can be used to manage and rotate Indexes created by ntopng according to the user preferences and requirements.