Introduction
------------
Logstash is a data collection engine that implements a data processing pipeline for Elasticsearch.
How To Enable It
----------------
To enable this feature, start ntopng with the -F option.
Example:
$ ntopng -F "logstash;localhost;tcp;5510"
Syntax:
logstash;<host>;<protocol>;<port_number>
ntopng will NOT create the Elasticsearch mappings automatically: an index template must be created beforehand, otherwise the fields below get whatever mapping Elasticsearch guesses on first insert.
Example:
$ curl -XPUT localhost:9200/_template/ntopng -d '
{
"template" : "ntopng*",
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"_default_" : {
"_all" : {"enabled" : true, "omit_norms" : true},
"dynamic_templates" : [ {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "analyzed", "omit_norms" : true,
"fields" : {
"raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
}
}
}
}, {
"geo_fields" : {
"match" : "*_IP_LOCATION",
"mapping": {
"type": "geo_point"
}
}
}, {
"ip_fields" : {
"match" : "IPV4_*",
"match_mapping_type" : "string",
"mapping": {
"type": "ip"
}
}
} ],
"properties" : {
"@version": { "type": "string", "index": "not_analyzed" }
}
}
}
}'
Using It
--------
Enabling this option causes ntopng to dump flow information to Logstash so that
the data can be enriched before it is indexed in Elasticsearch. The examples below use a plain TCP transport with no encryption or authentication configured, so the Logstash listener should only be reachable from trusted hosts.
Once started, ntopng pushes to Logstash flows that have expired, and periodically sends
(every 5 minutes) partial flows for long-lasting flows.
Logstash configuration example:
input {
tcp {
host => "localhost"
port => 5510
codec => json
type => "ntopng-ls"
}
}
filter {
if [type] == "ntopng-ls" {
if "" not in [IPV4_SRC_ADDR] and "" not in [IPV6_SRC_ADDR] {
drop {}
}
...
}
}
output {
if [type] == "ntopng-ls" {
...
}
}
Future Work
-----------
In the future we plan to:
- extend the list of input plugins that can be used for communication between ntopng
and Logstash