mirror of
https://github.com/ntop/ntopng.git
synced 2026-04-28 23:19:33 +00:00
4543ab092c
* Logstash code cleanup * removed unnecesary trace warnings from LS code * sync * Logstash readme updated + code cleanup * changed back to default bulk mechanism * Logstash extension code improvements * PR #1143 revision * logstash event timestamp addition to json * avoid control char 0 * Testing json output without memset * null byte * change init for vars * changed length of data sent on socket * fix logstash timestamp field conflict * revert debug trace * fix for undefined val in case of LS export * fix code logic * revert+cleanup * save original timestamp for flow * Use ntopng provided timestamp for timeline (Logstash) * Clear redundant timestamp value
64 lines
1.3 KiB
Text
64 lines
1.3 KiB
Text
Introduction
|
|
------------
|
|
|
|
Logstash is a data collection engine that implements a data processing pipeline for ElasticSearch.
|
|
|
|
How To Enable It
|
|
----------------
|
|
In order to enable this feature you need to start ntopng with the -F.
|
|
|
|
Example:
|
|
$ ntopng -F "logstash;localhost;tcp;5510"
|
|
|
|
Syntax:
|
|
logstash;<host>;<protocol>;<port_number>
|
|
|
|
Using It
|
|
--------
|
|
Enabling this option will cause ntopng dump flow information in Logstash so that
|
|
the data can be enriched before it gets indexed in ElasticSearch.
|
|
|
|
Once started, ntopng will push to LS flows that are expired or periodically send
|
|
(every 5 mins) partial flows for long lasting flows.
|
|
|
|
Logstash configuration example :
|
|
|
|
input {
|
|
tcp {
|
|
host => "localhost"
|
|
port => 5510
|
|
codec => json
|
|
type => "ntopng-ls"
|
|
}
|
|
}
|
|
|
|
filter {
|
|
if [type] == "ntopng-ls" {
|
|
date {
|
|
match => ["ntop_timestamp" , "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
|
|
target => "@timestamp"
|
|
}
|
|
# Clear redundant field value
|
|
mutate {
|
|
remove_field => ["ntop_timestamp"]
|
|
}
|
|
if "" not in [IPV4_SRC_ADDR] and "" not in [IPV6_SRC_ADDR] {
|
|
drop {}
|
|
}
|
|
...
|
|
}
|
|
}
|
|
|
|
output {
|
|
if [type] == "ntopng-ls" {
|
|
...
|
|
}
|
|
}
|
|
|
|
|
|
Future Work
|
|
-----------
|
|
In the future we plan:
|
|
|
|
- Extend the input plugin list that can be used in communication between ntopng
|
|
and logstash
|