Howard-Chang · January 25, 2018 04:40
diff --git a/ntopng+nprobe指令 b/ntopng+nprobe指令
 ntopng /c -i "tcp://127.0.0.1:5556" --prefs-dir "C:\Program Files\ntopng\runtimetemp" -F "mysql;localhost;ntopng;flows;root;"
 nprobe /c -n 127.0.0.1:5556 --zmq tcp://127.0.0.1:2055 
 ntopng /c -F "es;ntopng;ntopng-%Y.%m.%d;http://192.168.0.159:9200/_bulk;"   //ELK 原本是localhost

 ES版本:
 /*
 ntopng /c -i "tcp://127.0.0.1:2055" --local-networks "192.168.0.0/16" -F "es;ntopng;ntopng-%Y.%m.%d;http://192.168.0.159:9200/_bulk";
 nprobe /c --collector-port 5556 --zmq tcp://127.0.0.1:2055
 */
 Mysql版本:
 nprobe /c --zmq "tcp://*:2055" -i none -n none --collector-port 5556
 ntopng /c -i tcp://127.0.0.1:2055 -F "mysql;localhost;ntopng;flows;root;"

 logstash版本:
 ntopng /c -F "logstash;192.168.0.159;tcp;5510"
 nprobe /c --zmq "tcp://*:2055" -i none -n none --collector-port 5556

 logstash版本(有丟netflow):
 ntopng /c -i tcp://127.0.0.1:2055 -F "logstash;192.168.0.159;tcp;5510" --local-networks "192.168.0.0/16"
 nprobe /c --zmq "tcp://*:2055" -i none -n none --collector-port 5556


 flow.conf:
 input{
 	tcp{
 		host => "120.127.160.91"
 		port => 5510
 		codec => json
 		type =>"ntopng-*"
 		
 	}
 }
 	filter{
 		if[type]=="ntopng-*"
 		{
 			if "" not in [IPV4_SRC_ADDR] and "" not in [IPV6_SRC_ADDR]
 			{
 				drop{}
 			}
 		}
 	}
 output{
 elasticsearch {
                hosts => ["120.127.160.91:9200"]
        }
 	if[type]=="ntopng-*"
 	{
 		stdout{codec=> rubydebug}
 	}
 }






 PUT /_template/logstash
 {
 "template": "logstash-*", 
 "order": 1, 
 "settings": {
 "index": {
 "refresh_interval": "5s"
 }
 },
 "mappings": {
 "default": { 
 "_all": {
 "norms": false,
 "enabled": true
 },
 "properties": {
 "IPV4_SRC_ADDR": { "type": "ip"},
 "IPV4_DST_ADDR": { "type": "ip"}
 }
 }
 }
 }

 PUT _template/logstash
 {
  "index_patterns": "logstash-*",
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "type1": {
      "_source": {
        "enabled": false
      },
      "properties": {
        "IPV4_DST_ADDR": {
          "type": "ip"
        },"IPV4_SRC_ADDR": {
          "type": "ip"
        }
      }
    }
  }
 }
	ntopng /c -i "tcp://127.0.0.1:5556" --prefs-dir "C:\Program Files\ntopng\runtimetemp" -F "mysql;localhost;ntopng;flows;root;"
	nprobe /c -n 127.0.0.1:5556 --zmq tcp://127.0.0.1:2055
	ntopng /c -F "es;ntopng;ntopng-%Y.%m.%d;http://192.168.0.159:9200/_bulk;" //ELK 原本是localhost

	ES版本:
	/*
	ntopng /c -i "tcp://127.0.0.1:2055" --local-networks "192.168.0.0/16" -F "es;ntopng;ntopng-%Y.%m.%d;http://192.168.0.159:9200/_bulk";
	nprobe /c --collector-port 5556 --zmq tcp://127.0.0.1:2055
	*/
	Mysql版本:
	nprobe /c --zmq "tcp://*:2055" -i none -n none --collector-port 5556
	ntopng /c -i tcp://127.0.0.1:2055 -F "mysql;localhost;ntopng;flows;root;"

	logstash版本:
	ntopng /c -F "logstash;192.168.0.159;tcp;5510"
	nprobe /c --zmq "tcp://*:2055" -i none -n none --collector-port 5556

	logstash版本(有丟netflow):
	ntopng /c -i tcp://127.0.0.1:2055 -F "logstash;192.168.0.159;tcp;5510" --local-networks "192.168.0.0/16"
	nprobe /c --zmq "tcp://*:2055" -i none -n none --collector-port 5556


	flow.conf:
	input{
	tcp{
	host => "120.127.160.91"
	port => 5510
	codec => json
	type =>"ntopng-*"

	}
	}
	filter{
	if[type]=="ntopng-*"
	{
	if "" not in [IPV4_SRC_ADDR] and "" not in [IPV6_SRC_ADDR]
	{
	drop{}
	}
	}
	}
	output{
	elasticsearch {
	hosts => ["120.127.160.91:9200"]
	}
	if[type]=="ntopng-*"
	{
	stdout{codec=> rubydebug}
	}
	}






	PUT /_template/logstash
	{
	"template": "logstash-*",
	"order": 1,
	"settings": {
	"index": {
	"refresh_interval": "5s"
	}
	},
	"mappings": {
	"default": {
	"_all": {
	"norms": false,
	"enabled": true
	},
	"properties": {
	"IPV4_SRC_ADDR": { "type": "ip"},
	"IPV4_DST_ADDR": { "type": "ip"}
	}
	}
	}
	}

	PUT _template/logstash
	{
	"index_patterns": "logstash-*",
	"settings": {
	"number_of_shards": 1
	},
	"mappings": {
	"type1": {
	"_source": {
	"enabled": false
	},
	"properties": {
	"IPV4_DST_ADDR": {
	"type": "ip"
	},"IPV4_SRC_ADDR": {
	"type": "ip"
	}
	}
	}
	}
	}