nProbe + Elasticsearch & Kibana

This document provides useful information and examples for using nProbe metrics with Elasticsearch and Kibana.

Requirements:

  • nProbe Pro + Export Plugin for Elasticsearch Bulk
  • nProbe Plugin(s) matching the desired Dashboard (i.e. DNS, HTTP, etc.)
  • Elasticsearch 2.x (cluster or single server)
  • Kibana 4.2+ (cluster or single server)

Setup


Import Demo Dashboards

A script is provided to automatically load all nProbe demo dashboards and settings:

# ./load.sh -url http://localhost:9200 

Once imported, Kibana objects should become available:

Index Template

Before shipping nProbe metrics to Kibana, an index template is required so that Elasticsearch knows how each field should be analyzed. The provided template file can be adjusted and loaded with the following command:

curl -XPUT localhost:9200/_template/nprobe_template --data @template/nprobe-es-template.json
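As an added example (not the template/nprobe-es-template.json shipped with this repository), the following Python script builds an Elasticsearch 2.x index template body from an nProbe -T field list; the type assignments per field and the nprobe-* index pattern are assumptions.

```python
import json

# The -T field list from the DNS example on this page (copied verbatim).
DNS_FIELDS_T = (
    "%IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %PROTOCOL "
    "%IN_BYTES %OUT_BYTES %FIRST_SWITCHED %LAST_SWITCHED %IN_PKTS %OUT_PKTS "
    "%IP_PROTOCOL_VERSION %APPLICATION_ID %L7_PROTO_NAME %ICMP_TYPE "
    "%SRC_IP_COUNTRY %DST_IP_COUNTRY %APPL_LATENCY_MS %DNS_QUERY %DNS_QUERY_ID "
    "%DNS_QUERY_TYPE %DNS_RET_CODE %DNS_NUM_ANSWERS %DNS_TTL_ANSWER %DNS_RESPONSE"
)

# Assumed type classes (our choice for this example, not dictated by nProbe).
IP_FIELDS = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR"}
LONG_FIELDS = {
    "L4_SRC_PORT", "L4_DST_PORT", "PROTOCOL", "IN_BYTES", "OUT_BYTES",
    "FIRST_SWITCHED", "LAST_SWITCHED", "IN_PKTS", "OUT_PKTS",
    "IP_PROTOCOL_VERSION", "APPLICATION_ID", "ICMP_TYPE", "APPL_LATENCY_MS",
    "DNS_QUERY_ID", "DNS_QUERY_TYPE", "DNS_RET_CODE", "DNS_NUM_ANSWERS",
    "DNS_TTL_ANSWER", "HTTP_RET_CODE",
}

def parse_t_option(t_value):
    """Turn an nProbe -T value into the list of field names (without '%')."""
    return [tok[1:] for tok in t_value.split() if tok.startswith("%")]

def field_mapping(name):
    """Elasticsearch 2.x mapping for a single nProbe field."""
    if name in IP_FIELDS:
        return {"type": "ip"}           # allows range queries on addresses
    if name in LONG_FIELDS:
        return {"type": "long"}         # sums/averages in Kibana metrics
    # Everything else (DNS_QUERY, HTTP_UA, L7_PROTO_NAME, ...) must stay a
    # single term: an analyzed string would split "www.example.com" into
    # tokens and break the terms aggregations used by the dashboards.
    return {"type": "string", "index": "not_analyzed"}

def build_template(t_value, index_pattern="nprobe-*"):
    """Build the body for `curl -XPUT .../_template/<name>` from a -T value."""
    props = {name: field_mapping(name) for name in parse_t_option(t_value)}
    return {
        "template": index_pattern,
        "mappings": {"_default_": {"properties": props}},
    }

if __name__ == "__main__":
    print(json.dumps(build_template(DNS_FIELDS_T), indent=2))
```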

Index Pattern

Once the metrics are indexed in ES, a matching Kibana index pattern should be created as follows:

Path: Settings > Indices

Scripted Fields

Users can optionally create scripted fields "on the fly" in Kibana when needed. The following example generates new flow fields holding the sum of IN/OUT bytes and packets:




Dashboard Examples

The provided Dashboards are a work-in-progress and community contributions are extremely welcome!


DNS

Start nProbe exporting %DNS_* fields:

nprobe --elastic "dns;nprobe-%Y.%m.%d;http://localhost:9200/_bulk;" -T "%IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %PROTOCOL %IN_BYTES %OUT_BYTES %FIRST_SWITCHED %LAST_SWITCHED %IN_PKTS %OUT_PKTS %IP_PROTOCOL_VERSION %APPLICATION_ID %L7_PROTO_NAME %ICMP_TYPE %SRC_IP_COUNTRY %DST_IP_COUNTRY %APPL_LATENCY_MS %DNS_QUERY %DNS_QUERY_ID %DNS_QUERY_TYPE %DNS_RET_CODE %DNS_NUM_ANSWERS %DNS_TTL_ANSWER %DNS_RESPONSE" ....

HTTP

Start nProbe exporting %HTTP_* fields:

nprobe --elastic "http;nprobe-%Y.%m.%d;http://localhost:9200/_bulk;" -T "%IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %PROTOCOL %IN_BYTES %OUT_BYTES %FIRST_SWITCHED %LAST_SWITCHED %IN_PKTS %OUT_PKTS %IP_PROTOCOL_VERSION %APPLICATION_ID %L7_PROTO_NAME %ICMP_TYPE %SRC_IP_COUNTRY %DST_IP_COUNTRY %APPL_LATENCY_MS %HTTP_URL %HTTP_METHOD %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME %HTTP_HOST %HTTP_SITE" ....