Export and Archive ClickHouse Flows in ntopng for Regulatory Compliance

Most ntopng users make extensive use of ClickHouse support for storing historical flow data and running analysis on it. ClickHouse is highly optimized and offers a high compression rate (estimated at an average of 60 bytes per flow), allowing for long data retention even with limited storage.

However, to comply with regulations such as GDPR, SOX, HIPAA, and PCI DSS, it is often necessary to retain data for extended periods. This is manageable when flow rates are low to moderate, but can require significant disk space when flow rates are high.

To support long-term data retention on limited storage, we have introduced the ability to export flow data from the database. This feature allows administrators to back up data to external long-term storage systems before it is deleted due to TTL (time to live), ensuring regulatory compliance while freeing up local disk space.

• Regulatory Compliance: Meet data retention requirements for GDPR, SOX, HIPAA, PCI DSS, and other regulations.
• Storage Optimization: Export data before TTL deletion to free up space.
• Audit Trail: Maintain historical network flow records for forensic analysis.
• Data Recovery: Re-import archived flows for compliance investigations.

Configuration

Enabling this feature is as simple as enabling the preference from the UI. From the Left navbar in ntopng: Settings → Preferences (Expert View) → Clickhouse, and toggle the option as shown in the picture below. With this configured, at each midnight ntopng will export flow records deleted due to TTL.

By default, flows are exported to /var/lib/ntopng, one file per each day is created before deleting data from the clickhouse database due to TTL. It is possible to configure a custom export path from the configuration file or from command line by setting the –db-archive-dir <path> parameter.