Connect to ClickHouse

To connect ntopng to ClickHouse, use the -F option. The format of this option is the following:



clickhouse-cluster;<host[@port]|socket>;<dbname>;<user>;<pw>;<cluster name>


  • <host[@port]|socket> Specifies the database host or a socket file. By default, port 9000 is used for the connection. To use a different port, specify it with @port. The host can be a symbolic name or an IP address.
  • <dbname> Specifies the name of the database to be used and defaults to ntopng.
  • <user> Specifies a user with read and write permissions on <dbname>
  • <pw> Specifies the password that authenticates <user>
  • <cluster name> Specifies the name of the ClickHouse cluster <user>

If you use a stand-alone ClickHouse database, you need to use -F clickhouse;...., whereas with a cluster you need to use -F clickhouse-cluster;....


To connect ntopng and ClickHouse, both running on the same machine, the following line can be used:

./ntopng -F="clickhouse;;ntopng;default;default"

In the example above, is used to connect using IPv4 (the symbolic string localhost could resolve to an IPv6 address). A user default, identified by password default, with read and write permissions on database ntopng, is specified as well. As a shortcut, you can use -F clickhouse for -F="clickhouse;;ntopng;default;default".

The above example with a ClickHouse cluster would be:

./ntopng -F="clickhouse-cluster;;ntopng;default;default;ntop_cluster"
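
The -F format described above can be checked before ntopng is started. The following is an added example, not ntopng code: it splits a -F value into the documented fields, applies the documented defaults (port 9000, database ntopng) and flags the default/default credentials and a missing cluster name. The function name, the warning texts, the treatment of a value starting with "/" as a socket file and the third sample value are assumptions made for the example.

```python
DEFAULT_PORT = 9000    # from the page: port 9000 is used by default
DEFAULT_DB = "ntopng"  # from the page: <dbname> defaults to ntopng
FIELDS = ("endpoint", "dbname", "user", "pw", "cluster")


def parse_clickhouse_option(value):
    """Split a -F value into its documented fields; return (config, warnings)."""
    mode, *rest = value.split(";")
    if mode not in ("clickhouse", "clickhouse-cluster"):
        raise ValueError(f"not a ClickHouse -F value: {mode!r}")
    limit = 5 if mode == "clickhouse-cluster" else 4
    if len(rest) > limit:
        raise ValueError(f"{mode} takes at most {limit} fields, got {len(rest)}")
    cfg = dict(zip(FIELDS, rest + [""] * (len(FIELDS) - len(rest))))
    cfg["mode"] = mode
    cfg["dbname"] = cfg["dbname"] or DEFAULT_DB
    if value == "clickhouse":  # documented shortcut: user default, password default
        cfg["user"] = cfg["pw"] = "default"

    endpoint = cfg.pop("endpoint")
    cfg["socket"] = cfg["host"] = cfg["port"] = None
    if endpoint.startswith("/"):  # assumption: a socket file is an absolute path
        cfg["socket"] = endpoint
    else:
        host, _, port = endpoint.partition("@")
        if port and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"invalid port: {port!r}")
        cfg["host"], cfg["port"] = host, int(port) if port else DEFAULT_PORT

    warnings = []
    if (cfg["user"], cfg["pw"]) == ("default", "default"):
        warnings.append("default/default credentials in use")
    if mode == "clickhouse-cluster" and not cfg["cluster"]:
        warnings.append("cluster mode without a <cluster name>")
    return cfg, warnings


if __name__ == "__main__":
    samples = [  # the page's two examples, then one constructed value
        "clickhouse;;ntopng;default;default",
        "clickhouse-cluster;;ntopng;default;default;ntop_cluster",
        "clickhouse-cluster;ch1.example.internal@9440;;ntop_rw;constructed-pw",
    ]
    for s in samples:
        print(parse_clickhouse_option(s))
```
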

Stored Information

ntopng stores both historical flows and alerts in ClickHouse.

IPv4 and IPv6 flows are stored in table flows. A column INTERFACE_ID is used to identify the interface on which the flow was seen. This is useful when ntopng is monitoring multiple interfaces (see -i).

Alerts are stored in several tables, all ending with the suffix _alerts. The table prefix indicates the alert family, e.g. the host_alerts table contains alerts for hosts, the flow_alerts table contains alerts for flows, and so on.