Connect to ClickHouse
To connect ntopng to ClickHouse use option -F. The format of this option is the following:
clickhouse;<host[@port]|socket>;<dbname>;<user>;<pw>
or
clickhouse-cluster;<host[@port]|socket>;<dbname>;<user>;<pw>;<cluster name>
Where

<host[@port]|socket>
Specifies the database host or a socket file. By default, port 9000 is used for the connection. To use a different port, specify it with @port. The host can be a symbolic name or an IP address.

<dbname>
Specifies the name of the database to be used and defaults to ntopng

<user>
Specifies a user with read and write permissions on <dbname>

<pw>
Specifies the password that authenticates <user>

<cluster name>
Specifies the name of the ClickHouse cluster <user>

If you use a stand-alone ClickHouse database you need to use -F clickhouse;.... whereas with a cluster you need to use -F clickhouse-cluster;....
Example
To connect ntopng and ClickHouse, both running on the same machine, the following line can be used:
./ntopng -F="clickhouse;127.0.0.1;ntopng;default;default"
In the example above, 127.0.0.1 is used to connect using IPv4 (using the symbolic string localhost could resolve to an IPv6 address). A user default, identified with password default, with read and write permissions on database ntopng is indicated as well. As a shortcut you can use -F clickhouse for -F="clickhouse;127.0.0.1;ntopng;default;default".
The above example with a ClickHouse cluster would be:
./ntopng -F="clickhouse-cluster;127.0.0.1;ntopng;default;default;ntop_cluster"
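A -F value in the format described above can be checked before ntopng is started with it. The following Python code is an added example, not part of ntopng or its documentation: it parses both documented forms, applies the documented defaults, and reports the default/default credentials used in the examples. The function names, the finding codes, treating a leading "/" as a socket file, and treating an empty <dbname> as the default are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

@dataclass
class ClickHouseTarget:
    mode: str
    host: Optional[str]      # None when a socket file is used
    port: Optional[int]
    socket: Optional[str]
    dbname: str
    user: str
    password: str
    cluster: Optional[str]

def parse_f_option(value: str) -> ClickHouseTarget:
    """Parse the value of -F in the format documented above."""
    fields = value.split(";")
    mode = fields[0]
    if mode not in ("clickhouse", "clickhouse-cluster"):
        raise ValueError("not a ClickHouse -F value: %r" % mode)
    if fields == ["clickhouse"]:  # documented shortcut form
        fields = ["clickhouse", "127.0.0.1", "ntopng", "default", "default"]
    want = 6 if mode == "clickhouse-cluster" else 5
    if len(fields) != want:
        raise ValueError("%s expects %d ';'-separated fields, got %d"
                         % (mode, want, len(fields)))
    endpoint, host, port, socket = fields[1], None, None, None
    if endpoint.startswith("/"):  # assumption: a leading '/' means a socket file
        socket = endpoint
    else:
        host, _, port_text = endpoint.partition("@")
        port = int(port_text) if port_text else 9000  # documented default port
        if not host or not 0 < port < 65536:
            raise ValueError("bad host[@port]: %r" % endpoint)
    return ClickHouseTarget(mode, host, port, socket,
                            fields[2] or "ntopng",  # assumption: empty means default
                            fields[3], fields[4],
                            fields[5] if want == 6 else None)

def audit(target: ClickHouseTarget) -> List[str]:
    """Return finding codes for credentials that should not reach production."""
    findings = []
    if target.password == "":
        findings.append("empty-password")
    if (target.user, target.password) == ("default", "default"):
        findings.append("default-credentials")
    if findings and target.host is not None and target.host not in LOOPBACK:
        findings.append("weak-credentials-on-remote-host")
    return findings
```

An empty list from audit() means none of these checks fired; it does not assess password strength beyond the empty and default cases.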
Stored Information
ntopng stores both historical flows and alerts in ClickHouse.
IPv4 and IPv6 flows are stored in table flows. A column INTERFACE_ID is used to identify the interface on which the flow was seen; this is useful when ntopng is monitoring multiple interfaces (see -i).
Alerts are stored in several tables, all ending with suffix _alerts. The table prefix indicates the alert family, e.g. the host_alerts table contains alerts for hosts, the flow_alerts table contains alerts for flows, and so on.