Using ElasticSearch to Store and Correlate Ntopng Alarms


With the introduction of ntopng endpoints and recipients, alerts can now be handled in a flexible fashion by means of recipients. ntopng embeds a SQLite database for turn-key alert storage and reporting. However, in large organizations that generate many alerts, the scalability of this solution is limited by the limited number of records (16k) it can hold. In the latest ntopng 4.1.x versions it is now possible to export alerts to an external ElasticSearch database (this feature is not available in the community edition). This post shows you how to use this integration in ntopng 4.1.x and, soon, 4.2.


As shown in the video, the first element to create is an endpoint for ElasticSearch that points to the instance running in your datacenter, or on the same host where ntopng is running. Since exported alerts carry internal host and flow details, make sure that instance is not reachable without authentication.

At this point you need to define a recipient for this endpoint.

In order to instruct ntopng to send notifications to this recipient, you need to configure the pools that use this recipient.

This is done by clicking on the icon highlighted by the arrow in the above picture, which will bring you to the pools page.

For each entity (Hosts, Flows, SNMP…) for which you want to deliver alerts, click on edit and select from the dropdown menu the list of recipients to which notifications will be delivered. Note that there is always a built-in SQLite recipient, enabled and used by ntopng to display alerts in the web GUI.

If you want to check that notification delivery is working, verify (see the picture below) that the number of uses of the recipient increases as alerts are generated.


At this point alerts are stored in Elastic and can be visualised and explored using Kibana. To do that you first need to create an index pattern (menu “Stack Management” -> “Index Patterns”), selecting @timestamp as the time field, as shown in the picture below.

Once this is done you can visualize alerts and build dashboards on top of them.
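Dashboards are useful, but the point of storing alerts in a real search engine is being able to correlate them. The script below is an added example, not code from this post or from the ntopng project. It does two things: it builds the Elasticsearch Query DSL body you would send to the index to bucket recent alerts per host and alert type, and it runs the same correlation offline over a handful of constructed alert documents, flagging hosts that raise several distinct alert types within a short window. The field names (`@timestamp`, `entity_val`, `alert_type`, `severity`) and the alert type strings are assumptions made for illustration; inspect a real document in Kibana Discover and adjust them before pointing this at your index.

```python
"""Correlate ntopng alerts exported to Elasticsearch (added example).

Not code from the ntop post or the ntopng project. Field names and alert
type strings are ASSUMED for illustration; verify them against the
documents ntopng actually writes to your index.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample documents, shaped like the per-alert records we assume
# ntopng writes (timestamps in UTC, one document per alert).
SAMPLE_ALERTS = [
    {"@timestamp": "2020-11-02T10:00:05Z", "entity_val": "192.168.1.10",
     "alert_type": "flow_flood_attacker", "severity": "error"},
    {"@timestamp": "2020-11-02T10:03:40Z", "entity_val": "192.168.1.10",
     "alert_type": "scan_detected", "severity": "warning"},
    {"@timestamp": "2020-11-02T10:04:10Z", "entity_val": "192.168.1.10",
     "alert_type": "flow_flood_attacker", "severity": "error"},
    {"@timestamp": "2020-11-02T10:01:00Z", "entity_val": "192.168.1.20",
     "alert_type": "flow_flood_attacker", "severity": "error"},
    {"@timestamp": "2020-11-02T10:05:00Z", "entity_val": "192.168.1.20",
     "alert_type": "flow_flood_attacker", "severity": "error"},
    {"@timestamp": "2020-11-02T10:00:00Z", "entity_val": "192.168.1.30",
     "alert_type": "scan_detected", "severity": "warning"},
    {"@timestamp": "2020-11-02T10:30:00Z", "entity_val": "192.168.1.30",
     "alert_type": "flow_flood_attacker", "severity": "error"},
]


def build_es_query(window_minutes, host_field="entity_val.keyword",
                   type_field="alert_type.keyword"):
    """Return the Query DSL body for POST /<index>/_search.

    It selects alerts from the last `window_minutes` and nests a terms
    aggregation per host and per alert type. With Elasticsearch dynamic
    mapping, string fields are indexed as text plus a `.keyword` subfield;
    terms aggregations must use the `.keyword` variant (assumed mapping).
    """
    return {
        "size": 0,  # we only want the buckets, not the raw hits
        "query": {"range": {"@timestamp": {"gte": f"now-{window_minutes}m"}}},
        "aggs": {
            "by_host": {
                "terms": {"field": host_field, "size": 50},
                "aggs": {"by_type": {"terms": {"field": type_field, "size": 20}}},
            }
        },
    }


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(alerts, window_minutes=10, min_types=2):
    """Flag hosts raising >= min_types distinct alert types within a window.

    A single alert type repeating (e.g. one flood alert after another) is
    noise; several different types against the same host in a few minutes
    is worth a look. Returns {host: sorted list of alert types}.
    """
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["entity_val"]].append(
            (parse_ts(alert["@timestamp"]), alert["alert_type"]))

    flagged = {}
    for host, events in by_host.items():
        events.sort()  # chronological, so each window can start at an event
        for i, (start, _) in enumerate(events):
            in_window = {kind for ts, kind in events[i:]
                         if (ts - start).total_seconds() <= window_minutes * 60}
            if len(in_window) >= min_types:
                flagged[host] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    import json
    print(json.dumps(build_es_query(15), indent=2))
    print(correlate(SAMPLE_ALERTS))
```

Run against the sample data, only 192.168.1.10 is flagged with a 10-minute window: 192.168.1.20 repeats a single alert type, and 192.168.1.30 spreads its two types 30 minutes apart. Widening the window to an hour picks up 192.168.1.30 as well, which is the knob you would tune against your own alert volume.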

Enjoy !