
Unable to send the template to ELK

Open cllasyx opened this issue 7 months ago • 0 comments

Description

nProbe is unable to send the JSON index template to Elasticsearch.

Cause

nProbe tries to send the index template to the REST API address at https://elasticsearch.mydomain.com:9200/_template but index templates are located at https://elasticsearch.mydomain.com:9200/_index_template.

Log output (flow statistics omitted)

root@nprobe:~# nprobe -b 1 --simulate-collection --flow-deduplication 5 -3 2055 -n none --event-log /var/log/nprobe/eventlog.log -T "%IN_BYTES %IN_PKTS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %IPV4_SRC_ADDR %SRC_MASK %INPUT_SNMP %L4_DST_PORT %IPV4_DST_ADDR %DST_MASK %OUTPUT_SNMP %IPV4_NEXT_HOP %SRC_AS %DST_AS %ICMP_TYPE %SAMPLING_INTERVAL %SAMPLING_ALGORITHM %FLOW_ACTIVE_TIMEOUT %FLOW_INACTIVE_TIMEOUT %MIN_TTL %MAX_TTL %DST_TOS %SRC_VLAN %DST_VLAN %IP_PROTOCOL_VERSION %DIRECTION %IN_DST_MAC %IN_SRC_MAC %OUT_DST_MAC %OUT_SRC_MAC %L7_PROTO %L7_PROTO_NAME %FIRST_SWITCHED %LAST_SWITCHED %IPV6_SRC_ADDR %IPV6_DST_ADDR" --elastic 'flows;nprobe-%Y.%m.%d;https://elasticsearch.mydomain.com:9200/_bulk;nprobe:passwd_for_nprobe' --json-labels -t 30 -d 3 -l 60 --dump-stats /var/log/nprobe/flow_stats.log
28/Feb/2025 14:49:14 [plugin.c:178] No plugins found in ./plugins
28/Feb/2025 14:49:14 [plugin.c:186] Loading 23 plugins [.so] from /usr/lib/nprobe/plugins
28/Feb/2025 14:49:14 [nprobe.c:6224] Disabling flow cache during collection
28/Feb/2025 14:49:14 [nprobe.c:8175] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
28/Feb/2025 14:49:14 [nprobe.c:8178] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
28/Feb/2025 14:49:14 [nprobe.c:8226] -i is ignored as --collector-port|-3 has been used: using '-i none'
28/Feb/2025 14:49:14 [nprobe.c:8278] Flow cache is disabled in flow collection mode
28/Feb/2025 14:49:14 [nprobe.c:8281] Welcome to nProbe v.10.5.240802 for x86_64-pc-linux-gnu with native PF_RING acceleration
28/Feb/2025 14:49:14 [nprobe.c:8303] Enterprise L Edition running on Debian GNU/Linux 12 (bookworm)
28/Feb/2025 14:49:14 [nprobe.c:8311] Current limits [32 ZMQ exporters][128 collector devices]
28/Feb/2025 14:49:14 [nprobe.c:8326] SystemId: REDACTED
28/Feb/2025 14:49:14 [nprobe.c:8419] Sample rate [packet: 1][flow collection/export: 1/1]
28/Feb/2025 14:49:14 [exportPlugin.c:624] Using ElasticSearch for data dump [flows][nprobe-%Y.%m.%d][https://elasticsearch.mydomain.com:9200/_bulk]
28/Feb/2025 14:49:14 [exportPlugin.c:628] [template: https://elasticsearch.mydomain.com:9200/_template/nprobe_template][query: https://elasticsearch.mydomain.com:9200/]
28/Feb/2025 14:49:14 [nprobe.c:10498] Using template %IN_BYTES %IN_PKTS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %IPV4_SRC_ADDR %SRC_MASK %INPUT_SNMP %L4_DST_PORT %IPV4_DST_ADDR %DST_MASK %OUTPUT_SNMP %IPV4_NEXT_HOP %SRC_AS %DST_AS %ICMP_TYPE %SAMPLING_INTERVAL %SAMPLING_ALGORITHM %FLOW_ACTIVE_TIMEOUT %FLOW_INACTIVE_TIMEOUT %MIN_TTL %MAX_TTL %DST_TOS %SRC_VLAN %DST_VLAN %IP_PROTOCOL_VERSION %DIRECTION %IN_DST_MAC %IN_SRC_MAC %OUT_DST_MAC %OUT_SRC_MAC %L7_PROTO %L7_PROTO_NAME %FIRST_SWITCHED %LAST_SWITCHED %IPV6_SRC_ADDR %IPV6_DST_ADDR
28/Feb/2025 14:49:14 [nprobe.c:10500] Using NetFlow Packet Payload Len: 1472
28/Feb/2025 14:49:14 [plugin.c:1207] 1 plugin(s) enabled
28/Feb/2025 14:49:14 [nprobe.c:10864] Skipping plugin Export Plugin: no IEs defined
28/Feb/2025 14:49:14 [nprobe.c:11049] Each flow is 149 bytes long
28/Feb/2025 14:49:14 [nprobe.c:11050] The # flows per packet has been set to 8
28/Feb/2025 14:49:14 [nprobe.c:11053] IP TOS is accounted
28/Feb/2025 14:49:14 [nprobe.c:12006] Flow export type (-T): unidirectional flows
28/Feb/2025 14:49:14 [nprobe.c:12048] Enable flow deduplication [frequency: 5]
28/Feb/2025 14:49:14 [nprobe.c:12200] Flows ASs will not be computed (no GeoDB files loaded with --as-list)
28/Feb/2025 14:49:14 [nprobe.c:12232] Flows will be exported in NetFlow 9 format
28/Feb/2025 14:49:14 [nprobe.c:12470] Not capturing packet from interface (collector mode)
28/Feb/2025 14:49:14 [util.c:5378] Enlarged socket buffer [echo 8388608 > /proc/sys/net/core/rmem_max]
28/Feb/2025 14:49:14 [util.c:5433] nProbe changed user to 'nprobe'
28/Feb/2025 14:49:14 [export.c:487] Using JSON as serialization format
28/Feb/2025 14:49:14 [nprobe.c:12784] nProbe started successfully
28/Feb/2025 14:49:14 [exportPlugin.c:899] [EXPORT] Starting thread
28/Feb/2025 14:49:18 [exportPlugin.c:454] WARNING: Unable to send the template to ELK
28/Feb/2025 14:49:18 [exportPlugin.c:539] [EXPORT] Ready to send data to ElasticSearch...

Elasticsearch settings

The nprobe user that is assigned to the nprobe-* indices has all the privileges for those indices enabled, yet the template still cannot be loaded due to the incorrect URL.

cllasyx, Feb 28 '25 14:02
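Added example, not nProbe's code or part of the issue: besides the path, the two endpoints differ in body shape. A legacy `_template` body carries `settings`, `mappings` and `aliases` at top level and ranks templates by `order`, while a composable `_index_template` body nests those sections under `template` and ranks by `priority`. The script converts a constructed legacy-style template into composable form and rewrites the template URL shown in the log above; the sample fields are constructed and are not nProbe's real `nprobe_template`.

```python
"""Rewrite a legacy Elasticsearch index template (PUT /_template/<name>) into
the composable form expected by PUT /_index_template/<name>.
Added example; not nProbe's code. The sample template is constructed."""
import copy
import json
from urllib.parse import urlsplit, urlunsplit

# Sections the legacy API takes at top level but the composable API nests under "template".
_TEMPLATE_SECTIONS = ("settings", "mappings", "aliases")


def legacy_to_composable(legacy: dict) -> dict:
    """Convert a legacy template body into a composable index template body."""
    src = copy.deepcopy(legacy)
    if "index_patterns" in src:
        patterns = src.pop("index_patterns")
    elif isinstance(src.get("template"), str):  # pre-6.x legacy shape: single pattern string
        patterns = [src.pop("template")]
    else:
        raise ValueError("legacy template has no index_patterns")
    composable = {"index_patterns": patterns}
    template = {k: src.pop(k) for k in _TEMPLATE_SECTIONS if k in src}
    if template:
        composable["template"] = template
    if "order" in src:
        composable["priority"] = src.pop("order")  # same role, different key
    if "version" in src:
        composable["version"] = src.pop("version")
    if src:  # refuse to drop unknown keys silently; they would be rejected or misread
        raise ValueError(f"unsupported legacy keys: {sorted(src)}")
    return composable


def composable_url(legacy_url: str) -> str:
    """Rewrite .../_template/<name> to .../_index_template/<name>, keeping scheme, host and port."""
    parts = urlsplit(legacy_url)
    segments = parts.path.split("/")
    if "_template" not in segments:
        raise ValueError("URL does not address the legacy _template endpoint")
    segments[segments.index("_template")] = "_index_template"
    return urlunsplit(parts._replace(path="/".join(segments)))


# Constructed legacy-shape sample (field names only illustrate nProbe's -T template keys).
LEGACY_TEMPLATE = {
    "index_patterns": ["nprobe-*"],
    "order": 0,
    "settings": {"number_of_shards": 1},
    "mappings": {"properties": {"IPV4_SRC_ADDR": {"type": "ip"}, "L4_DST_PORT": {"type": "integer"}}},
}
LEGACY_URL = "https://elasticsearch.mydomain.com:9200/_template/nprobe_template"  # from the log line

if __name__ == "__main__":
    print("PUT", composable_url(LEGACY_URL))
    print(json.dumps(legacy_to_composable(LEGACY_TEMPLATE), indent=2))
```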