ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

elasticsearch missing mac #8667

Closed xiamaohan closed 1 week ago

xiamaohan commented 3 weeks ago

We want to know whether it is normal that, when we set “-i view:all” in the ntopng config, elasticsearch is missing the server.mac and client.mac data. With the following configs, however, the mac data do exist in elasticsearch: -i=enp3s0f0@0 -i=enp3s0f0@1 -i=enp3s0f0@2 -i=enp3s0f0@3 -i=enp3s0f0@4 -i=enp3s0f0@5 -i=enp3s0f0@6 -i=enp3s0f0@7

MatteoBiscosi commented 3 weeks ago

Hi @xiamaohan which info are you exporting to elastic, flows or alerts?

xiamaohan commented 2 weeks ago

> Hi @xiamaohan which info are you exporting to elastic, flows or alerts?

Hi, flows

MatteoBiscosi commented 1 week ago

In that case it's normal, because there is no concept of MAC Address on all the interfaces except for the view:all one (which in reality has no real flow, it's just a view). So if you want to export flows to elastic and have MACs, I'd suggest removing the view:all option.
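As an added illustration of the behaviour described in this answer (example code, not part of ntopng), the script below scans flow documents as they might be exported to Elasticsearch and reports, per exporting interface, how many lack a client or server MAC. The field names `client.mac`, `server.mac` and `interface`, and the sample documents, are assumptions constructed for the example; adjust them to match your own index mapping. A high count on `view:all` and zero on the physical `enp3s0f0@N` interfaces is the expected pattern, which makes this a quick way to confirm which interface a given export is coming from.

```python
"""Check ntopng-style flow documents for missing MAC fields, per interface.

Added example, not part of the ntopng project. The field names
``client.mac``, ``server.mac`` and ``interface`` are assumptions about the
exported document layout; adjust them to your own Elasticsearch mapping.
"""
from collections import Counter
from typing import Iterable

MAC_FIELDS = ("client.mac", "server.mac")


def get_path(doc: dict, dotted: str):
    """Return the value at a dotted path.

    Accepts both a flat key ("client.mac") and nested objects
    ({"client": {"mac": ...}}), since exporters differ in how they lay
    the document out. Returns None when the path is absent.
    """
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_mac_by_interface(docs: Iterable[dict]) -> dict:
    """Count, per exporting interface, documents lacking any MAC field.

    Returns {interface: (docs_without_mac, total_docs)}. A view interface
    such as ``view:all`` aggregates its member interfaces' flows and carries
    no MAC addresses, so a high count there is expected rather than a bug.
    """
    missing = Counter()
    total = Counter()
    for doc in docs:
        ifname = doc.get("interface", "<unknown>")
        total[ifname] += 1
        if any(get_path(doc, f) in (None, "") for f in MAC_FIELDS):
            missing[ifname] += 1
    return {name: (missing[name], total[name]) for name in total}


# Constructed sample documents (not real exported data): two flows from the
# view:all interface without MACs, two from physical interfaces with MACs.
SAMPLE_DOCS = [
    {"interface": "view:all",
     "client": {"ip": "10.0.0.5"}, "server": {"ip": "10.0.0.9"}},
    {"interface": "view:all",
     "client.ip": "10.0.0.6", "server.ip": "10.0.0.9", "client.mac": ""},
    {"interface": "enp3s0f0@0",
     "client": {"ip": "10.0.0.5", "mac": "02:00:00:00:00:01"},
     "server": {"ip": "10.0.0.9", "mac": "02:00:00:00:00:02"}},
    {"interface": "enp3s0f0@1",
     "client.ip": "10.0.0.7", "client.mac": "02:00:00:00:00:03",
     "server.ip": "10.0.0.9", "server.mac": "02:00:00:00:00:04"},
]

if __name__ == "__main__":
    for ifname, (bad, n) in missing_mac_by_interface(SAMPLE_DOCS).items():
        print(f"{ifname}: {bad}/{n} flows without MAC addresses")
```

Run it against a dump of your own index (for example, the `_source` objects returned by a scroll query) instead of `SAMPLE_DOCS`; if every document reporting missing MACs carries the view interface name, the export is coming from `view:all` and the fix is the one given above.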