
In nProbe --json-labels seems to be working with the default template, but not with custom ones #616

Open
xavibonet opened this issue Jun 7, 2024 · 3 comments

@xavibonet

We're sending data from nprobe in collector mode to an ELK node.

When we're using standard templates in conjunction with --json-labels, not using the -T parameter, everything works fine. Data is received and seen OK on ELK.

If we use a custom template with -T, and do not use --json-labels, we receive all the info in ELK but we don't see the field names, just the IDs.

If we send custom templates (-T parameter) in conjunction with --json-labels, data is not seen in ELK. It seems that custom templates with --json-labels have some weird behaviour. I must say that data seems to be sent to ELK because we can see traffic flowing through the FW from nProbe to ELK.

Our nprobe config is:

Version: 10.4.240307
Build OS: Ubuntu 22.04.3 LTS
Edition: nProbe Enterprise L

Thanks

@xavibonet xavibonet changed the title --json-labels seems to be working with the default template, but not with custom ones In nProbe --json-labels seems to be working with the default template, but not with custom ones Jun 7, 2024
@xavibonet
Author

So far our workaround is to modify Kibana Index Patterns

@lucaderi
Member

Can you please provide an example for reproducing the defect?

@xavibonet
Author

It all started when we tried to add some new fields to the @NTOPNG@ template. We wanted to get NetFlow not just from the switches but from our Palo Alto FW too. We needed three more fields, and I'll try to explain what we found.

The problem arises when we use -T @NTOPNG@ in our config. If we don't use the "-T" parameter then we can add "--json-labels" and it works; it's just that not all the info we need is there, because the default template is used. See image1.

(image1)

If we use "-T @NTOPNG@" we stop seeing the names of the fields, just the IDs, but all the fields are there, even the new ones from Palo Alto, because we add the file with the definitions. We use the following config:

```
-T "@NTOPNG@ %FIREWALL_EVENT %PALOALTO_APPID %PALOALTO_USERID %PALOALTO_FLOWID"
--load-custom-fields /etc/nprobe/newfields_netflow.txt
```

We can see all the fields here in image2:

(image2)

And finally, if we now add "--json-labels" we stop seeing info in the ELK node; just look at the records in the timeline, which has become flat at 0 (although we can see in our FW that there's information flowing from nprobe to ELK):

(image3)

I don't know if my explanation is clear or just a bunch of images 😄
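The thread above stops at "traffic leaves nProbe but nothing shows up in Kibana", which is exactly the point where a practitioner wants to look at the records themselves before blaming either side. The script below is an added triage helper, not code from this issue, from ntop or from nProbe: it takes exporter output captured on the collector side (one JSON record per line, e.g. from a packet capture or a file sink placed in front of ELK), and for each record reports whether it parses at all, whether its keys are human-readable labels or bare numeric element IDs, and whether any keys contain dots. The sample lines are constructed for illustration; their shape is an assumption about what a JSON exporter might emit and is not nProbe's documented output format. The numeric keys 8/12/7/11 are the standard NetFlow v9/IPFIX element IDs for source/destination IPv4 address and L4 ports; "25461.1"-style keys stand in for a hypothetical PEN.elementId encoding of vendor fields.

```python
import json
import re
from collections import Counter

# Constructed sample records standing in for what a collector might receive
# from a JSON-mode exporter. Illustrative only; not real nProbe output.
SAMPLE_LINES = [
    # labelled keys, as the reporter sees with the default template + --json-labels
    '{"IPV4_SRC_ADDR":"192.0.2.10","IPV4_DST_ADDR":"198.51.100.5",'
    '"L4_SRC_PORT":51234,"L4_DST_PORT":443}',
    # numeric element IDs only, as the reporter sees with -T but no --json-labels
    '{"8":"192.0.2.10","12":"198.51.100.5","7":51234,"11":443}',
    # mixed: labels plus hypothetical "PEN.id" keys for vendor-specific fields
    '{"IPV4_SRC_ADDR":"192.0.2.10","25461.1":"ssl","25461.3":"alice"}',
    # truncated line: a record that will never be indexed
    '{"IPV4_SRC_ADDR":"192.0.2.10","L4_DST_PORT":443',
]

# A key is treated as a numeric element ID if it is all digits, optionally
# with a single "PEN.id" dot component (assumed encoding, see lead-in).
NUMERIC_KEY = re.compile(r"^\d+(\.\d+)?$")


def classify_record(line):
    """Classify one exported record by how its keys are named.

    Returns a dict with a 'status' of invalid_json, not_an_object, labels,
    numeric_ids or mixed, plus the key groups found.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return {"status": "invalid_json", "error": str(exc)}
    if not isinstance(rec, dict):
        return {"status": "not_an_object"}

    numeric = [k for k in rec if NUMERIC_KEY.match(k)]
    labels = [k for k in rec if not NUMERIC_KEY.match(k)]
    # Dotted keys are worth flagging separately: Elasticsearch expands
    # "a.b" into an object path, which can collide with other mappings.
    dotted = [k for k in rec if "." in k]

    if numeric and labels:
        status = "mixed"
    elif numeric:
        status = "numeric_ids"
    else:
        status = "labels"
    return {
        "status": status,
        "numeric_keys": numeric,
        "label_keys": labels,
        "dotted_keys": dotted,
    }


def summarize(lines):
    """Classify every line and tally the statuses; returns (Counter, details)."""
    counts = Counter()
    details = []
    for lineno, line in enumerate(lines, 1):
        result = classify_record(line)
        counts[result["status"]] += 1
        details.append((lineno, result))
    return counts, details


if __name__ == "__main__":
    totals, per_line = summarize(SAMPLE_LINES)
    for lineno, result in per_line:
        print(f"line {lineno}: {result['status']}"
              + (f" ({result['error']})" if "error" in result else ""))
    print("totals:", dict(totals))
```

Run it against a real capture by replacing SAMPLE_LINES with the file contents (one record per line). A run that shows only "numeric_ids" confirms the field-name problem is on the exporter side rather than a Kibana index pattern issue; a run with "invalid_json" lines, or with dotted keys that clash with existing mappings, is the kind of thing that makes an index stay flat even though the firewall sees traffic, and it is where to look next before escalating the report.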
