Mailing List Archive

Syslog Alert forwarding?
Hi!

I have recently gotten NTOP-NG running in my environment and am fairly pleased with it so far. What I would like to do that I have not been able to find much information on is forwarding any alerts from syslog to a syslog collector - graylog in my case. I may be able to figure this out on my own but to start with I cannot seem to find the location in the filesystem that this is logged at. I have the "syslog option" turned on in the preferences but if I search the default /var/log/syslog I find no mention of anything generated from ntop at all let alone anything related to an alert. That said - if this were ever to work I'd really like to not forward the server's entire syslog to graylog and parse it down to only what is needed from ntop.

I am running this on Ubuntu 16.04 LTS with the default rsyslog install.

Any suggestions on how to go about this?


Brian Ball
Senior Systems Administrator, IT
DL +1 (954) 538-4070
M +1 (954) 348-9192
<http://www.globaleagle.com/>
Teamwork | Excellence | Action | Commitment | Honor
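Forwarding only ntopng's messages, as Brian asks, does not need a separate log file: rsyslog can select by the tag the daemon logs under (`ntopng:` in the lines Simone posts) and ship just those, before they are written anywhere. The fragment below is an added example for this thread, not ntop's or Graylog's documentation; the Graylog hostname, the port (Graylog's syslog inputs are commonly put on an unprivileged port such as 1514, since the server does not run as root) and the queue file name are assumptions.

```rsyslog
# /etc/rsyslog.d/30-ntopng-graylog.conf
# RainerScript syntax, as supported by the rsyslog 8 shipped with Ubuntu 16.04.
#
# Select on the program name ntopng logs under ("ntopng:" in the sample lines)
# and on the "[Alert]" marker, so nothing else on the box is forwarded.
# graylog.example.internal and port 1514 are placeholders for the Graylog
# syslog TCP input; the on-disk queue keeps alerts if Graylog is unreachable
# (it lands in $WorkDirectory, /var/spool/rsyslog on Ubuntu's default config).
if $programname == 'ntopng' and $msg contains '[Alert]' then {
    action(
        type="omfwd"
        target="graylog.example.internal"
        port="1514"
        protocol="tcp"
        template="RSYSLOG_SyslogProtocol23Format"
        queue.type="LinkedList"
        queue.filename="ntopng_graylog_fwd"
        queue.saveOnShutdown="on"
        action.resumeRetryCount="-1"
    )
    # No "stop" here: the line still reaches /var/log/syslog through
    # 50-default.conf. Add "stop" after the action to forward only.
}
```

Check the file with `sudo rsyslogd -N1` before `sudo systemctl restart rsyslog`, then inject a line that matches the rule with `logger -t ntopng '[Alert] forwarding test'` and look for it on the Graylog input. The rule can only match what ntopng actually writes: if no `ntopng:` lines show up in /var/log/syslog locally (Brian's symptom), there is nothing to forward, and Simone's reply below says alert-to-syslog support was only just added. `RSYSLOG_SyslogProtocol23Format` sends RFC 5424 framing, which Graylog's syslog input parses; plain TCP syslog is unencrypted, so across an untrusted network use rsyslog's TLS stream driver (the rsyslog-gnutls package) or a tunnel.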
Re: Syslog Alert forwarding? [ In reply to ]
Brian,

Alert-to-syslog support is now added:


For threshold-based alerts you also have indication if the alert is:
* ENGAGED -- that is, the threshold condition holds true
* RELEASED -- that is, the threshold condition no longer holds true

See:

simone@devel:~/nProbe$ sudo tail -f /var/log/syslog
Aug 7 14:39:37 devel ntopng: [Alert] host <A HREF='/lua/host_details.lua?host=192.168.2.222&ifid=0&page=alerts'>devel</A> contacted blacklisted host <A HREF='/lua/host_details.lua?host=80.82.77.33&ifid=0&page=alerts'>sky.census.shodan.io</A> [ICMP 192.168.2.222:0 &gt; 80.82.77.33:0 [proto: 81.81/ICMP][device: 0 in: 0 out:0][3/3 pkts][294/294 bytes][]]

Aug 7 14:40:00 devel ntopng: [Alert] [ENGAGED] Minute <b>traffic</b> crossed by host <a href='/lua/host_details.lua?ifid=0&host=192.168.2.222'>devel</a> [693.44 KB &gt; 1 Byte]

Aug 7 14:43:00 devel ntopng: [Alert] [RELEASED] Minute <b>traffic</b> crossed by host <a href='/lua/host_details.lua?ifid=0&host=192.168.2.222'>devel</a> [693.44 KB &gt; 1 Byte]


A new build with the change will be available tomorrow.



Regards,
Simone

> On 7 Aug 2017, at 00:14, Brian Ball <brian.ball@globaleagle.com> wrote:
>
> Hi!
>
> I have recently gotten NTOP-NG running in my environment and am fairly pleased with it so far. What I would like to do that I have not been able to find much information on is forwarding any alerts from syslog to a syslog collector – graylog in my case. I may be able to figure this out on my own but to start with I cannot seem to find the location in the filesystem that this is logged at. I have the “syslog option” turned on in the preferences but if I search the default /var/log/syslog I find no mention of anything generated from ntop at all let alone anything related to an alert. That said – if this were ever to work I’d really like to not forward the server’s entire syslog to graylog and parse it down to only what is needed from ntop.
>
> I am running this on Ubuntu 16.04 LTS with the default rsyslog install.
>
> Any suggestions on how to go about this?
>
>
> Brian Ball
> Senior Systems Administrator, IT
> DL +1 (954) 538-4070
> M +1 (954) 348-9192
> <http://www.globaleagle.com/>
> Teamwork | Excellence | Action | Commitment | Honor
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it>
> http://listgateway.unipi.it/mailman/listinfo/ntop <http://listgateway.unipi.it/mailman/listinfo/ntop>
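Simone's sample lines show what ntopng now writes to syslog: the `ntopng:` tag, a `[Alert]` marker, an `[ENGAGED]` or `[RELEASED]` state on threshold alerts only, and a body that is HTML (anchors to host_details.lua, `<b>`, `&gt;`). Brian's goal is to cut the stream down to what Graylog needs, so the parser below, an added example and not ntopng's or Graylog's own code, picks those lines out of a syslog file, strips the markup, keeps the addresses the anchors point at, and converts each alert to a GELF 1.1 record. The rsyslog line layout it expects is rsyslog's default file format; the GELF step is one assumed way to deliver the result; the `GELF_LEVEL` mapping and the two non-alert sample lines are constructed.

```python
"""Parse ntopng '[Alert]' syslog lines (format as shown in Simone's reply).

Added example for this thread, not ntopng's or Graylog's code. Assumes
rsyslog's default file format; the GELF conversion is an assumed option.
"""
import html
import re
from dataclasses import dataclass, field
from typing import List, Optional

# rsyslog default file format: "<Mon> <day> <HH:MM:SS> <host> <tag>[<pid>]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# ntopng alert body: "[Alert]" then, for threshold alerts only, "[ENGAGED]"/"[RELEASED]".
ALERT_RE = re.compile(r"^\[Alert\] (?:\[(?P<state>ENGAGED|RELEASED)\] )?(?P<text>.*)$")

# The body is HTML; hosts are linked as host_details.lua?...host=<addr>...
HREF_HOST_RE = re.compile(r"[?&]host=([^&'\"]+)")
TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class NtopngAlert:
    timestamp: str            # syslog timestamp (this format carries no year)
    host: str                 # syslog hostname, i.e. the ntopng box
    state: Optional[str]      # "ENGAGED"/"RELEASED" for threshold alerts, else None
    text: str                 # alert text with tags stripped and entities decoded
    hosts: List[str] = field(default_factory=list)  # addresses the alert links to
    raw: str = ""


def parse_ntopng_alert(line: str) -> Optional[NtopngAlert]:
    """Return the parsed alert, or None for lines that are not ntopng alerts."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "ntopng":
        return None                        # other daemons, or a malformed line
    a = ALERT_RE.match(m.group("msg"))
    if not a:
        return None                        # ntopng line that is not an alert
    body = a.group("text")
    hosts = HREF_HOST_RE.findall(body)     # collect before the anchors are stripped
    text = html.unescape(TAG_RE.sub("", body))
    return NtopngAlert(m.group("ts"), m.group("host"), a.group("state"), text, hosts, line)


def parse_ntopng_alerts(lines) -> List[NtopngAlert]:
    return [a for a in map(parse_ntopng_alert, lines) if a is not None]


# GELF levels are syslog severities (constructed mapping): a release is
# informational (6), an engaged threshold or a one-shot alert a warning (4).
GELF_LEVEL = {"ENGAGED": 4, "RELEASED": 6}


def to_gelf(alert: NtopngAlert) -> dict:
    """GELF 1.1 payload for a Graylog GELF input (assumed delivery method)."""
    return {
        "version": "1.1",
        "host": alert.host,
        "short_message": alert.text,
        "level": GELF_LEVEL.get(alert.state, 4),
        "_ntopng_state": alert.state or "ONESHOT",
        "_ntopng_hosts": ",".join(alert.hosts),
        "_syslog_timestamp": alert.timestamp,
    }


# Constructed sample: the three lines from Simone's reply plus two unrelated lines.
SAMPLE_LINES = [
    "Aug 7 14:39:37 devel ntopng: [Alert] host <A HREF='/lua/host_details.lua?host=192.168.2.222&ifid=0&page=alerts'>devel</A> contacted blacklisted host <A HREF='/lua/host_details.lua?host=80.82.77.33&ifid=0&page=alerts'>sky.census.shodan.io</A> [ICMP 192.168.2.222:0 &gt; 80.82.77.33:0 [proto: 81.81/ICMP][device: 0 in: 0 out:0][3/3 pkts][294/294 bytes][]]",
    "Aug 7 14:39:40 devel sshd[1234]: Accepted publickey for simone from 192.168.2.10 port 50022 ssh2",
    "Aug 7 14:40:00 devel ntopng: [Alert] [ENGAGED] Minute <b>traffic</b> crossed by host <a href='/lua/host_details.lua?ifid=0&host=192.168.2.222'>devel</a> [693.44 KB &gt; 1 Byte]",
    "Aug 7 14:41:00 devel ntopng: periodic housekeeping (constructed, not an alert)",
    "Aug 7 14:43:00 devel ntopng: [Alert] [RELEASED] Minute <b>traffic</b> crossed by host <a href='/lua/host_details.lua?ifid=0&host=192.168.2.222'>devel</a> [693.44 KB &gt; 1 Byte]",
]

if __name__ == "__main__":
    import json
    for alert in parse_ntopng_alerts(SAMPLE_LINES):
        print(json.dumps(to_gelf(alert)))
```

Run on the sample, it keeps the three alert lines and drops the sshd line and the non-alert ntopng line. The body is stripped to text rather than passed on as markup on purpose: the names in it (sky.census.shodan.io in Simone's line) are resolved from traffic on the wire, so downstream dashboards should treat the field as untrusted text. Pairing the ENGAGED and RELEASED records for one host gives the duration of a threshold condition, which the raw lines only show by timestamp.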
Re: Syslog Alert forwarding? [ In reply to ]
Thank you Simone!!

Brian Ball
Senior Systems Administrator, IT
DL +1 (954) 538-4070
M +1 (954) 348-9192
<http://www.globaleagle.com/>
Teamwork | Excellence | Action | Commitment | Honor

From: ntop-bounces@listgateway.unipi.it [mailto:ntop-bounces@listgateway.unipi.it] On Behalf Of Simone Mainardi
Sent: Monday, August 07, 2017 8:46 AM
To: ntop@unipi.it
Cc: ntop@listgateway.unipi.it
Subject: Re: [Ntop] Syslog Alert forwarding?
