Timeseries¶
Ntopng creates historical timeseries to be visualized in the charts. In order to store timeseries data, ntopng supports RRD and InfluxDB as timeseries drivers.
The resolution of data depends on the actual timeseries type. For example, the network interfaces traffic is usually recorded with a 1 second resolution, whereas the hosts L7 protocols data usually have 5 minutes resolution. Moreover, in same cases (e.g. RRD), the resolution of the data depends on how old is the data.
RRD Driver¶
RRD is the default driver used. It writes data in the form of local .rrd files. RRD automatically aggregates old data to save space, reducing its resolution. Hence older data will be aggregated together and finally be removed after 1 year (in fact RRD stands for Round Robin Database).
Querying a single data series is efficient since the data is contained into a single file, while performing more complex queries on multiple data series (e.g. when trying to determine the top protocols) can take some time. Moreover RRD has shown some limitations when writing a large volume of data, usually leading to gaps in the timeseries data points. With a large volume of data, the use of InfluxDB is suggested.
InfluxDB Driver¶
ntopng supports writing and fetching timeseries data from an InfluxDB server. Since database communication happens via the network, the server can also be located on an external host.
Note
ntopng supports InfluxDB version 1.x (no 2.x series) and the minimum supported version is 1.5.1
Here is an overview of the features ntopng provides:
- A database is automatically configured according to the InfluxDB Database field value
- It is possible to specify authentication credentials if the InfluxDB database is protected
InfluxDB is really suitable to export high frequency data due to the high insertion throughput. For this reason it’s possible to increase the timeseries resolution to get more detailed historical data. This can be configured from the “L7 Application Resolution” preference.
Warning
Increasing the timeseries resolution involves more buffering into ntopng. This will have a strong impact on the RAM usage on large networks.
Warning
In order to avoid “max-values-per-tag limit exceeded” errors with InfluxDB leading to new data being rejected, it’s necessary to set max-values-per-tag = 0 in the InfluxDB configuration file, usually located at /etc/influxdb/influxdb.conf
Warning
In order to avoid “max-series-per-database limit exceeded” errors with InfluxDB leading to new data being rejected, it’s necessary to set max-series-per-database = 0 in the InfluxDB configuration file, usually located at /etc/influxdb/influxdb.conf. Please note that an high cardinality of timeseries may lead to writes/reads performance degradation. You can reduce the cardinality by disabling some timeseries and decreasing the maximum timeseries Data Retention.
Note
It is possible to review the current InfluxDB storage size used by ntopng from the “Runtime Status” page.
InfluxDB status can be monitored using the InfluxDB Monitor.
Authentication¶
InfluxDB supports HTTP/HTTPS authentication. To enable HTTP/HTTPS authentication, use the preferences toggle and specify a valid username/password pair.
To enable InfluxDB authentication follow the steps highlighted at https://github.com/influxdata/influxdb/issues/8824#issuecomment-329746475.
Note
ntopng creates retention policies and continuous queries. This requires an InfludDB user with admin privileges. It is not possible for non-admin users to create retention policies (https://stackoverflow.com/a/45656074).
Therefore, an admin user is required the first time ntopng is set up to use InfluxDB to allow creation of retention policies and continuous queries. Once the database has been created, a non-privileged user can used.
Timeseries Configuration¶
Individual timeseries can be enabled or disabled based on the user needs or system limits. Such limits usually are:
- the storage size (more timeseries means more storage)
- the storage speed
- the time needed to write such timeseries to the timeseries database (in particular, this is a problem with RRD)
Moreover, having a lot of timeseries usually means slower query time.
Enabling a “Traffic” timeseries usually has little impact on the performance. On the other hand, enabling the “Layer-7 Applications” (in particular for the local hosts) has a high impact since there are many protocols and timeseries must be processed for each of them.
It is possible to skip timeseries generation for a specific network interface from the interface settings page. By disabling timeseries generation on a network interface, no timeseries data will be written for the interface itself and for all the local hosts belonging to it.
ntopng also provides timeseries on other traffic elements such as Autonomous Systems, Countries, VLANs and so on, which can be enabled independently.
Network Matrix Timeseries¶
Note
Network Matrix is not available in the community edition.
ntopng can store timeseries for communicatins across local networks, called Network Matrix.
It represent the traffic done between Local Networks (can be added to ntopng using the -m option in the configuration file), both sent and received.
It can be found into the Networks timeseries page; to jump to it, access the Networks tab and then click the charts icon. This pspecific timeseries is reported in all time presets except the last 5 minutes.