Elasticsearch + MySQL

Marcos_Felix · November 26, 2018, 3:31pm

Hello,
Getting logs from ntopng - was thinking sending it to MySQL and then using Elasticsearch to query it and obviously visualize it in Kibana.
Is this ideal? Im looking to keep 1 year worth of logs. On top of ntopng logs I will have cisco and winevt.
I was suggested to just send the logs directly to Elasticsearch rather than using MySQL - what's the downside to this?
Cheers

warkolm · November 26, 2018, 10:55pm

The downside is you have another system to maintain.
There are plenty of upside though.

Marcos_Felix · November 27, 2018, 9:20am

You mean if I go with MySQL I will have one more system to maintain? Fair enough, but what would be big upside to this? I'm trying to get as much perspective as I can before moving in with this. Thanks

warkolm · November 28, 2018, 1:39am

Fast, customisable search that's built for search and not just a table scan. Plus a whole bunch of analytics that can be API or Kibana driven. Native geospatial datasets and queries.

And then there things like Machine Learning and Alerting which add a heap of extra value.

Marcos_Felix · November 28, 2018, 10:20am

Okay, so let me get this straight - is it possible to do this:
ntopng > mysql > elasticsearch > kibana
Use MySQL to store data and Elasticsearch to query data? or should I just do this:
ntopng > elasticsearch > kibana
I have been getting some information on Graylog and apparently its impossible to do what I mentioned (ntopng > mysql > elasticsearch > graylog) and instead I should do:
ntopng > logstash > graylog > elasticsearch.
Also I heard with MySQL the search would be slower and that with ES it'd be faster.
Opinions?

warkolm · November 28, 2018, 8:35pm

I'm not familiar with ntopng, but if it can send direct to Elasticsearch then I would just do that.
Also Graylog uses Elasticsearch, so you wouldn't have any further steps once it got there.

Yes, Elasticsearch search will be much faster than MySQL.

Marcos_Felix · November 30, 2018, 11:42am

I apologize for this post. My original intention was mislead by a colleague.
Anyhow, since we are here. I was wondering if I have Graylog doing all the logging (ntopng + winevt + cisco) and I have Kibana installed on the same server. Will I then be able to use Kibana only for its visualization?
My intention is: Graylog for logging | Kibana for visualization.
Since all the logging from Graylog will be stored in ES, if I have Kibana installed - surely it will pick up these logs?
Thanks

warkolm · December 1, 2018, 3:56am

I believe you can do this, yes.

system · December 29, 2018, 4:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.