Best practice for an "IP Check"

Dear all,
I am trying to realise a scenario and want to ask you how this would best be done. The scenario looks like this:
We are logging our firewalls via Logstash / grok patterns and store the logs in Elastic. On the other side we have a list of thousands of "bad IPs". This list can simply be in a text file, or could also be fetched from a database. What we now want to do is to check continuously whether a connection goes to any of these thousands of bad IPs, and if it does, we want to be informed. Bad thing: we don't have the alerting license, only a basic license.
How would you solve this problem?

Cheers,
Marcus

Hi,
For detecting an IP that is on a blacklist, you can use Logstash and the Translate filter plugin.

For alerting you can use

  1. Elastalert - configurable by admins on the server (config files)
  2. Sentinl - can be integrated into Kibana, but you won't be able to keep up with the latest version of Elasticsearch.
  3. Logstash output nagios_nsca plugin - some versions had problems working
  4. Custom script (e.g. shell) with knowledge of Elasticsearch queries - you'll have to program the alerting logic yourself (repeating alerts, silences, etc.)

The X-Pack feature will save you a lot of time. Furthermore, it is integrated into the Kibana UI.
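To make the two pieces of the reply concrete, here is an added example (not code from the original thread or from Elastic) that models the blacklist lookup and the alerting logic offline in Python. The Translate filter does the lookup step inside the Logstash pipeline (it maps a field such as the destination IP against a dictionary file given by `dictionary_path` and writes a target value on a match, with `fallback` for misses); the function `is_bad` below reproduces that lookup, generalised to CIDR ranges as well as exact IPs, and `AlertSilencer` supplies the repeat-suppression that option 4 (a custom script) would have to implement. `es_query_for_bad_ips` builds the query body such a script could poll Elasticsearch with. The field names `source.ip` and `destination.ip`, the sample blacklist and the sample events are all constructed assumptions, not values from the thread.

```python
"""Offline model of the bad-IP check: match firewall events against a large
blacklist (exact IPs and CIDR ranges), then suppress repeated alerts for the
same source/entry pair within a time window.  Field names such as
`destination.ip` are assumptions about what the grok pattern produces."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample blacklist, one entry per line, '#' comments allowed.
# A text file or a database export would have the same shape.
BAD_IP_LIST = """
# constructed sample entries (documentation ranges, not real threat data)
203.0.113.7
198.51.100.0/24
192.0.2.44
"""


def load_bad_ips(text):
    """Parse the list into a set of exact addresses (O(1) lookup) plus a list of networks."""
    exact, nets = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "/" in line:
            nets.append(ipaddress.ip_network(line, strict=False))
        else:
            exact.add(ipaddress.ip_address(line))
    return exact, nets


def is_bad(ip_str, exact, nets):
    """Return the matching blacklist entry for ip_str, or None if it is clean or malformed."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # a field that failed to parse in grok must not raise an alert
    if ip in exact:
        return str(ip)
    for net in nets:  # linear scan over ranges; fine for a few thousand entries
        if ip in net:
            return str(net)
    return None


# Constructed sample events in the shape grok would emit (field names assumed).
EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00", "source.ip": "10.0.0.5", "destination.ip": "203.0.113.7"},
    {"@timestamp": "2024-01-01T10:00:30", "source.ip": "10.0.0.5", "destination.ip": "203.0.113.7"},
    {"@timestamp": "2024-01-01T10:01:00", "source.ip": "10.0.0.9", "destination.ip": "198.51.100.20"},
    {"@timestamp": "2024-01-01T10:02:00", "source.ip": "10.0.0.5", "destination.ip": "8.8.8.8"},
    {"@timestamp": "2024-01-01T10:20:00", "source.ip": "10.0.0.5", "destination.ip": "203.0.113.7"},
]


class AlertSilencer:
    """Suppress repeats of the same (source, matched entry) key inside a window."""

    def __init__(self, window):
        self.window = window
        self.last_sent = {}

    def should_alert(self, key, when):
        prev = self.last_sent.get(key)
        if prev is not None and when - prev < self.window:
            return False
        self.last_sent[key] = when
        return True


def find_alerts(events, blacklist_text, silence_minutes=10):
    """Run the lookup over events and return the de-duplicated alerts."""
    exact, nets = load_bad_ips(blacklist_text)
    silencer = AlertSilencer(timedelta(minutes=silence_minutes))
    alerts = []
    for ev in events:
        hit = is_bad(ev.get("destination.ip", ""), exact, nets)
        if hit is None:
            continue
        when = datetime.fromisoformat(ev["@timestamp"])
        if silencer.should_alert((ev["source.ip"], hit), when):
            alerts.append({"time": ev["@timestamp"], "src": ev["source.ip"],
                           "dst": ev["destination.ip"], "matched": hit})
    return alerts


def es_query_for_bad_ips(blacklist_text, field="destination.ip", lookback="5m"):
    """Query body a polling script could send to Elasticsearch: a terms filter over the
    whole list (CIDR values are accepted on ip-typed fields) limited to recent documents."""
    exact, nets = load_bad_ips(blacklist_text)
    values = [str(ip) for ip in exact] + [str(n) for n in nets]
    return {"size": 100, "query": {"bool": {"filter": [
        {"terms": {field: values}},
        {"range": {"@timestamp": {"gte": f"now-{lookback}"}}},
    ]}}}


if __name__ == "__main__":
    for a in find_alerts(EVENTS, BAD_IP_LIST):
        print(a)
```

With the constructed data this yields three alerts: the second hit from 10.0.0.5 to 203.0.113.7 thirty seconds later is silenced, while the one twenty minutes later is reported again because it falls outside the 10-minute window. Keep the silence window and its key (source, entry) deliberately narrow; a window keyed on the destination alone would hide a second internal host reaching the same bad IP.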
