Best practice for an "IP Check"

MarcusCaepio · June 17, 2019, 6:26am

Dear all,
I am trying to realise a scenario and want to ask you, how this would be made best. The scenario looks like this:
We are logging our firewalls via logstash / grok patterns and store the logs in elastic. On the other side we have a list of thousands "bad ips". This list can be just simple in a text file, or could also be get from a database. What we now want to do is to check continously, if a connection goes to any of these thousands of bad IPs and if it does, we want to be informed. Bad thing, we don't have the alerting license, only a basic license.
How would you solve this problem?

Cheers,
Marcus

vasek · June 17, 2019, 8:05am

Hi,
for detecting IP that is on blacklist - you can use Logstash and filter plugin Translate.

For alerting you can use

Elastalert - configurable by admins on server (config files)
Sentinl - Can be integrated to Kibana but you won't be able to keep up with the latest version of Elasticsearch.
Logstash output nagios_nsca plugin - some version had problem with working
Custom script (e.g. Shell) with knowledge of Elasticsearch Query - you'll have to program logic of alerting (repeating alerts - silents, etc.)

X-Pack feature will you save a lot of time. Furthermore it is integrated to Kibana UI.

system · July 15, 2019, 8:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Custom logs alert Kibana elastic-stack-alerting	5	525	June 9, 2022
【Please share info】Plugins and OSS for implementing alert functions in kibana (elasticsearch) version 7 series Kibana elastic-stack-alerting	1	238	May 1, 2023
I need advice on this new use case - IOC Elasticsearch	4	1410	September 25, 2017
Elasticsearch indexes - watcher notifications Elasticsearch elastic-stack-alerting	9	1574	September 15, 2017
Need help on elastic search Elastic Community and Ecosystem	2	1433	May 6, 2016

Best practice for an "IP Check"

Related topics