I am trying to realise a scenario and want to ask you how this would best be done. The scenario looks like this:
We are logging our firewalls via logstash / grok patterns and store the logs in elastic. On the other side we have a list of thousands of "bad IPs". This list can be just a simple text file, or could also be fetched from a database. What we now want to do is to check continuously if a connection goes to any of these thousands of bad IPs, and if it does, we want to be informed. Bad thing: we don't have the alerting license, only a basic license.
How would you solve this problem?
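One way to handle the matching part, added here as an example and not code from the original post (the field names `src_ip`/`dst_ip`, the sample list and the query shape are assumptions): load the list once, check each event's source and destination against it, and build the scheduled Elasticsearch query a cron job could run in place of the alerting feature.

```python
import ipaddress

# Constructed sample of the "bad IPs" text file (not a real threat list): one entry per line, single IPs or CIDR ranges, '#' comments allowed.
BAD_IP_FILE = """
198.51.100.7        # constructed sample entry
203.0.113.0/24
"""

# Constructed firewall events shaped like grok output; the field names
# src_ip / dst_ip are an assumption, not taken from the original post.
FW_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7"},
    {"@timestamp": "2024-01-01T10:00:01Z", "src_ip": "10.0.0.6", "dst_ip": "8.8.8.8"},
    {"@timestamp": "2024-01-01T10:00:02Z", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.44"},
]

def load_bad_ips(text):
    """Single IPs go into a set for O(1) lookup; CIDR entries stay as networks."""
    singles, networks = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "/" in line:
            networks.append(ipaddress.ip_network(line, strict=False))
        elif line:
            singles.add(ipaddress.ip_address(line))
    return singles, networks

def is_bad(ip, singles, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed field from a failed grok match: skip it, don't crash the poller
    return addr in singles or any(addr in net for net in networks)

def find_hits(events, singles, networks):
    """Return events whose source or destination is on the list, tagged with the matching side."""
    hits = []
    for ev in events:
        for side in ("src_ip", "dst_ip"):
            if is_bad(ev.get(side, ""), singles, networks):
                hits.append({**ev, "matched_field": side})
                break
    return hits

def terms_query(singles, field, since="now-5m"):
    """Query body a cron job can POST to Elasticsearch to pull only recent events hitting the single-IP
    part of the list; the terms clause is capped (index.max_terms_count, default 65536), so split huge lists."""
    return {"query": {"bool": {"filter": [
        {"range": {"@timestamp": {"gte": since}}},
        {"terms": {field: sorted(str(a) for a in singles)}}]}}}
```

CIDR entries cannot go into a `terms` clause, so the polling job fetches recent events and runs `find_hits` over them, or the list is expanded to an `ip` field range query.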