is it possible to make watch that looks forward to two or more logs of different type but one field in common?
We have:
log A - AD login
log B - DB login
I want to set up watch that looks for both logs (in time window set in watch check), with the same user but i dont want to define user as string in watch because i dont yet know which user will behave as described.
Filter description of log A + Filter description of log B but logs are matched by the same user narme.
User "Red Baron" logs into the Active Directory and logs to Database normally. - > No Watch Event
User "John Doe" logs into the Active Directory but user "John Doe" fails to login to Database. - > Watch event is generated
User "Bill Gates" logs into the Active Directory but user "Bill Gates" fails to login to Database. - > Watch event is generated
I think the main question here is, what does this specific check boil down to in terms of requests and logical checks as part of a watch.
I assume, you are indexing all login attempts, that contain some field that mark this login as successful or failed. I also assume, that users have to log into active directory first before they can log into the database.
So, we basically need two queries to get to our data set.
Get the user ids of all successful LDAP login events in the last n minutes.
Get the user ids of all failed DB login events in the last n minutes.
After we have this, this basically boils down to the user ids, which are in both data sets.
So, a possible solution might be a terms aggregation on the user ids, based on a query for all successful login events in the last n minutes and a terms aggregation on the user ids of failed login events.
These two different queries could be executed by using a chained input.
The comparison and finding out which user ids occur in both datasets can be done with a script in the condition, which compares the search results. If the condition is true, you could trigger an action.
I am sure there are many different ways to do this (and especially to optimize this to have as small queries as possible), but this might be something to get you started.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.