ES comprehensive searches over different logs

Hey guys,

we are actually setting up some security-relevant searches in our
ES database and came across the following case, which I can't manage to
solve myself:

We want to make a query that checks whether an IP address is accessing
different ports in a given amount of time.

So what we basically need to do is make a terms aggregation on a field
called "remote_ip" and match the terms with a filter/query like "port:XXX
AND port:XXY AND port:XXZ", but that query must go over different logs
(port:XXX is in log1, port:XXZ is in log2).

So that query should return all remote_ips that have accessed all 3 ports
in the given time.

I really struggle with these log-comprehensive searches, because I'm not
that fit in aggregations yet.

Some tips would be really appreciated.

Thanks

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/220ed49b-5cf6-45cf-879b-10acecacc36e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

The "port:XXX AND port:XXY AND port:XXZ" will give you the results; you can
then agg on IP on top of that.

I'd suggest you install Kibana4 and then get a table/chart that gives you
the output you want and then use the inspect functionality (the I on a
panel) to see the query it used to get the data.

On 6 March 2015 at 22:32, horst knete baduncle23@hotmail.de wrote:


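The search the thread is asking for, as an added example (this is not the poster's query and not code from the Elasticsearch project). Each log event carries a single port value, so the "all three ports" condition cannot be expressed as a query on one document; the query instead filters to events that hit any watched port inside the time window, buckets them by remote_ip with a terms aggregation, and counts distinct ports per bucket with a cardinality sub-aggregation, and the client keeps the buckets whose distinct-port count equals the number of watched ports. The example assumes the two logs are separate indices queried in one request (for instance POST /log1,log2/_search), that both use the field names remote_ip, port and @timestamp, that @timestamp holds ISO 8601 dates, and that the cluster supports the cardinality aggregation; ports 22, 80 and 443 stand in for the thread's XXX/XXY/XXZ, and the sample events are constructed for the offline replay.

```python
"""Added example: 'one remote_ip touched all of these ports inside a window'
as an Elasticsearch terms + cardinality aggregation, with an offline replay
over constructed events so the logic can be checked without a cluster.
Assumptions (not stated in the thread): both logs are indices that share the
field names remote_ip / port / @timestamp, and @timestamp is ISO 8601."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WATCHED_PORTS = (22, 80, 443)  # stand-ins for the thread's XXX / XXY / XXZ


def build_query(ports, window_start, window_end, max_ips=1000):
    """Search body to POST against both indices at once (e.g. /log1,log2/_search).
    Filter to events on any watched port inside the window, then bucket by
    remote_ip and count distinct ports per bucket. The per-IP 'all ports'
    test happens on the aggregation result, not in the query string."""
    return {
        "size": 0,  # hits are not needed, only the aggregation
        "query": {"bool": {"filter": [
            {"terms": {"port": list(ports)}},
            {"range": {"@timestamp": {"gte": window_start.isoformat(),
                                       "lt": window_end.isoformat()}}},
        ]}},
        "aggs": {"by_ip": {
            "terms": {"field": "remote_ip", "size": max_ips},
            "aggs": {"distinct_ports": {"cardinality": {"field": "port"}}},
        }},
    }


def ips_hitting_all_ports(response, ports):
    """Keep only remote_ips whose bucket saw every watched port. cardinality is
    a HyperLogLog estimate, but it is exact for counts this far below the
    default precision threshold, so an equality test is safe here."""
    buckets = response["aggregations"]["by_ip"]["buckets"]
    return sorted(b["key"] for b in buckets
                  if b["distinct_ports"]["value"] == len(ports))


def replay(events, ports, window_start, window_end):
    """Offline stand-in for the cluster: applies the same filter and aggregation
    to an in-memory event list and returns a response shaped like the real
    one, so ips_hitting_all_ports() works on either."""
    seen = defaultdict(set)       # remote_ip -> distinct ports in window
    doc_count = defaultdict(int)  # remote_ip -> matching events in window
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"])
        if ev["port"] in ports and window_start <= ts < window_end:
            seen[ev["remote_ip"]].add(ev["port"])
            doc_count[ev["remote_ip"]] += 1
    buckets = [{"key": ip, "doc_count": doc_count[ip],
                "distinct_ports": {"value": len(p)}} for ip, p in seen.items()]
    return {"aggregations": {"by_ip": {"buckets": buckets}}}


WINDOW_START = datetime(2015, 3, 6, 22, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(minutes=10)

# Constructed sample events; "index" marks which log each one came from.
# 10.0.0.5 hits all three ports across both logs inside the window,
# 10.0.0.9 hits only two, 10.0.0.7 hits the third port after the window.
SAMPLE_EVENTS = [
    {"index": "log1", "@timestamp": "2015-03-06T22:01:00+00:00", "remote_ip": "10.0.0.5", "port": 22},
    {"index": "log1", "@timestamp": "2015-03-06T22:01:30+00:00", "remote_ip": "10.0.0.5", "port": 22},
    {"index": "log1", "@timestamp": "2015-03-06T22:02:00+00:00", "remote_ip": "10.0.0.5", "port": 80},
    {"index": "log2", "@timestamp": "2015-03-06T22:03:00+00:00", "remote_ip": "10.0.0.5", "port": 443},
    {"index": "log1", "@timestamp": "2015-03-06T22:04:00+00:00", "remote_ip": "10.0.0.9", "port": 22},
    {"index": "log1", "@timestamp": "2015-03-06T22:04:10+00:00", "remote_ip": "10.0.0.9", "port": 80},
    {"index": "log1", "@timestamp": "2015-03-06T22:05:00+00:00", "remote_ip": "10.0.0.7", "port": 22},
    {"index": "log1", "@timestamp": "2015-03-06T22:05:30+00:00", "remote_ip": "10.0.0.7", "port": 80},
    {"index": "log2", "@timestamp": "2015-03-06T22:40:00+00:00", "remote_ip": "10.0.0.7", "port": 443},
]

if __name__ == "__main__":
    print(json.dumps(build_query(WATCHED_PORTS, WINDOW_START, WINDOW_END), indent=2))
    resp = replay(SAMPLE_EVENTS, WATCHED_PORTS, WINDOW_START, WINDOW_END)
    print(ips_hitting_all_ports(resp, WATCHED_PORTS))
```

The replay flags only 10.0.0.5: the repeated port 22 events are collapsed by the distinct count, 10.0.0.9 never reaches the third port, and 10.0.0.7's port 443 event is cut off by the range filter. Two caveats worth keeping in mind when turning this into a scheduled detection: the window is a fixed range, so a sweep straddling two consecutive runs is split in half (overlap the runs or widen the range), and the terms aggregation's size caps how many source IPs are bucketed, so a busy sensor may need a larger size or a per-IP filter on top.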