We are actually setting up some security-relevant searches in our
ES database and came across the following case, which I can't manage by
myself:
We want to make a query that checks if an IP address is accessing
different ports in a given amount of time.
So what we basically need to do is make a terms aggregation on a field
called "remote_ip" and match the terms with a filter/query like "port:XXX
AND port:XXY AND port:XXZ", but that query must go over different logs
(port:XXX is in log1, port:XXZ is in log2).
So that query should return all remote_ips that have accessed all 3 ports
in the given time.
I really struggle with these log-spanning searches, because I'm not that
fit in aggregations yet.
The "port:XXX AND port:XXY AND port:XXZ" will give you the results; you can
then agg on IP on top of that.
I'd suggest you install Kibana 4 and then get a table/chart that gives you
the output you want, and then use the inspect functionality (the I on a
panel) to see the query it used to get the data.