Hello guys,
I'm new here and I discovered the ELK stack a few days ago. I managed to parse all my webserver logs and now I'm having fun with Elasticsearch to perform some research.
Right now I have a query idea but I really don't know how I can do it, mostly because I'm not familiar with the Elasticsearch vocabulary so it's difficult for me to search the right stuff.
In my logs and Elasticsearch DB, I have a field for the visitor IP address and another field for the webserver name. I have multiple servers and I want to find all IPs that visit at least 2 websites hosted on different servers.
The idea is to detect all IPs accessing different servers within a reasonable period of time. I think it's interesting from a security point of view because I'm pretty sure I'll find a lot of server scans.
Is it possible to do such things with ES? How can I do that? (How is this called at least? Like I said, I'm not familiar with the vocabulary of ES yet.)
Thanks in advance,
Have a great day,
Alexis
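One way to express the detection described in the post, added here as an example and not part of the original thread: a `terms` aggregation on the client IP with a `cardinality` sub-aggregation on the server name and a `bucket_selector` that keeps only IPs seen on at least two servers inside a time window, plus the same logic evaluated locally over constructed sample records. The field names `clientip`, `server` and `@timestamp` are assumptions; rename them to match your index mapping.

```python
"""Added example: Elasticsearch aggregation for "one IP, several webservers",
plus an offline equivalent over constructed records. Field names are assumed."""
from collections import defaultdict


def multi_server_ip_query(min_servers=2, window="1h", max_ips=1000):
    """Build the ES request body. `server` must be a keyword field."""
    return {
        "size": 0,  # hits are not needed, only the aggregation buckets
        "query": {"range": {"@timestamp": {"gte": f"now-{window}"}}},
        "aggs": {
            "by_ip": {
                # order buckets by the sub-aggregation so the IPs touching
                # the most servers come first instead of the noisiest ones
                "terms": {"field": "clientip", "size": max_ips,
                          "order": {"servers": "desc"}},
                "aggs": {
                    # cardinality is approximate (HyperLogLog++) but exact
                    # for counts far below the default precision_threshold
                    "servers": {"cardinality": {"field": "server"}},
                    "multi_server": {
                        "bucket_selector": {
                            "buckets_path": {"n": "servers"},
                            "script": f"params.n >= {min_servers}",
                        }
                    },
                },
            }
        },
    }


def multi_server_ips(records, min_servers=2):
    """Offline equivalent of the aggregation: IP -> set of servers hit."""
    seen = defaultdict(set)
    for r in records:
        seen[r["clientip"]].add(r["server"])
    return sorted(ip for ip, s in seen.items() if len(s) >= min_servers)


# Constructed sample records (assume the time-window filter already applied).
SAMPLE = [
    {"clientip": "203.0.113.5", "server": "web1"},
    {"clientip": "203.0.113.5", "server": "web2"},
    {"clientip": "203.0.113.5", "server": "web3"},
    {"clientip": "198.51.100.9", "server": "web1"},
    {"clientip": "198.51.100.9", "server": "web1"},
    {"clientip": "192.0.2.77", "server": "web2"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(multi_server_ip_query(), indent=2))
    print(multi_server_ips(SAMPLE))  # ['203.0.113.5']
```

Send the body to `POST <index>/_search`; the `by_ip` buckets that survive the selector are the IPs to look at, and raising `min_servers` or shrinking `window` tightens the filter.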