Hi.
everyone.Please forgive my English level.I hope my description of the problem is clear enough.I have a lot of indexes to store different types of events, for example :
`index=nginx `、`index=firewall`、`index=apache`、`index=vpn`、`index=waf`
Each index has a very large amount of log.Some indexes have 10 million logs a day.
For different indexes. I created a lot of alert.
For the Apache and nginx logs, I created the Web Attack Alert. for the firewall logs , I created the Port Scan alert. etc..
When trigger alarm. It will output results.
I hope it can output the results into a new index (index=attack_info).
so , I used the summary index to solve the problem. But I found that summary index has a lot of bug。
1、There are a lot of duplicate events in summary index,I don't know why, the summary index will have duplicate events, and I'll make sure that the original event is not repeated ,(For example, there are no duplicate events in indexes such as nginx and Apache)
2、Sometimes, after the alarm is triggered, it doesn't necessarily write exactly to summary index (I'm sure the result is not empty)。That is to say, sometimes it doesn't write the results to summary index
3、The third question is a silly question. I'd like to ask if the summary index is for the report or for the alert? In Web UI - >settings - >Searches, reports, and alert, I choose an alert, and then enable summary indexing。Then I clicked on "Alerts" on the navigation bar,
that alert has disappeared, but that alert appears in “Reports”. why ? Why does it transfer from alerts to reports when I enable the summary index?
ok...So there are a lot of flaws in the summary index, and I don't think it can meet my needs.
I hope that the results of each triggered alert can be output to a new index( for example: index=attack_info). Then I can use `index=attack_info` to search for all the attack results.Because I need to create monthly report every month,monthly report will show the last month of attack information.So, I can't search from every index (`index=nginx` or `index=apache` or `index=firewall`),Because their log volume is very large, so the search is very, very very very very slow.
If there is two alerts:
`index=nginx sourcetype=nginx_access| eval result=case(match(uri,"Jmx-console"),"Jboss Attack",match(uri,"/manager/html"),"Tomcat attack",match(uri,"_memberAccess"),"Struts2 Attack") |where result!=""|table _time scan_ip uri user_agent status_code result`
`index=firewall "Port scan attack:drop!" |table _time attack_ip dst_ip dst_port`
then at the zero of every day,Use the above search statement to filter the events of the previous day.Then it writes the result to the "attack_info" index.
Well, is there a better way to meet my needs, whether using a report or an alert?.
If you can tell me every step, I will thank you very much.Because I'm a Splunk newbie
↧