I have a squid proxy log that I want to mine for persistent connections from my client workstations to the internet (i.e. TeamViewer, GoToMyPC, spyware C&C, etc.).
Looking to do a search to determine if clients connect to the same URL or IP address during each 1 hour period of the prior 24 hours.
I have started with this query:
index=proxy | bucket _time span=1h | stats count by _time,user,url | sort - user
This gives me a list of all URLs by user by count. I think I need to then search this query for all occurrences by user by hour for each URL to determine if they are in all 24 hour periods.
Suggestions? Thoughts? Thanks
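The logic the question is after, rendered in Python over constructed squid access.log lines rather than in SPL (an added example, not part of the original post): bucket each event into its hour, collect the set of hourly buckets per (user, destination host), and flag only the pairs that appear in every one of the 24 buckets ending at the newest event. It assumes squid's default native log format with the username in the rfc931 column; the hosts, users and timestamps are made up.

```python
import re
from collections import defaultdict

HOUR = 3600
# Native squid access.log layout (assumption: default logformat; the username is in the rfc931 column):
#   timestamp elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)\s+(?P<user>\S+)(?:\s|$)"
)

def host_of(url):
    """Reduce a logged URL to its host so every path under one host counts as one destination."""
    if "://" in url:                      # http://host/path -> host
        url = url.split("://", 1)[1].split("/", 1)[0]
    return url.split(":", 1)[0].lower()   # CONNECT tunnels are logged as host:port

def hourly_buckets(lines):
    """(user, host) -> set of hour-bucket start times; the SPL equivalent is bucket _time span=1h | stats by _time,user,url."""
    seen = defaultdict(set)
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue                      # skip malformed lines instead of aborting the sweep
        bucket = int(float(m["ts"])) // HOUR * HOUR
        seen[(m["user"], host_of(m["url"]))].add(bucket)
    return seen

def persistent_pairs(lines, window_hours=24):
    """Return (user, host) pairs present in every hourly bucket of the window ending at the newest event."""
    seen = hourly_buckets(lines)
    if not seen:
        return []
    end = max(max(hours) for hours in seen.values())
    expected = {end - i * HOUR for i in range(window_hours)}
    return sorted(pair for pair, hours in seen.items() if expected <= hours)

# Constructed sample log: alice beacons hourly for 24 h, bob bursts 30 hits inside one hour,
# carol's CONNECT tunnel shows up in 23 of 24 hours (a high count alone is not persistence).
BASE = 1700000000 - 1700000000 % HOUR
def _line(ts, user, method, url):
    return f"{ts}.000    120 10.0.0.5 TCP_MISS/200 512 {method} {url} {user} HIER_DIRECT/198.51.100.7 text/plain"

SAMPLE_LOG = (
    [_line(BASE + h * HOUR + 37, "alice", "GET", f"http://beacon.example/ping?id={h}") for h in range(24)]
    + [_line(BASE + 5 * HOUR + i, "bob", "GET", "http://news.example/feed") for i in range(30)]
    + [_line(BASE + h * HOUR + 5, "carol", "CONNECT", "remote.example:443") for h in range(24) if h != 11]
)

if __name__ == "__main__":
    for user, host in persistent_pairs(SAMPLE_LOG):
        print(f"persistent: {user} -> {host}")   # prints: persistent: alice -> beacon.example
```

Keying on the host rather than the full URL is deliberate: a beacon that varies its query string would otherwise never land in the same group twice.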