Hey guys, we are actually setting up some security-relevant searches in our ES database and came across the following case, which I can't get managed by myself:

We want to make a query that checks if an IP address is accessing different ports in a given amount of time. So what we basically need to do is make a terms aggregation on a field called "remote_ip" and match the terms with a filter/query like "port:XXX AND port:XXY AND port:XXZ", but that query must go over different logs (port:XXX is in log1, port:XXZ is in log2). So that query should return all remote_ips that have accessed all 3 ports in the given time. I really struggle with these log-comprehensive searches, because I'm not that fit in aggregation yet. Some tips would be really appreciated. Thanks

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/220ed49b-5cf6-45cf-879b-10acecacc36e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
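One way to express the search described above, as an added example that is not part of the original post: a terms aggregation on remote_ip with a cardinality sub-aggregation over the watched ports and a bucket_selector that keeps only the IPs that hit all of them, sent to both log indices in one request (e.g. GET /log1,log2/_search) so the match spans logs. Assumptions: both logs share the field names remote_ip and port with the same mapping, a @timestamp field carries the event time, and the sample documents are constructed here to show the expected result offline.

```python
# Added example: builds the Elasticsearch query-DSL body for the question and
# evaluates the same logic offline over constructed sample docs. "@timestamp" is assumed.
WATCHED_PORTS = [22, 80, 443]           # the XXX/XXY/XXZ ports from the post

def build_query(ports, window="now-15m", size=1000):
    """Terms aggregation on remote_ip; keep only buckets whose distinct watched-port
    count reaches len(ports). cardinality is approximate in general, but exact for a
    handful of values (far below the default precision_threshold)."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"terms": {"port": ports}},                    # only the watched ports
            {"range": {"@timestamp": {"gte": window}}},    # the time window
        ]}},
        "aggs": {"by_ip": {
            "terms": {"field": "remote_ip", "size": size},
            "aggs": {
                "distinct_ports": {"cardinality": {"field": "port"}},
                "all_ports_hit": {"bucket_selector": {
                    "buckets_path": {"n": "distinct_ports"},
                    "script": f"params.n >= {len(ports)}",
                }},
            },
        }},
    }

def ips_with_all_ports(docs, ports):
    """Offline equivalent of the aggregation: IPs that touched every port in ports,
    regardless of which log each hit came from."""
    wanted = set(ports)
    seen = {}
    for d in docs:
        if d["port"] in wanted:
            seen.setdefault(d["remote_ip"], set()).add(d["port"])
    return sorted(ip for ip, p in seen.items() if p == wanted)

# Constructed sample documents, as if taken from two different logs.
SAMPLE_DOCS = [
    {"log": "log1", "remote_ip": "203.0.113.5", "port": 22},
    {"log": "log2", "remote_ip": "203.0.113.5", "port": 80},
    {"log": "log2", "remote_ip": "203.0.113.5", "port": 443},
    {"log": "log1", "remote_ip": "198.51.100.9", "port": 22},
    {"log": "log2", "remote_ip": "198.51.100.9", "port": 80},
    {"log": "log1", "remote_ip": "192.0.2.77", "port": 8080},
]

if __name__ == "__main__":
    print(ips_with_all_ports(SAMPLE_DOCS, WATCHED_PORTS))   # ['203.0.113.5']
```

The bucket_selector only filters buckets the terms aggregation returned, so size must be large enough to cover the IPs active in the window, or the same check should be moved to a composite aggregation and paginated.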
