Hey guys,

we are actually setting up some security-relevant searches in our 
ES database and came over the following case, which I don't get managed by 
myself:

We want to make a query that checks if an IP address is accessing 
different ports in a given amount of time.

So what we basically need to do is make a terms aggregation on a field 
called "remote_ip" and match the terms with a filter/query like "port:XXX 
AND port:XXY AND port:XXZ", but that query must go over different logs 
(port:XXX is in log1, port:XXZ is in log2).

So that query should return all remote_ips that have accessed all 3 ports 
in the given time.

I really struggle with those log-comprehensive searches, because I'm not that 
fit in aggregations yet.

Some tips would be really appreciated.

Thanks
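One way to express the rule described in the post, as an added example that is not part of the original message or of Elasticsearch itself: a single document only ever carries one port, so `port:XXX AND port:XXY` can never match; instead the query filters to the watched ports with `terms`, buckets by `remote_ip`, counts distinct ports per bucket and keeps only buckets that reached every port. The `@timestamp` field name, the numeric `port` mapping and the `log*` index pattern spanning log1 and log2 are assumptions; the second function re-implements the same rule over constructed in-memory events so the logic can be checked offline.

```python
import json
from collections import defaultdict

def build_query(ports, start, end):
    """Elasticsearch query DSL: terms agg on remote_ip, limited to the watched
    ports and time window; a cardinality sub-agg counts distinct ports per IP
    and a bucket_selector keeps only IPs that touched all of them.
    Run it against an index pattern covering every log (e.g. log*, assumed)."""
    return {
        "size": 0,  # only the aggregation result is needed, not the hits
        "query": {"bool": {"filter": [
            {"terms": {"port": list(ports)}},            # any of the watched ports
            {"range": {"@timestamp": {"gte": start, "lte": end}}},  # assumed field
        ]}},
        "aggs": {"by_ip": {
            "terms": {"field": "remote_ip", "size": 1000},
            "aggs": {
                "distinct_ports": {"cardinality": {"field": "port"}},
                "all_ports": {"bucket_selector": {
                    "buckets_path": {"n": "distinct_ports"},
                    "script": f"params.n == {len(ports)}",
                }},
            },
        }},
    }

def ips_hitting_all_ports(events, ports, start, end):
    """Reference implementation of the same rule over event dicts
    (remote_ip, port, @timestamp as ISO-8601 strings) for offline checking."""
    seen = defaultdict(set)
    for e in events:
        if e["port"] in ports and start <= e["@timestamp"] <= end:
            seen[e["remote_ip"]].add(e["port"])
    return sorted(ip for ip, hit in seen.items() if hit == set(ports))

# Constructed sample events standing in for documents from two different logs.
SAMPLE_EVENTS = [
    {"log": "log1", "remote_ip": "203.0.113.5", "port": 22, "@timestamp": "2024-01-01T10:00:00"},
    {"log": "log2", "remote_ip": "203.0.113.5", "port": 443, "@timestamp": "2024-01-01T10:01:00"},
    {"log": "log2", "remote_ip": "203.0.113.5", "port": 3389, "@timestamp": "2024-01-01T10:02:00"},
    {"log": "log1", "remote_ip": "198.51.100.7", "port": 22, "@timestamp": "2024-01-01T10:00:30"},
    {"log": "log2", "remote_ip": "198.51.100.7", "port": 443, "@timestamp": "2024-01-01T10:03:00"},
    {"log": "log2", "remote_ip": "198.51.100.7", "port": 3389, "@timestamp": "2024-01-01T12:00:00"},  # outside window
]

if __name__ == "__main__":
    window = ("2024-01-01T10:00:00", "2024-01-01T11:00:00")
    print(json.dumps(build_query([22, 443, 3389], *window), indent=2))
    print(ips_hitting_all_ports(SAMPLE_EVENTS, [22, 443, 3389], *window))
```

The cardinality aggregation is approximate, but for a handful of ports it is exact in practice; if the window should slide rather than be fixed, wrap the same sub-aggregations in a date_histogram under by_ip.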
