So I've been looking around trying to find how to add a graph in Kibana that will query the log database and return the IP addresses of the hosts with the most Denies generated by the firewall. Our firewall sends permit and deny logs to the log relay server, which puts it in a database that is searchable via the Kibana interface. I work in the Information Security department and now I'm tasked every week with finding the five hosts on our network who are being denied by the firewall the most. I found a similar article here: How do I create a stacked graph of HTTP codes in Kibana? Except the solution in the article assumes you know a few of the things you're looking for, such as HTTP codes. I'm not going to try to add every address (20000+ active) we have to the query, so I need to find a query and graph that will find the top 5 talkers for me and compare the number of Deny logs associated with them. Can this be done in Kibana? Go easy on me, this is my first post and I'm a newbie with Kibana.

Thanks!

Gabe
  • Sounds difficult to do with Kibana's histogram. I haven't tried it, but you might see if you can get ES to build a [terms facet](http://www.elasticsearch.org/guide/en/kibana/current/_terms.html), or see if you can get running with Logstash and [statsd](http://logstash.net/docs/1.4.2/outputs/statsd). – rutter Sep 12 '14 at 00:09

1 Answer

This may be what you want:

You can create queries that will find the two kinds of messages you want to count instances of (for example message_type:permit or message_type:deny).

You can then create two terms panels with the IP address field and tell each to use a different query.

Now that you've got the two panels, you can see your top talkers and your top denies.

You can add in an event table at the bottom tied to the deny query that will show you the specific events associated with the deny query. Your term panel can be used to filter down to look at a specific IP's DENYs.

Alcanzar
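The answer's terms panel is, underneath, a "top N values of one field, restricted to documents matching a query" request to Elasticsearch. The script below is an added example, not the answerer's code or anything from Kibana itself: it builds the equivalent Elasticsearch request body (a `query_string` filter plus a `terms` aggregation, which assumes an Elasticsearch version with the aggregations API) and computes the same top-5 list locally over a small constructed set of firewall events, so you can sanity-check what the panel should show. The field names `message_type` and `src_ip` are assumptions; use whatever your log relay actually indexes.

```python
from collections import Counter

# Constructed sample firewall events, shaped roughly like what a log relay
# might index (assumed field names; not data from the question).
# Each tuple: (source IP, message type, number of events to generate).
_SPEC = [
    ("10.0.0.5", "deny", 7),
    ("10.0.0.9", "deny", 5),
    ("10.0.1.2", "deny", 4),
    ("10.0.1.3", "deny", 3),
    ("10.0.2.8", "deny", 2),
    ("10.0.3.1", "deny", 1),
    ("10.0.0.5", "permit", 2),
    ("10.0.4.4", "permit", 9),
]
SAMPLE_EVENTS = [
    {"src_ip": ip, "message_type": kind}
    for ip, kind, n in _SPEC
    for _ in range(n)
]


def top_talkers_query(message_type, ip_field="src_ip", size=5):
    """Elasticsearch request body equivalent to a terms panel bound to one query.

    - query_string is the same Lucene-style filter the answer suggests
      (e.g. message_type:deny).
    - the terms aggregation returns the `size` most frequent values of
      ip_field among the matching documents, with their counts.
    - size: 0 suppresses the raw hits; only the bucket counts come back.
    """
    return {
        "size": 0,
        "query": {"query_string": {"query": f"message_type:{message_type}"}},
        "aggs": {"top_ips": {"terms": {"field": ip_field, "size": size}}},
    }


def top_talkers_local(events, message_type, ip_field="src_ip", size=5):
    """Compute the same ranking locally: count events of one type per IP
    and return the top `size` as (ip, count) pairs, highest first."""
    counts = Counter(
        e[ip_field] for e in events
        if e.get("message_type") == message_type and ip_field in e
    )
    return counts.most_common(size)


if __name__ == "__main__":
    import json
    print(json.dumps(top_talkers_query("deny"), indent=2))
    # The weekly report: five hosts most often denied by the firewall.
    for ip, n in top_talkers_local(SAMPLE_EVENTS, "deny"):
        print(f"{ip:15} {n} denies")
```

Run as-is to see the request body and the local ranking; to use it against a live cluster, POST the body returned by `top_talkers_query("deny")` to your index's `_search` endpoint and read `aggregations.top_ips.buckets`. A second call with `"permit"` gives the other panel from the answer.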