How to compare two source IPs from two different specific logs in Elasticsearch

Problem description

In Elasticsearch, I want to compare two logs (nat log and Gateway log) with a DSL query.

In the nat log there is srcip1, and in the gateway log there is srcip2.

If the condition srcip1 === srcip2 is satisfied, I want to show "agent.id" in the result.

Along with that, I am including the related query that I have already made:

{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "location": "\\Users\\Saad\\Desktop\\nat.log"
          }
        },
        {
          "match": {
            "location": "\\Users\\Saad\\Desktop\\attendance-logs-with-ports.log"
          }
        }
      ],
      "must": [
        {
          "term": {
            "data.srcip": "1.1.1.1"
          }
        }
      ]
    }
  },
  "fields": [
    "data.srcip1"
  ],
  "_source": false
}

I have tried many approaches, but none of them worked.

Solution

To show a summary of your data you use aggregations. If you want to compare the different agents by log type for a certain IP, the query would be like this:

Ingest data

POST test_saad/_doc
{
  "location": "\\Users\\Saad\\Desktop\\nat.log",
  "data": {
    "srcip1": "1.1.1.1"
  },
  "agent": {
    "id": "agent_1"
  }
}

POST test_saad/_doc
{
  "location": "\\Users\\Saad\\Desktop\\attendance-logs-with-ports.log",
  "data": {
    "srcip2": "1.1.1.1"
  },
  "agent": {
    "id": "agent_1"
  }
}

POST test_saad/_doc
{
  "location": "\\Users\\Saad\\Desktop\\nat.log",
  "agent": {
    "id": "agent_2"
  }
}

Request

POST test_saad/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {
          "bool": {
            "should": [
              {
                "term": {
                  "data.srcip1.keyword": "1.1.1.1"
                }
              },
              {
                "term": {
                  "data.srcip2.keyword": "1.1.1.1"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "bool": {
            "should": [
              {
                "term": {
                  "location.keyword": """\Users\Saad\Desktop\nat.log"""
                }
              },
              {
                "term": {
                  "location.keyword": """\Users\Saad\Desktop\attendance-logs-with-ports.log"""
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  },
  "aggs": {
    "log_types": {
      "terms": {
        "field": "location.keyword",
        "size": 10
      },
      "aggs": {
        "agent_types": {
          "terms": {
            "field": "agent.id.keyword",
            "size": 10
          }
        }
      }
    }
  }
}

Response

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 3,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "log_types" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : """\Users\Saad\Desktop\nat.log""",
          "doc_count" : 2,
          "agent_types" : {
            "doc_count_error_upper_bound" : 0,
            "buckets" : [
              {
                "key" : "agent_1",
                "doc_count" : 1
              },
              {
                "key" : "agent_2",
                "doc_count" : 1
              }
            ]
          }
        },
        {
          "key" : """\Users\Saad\Desktop\attendance-logs-with-ports.log""",
          "doc_count" : 1,
          "agent_types" : {
            "doc_count_error_upper_bound" : 0,
            "buckets" : [
              {
                "key" : "agent_1",
                "doc_count" : 1
              }
            ]
          }
        }
      ]
    }
  }
}
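The answer's aggregation tells you, for one IP, which agents appear in which log; it does not join the two logs on IP inside Elasticsearch, because a single search cannot compare a field in one document with a field in another. The example below is added here and is not code from the question or the answer. It builds the answer's request body for any IP and any set of log locations, reproduces the aggregation client-side, and then does the join the question actually asks for (srcip1 in the nat log equal to srcip2 in the gateway log, reporting the agent ids involved). It runs offline on constructed hits shaped like the documents the answer ingests; the extra agent_3 documents and the `build_query`, `agents_by_log_type` and `agents_seen_in_both_logs` names are assumptions for the illustration. In a real deployment the hits would come from `_search` with `"size"` large enough (or a scroll/PIT) to cover both logs.

```python
"""Correlate source IPs across a NAT log and a gateway log and attribute them to agents.

Added example, not part of the original question or answer. It assumes the
document shape used in the answer: `location`, `data.srcip1` (nat log) /
`data.srcip2` (gateway log) and `agent.id`. Nothing here talks to a cluster;
`build_query` only returns the request body.
"""
from collections import defaultdict

NAT_LOG = r"\Users\Saad\Desktop\nat.log"
GATEWAY_LOG = r"\Users\Saad\Desktop\attendance-logs-with-ports.log"

# Constructed sample hits (the `_source` of the three documents from the
# answer plus an agent_3 pair whose IPs do NOT line up across the two logs).
SAMPLE_HITS = [
    {"location": NAT_LOG, "data": {"srcip1": "1.1.1.1"}, "agent": {"id": "agent_1"}},
    {"location": GATEWAY_LOG, "data": {"srcip2": "1.1.1.1"}, "agent": {"id": "agent_1"}},
    {"location": NAT_LOG, "agent": {"id": "agent_2"}},  # no srcip at all
    {"location": NAT_LOG, "data": {"srcip1": "10.0.0.5"}, "agent": {"id": "agent_3"}},
    {"location": GATEWAY_LOG, "data": {"srcip2": "10.0.0.9"}, "agent": {"id": "agent_3"}},
]


def build_query(ip, locations=(NAT_LOG, GATEWAY_LOG)):
    """Return the answer's request body, parameterised by IP and log locations.

    `term` on the `.keyword` sub-field gives an exact match; a `match` on the
    analysed `location` field would tokenise the path and over-match.
    """
    return {
        "size": 0,  # only the aggregation buckets are wanted, not the hits
        "query": {"bool": {"must": [
            {"bool": {"should": [
                {"term": {"data.srcip1.keyword": ip}},
                {"term": {"data.srcip2.keyword": ip}},
            ], "minimum_should_match": 1}},
            {"bool": {"should": [
                {"term": {"location.keyword": loc}} for loc in locations
            ], "minimum_should_match": 1}},
        ]}},
        "aggs": {"log_types": {
            "terms": {"field": "location.keyword", "size": 10},
            "aggs": {"agent_types": {"terms": {"field": "agent.id.keyword", "size": 10}}},
        }},
    }


def source_ip(hit):
    """Source IP of a hit regardless of which log it came from, or None."""
    data = hit.get("data", {})
    return data.get("srcip1") or data.get("srcip2")


def agents_by_log_type(hits, ip):
    """Client-side equivalent of the answer's aggregation: {location: {agent_id: count}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for hit in hits:
        if source_ip(hit) == ip:
            buckets[hit["location"]][hit["agent"]["id"]] += 1
    return {loc: dict(agents) for loc, agents in buckets.items()}


def agents_seen_in_both_logs(hits):
    """The join the question asks for.

    For every IP that occurs as srcip1 in the nat log AND as srcip2 in the
    gateway log, return the sorted agent ids seen with it in either log.
    IPs present in only one of the two logs are dropped.
    """
    nat_agents = defaultdict(set)
    gw_agents = defaultdict(set)
    for hit in hits:
        data = hit.get("data", {})
        agent = hit["agent"]["id"]
        if hit["location"] == NAT_LOG and "srcip1" in data:
            nat_agents[data["srcip1"]].add(agent)
        elif hit["location"] == GATEWAY_LOG and "srcip2" in data:
            gw_agents[data["srcip2"]].add(agent)
    shared = nat_agents.keys() & gw_agents.keys()
    return {ip: sorted(nat_agents[ip] | gw_agents[ip]) for ip in shared}


if __name__ == "__main__":
    print(agents_by_log_type(SAMPLE_HITS, "1.1.1.1"))
    print(agents_seen_in_both_logs(SAMPLE_HITS))
```

With the sample hits, `agents_by_log_type(SAMPLE_HITS, "1.1.1.1")` yields one agent_1 bucket per log, which is what the answer's aggregation reports for that IP, while `agents_seen_in_both_logs` returns only `1.1.1.1 -> agent_1`: agent_2 has no source IP and agent_3's two IPs differ between the logs, so neither satisfies srcip1 == srcip2.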