Analyzing apache access logs with elasticsearch Watcher - access-log

I am using the ELK Stack to analyze logs and I need to analyze and detect anomalies of apache access logs. What can I analyze with apache access logs and how should I give the conditions with curl -XPUT to Watcher?

If you haven't found it already, there's a decent tutorial at https://www.elastic.co/guide/en/watcher/watcher-1.0/watch-log-data.html. It provides a basic example of creating a log watch.
You can analyze/watch anything that you can query in Elasticsearch. It's just a matter of formatting the query with the correct JSON syntax. The guide for crafting the conditions is at https://www.elastic.co/guide/en/watcher/watcher-1.0/condition.html.
You'll also want to look at https://www.elastic.co/guide/en/watcher/watcher-1.0/actions.html to get an idea of the possible actions Watcher can take when a query meets a condition.
As far as the post to Watcher, each watch is essentially a JSON object. Because they can get pretty elaborate, I have found that it's best to create a file for each watch you want to create, and post them like this:
curl -XPUT http://my_elasticsearch:9200/_watcher/watch/my_watch_name -d #/path/to/my_watch_name.json
my_watch_name.json should have these basic elements (as described in the first link above):
{
"trigger" : { ... },
"input" : { ... },
"condition" : { ... },
"actions" : { ... }
}
The actions section is going to be specific to your use case, but here's a basic example of the other sections that I'm using successfully:
{
"trigger" : {
"schedule" : { "interval" : "5m" }
},
"input" : {
"search" : {
"request" : {
"indices" : [ "logstash" ],
"body" : {
"query" : {
"filtered" : {
"query" : {
"match" : { "message" : "error" }
},
"filter" : {
"range" : { "#timestamp" : { "gte" : "now-5m" } }
}
}
}
}
}
}
},
"condition" : {
"compare" : { "ctx.payload.hits.total" : { "gt" : 0 } }
},
"actions" : {
...
}
}

Related

Mongo text search with AND operation for multiple words partially enered

{
TypeList" : [
{
"TypeName" : "Carrier"
},
{
"TypeName" : "Not a Channel Member"
},
{
"TypeName" : "Service Provider"
}
]
}
Question :
db.supplies.find("text", {search:"\"chann\" \"mem\""})
For above query I want display :
{
TypeName" : "Not a Channel Member"
}
But I am unable to get my result.
What are changes I have to do in query .
Please help me.
The below query will return your desired result.
db.supplies.aggregate([
{$unwind:"$TypeList"},
{$match:{"TypeList.TypeName":{$regex:/.*chann.*mem.*/,$options:"i"}}},
{$project:{_id:0, TypeName:"$TypeList.TypeName"}}
])
If you can accept to get an output like this:
{
"TypeList" : [
{
"TypeName" : "Not a Channel Member"
}
]
}
then you can get around using the aggregation framework which generally helps performance by running the following query:
db.supplies.find(
{
"TypeList.TypeName": /chann.*mem/i
},
{ // project the list in the following way
"_id": 0, // do not include the "_id" field in the output
"TypeList": { // only include the items from the TypeList array...
$elemMatch: { //... where
"TypeName": /chann.*mem/i // the "TypeName" field matches the regular expression
}
}
})
Also see this link: Retrieve only the queried element in an object array in MongoDB collection

Firebase and Ionic: Best way to return an object in scope

I'm new in Ionic and I have a simple question I think :
Here is my JSON :
"profiles" : {
"wXD7sHme9gSoWXcB799VgzZDDA03" : {
"uid": "wXD7sHme9gSoWXcB799VgzZDDA03",
"languesDispo": [0,2]
}
},
"langues" : {
"anglais" : {
"id" : 0
},
"allemand": {
"id" : 1
},
"espagnol": {
"id" : 2,
}
}
I would like to return in scope an object (or array) with all langues based on the ids in the profiles node at languesDispo.
I would like to know what is the best way to do that, what can I use between
$firebaseArray()
$firebaseObject()
ref.on()
ref.once()
loaded()
I have to admit I'm a little bit confused. Thank you very much for your help!

Multiple level of sections in page_objects in nightwatch.js

I have just started out using nightwatch.js , and I am using page_objects to access elements in my tests. So what I was wondering is there anyway we can have sections within sections in page objects? I know that we can specify one level of section. What I have done is something like this :
module.exports = {
url : 'http://127.0.0.1:8111/local.html#open?view=shelf&lang=en_US',
sections : {
topContainer : {
selector : '.top_container',
elements : {
logo : {
selector : '.logo'
},
settingsButton : {
selector :'.dropdown'
},
searchBox : {
selector : '.search_box'
},
sortOrderButton : {
selector : '.icond'
}
}
},
library : {
selector : '.library',
bookList : {
selector : 'ul.library_container'
}
}
}
};
Can we have sections inside sections , and in case not , how do we select in test case with #variable
client.elements('css selector','#top_container ul.dropdown-menu li', function (result) {
if ( result.value.length == 3 ) {
this.verify.ok(result.value.length, '3 languages loaded');
}
});
Thanks !
The nightwatch.js documentation for "Working With Page Objects" specifies
Note that every command and assertion on a section (other than expect assertions) returns that section for chaining. If desired, you can nest sections under other sections for complex DOM structures.
So , I tried using by hit and try to make the correct json structure , and it works great now :)
Sample code in page_object
sections : {
book_view : {
selector : '.read_book_view',
sections : {
top_container : {
selector : '.top_container',
elements : {
lib_view : {
selector : '.lib_view'
},
toc_link : {
selector : '.dropdown .dropdown-toggle'
},
toc_index : {
selector : '.dropdown .index-dropdown'
},
notes_and_hightlights : {
selector : '.page_access'
},
settings : {
selector : '#settings_b'
},
search : {
selector : '.search_trigger'
},
zoom : {
selector : '.zoom_iconsset'
}
}
}
}
}
}
and referring to them in test cases, like this
var bookSection = bookView.section.book_view;
// Top container
var topSection = bookSection.section.top_container;
topSection.expect.element('#lib_view').to.be.present;
Thanks !

Boosting specific field value in Elastic search

Hi I need to boost the documents based on the on a particular value of a field.. My documents contains a field called Region.. Based on the value present in the region i need to boost my documents..
These are my documents
{
"title":"INOX: Malleshwaram - Mantri Square",
"region":"Bangalore"
}
{
"title":"INOX: Bund Garden Road",
"region":"Pune"
}
{
"title":"INOX: Glomax Mall, Kharghar",
"region":"Mumbai"
}
I have tried to use rescore query in my query which look like this
"rescore" : {
"query" : {
"score_mode":"total",
"query_weight" : 2.5,
"rescore_query_weight" : 0.5,
"rescore_query" : {
"match" : {
"region" : {
"query" : "mumbai",
"slop" : 2
}
}
}
}
}
}
But its not working properly as required..Is there any way to solve this?..
Thanks in advance!
Why rescoring, all you need is boosting. Based on the query type you are using, boosting is possible in
"query_string": {
"fields":["region^56"],
"use_dis_max" : true,
"query": "mumbai"
}
where ^56 is the boosting value.
You can also use as mentioned here http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-boosting-query.html
If you are using the bool query you can use boost like this to boost all queries
{
"bool" : {
"must" : {
"term" : { "region" : "mumbai" }
},
"boost" : 25.0
}
}

How to geo_distance filter against multiple location fields in Elasticsearch

I have an arbitrary # of location data points per document (anywhere up to 80). I want to perform a geo_distance filter against these locations. The elasticsearch docs claim that:
The geo_distance filter can work with multiple locations / points per document.
Once a single location / point matches the filter, the document will be included in the filter.
It's never made clear how to achieve this. I assume that you have to define the # of locations ahead of time, such that your indexed document looks contains these nested fields:
{
"pin" : {
"location" : {
"lat" : 40.12,
"lon" : -71.34
}
}
}
{
"alt_pin" : {
"location" : {
"lat" : 41.12,
"lon" : -72.34
}
}
}
I assume that you would then filter against pin.location and alt_pin.location somehow.
What if I had an arbitrary number of locations (pin1, pin2, pin3, ...)? Can I do something like this:
"pin" : {
"locations" : [{
"lat" : 41.12,
"lon" : -72.34
}, {
"lat" : 41.12,
"lon" : -72.34
}]
}
}
Would some variation on that work? Maybe using geo_hashes instead of lat/lng coordinates?
Multiple location values can be represented as an array of location fields. Try this:
{
"pin": [
{
"location" :{
"lat": 40.12,
"lon": -71.34
}
},
{
"location" :{
"lat": 41.12,
"lon": -72.34
}
}
]
}

Resources