I think this should be within my grasp, but I don't seem to be able to create a search that returns what I'm looking for.
I'm trying to return from syslog any IP address that hits a specific port (say 12345), but also attempts connecting to any other ports other than 12345. In my scenario, a well-behaved host should exclusively connect to port 12345 and nothing else.
What I'm coming up with either returns no results or only results matching DPT=12345; it does not return anything in between.
Thanks
Hi @lucamarc,
how about something along those lines.
As you didn't provide any example log data, I'm not sure how your logs look like. --> This is pseudo-code.
index=whatever DPT=* | eval port_type=if(DPT=="12345", "Normal", "Other") | stats values(DPT) by IP, port_type
Thanks @pyro_wood, I probably didn't explain this very well. I think that what you suggested is returning every host that ever attempted a connection, no matter if it never attempted connecting to port 12345.
I'm only interested in (the very few) IPs that both:
1. connect (or attempt to connect) to port 12345 AND
2. attempted connecting to a different port (any other port)
I'm collecting logs from Ubuntu 18.04 LST servers. This is the query I tried, based on your suggestion:
index="syslog" DPT=* | eval port_type=if(DPT=="12345", "Normal", "Abuser") | stats values(DPT) by SRC, port_type