Выведем все запросы с IP 139.162.229.202 за последние 7 дней (окно задано в запросе ниже).
Идём в Kibana, добавляем соответствующие фильтры и копируем JSON-запрос (Inspect → Request).
Правим JSON-запрос под себя. Обратите внимание: в нём жёстко заданы окно в 7 дней, фильтр по remote_addr и ограничение size: 5000 — если попаданий больше, ответ будет молча обрезан (нужен scroll/search_after).
{
"size": 5000,
"version": true,
"script_fields": {},
"stored_fields": [
"*"
],
"runtime_mappings": {},
"_source": true,
"query": {
"bool": {
"must": [],
"filter": [
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "now-7d",
"lte": "now"
}
}
},
{
"match_phrase": {
"remote_addr": "139.162.229.202"
}
}
],
"should": [],
"must_not": [
{
"match_phrase": {
"error.type": "json"
}
}
]
}
}
}
PHP-скрипт (учётные данные Elasticsearch в нём захардкожены для примера — в рабочем варианте вынесите пароль в окружение и используйте read-only роль вместо суперпользователя elastic).
<?php
require_once '/opt/web/vendor/autoload.php';
use Elasticsearch\ClientBuilder;
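class find {
    /** Connection description handed to ClientBuilder::setHosts(). */
    private $hosts;
    /** Elasticsearch client built in init(). */
    private $client;
    /** Index pattern that is searched. */
    private $index_id;
    /** Request path of the hit currently being printed. */
    private $req;

    /**
     * Address searched for when init() is called without an argument,
     * kept so the existing `$find->init();` call keeps its behaviour.
     */
    const DEFAULT_IP = '139.162.229.202';

    /** Hard cap on hits returned by one plain search (no scroll/search_after). */
    const PAGE_SIZE = 5000;

    /**
     * Build the search body: all documents from $ip in the last 7 days,
     * excluding hits whose error.type is "json".
     *
     * The address is put into a PHP array and json_encode()d rather than
     * spliced into a JSON string literal, so a value containing quotes or
     * braces cannot change the shape of the query.
     *
     * @param string $ip  IPv4/IPv6 address as logged in remote_addr.
     * @return string     JSON request body.
     */
    public static function build_query($ip)
    {
        $body = [
            'size' => self::PAGE_SIZE,
            'version' => true,
            // (object) [] encodes as {} — an empty PHP array would become []
            // and Elasticsearch rejects that for these object-valued keys.
            'script_fields' => (object) [],
            'stored_fields' => ['*'],
            'runtime_mappings' => (object) [],
            '_source' => true,
            'query' => [
                'bool' => [
                    'must' => [],
                    'filter' => [
                        [
                            'range' => [
                                '@timestamp' => [
                                    'format' => 'strict_date_optional_time',
                                    'gte' => 'now-7d',
                                    'lte' => 'now',
                                ],
                            ],
                        ],
                        [
                            'match_phrase' => ['remote_addr' => $ip],
                        ],
                    ],
                    'should' => [],
                    'must_not' => [
                        [
                            'match_phrase' => ['error.type' => 'json'],
                        ],
                    ],
                ],
            ],
        ];
        return json_encode($body, JSON_UNESCAPED_SLASHES);
    }

    /**
     * Make a logged request path safe to print to a terminal.
     *
     * The path is attacker-controlled (the IP being hunted is a scanner):
     * a request line may carry bytes such as ESC that a terminal would
     * interpret. Control characters are rendered as C-style escapes;
     * printable text is returned unchanged, so normal output is identical.
     *
     * @param string $s
     * @return string
     */
    public static function printable($s)
    {
        return addcslashes((string) $s, "\0..\37\177");
    }

    /**
     * Connect to Elasticsearch and print every request path logged from $ip.
     *
     * @param string $ip  Address to look up in remote_addr; defaults to the
     *                    address this hunt was written for.
     * @throws InvalidArgumentException if $ip is not a syntactically valid IP.
     */
    public function init($ip = self::DEFAULT_IP)
    {
        // Refuse anything that is not a literal IP before it reaches the query:
        // a free-form string would at best never match and at worst be
        // something other than what the operator meant to hunt.
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException("not an IP address: {$ip}");
        }
        $this->index_id = 'haproxy-log-*';
        // SECURITY: the password lives in the source. ES_PASS in the
        // environment overrides the literal so the file can be shared without
        // it; the built-in 'elastic' superuser should also be replaced by a
        // read-only role or API key scoped to haproxy-log-*.
        $pass = getenv('ES_PASS');
        $this->hosts = [
            [
                'host' => '127.0.0.1',
                // No 'scheme' key means plain HTTP: acceptable on loopback only.
                // Set 'scheme' => 'https' if this endpoint is ever not local.
                'port' => '30006',
                'user' => 'elastic',
                'pass' => $pass === false ? '12345678' : $pass,
            ],
        ];
        $this->client = ClientBuilder::create()
            ->setHosts($this->hosts)
            ->build();
        $this->get_req($ip);
    }

    /**
     * Run the search and print one request path per line to stdout.
     *
     * Only the first PAGE_SIZE hits come back (plain search, no scroll);
     * when Elasticsearch reports more, a warning goes to stderr so the
     * truncation is not silent and stdout stays a clean list of paths.
     *
     * @param string $ip  Address that build_query() filters on.
     */
    private function get_req($ip = self::DEFAULT_IP)
    {
        $results = $this->client->search([
            'index' => $this->index_id,
            'body' => self::build_query($ip),
        ]);
        $hits = $results['hits']['hits'] ?? [];

        // ES 7+ reports total as {value, relation}; older versions as a bare int.
        $total = $results['hits']['total'] ?? null;
        if (is_array($total)) {
            $total = $total['value'] ?? null;
        }
        if ($total !== null && $total > count($hits)) {
            fwrite(STDERR, sprintf(
                "warning: showing %d of %s hits; raise PAGE_SIZE or page with search_after\n",
                count($hits),
                $total
            ));
        }

        foreach ($hits as $hit) {
            // A hit without a request field prints as an empty line (as the
            // original did) instead of raising an undefined-index notice.
            $this->req = $hit['_source']['request'] ?? '';
            printf("%s\n", self::printable($this->req));
        }
    }
}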
// Entry point: build the client and print the matching request paths.
$find = new find();
$find->init();
Выводим запросы (поле request). В выводе видны типичные сигнатуры сканера: пробы nmap (/nmaplowercheck…, /nice%20ports%2C/Tri%6Eity.txt%2ebak), проверки /.git/HEAD, /server-status, /HNAP1 и подобные — то есть это фоновое сканирование, а не целевая атака.
[root@vm elk]# php find.php
/
/
/
/
/server-status
/__Additional
/.git/HEAD
/server-status
/__Additional
/nmaplowercheck1664542337
/inicio.html
/scripts/WPnBr.dll
/7Cnt
/
/docs/cplugError.html/
/base.jhtml
/
/favicon.ico
/start.pl
/menu.pl
/main.cgi
/CSS/Miniweb.css
/
/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
/
/
/nice%20ports%2C/Tri%6Eity.txt%2ebak
/
/CSS/Miniweb.css
/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
/Portal0000.htm
/Portal/Portal.mwsl
/
/.git/HEAD
/nmaplowercheck1664542337
/HNAP1
/Portal/Portal.mwsl
/
/index.php
/
/
/
/
/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
/
/sdk
/
/
/