Nginx anomaly detection configurations


These anomaly detection job wizards appear in Kibana if you use Filebeat to ship access logs from your Nginx HTTP servers to Elasticsearch and store them using fields and data types from the Elastic Common Schema (ECS). For more details, see the datafeed and job definitions in GitHub.

low_request_rate_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models the event rate of HTTP requests.
  • Detects unusually low counts of HTTP requests compared to the previous event rate (using the low_count function).
source_ip_request_rate_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models the event rate of HTTP requests by source IP.
  • Detects source IPs with unusually high request rates in the HTTP access log compared to the previous rate (using the high_count function).
source_ip_url_count_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models the event rate of HTTP requests by source IP.
  • Detects source IPs with an unusually high distinct count of URLs in the HTTP access log (using the high_distinct_count function).
status_code_rate_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models the occurrences of HTTP response status codes (partition_field_name is http.response.status_code).
  • Detects unusual status code rates in the HTTP access log compared to previous rates (using the count function).
visitor_rate_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models visitor rates.
  • Detects unusual visitor rates in the HTTP access log compared to previous rates (using the non_zero_count function).
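As an added illustration of what the five jobs above aggregate before any baseline is learned, the following Python reproduces the per-bucket computations behind the detector functions named on this page: plain event counts (count / low_count), counts that drop empty buckets (non_zero_count), counts split by a field value (high_count by source IP, count partitioned by status code) and distinct counts per field value (high_distinct_count). This is example code written for this page, not the Elastic job or datafeed definitions in GitHub. The ECS field names source.ip and url.original, the 15-minute bucket span and the sample events are all assumptions made here; http.response.status_code and event.dataset are the fields the page itself names.

```python
from collections import defaultdict
from datetime import datetime

# Assumed bucket span in seconds; the real jobs define their own bucket_span.
BUCKET_SPAN_S = 15 * 60

# Constructed ECS-style events (not real traffic). Three fall in the first
# 15-minute bucket, none in the second, four in the third; one nginx.error
# event is included only to show the dataset filter dropping it.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T00:00:10Z", "event.dataset": "nginx.access",
     "source.ip": "10.0.0.1", "url.original": "/", "http.response.status_code": 200},
    {"@timestamp": "2024-01-01T00:03:00Z", "event.dataset": "nginx.access",
     "source.ip": "10.0.0.2", "url.original": "/login", "http.response.status_code": 200},
    {"@timestamp": "2024-01-01T00:05:00Z", "event.dataset": "nginx.access",
     "source.ip": "10.0.0.1", "url.original": "/about", "http.response.status_code": 404},
    {"@timestamp": "2024-01-01T00:31:00Z", "event.dataset": "nginx.access",
     "source.ip": "10.0.0.3", "url.original": "/a", "http.response.status_code": 200},
    {"@timestamp": "2024-01-01T00:31:05Z", "event.dataset": "nginx.access",
     "source.ip": "10.0.0.3", "url.original": "/b", "http.response.status_code": 200},
    {"@timestamp": "2024-01-01T00:31:10Z", "event.dataset": "nginx.access",
     "source.ip": "10.0.0.3", "url.original": "/c", "http.response.status_code": 500},
    {"@timestamp": "2024-01-01T00:32:00Z", "event.dataset": "nginx.access",
     "source.ip": "10.0.0.1", "url.original": "/", "http.response.status_code": 200},
    {"@timestamp": "2024-01-01T00:33:00Z", "event.dataset": "nginx.error",
     "source.ip": "10.0.0.9", "url.original": "/", "http.response.status_code": 502},
]


def _epoch(event):
    """ISO-8601 @timestamp (UTC 'Z' suffix) to integer epoch seconds."""
    return int(datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00")).timestamp())


def nginx_access_only(events):
    """Datafeed-style filter: every job on the page only consumes event.dataset nginx.access."""
    return [e for e in events if e.get("event.dataset") == "nginx.access"]


def bucketize(events, span=BUCKET_SPAN_S):
    """Group events into fixed-width time buckets keyed by the bucket start epoch."""
    buckets = defaultdict(list)
    for e in events:
        t = _epoch(e)
        buckets[t - t % span].append(e)
    return buckets


def count_per_bucket(events, span=BUCKET_SPAN_S, non_zero=False):
    """Events per bucket, as count / low_count see them (empty buckets reported as 0).
    With non_zero=True, empty buckets are dropped instead, which is the difference
    non_zero_count makes for the visitor_rate_ecs job."""
    buckets = bucketize(events, span)
    if not buckets:
        return {}
    first, last = min(buckets), max(buckets)
    result = {}
    for start in range(first, last + span, span):
        n = len(buckets.get(start, []))
        if n or not non_zero:
            result[start] = n
    return result


def count_by_field_per_bucket(events, field, span=BUCKET_SPAN_S):
    """Per bucket, event counts per value of `field`. This is the aggregation behind
    high_count by source IP (source_ip_request_rate_ecs) and count partitioned by
    http.response.status_code (status_code_rate_ecs); Elastic ML models a partition
    field with a fully independent baseline per value, but the raw counts are the same."""
    result = {}
    for start, evs in bucketize(events, span).items():
        counts = defaultdict(int)
        for e in evs:
            counts[e.get(field)] += 1
        result[start] = dict(counts)
    return result


def distinct_count_by_field_per_bucket(events, field, distinct_field, span=BUCKET_SPAN_S):
    """Per bucket, number of distinct `distinct_field` values per value of `field`:
    high_distinct_count(url.original) by source.ip, as in source_ip_url_count_ecs."""
    result = {}
    for start, evs in bucketize(events, span).items():
        seen = defaultdict(set)
        for e in evs:
            seen[e.get(field)].add(e.get(distinct_field))
        result[start] = {k: len(v) for k, v in seen.items()}
    return result


if __name__ == "__main__":
    access = nginx_access_only(SAMPLE_EVENTS)
    print("count:", count_per_bucket(access))
    print("non_zero_count:", count_per_bucket(access, non_zero=True))
    print("high_count by source.ip:", count_by_field_per_bucket(access, "source.ip"))
    print("count partitioned by status:", count_by_field_per_bucket(access, "http.response.status_code"))
    print("high_distinct_count url.original by source.ip:",
          distinct_count_by_field_per_bucket(access, "source.ip", "url.original"))
```

Running it on the constructed events shows the single-host burst in the third bucket (10.0.0.3 making three requests to three distinct URLs) as the value a high_count or high_distinct_count detector would compare against that IP's learned rate, and shows the empty middle bucket appearing as 0 for count but disappearing for non_zero_count.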