Howard-Chang · August 21, 2018 05:34
diff --git a/syslog API b/syslog API
 #top10 protocol name
 GET _search
  {
  "size" : 0,
  "query": {
    "bool": {
      "should": [
        {
            "term":{"IPV4_SRC_ADDR":"203.68.62.36"}
        },
        {
            "term":{"IPV4_DST_ADDR":"203.68.62.36"}
        }
      ],"minimum_should_match": 1,
      "must":[
        {
          "range":{
            "@timestamp":{
            "gte":"now-1d"
            }
          }
        }
      ]
    }
  },
    "aggs": {
      "genres":{
        "terms" : {
                "field" : "L7_PROTO_NAME.keyword" 
            }
    }
  }
 }


 #level=alert
 GET _search
  {
  "_source": { "includes": ["level","action","msg","ref","IPV4_SRC_ADDR","IPV4_DST_ADDR"]},

  "query": {
    "bool": {
      "must":[
        {
          "range":{
            "@timestamp":{
            "gte":"now-1d"
            }
          }
        },
        {
          "term":{"level":"alert"}
        }
      ]
    }
  }
 }
 #使用P2P軟體的IP
 GET _search
  {
  "_source": { "includes": ["IPV4_SRC_ADDR","IPV4_DST_ADDR","L7_PROTO_NAME","action"]},

  "query": {
    "bool": {
      "must":[
        {
          "range":{
            "@timestamp":{
            "gte":"now-1d"
            }
          }
        },
        {
          "term":{"appcat.keyword":"P2P"}
        }
      ]
    }
  }
 }
	#top10 protocol name
	GET _search
	{
	"size" : 0,
	"query": {
	"bool": {
	"should": [
	{
	"term":{"IPV4_SRC_ADDR":"203.68.62.36"}
	},
	{
	"term":{"IPV4_DST_ADDR":"203.68.62.36"}
	}
	],"minimum_should_match": 1,
	"must":[
	{
	"range":{
	"@timestamp":{
	"gte":"now-1d"
	}
	}
	}
	]
	}
	},
	"aggs": {
	"genres":{
	"terms" : {
	"field" : "L7_PROTO_NAME.keyword"
	}
	}
	}
	}


	#level=alert
	GET _search
	{
	"_source": { "includes": ["level","action","msg","ref","IPV4_SRC_ADDR","IPV4_DST_ADDR"]},

	"query": {
	"bool": {
	"must":[
	{
	"range":{
	"@timestamp":{
	"gte":"now-1d"
	}
	}
	},
	{
	"term":{"level":"alert"}
	}
	]
	}
	}
	}
	#使用P2P軟體的IP
	GET _search
	{
	"_source": { "includes": ["IPV4_SRC_ADDR","IPV4_DST_ADDR","L7_PROTO_NAME","action"]},

	"query": {
	"bool": {
	"must":[
	{
	"range":{
	"@timestamp":{
	"gte":"now-1d"
	}
	}
	},
	{
	"term":{"appcat.keyword":"P2P"}
	}
	]
	}
	}
	}