Nginx anomaly detection configurations

These anomaly detection job wizards appear in Kibana if you use Filebeat to ship access logs from your Nginx HTTP servers to Elasticsearch and store them using fields and datatypes from the Elastic Common Schema (ECS). For more details, see the datafeed and job definitions in GitHub.

These configurations are only available if data exists that matches the recognizer query specified in the manifest file.

low_request_rate_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models the event rate of HTTP requests.
  • Detects unusually low counts of HTTP requests compared to the previous event rate.
source_ip_request_rate_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models the event rate of HTTP requests by source IP.
  • Detects source IPs with unusually high request rates in the HTTP access log compared to the previous rate.
source_ip_url_count_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models the event rate of HTTP requests by source IP.
  • Detects source IPs with unusually high distinct count of URLs in the HTTP access log.
status_code_rate_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models the occurrences of HTTP response status codes.
  • Detects unusual status code rates in the HTTP access log compared to previous rates.
visitor_rate_ecs
  • For HTTP web access logs where event.dataset is nginx.access.
  • Models visitor rates.
  • Detects unusual visitor rates in the HTTP access log compared to previous rates.
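As an added illustration (not the Elastic job or datafeed definitions), the following Python stand-in shows what the source_ip_request_rate_ecs and source_ip_url_count_ecs jobs measure: it keeps only events whose event.dataset is nginx.access, buckets them by time, counts requests and distinct URLs per source IP in each bucket, and flags values far above that IP's earlier buckets. The sample events, the median-based threshold, and all function names are constructed for this example; the real jobs use Elastic's ML models rather than this heuristic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def ecs_event(ts, ip, url, status=200, dataset="nginx.access"):
    """Minimal ECS-shaped access event (constructed sample, not real traffic)."""
    return {"@timestamp": ts, "event": {"dataset": dataset}, "source": {"ip": ip},
            "url": {"original": url}, "http": {"response": {"status_code": status}}}

def bucket_by_ip(events, bucket_span_s=60):
    """{bucket_start_epoch: {ip: (request_count, distinct_url_count)}}; only event.dataset == nginx.access counts."""
    counts = defaultdict(lambda: defaultdict(int))
    urls = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("event", {}).get("dataset") != "nginx.access":
            continue  # same filter the job wizards apply via the recognizer query
        epoch = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00")).timestamp()
        bucket = int(epoch // bucket_span_s) * bucket_span_s
        ip = ev["source"]["ip"]
        counts[bucket][ip] += 1
        urls[bucket][ip].add(ev["url"]["original"])
    return {b: {ip: (counts[b][ip], len(urls[b][ip])) for ip in counts[b]}
            for b in sorted(counts)}

def flag_high_source_ips(buckets, factor=5, min_value=10):
    """Flag (bucket, ip, metric) when a value is >= min_value and > factor x the median of that
    IP's earlier buckets (empty history counts as 1). Hypothetical stand-in for the 'previous rate'."""
    history = defaultdict(lambda: ([], []))  # ip -> (past request counts, past distinct-URL counts)
    flags = []
    for bucket, per_ip in buckets.items():
        for ip, (count, distinct) in per_ip.items():
            past_counts, past_urls = history[ip]
            for metric, value, past in (("request_rate", count, past_counts),
                                        ("url_count", distinct, past_urls)):
                if value >= min_value and value > factor * (median(past) if past else 1):
                    flags.append((bucket, ip, metric))
            past_counts.append(count)
            past_urls.append(distinct)
    return flags

def demo_events():
    """Constructed sample: two steady clients for three minutes, then one bursts 60 distinct URLs."""
    events = []
    for minute in range(3):
        for i in range(4):
            events.append(ecs_event(f"2024-01-01T00:0{minute}:{i * 10:02d}Z", "198.51.100.1", "/index.html"))
            events.append(ecs_event(f"2024-01-01T00:0{minute}:{i * 10 + 5:02d}Z", "203.0.113.9", "/api/status"))
    events += [ecs_event(f"2024-01-01T00:03:{i:02d}Z", "203.0.113.9", f"/p/{i}") for i in range(60)]
    events.append(ecs_event("2024-01-01T00:03:01Z", "10.0.0.5", "/x", dataset="apache.access"))  # ignored
    return events
```

Running `flag_high_source_ips(bucket_by_ip(demo_events()))` flags 203.0.113.9 in the fourth minute for both metrics, while the steady client and the apache.access event produce nothing.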