This topic describes 13 example alert configurations based on WAF log queries and analysis. You can use the SQL statement templates in this topic to configure charts on the WAF log dashboard and then set alerts based on the recommended alert parameters.

Procedure

To configure alerts based on these examples, you must first create a WAF log dashboard. For more information, see "Step 1: Create a WAF log analysis dashboard".

Abnormal rate of 4xx status codes

SQL statement template
user_id:11111111110000 and not real_client_ip:1.1.1.1 |
select user_id, host as "Domain",
       Rate_2XX as "2xx codes percentage", Rate_3XX as "3xx codes percentage",
       Rate_4XX as "4xx codes percentage", Rate_5XX as "5xx codes percentage",
       countall as "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall
from (
  select user_id, host,
         round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
         round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
         round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
         round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
         status_2XX, status_3XX, status_4XX, status_5XX, countall
  from (
    select user_id, host,
           count_if(status>=200 and status<300) as status_2XX,
           count_if(status>=300 and status<400) as status_3XX,
           count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
           count_if(status>=500 and status<600) as status_5XX,
           COUNT(*) as countall
    group by host, user_id
  )
)
where countall>120 order by Rate_4XX DESC limit 5

Recommended alert parameter settings

The chart displays the following parameters: aveQPS (the request rate of the domain), 2xx codes percentage, 3xx codes percentage, 4xx codes percentage, and 5xx codes percentage. So that the chart reflects status code changes caused by the system workload rather than by external causes, the 4xx codes exclude the 444 and 405 codes that are triggered by HTTP flood attacks and by web attacks blocked by WAF. You can select one or more of these parameters to set an alert. For example, aveQPS>10 && 2xx codes percentage<60 means that the request rate of the specified domain name exceeds 10 QPS and the percentage of 2xx status codes in the specified period is below 60%. The parameters are as follows:
  • Search period: 5 minutes
  • Frequency: 5 minutes
  • Trigger condition: $0.countall>3000 && $0.4xx codes percentage>80
  • Notification trigger threshold: 2
  • Notification interval: 10 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].Domain}
    - Product:WAF
    - Total number of requests in the last five minutes:${Results[0].RawResults[0].countall}
    - 2xx codes percentage:${Results[0].RawResults[0].2xx codes percentage} %
    - 3xx codes percentage:${Results[0].RawResults[0].3xx codes percentage} %
    - 4xx codes percentage:${Results[0].RawResults[0].4xx codes percentage} %
    - 5xx codes percentage:${Results[0].RawResults[0].5xx codes percentage} %

Abnormal rate of 5xx status codes

SQL statement template
user_id:11111111110000 and not real_client_ip:1.1.1.1 |
select user_id, host as "Domain",
       Rate_2XX as "2xx codes percentage", Rate_3XX as "3xx codes percentage",
       Rate_4XX as "4xx codes percentage", Rate_5XX as "5xx codes percentage",
       countall as "Requests in specified relative time period",
       status_2XX, status_3XX, status_4XX, status_5XX, countall
from (
  select user_id, host,
         round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
         round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
         round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
         round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
         status_2XX, status_3XX, status_4XX, status_5XX, countall
  from (
    select user_id, host,
           count_if(status>=200 and status<300) as status_2XX,
           count_if(status>=300 and status<400) as status_3XX,
           count_if(status>=400 and status<500) as status_4XX,
           count_if(status>=500 and status<600) as status_5XX,
           COUNT(*) as countall
    group by host, user_id
  )
)
where countall>120 order by Rate_5XX DESC limit 5

Recommended alert parameter settings
  • Search period: 5 minutes
  • Frequency: 5 minutes
  • Trigger condition: $0.countall>3000 && $0.5xx codes percentage>80
  • Notification trigger threshold: 2
  • Notification interval: 10 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].Domain}
    - Product:WAF
    - Total number of requests in the last five minutes:${Results[0].RawResults[0].countall}
    - 2xx codes percentage:${Results[0].RawResults[0].2xx codes percentage} %
    - 3xx codes percentage:${Results[0].RawResults[0].3xx codes percentage} %
    - 4xx codes percentage:${Results[0].RawResults[0].4xx codes percentage} %
    - 5xx codes percentage:${Results[0].RawResults[0].5xx codes percentage} %

Abnormal query rate

SQL statement template
user_id: 11111111110000 and not real_client_ip:1.1.1.1 |
select user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall/60 as "aveQPS",
       status_2XX, status_3XX, status_4XX, status_5XX, countall
from (
  select user_id, host,
         round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
         round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
         round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
         round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
         status_2XX, status_3XX, status_4XX, status_5XX, countall
  from (
    select user_id, host,
           count_if(status>=200 and status<300) as status_2XX,
           count_if(status>=300 and status<400) as status_3XX,
           count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
           count_if(status>=500 and status<600) as status_5XX,
           COUNT(*) as countall
    group by host, user_id
  )
)
where countall>120 order by aveQPS DESC limit 5

Recommended alert parameter settings
  • Search period: 1 minute
  • Frequency: 1 minute
  • Trigger condition: $0.aveQPS>=50
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].host}
    - Product:WAF
    - Average query rate in the past 1 minute:${Results[0].RawResults[0].aveQPS}
    - Status code 2xx percentage:${Results[0].RawResults[0].Rate_2XX}%
    - Status code 3xx percentage:${Results[0].RawResults[0].Rate_3XX}%
    - Status code 4xx percentage:${Results[0].RawResults[0].Rate_4XX}%
    - Status code 5xx percentage:${Results[0].RawResults[0].Rate_5XX}%
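The three status-code templates above (abnormal 4xx rate, abnormal 5xx rate, abnormal query rate) share one aggregation. The following Python script is an added example, not code from the page or from the WAF product, that reproduces that aggregation over constructed log records: it buckets responses per host into 2xx/3xx/4xx/5xx, excludes 444 and 405 from the 4xx bucket as the first and third templates do, applies the same double rounding to the percentages, derives aveQPS as countall/60 for a 1-minute window, and evaluates the recommended trigger conditions. The notification trigger threshold is modelled as the number of consecutive evaluations on which the condition must hold before a notification is sent; that reading of the parameter, and all host names and status mixes, are assumptions made for the example.

```python
from collections import defaultdict

# Codes the first and third templates leave out of the 4xx bucket, so the
# 4xx rate reflects the origin's own behaviour rather than WAF blocking.
EXCLUDED_4XX = {444, 405}
CLASSES = ("2xx", "3xx", "4xx", "5xx")


def class_counts(records, exclude=EXCLUDED_4XX):
    """Per host: {"2xx": n, "3xx": n, "4xx": n, "5xx": n, "countall": n}.
    Pass exclude=() to get the second template's unfiltered 4xx count."""
    out = defaultdict(lambda: dict.fromkeys(CLASSES + ("countall",), 0))
    for rec in records:
        status, row = int(rec["status"]), out[rec["host"]]
        row["countall"] += 1
        if 200 <= status < 300:
            row["2xx"] += 1
        elif 300 <= status < 400:
            row["3xx"] += 1
        elif 400 <= status < 500 and status not in exclude:
            row["4xx"] += 1
        elif 500 <= status < 600:
            row["5xx"] += 1
    return dict(out)


def rates(row):
    """round(round(n/countall,4)*100,2), exactly as the templates compute it."""
    total = row["countall"]
    return {k: round(round(row[k] / total, 4) * 100, 2) for k in CLASSES}


def status_rate_rows(records, window_seconds=300, min_requests=120, exclude=EXCLUDED_4XX):
    """Rows equivalent to the template output after the 'where countall>120' filter."""
    rows = []
    for host, row in class_counts(records, exclude).items():
        if row["countall"] > min_requests:
            rows.append({"host": host, "countall": row["countall"],
                         "aveQPS": round(row["countall"] / window_seconds, 2), **rates(row)})
    return rows


def rate_alert(records, status_class, pct_min=80, total_min=3000, exclude=EXCLUDED_4XX):
    """Hosts satisfying countall>3000 && <class> codes percentage>80,
    ordered like the template (highest percentage first, top 5)."""
    hits = [r for r in status_rate_rows(records, exclude=exclude)
            if r["countall"] > total_min and r[status_class] > pct_min]
    hits.sort(key=lambda r: r[status_class], reverse=True)
    return hits[:5]


def query_rate_alert(records, qps_min=50):
    """Third template: 1-minute window, aveQPS = countall/60, trigger aveQPS>=50."""
    return [r for r in status_rate_rows(records, window_seconds=60) if r["aveQPS"] >= qps_min]


class NotificationGate:
    """Notification trigger threshold, read here as 'the condition must hold on
    N consecutive evaluations before a notification is sent' (assumption)."""

    def __init__(self, threshold):
        self.threshold, self.consecutive = threshold, 0

    def observe(self, triggered):
        self.consecutive = self.consecutive + 1 if triggered else 0
        return self.consecutive >= self.threshold


def make_records(host, status_mix):
    """Constructed sample: status_mix maps a status code to a request count."""
    return [{"host": host, "status": s} for s, n in status_mix.items() for _ in range(n)]


# Constructed 5-minute sample: one host returning mostly 404s (plus 444s that
# must not count), one healthy API host, one host below the countall>120 floor.
SAMPLE = (make_records("shop.example", {200: 500, 404: 3400, 444: 200})
          + make_records("api.example", {200: 3900, 500: 200})
          + make_records("blog.example", {200: 90, 404: 20}))

if __name__ == "__main__":
    for row in rate_alert(SAMPLE, "4xx"):
        print(row)
    gate = NotificationGate(2)
    print([gate.observe(bool(rate_alert(SAMPLE, "4xx"))) for _ in range(2)])
```

With the sample above, shop.example reports 4xx codes percentage 82.93 (the 200 responses with code 444 are excluded from the numerator but still count toward countall), so the 4xx alert fires for it and for nothing else; with a threshold of 2, the gate only reports on the second consecutive evaluation.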

Abrupt increase in query rate

SQL statement template
user_id: 11111111110000 |
select t1.user_id, t1.now1mQPS, t1.past1mQPS, in_ratio, t1.host,
       t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS
from (
  (
    SELECT user_id,
           round(c[1]/60,0) as now1mQPS,
           round(c[2]/60,0) as past1mQPS,
           round(round(c[1]/60,0)/round(c[2]/60,0)*100-100,0) as in_ratio,
           host
    from (
      SELECT compare(t, 60) as c, host, user_id
      from (SELECT COUNT(*) as t, host, user_id from log GROUP by host, user_id)
      GROUP by host, user_id
    )
    where c[3] > 1.1 and (c[1]>180 or c[2]>180)
  ) t1
  join
  (
    select user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall/60 as "aveQPS",
           status_2XX, status_3XX, status_4XX, status_5XX, countall
    from (
      select user_id, host,
             round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
             round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
             round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
             round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
             status_2XX, status_3XX, status_4XX, status_5XX, countall
      from (
        select user_id, host,
               count_if(status>=200 and status<300) as status_2XX,
               count_if(status>=300 and status<400) as status_3XX,
               count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
               count_if(status>=500 and status<600) as status_5XX,
               COUNT(*) as countall
        from log group by host, user_id
      )
    )
    where countall>1
  ) t2
  on t1.host=t2.host
)
order by in_ratio DESC limit 5

Recommended alert parameter settings
  • Search period: 1 minute
  • Frequency: 1 minute
  • Trigger condition: $0.now1mqps>50 && $0.in_ratio>300
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].host}
    - Product:WAF
    - Average query rate in the past 1 minute:${Results[0].RawResults[0].now1mqps}
    - Abrupt increase ratio of query rate:${Results[0].RawResults[0].in_ratio}%
    - Status code 2xx percentage:${Results[0].RawResults[0].rate_2xx}%
    - Status code 3xx percentage:${Results[0].RawResults[0].Rate_3XX}%
    - Status code 4xx percentage:${Results[0].RawResults[0].Rate_4XX}%
    - Status code 5xx percentage:${Results[0].RawResults[0].Rate_5XX}%

Abrupt decrease in query rate

SQL statement template
user_id: 11111111110000 |
select t1.user_id, t1.now1mQPS, t1.past1mQPS, de_ratio, t1.host,
       t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS
from (
  (
    SELECT user_id,
           round(c[1]/60,0) as now1mQPS,
           round(c[2]/60,0) as past1mQPS,
           round(100-round(c[1]/60,0)/round(c[2]/60,0)*100,2) as de_ratio,
           host
    from (
      SELECT compare(t, 60) as c, host, user_id
      from (SELECT COUNT(*) as t, host, user_id from log GROUP by host, user_id)
      GROUP by host, user_id
    )
    where c[3] < 0.9 and (c[1]>180 or c[2]>180)
  ) t1
  join
  (
    select user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall/60 as "aveQPS",
           status_2XX, status_3XX, status_4XX, status_5XX, countall
    from (
      select user_id, host,
             round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
             round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
             round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
             round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
             status_2XX, status_3XX, status_4XX, status_5XX, countall
      from (
        select user_id, host,
               count_if(status>=200 and status<300) as status_2XX,
               count_if(status>=300 and status<400) as status_3XX,
               count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
               count_if(status>=500 and status<600) as status_5XX,
               COUNT(*) as countall
        from log group by host, user_id
      )
    )
    where countall>1
  ) t2
  on t1.host=t2.host
)
order by de_ratio DESC limit 5

Recommended alert parameter settings

The chart displays the following parameters: now1mqps (the average query rate in the current minute), past1mqps (the average query rate in the preceding minute), de_ratio (the percentage by which the query rate decreased), and host. You can select these parameters to set an alert.
  • Search period: 1 minute
  • Frequency: 1 minute
  • Trigger condition: $0.now1mqps>10 && $0.de_ratio>50
  • Notification trigger threshold: 2
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].host}
    - Product:WAF (International)
    - Average query rate in the past 1 minute:${Results[0].RawResults[0].now1mqps}
    - Abrupt decrease ratio of query rate:${Results[0].RawResults[0].de_ratio}%
    - Status code 2xx percentage:${Results[0].RawResults[0].rate_2xx}%
    - Status code 3xx percentage:${Results[0].RawResults[0].Rate_3XX}%
    - Status code 4xx percentage:${Results[0].RawResults[0].Rate_4XX}%
    - Status code 5xx percentage:${Results[0].RawResults[0].Rate_5XX}%

Requests blocked by HTTP ACL policies in the last 5 minutes

SQL statement template
user_id: 11111111110000 |
select user_id, host,
       count_if(block_action='antiscan') as "Requests blocked by anti-scan rules",
       count_if(block_action='acl') as "Requests blocked by HTTP ACL policy",
       count_if(aliwaf_action='block') as "Requests blocked by web application protection",
       count_if(cc_action='close') as "Requests blocked by HTTP flood protection",
       count_if(block_action='acl' or aliwaf_action='block' or cc_action='close' or block_action='antiscan') as totalblock
group by host, user_id
having ("Requests blocked by HTTP ACL policy">=0 and "Requests blocked by web application protection">=0
        and "Requests blocked by HTTP flood protection">=0 and totalblock>10)
order by "Requests blocked by HTTP ACL policy" DESC limit 5

Recommended alert parameter settings
  • Search period: 5 minutes
  • Frequency: 5 minutes
  • Trigger condition: $0.totalblock>=500 && ($0.Requests blocked by HTTP ACL policy>=500)
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].host}
    - Product:WAF
    - Total requests blocked in the last five minutes:${Results[0].RawResults[0].totalblock}
    - Requests blocked by HTTP ACL policy:${Results[0].RawResults[0].Requests blocked by HTTP ACL policy}
    - Requests blocked by web application protection:${Results[0].RawResults[0].Requests blocked by web application protection}
    - Requests blocked by HTTP flood protection:${Results[0].RawResults[0].Requests blocked by HTTP flood protection}
    - Requests blocked by anti-scan rules:${Results[0].RawResults[0].Requests blocked by anti-scan rules}

Requests blocked by web application protection in the last 5 minutes

SQL statement template
user_id:11111111110000 |
select user_id, host,
       count_if(block_action='antiscan') as "Requests blocked by anti-scan rules",
       count_if(block_action='acl') as "Requests blocked by HTTP ACL policy",
       count_if(aliwaf_action='block') as "Requests blocked by web application protection",
       count_if(cc_action='close') as "Requests blocked by HTTP flood protection",
       count_if(block_action='acl' or aliwaf_action='block' or cc_action='close' or block_action='antiscan') as totalblock
group by host, user_id
having ("Requests blocked by HTTP ACL policy">=0 and "Requests blocked by web application protection">=0
        and "Requests blocked by HTTP flood protection">=0 and totalblock>10)
order by "Requests blocked by web application protection" DESC limit 5

Recommended alert parameter settings
  • Search period: 5 minutes
  • Frequency: 5 minutes
  • Trigger condition: $0.totalblock>=500 && ($0.Requests blocked by web application protection>=500)
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].host}
    - Product:WAF
    - Total requests blocked in the last 5 minutes:${Results[0].RawResults[0].totalblock}
    - Requests blocked by HTTP ACL policy:${Results[0].RawResults[0].Requests blocked by HTTP ACL policy}
    - Requests blocked by web application protection:${Results[0].RawResults[0].Requests blocked by web application protection}
    - Requests blocked by HTTP flood protection:${Results[0].RawResults[0].Requests blocked by HTTP flood protection}
    - Requests blocked by anti-scan rules:${Results[0].RawResults[0].Requests blocked by anti-scan rules}

Requests blocked by HTTP flood protection in the last 5 minutes

SQL statement template
user_id: 11111111110000 |
select user_id, host,
       count_if(block_action='antiscan') as "Requests blocked by anti-scan rules",
       count_if(block_action='acl') as "Requests blocked by HTTP ACL policy",
       count_if(aliwaf_action='block') as "Requests blocked by web application protection",
       count_if(cc_action='close') as "Requests blocked by HTTP flood protection",
       count_if(block_action='acl' or aliwaf_action='block' or cc_action='close' or block_action='antiscan') as totalblock
group by host, user_id
having ("Requests blocked by HTTP ACL policy">=0 and "Requests blocked by web application protection">=0
        and "Requests blocked by HTTP flood protection">=0 and totalblock>10)
order by "Requests blocked by HTTP flood protection" DESC limit 5

Recommended alert parameter settings
  • Search period: 5 minutes
  • Frequency: 5 minutes
  • Trigger condition: $0.totalblock>=500 && ($0.Requests blocked by HTTP flood protection>=500)
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].host}
    - Product:WAF
    - Total requests blocked in the last five minutes:${Results[0].RawResults[0].totalblock}
    - Requests blocked by HTTP ACL policy:${Results[0].RawResults[0].Requests blocked by HTTP ACL policy}
    - Requests blocked by web application protection:${Results[0].RawResults[0].Requests blocked by web application protection}
    - Requests blocked by HTTP flood protection:${Results[0].RawResults[0].Requests blocked by HTTP flood protection}
    - Requests blocked by anti-scan rules:${Results[0].RawResults[0].Requests blocked by anti-scan rules}

Requests blocked by anti-scan rules in the last 5 minutes

SQL statement template
user_id: 11111111110000 |
select user_id, host,
       count_if(block_action='antiscan') as "Requests blocked by anti-scan rules",
       count_if(block_action='acl') as "Requests blocked by HTTP ACL policy",
       count_if(aliwaf_action='block') as "Requests blocked by web application protection",
       count_if(cc_action='close') as "Requests blocked by HTTP flood protection",
       count_if(block_action='acl' or aliwaf_action='block' or cc_action='close' or block_action='antiscan') as totalblock
group by host, user_id
having ("Requests blocked by HTTP ACL policy">=0 and "Requests blocked by web application protection">=0
        and "Requests blocked by HTTP flood protection">=0 and totalblock>10)
order by "Requests blocked by anti-scan rules" DESC limit 5

Recommended alert parameter settings
  • Search period: 5 minutes
  • Frequency: 5 minutes
  • Trigger condition: $0.totalblock>=500 && ($0.Requests blocked by anti-scan rules>=500)
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].host}
    - Product:WAF (International)
    - Total requests blocked in the last 5 minutes:${Results[0].RawResults[0].totalblock}
    - Requests blocked by HTTP ACL policy:${Results[0].RawResults[0].Requests blocked by HTTP ACL policy}
    - Requests blocked by web application protection:${Results[0].RawResults[0].Requests blocked by web application protection}
    - Requests blocked by HTTP flood protection:${Results[0].RawResults[0].Requests blocked by HTTP flood protection}
    - Requests blocked by anti-scan rules:${Results[0].RawResults[0].Requests blocked by anti-scan rules}
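The four "requests blocked by ..." templates above use one aggregation and differ only in the column they sort by. The following Python script is an added example, not code from the page or from the WAF product, that reproduces that aggregation over constructed log records using the field names the templates read (block_action, aliwaf_action, cc_action), lets the caller choose the ordering column, and applies the recommended trigger condition to each returned row. Host names and counts are constructed.

```python
from collections import Counter, defaultdict

# Column name -> predicate on a log record, matching the count_if() terms
# shared by the four templates.
COLUMNS = {
    "Requests blocked by anti-scan rules": lambda r: r.get("block_action") == "antiscan",
    "Requests blocked by HTTP ACL policy": lambda r: r.get("block_action") == "acl",
    "Requests blocked by web application protection": lambda r: r.get("aliwaf_action") == "block",
    "Requests blocked by HTTP flood protection": lambda r: r.get("cc_action") == "close",
}


def blocked_per_host(records, min_total=10):
    """group by host with the four per-mechanism counts and totalblock; keeps
    only hosts with totalblock>10, as the templates' having clause does."""
    rows = defaultdict(Counter)
    for rec in records:
        row = rows[rec["host"]]
        matched = [name for name, pred in COLUMNS.items() if pred(rec)]
        for name in matched:
            row[name] += 1
        if matched:
            row["totalblock"] += 1   # count_if(a or b or c or d): one per request
    return {h: {**{n: 0 for n in COLUMNS}, **c} for h, c in rows.items()
            if c["totalblock"] > min_total}


def top_blocked(records, order_by, limit=5):
    """The only difference between the four templates: the column sorted on."""
    if order_by not in COLUMNS:
        raise ValueError("unknown column: %s" % order_by)
    rows = blocked_per_host(records)
    return sorted(rows.items(), key=lambda kv: kv[1][order_by], reverse=True)[:limit]


def triggered_hosts(rows, column, total_min=500, column_min=500):
    """Recommended trigger: totalblock>=500 && <column>>=500, checked per row."""
    return [host for host, cols in rows
            if cols["totalblock"] >= total_min and cols[column] >= column_min]


def constructed_logs():
    """Constructed sample records using only the field names from the templates."""
    logs = []

    def add(host, n, **fields):
        logs.extend({"host": host, **fields} for _ in range(n))

    add("shop.example", 620, block_action="acl")
    add("shop.example", 40, aliwaf_action="block")
    add("shop.example", 2000)                      # allowed traffic, not counted
    add("api.example", 30, cc_action="close")
    add("api.example", 15, block_action="antiscan")
    add("blog.example", 8, block_action="acl")     # under the totalblock>10 floor
    return logs


if __name__ == "__main__":
    rows = top_blocked(constructed_logs(), "Requests blocked by HTTP ACL policy")
    for host, cols in rows:
        print(host, cols["totalblock"], cols["Requests blocked by HTTP ACL policy"])
    print(triggered_hosts(rows, "Requests blocked by HTTP ACL policy"))
```

Sorting by the HTTP ACL column puts shop.example first (660 blocked, 620 by ACL) and the ACL alert fires for it; sorting the same rows by the HTTP flood column puts api.example first with 30 blocks, and no row reaches the 500 threshold.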

Attacks from a single IP address

SQL statement template
user_id: 11111111110000 |
select user_id, real_client_ip,
       concat('Requests blocked by HTTP ACL policy:', cast(aclblock as varchar(10)), '  ',
              'Requests blocked by web application protection:', cast(wafblock as varchar(10)), '  ',
              'Requests blocked by HTTP flood protection:', cast(ccblock as varchar(10))) as blockNum,
       totalblock, allRequest
from (
  select user_id, real_client_ip,
         count_if(block_action='acl') as aclblock,
         count_if(aliwaf_action='block') as wafblock,
         count_if(cc_action='close') as ccblock,
         count_if(block_action='acl' or aliwaf_action='block' or cc_action='close') as totalblock,
         COUNT(*) as allRequest
  from log group by user_id, real_client_ip
  having totalblock>1 order by totalblock DESC limit 5
)

Recommended alert parameter settings

The chart displays the following parameters: real_client_ip, blockNum (which includes Requests blocked by HTTP ACL policy, Requests blocked by web application protection, and Requests blocked by HTTP flood protection), totalblock (the total number of blocked requests), and allRequest (the total number of requests). You can select these parameters to set an alert.
  • Search period: 5 minutes
  • Frequency: 5 minutes
  • Trigger condition: $0.totalblock>=500
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Product:WAF
    - Top 3 attack source IP addresses in the last 5 minutes:
    - ${Results[0].RawResults[0].real_client_ip}  (${Results[0].RawResults[0].blockNum})
    - ${Results[0].RawResults[1].real_client_ip}  (${Results[0].RawResults[1].blockNum})
    - ${Results[0].RawResults[2].real_client_ip}  (${Results[0].RawResults[2].blockNum})

Number of domains attacked by a single IP address

SQL statement template
user_id: 11111111110000 and not upstream_status:504 and not upstream_addr:- and request_time_msec < 5000 and upstream_status:200 and not ua_browser:bot |
SELECT user_id, host, upstream_time, request_time, ssl_handshake, requestnum
from (
  select user_id, host,
         round(avg(upstream_response_time),2)*1000 as upstream_time,
         round(avg(request_time_msec),2) as request_time,
         round(avg(ssl_handshake_time)*1000,2) as ssl_handshake,
         COUNT(*) as requestnum
  from log group by host, user_id
)
where requestnum>30 order by request_time DESC limit 5

Recommended alert parameter settings

The chart displays the following parameters: real_client_ip (the IP address of the attacker), totalblock (the total number of blocked requests), and domainnum (the number of attacked domains). You can select one or more of these parameters to set an alert. For example, totalblock>500 && domainnum>5 means that more than 500 attacks were launched from a single IP address and more than 5 domains were attacked.
  • Search period: 5 minutes
  • Frequency: 1 minute
  • Trigger condition: $0.domainnum>=10
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Product:WAF
    - Attacker IP:${Results[0].RawResults[0].real_client_ip}
    - Number of attacked domains:${Results[0].RawResults[0].domainnum}
    - Total requests blocked in the last 5 minutes:${Results[0].RawResults[0].totalblock}
    - Please handle the alert in a timely manner.
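The two per-source-IP alerts above (attacks from a single IP address, and the number of domains attacked by a single IP address) both aggregate blocked requests by real_client_ip. The following Python script is an added example, not code from the page or from the WAF product, that computes the per-IP columns of the single-IP template (aclblock, wafblock, ccblock, totalblock, allRequest and the blockNum label, with the HTTP flood figure taken from ccblock) and adds the domainnum column that the second alert's content expects. The page describes domainnum as the number of attacked domains but does not print its query, so counting distinct hosts that received at least one blocked request from the IP is an assumption; the IP addresses and counts are constructed.

```python
from collections import defaultdict


def is_blocked(rec):
    """The templates' block predicate: block_action='acl' or aliwaf_action='block'
    or cc_action='close'."""
    return (rec.get("block_action") == "acl" or rec.get("aliwaf_action") == "block"
            or rec.get("cc_action") == "close")


def block_num(a):
    """The concat(...) label of the single-IP template, HTTP flood figure from ccblock."""
    return ("Requests blocked by HTTP ACL policy:%d  "
            "Requests blocked by web application protection:%d  "
            "Requests blocked by HTTP flood protection:%d"
            % (a["aclblock"], a["wafblock"], a["ccblock"]))


def per_source_ip(records, min_blocked=1):
    """Per real_client_ip: aclblock, wafblock, ccblock, totalblock, allRequest,
    blockNum and domainnum (distinct hosts with a blocked request from the IP;
    this definition is an assumption, see the lead-in)."""
    agg = defaultdict(lambda: {"aclblock": 0, "wafblock": 0, "ccblock": 0,
                               "totalblock": 0, "allRequest": 0, "hosts": set()})
    for rec in records:
        a = agg[rec["real_client_ip"]]
        a["allRequest"] += 1
        a["aclblock"] += int(rec.get("block_action") == "acl")
        a["wafblock"] += int(rec.get("aliwaf_action") == "block")
        a["ccblock"] += int(rec.get("cc_action") == "close")
        if is_blocked(rec):
            a["totalblock"] += 1
            a["hosts"].add(rec["host"])
    rows = {}
    for ip, a in agg.items():
        if a["totalblock"] > min_blocked:          # having totalblock>1
            a["domainnum"] = len(a.pop("hosts"))
            a["blockNum"] = block_num(a)
            rows[ip] = a
    return rows


def top_attackers(records, limit=5):
    """order by totalblock DESC limit 5."""
    rows = per_source_ip(records)
    return sorted(rows.items(), key=lambda kv: kv[1]["totalblock"], reverse=True)[:limit]


def single_ip_alerts(records, total_min=500):
    """Recommended trigger for 'attacks from a single IP address': totalblock>=500."""
    return [ip for ip, a in top_attackers(records) if a["totalblock"] >= total_min]


def multi_domain_alerts(records, domain_min=10):
    """Recommended trigger for 'domains attacked by a single IP address': domainnum>=10."""
    return [ip for ip, a in per_source_ip(records).items() if a["domainnum"] >= domain_min]


def constructed_logs():
    """Constructed sample using RFC 5737 documentation addresses."""
    logs = []

    def add(ip, host, n, **fields):
        logs.extend({"real_client_ip": ip, "host": host, **fields} for _ in range(n))

    for i in range(12):                                   # one source hitting 12 domains
        add("198.51.100.7", "site%02d.example" % i, 50, block_action="acl")
    add("198.51.100.7", "site00.example", 100)            # its allowed requests
    add("203.0.113.5", "www.example", 3, cc_action="close")
    add("203.0.113.5", "www.example", 20)
    add("192.0.2.9", "www.example", 1, aliwaf_action="block")   # totalblock=1, dropped
    return logs


if __name__ == "__main__":
    for ip, a in top_attackers(constructed_logs()):
        print(ip, a["totalblock"], a["domainnum"], a["blockNum"])
```

In the sample, 198.51.100.7 has 600 blocked requests spread over 12 hosts, so it satisfies both recommended triggers; 203.0.113.5 appears in the chart (totalblock 3 is above the having floor) but fires neither alert, and 192.0.2.9 is filtered out by totalblock>1.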

Average latency in the last 5 minutes

SQL statement template
user_id: 11111111110000 and not upstream_status:504 and not upstream_addr:- and request_time_msec < 5000 and upstream_status:200 and not ua_browser:bot |
SELECT user_id, host, upstream_time, request_time, ssl_handshake, requestnum
from (
  select user_id, host,
         round(avg(upstream_response_time),2)*1000 as upstream_time,
         round(avg(request_time_msec),2) as request_time,
         round(avg(ssl_handshake_time)*1000,2) as ssl_handshake,
         COUNT(*) as requestnum
  from log group by host, user_id
)
where requestnum>30 order by request_time DESC limit 5

Recommended alert parameter settings
  • Search period: 5 minutes
  • Frequency: 5 minutes
  • Trigger condition: $0.request_time>1000 && $0.requestnum>30
  • Notification trigger threshold: 2
  • Notification interval: 10 minutes
  • Content
    - [Time]:${FireTime}
    - [Uid]:${Results[0].RawResults[0].user_id}
    - Domain:${Results[0].RawResults[0].host}
    - Product:WAF (International)
    - [Trigger condition]:${condition}
    - Top 3 domains with the longest delay in the last 5 minutes (unit: millisecond)
    - Host1:${Results[0].RawResults[0].host} Delay_time:${Results[0].RawResults[0].upstream_time}
    - Host2:${Results[0].RawResults[1].host} Delay_time:${Results[0].RawResults[1].upstream_time}
    - Host3:${Results[0].RawResults[2].host} Delay_time:${Results[0].RawResults[2].upstream_time}
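The latency template's search clause does most of the work: it keeps only requests that were actually proxied to an origin (upstream_addr is not "-"), that the origin answered with 200 (which also drops the 504 timeouts), that completed in under 5000 ms, and that did not come from a bot user agent, so the averages describe normal user traffic rather than failures or crawlers. The following Python script is an added example, not code from the page or from the WAF product, that applies those filters to constructed records, computes the three averages with the template's rounding, and evaluates the recommended trigger. Field values are constructed; the upstream and TLS fields are taken to be in seconds and request_time_msec in milliseconds, which is what the template's *1000 conversions imply.

```python
from collections import defaultdict


def eligible(rec):
    """The template's search clause, applied to one log record."""
    return (rec.get("upstream_addr", "-") != "-"
            and rec.get("upstream_status") == 200
            and rec.get("request_time_msec", 0) < 5000
            and rec.get("ua_browser") != "bot")


def latency_per_host(records, min_requests=30):
    """The template's inner select plus 'where requestnum>30'."""
    groups = defaultdict(list)
    for rec in records:
        if eligible(rec):
            groups[rec["host"]].append(rec)
    rows = {}
    for host, recs in groups.items():
        n = len(recs)
        if n <= min_requests:
            continue

        def avg(field):
            return sum(r[field] for r in recs) / n

        rows[host] = {
            # seconds rounded to 2 places, then scaled: 10 ms granularity
            "upstream_time": round(avg("upstream_response_time"), 2) * 1000,
            "request_time": round(avg("request_time_msec"), 2),
            # scaled first, then rounded: 0.01 ms granularity
            "ssl_handshake": round(avg("ssl_handshake_time") * 1000, 2),
            "requestnum": n,
        }
    return rows


def slowest_hosts(records, limit=5):
    """order by request_time DESC limit 5."""
    rows = latency_per_host(records)
    return sorted(rows.items(), key=lambda kv: kv[1]["request_time"], reverse=True)[:limit]


def latency_alerts(records, request_time_min=1000, requestnum_min=30):
    """Recommended trigger: request_time>1000 && requestnum>30."""
    return [host for host, r in slowest_hosts(records)
            if r["request_time"] > request_time_min and r["requestnum"] > requestnum_min]


def constructed_logs():
    """Constructed sample: a slow API host with some bot and 504 traffic that
    must be ignored, a fast web host, and a host with too few requests."""

    def rec(host, upstream_s, total_ms, ssl_s, **over):
        base = {"host": host, "upstream_addr": "10.0.0.1:80", "upstream_status": 200,
                "upstream_response_time": upstream_s, "request_time_msec": total_ms,
                "ssl_handshake_time": ssl_s, "ua_browser": "chrome"}
        base.update(over)
        return base

    logs = [rec("api.example", 1.2, 1450, 0.0123) for _ in range(40)]
    logs += [rec("api.example", 0.01, 30, 0.01, ua_browser="bot") for _ in range(5)]
    logs += [rec("api.example", 0.0, 60000, 0.01, upstream_status=504) for _ in range(3)]
    logs += [rec("www.example", 0.08, 120, 0.01) for _ in range(50)]
    logs += [rec("small.example", 2.0, 2500, 0.02) for _ in range(10)]   # requestnum<=30
    return logs


if __name__ == "__main__":
    for host, r in slowest_hosts(constructed_logs()):
        print(host, r)
    print(latency_alerts(constructed_logs()))
```

Note the asymmetry the template carries: upstream_time is rounded in seconds before being scaled to milliseconds, so it only changes in 10 ms steps, while ssl_handshake is scaled first and keeps two decimals of a millisecond.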

Abrupt decrease in query rate of a single user

SQL statement template
user_id: 11111111110000 |
select t1.user_id, t1.now1mQPS, t1.past1mQPS, de_ratio,
       t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS
from (
  (
    SELECT user_id,
           round(c[1]/60,0) as now1mQPS,
           round(c[2]/60,0) as past1mQPS,
           round(100-round(c[1]/60,0)/round(c[2]/60,0)*100,2) as de_ratio
    from (
      SELECT compare(t, 60) as c, user_id
      from (SELECT COUNT(*) as t, user_id from log GROUP by user_id)
      GROUP by user_id
    )
    where c[3] < 0.9 and (c[1]>180 or c[2]>180)
  ) t1
  join
  (
    select user_id, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall/60 as "aveQPS",
           status_2XX, status_3XX, status_4XX, status_5XX, countall
    from (
      select user_id,
             round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
             round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
             round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
             round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
             status_2XX, status_3XX, status_4XX, status_5XX, countall
      from (
        select user_id,
               count_if(status>=200 and status<300) as status_2XX,
               count_if(status>=300 and status<400) as status_3XX,
               count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
               count_if(status>=500 and status<600) as status_5XX,
               COUNT(*) as countall
        from log group by user_id
      )
    )
    where countall>0
  ) t2
  on t1.user_id=t2.user_id
)
order by de_ratio DESC limit 5

Recommended alert parameter settings
  • Search period: 1 minute
  • Frequency: 1 minute
  • Trigger condition: $0.de_ratio>50 && $0.now1mqps>20
  • Notification trigger threshold: 1
  • Notification interval: 5 minutes
  • Content
    - [Time]:${FireTime}
    - [UID]:${Results[0].RawResults[0].user_id}
    - Product:WAF
    - Average query rate in the past 1 minute:${Results[0].RawResults[0].now1mqps}
    - [Trigger condition (abrupt decrease ratio of query rate & query rate)]:${condition}
    - Abrupt decrease ratio of query rate:${Results[0].RawResults[0].de_ratio}%
    - Status code 2xx percentage:${Results[0].RawResults[0].rate_2xx}%
    - Status code 3xx percentage:${Results[0].RawResults[0].Rate_3XX}%
    - Status code 4xx percentage:${Results[0].RawResults[0].Rate_4XX}%
    - Status code 5xx percentage:${Results[0].RawResults[0].Rate_5XX}%
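The three compare()-based templates (abrupt increase in query rate, abrupt decrease in query rate, and this single-user variant) all read compare(t, 60) as c[1] = requests in the current minute, c[2] = requests in the minute before, c[3] = c[1]/c[2], then derive now1mQPS and past1mQPS by rounding the per-second rates to whole numbers and compute in_ratio or de_ratio from those rounded figures. The following Python script is an added example, not code from the page or from the WAF product, that re-expresses that logic over constructed per-minute request counts and evaluates the recommended triggers. It also covers the case the templates leave undefined: when the previous minute held fewer than 30 requests, past1mQPS rounds to 0 and the SQL divides by zero, so the example reports the ratios as undefined and, for the increase alert, treats such a key as an unbounded increase; that treatment is a design choice of this example. Keys and counts are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RateChange:
    key: str                    # host (per-domain templates) or user_id (single-user template)
    now1mqps: float
    past1mqps: float
    ratio: Optional[float]      # c[3]; None when the past minute had no requests
    in_ratio: Optional[float]   # percentage growth; None when past1mqps rounds to 0
    de_ratio: Optional[float]   # percentage drop; None under the same condition


def compare_window(current_count, past_count):
    """Python analogue of compare(t, 60): (c[1], c[2], c[3])."""
    return current_count, past_count, (current_count / past_count if past_count else None)


def rate_change(key, current_count, past_count):
    c1, c2, c3 = compare_window(current_count, past_count)
    now1mqps, past1mqps = round(c1 / 60, 0), round(c2 / 60, 0)
    if past1mqps == 0:
        # Fewer than 30 requests in the past minute round to 0 QPS; the
        # templates then divide by zero, so the ratios are undefined here.
        return RateChange(key, now1mqps, past1mqps, c3, None, None)
    in_ratio = round(now1mqps / past1mqps * 100 - 100, 0)
    de_ratio = round(100 - now1mqps / past1mqps * 100, 2)
    return RateChange(key, now1mqps, past1mqps, c3, in_ratio, de_ratio)


def _busy_enough(c1, c2, floor=180):
    """The templates' (c[1]>180 or c[2]>180) guard against tiny baselines."""
    return c1 > floor or c2 > floor


def abrupt_increases(counts, qps_min=50, growth_min=300):
    """Keys passing c[3]>1.1 and the busy guard, then the recommended trigger
    now1mqps>50 && in_ratio>300.  A key whose past minute rounds to 0 QPS is
    treated as an unbounded increase and sorted first."""
    hits = []
    for key, (cur, past) in counts.items():
        c1, c2, c3 = compare_window(cur, past)
        if not _busy_enough(c1, c2) or (c3 is not None and c3 <= 1.1):
            continue
        rc = rate_change(key, cur, past)
        if rc.now1mqps > qps_min and (rc.in_ratio is None or rc.in_ratio > growth_min):
            hits.append(rc)
    hits.sort(key=lambda r: float("inf") if r.in_ratio is None else r.in_ratio, reverse=True)
    return hits[:5]


def abrupt_decreases(counts, qps_min=10, drop_min=50):
    """Keys passing c[3]<0.9 and the busy guard, then now1mqps>10 && de_ratio>50
    (the single-user template uses now1mqps>20 instead)."""
    hits = []
    for key, (cur, past) in counts.items():
        c1, c2, c3 = compare_window(cur, past)
        if not _busy_enough(c1, c2) or c3 is None or c3 >= 0.9:
            continue
        rc = rate_change(key, cur, past)
        if rc.de_ratio is not None and rc.now1mqps > qps_min and rc.de_ratio > drop_min:
            hits.append(rc)
    hits.sort(key=lambda r: r.de_ratio, reverse=True)
    return hits[:5]


# Constructed per-minute request counts: key -> (current minute, previous minute).
SAMPLE = {
    "www.example": (18000, 3600),    # 300 QPS after 60 QPS: +400 %
    "static.example": (6000, 5400),  # passes c[3]>1.1 but grows only 11 %
    "blog.example": (900, 12000),    # 15 QPS after 200 QPS: -92.5 %
    "new.example": (12000, 10),      # previous minute rounds to 0 QPS
}

if __name__ == "__main__":
    for rc in abrupt_increases(SAMPLE) + abrupt_decreases(SAMPLE):
        print(rc)
```

Because in_ratio and de_ratio are computed from the rounded QPS figures rather than from c[3], a key can pass the c[3] > 1.1 filter and still show a growth of only 11 %, which is why the trigger condition adds the in_ratio>300 (or de_ratio>50) clause on top of the query's own filter.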