
WAF log alert configuration examples

This topic provides typical alert configuration examples for Web Application Firewall (WAF) log query and analysis. You can use the alert parameters given here as a reference when you add monitoring charts and configure alerts in a custom WAF log dashboard.

Important

This topic describes the configuration parameters using the legacy Log Service alerting feature as its example. If you have already upgraded to the new Log Service alerting, use the query statements and suggested alert parameters in this topic together with the "Quickly set up log alerts" guide to complete the configuration.

The configuration parameters of the legacy Log Service alerting are shown in the figures below (alert configuration example; notification content example).

4XX ratio anomaly alert

Suggested alert parameters:

  • Chart name: 4XX ratio (blocked traffic excluded)

  • Query statement

    user_id :您的阿里云賬號ID
    and not real_client_ip :被攔截的請求IP |
    SELECT
      user_id,
      host AS "域名",
      Rate_2XX AS "2XX比例",
      Rate_3XX AS "3XX比例",
      Rate_4XX AS "4XX比例",
      Rate_5XX AS "5XX比例",
      countall / 300 AS "aveQPS",
      status_2XX,
      status_3XX,
      status_4XX,
      status_5XX,
      countall
    FROM(
        SELECT
          user_id,
          host,
          round(
            round(status_2XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_2XX,
          round(
            round(status_3XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_3XX,
          round(
            round (status_4XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_4XX,
          round(
            round(status_5XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_5XX,
          status_2XX,
          status_3XX,
          status_4XX,
          status_5XX,
          countall
        FROM(
            SELECT
              user_id,
              host,
              count_if(
                status >= 200
                and status < 300
              ) AS status_2XX,
              count_if(
                status >= 300
                and status < 400
              ) AS status_3XX,
              count_if(
                status >= 400
                and status < 500
                and status <> 444
                and status <> 405
              ) AS status_4XX,
              count_if(
                status >= 500
                and status < 600
              ) AS status_5XX,
              COUNT(*) AS countall
            FROM          log
            GROUP BY
              host,
              user_id
          )
      )
    WHERE
      countall > 120
    ORDER BY
      Rate_4XX DESC
    LIMIT
      5

    This chart contains the fields aveQPS, 2XX比例, 3XX比例, 4XX比例 and 5XX比例, which give the domain's QPS and the share of each response status class. The 4XX ratio excludes the 444 and 405 status codes that WAF returns when it blocks HTTP flood (CC) attacks and web attacks, so that the chart only shows status-code changes caused by the business application itself. You can combine these fields freely when setting the trigger condition. For example, aveQPS>10 && 2XX比例<60 means that, within the configured statistics window, the domain's QPS is above 10 and its 2XX ratio is below 60%.

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 5 minutes

  • Trigger condition: $0.countall>3000 && $0.4XX比例>80

  • Trigger notification threshold: 2

  • Notification interval: 10 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].域名}
    - Product: WAF
    - Total requests in the last 5 minutes: ${Results[0].RawResults[0].countall}
    - 2XX ratio: ${Results[0].RawResults[0].2XX比例} %
    - 3XX ratio: ${Results[0].RawResults[0].3XX比例} %
    - 4XX ratio: ${Results[0].RawResults[0].4XX比例} %
    - 5XX ratio: ${Results[0].RawResults[0].5XX比例} %

5XX ratio anomaly alert

Suggested alert parameters:

  • Chart name: 5XX ratio

  • Query statement

    user_id :您的阿里云賬號ID
    and not real_client_ip :被攔截的請求IP |
    select
      user_id,
      host AS "域名",
      Rate_2XX AS "2XX比例",
      Rate_3XX AS "3XX比例",
      Rate_4XX AS "4XX比例",
      Rate_5XX AS "5XX比例",
      countall AS "相對時間內訪問量",
      status_2XX,
      status_3XX,
      status_4XX,
      status_5XX,
      countall
    FROM(
        SELECT
          user_id,
          host,
          round(
            round(status_2XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_2XX,
          round(
            round(status_3XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_3XX,
          round(
            round (status_4XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_4XX,
          round(
            round(status_5XX * 1.0000 / countall, 4) * 100,
            2
          ) AS Rate_5XX,
          status_2XX,
          status_3XX,
          status_4XX,
          status_5XX,
          countall
        FROM(
            SELECT
              user_id,
              host,
              count_if(
                status >= 200
                and status < 300
              ) AS status_2XX,
              count_if(
                status >= 300
                and status < 400
              ) AS status_3XX,
              count_if(
                status >= 400
                and status < 500
              ) AS status_4XX,
              count_if(
                status >= 500
                and status < 600
              ) AS status_5XX,
              COUNT(*) AS countall
            FROM          log
            GROUP BY
              host,
              user_id
          )
      )
    WHERE
      countall > 120
    ORDER BY
      Rate_5XX DESC
    LIMIT
      5

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 5 minutes

  • Trigger condition: $0.countall>3000 && $0.5XX比例>80

  • Trigger notification threshold: 2

  • Notification interval: 10 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].域名}
    - Product: WAF
    - Total requests in the last 5 minutes: ${Results[0].RawResults[0].countall}
    - 2XX ratio: ${Results[0].RawResults[0].2XX比例} %
    - 3XX ratio: ${Results[0].RawResults[0].3XX比例} %
    - 4XX ratio: ${Results[0].RawResults[0].4XX比例} %
    - 5XX ratio: ${Results[0].RawResults[0].5XX比例} %
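The per-host status-class aggregation behind the 4XX and 5XX ratio alerts above, re-implemented in Python as an added example (not code from the original page or from Log Service): it builds the same buckets from constructed sample log records, leaves 444/405 out of the 4XX bucket the way the 4XX query does, and then evaluates the trigger expression and the trigger notification threshold. Assumed: the trigger condition is checked against every row of the chart's result set; all hosts, IPs and counts are constructed.

```python
from collections import defaultdict

# Status codes WAF itself returns when it blocks a CC or web attack; the 4XX
# query on the page leaves them out so the ratio only reflects the application.
WAF_BLOCK_STATUS = {444, 405}


def _rows(host, status, ip, n):
    """n identical constructed access-log records for one host."""
    return [{"host": host, "status": status, "real_client_ip": ip}] * n


# Constructed sample: one dict per WAF access-log line (host, status, real_client_ip).
SAMPLE_LOGS = (
    _rows("legacy.example.com", 200, "198.51.100.10", 100)
    + _rows("legacy.example.com", 404, "198.51.100.11", 3500)   # broken links, app-side
    + _rows("shop.example.com", 200, "198.51.100.12", 100)
    + _rows("shop.example.com", 444, "203.0.113.5", 4000)       # CC flood blocked by WAF
    + _rows("api.example.com", 200, "198.51.100.13", 200)
    + _rows("api.example.com", 502, "198.51.100.13", 20)
)


def status_ratios(records, blocked_ips=frozenset(), exclude_waf_status=True):
    """Per-host counts and percentages, mirroring the nested SQL above.

    blocked_ips plays the role of the search filter `not real_client_ip: ...`;
    exclude_waf_status=False reproduces the 5XX query, whose 4XX bucket keeps 444/405.
    """
    buckets = defaultdict(lambda: {"status_2XX": 0, "status_3XX": 0,
                                   "status_4XX": 0, "status_5XX": 0, "countall": 0})
    for rec in records:
        if rec["real_client_ip"] in blocked_ips:
            continue
        b = buckets[rec["host"]]
        b["countall"] += 1
        s = rec["status"]
        if 200 <= s < 300:
            b["status_2XX"] += 1
        elif 300 <= s < 400:
            b["status_3XX"] += 1
        elif 400 <= s < 500 and not (exclude_waf_status and s in WAF_BLOCK_STATUS):
            b["status_4XX"] += 1
        elif 500 <= s < 600:
            b["status_5XX"] += 1
    for b in buckets.values():
        for cls in ("2XX", "3XX", "4XX", "5XX"):
            # round(round(status_NXX * 1.0000 / countall, 4) * 100, 2), as in the query
            b["Rate_" + cls] = round(round(b["status_" + cls] / b["countall"], 4) * 100, 2)
    return dict(buckets)


def top_rows(ratios, order_by, min_count=120, limit=5):
    """WHERE countall > 120 ORDER BY <order_by> DESC LIMIT 5."""
    rows = [dict(host=h, **v) for h, v in ratios.items() if v["countall"] > min_count]
    rows.sort(key=lambda r: r[order_by], reverse=True)
    return rows[:limit]


def condition_4xx(row, min_count=3000, min_rate=80.0):
    """The page's trigger expression: $0.countall>3000 && $0.4XX比例>80."""
    return row["countall"] > min_count and row["Rate_4XX"] > min_rate


def fired_hosts(ratios, cond, order_by="Rate_4XX"):
    """Hosts in the chart's result set for which the trigger condition holds.
    Assumption of this example: the condition is checked against every result row."""
    return [row["host"] for row in top_rows(ratios, order_by) if cond(row)]


class ConsecutiveTrigger:
    """Models the 'trigger notification threshold': a notification is sent only
    once the condition has been true for `threshold` consecutive evaluations."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.hits = 0

    def evaluate(self, condition_true):
        self.hits = self.hits + 1 if condition_true else 0
        return self.hits >= self.threshold


if __name__ == "__main__":
    ratios = status_ratios(SAMPLE_LOGS)
    for row in top_rows(ratios, "Rate_4XX"):
        print(row["host"], row["countall"], row["Rate_4XX"])
    print("would fire:", fired_hosts(ratios, condition_4xx))
```

With the WAF-generated 444 responses kept in the 4XX bucket, shop.example.com would also trip the alert; that is the blind spot the exclusion avoids.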

QPS anomaly alert

Suggested alert parameters:

  • Chart name: QPS TOP 5

  • Query statement

    user_id :您的阿里云賬號ID
    and not real_client_ip :被攔截的請求IP |
    SELECT
      user_id,
      host,
      Rate_2XX,
      Rate_3XX,
      Rate_4XX,
      Rate_5XX,
      countall / 60 as "aveQPS",
      status_2XX,
      status_3XX,
      status_4XX,
      status_5XX,
      countall
    FROM(
        SELECT
          user_id,
          host,
          round(
            round(status_2XX * 1.0000 / countall, 4) * 100,
            2
          ) as Rate_2XX,
          round(
            round(status_3XX * 1.0000 / countall, 4) * 100,
            2
          ) as Rate_3XX,
          round(
            round (status_4XX * 1.0000 / countall, 4) * 100,
            2
          ) as Rate_4XX,
          round(
            round(status_5XX * 1.0000 / countall, 4) * 100,
            2
          ) as Rate_5XX,
          status_2XX,
          status_3XX,
          status_4XX,
          status_5XX,
          countall
        FROM(
            SELECT
              user_id,
              host,
              count_if(
                status >= 200
                and status < 300
              ) as status_2XX,
              count_if(
                status >= 300
                and status < 400
              ) as status_3XX,
              count_if(
                status >= 400
                and status < 500
                and status <> 444
                and status <> 405
              ) as status_4XX,
              count_if(
                status >= 500
                and status < 600
              ) as status_5XX,
              COUNT(*) as countall
            FROM          log
            GROUP BY
              host,
              user_id
          )
      )
    WHERE
      countall > 120
    ORDER BY
      aveQPS DESC
    LIMIT
      5

  • Query interval: 1 minute (relative)

  • Frequency: fixed interval, 1 minute

  • Trigger condition: $0.aveQPS>=50

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].aveQPS}
    - Response code 2xx_rate: ${Results[0].RawResults[0].Rate_2XX}%
    - Response code 3xx_rate: ${Results[0].RawResults[0].Rate_3XX}%
    - Response code 4xx_rate: ${Results[0].RawResults[0].Rate_4XX}%
    - Response code 5xx_rate: ${Results[0].RawResults[0].Rate_5XX}%

QPS surge alert

Suggested alert parameters:

  • Chart name: QPS surge monitoring

  • Query statement

    user_id :您的阿里云賬號ID |
    SELECT
      t1.user_id,
      t1.now1mQPS,
      t1.past1mQPS,
      in_ratio,
      t1.host,
      t2.Rate_2XX,
      Rate_3XX,
      Rate_4XX,
      Rate_5XX,
      aveQPS
    FROM  (
        (
          SELECT
            user_id,
            round(c [1] / 60, 0) AS now1mQPS,
            round(c [2] / 60, 0) AS past1mQPS,
            round(
              round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100 -100,
              0
            ) AS in_ratio,
            host
          FROM        (
              SELECT
                compare(t, 60) AS c,
                host,
                user_id
              FROM            (
                  SELECT
                    COUNT(*) AS t,
                    host,
                    user_id
                  FROM                log
                  GROUP by
                    host,
                    user_id
                )
              GROUP by
                host,
                user_id
            )
          WHERE
            c [3] > 1.1
            and (
              c [1] > 180
              or c [2] > 180
            )
        ) t1
        JOIN (
          SELECT
            user_id,
            host,
            Rate_2XX,
            Rate_3XX,
            Rate_4XX,
            Rate_5XX,
            countall / 60 AS "aveQPS",
            status_2XX,
            status_3XX,
            status_4XX,
            status_5XX,
            countall
          FROM        (
              SELECT
                user_id,
                host,
                round(
                  round(status_2XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_2XX,
                round(
                  round(status_3XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_3XX,
                round(
                  round(status_4XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_4XX,
                round(
                  round(status_5XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_5XX,
                status_2XX,
                status_3XX,
                status_4XX,
                status_5XX,
                countall
              FROM            (
                  SELECT
                    user_id,
                    host,
                    count_if(
                      status >= 200
                      and status < 300
                    ) AS status_2XX,
                    count_if(
                      status >= 300
                      and status < 400
                    ) AS status_3XX,
                    count_if(
                      status >= 400
                      and status < 500
                      and status <> 444
                      and status <> 405
                    ) AS status_4XX,
                    count_if(
                      status >= 500
                      and status < 600
                    ) AS status_5XX,
                    COUNT(*) AS countall
                  FROM                log
                  GROUP BY
                    host,
                    user_id
                )
            )
          WHERE
            countall > 1
        ) t2 on t1.host = t2.host
      )
    ORDER BY
      in_ratio DESC
    LIMIT
      5

  • Query interval: 1 minute (relative)

  • Frequency: fixed interval, 1 minute

  • Trigger condition: $0.now1mqps>50 && $0.in_ratio>300

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - QPS surge rate: ${Results[0].RawResults[0].in_ratio}%
    - Response code 2xx_rate: ${Results[0].RawResults[0].Rate_2XX}%
    - Response code 3xx_rate: ${Results[0].RawResults[0].Rate_3XX}%
    - Response code 4xx_rate: ${Results[0].RawResults[0].Rate_4XX}%
    - Response code 5xx_rate: ${Results[0].RawResults[0].Rate_5XX}%

QPS drop alert

Suggested alert parameters:

  • Chart name: QPS drop monitoring

  • Query statement

    user_id :您的阿里云賬號ID |
    SELECT
      t1.user_id,
      t1.now1mQPS,
      t1.past1mQPS,
      de_ratio,
      t1.host,
      t2.Rate_2XX,
      Rate_3XX,
      Rate_4XX,
      Rate_5XX,
      aveQPS
    FROM  (
        (
          SELECT
            user_id,
            round(c [1] / 60, 0) AS now1mQPS,
            round(c [2] / 60, 0) AS past1mQPS,
            round(
              100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100,
              2
            ) AS de_ratio,
            host
          FROM        (
              SELECT
                compare(t, 60) AS c,
                host,
                user_id
              FROM            (
                  SELECT
                    COUNT(*) AS t,
                    host,
                    user_id
                  FROM                log
                  GROUP BY
                    host,
                    user_id
                )
              GROUP BY
                host,
                user_id
            )
          WHERE
            c [3] < 0.9
            AND (
              c [1] > 180
              or c [2] > 180
            )
        ) t1
        JOIN (
          SELECT
            user_id,
            host,
            Rate_2XX,
            Rate_3XX,
            Rate_4XX,
            Rate_5XX,
            countall / 60 AS "aveQPS",
            status_2XX,
            status_3XX,
            status_4XX,
            status_5XX,
            countall
          FROM        (
              SELECT
                user_id,
                host,
                round(
                  round(status_2XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_2XX,
                round(
                  round(status_3XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_3XX,
                round(
                  round(status_4XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_4XX,
                round(
                  round(status_5XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_5XX,
                status_2XX,
                status_3XX,
                status_4XX,
                status_5XX,
                countall
              FROM            (
                  SELECT
                    user_id,
                    host,
                    count_if(
                      status >= 200
                      and status < 300
                    ) AS status_2XX,
                    count_if(
                      status >= 300
                      and status < 400
                    ) AS status_3XX,
                    count_if (
                      status >= 400
                      and status < 500
                      and status <> 444
                      and status <> 405
                    ) AS status_4XX,
                    count_if(
                      status >= 500
                      and status < 600
                    ) AS status_5XX,
                    COUNT(*) AS countall
                  FROM                log
                  GROUP BY
                    host,
                    user_id
                )
            )
          WHERE
            countall > 1
        ) t2 on t1.host = t2.host
      )
    ORDER BY
      de_ratio DESC
    LIMIT
      5

    This chart contains the fields now1mqps (average QPS in the current minute), past1mqps (average QPS in the previous minute), de_ratio (QPS drop rate) and host; use them as needed to set the trigger condition.

  • Query interval: 1 minute (relative)

  • Frequency: fixed interval, 1 minute

  • Trigger condition: $0.now1mqps>10 && $0.de_ratio>50

  • Trigger notification threshold: 2

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - QPS drop rate: ${Results[0].RawResults[0].de_ratio}%
    - Response code 2xx_rate: ${Results[0].RawResults[0].Rate_2XX}%
    - Response code 3xx_rate: ${Results[0].RawResults[0].Rate_3XX}%
    - Response code 4xx_rate: ${Results[0].RawResults[0].Rate_4XX}%
    - Response code 5xx_rate: ${Results[0].RawResults[0].Rate_5XX}%

ACL blocks within 5 minutes alert

Suggested alert parameters:

  • Chart name: ACL rule block count

  • Query statement

    user_id :您的阿里云賬號ID |
    SELECT
      user_id,
      host,
      count_if(
        final_plugin = 'waf'
        AND final_action = 'block'
      ) AS "規則防護引擎攔截量",
      count_if(
        final_plugin = 'cc'
        AND final_action = 'block'
      ) AS "CC攔截量",
      count_if(
        final_plugin = 'acl'
        AND final_action = 'block'
      ) AS "ACL攔截量",
      count_if(
        final_plugin = 'antiscan'
        AND final_action = 'block'
      ) AS "掃描防護攔截量",
      count_if(
        (final_plugin = 'waf'
        AND final_action = 'block')
        OR (final_plugin = 'cc'
        AND final_action = 'block')
        OR (final_plugin = 'acl'
        AND final_action = 'block')
        OR (final_plugin = 'antiscan'
        AND final_action = 'block')
      ) AS totalblock
    GROUP BY
      host,
      user_id
    HAVING
      (
        "ACL攔截量" >= 0
        AND "規則防護引擎攔截量" >= 0
        AND "CC攔截量" >= 0
        AND "掃描防護攔截量" >= 0
        AND totalblock > 10
      )
    ORDER BY
      "ACL攔截量" DESC
    LIMIT
      5

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 5 minutes

  • Trigger condition: $0.totalblock>=500 && ($0.ACL攔截量>=500)

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocks in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - ACL blocks: ${Results[0].RawResults[0].ACL攔截量}
    - Protection rules engine blocks: ${Results[0].RawResults[0].規則防護引擎攔截量}
    - CC blocks: ${Results[0].RawResults[0].CC攔截量}
    - Scan protection blocks: ${Results[0].RawResults[0].掃描防護攔截量}

Protection rules engine blocks within 5 minutes alert

Suggested alert parameters:

  • Chart name: Protection rules engine block count

  • Query statement

    user_id :您的阿里云賬號ID |
    SELECT
      user_id,
      host,
      count_if(
        final_plugin = 'waf'
        AND final_action = 'block'
      ) AS "規則防護引擎攔截量",
      count_if(
        final_plugin = 'cc'
        AND final_action = 'block'
      ) AS "CC攔截量",
      count_if(
        final_plugin = 'acl'
        AND final_action = 'block'
      ) AS "ACL攔截量",
      count_if(
        final_plugin = 'antiscan'
        AND final_action = 'block'
      ) AS "掃描防護攔截量",
      count_if(
        (final_plugin = 'waf'
        AND final_action = 'block')
        OR (final_plugin = 'cc'
        AND final_action = 'block')
        OR (final_plugin = 'acl'
        AND final_action = 'block')
        OR (final_plugin = 'antiscan'
        AND final_action = 'block')
      ) AS totalblock
    GROUP BY
      host,
      user_id
    HAVING
      (
        "ACL攔截量" >= 0
        AND "規則防護引擎攔截量" >= 0
        AND "CC攔截量" >= 0
        AND "掃描防護攔截量" >= 0
        AND totalblock > 10
      )
    ORDER BY
      "規則防護引擎攔截量" DESC
    LIMIT
      5

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 5 minutes

  • Trigger condition: $0.totalblock>=500 && ($0.規則防護引擎攔截量>=500)

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocks in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - ACL blocks: ${Results[0].RawResults[0].ACL攔截量}
    - Protection rules engine blocks: ${Results[0].RawResults[0].規則防護引擎攔截量}
    - CC blocks: ${Results[0].RawResults[0].CC攔截量}
    - Scan protection blocks: ${Results[0].RawResults[0].掃描防護攔截量}

CC blocks within 5 minutes alert

Suggested alert parameters:

  • Chart name: CC protection rule block count

  • Query statement

    user_id :您的阿里云賬號ID |
    SELECT
      user_id,
      host,
      count_if(
        final_plugin = 'waf'
        AND final_action = 'block'
      ) AS "規則防護引擎攔截量",
      count_if(
        final_plugin = 'cc'
        AND final_action = 'block'
      ) AS "CC攔截量",
      count_if(
        final_plugin = 'acl'
        AND final_action = 'block'
      ) AS "ACL攔截量",
      count_if(
        final_plugin = 'antiscan'
        AND final_action = 'block'
      ) AS "掃描防護攔截量",
      count_if(
        (final_plugin = 'waf'
        AND final_action = 'block')
        OR (final_plugin = 'cc'
        AND final_action = 'block')
        OR (final_plugin = 'acl'
        AND final_action = 'block')
        OR (final_plugin = 'antiscan'
        AND final_action = 'block')
      ) AS totalblock
    GROUP BY
      host,
      user_id
    HAVING
      (
        "ACL攔截量" >= 0
        AND "規則防護引擎攔截量" >= 0
        AND "CC攔截量" >= 0
        AND "掃描防護攔截量" >= 0
        AND totalblock > 10
      )
    ORDER BY
      "CC攔截量" DESC
    LIMIT
      5

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 5 minutes

  • Trigger condition: $0.totalblock>=500 && ($0.CC攔截量>=500)

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocks in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - ACL blocks: ${Results[0].RawResults[0].ACL攔截量}
    - Protection rules engine blocks: ${Results[0].RawResults[0].規則防護引擎攔截量}
    - CC blocks: ${Results[0].RawResults[0].CC攔截量}
    - Scan protection blocks: ${Results[0].RawResults[0].掃描防護攔截量}

Scan blocks within 5 minutes alert

Suggested alert parameters:

  • Chart name: Scan protection block count

  • Query statement

    user_id :您的阿里云賬號ID |
    SELECT
      user_id,
      host,
      count_if(
        final_plugin = 'waf'
        AND final_action = 'block'
      ) AS "規則防護引擎攔截量",
      count_if(
        final_plugin = 'cc'
        AND final_action = 'block'
      ) AS "CC攔截量",
      count_if(
        final_plugin = 'acl'
        AND final_action = 'block'
      ) AS "ACL攔截量",
      count_if(
        final_plugin = 'antiscan'
        AND final_action = 'block'
      ) AS "掃描防護攔截量",
      count_if(
        (final_plugin = 'waf'
        AND final_action = 'block')
        OR (final_plugin = 'cc'
        AND final_action = 'block')
        OR (final_plugin = 'acl'
        AND final_action = 'block')
        OR (final_plugin = 'antiscan'
        AND final_action = 'block')
      ) AS totalblock
    GROUP BY
      host,
      user_id
    HAVING
      (
        "ACL攔截量" >= 0
        AND "規則防護引擎攔截量" >= 0
        AND "CC攔截量" >= 0
        AND "掃描防護攔截量" >= 0
        AND totalblock > 10
      )
    ORDER BY
      "掃描防護攔截量" DESC
    LIMIT
      5

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 5 minutes

  • Trigger condition: $0.totalblock>=500 && ($0.掃描防護攔截量>=500)

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - Total blocks in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - ACL blocks: ${Results[0].RawResults[0].ACL攔截量}
    - Protection rules engine blocks: ${Results[0].RawResults[0].規則防護引擎攔截量}
    - CC blocks: ${Results[0].RawResults[0].CC攔截量}
    - Scan protection blocks: ${Results[0].RawResults[0].掃描防護攔截量}

Attack volume per IP alert

Suggested alert parameters:

  • Chart name: Attack volume per IP

  • Query statement

    user_id :您的阿里云賬號ID |
    SELECT
      user_id,
      real_client_ip,
      concat(
        'ACL攔截量:',
        cast(aclblock AS varchar(10)),
        ' ',
        '規則防護引擎攔截量:',
        cast(wafblock AS varchar(10)),
        '
    ',
        'CC攔截量:',
        cast(ccblock AS varchar(10))
      ) AS blockNum,
      totalblock,
      allRequest
    FROM  (
        SELECT
          user_id,
          real_client_ip,
          count_if(
            final_plugin = 'acl'
            AND final_action = 'block'
          ) AS aclblock,
          count_if(
            final_plugin = 'waf'
            AND final_action = 'block'
          ) AS wafblock,
          count_if(
            final_plugin = 'cc'
            AND final_action = 'block'
          ) AS ccblock,
          count_if(
            (
              final_plugin = 'acl'
              AND final_action = 'block'
            )
            OR (
              final_plugin = 'waf'
              AND final_action = 'block'
            )
            OR (
              final_plugin = 'cc'
              AND final_action = 'block'
            )
          ) AS totalblock,
          COUNT(*) AS allRequest
        FROM      log
        GROUP BY
          user_id,
          real_client_ip
        HAVING
          totalblock > 1
        ORDER BY
          totalblock DESC
        LIMIT
          5
      )

    This chart contains the fields real_client_ip (attacking IP), blockNum (a string carrying the ACL, protection rules engine and CC block counts), totalblock (total blocked requests) and allRequest (total requests); use them as needed to set the trigger condition.

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 5 minutes

  • Trigger condition: $0.totalblock>=500

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Top 3 attacking IPs in the last 5 minutes:
    - ${Results[0].RawResults[0].real_client_ip} (${Results[0].RawResults[0].blockNum})
    - ${Results[0].RawResults[1].real_client_ip} (${Results[0].RawResults[1].blockNum})
    - ${Results[0].RawResults[2].real_client_ip} (${Results[0].RawResults[2].blockNum})

Number of domains attacked per IP alert

Suggested alert parameters:

  • Chart name: Number of domains attacked per IP

  • Query statement

    user_id :您的阿里云賬號ID
    and final_action :block |
    SELECT
      user_id,
      real_client_ip,
      COUNT(*) AS totalblock,
      count(DISTINCT host) AS domainnum
    FROM  log
    GROUP BY
      user_id,
      real_client_ip
    HAVING
      COUNT(*) > 1
    ORDER BY
      domainnum DESC
    LIMIT
      5

    This chart contains the fields real_client_ip (attacking IP), totalblock (total blocked requests) and domainnum (number of domains the IP attacked). You can combine these fields freely when setting the trigger condition. For example, totalblock>500 && domainnum>5 means that within the window the IP's total attack volume reaches 500 and it attacked more than 5 domains.

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 1 minute

  • Trigger condition: $0.domainnum>=10

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Attacking IP: ${Results[0].RawResults[0].real_client_ip}
    - Number of domains attacked: ${Results[0].RawResults[0].domainnum}
    - Total attack requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Please follow up promptly
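The block-count aggregations behind the four per-host "blocks within 5 minutes" alerts and the two per-IP alerts above, re-implemented in Python over constructed records as an added example (not code from the page or from Log Service): per-host counts by final_plugin with the HAVING, ORDER BY and LIMIT clauses and the $0.totalblock>=500 && $0.<plugin blocks>>=500 trigger, and per-IP totalblock, allRequest and domainnum with the $0.totalblock>=500 and $0.domainnum>=10 triggers. Assumed: the non-block action value 'pass' and every host and IP are constructed; domainnum is the number of distinct hosts on which an IP was blocked.

```python
from collections import defaultdict

BLOCK_PLUGINS = ("waf", "cc", "acl", "antiscan")  # counted by the per-host queries
IP_PLUGINS = ("acl", "waf", "cc")                   # the single-IP query counts only these


def _rows(host, ip, plugin, action, n):
    """n identical constructed WAF log records."""
    return [{"host": host, "real_client_ip": ip,
             "final_plugin": plugin, "final_action": action}] * n


# Constructed sample log; 'pass' is a made-up non-block action value.
SAMPLE_LOGS = (
    _rows("shop.example.com", "203.0.113.7", "acl", "block", 620)
    + _rows("shop.example.com", "198.51.100.20", "waf", "pass", 400)
    + _rows("api.example.com", "203.0.113.7", "waf", "block", 90)
    + _rows("api.example.com", "203.0.113.9", "cc", "block", 300)
    # one IP probing twelve further domains with a few web attacks each
    + [r for i in range(12)
       for r in _rows("t%d.example.com" % i, "203.0.113.9", "waf", "block", 20)]
    + _rows("www.example.com", "198.51.100.21", "antiscan", "block", 8)
)


def blocks_per_host(records, min_total=10, order_by="acl", limit=5):
    """GROUP BY host: per-plugin block counts and totalblock,
    HAVING totalblock > 10 ORDER BY <plugin column> DESC LIMIT 5."""
    agg = defaultdict(lambda: {p: 0 for p in BLOCK_PLUGINS})
    for rec in records:
        if rec["final_action"] == "block" and rec["final_plugin"] in BLOCK_PLUGINS:
            agg[rec["host"]][rec["final_plugin"]] += 1
    rows = []
    for host, counts in agg.items():
        total = sum(counts.values())
        if total > min_total:
            rows.append(dict(host=host, totalblock=total, **counts))
    rows.sort(key=lambda r: r[order_by], reverse=True)
    return rows[:limit]


def host_alerts(rows, plugin, min_total=500, min_plugin=500):
    """Trigger of each per-host alert: $0.totalblock>=500 && $0.<plugin blocks>>=500."""
    return [r["host"] for r in rows
            if r["totalblock"] >= min_total and r[plugin] >= min_plugin]


def blocks_per_ip(records, min_total=1, limit=5):
    """GROUP BY real_client_ip: totalblock, allRequest and domainnum
    (distinct hosts on which the IP was blocked), HAVING totalblock > 1,
    ORDER BY totalblock DESC LIMIT 5."""
    agg = defaultdict(lambda: {"totalblock": 0, "allRequest": 0, "hosts": set()})
    for rec in records:
        a = agg[rec["real_client_ip"]]
        a["allRequest"] += 1
        if rec["final_action"] == "block" and rec["final_plugin"] in IP_PLUGINS:
            a["totalblock"] += 1
            a["hosts"].add(rec["host"])
    rows = [{"real_client_ip": ip, "totalblock": a["totalblock"],
             "allRequest": a["allRequest"], "domainnum": len(a["hosts"])}
            for ip, a in agg.items() if a["totalblock"] > min_total]
    rows.sort(key=lambda r: r["totalblock"], reverse=True)
    return rows[:limit]


def ip_alerts(rows, min_total=500, min_domains=10):
    """Attack volume per IP ($0.totalblock>=500) and domains attacked per IP
    ($0.domainnum>=10), evaluated over the per-IP result rows."""
    return {
        "volume": [r["real_client_ip"] for r in rows if r["totalblock"] >= min_total],
        "domains": [r["real_client_ip"] for r in rows if r["domainnum"] >= min_domains],
    }


if __name__ == "__main__":
    for plugin in BLOCK_PLUGINS:
        print(plugin, host_alerts(blocks_per_host(SAMPLE_LOGS, order_by=plugin), plugin))
    print(ip_alerts(blocks_per_ip(SAMPLE_LOGS)))
```

Note that the antiscan blocks against www.example.com count toward neither alert: the per-host query drops the host at HAVING totalblock > 10 and the per-IP query does not count the antiscan plugin at all.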

5-minute average latency anomaly alert

Suggested alert parameters:

  • Chart name: Average latency monitoring

  • Query statement

    user_id :您的阿里云賬號ID
    and not upstream_status :504
    and not upstream_addr :'-'
    and request_time_msec < 5000
    and upstream_status :200
    and not ua_browser :bot |
    SELECT
      user_id,
      host,
      upstream_time,
      request_time,
      requestnum
    FROM  (
        SELECT
          user_id,
          host,
          round(avg(upstream_response_time) * 1000, 2) AS upstream_time,
          round(avg(request_time_msec), 2) AS request_time,
          COUNT(*) AS requestnum
        FROM      log
        GROUP BY
          host,
          user_id
      )
    WHERE
      requestnum > 30
    ORDER BY
      request_time DESC
    LIMIT
      5

  • Query interval: 5 minutes (relative)

  • Frequency: fixed interval, 5 minutes

  • Trigger condition: $0.request_time>1000 && $0.requestnum>30

  • Trigger notification threshold: 2

  • Notification interval: 10 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - [Trigger condition]: ${condition}
    - Top 3 latencies in the last 5 minutes (ms)
    - Host1: ${Results[0].RawResults[0].host} Delay_time: ${Results[0].RawResults[0].upstream_time}
    - Host2: ${Results[0].RawResults[1].host} Delay_time: ${Results[0].RawResults[1].upstream_time}
    - Host3: ${Results[0].RawResults[2].host} Delay_time: ${Results[0].RawResults[2].upstream_time}

Traffic drop alert

Suggested alert parameters:

  • Chart name: Traffic drop monitoring

  • Query statement

    user_id :您的阿里云賬號ID |
    SELECT
      t1.user_id,
      t1.now1mQPS,
      t1.past1mQPS,
      de_ratio,
      t2.Rate_2XX,
      Rate_3XX,
      Rate_4XX,
      Rate_5XX,
      aveQPS
    FROM  (
        (
          SELECT
            user_id,
            round(c [1] / 60, 0) AS now1mQPS,
            round(c [2] / 60, 0) AS past1mQPS,
            round(
              100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100,
              2
            ) AS de_ratio
          FROM        (
              SELECT
                compare(t, 60) AS c,
                user_id
              FROM            (
                  SELECT
                    COUNT(*) AS t,
                    user_id
                  FROM                log
                  GROUP BY
                    user_id
                )
              GROUP BY
                user_id
            )
          WHERE
            c [3] < 0.9
            AND (
              c [1] > 180
              or c [2] > 180
            )
        ) t1
        JOIN (
          SELECT
            user_id,
            Rate_2XX,
            Rate_3XX,
            Rate_4XX,
            Rate_5XX,
            countall / 60 AS "aveQPS",
            status_2XX,
            status_3XX,
            status_4XX,
            status_5XX,
            countall
          FROM        (
              SELECT
                user_id,
                round(
                  round(status_2XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_2XX,
                round(
                  round(status_3XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_3XX,
                round(
                  round(status_4XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_4XX,
                round(
                  round(status_5XX * 1.0000 / countall, 4) * 100,
                  2
                ) AS Rate_5XX,
                status_2XX,
                status_3XX,
                status_4XX,
                status_5XX,
                countall
              FROM            (
                  SELECT
                    user_id,
                    count_if(
                      status >= 200
                      AND status < 300
                    ) AS status_2XX,
                    count_if(
                      status >= 300
                      AND status < 400
                    ) AS status_3XX,
                    count_if (
                      status >= 400
                      AND status < 500
                      AND status <> 444
                      AND status <> 405
                    ) AS status_4XX,
                    count_if(
                      status >= 500
                      AND status < 600
                    ) AS status_5XX,
                    COUNT(*) AS countall
                  FROM                log
                  GROUP BY
                    user_id
                )
            )
          WHERE
            countall > 0
        ) t2 ON t1.user_id = t2.user_id
      )
    ORDER BY
      de_ratio DESC
    LIMIT
      5

  • Query interval: 1 minute (relative)

  • Frequency: fixed interval, 1 minute

  • Trigger condition: $0.de_ratio>50 && $0.now1mqps>20

  • Trigger notification threshold: 1

  • Notification interval: 5 minutes

  • Notification content

    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - [Trigger condition (drop rate & QPS)]: ${condition}
    - QPS drop rate: ${Results[0].RawResults[0].de_ratio}%
    - Response code 2xx_rate: ${Results[0].RawResults[0].Rate_2XX}%
    - Response code 3xx_rate: ${Results[0].RawResults[0].Rate_3XX}%
    - Response code 4xx_rate: ${Results[0].RawResults[0].Rate_4XX}%
    - Response code 5xx_rate: ${Results[0].RawResults[0].Rate_5XX}%