Nginx anomaly detection configurations

These anomaly detection job wizards appear in Kibana if you use the Nginx integration in Fleet or you use Filebeat to ship access logs from your Nginx HTTP servers to Elasticsearch. The jobs assume that you use fields and data types from the Elastic Common Schema (ECS).

Nginx access logs

These anomaly detection jobs find unusual activity in HTTP access logs.

For more details, see the datafeed and job definitions in GitHub. Note that these jobs are available in Kibana only if data exists that matches the datafeed query.

low_request_rate_nginx

Detects low request rates.

Job details
Required Beats or Elastic Agent integrations
  • Nginx integration

source_ip_request_rate_nginx

Detects unusual source IPs.

Job details
  • Analyzes request rates (using the high_count function) relative to all the source IPs (over_field_name is source.address).
Required Beats or Elastic Agent integrations
  • Nginx integration

source_ip_url_count_nginx

Detects unusual source IPs.

Job details
  • Analyzes distinct counts of URLs (using the high_distinct_count function on the url.original field) relative to all the source IPs (over_field_name is source.address).
Required Beats or Elastic Agent integrations
  • Nginx integration

status_code_rate_nginx

Detects unusual status code rates.

Job details
  • Analyzes request rates (using the count function) split by status code (partition_field_name is http.response.status_code).
Required Beats or Elastic Agent integrations
  • Nginx integration

visitor_rate_nginx

Detects unusual visitor rates.

Job details
Required Beats or Elastic Agent integrations
  • Nginx integration

Nginx access logs (Filebeat)

These legacy anomaly detection jobs find unusual activity in HTTP access logs. For the latest versions, install the Nginx integration in Fleet; see Nginx access logs.

For more details, see the datafeed and job definitions in GitHub.

These configurations are only available if data exists that matches the recognizer query specified in the manifest file.

low_request_rate_ecs

Detects low request rates.

Job details
Required Beats or Elastic Agent integrations
  • Filebeat

source_ip_request_rate_ecs

Detects unusual source IPs.

Job details
  • Analyzes request rates (using the high_count function) relative to all the source IPs (over_field_name is source.address).
Required Beats or Elastic Agent integrations
  • Filebeat

source_ip_url_count_ecs

Detects unusual source IPs.

Job details
  • Analyzes distinct counts of URLs (using the high_distinct_count function on the url.original field) relative to all the source IPs (over_field_name is source.address).
Required Beats or Elastic Agent integrations
  • Filebeat

status_code_rate_ecs

Detects unusual status code rates.

Job details
  • Analyzes request rates (using the count function) split by status code (partition_field_name is http.response.status_code).
Required Beats or Elastic Agent integrations
  • Filebeat

visitor_rate_ecs

Detects unusual visitor rates.

Job details
Required Beats or Elastic Agent integrations
  • Filebeat
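
As an added example (not from the Elastic documentation or the job definitions in GitHub), the following Python script emulates on constructed ECS documents what the source_ip_request_rate, source_ip_url_count and status_code_rate detectors in both sections above compute per bucket: requests per source.address, distinct url.original values per source.address, and requests per http.response.status_code. The 15-minute bucket span, the sample documents and the median-based outlier rule are assumptions; the real jobs model each population statistically rather than with a fixed threshold.

```python
from collections import defaultdict
from datetime import datetime

def bucket_of(ts, bucket_span_s):
    """Start of the bucket (epoch seconds) that an ISO-8601 @timestamp falls into."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % bucket_span_s

def bucket_stats(docs, bucket_span_s=900):
    """Per bucket: requests per source.address (high_count over source.address),
    distinct url.original per source.address (high_distinct_count over source.address)
    and requests per http.response.status_code (count partitioned by status code)."""
    acc = defaultdict(lambda: (defaultdict(int), defaultdict(set), defaultdict(int)))
    for d in docs:
        per_ip, urls, per_status = acc[bucket_of(d["@timestamp"], bucket_span_s)]
        ip = d["source"]["address"]
        per_ip[ip] += 1
        urls[ip].add(d["url"]["original"])
        per_status[d["http"]["response"]["status_code"]] += 1
    return {b: {"count_over_source": dict(per_ip),
                "distinct_url_over_source": {ip: len(u) for ip, u in urls.items()},
                "count_by_status": dict(per_status)}
            for b, (per_ip, urls, per_status) in acc.items()}

def population_outliers(per_entity, factor=3.0):
    """Stand-in for the 'over' (population) comparison: flag entities whose value is
    more than `factor` times the population median in that bucket (assumed rule;
    the real jobs fit a probability model to the population instead)."""
    vals = sorted(per_entity.values())
    median = vals[len(vals) // 2]
    return sorted(e for e, v in per_entity.items() if v > factor * max(median, 1))

def doc(ts, ip, url, status):
    """Build a minimal ECS access-log document (constructed sample data)."""
    return {"@timestamp": ts, "source": {"address": ip}, "url": {"original": url},
            "http": {"response": {"status_code": status}}}

# Constructed sample: two ordinary visitors plus one source fetching many distinct URLs.
SAMPLE = [doc("2024-01-01T12:00:01Z", "10.0.0.5", "/index.html", 200),
          doc("2024-01-01T12:00:10Z", "10.0.0.5", "/about", 200),
          doc("2024-01-01T12:00:20Z", "10.0.0.6", "/index.html", 200),
          doc("2024-01-01T12:00:30Z", "10.0.0.6", "/index.html", 200)]
SAMPLE += [doc(f"2024-01-01T12:01:{i:02d}Z", "10.0.0.9", f"/old/page{i}", 404) for i in range(6)]
SAMPLE += [doc("2024-01-01T12:01:40Z", "10.0.0.9", "/index.html", 200)]

if __name__ == "__main__":
    for bucket, s in bucket_stats(SAMPLE).items():
        print(bucket, s)
        print("high_count outliers:", population_outliers(s["count_over_source"]))
        print("high_distinct_count outliers:", population_outliers(s["distinct_url_over_source"]))
```

The status-code partition is reported per code rather than compared across codes, mirroring partition_field_name semantics, where each status code gets its own baseline instead of being ranked against the others.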