This topic provides typical alert configuration examples for Web Application Firewall (WAF) log query and analysis. You can use the alert parameters provided here as a reference when you add monitoring charts and configure alerts in a custom WAF log dashboard.
This topic uses the alert configuration of the old version of Log Service as an example to describe the relevant parameters. If you have upgraded to the new version of Log Service alerting, use the query statements and recommended alert parameters in this topic together with the instructions in Quickly configure log alerts to complete the configuration.
Alert for abnormal 4XX ratio
Recommended alert parameters:
Chart name: 4XX ratio (blocked requests ignored)
Query statement:
user_id :您的阿里雲帳號ID and not real_client_ip :被攔截的請求IP | SELECT user_id, host AS "網域名稱", Rate_2XX AS "2XX比例", Rate_3XX AS "3XX比例", Rate_4XX AS "4XX比例", Rate_5XX AS "5XX比例", countall AS "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round (status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, count_if( status >= 200 and status < 300 ) AS status_2XX, count_if( status >= 300 and status < 400 ) AS status_3XX, count_if( status >= 400 and status < 500 and status <> 444 and status <> 405 ) AS status_4XX, count_if( status >= 500 and status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY host, user_id ) ) WHERE countall > 120 ORDER BY Rate_4XX DESC LIMIT 5
The chart contains the fields aveQPS, 2XX比例 (2XX ratio), 3XX比例 (3XX ratio), 4XX比例 (4XX ratio), and 5XX比例 (5XX ratio), which represent the QPS of each domain name and the share of each class of response status code. The 4XX比例 field excludes status codes 444 and 405, which WAF returns when it blocks CC attacks, web attacks, and similar requests, so that the chart reflects only status-code changes caused by the business itself. You can combine these fields freely when you set the trigger condition. For example, aveQPS>10 && 2XX比例<60 means that, within the configured statistical period, the QPS of the domain name exceeds 10 and the 2XX ratio is below 60%.
Query interval: 5 minutes (relative)
Frequency: fixed interval, 5 minutes
Trigger condition:
$0.countall>3000&& $0.4XX比例>80
Notification trigger threshold: 2 times
Notification interval: 10 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].網域名稱}
- 產品:WAF
- 最近5分鐘內總請求數:${Results[0].RawResults[0].countall}
- 2XX比例:${Results[0].RawResults[0].2XX比例} %
- 3XX比例:${Results[0].RawResults[0].3XX比例} %
- 4XX比例:${Results[0].RawResults[0].4XX比例} %
- 5XX比例:${Results[0].RawResults[0].5XX比例} %
Alert for abnormal 5XX ratio
Recommended alert parameters:
Chart name: 5XX ratio
Query statement:
user_id :您的阿里雲帳號ID and not real_client_ip :被攔截的請求IP | select user_id, host AS "網域名稱", Rate_2XX AS "2XX比例", Rate_3XX AS "3XX比例", Rate_4XX AS "4XX比例", Rate_5XX AS "5XX比例", countall AS "相對時間內訪問量", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round (status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, count_if( status >= 200 and status < 300 ) AS status_2XX, count_if( status >= 300 and status < 400 ) AS status_3XX, count_if( status >= 400 and status < 500 ) AS status_4XX, count_if( status >= 500 and status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY host, user_id ) ) WHERE countall > 120 ORDER BY Rate_5XX DESC LIMIT 5
Query interval: 5 minutes (relative)
Frequency: fixed interval, 5 minutes
Trigger condition:
$0.countall>3000&& $0.5XX比例>80
Notification trigger threshold: 2 times
Notification interval: 10 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].網域名稱}
- 產品:WAF
- 最近5分鐘內總請求數:${Results[0].RawResults[0].countall}
- 2XX比例:${Results[0].RawResults[0].2XX比例} %
- 3XX比例:${Results[0].RawResults[0].3XX比例} %
- 4XX比例:${Results[0].RawResults[0].4XX比例} %
- 5XX比例:${Results[0].RawResults[0].5XX比例} %
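As an added example (this code is not part of the original page and not Alibaba Cloud's own code), the following Python reproduces what the 4XX-ratio and 5XX-ratio queries above compute per host and then evaluates the alert parameters the way the two sections describe them: the trigger condition, the notification trigger threshold (the condition must hold in consecutive evaluations) and the notification interval. The log records, hostnames and the blocked IP address are constructed; the consecutive-evaluation model of the threshold counter is this example's assumption, not documented Log Service behaviour.

```python
from collections import defaultdict

# WAF answers blocked requests with 444 (CC protection) and 405 (web attack
# protection); the "4XX ratio (blocked requests ignored)" chart leaves them out
# so that only 4XX responses produced by the application itself are counted.
WAF_BLOCK_CODES = {444, 405}


def status_ratios(records, blocked_ips=(), exclude_waf_codes=True, min_count=120):
    """Per-host status-code counts and percentages, like the query's GROUP BY host.

    records: dicts with keys host, status, real_client_ip.
    blocked_ips: IPs dropped by the search part ("not real_client_ip: ...").
    Hosts with countall <= min_count are dropped (WHERE countall > 120).
    """
    buckets = defaultdict(lambda: {"status_2XX": 0, "status_3XX": 0,
                                   "status_4XX": 0, "status_5XX": 0, "countall": 0})
    for rec in records:
        if rec["real_client_ip"] in blocked_ips:
            continue
        b = buckets[rec["host"]]
        b["countall"] += 1
        s = rec["status"]
        if 200 <= s < 300:
            b["status_2XX"] += 1
        elif 300 <= s < 400:
            b["status_3XX"] += 1
        elif 400 <= s < 500 and not (exclude_waf_codes and s in WAF_BLOCK_CODES):
            b["status_4XX"] += 1
        elif 500 <= s < 600:
            b["status_5XX"] += 1
    rows = []
    for host, b in buckets.items():
        if b["countall"] <= min_count:
            continue
        row = {"host": host, **b}
        for cls in ("2XX", "3XX", "4XX", "5XX"):
            # round(round(status_xXX * 1.0000 / countall, 4) * 100, 2) in the query
            row["Rate_" + cls] = round(round(b["status_" + cls] / b["countall"], 4) * 100, 2)
        rows.append(row)
    return rows


def fires(row, rate_field="Rate_4XX", min_count=3000, min_rate=80):
    """Trigger condition $0.countall>3000 && $0.4XX比例>80 (or the 5XX variant)."""
    return row["countall"] > min_count and row[rate_field] > min_rate


def notifications(firing, threshold=2, interval=10, period=5):
    """Evaluation indices at which a notification is sent.

    firing: whether the trigger condition held at each evaluation, one entry
    per `period` minutes. threshold models the notification trigger threshold
    (consecutive firing evaluations needed, an assumption of this example);
    interval models the notification interval (minimum minutes between two
    notifications).
    """
    sent, streak, last_sent = [], 0, None
    for i, hit in enumerate(firing):
        now = i * period
        streak = streak + 1 if hit else 0
        if streak >= threshold and (last_sent is None or now - last_sent >= interval):
            sent.append(i)
            last_sent = now
    return sent


def sample_records():
    """Constructed WAF log records for one 5-minute window."""
    recs = []

    def add(host, status, ip, n):
        recs.extend({"host": host, "status": status, "real_client_ip": ip} for _ in range(n))

    add("shop.example.com", 200, "192.0.2.10", 100)
    add("shop.example.com", 404, "192.0.2.11", 15)
    add("shop.example.com", 444, "192.0.2.12", 6)      # CC-blocked, IP not excluded
    add("shop.example.com", 444, "198.51.100.7", 10)   # blocked IP, excluded by search
    add("api.example.com", 200, "192.0.2.13", 50)      # below 120 requests, dropped
    return recs


if __name__ == "__main__":
    for row in status_ratios(sample_records(), blocked_ips={"198.51.100.7"}):
        print(row["host"], row["countall"], "4XX:", row["Rate_4XX"], "fires:", fires(row))
    print("notify at evaluations:", notifications([True] * 5))
```

With the threshold set to 2 and the interval to 10 minutes, a condition that holds on every 5-minute evaluation notifies at the second and fourth evaluation, so a single noisy window never pages anyone and a sustained problem is reported at most once per interval.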
Alert for abnormal QPS
Recommended alert parameters:
Chart name: QPS TOP 5
Query statement:
user_id :您的阿里雲帳號ID and not real_client_ip :被攔截的請求IP | SELECT user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall / 60 as "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) as Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) as Rate_3XX, round( round (status_4XX * 1.0000 / countall, 4) * 100, 2 ) as Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) as Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM( SELECT user_id, host, count_if( status >= 200 and status < 300 ) as status_2XX, count_if( status >= 300 and status < 400 ) as status_3XX, count_if( status >= 400 and status < 500 and status <> 444 and status <> 405 ) as status_4XX, count_if( status >= 500 and status < 600 ) as status_5XX, COUNT(*) as countall FROM log GROUP BY host, user_id ) ) WHERE countall > 120 ORDER BY aveQPS DESC LIMIT 5
Query interval: 1 minute (relative)
Frequency: fixed interval, 1 minute
Trigger condition:
$0.aveQPS>=50
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].host}
- 產品:WAF
- 過去1分鐘平均QPS:${Results[0].RawResults[0].aveQPS}
- 響應碼 2xx_rate :${Results[0].RawResults[0].Rate_2XX}%
- 響應碼 3xx_rate :${Results[0].RawResults[0].Rate_3XX}%
- 響應碼 4xx_rate :${Results[0].RawResults[0].Rate_4XX}%
- 響應碼 5xx_rate :${Results[0].RawResults[0].Rate_5XX}%
Alert for QPS surge
Recommended alert parameters:
Chart name: QPS surge monitoring
Query statement:
user_id :您的阿里雲帳號ID | SELECT t1.user_id, t1.now1mQPS, t1.past1mQPS, in_ratio, t1.host, t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS FROM ( ( SELECT user_id, round(c [1] / 60, 0) AS now1mQPS, round(c [2] / 60, 0) AS past1mQPS, round( round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100 -100, 0 ) AS in_ratio, host FROM ( SELECT compare(t, 60) AS c, host, user_id FROM ( SELECT COUNT(*) AS t, host, user_id FROM log GROUP by host, user_id ) GROUP by host, user_id ) WHERE c [3] > 1.1 and ( c [1] > 180 or c [2] > 180 ) ) t1 JOIN ( SELECT user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall / 60 AS "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round(status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, host, count_if( status >= 200 and status < 300 ) AS status_2XX, count_if( status >= 300 and status < 400 ) AS status_3XX, count_if( status >= 400 and status < 500 and status <> 444 and status <> 405 ) AS status_4XX, count_if( status >= 500 and status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY host, user_id ) ) WHERE countall > 1 ) t2 on t1.host = t2.host ) ORDER BY in_ratio DESC LIMIT 5
Query interval: 1 minute (relative)
Frequency: fixed interval, 1 minute
Trigger condition:
$0.now1mqps>50&& $0.in_ratio>300
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].host}
- 產品:WAF
- 過去1分鐘平均QPS:${Results[0].RawResults[0].now1mqps}
- QPS突增率:${Results[0].RawResults[0].in_ratio}%
- 響應碼 2xx_Rate :${Results[0].RawResults[0].rate_2xx}%
- 響應碼 3xx_rate :${Results[0].RawResults[0].Rate_3XX}%
- 響應碼 4xx_rate :${Results[0].RawResults[0].Rate_4XX}%
- 響應碼 5xx_rate :${Results[0].RawResults[0].Rate_5XX}%
Alert for QPS drop
Recommended alert parameters:
Chart name: QPS drop monitoring
Query statement:
user_id :您的阿里雲帳號ID | SELECT t1.user_id, t1.now1mQPS, t1.past1mQPS, de_ratio, t1.host, t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS FROM ( ( SELECT user_id, round(c [1] / 60, 0) AS now1mQPS, round(c [2] / 60, 0) AS past1mQPS, round( 100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100, 2 ) AS de_ratio, host FROM ( SELECT compare(t, 60) AS c, host, user_id FROM ( SELECT COUNT(*) AS t, host, user_id FROM log GROUP BY host, user_id ) GROUP BY host, user_id ) WHERE c [3] < 0.9 AND ( c [1] > 180 or c [2] > 180 ) ) t1 JOIN ( SELECT user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall / 60 AS "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, host, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round(status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, host, count_if( status >= 200 and status < 300 ) AS status_2XX, count_if( status >= 300 and status < 400 ) AS status_3XX, count_if ( status >= 400 and status < 500 and status <> 444 and status <> 405 ) AS status_4XX, count_if( status >= 500 and status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY host, user_id ) ) WHERE countall > 1 ) t2 on t1.host = t2.host ) ORDER BY de_ratio DESC LIMIT 5
The chart contains the fields now1mqps (average QPS of the current minute), past1mqps (average QPS of the previous minute), de_ratio (QPS decrease rate, in percent), and host. You can use these fields to set the alert condition as needed.
Query interval: 1 minute (relative)
Frequency: fixed interval, 1 minute
Trigger condition:
$0.now1mqps>10&& $0.de_ratio>50
Notification trigger threshold: 2 times
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].host}
- 產品:WAF(海外)
- 過去1分鐘平均QPS:${Results[0].RawResults[0].now1mqps}
- QPS突降率:${Results[0].RawResults[0].de_ratio}%
- 響應碼 2xx_rate :${Results[0].RawResults[0].rate_2xx}%
- 響應碼 3xx_rate :${Results[0].RawResults[0].Rate_3XX}%
- 響應碼 4xx_rate :${Results[0].RawResults[0].Rate_4XX}%
- 響應碼 5xx_rate :${Results[0].RawResults[0].Rate_5XX}%
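As an added example (not code from the original page or from Alibaba Cloud), the following Python models what the QPS surge and QPS drop queries above derive from compare(t, 60): the current-minute and previous-minute request counts, their ratio, now1mQPS and past1mQPS, and in_ratio or de_ratio, with the same traffic filters and trigger conditions. The traffic drop query at the end of this topic uses the same pattern grouped by user_id instead of host. Request timestamps and hostnames are constructed; the guard for a previous minute that rounds to 0 QPS is this example's addition, since the queries as written divide by round(c[2] / 60, 0).

```python
from collections import defaultdict


def compare(current, previous):
    """Model of Log Service compare(x, n): [current value, value n seconds earlier, ratio]."""
    ratio = current / previous if previous else float("inf")   # guard added in this example
    return [current, previous, ratio]


def window_counts(records, now, window=60):
    """Request counts per host for [now-window, now) and [now-2*window, now-window)."""
    cur, prev = defaultdict(int), defaultdict(int)
    for ts, host in records:
        if now - window <= ts < now:
            cur[host] += 1
        elif now - 2 * window <= ts < now - window:
            prev[host] += 1
    return {h: compare(cur[h], prev[h]) for h in set(cur) | set(prev)}


def qps_change_rows(records, now, kind, window=60, limit=5):
    """Rows of the QPS surge (kind="surge") or QPS drop (kind="drop") chart.

    c[0], c[1], c[2] here correspond to c[1], c[2], c[3] in the SQL (1-based).
    """
    rows = []
    for host, c in window_counts(records, now, window).items():
        if not (c[0] > 180 or c[1] > 180):          # ignore low-traffic hosts
            continue
        if kind == "surge" and not c[2] > 1.1:
            continue
        if kind == "drop" and not c[2] < 0.9:
            continue
        now_qps, past_qps = round(c[0] / window), round(c[1] / window)
        if past_qps == 0:                            # guard: the SQL would divide by zero
            continue
        change = now_qps / past_qps * 100
        row = {"host": host, "now1mqps": now_qps, "past1mqps": past_qps}
        if kind == "surge":
            row["in_ratio"] = round(change - 100)    # round(now/past*100 - 100, 0)
        else:
            row["de_ratio"] = round(100 - change, 2) # round(100 - now/past*100, 2)
        rows.append(row)
    key = "in_ratio" if kind == "surge" else "de_ratio"
    return sorted(rows, key=lambda r: r[key], reverse=True)[:limit]


def surge_fires(row):
    """$0.now1mqps>50 && $0.in_ratio>300"""
    return row["now1mqps"] > 50 and row["in_ratio"] > 300


def drop_fires(row):
    """$0.now1mqps>10 && $0.de_ratio>50"""
    return row["now1mqps"] > 10 and row["de_ratio"] > 50


def sample_records(now=1000, window=60):
    """Constructed (timestamp, host) pairs covering the last two minutes."""
    recs = []

    def add(host, count, start):
        recs.extend((start + i * window / count, host) for i in range(count))

    add("a.example.com", 1200, now - 2 * window)   # 20 QPS a minute ago
    add("a.example.com", 6000, now - window)       # 100 QPS now: surge
    add("b.example.com", 3000, now - 2 * window)   # 50 QPS a minute ago
    add("b.example.com", 720, now - window)        # 12 QPS now: drop
    add("c.example.com", 30, now - 2 * window)     # too little traffic, filtered out
    add("c.example.com", 40, now - window)
    return recs


if __name__ == "__main__":
    for kind in ("surge", "drop"):
        for row in qps_change_rows(sample_records(), now=1000, kind=kind):
            print(kind, row, surge_fires(row) if kind == "surge" else drop_fires(row))
```

The (c[1] > 180 or c[2] > 180) filter is what keeps a domain that went from 2 to 8 requests per minute out of the surge list; without it, in_ratio would be dominated by idle domains with a handful of requests.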
Alert for ACL blocks within 5 minutes
Recommended alert parameters:
Chart name: ACL rule block count
Query statement:
user_id :您的阿里雲帳號ID | SELECT user_id, host, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS "規則防護引擎攔截量", count_if( final_plugin = 'cc' AND final_action = 'block' ) AS "CC攔截量", count_if( final_plugin = 'acl' AND final_action = 'block' ) AS "ACL攔截量", count_if( final_plugin = 'antiscan' AND final_action = 'block' ) AS "掃描防護攔截量", count_if( (final_plugin = 'waf' AND final_action = 'block') OR (final_plugin = 'cc' AND final_action = 'block') OR (final_plugin = 'acl' AND final_action = 'block') OR (final_plugin = 'antiscan' AND final_action = 'block') ) AS totalblock GROUP BY host, user_id HAVING ( "ACL攔截量" >= 0 AND "規則防護引擎攔截量" >= 0 AND "CC攔截量" >= 0 AND "掃描防護攔截量" >= 0 AND totalblock > 10 ) ORDER BY "ACL攔截量" DESC LIMIT 5
Query interval: 5 minutes (relative)
Frequency: fixed interval, 5 minutes
Trigger condition:
$0.totalblock>=500&&($0.ACL攔截量>=500)
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].host}
- 產品:WAF
- 最近5分鐘內攔截總量:${Results[0].RawResults[0].totalblock}
- ACL攔截量:${Results[0].RawResults[0].ACL攔截量}
- 規則防護引擎攔截量:${Results[0].RawResults[0].規則防護引擎攔截量}
- CC攔截量:${Results[0].RawResults[0].CC攔截量}
- 掃描防護攔截量:${Results[0].RawResults[0].掃描防護攔截量}
Alert for rule protection engine blocks within 5 minutes
Recommended alert parameters:
Chart name: Rule protection engine block count
Query statement:
user_id :您的阿里雲帳號ID | SELECT user_id, host, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS "規則防護引擎攔截量", count_if( final_plugin = 'cc' AND final_action = 'block' ) AS "CC攔截量", count_if( final_plugin = 'acl' AND final_action = 'block' ) AS "ACL攔截量", count_if( final_plugin = 'antiscan' AND final_action = 'block' ) AS "掃描防護攔截量", count_if( (final_plugin = 'waf' AND final_action = 'block') OR (final_plugin = 'cc' AND final_action = 'block') OR (final_plugin = 'acl' AND final_action = 'block') OR (final_plugin = 'antiscan' AND final_action = 'block') ) AS totalblock GROUP BY host, user_id HAVING ( "ACL攔截量" >= 0 AND "規則防護引擎攔截量" >= 0 AND "CC攔截量" >= 0 AND "掃描防護攔截量" >= 0 AND totalblock > 10 ) ORDER BY "規則防護引擎攔截量" DESC LIMIT 5
Query interval: 5 minutes (relative)
Frequency: fixed interval, 5 minutes
Trigger condition:
$0.totalblock>=500&&($0.規則防護引擎攔截量>=500)
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].host}
- 產品:WAF
- 最近5分鐘內攔截總量:${Results[0].RawResults[0].totalblock}
- ACL攔截量:${Results[0].RawResults[0].ACL攔截量}
- 規則防護引擎攔截量:${Results[0].RawResults[0].規則防護引擎攔截量}
- CC攔截量:${Results[0].RawResults[0].CC攔截量}
- 掃描防護攔截量:${Results[0].RawResults[0].掃描防護攔截量}
Alert for CC blocks within 5 minutes
Recommended alert parameters:
Chart name: CC protection rule block count
Query statement:
user_id :您的阿里雲帳號ID | SELECT user_id, host, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS "規則防護引擎攔截量", count_if( final_plugin = 'cc' AND final_action = 'block' ) AS "CC攔截量", count_if( final_plugin = 'acl' AND final_action = 'block' ) AS "ACL攔截量", count_if( final_plugin = 'antiscan' AND final_action = 'block' ) AS "掃描防護攔截量", count_if( (final_plugin = 'waf' AND final_action = 'block') OR (final_plugin = 'cc' AND final_action = 'block') OR (final_plugin = 'acl' AND final_action = 'block') OR (final_plugin = 'antiscan' AND final_action = 'block') ) AS totalblock GROUP BY host, user_id HAVING ( "ACL攔截量" >= 0 AND "規則防護引擎攔截量" >= 0 AND "CC攔截量" >= 0 AND "掃描防護攔截量" >= 0 AND totalblock > 10 ) ORDER BY "CC攔截量" DESC LIMIT 5
Query interval: 5 minutes (relative)
Frequency: fixed interval, 5 minutes
Trigger condition:
$0.totalblock>=500&&($0.CC攔截量>=500)
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].host}
- 產品:WAF
- 最近5分鐘內攔截總量:${Results[0].RawResults[0].totalblock}
- ACL攔截量:${Results[0].RawResults[0].ACL攔截量}
- 規則防護引擎攔截量:${Results[0].RawResults[0].規則防護引擎攔截量}
- CC攔截量:${Results[0].RawResults[0].CC攔截量}
- 掃描防護攔截量:${Results[0].RawResults[0].掃描防護攔截量}
Alert for scan blocks within 5 minutes
Recommended alert parameters:
Chart name: Scan protection block count
Query statement:
user_id :您的阿里雲帳號ID | SELECT user_id, host, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS "規則防護引擎攔截量", count_if( final_plugin = 'cc' AND final_action = 'block' ) AS "CC攔截量", count_if( final_plugin = 'acl' AND final_action = 'block' ) AS "ACL攔截量", count_if( final_plugin = 'antiscan' AND final_action = 'block' ) AS "掃描防護攔截量", count_if( (final_plugin = 'waf' AND final_action = 'block') OR (final_plugin = 'cc' AND final_action = 'block') OR (final_plugin = 'acl' AND final_action = 'block') OR (final_plugin = 'antiscan' AND final_action = 'block') ) AS totalblock GROUP BY host, user_id HAVING ( "ACL攔截量" >= 0 AND "規則防護引擎攔截量" >= 0 AND "CC攔截量" >= 0 AND "掃描防護攔截量" >= 0 AND totalblock > 10 ) ORDER BY "掃描防護攔截量" DESC LIMIT 5
Query interval: 5 minutes (relative)
Frequency: fixed interval, 5 minutes
Trigger condition:
$0.totalblock>=500&&($0.掃描防護攔截量>=500)
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].host}
- 產品:WAF(海外)
- 最近5分鐘內攔截總量:${Results[0].RawResults[0].totalblock}
- ACL攔截量:${Results[0].RawResults[0].ACL攔截量}
- 規則防護引擎攔截量:${Results[0].RawResults[0].規則防護引擎攔截量}
- CC攔截量:${Results[0].RawResults[0].CC攔截量}
- 掃描防護攔截量:${Results[0].RawResults[0].掃描防護攔截量}
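As an added example (not code from the original page or from Alibaba Cloud), the following Python reproduces the per-host aggregation shared by the four block-count alerts above (ACL, rule protection engine, CC and scan protection): it counts blocked requests per WAF module from final_plugin and final_action, applies HAVING totalblock > 10, sorts by the module of interest, and evaluates the trigger condition totalblock >= 500 && <module> >= 500. Hostnames, the "pass" action value and the log records are constructed.

```python
from collections import defaultdict

# final_plugin values the queries count, mapped to the column aliases they use
BLOCK_PLUGINS = {
    "waf": "規則防護引擎攔截量",   # rule protection engine
    "cc": "CC攔截量",              # CC protection
    "acl": "ACL攔截量",            # ACL (access control) rules
    "antiscan": "掃描防護攔截量",  # scan protection
}


def block_counts(records, min_total=10):
    """Per-host block counts by module, like GROUP BY host ... HAVING totalblock > 10."""
    def empty():
        row = dict.fromkeys(BLOCK_PLUGINS.values(), 0)
        row["totalblock"] = 0
        return row

    per_host = defaultdict(empty)
    for rec in records:
        label = BLOCK_PLUGINS.get(rec["final_plugin"])
        # only rows with final_action = 'block' for one of the four modules count
        if rec["final_action"] != "block" or label is None:
            continue
        row = per_host[rec["host"]]
        row[label] += 1
        row["totalblock"] += 1
    return [{"host": h, **c} for h, c in per_host.items() if c["totalblock"] > min_total]


def top_by(rows, field, limit=5):
    """ORDER BY <field> DESC LIMIT 5"""
    return sorted(rows, key=lambda r: r[field], reverse=True)[:limit]


def fires(row, field, min_total=500, min_field=500):
    """$0.totalblock>=500 && ($0.<field>>=500)"""
    return row["totalblock"] >= min_total and row[field] >= min_field


def sample_records():
    """Constructed WAF log records for one 5-minute window."""
    recs = []

    def add(host, plugin, action, n):
        recs.extend({"host": host, "final_plugin": plugin, "final_action": action}
                    for _ in range(n))

    add("www.example.com", "cc", "block", 520)
    add("www.example.com", "acl", "block", 30)
    add("www.example.com", "waf", "pass", 40)        # passed, not a block (constructed value)
    add("api.example.com", "acl", "block", 8)
    add("api.example.com", "antiscan", "block", 2)   # totalblock 10, not > 10
    return recs


if __name__ == "__main__":
    for row in top_by(block_counts(sample_records()), "CC攔截量"):
        print(row, "CC alert fires:", fires(row, "CC攔截量"))
```

Because the four alerts share one aggregation and differ only in the sort column and the module in the condition, a host with 550 blocks of which 520 come from CC protection fires the CC alert but not the ACL one, which is what lets each alert name the module that is actually under load.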
Alert for attack volume from a single IP address
Recommended alert parameters:
Chart name: Attack volume per IP address
Query statement:
user_id :您的阿里雲帳號ID | SELECT user_id, real_client_ip, concat( 'ACL攔截量:', cast(aclblock AS varchar(10)), ' ', '規則防護引擎攔截量:', cast(wafblock AS varchar(10)), ' ', 'CC攔截量:', cast(ccblock AS varchar(10)) ) AS blockNum, totalblock, allRequest FROM ( SELECT user_id, real_client_ip, count_if( final_plugin = 'acl' AND final_action = 'block' ) AS aclblock, count_if( final_plugin = 'waf' AND final_action = 'block' ) AS wafblock, count_if( final_plugin = 'cc' AND final_action = 'block' ) AS ccblock, count_if( ( final_plugin = 'acl' AND final_action = 'block' ) OR ( final_plugin = 'waf' AND final_action = 'block' ) OR ( final_plugin = 'cc' AND final_action = 'block' ) ) AS totalblock, COUNT(*) AS allRequest FROM log GROUP BY user_id, real_client_ip HAVING totalblock > 1 ORDER BY totalblock DESC LIMIT 5 )
The chart contains the fields real_client_ip (attacking IP address), blockNum (a string containing the ACL, rule protection engine, and CC block counts), totalblock (total number of blocked requests), and allRequest (total number of requests). You can use these fields to set the alert condition as needed.
Query interval: 5 minutes (relative)
Frequency: fixed interval, 5 minutes
Trigger condition:
$0.totalblock >=500
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 產品:WAF
- 最近5分鐘內單IP攻擊排行Top3:
- ${Results[0].RawResults[0].real_client_ip} (${Results[0].RawResults[0].blockNum})
- ${Results[0].RawResults[1].real_client_ip} (${Results[0].RawResults[1].blockNum})
- ${Results[0].RawResults[2].real_client_ip} (${Results[0].RawResults[2].blockNum})
Alert for number of domain names attacked by a single IP address
Recommended alert parameters:
Chart name: Number of domain names attacked per IP address
Query statement:
user_id :您的阿里雲帳號ID | SELECT user_id, real_client_ip, totalblock, domainnum FROM ( SELECT user_id, real_client_ip, count_if( final_action = 'block' ) AS totalblock, count( DISTINCT if( final_action = 'block', host ) ) AS domainnum FROM log GROUP BY user_id, real_client_ip HAVING totalblock > 1 ORDER BY domainnum DESC LIMIT 5 )
The chart contains the fields real_client_ip (attacking IP address), totalblock (total number of blocked requests), and domainnum (number of domain names attacked by that IP address). You can combine these fields freely when you set the trigger condition. For example, totalblock>500&& domainnum>5 means that, within the statistical period, the total attack volume of an IP address reaches 500 and it attacked more than 5 domain names.
Query interval: 5 minutes (relative)
Frequency: fixed interval, 1 minute
Trigger condition:
$0.domainnum>=10
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 產品:WAF
- 攻擊IP:${Results[0].RawResults[0].real_client_ip}
- 攻擊的網域名稱數:${Results[0].RawResults[0].domainnum}
- 最近5分鐘總攻擊請求數:${Results[0].RawResults[0].totalblock}
- 請及時關注處理
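As an added example (not code from the original page or from Alibaba Cloud), the following Python reproduces the per-IP aggregation behind the single-IP attack volume and single-IP domain count alerts above: block counts by module, the blockNum summary string, totalblock, allRequest and domainnum (distinct domain names on which the IP was blocked), with the HAVING totalblock > 1 filter and both trigger conditions. IP addresses, hostnames, the "pass" action value and the records are constructed.

```python
from collections import defaultdict

COUNTED = ("acl", "waf", "cc")   # final_plugin values the single-IP attack volume query counts


def per_ip_attacks(records, limit=5):
    """One row per real_client_ip, like GROUP BY user_id, real_client_ip HAVING totalblock > 1."""
    agg = defaultdict(lambda: {"aclblock": 0, "wafblock": 0, "ccblock": 0,
                               "totalblock": 0, "allRequest": 0, "hosts": set()})
    for rec in records:
        a = agg[rec["real_client_ip"]]
        a["allRequest"] += 1                       # COUNT(*)
        if rec["final_action"] == "block" and rec["final_plugin"] in COUNTED:
            a[rec["final_plugin"] + "block"] += 1  # count_if(final_plugin = ... AND block)
            a["totalblock"] += 1
            a["hosts"].add(rec["host"])            # feeds count(DISTINCT host) over blocks
    rows = []
    for ip, a in agg.items():
        if a["totalblock"] <= 1:
            continue
        rows.append({
            "real_client_ip": ip,
            # concat('ACL攔截量:', aclblock, ' ', '規則防護引擎攔截量:', wafblock, ' ', 'CC攔截量:', ccblock)
            "blockNum": "ACL攔截量:%d 規則防護引擎攔截量:%d CC攔截量:%d"
                        % (a["aclblock"], a["wafblock"], a["ccblock"]),
            "totalblock": a["totalblock"],
            "allRequest": a["allRequest"],
            "domainnum": len(a["hosts"]),
        })
    return sorted(rows, key=lambda r: r["totalblock"], reverse=True)[:limit]


def attack_volume_fires(row):
    """$0.totalblock >= 500"""
    return row["totalblock"] >= 500


def domain_count_fires(row):
    """$0.domainnum >= 10"""
    return row["domainnum"] >= 10


def sample_records():
    """Constructed WAF log records for one 5-minute window."""
    recs = []

    def add(ip, host, plugin, action, n):
        recs.extend({"real_client_ip": ip, "host": host, "final_plugin": plugin,
                     "final_action": action} for _ in range(n))

    add("203.0.113.10", "a.example.com", "acl", "block", 300)
    add("203.0.113.10", "b.example.com", "cc", "block", 250)
    add("203.0.113.10", "a.example.com", "waf", "pass", 50)    # passed request
    add("203.0.113.11", "a.example.com", "acl", "block", 1)    # only one block, dropped
    for i in range(12):                                        # one block on each of 12 domains
        add("203.0.113.12", "site%d.example.com" % i, "waf", "block", 1)
    return recs


if __name__ == "__main__":
    for row in per_ip_attacks(sample_records()):
        print(row["real_client_ip"], row["blockNum"], "volume:", attack_volume_fires(row),
              "domains:", domain_count_fires(row))
```

The two alerts catch different behaviour: the first IP is loud against two domains and trips the volume condition, while the third IP generates only twelve blocks but spreads them across twelve domains, which is what the domain count condition is for.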
Alert for abnormal 5-minute average latency
Recommended alert parameters:
Chart name: Average latency monitoring
Query statement:
user_id :您的阿里雲帳號ID and not upstream_status :504 and not upstream_addr :'-' and request_time_msec < 5000 and upstream_status :200 and not ua_browser :bot | SELECT user_id, host, upstream_time, request_time, requestnum FROM ( SELECT user_id, host, round(avg(upstream_response_time), 2) * 1000 AS upstream_time, round(avg(request_time_msec), 2) AS request_time, COUNT(*) AS requestnum FROM log GROUP BY host, user_id ) WHERE requestnum > 30 ORDER BY request_time DESC LIMIT 5
Query interval: 5 minutes (relative)
Frequency: fixed interval, 5 minutes
Trigger condition:
$0.request_time>1000&& $0.requestnum>30
Notification trigger threshold: 2 times
Notification interval: 10 minutes
Notification content:
- [時間]:${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- 網域名稱:${Results[0].RawResults[0].host}
- 產品:WAF(海外)
- [觸發條件]:${condition}
- 最近5分鐘延時情況TOP 3(毫秒)
- Host1:${Results[0].RawResults[0].host} Delay_time:${Results[0].RawResults[0].upstream_time}
- Host2:${Results[0].RawResults[1].host} Delay_time:${Results[0].RawResults[1].upstream_time}
- Host3:${Results[0].RawResults[2].host} Delay_time:${Results[0].RawResults[2].upstream_time}
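As an added example (not code from the original page or from Alibaba Cloud), the following Python applies the same filters as the search part of the latency query above (upstream_status 200 only, a real upstream_addr, request_time_msec below 5000, non-bot user agents), averages upstream_response_time and request_time_msec per host, keeps hosts with more than 30 requests and evaluates the trigger condition. Hostnames, addresses and records are constructed; upstream_response_time is assumed to be in seconds, which is why the query multiplies its average by 1000.

```python
from collections import defaultdict


def keep(rec):
    """Search-part filters of the query (everything before the '|')."""
    return (rec["upstream_status"] == 200          # upstream_status: 200 (also drops 504s)
            and rec["upstream_addr"] != "-"        # request actually reached a backend
            and rec["request_time_msec"] < 5000    # drop outliers over 5 s
            and rec["ua_browser"] != "bot")        # ignore crawlers


def latency_rows(records, min_requests=30, limit=5):
    """Average latency per host, like SELECT ... GROUP BY host ... WHERE requestnum > 30."""
    per_host = defaultdict(lambda: {"upstream": 0.0, "request": 0.0, "n": 0})
    for rec in records:
        if not keep(rec):
            continue
        h = per_host[rec["host"]]
        h["upstream"] += rec["upstream_response_time"]   # seconds (assumed unit)
        h["request"] += rec["request_time_msec"]         # milliseconds
        h["n"] += 1
    rows = []
    for host, h in per_host.items():
        if h["n"] <= min_requests:
            continue
        rows.append({
            "host": host,
            # round(avg(upstream_response_time), 2) * 1000: rounds to 10 ms before converting
            "upstream_time": round(h["upstream"] / h["n"], 2) * 1000,
            "request_time": round(h["request"] / h["n"], 2),
            "requestnum": h["n"],
        })
    return sorted(rows, key=lambda r: r["request_time"], reverse=True)[:limit]


def fires(row):
    """$0.request_time>1000 && $0.requestnum>30"""
    return row["request_time"] > 1000 and row["requestnum"] > 30


def sample_records():
    """Constructed WAF log records for one 5-minute window."""
    recs = []

    def add(host, upstream_s, request_ms, n, status=200, addr="10.0.0.1", ua="chrome"):
        recs.extend({"host": host, "upstream_response_time": upstream_s,
                     "request_time_msec": request_ms, "upstream_status": status,
                     "upstream_addr": addr, "ua_browser": ua} for _ in range(n))

    add("slow.example.com", 1.2, 1250, 31)                        # slow backend, > 30 requests
    add("fast.example.com", 0.05, 80, 40)
    add("fast.example.com", 4.0, 6000, 5)                         # over 5 s, filtered out
    add("fast.example.com", 2.0, 2100, 3, ua="bot")               # crawler, filtered out
    add("fast.example.com", 0.0, 30000, 2, status=504, addr="-")  # timed out, filtered out
    add("few.example.com", 3.0, 3100, 10)                         # too few requests, dropped
    return recs


if __name__ == "__main__":
    for row in latency_rows(sample_records()):
        print(row, "fires:", fires(row))
```

Note that the query rounds the average upstream time to two decimal places in seconds before multiplying by 1000, so upstream_time has a resolution of 10 ms; request_time, computed directly in milliseconds, is the field the trigger condition uses.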
Alert for traffic drop
Recommended alert parameters:
Chart name: Traffic drop monitoring
Query statement:
user_id :您的阿里雲帳號ID | SELECT t1.user_id, t1.now1mQPS, t1.past1mQPS, de_ratio, t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS FROM ( ( SELECT user_id, round(c [1] / 60, 0) AS now1mQPS, round(c [2] / 60, 0) AS past1mQPS, round( 100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100, 2 ) AS de_ratio FROM ( SELECT compare(t, 60) AS c, user_id FROM ( SELECT COUNT(*) AS t, user_id FROM log GROUP BY user_id ) GROUP BY user_id ) WHERE c [3] < 0.9 AND ( c [1] > 180 or c [2] > 180 ) ) t1 JOIN ( SELECT user_id, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall / 60 AS "aveQPS", status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, round( round(status_2XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_2XX, round( round(status_3XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_3XX, round( round(status_4XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_4XX, round( round(status_5XX * 1.0000 / countall, 4) * 100, 2 ) AS Rate_5XX, status_2XX, status_3XX, status_4XX, status_5XX, countall FROM ( SELECT user_id, count_if( status >= 200 AND status < 300 ) AS status_2XX, count_if( status >= 300 AND status < 400 ) AS status_3XX, count_if ( status >= 400 AND status < 500 AND status <> 444 AND status <> 405 ) AS status_4XX, count_if( status >= 500 AND status < 600 ) AS status_5XX, COUNT(*) AS countall FROM log GROUP BY user_id ) ) WHERE countall > 0 ) t2 ON t1.user_id = t2.user_id ) ORDER BY de_ratio DESC LIMIT 5
Query interval: 1 minute (relative)
Frequency: fixed interval, 1 minute
Trigger condition:
$0.de_ratio>50&& $0.now1mqps>20
Notification trigger threshold: 1 time
Notification interval: 5 minutes
Notification content:
- [時間]:${FireTime}
- [UID]:${Results[0].RawResults[0].user_id}
- 產品:WAF
- 過去1分鐘平均QPS:${Results[0].RawResults[0].now1mqps}
- [觸發條件(突降率&QPS)]:${condition}
- QPS突降率:${Results[0].RawResults[0].de_ratio}%
- 響應碼 2xx_rate :${Results[0].RawResults[0].rate_2xx}%
- 響應碼 3xx_rate :${Results[0].RawResults[0].Rate_3XX}%
- 響應碼 4xx_rate :${Results[0].RawResults[0].Rate_4XX}%
- 響應碼 5xx_rate :${Results[0].RawResults[0].Rate_5XX}%