本实践提供了13个典型的Web应用防火墙(WAF)日志查询分析告警场景的配置范例。您可以参考本文的SQL语句模板在WAF日志仪表盘中配置图表,并按照告警参数配置建议配置告警。
使用须知
使用本参考前,您必须已完成创建WAF日志分析仪表盘。更多信息,请参见步骤1:创建WAF日志分析仪表盘。
- 关于在仪表盘中配置图表的步骤,请参见步骤2:配置日志图表。
- 关于在仪表盘中配置告警的步骤,请参见步骤3:配置日志告警。
本参考提供以下13个告警配置范例。
| 序号 | 告警场景 |
|---|---|
| 1 | 4XX比例异常告警 |
| 2 | 5XX比例异常告警 |
| 3 | QPS异常告警 |
| 4 | QPS突增告警 |
| 5 | QPS突降告警 |
| 6 | 5分钟内ACL拦截情况告警 |
| 7 | 5分钟内WAF拦截情况告警 |
| 8 | 5分钟内CC拦截情况告警 |
| 9 | 5分钟内扫描拦截情况告警 |
| 10 | 单IP攻击量预警 |
| 11 | 单IP攻击域名数量告警 |
| 12 | 5分钟平均时延情况 |
| 13 | UID维度流量突降告警 |
4XX比例异常告警
图表名称:4XX比例(忽略拦截数据)
SQL语句模板
user_id:11111111110000 and not
real_client_ip:1.1.1.1|select user_id,host as "域名",Rate_2XX as
"2XX比例",Rate_3XX as "3XX比例",Rate_4XX as "4XX比例",Rate_5XX
as "5XX比例",countall as
"aveQPS",status_2XX,status_3XX,status_4XX,status_5XX,countall
from(select user_id,host,round(round(status_2XX*1.0000/countall,4)*100,2) as
Rate_2XX,round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
round(round
(status_4XX*1.0000/countall,4)*100,2) as
Rate_4XX,round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,status_2XX,status_3XX,status_4XX,status_5XX,countall
from(select user_id,
host,count_if(status>=200 and status<300) as
status_2XX,count_if(status>=300 and status<400) as
status_3XX,count_if(status>=400 and status<500 and status<>444 and
status<>405 ) as status_4XX,count_if(status>=500 and
status<600) as
status_5XX,COUNT(*) as countall group by host,user_id)) where countall>120 order by Rate_4XX DESC limit 5告警参数配置建议:
该图表包含以下字段:aveQPS、2XX比例、3XX比例、4XX比例、5XX比例,分别表示域名QPS和各类型响应状态码的占比。其中,4XX比例不包含WAF拦截的CC攻击和Web攻击等造成的444和405状态码,以便只展示因业务自身原因造成的状态码变化。在设置告警触发条件时,您可以自由组合上述字段。例如,aveQPS>10 && 2XX比例<60表示在设定的统计时间内指定域名的QPS达到10以上且2XX比例小于60%。
- 查询区间:建议设置为5分钟
- 频率:建议设置为5分钟
- 触发条件:
$0.countall>3000&& $0.4XX比例>80 - 触发通知阈值:2次
- 通知间隔:10分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].域名} - 产品:WAF - 最近5分钟内总请求数:${Results[0].RawResults[0].countall} - 2XX比例:${Results[0].RawResults[0].2XX比例} % - 3XX比例:${Results[0].RawResults[0].3XX比例} % - 4XX比例:${Results[0].RawResults[0].4XX比例} % - 5XX比例:${Results[0].RawResults[0].5XX比例} %
告警样例
5XX比例异常告警
图表名称:5XX比例
SQL语句模板
user_id:11111111110000 and not
real_client_ip:1.1.1.1|select user_id,host as "域名",Rate_2XX as
"2XX比例",Rate_3XX as "3XX比例",Rate_4XX as "4XX比例",Rate_5XX
as "5XX比例",countall as "相对时间内访问量",status_2XX,status_3XX,status_4XX,status_5XX,countall
from(select user_id,host,round(round(status_2XX*1.0000/countall,4)*100,2) as
Rate_2XX,round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
round(round
(status_4XX*1.0000/countall,4)*100,2) as
Rate_4XX,round(round(status_5XX*1.0000/countall,4)*100,2) as
Rate_5XX,status_2XX,status_3XX,status_4XX,status_5XX,countall from(select
user_id,
host,count_if(status>=200 and status<300) as
status_2XX,count_if(status>=300 and status<400) as
status_3XX,count_if(status>=400 and status<500) as
status_4XX,count_if(status>=500 and
status<600) as
status_5XX,COUNT(*) as countall group by host,user_id)) where countall>120 order by Rate_5XX DESC limit 5告警参数配置建议:
- 查询区间:建议设置为5分钟
- 频率:建议设置为5分钟
- 触发条件:
$0.countall>3000&& $0.5XX比例>80 - 触发通知阈值:2次
- 通知间隔:10分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].域名} - 产品:WAF - 最近5分钟内总请求数:${Results[0].RawResults[0].countall} - 2XX比例:${Results[0].RawResults[0].2XX比例} % - 3XX比例:${Results[0].RawResults[0].3XX比例} % - 4XX比例:${Results[0].RawResults[0].4XX比例} % - 5XX比例:${Results[0].RawResults[0].5XX比例} %
告警样例
QPS异常告警
图表名称:QPS TOP5
SQL语句模板
user_id: 11111111110000 and not
real_client_ip:1.1.1.1|select
user_id,host,Rate_2XX,Rate_3XX,Rate_4XX,Rate_5XX,countall/60 as
"aveQPS",status_2XX,status_3XX,status_4XX,status_5XX,countall
from(select user_id,host,round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,round(round(status_3XX*1.0000/countall,4)*100,2)
as Rate_3XX, round(round
(status_4XX*1.0000/countall,4)*100,2) as
Rate_4XX,round(round(status_5XX*1.0000/countall,4)*100,2) as
Rate_5XX,status_2XX,status_3XX,status_4XX,status_5XX,countall from(select
user_id,
host,count_if(status>=200 and status<300) as
status_2XX,count_if(status>=300 and status<400) as
status_3XX,count_if(status>=400 and status<500 and status<>444 and
status<>405 ) as status_4XX,count_if(status>=500 and
status<600) as
status_5XX,COUNT(*) as countall group by host,user_id)) where countall>120 order by aveQPS DESC limit 5告警参数配置建议:
- 查询区间:建议设置为1分钟
- 频率:建议设置为1分钟
- 触发条件:
$0.aveQPS>=50 - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].host} - 产品:WAF - 过去1分钟平均QPS:${Results[0].RawResults[0].aveQPS} - 响应码 2xx_rate :${Results[0].RawResults[0].Rate_2XX}% - 响应码 3xx_rate :${Results[0].RawResults[0].Rate_3XX}% - 响应码 4xx_rate :${Results[0].RawResults[0].Rate_4XX}% - 响应码 5xx_rate :${Results[0].RawResults[0].Rate_5XX}%
告警样例
QPS突增告警
图表名称:QPS突增情况
SQL语句模板
user_id: 11111111110000 |select
t1.user_id,t1.now1mQPS,t1.past1mQPS,in_ratio,t1.host,t2.Rate_2XX,Rate_3XX,Rate_4XX,Rate_5XX,aveQPS
from (
(
SELECT
user_id,round(c[1]/60,0) as now1mQPS,round(c[2]/60,0) as past1mQPS,
round(round(c[1]/60,0)/round(c[2]/60,0)*100-100,0) as in_ratio ,host from
(SELECT
compare(t, 60) as c,host, user_id from
(SELECT
COUNT(*) as t,host,user_id from log GROUP by host, user_id ) GROUP by host, user_id) where c[3] >1.1
and (c[1]>180 or c[2]>180
)
)t1
join
(select
user_id,host,Rate_2XX,Rate_3XX,Rate_4XX,Rate_5XX,countall/60 as
"aveQPS",status_2XX,status_3XX,status_4XX,status_5XX,countall from
(select
user_id,host,round(round(status_2XX*1.0000/countall,4)*100,2) as
Rate_2XX,round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
round(round(status_4XX*1.0000/countall,4)*100,2) as
Rate_4XX,round(round(status_5XX*1.0000/countall,4)*100,2) as
Rate_5XX,status_2XX,status_3XX,status_4XX,status_5XX,countall from
(select
user_id, host,count_if(status>=200 and status<300) as
status_2XX,count_if(status>=300 and status<400) as
status_3XX,count_if(status>=400 and status<500 and status<>444 and
status<>405 ) as status_4XX,count_if(status>=500 and status<600) as
status_5XX,COUNT(*) as countall from log group by host,user_id)
) where countall>1
)t2
on t1.host=t2.host) order by in_ratio DESC
limit 5告警参数配置建议:
- 查询区间:建议设置为1分钟
- 频率:建议设置为1分钟
- 触发条件:
$0.now1mqps>50&& $0.in_ratio>300 - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].host} - 产品:WAF - 过去1分钟平均QPS:${Results[0].RawResults[0].now1mqps} - QPS突增率:${Results[0].RawResults[0].in_ratio}% - 响应码 2xx_Rate :${Results[0].RawResults[0].rate_2xx}% - 响应码 3xx_rate :${Results[0].RawResults[0].Rate_3XX}% - 响应码 4xx_rate :${Results[0].RawResults[0].Rate_4XX}% - 响应码 5xx_rate :${Results[0].RawResults[0].Rate_5XX}%
告警样例
QPS突降告警
图表名称:QPS突降情况
SQL语句模板
user_id: 11111111110000 |select
t1.user_id,t1.now1mQPS,t1.past1mQPS,de_ratio,t1.host,t2.Rate_2XX,Rate_3XX,Rate_4XX,Rate_5XX,aveQPS
from (
(
SELECT
user_id,round(c[1]/60,0) as now1mQPS,round(c[2]/60,0) as past1mQPS,
round(100-round(c[1]/60,0)/round(c[2]/60,0)*100,2) as de_ratio,host from
(SELECT compare(t, 60) as c,host, user_id from
(SELECT
COUNT(*) as t,host,user_id from log GROUP by host, user_id ) GROUP by host, user_id ) where c[3] <0.9
and (c[1]>180 or c[2]>180
)
)t1
join
(select
user_id,host,Rate_2XX,Rate_3XX,Rate_4XX,Rate_5XX,countall/60 as
"aveQPS",status_2XX,status_3XX,status_4XX,status_5XX,countall from
(select
user_id,host,round(round(status_2XX*1.0000/countall,4)*100,2) as
Rate_2XX,round(round(status_3XX*1.0000/countall,4)*100,2) as
Rate_3XX,
round(round(status_4XX*1.0000/countall,4)*100,2) as
Rate_4XX,round(round(status_5XX*1.0000/countall,4)*100,2) as
Rate_5XX,status_2XX,status_3XX,status_4XX,status_5XX,countall
from
(select
user_id, host,count_if(status>=200 and status<300) as
status_2XX,count_if(status>=300 and status<400) as status_3XX,count_if
(status>=400 and status<500 and status<>444
and status<>405 ) as status_4XX,count_if(status>=500 and
status<600) as status_5XX,COUNT(*) as countall from log group by host,user_id)
) where countall>1
)t2 on
t1.host=t2.host) order by de_ratio DESC limit 5告警参数配置建议:
该图表中包含
now1mpqs(当前一分钟平均QPS)、past1mqps(过去一分钟平均QPS)、de_ratio(QPS下降率)、host等字段,您可以根据需要使用这些字段设置告警条件。
- 查询区间:建议设置为1分钟
- 频率:建议设置为1分钟
- 触发条件:
$0.now1mqps>10&& $0.de_ratio>50 - 触发通知阈值:2次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].host} - 产品:WAF(海外) - 过去1分钟平均QPS:${Results[0].RawResults[0].now1mqps} - QPS突降率:${Results[0].RawResults[0].de_ratio}% - 响应码 2xx_rate :${Results[0].RawResults[0].rate_2xx}% - 响应码 3xx_rate :${Results[0].RawResults[0].Rate_3XX}% - 响应码 4xx_rate :${Results[0].RawResults[0].Rate_4XX}% - 响应码 5xx_rate :${Results[0].RawResults[0].Rate_5XX}%
告警样例
5分钟内ACL拦截情况告警
图表名称:相应时间内ACL拦截情况
SQL语句模板
user_id:
11111111110000 |select user_id,host,count_if(block_action='antiscan') as "防扫描拦截量",count_if(block_action='acl')
as "ACL拦截量",count_if(aliwaf_action='block')
as "WAF拦截量",count_if(cc_action='close') as
"CC拦截量",count_if(block_action='acl' or
aliwaf_action='block' or cc_action='close' or block_action='antiscan') as
totalblock group by host,user_id having
("ACL拦截量" >=0 and "WAF拦截量" >=0 and "CC拦截量">=0
and totalblock>10) order by "ACL拦截量" DESC limit 5告警参数配置建议:
- 查询区间:建议设置为5分钟
- 频率:建议设置为5分钟
- 触发条件:
$0.totalblock>=500&&($0.ACL拦截量>=500) - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].host} - 产品:WAF - 最近5分钟内拦截总量:${Results[0].RawResults[0].totalblock} - ACL拦截量:${Results[0].RawResults[0].ACL拦截量} - WAF拦量:${Results[0].RawResults[0].WAF拦截量} - CC拦截量:${Results[0].RawResults[0].CC拦截量} - 防扫描拦截量:${Results[0].RawResults[0].防扫描拦截量}
5分钟内WAF拦截情况告警
图表名称:相应时间内WAF拦截情况
SQL语句模板
user_id:11111111110000
|select user_id,host,count_if(block_action='antiscan') as "防扫描拦截量",count_if(block_action='acl')
as "ACL拦截量",count_if(aliwaf_action='block')
as "WAF拦截量",count_if(cc_action='close') as
"CC拦截量",count_if(block_action='acl' or
aliwaf_action='block' or cc_action='close' or block_action='antiscan') as
totalblock group by host,user_id having
("ACL拦截量" >=0 and "WAF拦截量" >=0 and "CC拦截量">=0
and totalblock>10) order by "WAF拦截量" DESC limit 5告警参数配置建议:
- 查询区间:建议设置为5分钟
- 频率:建议设置为5分钟
- 触发条件:
$0.totalblock>=500&&($0.WAF拦截量>=500) - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].host} - 产品:WAF - 最近5分钟内拦截总量:${Results[0].RawResults[0].totalblock} - ACL拦截量:${Results[0].RawResults[0].ACL拦截量} - WAF拦量:${Results[0].RawResults[0].WAF拦截量} - CC拦截量:${Results[0].RawResults[0].CC拦截量} - 防扫描拦截量:${Results[0].RawResults[0].防扫描拦截量}
5分钟内CC拦截情况告警
图表名称:相应时间内CC拦截情况
SQL语句模板
user_id:
11111111110000 |select user_id,host,count_if(block_action='antiscan') as "防扫描拦截量",count_if(block_action='acl')
as "ACL拦截量",count_if(aliwaf_action='block')
as "WAF拦截量",count_if(cc_action='close') as
"CC拦截量",count_if(block_action='acl' or
aliwaf_action='block' or cc_action='close' or block_action='antiscan') as
totalblock group by host,user_id having
("ACL拦截量" >=0 and "WAF拦截量" >=0 and "CC拦截量">=0
and totalblock>10) order by "CC拦截量" DESC limit 5告警参数配置建议:
- 查询区间:建议设置为5分钟
- 频率:建议设置为5分钟
- 触发条件:
$0.totalblock>=500&&($0.CC拦截量>=500) - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].host} - 产品:WAF - 最近5分钟内拦截总量:${Results[0].RawResults[0].totalblock} - ACL拦截量:${Results[0].RawResults[0].ACL拦截量} - WAF拦量:${Results[0].RawResults[0].WAF拦截量} - CC拦截量:${Results[0].RawResults[0].CC拦截量} - 防扫描拦截量:${Results[0].RawResults[0].防扫描拦截量}
5分钟内扫描拦截情况告警
图表名称:相应时间内防扫描拦截情况
SQL语句模板
user_id:
11111111110000 |select user_id,host,count_if(block_action='antiscan') as "防扫描拦截量",count_if(block_action='acl')
as "ACL拦截量",count_if(aliwaf_action='block')
as "WAF拦截量",count_if(cc_action='close') as
"CC拦截量",count_if(block_action='acl' or
aliwaf_action='block' or cc_action='close' or block_action='antiscan') as
totalblock group by host,user_id having
("ACL拦截量" >=0 and "WAF拦截量" >=0 and "CC拦截量">=0
and totalblock>10) order by "防扫描拦截量" DESC limit 5告警参数配置建议:
- 查询区间:建议设置为5分钟
- 频率:建议设置为5分钟
- 触发条件:
$0.totalblock>=500&&($0.防扫描拦截量>=500) - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].host} - 产品:WAF(海外) - 最近5分钟内拦截总量:${Results[0].RawResults[0].totalblock} - ACL拦截量:${Results[0].RawResults[0].ACL拦截量} - WAF拦量:${Results[0].RawResults[0].WAF拦截量} - CC拦截量:${Results[0].RawResults[0].CC拦截量} - 防扫描拦截量:${Results[0].RawResults[0].防扫描拦截量}
单IP攻击量预警
图表名称:相应时间内单IP攻击预警
SQL语句模板
user_id:
11111111110000 |select user_id,real_client_ip,concat('ACL拦截量:',cast(aclblock as
varchar(10)),' ','WAF拦截量:',cast(wafblock as varchar(10)),'
','CC拦截量:',cast(aclblock as varchar(10))) as
blockNum,totalblock,allRequest from (select user_id,real_client_ip,count_if(block_action='acl')
as aclblock,count_if(aliwaf_action='block') as
wafblock,count_if(cc_action='close') as ccblock,count_if(block_action='acl' or
aliwaf_action='block' or cc_action='close') as totalblock,COUNT(*) as
allRequest from log group by user_id,real_client_ip having totalblock>1
order by totalblock DESC limit 5)告警参数配置建议:
该图表中包含
real_client_ip、blockNum(含ACL拦截量、WAF拦截量、CC拦截量等数据)、totalblock(总拦截请求数)、allRequest(总请求数)字段,您可以根据需要使用这些字段设置告警条件。
- 查询区间:建议设置为5分钟
- 频率:建议设置为5分钟
- 触发条件:
$0.totalblock >=500 - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 产品:WAF - 最近5分钟内单IP攻击排行Top3: - ${Results[0].RawResults[0].real_client_ip} (${Results[0].RawResults[0].blockNum}) - ${Results[0].RawResults[1].real_client_ip} (${Results[0].RawResults[1].blockNum}) -${Results[0].RawResults[2].real_client_ip} (${Results[0].RawResults[2].blockNum})
单IP攻击域名数量告警
图表名称:相应时间内单IP攻击域名数量告警
SQL语句模板
user_id:
11111111110000 and not
upstream_status:504 and not upstream_addr:- and request_time_msec < 5000 and
upstream_status:200 and not ua_browser:bot |SELECT user_id,host,upstream_time,request_time,ssl_handshake,requestnum
from (select user_id,host,round(avg(upstream_response_time),2)*1000 as
upstream_time,round(avg(request_time_msec),2) as
request_time,round(avg(ssl_handshake_time)*1000,2) as ssl_handshake,COUNT(*) as
requestnum from log group by host,user_id) where requestnum>30 order by
request_time DESC limit 5告警参数配置建议:
该图表中包含
real_client_ip(攻击IP)、totalblock(总拦截请求数)、domainnum(该IP攻击的域名数)等字段。在设置告警触发条件时,您可以自由组合上述字段。例如,totalblock>500&& domainnum>5表示某IP在对应时间内总攻击量达到500,并且攻击域名数多于5个。
- 查询区间:建议设置为5分钟
- 频率:建议设置为1分钟
- 触发条件:
$0.domainnum>=10 - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 产品:WAF - 攻击IP:${Results[0].RawResults[0].real_client_ip} - 攻击的域名数:${Results[0].RawResults[0].domainnum} - 最近5分钟总攻击请求数:${Results[0].RawResults[0].totalblock} - 请及时关注处理
5分钟平均时延情况
图表名称:5分钟平均时延情况
SQL语句模板
user_id:
11111111110000 and and not upstream_status:504 and not upstream_addr:- and
request_time_msec < 5000 and upstream_status:200 and not ua_browser:bot|SELECT
user_id,host,upstream_time,request_time,ssl_handshake,requestnum from (select user_id,host,round(avg(upstream_response_time),2)*1000
as upstream_time,round(avg(request_time_msec),2) as
request_time,round(avg(ssl_handshake_time)*1000,2) as ssl_handshake,COUNT(*) as
requestnum from log group by host,user_id) where requestnum>30 order by
request_time DESC limit 5告警参数配置建议:
- 查询区间:建议设置为5分钟
- 频率:建议设置为5分钟
- 触发条件:
$0.request_time>1000&& $0.requestnum>30 - 触发通知阈值:2次
- 通知间隔:10分钟
- 发送内容
- [时间]:${FireTime} - [Uid]:${Results[0].RawResults[0].user_id} - 域名:${Results[0].RawResults[0].host} - 产品:WAF(海外) - [触发条件]:${condition} - 最近5分钟延时情况TOP3(毫秒) - Host1:${Results[0].RawResults[0].host} Delay_time:${Results[0].RawResults[0].upstream_time} - Host2:${Results[0].RawResults[1].host} Delay_time:${Results[0].RawResults[1].upstream_time} - Host3:${Results[0].RawResults[2].host} Delay_time:${Results[0].RawResults[2].upstream_time}
UID维度流量突降告警
图表名称:UID维度流量突降告警
SQL语句模板
user_id: 11111111110000 |select
t1.user_id,t1.now1mQPS,t1.past1mQPS,de_ratio,t2.Rate_2XX,Rate_3XX,Rate_4XX,Rate_5XX,aveQPS
from (
(
SELECT
user_id,round(c[1]/60,0) as now1mQPS,round(c[2]/60,0) as past1mQPS,
round(100-round(c[1]/60,0)/round(c[2]/60,0)*100,2) as de_ratio from
(SELECT compare(t, 60) as c, user_id from
(SELECT
COUNT(*) as t,user_id from log GROUP by user_id ) GROUP by user_id ) where c[3] <0.9 and
(c[1]>180 or c[2]>180
)
)t1
join
(select
user_id,Rate_2XX,Rate_3XX,Rate_4XX,Rate_5XX,countall/60 as
"aveQPS",status_2XX,status_3XX,status_4XX,status_5XX,countall from
(select
user_id,round(round(status_2XX*1.0000/countall,4)*100,2) as
Rate_2XX,round(round(status_3XX*1.0000/countall,4)*100,2) as
Rate_3XX,
round(round(status_4XX*1.0000/countall,4)*100,2) as
Rate_4XX,round(round(status_5XX*1.0000/countall,4)*100,2) as
Rate_5XX,status_2XX,status_3XX,status_4XX,status_5XX,countall
from
(select
user_id,count_if(status>=200 and status<300) as
status_2XX,count_if(status>=300 and status<400) as status_3XX,count_if
(status>=400 and status<500 and status<>444
and status<>405 ) as status_4XX,count_if(status>=500 and
status<600) as status_5XX,COUNT(*) as countall from log group by user_id)
) where countall>0
)t2 on
t1.user_id=t2.user_id) order by de_ratio DESC limit 5告警参数配置建议:
- 查询区间:建议设置为1分钟
- 频率:建议设置为1分钟
- 触发条件:
$0.de_ratio>50&& $0.now1mqps>20 - 触发通知阈值:1次
- 通知间隔:5分钟
- 发送内容
- [时间]:${FireTime} - [UID]:${Results[0].RawResults[0].user_id} - 产品:WAF - 过去1分钟平均QPS:${Results[0].RawResults[0].now1mqps} - [触发条件(突降率&QPS)]:${condition} - QPS突降率:${Results[0].RawResults[0].de_ratio}% - 响应码 2xx_rate :${Results[0].RawResults[0].rate_2xx}% - 响应码 3xx_rate :${Results[0].RawResults[0].Rate_3XX}% - 响应码 4xx_rate :${Results[0].RawResults[0].Rate_4XX}% - 响应码 5xx_rate :${Results[0].RawResults[0].Rate_5XX}%
在文档使用中是否遇到以下问题
更多建议
匿名提交