This best practice provides configuration examples for 13 typical Web Application Firewall (WAF) log query, analysis and alerting scenarios. You can use the SQL templates in this topic to configure charts in the WAF log dashboard, and configure alerts according to the suggested alert parameters.

Usage notes

Before you use this reference, you must have created a WAF log analysis dashboard. For more information, see Step 1: Create a WAF log analysis dashboard.

4XX ratio anomaly alert

Chart name: 4XX ratio (blocked requests ignored)
SQL template:
  user_id:11111111110000 and not real_client_ip:1.1.1.1 |
  select user_id, host as "域名", Rate_2XX as "2XX比例", Rate_3XX as "3XX比例",
         Rate_4XX as "4XX比例", Rate_5XX as "5XX比例", countall as "aveQPS",
         status_2XX, status_3XX, status_4XX, status_5XX, countall
  from (
      select user_id, host,
             round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
             round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
             round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
             round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
             status_2XX, status_3XX, status_4XX, status_5XX, countall
      from (
          select user_id, host,
                 count_if(status>=200 and status<300) as status_2XX,
                 count_if(status>=300 and status<400) as status_3XX,
                 count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
                 count_if(status>=500 and status<600) as status_5XX,
                 COUNT(*) as countall
          group by host, user_id
      )
  )
  where countall>120
  order by Rate_4XX DESC
  limit 5

Suggested alert parameters:

The chart contains the fields aveQPS, 2XX比例, 3XX比例, 4XX比例 and 5XX比例, which represent the QPS of the domain and the share of each response status class. The 4XX比例 field excludes the 444 and 405 status codes that WAF returns when it blocks CC attacks and web attacks, so that the chart only shows status-code changes caused by the business itself. You can combine these fields freely when you set the trigger condition. For example, aveQPS>10 && 2XX比例<60 means that, within the configured statistics window, the QPS of the domain is above 10 and the 2XX share is below 60%.

  • Query interval: 5 minutes recommended
  • Frequency: 5 minutes recommended
  • Trigger condition: $0.countall>3000 && $0.4XX比例>80
  • Notification threshold: 2 triggers
  • Notification interval: 10 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].域名}
    - Product: WAF
    - Total requests in the last 5 minutes: ${Results[0].RawResults[0].countall}
    - 2XX ratio: ${Results[0].RawResults[0].2XX比例} %
    - 3XX ratio: ${Results[0].RawResults[0].3XX比例} %
    - 4XX ratio: ${Results[0].RawResults[0].4XX比例} %
    - 5XX ratio: ${Results[0].RawResults[0].5XX比例} %
Alert example: [image: 4XX ratio anomaly alert example]

5XX ratio anomaly alert

Chart name: 5XX ratio
SQL template:
  user_id:11111111110000 and not real_client_ip:1.1.1.1 |
  select user_id, host as "域名", Rate_2XX as "2XX比例", Rate_3XX as "3XX比例",
         Rate_4XX as "4XX比例", Rate_5XX as "5XX比例", countall as "相对时间内访问量",
         status_2XX, status_3XX, status_4XX, status_5XX, countall
  from (
      select user_id, host,
             round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
             round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
             round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
             round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
             status_2XX, status_3XX, status_4XX, status_5XX, countall
      from (
          select user_id, host,
                 count_if(status>=200 and status<300) as status_2XX,
                 count_if(status>=300 and status<400) as status_3XX,
                 count_if(status>=400 and status<500) as status_4XX,
                 count_if(status>=500 and status<600) as status_5XX,
                 COUNT(*) as countall
          group by host, user_id
      )
  )
  where countall>120
  order by Rate_5XX DESC
  limit 5

Suggested alert parameters:
  • Query interval: 5 minutes recommended
  • Frequency: 5 minutes recommended
  • Trigger condition: $0.countall>3000 && $0.5XX比例>80
  • Notification threshold: 2 triggers
  • Notification interval: 10 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].域名}
    - Product: WAF
    - Total requests in the last 5 minutes: ${Results[0].RawResults[0].countall}
    - 2XX ratio: ${Results[0].RawResults[0].2XX比例} %
    - 3XX ratio: ${Results[0].RawResults[0].3XX比例} %
    - 4XX ratio: ${Results[0].RawResults[0].4XX比例} %
    - 5XX ratio: ${Results[0].RawResults[0].5XX比例} %
Alert example: [image: 5XX ratio anomaly alert example]

QPS anomaly alert

Chart name: QPS TOP5
SQL template:
  user_id: 11111111110000 and not real_client_ip:1.1.1.1 |
  select user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall/60 as "aveQPS",
         status_2XX, status_3XX, status_4XX, status_5XX, countall
  from (
      select user_id, host,
             round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
             round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
             round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
             round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
             status_2XX, status_3XX, status_4XX, status_5XX, countall
      from (
          select user_id, host,
                 count_if(status>=200 and status<300) as status_2XX,
                 count_if(status>=300 and status<400) as status_3XX,
                 count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
                 count_if(status>=500 and status<600) as status_5XX,
                 COUNT(*) as countall
          group by host, user_id
      )
  )
  where countall>120
  order by aveQPS DESC
  limit 5

Suggested alert parameters:
  • Query interval: 1 minute recommended
  • Frequency: 1 minute recommended
  • Trigger condition: $0.aveQPS>=50
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].aveQPS}
    - Response code 2xx_rate: ${Results[0].RawResults[0].Rate_2XX}%
    - Response code 3xx_rate: ${Results[0].RawResults[0].Rate_3XX}%
    - Response code 4xx_rate: ${Results[0].RawResults[0].Rate_4XX}%
    - Response code 5xx_rate: ${Results[0].RawResults[0].Rate_5XX}%
Alert example: [image: QPS anomaly alert example]
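The following Python script is an added example; it is not part of the original page and not WAF product code. Over constructed log records it reproduces what the 4XX ratio, 5XX ratio and QPS templates above do in SQL: bucket responses per host into status classes, leave 444 and 405 out of the 4XX bucket (the 4XX ratio and QPS templates) or keep them in (the 5XX ratio template), apply the template's double rounding, drop hosts below the countall>120 floor, derive aveQPS as countall/60, and then evaluate a trigger condition of the suggested shape. The field names user_id, host and status are the page's log fields; the sample hosts, request counts, thresholds passed to the helpers and the helper names are constructed for the example.

```python
from collections import defaultdict

# WAF block responses that the 4XX-ratio and QPS templates leave out of the 4XX bucket:
# 444 is returned for CC-attack blocks, 405 for web-attack blocks.
WAF_BLOCK_STATUSES = (444, 405)


def make_records(host, counts, user_id="11111111110000"):
    """Constructed log records: counts maps an HTTP status code to a number of requests."""
    return [{"user_id": user_id, "host": host, "status": code}
            for code, n in counts.items() for _ in range(n)]


# Constructed sample window (not real WAF data).
SAMPLE_LOGS = (
    make_records("shop.example.com", {200: 150, 404: 30, 444: 20})      # 444 = CC block
    + make_records("api.example.com", {200: 100, 502: 10})              # below the 120-request floor
    + make_records("legacy.example.com", {200: 50, 403: 100, 405: 20})  # 405 = web-attack block
)


def sql_pct(part, whole):
    """Same double rounding as the templates: round(round(part/whole, 4) * 100, 2)."""
    return round(round(part * 1.0 / whole, 4) * 100, 2)


def bucket_status(records, exclude_blocked=True):
    """Per (user_id, host), count status classes like the innermost sub-select.

    exclude_blocked=True mirrors the 4XX-ratio and QPS templates (444/405 are not 4XX);
    False mirrors the 5XX-ratio template, which counts every 4XX code.
    """
    fields = ("status_2XX", "status_3XX", "status_4XX", "status_5XX", "countall")
    buckets = defaultdict(lambda: dict.fromkeys(fields, 0))
    for r in records:
        b = buckets[(r["user_id"], r["host"])]
        s = r["status"]
        b["countall"] += 1
        if 200 <= s < 300:
            b["status_2XX"] += 1
        elif 300 <= s < 400:
            b["status_3XX"] += 1
        elif 400 <= s < 500 and not (exclude_blocked and s in WAF_BLOCK_STATUSES):
            b["status_4XX"] += 1
        elif 500 <= s < 600:
            b["status_5XX"] += 1
    return buckets


def ratio_rows(records, min_count=120, order_by="Rate_4XX", limit=5,
               window_seconds=60, exclude_blocked=True):
    """Outer query: ratios per host, drop hosts with countall <= min_count, top N by order_by."""
    rows = []
    for (uid, host), b in bucket_status(records, exclude_blocked).items():
        if b["countall"] <= min_count:
            continue
        row = {"user_id": uid, "host": host, **b}
        for cls in ("2XX", "3XX", "4XX", "5XX"):
            row["Rate_" + cls] = sql_pct(b["status_" + cls], b["countall"])
        row["aveQPS"] = b["countall"] / window_seconds   # the QPS template's countall/60
        rows.append(row)
    rows.sort(key=lambda r: r[order_by], reverse=True)
    return rows[:limit]


def ratio_alert(row, min_count=3000, max_rate=80, rate_field="Rate_4XX"):
    """Trigger condition of the form $0.countall>3000 && $0.<ratio field>>80."""
    return row["countall"] > min_count and row[rate_field] > max_rate


if __name__ == "__main__":
    for row in ratio_rows(SAMPLE_LOGS):
        print(row["host"], row["countall"], row["Rate_2XX"], row["Rate_4XX"],
              "ALERT" if ratio_alert(row, min_count=100, max_rate=50) else "ok")
```

With the constructed sample, legacy.example.com reports a 4XX ratio of 58.82% although 20 of its requests were answered with 405, and api.example.com is dropped entirely because it stays under the 120-request floor; lowering the floor in a production alert trades fewer missed low-traffic domains for noisier ratios.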

QPS surge alert

Chart name: QPS surge
SQL template:
  user_id: 11111111110000 |
  select t1.user_id, t1.now1mQPS, t1.past1mQPS, in_ratio, t1.host,
         t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS
  from (
      (
          SELECT user_id,
                 round(c[1]/60,0) as now1mQPS,
                 round(c[2]/60,0) as past1mQPS,
                 round(round(c[1]/60,0)/round(c[2]/60,0)*100-100,0) as in_ratio,
                 host
          from (
              SELECT compare(t, 60) as c, host, user_id
              from (SELECT COUNT(*) as t, host, user_id from log GROUP by host, user_id)
              GROUP by host, user_id
          )
          where c[3] > 1.1 and (c[1]>180 or c[2]>180)
      ) t1
      join (
          select user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall/60 as "aveQPS",
                 status_2XX, status_3XX, status_4XX, status_5XX, countall
          from (
              select user_id, host,
                     round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
                     round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
                     round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
                     round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
                     status_2XX, status_3XX, status_4XX, status_5XX, countall
              from (
                  select user_id, host,
                         count_if(status>=200 and status<300) as status_2XX,
                         count_if(status>=300 and status<400) as status_3XX,
                         count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
                         count_if(status>=500 and status<600) as status_5XX,
                         COUNT(*) as countall
                  from log group by host, user_id
              )
          )
          where countall>1
      ) t2
      on t1.host=t2.host
  )
  order by in_ratio DESC
  limit 5

Suggested alert parameters:
  • Query interval: 1 minute recommended
  • Frequency: 1 minute recommended
  • Trigger condition: $0.now1mqps>50 && $0.in_ratio>300
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - QPS increase ratio: ${Results[0].RawResults[0].in_ratio}%
    - Response code 2xx_rate: ${Results[0].RawResults[0].rate_2xx}%
    - Response code 3xx_rate: ${Results[0].RawResults[0].Rate_3XX}%
    - Response code 4xx_rate: ${Results[0].RawResults[0].Rate_4XX}%
    - Response code 5xx_rate: ${Results[0].RawResults[0].Rate_5XX}%
Alert example: [image: QPS surge alert example]

QPS drop alert

Chart name: QPS drop
SQL template:
  user_id: 11111111110000 |
  select t1.user_id, t1.now1mQPS, t1.past1mQPS, de_ratio, t1.host,
         t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS
  from (
      (
          SELECT user_id,
                 round(c[1]/60,0) as now1mQPS,
                 round(c[2]/60,0) as past1mQPS,
                 round(100-round(c[1]/60,0)/round(c[2]/60,0)*100,2) as de_ratio,
                 host
          from (
              SELECT compare(t, 60) as c, host, user_id
              from (SELECT COUNT(*) as t, host, user_id from log GROUP by host, user_id)
              GROUP by host, user_id
          )
          where c[3] < 0.9 and (c[1]>180 or c[2]>180)
      ) t1
      join (
          select user_id, host, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall/60 as "aveQPS",
                 status_2XX, status_3XX, status_4XX, status_5XX, countall
          from (
              select user_id, host,
                     round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
                     round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
                     round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
                     round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
                     status_2XX, status_3XX, status_4XX, status_5XX, countall
              from (
                  select user_id, host,
                         count_if(status>=200 and status<300) as status_2XX,
                         count_if(status>=300 and status<400) as status_3XX,
                         count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
                         count_if(status>=500 and status<600) as status_5XX,
                         COUNT(*) as countall
                  from log group by host, user_id
              )
          )
          where countall>1
      ) t2
      on t1.host=t2.host
  )
  order by de_ratio DESC
  limit 5

Suggested alert parameters:

The chart contains the fields now1mqps (average QPS in the current minute), past1mqps (average QPS in the previous minute), de_ratio (QPS decrease ratio) and host. You can use these fields to set the alert condition as needed.
  • Query interval: 1 minute recommended
  • Frequency: 1 minute recommended
  • Trigger condition: $0.now1mqps>10 && $0.de_ratio>50
  • Notification threshold: 2 triggers
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - QPS decrease ratio: ${Results[0].RawResults[0].de_ratio}%
    - Response code 2xx_rate: ${Results[0].RawResults[0].rate_2xx}%
    - Response code 3xx_rate: ${Results[0].RawResults[0].Rate_3XX}%
    - Response code 4xx_rate: ${Results[0].RawResults[0].Rate_4XX}%
    - Response code 5xx_rate: ${Results[0].RawResults[0].Rate_5XX}%
Alert example: [image: QPS drop alert example]

5-minute ACL block alert

Chart name: ACL blocks in the window
SQL template:
  user_id:11111111110000 |
  select user_id, host,
         count_if(block_action='antiscan') as "防扫描拦截量",
         count_if(block_action='acl') as "ACL拦截量",
         count_if(aliwaf_action='block') as "WAF拦截量",
         count_if(cc_action='close') as "CC拦截量",
         count_if(block_action='acl' or aliwaf_action='block' or cc_action='close' or block_action='antiscan') as totalblock
  group by host, user_id
  having ("ACL拦截量">=0 and "WAF拦截量">=0 and "CC拦截量">=0 and totalblock>10)
  order by "ACL拦截量" DESC
  limit 5

Suggested alert parameters:
  • Query interval: 5 minutes recommended
  • Frequency: 5 minutes recommended
  • Trigger condition: $0.totalblock>=500 && ($0.ACL拦截量>=500)
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocks in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - ACL blocks: ${Results[0].RawResults[0].ACL拦截量}
    - WAF blocks: ${Results[0].RawResults[0].WAF拦截量}
    - CC blocks: ${Results[0].RawResults[0].CC拦截量}
    - Anti-scan blocks: ${Results[0].RawResults[0].防扫描拦截量}

5-minute WAF block alert

Chart name: WAF blocks in the window
SQL template:
  user_id:11111111110000 |
  select user_id, host,
         count_if(block_action='antiscan') as "防扫描拦截量",
         count_if(block_action='acl') as "ACL拦截量",
         count_if(aliwaf_action='block') as "WAF拦截量",
         count_if(cc_action='close') as "CC拦截量",
         count_if(block_action='acl' or aliwaf_action='block' or cc_action='close' or block_action='antiscan') as totalblock
  group by host, user_id
  having ("ACL拦截量">=0 and "WAF拦截量">=0 and "CC拦截量">=0 and totalblock>10)
  order by "WAF拦截量" DESC
  limit 5

Suggested alert parameters:
  • Query interval: 5 minutes recommended
  • Frequency: 5 minutes recommended
  • Trigger condition: $0.totalblock>=500 && ($0.WAF拦截量>=500)
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocks in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - ACL blocks: ${Results[0].RawResults[0].ACL拦截量}
    - WAF blocks: ${Results[0].RawResults[0].WAF拦截量}
    - CC blocks: ${Results[0].RawResults[0].CC拦截量}
    - Anti-scan blocks: ${Results[0].RawResults[0].防扫描拦截量}

5-minute CC block alert

Chart name: CC blocks in the window
SQL template:
  user_id:11111111110000 |
  select user_id, host,
         count_if(block_action='antiscan') as "防扫描拦截量",
         count_if(block_action='acl') as "ACL拦截量",
         count_if(aliwaf_action='block') as "WAF拦截量",
         count_if(cc_action='close') as "CC拦截量",
         count_if(block_action='acl' or aliwaf_action='block' or cc_action='close' or block_action='antiscan') as totalblock
  group by host, user_id
  having ("ACL拦截量">=0 and "WAF拦截量">=0 and "CC拦截量">=0 and totalblock>10)
  order by "CC拦截量" DESC
  limit 5

Suggested alert parameters:
  • Query interval: 5 minutes recommended
  • Frequency: 5 minutes recommended
  • Trigger condition: $0.totalblock>=500 && ($0.CC拦截量>=500)
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocks in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - ACL blocks: ${Results[0].RawResults[0].ACL拦截量}
    - WAF blocks: ${Results[0].RawResults[0].WAF拦截量}
    - CC blocks: ${Results[0].RawResults[0].CC拦截量}
    - Anti-scan blocks: ${Results[0].RawResults[0].防扫描拦截量}

5-minute anti-scan block alert

Chart name: Anti-scan blocks in the window
SQL template:
  user_id:11111111110000 |
  select user_id, host,
         count_if(block_action='antiscan') as "防扫描拦截量",
         count_if(block_action='acl') as "ACL拦截量",
         count_if(aliwaf_action='block') as "WAF拦截量",
         count_if(cc_action='close') as "CC拦截量",
         count_if(block_action='acl' or aliwaf_action='block' or cc_action='close' or block_action='antiscan') as totalblock
  group by host, user_id
  having ("ACL拦截量">=0 and "WAF拦截量">=0 and "CC拦截量">=0 and totalblock>10)
  order by "防扫描拦截量" DESC
  limit 5

Suggested alert parameters:
  • Query interval: 5 minutes recommended
  • Frequency: 5 minutes recommended
  • Trigger condition: $0.totalblock>=500 && ($0.防扫描拦截量>=500)
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - Total blocks in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - ACL blocks: ${Results[0].RawResults[0].ACL拦截量}
    - WAF blocks: ${Results[0].RawResults[0].WAF拦截量}
    - CC blocks: ${Results[0].RawResults[0].CC拦截量}
    - Anti-scan blocks: ${Results[0].RawResults[0].防扫描拦截量}

Single-IP attack volume alert

Chart name: Single-IP attack volume in the window
SQL template:
  user_id:11111111110000 |
  select user_id, real_client_ip,
         concat('ACL拦截量:', cast(aclblock as varchar(10)), '  ',
                'WAF拦截量:', cast(wafblock as varchar(10)), ' ',
                'CC拦截量:', cast(ccblock as varchar(10))) as blockNum,
         totalblock, allRequest
  from (
      select user_id, real_client_ip,
             count_if(block_action='acl') as aclblock,
             count_if(aliwaf_action='block') as wafblock,
             count_if(cc_action='close') as ccblock,
             count_if(block_action='acl' or aliwaf_action='block' or cc_action='close') as totalblock,
             COUNT(*) as allRequest
      from log group by user_id, real_client_ip
      having totalblock>1
      order by totalblock DESC
      limit 5
  )

Suggested alert parameters:

The chart contains the fields real_client_ip, blockNum (the ACL, WAF and CC block counts), totalblock (total blocked requests) and allRequest (total requests). You can use these fields to set the alert condition as needed.
  • Query interval: 5 minutes recommended
  • Frequency: 5 minutes recommended
  • Trigger condition: $0.totalblock>=500
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Top 3 attacking IPs in the last 5 minutes:
    - ${Results[0].RawResults[0].real_client_ip}  (${Results[0].RawResults[0].blockNum})
    - ${Results[0].RawResults[1].real_client_ip}  (${Results[0].RawResults[1].blockNum})
    - ${Results[0].RawResults[2].real_client_ip}  (${Results[0].RawResults[2].blockNum})

Single-IP attacked domain count alert

Chart name: Single-IP attacked domain count in the window
SQL template:
  user_id:11111111110000 and not upstream_status:504 and not upstream_addr:- and request_time_msec < 5000 and upstream_status:200 and not ua_browser:bot |
  SELECT user_id, host, upstream_time, request_time, ssl_handshake, requestnum
  from (
      select user_id, host,
             round(avg(upstream_response_time),2)*1000 as upstream_time,
             round(avg(request_time_msec),2) as request_time,
             round(avg(ssl_handshake_time)*1000,2) as ssl_handshake,
             COUNT(*) as requestnum
      from log group by host, user_id
  )
  where requestnum>30
  order by request_time DESC
  limit 5

Suggested alert parameters:

The chart contains the fields real_client_ip (attacking IP), totalblock (total blocked requests) and domainnum (number of domains attacked by that IP). You can combine these fields freely when you set the trigger condition. For example, totalblock>500 && domainnum>5 means that an IP sent more than 500 blocked attack requests within the window and attacked more than 5 domains.
  • Query interval: 5 minutes recommended
  • Frequency: 1 minute recommended
  • Trigger condition: $0.domainnum>=10
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Attacking IP: ${Results[0].RawResults[0].real_client_ip}
    - Number of attacked domains: ${Results[0].RawResults[0].domainnum}
    - Total attack requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Please investigate and handle promptly
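The following Python script is an added example, not part of the original page and not WAF product code. It serves the four 5-minute block alerts, the single-IP attack volume alert and the single-IP attacked domain count alert above: over constructed log records it computes the per-host ACL/WAF/CC/anti-scan counts and totalblock (with the totalblock>10 floor and the ordering by the chosen category), and the per-IP aclblock/wafblock/ccblock/totalblock/allRequest values together with the blockNum summary string (built from ccblock for the CC part). It also derives domainnum as the number of distinct hosts on which the IP was blocked; that definition is an assumption, since the page names the field but the template shown for that section does not compute it. The field names user_id, host, real_client_ip, block_action, aliwaf_action and cc_action and the values acl, antiscan, block and close are the page's; the sample hosts, IP addresses (documentation ranges), counts and helper names are constructed.

```python
from collections import defaultdict


def make_records(host, ip, n, block_action="-", aliwaf_action="-", cc_action="-",
                 user_id="11111111110000"):
    """Constructed WAF log records; '-' means the corresponding engine took no action."""
    return [{"user_id": user_id, "host": host, "real_client_ip": ip,
             "block_action": block_action, "aliwaf_action": aliwaf_action,
             "cc_action": cc_action} for _ in range(n)]


# Constructed 5-minute sample (documentation IP ranges, not real traffic).
SAMPLE_LOGS = (
    make_records("a.example.com", "198.51.100.7", 300, block_action="acl")
    + make_records("b.example.com", "198.51.100.7", 250, aliwaf_action="block")
    + make_records("c.example.com", "198.51.100.7", 5, cc_action="close")
    + make_records("a.example.com", "198.51.100.7", 20)                        # allowed
    + make_records("a.example.com", "203.0.113.9", 40, block_action="antiscan")
    + make_records("a.example.com", "203.0.113.9", 10)                         # allowed
    + make_records("b.example.com", "192.0.2.5", 3, block_action="acl")
)


def block_categories(r):
    """Which of the templates' count_if() predicates a record satisfies."""
    cats = set()
    if r["block_action"] == "acl":
        cats.add("acl")
    if r["block_action"] == "antiscan":
        cats.add("antiscan")
    if r["aliwaf_action"] == "block":
        cats.add("waf")
    if r["cc_action"] == "close":
        cats.add("cc")
    return cats


def blocks_per_host(records, min_total=10, order_by="acl", limit=5):
    """The four 5-minute block charts: per host, ACL/WAF/CC/anti-scan counts and totalblock
    (a record that matches any of the four), keep hosts with totalblock > 10, top N by category."""
    agg = defaultdict(lambda: {"acl": 0, "waf": 0, "cc": 0, "antiscan": 0, "totalblock": 0})
    for r in records:
        cats = block_categories(r)
        b = agg[(r["user_id"], r["host"])]
        for c in cats:
            b[c] += 1
        if cats:
            b["totalblock"] += 1
    rows = [{"user_id": uid, "host": host, **b}
            for (uid, host), b in agg.items() if b["totalblock"] > min_total]
    rows.sort(key=lambda r: r[order_by], reverse=True)
    return rows[:limit]


def blocks_per_ip(records, min_total=1, limit=5):
    """Single-IP charts: per client IP, ACL/WAF/CC blocks (anti-scan is not counted there),
    totalblock, allRequest, the blockNum string and domainnum (assumed: distinct blocked hosts)."""
    agg = defaultdict(lambda: {"aclblock": 0, "wafblock": 0, "ccblock": 0,
                               "totalblock": 0, "allRequest": 0, "hosts": set()})
    for r in records:
        cats = block_categories(r) - {"antiscan"}
        b = agg[(r["user_id"], r["real_client_ip"])]
        b["allRequest"] += 1
        b["aclblock"] += "acl" in cats
        b["wafblock"] += "waf" in cats
        b["ccblock"] += "cc" in cats
        if cats:
            b["totalblock"] += 1
            b["hosts"].add(r["host"])   # only hosts on which this IP was actually blocked
    rows = []
    for (uid, ip), b in agg.items():
        if b["totalblock"] <= min_total:
            continue
        rows.append({"user_id": uid, "real_client_ip": ip,
                     "aclblock": b["aclblock"], "wafblock": b["wafblock"], "ccblock": b["ccblock"],
                     "totalblock": b["totalblock"], "allRequest": b["allRequest"],
                     "domainnum": len(b["hosts"]),
                     # the concat() of the template, with the CC part taken from ccblock
                     "blockNum": f"ACL拦截量:{b['aclblock']}  WAF拦截量:{b['wafblock']} CC拦截量:{b['ccblock']}"})
    rows.sort(key=lambda r: r["totalblock"], reverse=True)
    return rows[:limit]


def host_alert(row, category, min_total=500, min_category=500):
    """Suggested trigger for the block charts: $0.totalblock>=500 && $0.<category>>=500."""
    return row["totalblock"] >= min_total and row[category] >= min_category


def ip_alert(row, min_total=500, min_domains=0):
    """Suggested single-IP triggers: totalblock>=500, optionally combined with domainnum."""
    return row["totalblock"] >= min_total and row["domainnum"] >= min_domains
```

Note that the same client IP can reach the trigger threshold (555 blocked requests here) while no single host does, because its blocks are spread over three domains; this is the gap the per-IP charts close relative to the per-host ones.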

5-minute average latency

Chart name: 5-minute average latency
SQL template:
  user_id:11111111110000 and not upstream_status:504 and not upstream_addr:- and request_time_msec < 5000 and upstream_status:200 and not ua_browser:bot |
  SELECT user_id, host, upstream_time, request_time, ssl_handshake, requestnum
  from (
      select user_id, host,
             round(avg(upstream_response_time),2)*1000 as upstream_time,
             round(avg(request_time_msec),2) as request_time,
             round(avg(ssl_handshake_time)*1000,2) as ssl_handshake,
             COUNT(*) as requestnum
      from log group by host, user_id
  )
  where requestnum>30
  order by request_time DESC
  limit 5

Suggested alert parameters:
  • Query interval: 5 minutes recommended
  • Frequency: 5 minutes recommended
  • Trigger condition: $0.request_time>1000 && $0.requestnum>30
  • Notification threshold: 2 triggers
  • Notification interval: 10 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [Uid]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - [Trigger condition]: ${condition}
    - Top 3 latencies in the last 5 minutes (ms)
    - Host1: ${Results[0].RawResults[0].host} Delay_time: ${Results[0].RawResults[0].upstream_time}
    - Host2: ${Results[0].RawResults[1].host} Delay_time: ${Results[0].RawResults[1].upstream_time}
    - Host3: ${Results[0].RawResults[2].host} Delay_time: ${Results[0].RawResults[2].upstream_time}

UID-level traffic drop alert

Chart name: UID-level traffic drop alert
SQL template:
  user_id: 11111111110000 |
  select t1.user_id, t1.now1mQPS, t1.past1mQPS, de_ratio,
         t2.Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, aveQPS
  from (
      (
          SELECT user_id,
                 round(c[1]/60,0) as now1mQPS,
                 round(c[2]/60,0) as past1mQPS,
                 round(100-round(c[1]/60,0)/round(c[2]/60,0)*100,2) as de_ratio
          from (
              SELECT compare(t, 60) as c, user_id
              from (SELECT COUNT(*) as t, user_id from log GROUP by user_id)
              GROUP by user_id
          )
          where c[3] < 0.9 and (c[1]>180 or c[2]>180)
      ) t1
      join (
          select user_id, Rate_2XX, Rate_3XX, Rate_4XX, Rate_5XX, countall/60 as "aveQPS",
                 status_2XX, status_3XX, status_4XX, status_5XX, countall
          from (
              select user_id,
                     round(round(status_2XX*1.0000/countall,4)*100,2) as Rate_2XX,
                     round(round(status_3XX*1.0000/countall,4)*100,2) as Rate_3XX,
                     round(round(status_4XX*1.0000/countall,4)*100,2) as Rate_4XX,
                     round(round(status_5XX*1.0000/countall,4)*100,2) as Rate_5XX,
                     status_2XX, status_3XX, status_4XX, status_5XX, countall
              from (
                  select user_id,
                         count_if(status>=200 and status<300) as status_2XX,
                         count_if(status>=300 and status<400) as status_3XX,
                         count_if(status>=400 and status<500 and status<>444 and status<>405) as status_4XX,
                         count_if(status>=500 and status<600) as status_5XX,
                         COUNT(*) as countall
                  from log group by user_id
              )
          )
          where countall>0
      ) t2
      on t1.user_id=t2.user_id
  )
  order by de_ratio DESC
  limit 5

Suggested alert parameters:
  • Query interval: 1 minute recommended
  • Frequency: 1 minute recommended
  • Trigger condition: $0.de_ratio>50 && $0.now1mqps>20
  • Notification threshold: 1 trigger
  • Notification interval: 5 minutes
  • Notification content
    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - [Trigger condition (drop ratio & QPS)]: ${condition}
    - QPS decrease ratio: ${Results[0].RawResults[0].de_ratio}%
    - Response code 2xx_rate: ${Results[0].RawResults[0].rate_2xx}%
    - Response code 3xx_rate: ${Results[0].RawResults[0].Rate_3XX}%
    - Response code 4xx_rate: ${Results[0].RawResults[0].Rate_4XX}%
    - Response code 5xx_rate: ${Results[0].RawResults[0].Rate_5XX}%
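The following Python script is an added example, not part of the original page and not WAF product code. It serves the QPS surge alert, the QPS drop alert and the UID-level traffic drop alert above, which share one mechanism: compare(t, 60) yields the request count of the current window, the count of the window 60 seconds earlier and their ratio (c[1], c[2], c[3] in the templates; indices 0, 1, 2 below), both counts are turned into per-second averages with round(x/60, 0), and in_ratio or de_ratio is derived from those two rounded values. The script also handles the case the templates leave open: a key with traffic now but none in the previous window would divide by zero, so it is skipped here. The half-up rounding of round() is an assumption about the query engine; the per-host counts, thresholds and helper names are constructed for the example (the UID-level template keys by user_id instead of host, which changes only the grouping key).

```python
from decimal import Decimal, ROUND_HALF_UP


def sql_round(x, digits=0):
    """round() as the templates use it: half-up (assumed engine behaviour). Python's own
    round() rounds half to even and would turn 50.5 into 50."""
    return float(Decimal(str(x)).quantize(Decimal(1).scaleb(-digits), rounding=ROUND_HALF_UP))


def compare(current, previous):
    """Mimic compare(t, 60): [current-window value, previous-window value, current/previous].
    The ratio is None when there was no previous-window traffic (assumption: the template
    would divide by zero there, so such keys are skipped in qps_change_rows)."""
    return [current, previous, (current / previous) if previous else None]


# Constructed request counts for the current and the previous 60-second window, keyed by host.
NOW_COUNTS = {"shop.example.com": 15000, "api.example.com": 900,
              "static.example.com": 1200, "new.example.com": 240, "tiny.example.com": 100}
PAST_COUNTS = {"shop.example.com": 3000, "api.example.com": 6000,
               "static.example.com": 1100, "new.example.com": 0, "tiny.example.com": 10}


def qps_change_rows(now_counts, past_counts, window=60, min_requests=180,
                    surge_ratio=1.1, drop_ratio=0.9, limit=5):
    """Return (surges, drops), ordered like the templates: in_ratio DESC and de_ratio DESC."""
    surges, drops = [], []
    for key in set(now_counts) | set(past_counts):
        c = compare(now_counts.get(key, 0), past_counts.get(key, 0))
        # (c[1]>180 or c[2]>180): ignore keys with too little traffic in both windows
        if not (c[0] > min_requests or c[1] > min_requests):
            continue
        now_qps = sql_round(c[0] / window)    # round(c[1]/60,0) as now1mQPS
        past_qps = sql_round(c[1] / window)   # round(c[2]/60,0) as past1mQPS
        if c[2] is None or past_qps == 0:
            continue  # no baseline to compare against
        row = {"key": key, "now1mQPS": now_qps, "past1mQPS": past_qps}
        if c[2] > surge_ratio:                # where c[3] > 1.1
            row["in_ratio"] = sql_round(now_qps / past_qps * 100 - 100)
            surges.append(row)
        elif c[2] < drop_ratio:               # where c[3] < 0.9
            row["de_ratio"] = sql_round(100 - now_qps / past_qps * 100, 2)
            drops.append(row)
    surges.sort(key=lambda r: r["in_ratio"], reverse=True)
    drops.sort(key=lambda r: r["de_ratio"], reverse=True)
    return surges[:limit], drops[:limit]


def surge_alert(row, min_qps=50, min_ratio=300):
    """Suggested surge trigger: $0.now1mqps>50 && $0.in_ratio>300."""
    return row["now1mQPS"] > min_qps and row["in_ratio"] > min_ratio


def drop_alert(row, min_qps=10, min_ratio=50):
    """Suggested drop trigger: $0.now1mqps>10 && $0.de_ratio>50."""
    return row["now1mQPS"] > min_qps and row["de_ratio"] > min_ratio


if __name__ == "__main__":
    surges, drops = qps_change_rows(NOW_COUNTS, PAST_COUNTS)
    for r in surges:
        print("surge", r, "ALERT" if surge_alert(r) else "ok")
    for r in drops:
        print("drop", r, "ALERT" if drop_alert(r) else "ok")
```

Because both QPS values are rounded to whole numbers before the ratio is formed, low-traffic keys produce coarse ratios (a baseline of 20 requests per minute rounds to 0 QPS and is skipped above), which is why the templates also require more than 180 requests in at least one of the two windows.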