Add a juju action to report on top visits by IP

Bug #1916747 reported by Tom Haddon
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Content Cache Charm

Bug Description

During a potential DoS attack it's useful to quickly retrieve a list of most visits by IP. During a recent issue, an SRE ran the following:

juju run --application content-cache-1ss,content-cache-gs2 -- "awk '/Feb 24 11:/{print \$6}' /var/log/haproxy.log | cut -d ':' -f 1 | sort | uniq -c | sort -rn | head " | pp

This should really be a juju action so it's very obvious and easy for anyone to do this.

Related branches

Revision history for this message
Haw Loeung (hloeung) wrote :

This command would be better as it supports IPv6 as well as includes the sites or listen stanzas being hit:

| awk '/Feb 25 06:/ && $6 !~ / {print $6 " " $8 }' /var/log/haproxy.log | sed -e 's/:[0-9]* / /' | sort | uniq -c | sort -k1 -n -r | head

We also want to replace the date/time "Feb 25 06:" with the last 20 mins or so.

Tom Haddon (mthaddon)
Changed in content-cache-charm:
status: New → Confirmed
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers