This documentation is for WSO2 CEP 3.1.0. View the home page of the latest release.

Unknown macro: {next_previous_links}
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Introduction

This sample demonstrates how to set up an execution plan with queries to detect suspicious login attempts to a user account. It generates an alert if two or more login attempts are detected to the same user account from different IP addresses within a short time period. This sample uses wso2event for both inputs and outputs.

The query used in this sample is as follows:

    from every a1 = authStream
    -> b1 = authStream[username == a1.username and ipAddress != a1.ipAddress]
    within 10000
    select a1.username as username, a1.ipAddress as ip1, b1.ipAddress as ip2
    insert into alertStream;

In above query,

  • Patterns syntax is used to identify two login attempts, received through the authStream, to the same account by two different IP addresses within 10 seconds. Such two events are named as a1 and b1.
  • The arrow (->) denoted that b1 should occur after a1.
  • The condition given inside brackets is used to capture events with the same user name but different IP addresses.
  • The keyword 'within' specifies that this pattern should occur inside a 10,000 milliseconds time interval.
  • Few attributes are selected and inserted to the alertStream.
  • 'every' keyword ensures that CEP keeps searching for this pattern for every event received. If this keyword is omitted, CEP will search for the pattern only once, and any subsequent events will be discarded.

Prerequisites

See Prerequisites in CEP Samples Setup page.

Building the sample

Start the WSO2 CEP server with the sample configuration numbered 0104. For instructions, see Starting sample CEP configurations. This sample configuration does the following:

  • Creates <CEP_HOME>/repository/conf/stream-manager-config.xml file, which is used to create the stream definitions for the sample.
  • Points the default Axis2 repo to <CEP_HOME>/sample/artifacts/0104 (by default, the Axis2 repo is <CEP_HOME>/repository/deployment/server).

Executing the sample

  1. Open a new terminal, go to <CEP_HOME>/samples/consumers/wso2-event and run ant from there. It builds the sample wso2event consumer and executes it.

    Do not close this terminal. It is required to keep the server running and receiving events.

  2. Open another terminal, go to <CEP_HOME>/samples/producers/login-info and run ant from there.

    It builds and runs the wso2event producer, which sends sample login information to the CEP server.

  3. On this terminal, see details of the output events (alerts on suspicious login attempts) received from the CEP.

    Note

    Since this sample uses random data and time-based patterns, different executions may produce different results. In some instances, if you limit the number of events sent to a very low number such as 3 or 4, you may not see a result at all.

    For example, given below is the console output of the consumer when sending 6 events from the producer.

  • No labels