This documentation is for WSO2 CEP 3.0.0.


Introduction

This sample demonstrates how to set up an execution plan with queries that detect suspicious login attempts on a user account. It generates an alert if two or more login attempts to the same user account are detected from different IP addresses within a short time period. This sample uses wso2event for both input and output.

The query used in this sample is as follows:

    from every a1 = authStream
    -> b1 = authStream[username == a1.username and ipAddress != a1.ipAddress]
    within 10000
    select a1.username as username, a1.ipAddress as ip1, b1.ipAddress as ip2
    insert into alertStream;

In the above query,

  • Pattern syntax is used to identify two login attempts, received through the authStream, to the same account from two different IP addresses within 10 seconds. These two events are named a1 and b1.
  • The arrow (->) denotes that b1 must occur after a1.
  • The condition given inside the brackets captures events with the same user name but a different IP address.
  • The keyword 'within' specifies that this pattern must occur inside a 10,000 millisecond time interval.
  • A few attributes are selected and inserted into the alertStream.
  • The 'every' keyword ensures that the CEP keeps searching for this pattern for every event received. If this keyword is omitted, the CEP searches for the pattern only once, and any subsequent events are discarded.
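As an added example that is not part of the original sample, the following Python models the same pattern over an in-memory list of constructed login events, including the difference the 'every' keyword makes. The window and pattern-instance semantics are a simplified model of Siddhi's (an assumption here): each a1 is completed by the first later matching b1 within the window.

```python
from dataclasses import dataclass
from typing import List

WINDOW_MS = 10_000  # the 'within 10000' clause of the sample query

@dataclass(frozen=True)
class AuthEvent:
    timestamp_ms: int
    username: str
    ip_address: str

@dataclass(frozen=True)
class Alert:
    username: str
    ip1: str
    ip2: str

def detect_suspicious_logins(events: List[AuthEvent], every: bool = True) -> List[Alert]:
    """Re-implements the sample's pattern query over an in-memory event list.

    For each a1 (every event when `every` is True, only the first event otherwise)
    find the first later event b1 with the same username but a different IP
    address that arrives within WINDOW_MS, and emit one alert per matched a1.
    """
    alerts: List[Alert] = []
    ordered = sorted(events, key=lambda e: e.timestamp_ms)
    for i, a1 in enumerate(ordered):
        if not every and i > 0:
            break  # without 'every' only the first event starts the pattern
        for b1 in ordered[i + 1:]:
            if b1.timestamp_ms - a1.timestamp_ms > WINDOW_MS:
                break  # later events fall outside the 10 second window
            if b1.username == a1.username and b1.ip_address != a1.ip_address:
                alerts.append(Alert(a1.username, a1.ip_address, b1.ip_address))
                break  # the pattern instance started by a1 is complete
    return alerts

# Constructed sample login events (not the data sent by the sample producer)
SAMPLE_EVENTS = [
    AuthEvent(0,      "alice", "10.0.0.1"),
    AuthEvent(2_000,  "bob",   "10.0.0.7"),
    AuthEvent(4_000,  "alice", "10.0.0.1"),   # same IP as before: not suspicious
    AuthEvent(6_000,  "alice", "192.0.2.9"),  # different IP within 10 s: alert
    AuthEvent(30_000, "bob",   "192.0.2.5"),  # 28 s after bob's first login: no alert
]

if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_EVENTS):
        print(alert)
```

With 'every', both of alice's logins from 10.0.0.1 start a pattern instance and are completed by the 192.0.2.9 login, so two alerts are produced; without it only the first event starts an instance and a single alert results.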

Prerequisites

For a list of prerequisites, please refer to the prerequisites section in Setting up CEP Samples.

Building the Sample

  1. Start the WSO2 CEP server with the sample number: ./wso2cep-samples.sh -sn 0104 (or on Windows, wso2cep-samples.bat -sn 0104). This starts the server with the configuration files required for this sample.

    When the sample is executed with the above command, some operations are performed in the background. A file called "stream-manager-config.xml" is copied to <CEP_HOME>/repository/conf from the artifacts directory of the sample. This file is used at server startup to create the stream definitions needed to run the sample.

    Then, the default Axis2 repository is pointed to the directory <CEP_HOME>/sample/artifacts/0104 (by default the Axis2 repository is <CEP_HOME>/repository/deployment/server). Functionality is limited in sample server startup mode, so do not perform other tasks in the server while it is started in sample mode.

Executing the Sample

  2. Open another terminal, switch to <CEP_HOME>/samples/consumers/wso2-event and run ant from there. This builds the sample wso2event consumer and executes it. Do not close this terminal, as it must keep running in order to receive events and view them.
  3. From another terminal, switch to <CEP_HOME>/samples/producers/login-info/ and run ant from there. This builds and runs the wso2event producer, which sends some sample login information to the CEP server. In this terminal you can view the details of the events sent.
  4. Once step 3 has completed successfully, you can see the output events (alerts on suspicious login attempts) received from the CEP in the terminal opened in step 2.

    Note

    Since this sample uses random data and time-based patterns, different executions may produce different results. If you limit the number of events sent to a very low number such as 3 or 4, you may not see a result at all.

  5. Below is the console output of the consumer when 6 events are sent from the producer.
