Whitelisting security scanners for web log alarms

Problem/Question

How does one whitelist certain IPs, so that netdata does not send emails for alarms triggered by bad requests from webapp security scanners? I am specifically interested in the web server logs, particularly nginx. If 4xx is triggered by a given IP, I don’t want to receive a web_log_nginx.response_statuses is critical. Is it doable?

Thanks in advance,
Andrew

@ilyam8 I don’t see a way to filter out specific IPs, or somehow split traffic from our side. Unless we’re talking about a completely custom parser, which seems like overkill. What do you think?

The only thing I can think of is proxying traffic from that IP to somewhere else via nginx.conf, but that’s not ideal.

We count the total number of HTTP requests per code class (1xx, etc.) during data collection. So it is not possible to find out by what IP/Network the 4xx alarm is triggered.

Possible solutions:

  • do not account for security scanners’ HTTP requests (filter them by $remote_addr during data collection).
  • redirect Nginx logs to a separate file when HTTP requests come from security scanners (I think that is possible). In this case, we can still collect data by adding an additional “web_log” job and use the charts alarm filter to exclude this job.
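
Added example (not part of the original thread and not Netdata's own configuration): one way to do the log split described in the second option, using nginx's `geo` and `map` modules with the `if=` parameter of `access_log`. The scanner addresses, log paths and variable names are assumptions to adapt to your setup.

```nginx
# Goes in the http {} context of nginx.conf.

# Mark requests from known security scanners.
# The addresses below are constructed placeholders (documentation ranges).
geo $is_scanner {
    default          0;
    192.0.2.10       1;   # single scanner host (placeholder)
    198.51.100.0/24  1;   # scanner network (placeholder)
}

# Inverse flag: access_log's if= skips a request when the value is "0" or empty.
map $is_scanner $not_scanner {
    0  1;
    1  0;
}

server {
    listen 80;
    server_name example.com;   # placeholder

    # Normal traffic: the file the existing web_log job reads and alarms on.
    access_log /var/log/nginx/access.log combined if=$not_scanner;

    # Scanner traffic: kept for audit, in a separate file (assumed path).
    # Point a second web_log job at this file and exclude that job
    # from the response_statuses alarm, as suggested in the post above.
    access_log /var/log/nginx/scanner_access.log combined if=$is_scanner;
}
```

Scanner requests are still logged, so nothing is lost for later review; they just no longer count toward the 4xx totals of the main job. Run `nginx -t` before reloading.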