Netdata Community

Whitelisting security scanners for web log alarms


How does one whitelist certain IPs, so that Netdata does not send emails for alarms triggered by bad requests from webapp security scanners? I am specifically interested in the web server logs, particularly nginx. If 4xx is triggered by a given IP, I don’t want to receive a "web_log_nginx.response_statuses is critical" email. Is it doable?

Thanks in advance,

@ilyam8 I don’t see a way to filter out specific IPs, or somehow split traffic from our side. Unless we’re talking about a completely custom parser, which seems like overkill. What do you think?

The only thing I can think of is proxying traffic from that IP to somewhere else via nginx.conf, but that’s not ideal.


We count the total number of HTTP requests per code class (1xx, etc.) during data collection. So it is not possible to find out by what IP/Network the 4xx alarm is triggered.

Possible solutions:

  • do not account for security scanners’ HTTP requests (filter them by $remote_addr during data collection).
  • redirect Nginx logs to a separate file when HTTP requests come from security scanners (I think that is possible). In this case, we can still collect data by adding an additional “web_log” job and use charts alarm filter to exclude this job.
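
The second option above, sketched as an nginx configuration. This is an added example, not part of the original posts and not Netdata's own configuration; the addresses, server name and the `scanner_access.log` path are constructed placeholders.

```nginx
# Added example: place the geo and map blocks in the http {} context.
# Addresses are placeholders from the RFC 5737 documentation ranges;
# replace them with the source addresses of your own scanners.
geo $is_scanner {
    default         0;
    192.0.2.10      1;   # single scanner host (placeholder)
    198.51.100.0/24 1;   # scanner network (placeholder)
}

# access_log's if= parameter skips a request when the value is "0" or empty,
# so the main log needs the inverse of $is_scanner.
map $is_scanner $not_scanner {
    0 1;
    1 0;
}

server {
    listen 80;
    server_name example.test;   # placeholder

    # Regular traffic: the file the existing web_log job already reads.
    access_log /var/log/nginx/access.log combined if=$not_scanner;

    # Scanner traffic: a separate file (assumed path) that an additional
    # web_log job can read, so the requests are still recorded and charted.
    access_log /var/log/nginx/scanner_access.log combined if=$is_scanner;
}
```

`geo` matches on `$remote_addr` by default, so behind a load balancer or reverse proxy the client address has to be restored first (for example with the realip module), otherwise every request is classified by the proxy's address. Keep the scanner list narrow: any request from a listed address, scanner or not, stops contributing to the 4xx alarm on the main job.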