Hello folks,
I imported log data into Neo4j from Elasticsearch, and the next step would be connecting the (raw) events to each other:
The following cypher:
MATCH (e:event)
WHERE not e.destination_IP = "empty"
return e.timestamp, e.source_IP, e.host_NAME, e.network_DIRECTION, e.client_PORT, e.destination_IP, e.server_IP
LIMIT 10
shows some of these events:
e.host_NAME   e.source_IP        e.network_DIRECTION   e.destination_IP
"guac"        "192.168.178.26"   "outbound"            "192.168.178.73"
"guac"        "127.0.0.1"        "outbound"            "127.0.0.1"
"guac"        "192.168.178.52"   "inbound"             "192.168.178.26"
"guac"        "127.0.0.1"        "unknown"             "127.0.0.1"
"guac"        "192.168.178.26"   "outbound"            "192.168.178.1"
"guac"        "192.168.178.26"   "outbound"            "192.168.178.1"
"guac"        "127.0.0.1"        "outbound"            "127.0.0.53"
"nginx"       "192.168.178.26"   "inbound"             "192.168.178.73"
"guac"        "192.168.178.52"   "inbound"             "192.168.178.26"
I tried to find events with the same IP relation (following 3.10.2.2. "Create a relationship and set properties"):
MATCH (a:event),(b:event)
WHERE a.destination_IP = b.source_IP
create (a.source_IP)-[:direction {e.network_DIRECTION}]-(b.destination_IP)
return a,b
This does NOT work; it ends with an error:
Invalid input '.': expected an identifier character, whitespace, COPY, node labels, a property map, ')' or a relationship pattern (line 3, column 11 (offset: 74))
" create (a.source_IP)-[:direction {e.network_DIRECTION}]-(b.destination_IP)"
and I tried a statement without relationship:
MATCH (a:event),(b:event)
WHERE a.destination_IP = b.source_IP
return a,b
This ends with a black screen, as I ignored the "Cartesian product" warning.
Is there a hint on how to create the relationship?
Is there a good way to find events with the same identifier, like an IP address?
Any other hints?
Greetings Sebastian
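The following is an added example, not part of Sebastian's post, showing one way to build the relationships he asks about. Cypher cannot use a property value such as `a.source_IP` as a node pattern, which is what the "Invalid input '.'" error is complaining about; a relationship has to connect two nodes, and a property map on a relationship needs `key: value` pairs. The example assumes the `:event` nodes carry exactly the properties shown in the table above (`source_IP`, `destination_IP`, `network_DIRECTION`), that the string "empty" marks a missing address, and that a label `ip` and relationship types `FROM`, `TO` and `NEXT_HOP` are free to use; those names are assumptions, not anything from the original post. It avoids the Cartesian product by first materialising each IP address as its own node and then joining events through that node instead of comparing every event with every other event.

```cypher
// Added example, not from the original post. Assumed schema: (:event) nodes with
// source_IP, destination_IP and network_DIRECTION string properties, "empty" = missing.

// 1. Index the join keys so the MERGE/MATCH below is not a full label scan.
CREATE INDEX event_source_ip IF NOT EXISTS FOR (e:event) ON (e.source_IP);
CREATE INDEX event_destination_ip IF NOT EXISTS FOR (e:event) ON (e.destination_IP);
CREATE INDEX ip_address IF NOT EXISTS FOR (i:ip) ON (i.address);

// 2. One (:ip) node per distinct address; every event points FROM its source
//    and TO its destination. MERGE makes this idempotent on re-runs.
MATCH (e:event)
WHERE e.source_IP IS NOT NULL AND e.source_IP <> "empty"
MERGE (src:ip {address: e.source_IP})
MERGE (e)-[:FROM]->(src);

MATCH (e:event)
WHERE e.destination_IP IS NOT NULL AND e.destination_IP <> "empty"
MERGE (dst:ip {address: e.destination_IP})
MERGE (e)-[:TO]->(dst);

// 3. Link event a to event b when a's destination is b's source. The pattern
//    walks through the shared (:ip) node, so Neo4j never builds a Cartesian
//    product of all events. The direction property is set with key: value
//    syntax, not a bare property reference.
MATCH (a:event)-[:TO]->(shared:ip)<-[:FROM]-(b:event)
WHERE a <> b
MERGE (a)-[r:NEXT_HOP]->(b)
SET r.direction = a.network_DIRECTION,
    r.via = shared.address;

// 4. Find the addresses that connect the most events (the "same identifier"
//    question): count events arriving at and leaving each IP.
MATCH (x:ip)
OPTIONAL MATCH (x)<-[:TO]-(in:event)
OPTIONAL MATCH (x)<-[:FROM]-(out:event)
RETURN x.address AS address,
       count(DISTINCT in)  AS events_to,
       count(DISTINCT out) AS events_from
ORDER BY events_to + events_from DESC
LIMIT 10;
```

Two caveats worth keeping in mind with this shape: loopback traffic (127.0.0.1, 127.0.0.53 from the sample rows) turns into a dense hub node that will connect almost every local event to every other one, so it is usually worth excluding those addresses in step 3 with an extra `AND shared.address <> "127.0.0.1"` style filter or a separate label; and step 3 links events regardless of time, so if `timestamp` is stored as a comparable type, adding `AND b.timestamp >= a.timestamp` to the WHERE clause keeps the chain causal rather than symmetric.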