From ed5e3479452057ace2413432124464f23bb9d151 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Andr=C3=A9?= Date: Mon, 16 Nov 2015 23:57:09 +0100 Subject: [PATCH] Added SQL request for top 10 API users/ip pair --- administration/README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/administration/README.md b/administration/README.md index 9f4b22a..207f847 100644 --- a/administration/README.md +++ b/administration/README.md @@ -352,3 +352,20 @@ Event 8 - OSINT - Dissecting XXX... - Low - TLP Amber Taken from [Koen Van Impe's blog](http://www.vanimpe.eu/2015/05/31/getting-started-misp-malware-information-sharing-platform-threat-sharing-part-3/) +#### Get top API users + +Enable the _log_auth_ setting in the server settings. Optionally enable _log_client_ip_ if you want to get stats per client ip. +Log into your mysql server and run the following query: +``` +select ip,email,count(id) as c from logs WHERE ip IS NOT NULL group by ip,email order by c desc limit 10; +``` + +This will give you a top 10 table per ip and username: ++----------------+----------------------------------+------+ +| ip | email | c | ++----------------+----------------------------------+------+ +| 1.2.3.4 | bob@nsa.gov | 4124 | +| 5.6.7.8 | vladimir@kremlin.ru | 1932 | +| 9.10.11.12 | fred@somewhere.eu | 1317 | +| 13.14.15.16 | SYSTEM | 16 | ++----------------+----------------------------------+------+
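Review bot: In the query added under "Get top API users", the only filter is `WHERE ip IS NOT NULL`, so the count covers every row in `logs` that carries an IP and is not limited to API authentication entries. Either restrict the query to the rows that _log_auth_ writes, or reword the heading and the "top 10" sentence so they describe what is actually counted. The text also calls _log_client_ip_ optional, but the query both filters and groups on `ip`. If that setting is what populates the column, the query returns nothing for anyone who skips it. Say that the setting is required for this query, or add a second query that groups by `email` alone. The count also has no time bound, so a long-lived account will outrank a recent burst of activity. A note on limiting the query to a recent period would make the result more useful for spotting abuse. The sample result table is added outside a code fence, unlike the query above it, so the `+---+` rows will not render as a table in Markdown and should be fenced as well. Finally, the sample rows use real-looking domains (`bob@nsa.gov`, `vladimir@kremlin.ru`) and routable addresses. `example.com` mailboxes and documentation ranges such as 192.0.2.0/24 would be safer in a README.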