After lot of effort my geo_ip is still not working

Hi Team,

Below is my config and after lot of tries my geo_ip is still not reflecting in my indices. Am I doing anything wrong here?

input {
        stdin {
                type => "json"
                 codec => "json"
}
filter {
        json {
        source => "message"
#       target => "transaction"
        }
        split {
        field => "[transaction][messages]"
        }
        mutate {
        rename => {
        "client_ip" => "src_ip"
        }
}
# Add geo coordinates / ASN info / IP rep.
  if [src_ip]  {
    geoip {
      cache_size => 10000
      source => "src_ip"
      database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "src_ip"
      database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-ASN.mmdb"
    }
  }
}
# Output section
output {
        stdout {
        codec => rubydebug
        }
}

And here is the output

{
           "host" => "applox",
    "transaction" => {
            "host_ip" => "143.110.185.133",
         "time_stamp" => "Thu Jul 29 01:09:50 2021",
           "producer" => {
                  "connector" => "ModSecurity-nginx v1.0.1",
            "secrules_engine" => "Enabled",
                "modsecurity" => "ModSecurity v3.0.4 (Linux)",
                 "components" => [
                [0] "OWASP_CRS/3.3.0\""
            ]
        },
           "messages" => {
            "details" => {
                       "rev" => "",
                 "reference" => "o0,9v148,23t:lowercase",
                  "severity" => "2",
                      "data" => "|text/html|",
                      "file" => "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
                       "ver" => "OWASP_CRS/3.3.0",
                  "accuracy" => "0",
                      "tags" => [
                    [0] "application-multi",
                    [1] "language-multi",
                    [2] "platform-multi",
                    [3] "attack-protocol",
                    [4] "paranoia-level/1",
                    [5] "OWASP_CRS",
                    [6] "capec/1000/255/153",
                    [7] "PCI/12.1"
                ],
                     "match" => "Matched \"Operator `Within' with parameter `|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json|  (134 characters omitted)' against variable `TX:content_type' (Value: `|text/html|' )",
                    "ruleId" => "920420",
                "lineNumber" => "937",
                  "maturity" => "0"
            },
            "message" => "Request content type is not allowed by policy"
        },
          "client_ip" => "149.56.74.89",
          "host_port" => 443,
          "unique_id" => "1627501190",
           "response" => {
              "headers" => {
                             "Content-Type" => "text/html",
                                   "Server" => "nginx",
                                     "ETag" => "\"604e3852-194\"",
                            "Last-Modified" => "Sun, 14 Mar 2021 16:22:42 GMT",
                "Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload",
                               "Connection" => "close",
                           "Content-Length" => "404",
                                     "Date" => "Wed, 28 Jul 2021 19:39:49 GMT"
            },
            "http_code" => 403
        },
            "request" => {
                  "method" => "GET",
            "http_version" => 1.1,
                     "uri" => "/",
                 "headers" => {
                   "Content-Type" => "text/html;charset=utf-8",
                     "User-Agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
                        "Referer" => "https://micougercie.mystrikingly.com/",
                         "Accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                     "Connection" => "Close",
                           "Host" => "xxxxxxxx",
                "Accept-Encoding" => "gzip, deflate"
            },
                    "body" => ""
        },
        "client_port" => 63254,
          "server_id" => "0e733d4796f338eb99386e5c5f6fa28091c4a6f4"
    },
     "@timestamp" => 2021-07-30T05:09:11.591Z,
           "type" => "json",
       "@version" => "1"
}
{
           "host" => "xxxx",
    "transaction" => {
            "host_ip" => "143.110.185.133",
         "time_stamp" => "Thu Jul 29 01:09:50 2021",
           "producer" => {
                  "connector" => "ModSecurity-nginx v1.0.1",
            "secrules_engine" => "Enabled",
                "modsecurity" => "ModSecurity v3.0.4 (Linux)",
                 "components" => [
                [0] "OWASP_CRS/3.3.0\""
            ]
        },
           "messages" => {
            "details" => {
                       "rev" => "",
                 "reference" => "",
                  "severity" => "2",
                      "data" => "",
                      "file" => "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
                       "ver" => "OWASP_CRS/3.3.0",
                  "accuracy" => "0",
                      "tags" => [
                    [0] "application-multi",
                    [1] "language-multi",
                    [2] "platform-multi",
                    [3] "attack-generic"
                ],
                     "match" => "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )",
                    "ruleId" => "949110",
                "lineNumber" => "80",
                  "maturity" => "0"
            },
            "message" => "Inbound Anomaly Score Exceeded (Total Score: 5)"
        },
          "client_ip" => "149.56.74.89",
          "host_port" => 443,
          "unique_id" => "1627501190",
           "response" => {
              "headers" => {
                             "Content-Type" => "text/html",
                                   "Server" => "nginx",
                                     "ETag" => "\"604e3852-194\"",
                            "Last-Modified" => "Sun, 14 Mar 2021 16:22:42 GMT",
                "Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload",
                               "Connection" => "close",
                           "Content-Length" => "404",
                                     "Date" => "Wed, 28 Jul 2021 19:39:49 GMT"
            },
            "http_code" => 403
        },
            "request" => {
                  "method" => "GET",
            "http_version" => 1.1,
                     "uri" => "/",
                 "headers" => {
                   "Content-Type" => "text/html;charset=utf-8",
                     "User-Agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
                        "Referer" => "https://micougercie.mystrikingly.com/",
                         "Accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                     "Connection" => "Close",
                           "Host" => "xxxxx",
                "Accept-Encoding" => "gzip, deflate"
            },
                    "body" => ""
        },
        "client_port" => 63254,
          "server_id" => "0e733d4796f338eb99386e5c5f6fa28091c4a6f4"
    },
     "@timestamp" => 2021-07-30T05:09:11.591Z,
           "type" => "json",
       "@version" => "1"
}

Your events do not have a [src_ip] field so the geoip filter is a no-op.

OK -Resolved the issue with below changes.

filter {
        json {
        source => "message"
#       target => "transaction"
        }
        split {
        field => "[transaction][messages]"
        }
# Add geo coordinates / ASN info / IP rep.
    geoip {
      cache_size => 10000
      source => "[transaction][client_ip]"
      database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-City.mmdb"
    }
    geoip {
      cache_size => 10000
      source => "[transaction][client_ip]"
      database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-ASN.mmdb"
    }
  }

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.