Hi Team,
Below is my config and after lot of tries my geo_ip is still not reflecting in my indices. Am I doing anything wrong here?
input {
stdin {
type => "json"
codec => "json"
}
filter {
json {
source => "message"
# target => "transaction"
}
split {
field => "[transaction][messages]"
}
mutate {
rename => {
"client_ip" => "src_ip"
}
}
# Add geo coordinates / ASN info / IP rep.
if [src_ip] {
geoip {
cache_size => 10000
source => "src_ip"
database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-City.mmdb"
}
geoip {
cache_size => 10000
source => "src_ip"
database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-ASN.mmdb"
}
}
}
# Output section
output {
stdout {
codec => rubydebug
}
}
And here is the output
{
"host" => "applox",
"transaction" => {
"host_ip" => "143.110.185.133",
"time_stamp" => "Thu Jul 29 01:09:50 2021",
"producer" => {
"connector" => "ModSecurity-nginx v1.0.1",
"secrules_engine" => "Enabled",
"modsecurity" => "ModSecurity v3.0.4 (Linux)",
"components" => [
[0] "OWASP_CRS/3.3.0\""
]
},
"messages" => {
"details" => {
"rev" => "",
"reference" => "o0,9v148,23t:lowercase",
"severity" => "2",
"data" => "|text/html|",
"file" => "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"ver" => "OWASP_CRS/3.3.0",
"accuracy" => "0",
"tags" => [
[0] "application-multi",
[1] "language-multi",
[2] "platform-multi",
[3] "attack-protocol",
[4] "paranoia-level/1",
[5] "OWASP_CRS",
[6] "capec/1000/255/153",
[7] "PCI/12.1"
],
"match" => "Matched \"Operator `Within' with parameter `|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| (134 characters omitted)' against variable `TX:content_type' (Value: `|text/html|' )",
"ruleId" => "920420",
"lineNumber" => "937",
"maturity" => "0"
},
"message" => "Request content type is not allowed by policy"
},
"client_ip" => "149.56.74.89",
"host_port" => 443,
"unique_id" => "1627501190",
"response" => {
"headers" => {
"Content-Type" => "text/html",
"Server" => "nginx",
"ETag" => "\"604e3852-194\"",
"Last-Modified" => "Sun, 14 Mar 2021 16:22:42 GMT",
"Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload",
"Connection" => "close",
"Content-Length" => "404",
"Date" => "Wed, 28 Jul 2021 19:39:49 GMT"
},
"http_code" => 403
},
"request" => {
"method" => "GET",
"http_version" => 1.1,
"uri" => "/",
"headers" => {
"Content-Type" => "text/html;charset=utf-8",
"User-Agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"Referer" => "https://micougercie.mystrikingly.com/",
"Accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection" => "Close",
"Host" => "xxxxxxxx",
"Accept-Encoding" => "gzip, deflate"
},
"body" => ""
},
"client_port" => 63254,
"server_id" => "0e733d4796f338eb99386e5c5f6fa28091c4a6f4"
},
"@timestamp" => 2021-07-30T05:09:11.591Z,
"type" => "json",
"@version" => "1"
}
{
"host" => "xxxx",
"transaction" => {
"host_ip" => "143.110.185.133",
"time_stamp" => "Thu Jul 29 01:09:50 2021",
"producer" => {
"connector" => "ModSecurity-nginx v1.0.1",
"secrules_engine" => "Enabled",
"modsecurity" => "ModSecurity v3.0.4 (Linux)",
"components" => [
[0] "OWASP_CRS/3.3.0\""
]
},
"messages" => {
"details" => {
"rev" => "",
"reference" => "",
"severity" => "2",
"data" => "",
"file" => "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
"ver" => "OWASP_CRS/3.3.0",
"accuracy" => "0",
"tags" => [
[0] "application-multi",
[1] "language-multi",
[2] "platform-multi",
[3] "attack-generic"
],
"match" => "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )",
"ruleId" => "949110",
"lineNumber" => "80",
"maturity" => "0"
},
"message" => "Inbound Anomaly Score Exceeded (Total Score: 5)"
},
"client_ip" => "149.56.74.89",
"host_port" => 443,
"unique_id" => "1627501190",
"response" => {
"headers" => {
"Content-Type" => "text/html",
"Server" => "nginx",
"ETag" => "\"604e3852-194\"",
"Last-Modified" => "Sun, 14 Mar 2021 16:22:42 GMT",
"Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload",
"Connection" => "close",
"Content-Length" => "404",
"Date" => "Wed, 28 Jul 2021 19:39:49 GMT"
},
"http_code" => 403
},
"request" => {
"method" => "GET",
"http_version" => 1.1,
"uri" => "/",
"headers" => {
"Content-Type" => "text/html;charset=utf-8",
"User-Agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36",
"Referer" => "https://micougercie.mystrikingly.com/",
"Accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Connection" => "Close",
"Host" => "xxxxx",
"Accept-Encoding" => "gzip, deflate"
},
"body" => ""
},
"client_port" => 63254,
"server_id" => "0e733d4796f338eb99386e5c5f6fa28091c4a6f4"
},
"@timestamp" => 2021-07-30T05:09:11.591Z,
"type" => "json",
"@version" => "1"
}