Cannot Load MaxMind GeoIP2-ISP.mmdb

Hello,

We use multiple GeoIP databases. We're using GeoIP2-City to get location information, and GeoIP-ISP to get as.number and as.organization.name. However, I cannot load the provided MaxMind GeoIP2-ISP.mmdb.

{
  "description": "Adds geoip info for ECS documents",
  "processors": [
    {
      "geoip": {
        "database_file": "GeoIP2-City.mmdb",
        "field": "client.ip",
        "ignore_missing": true,
        "target_field": "client.geo"
      }
    },
    {
      "geoip": {
        "database_file": "GeoIP2-ISP.mmdb",
        "field": "client.ip",
        "ignore_missing": true,
        "target_field": "client.as"
      }
    }
  ]
}

Results in:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "parse_exception",
        "reason" : "[database_file] Unsupported database type [GeoIP2-ISP]",
        "property_name" : "database_file",
        "processor_type" : "geoip",
    ...

The docs mention being able to use multiple database files for this information. The old GeoIP-ASN was replaced with GeoIP2-ISP, so this should be supported. Is there a way to get past this? I've found 2 other discussions asking this question on this forum with no answer. Maybe the third time is a charm and someone familiar with the product has the magic incantation.
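The parse exception quotes a type string ("GeoIP2-ISP") rather than a file name, which points at the `database_type` field stored in the .mmdb file's own metadata. The docs excerpt later in this thread says only City, Country and ASN databases are accepted, so a quick way to tell whether a given .mmdb will load is to read that metadata field and test it against those suffixes. The script below is an added example, not code from Elastic or MaxMind: it implements just enough of the MMDB data-section format (strings, unsigned integers, maps, arrays) to decode the metadata block that follows the `\xab\xcd\xefMaxMind.com` marker at the end of every .mmdb, and it assumes the ingest-geoip processor's rule is "database_type ends with City, Country or ASN", an assumption drawn from the quoted docs and the error text. `build_fixture` constructs a tiny synthetic .mmdb-shaped blob so the example runs offline; real files carry more metadata fields and a real search tree.

```python
import sys

# Every MMDB file ends with a metadata map preceded by this marker.
METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"


def _size(data, pos, size):
    """Resolve the 5-bit size field, including the 29/30/31 extension forms."""
    if size < 29:
        return size, pos
    if size == 29:
        return 29 + data[pos], pos + 1
    if size == 30:
        return 285 + int.from_bytes(data[pos:pos + 2], "big"), pos + 2
    return 65821 + int.from_bytes(data[pos:pos + 3], "big"), pos + 3


def decode(data, pos):
    """Decode one MMDB data-section value at `pos`; returns (value, next_pos).

    Only the types that occur in the metadata block are handled: UTF-8
    strings, unsigned integers, maps and arrays.
    """
    ctrl = data[pos]
    pos += 1
    typ, size = ctrl >> 5, ctrl & 0x1F
    if typ == 0:                     # extended type: real type is 7 + next byte
        typ = 7 + data[pos]
        pos += 1
    size, pos = _size(data, pos, size)
    if typ == 2:                     # UTF-8 string
        return data[pos:pos + size].decode("utf-8"), pos + size
    if typ in (5, 6, 9, 10):         # uint16 / uint32 / uint64 / uint128
        return int.from_bytes(data[pos:pos + size], "big"), pos + size
    if typ == 7:                     # map: size is the number of key/value pairs
        out = {}
        for _ in range(size):
            key, pos = decode(data, pos)
            value, pos = decode(data, pos)
            out[key] = value
        return out, pos
    if typ == 11:                    # array: size is the number of elements
        items = []
        for _ in range(size):
            item, pos = decode(data, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unsupported MMDB type {typ} at offset {pos - 1}")


def read_metadata(blob: bytes) -> dict:
    """Locate the metadata marker and decode the map that follows it."""
    start = blob.rfind(METADATA_MARKER)
    if start < 0:
        raise ValueError("not an MMDB file: metadata marker missing")
    meta, _ = decode(blob, start + len(METADATA_MARKER))
    return meta


def ingest_geoip_supports(database_type: str) -> bool:
    # Assumed rule, taken from the docs excerpt quoted in this thread:
    # only City, Country and ASN database types are loadable.
    return database_type.endswith(("City", "Country", "ASN"))


def check_mmdb(blob: bytes):
    """Return (database_type, would_load) for an .mmdb file's bytes."""
    dtype = read_metadata(blob)["database_type"]
    return dtype, ingest_geoip_supports(dtype)


# --- constructed fixture (hypothetical, for offline demonstration) ---
def _enc(value) -> bytes:
    """Encode a str / small int / list / dict in MMDB data-section form."""
    if isinstance(value, str):
        raw = value.encode("utf-8")          # short strings only (< 29 bytes)
        return bytes([(2 << 5) | len(raw)]) + raw
    if isinstance(value, int):               # uint16, always two bytes
        return bytes([(5 << 5) | 2]) + value.to_bytes(2, "big")
    if isinstance(value, list):              # extended type 11 = 7 + 4
        return bytes([len(value), 4]) + b"".join(_enc(v) for v in value)
    return bytes([(7 << 5) | len(value)]) + b"".join(
        _enc(k) + _enc(v) for k, v in value.items())


def build_fixture(database_type: str) -> bytes:
    """Minimal .mmdb-shaped blob: dummy tree bytes, marker, metadata map."""
    metadata = {
        "binary_format_major_version": 2,
        "binary_format_minor_version": 0,
        "database_type": database_type,
        "ip_version": 6,
        "record_size": 24,
        "languages": ["en"],
    }
    return b"\x00" * 64 + METADATA_MARKER + _enc(metadata)


if __name__ == "__main__":
    # Usage: python check_mmdb.py /path/to/GeoIP2-ISP.mmdb
    with open(sys.argv[1], "rb") as fh:
        dtype, ok = check_mmdb(fh.read())
    print(f"database_type={dtype} ingest-geoip-loadable={ok}")
```

Run against the purchased GeoIP2-ISP.mmdb, the script reports the type string the processor will reject; against a GeoIP2-City.mmdb or GeoLite2-ASN.mmdb it reports a loadable type. The check reads only the trailing metadata, so it is safe to run on production database files without parsing the search tree.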

Crickets? Anyone from Elastic able to comment? Would love to get ASN processing working with ingest-geoip.

Curious... I looked a bit. Where does it say in the Elastic docs that GeoIP2-ISP is supported? (Not saying we don't, I just don't see it in our docs.)

From the MaxMind site the format of the ISP database is different than the ASN database.

And the docs appear to say

You can also use custom city, country, and ASN .mmdb files. These files must be uncompressed and use the respective -City.mmdb , -Country.mmdb , or -ASN.mmdb extensions.

I am trying to check, but I am thinking that is not supported at the moment, because it is not actually a GeoIP lookup, i.e. it does not contain a lat / lon, which is expected (the GEO portion of the equation). It just has ISP / ASN info, so perhaps it is more of a standard enrich lookup.

If I get a chance I will look.

Update... interesting, yes, ASN contains no geo data. I will look more; it could be it is simply a different format / set of columns.

Update 2: Looks like a flat-out feature request, not currently supported.

Looks like it is supported with Logstash here:

The path to MaxMind’s database file that Logstash should use. The default database is GeoLite2-City. GeoLite2-City, GeoLite2-Country, GeoLite2-ASN are the free databases from MaxMind that are supported. GeoIP2-City, GeoIP2-ISP, GeoIP2-Country are the commercial databases from MaxMind that are supported.

https://www.elastic.co/guide/en/elasticsearch/reference/7.16/geoip-processor.html#using-ingest-geoip

The "GeoLite2-ASN.mmdb" is listed, but there is no paid -ASN.mmdb, the -ISP.mmdb is the paid version with this data.

See: https://www.maxmind.com/en/geoip2-databases

Notice there's no ASN DB.

I purchased a GeoIP2-ISP.mmdb and tried; it is not currently supported (AFAICT). I also tried to build a direct enrich processor from the ISP CSV, but that did not work because IP range search is not supported (that would have been a good workaround).

You can use Logstash, see here.

I opened a feature request here. Please add to it as you see fit.

Awesome! Thanks!

You should add your comments to the feature request; actual users / customers can help, otherwise it is just me.
