Hi Aaron, after 2 days of research it seems very hard to build a custom geoip2 database. So I will try to add the geoip fields from a CSV, but I think something is missing.
CSV file (it has 400 entries):
startIp,endIp,country,region,city,postalCode,latitude,longitude
10.12.11.*,10.12.11.255,FR,AM,"address city 1",06200,43.667509,7.213238
10.50.219.*,10.50.219.255,FR,AM,"address city 2",06200,43.667509,7.213238
10.12.10.*,10.12.10.255,FR,AM,"address city 3",06200,43.667509,7.213238
My filter file:
filter {
  csv {
    source    => "/etc/logstash/mutate/nca.csv"
    separator => ","
    columns   => [ "startIp", "endIp", "country", "region", "city", "postalCode", "latitude", "longitude" ]
    add_tag   => [ "csv_parse_successfull" ]
    add_field => {
      "temp_longitude" => "%{longitude}"
      "temp_latitude"  => "%{latitude}"
    }
  }
  if "[event_data][IpAddress]" == "startIp" {
    mutate {
      convert => { "temp_longitude" => "float" }
      convert => { "temp_latitude"  => "float" }
    }
    mutate {
      rename => { "temp_longitude" => "[geoip][longitude]" }
      rename => { "temp_latitude"  => "[geoip][latitude]" }
    }
  }
}
Nothing happens: no tag is added, and no geoip.longitude / geoip.latitude.
Here is a sample of the event log with the nested field holding the IPv4 address ( "[event_data][IpAddress]" ):
{
  "_index": "logstash-security-2017.03.22",
  "_type": "wineventlog",
  "_id": "AVr1COd23DUwVZ8syxA6",
  "_score": null,
  "_source": {
    "computer_name": "VMxxxxDC.company.fr",
    "process_id": 620,
    "keywords": [
      "Audit Success"
    ],
    "level": "Information",
    "log_name": "Security",
    "record_number": "2343599933",
    "event_data": {
      "ProcessName": "-",
      "LogonGuid": "{6823A8C7-1FF6-3D97-7BE9-BCEE2D}",
      "LogonType": "3",
      "IpPort": "54313",
      "SubjectLogonId": "0x0",
      "TransmittedServices": "-",
      "KeyLength": "0",
      "LmPackageName": "-",
      "TargetLogonId": "0x1408bb25f",
      "SubjectUserName": "-",
      "IpAddress": "10.13.38.45",
      "SubjectDomainName": "-",
      "ImpersonationLevel": "%%1833",
      "ProcessId": "0x0",
      "TargetUserName": "N133973",
      "LogonProcessName": "Kerberos",
      "TargetDomainName": "DOMAIN",
      "SubjectUserSid": "S-1-0-0",
      "AuthenticationPackageName": "Kerberos",
      "TargetUserSid": "S-1-5-21-117609710-1482476501-18016745317"
    },
Thank you for your help and advice.
Fayce
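An added example (not from the post, and not Logstash's or Elastic's own code) of the lookup the post is after, written as the body of a Logstash `ruby` filter so that it can be run and tested outside Logstash. The csv filter parses one field of an event as a CSV line; it does not consult a file, so an IP-range lookup against the 400-row table has to be done another way. Here the table is loaded once into sorted integer ranges (the post's `10.12.11.*` start addresses are read as `.0`), the event's `[event_data][IpAddress]` is matched by binary search, and the matched row is copied into `[geoip][...]` fields named after the ones Logstash's geoip filter emits; an address that matches no range, or is not an address at all (Windows logs `-` for local logons), leaves the event untouched apart from a miss tag. `SAMPLE_CSV` is a constructed copy of three rows from the post, and `FakeEvent`, `enrich` and the `_csv_lookup_miss` tag are this example's own assumptions, not Logstash APIs; inside Logstash, `event.get` / `event.set` are provided by the filter.

```ruby
require "csv"
require "ipaddr"

# Constructed sample: three rows copied from the post's CSV (the real file has 400).
SAMPLE_CSV = <<~CSV
  startIp,endIp,country,region,city,postalCode,latitude,longitude
  10.12.11.*,10.12.11.255,FR,AM,"address city 1",06200,43.667509,7.213238
  10.50.219.*,10.50.219.255,FR,AM,"address city 2",06200,43.667509,7.213238
  10.12.10.*,10.12.10.255,FR,AM,"address city 3",06200,43.667509,7.213238
CSV

# Convert an address to an integer; the post writes range starts as "10.12.11.*",
# so a "*" octet is filled with 0 for starts and 255 for ends.
def ip_to_int(str, fill)
  IPAddr.new(str.strip.gsub("*", fill)).to_i
end

# Non-overlapping IPv4 ranges, sorted by first address, each carrying the geoip fields.
class IpRangeTable
  Entry = Struct.new(:first, :last, :fields)

  def initialize(csv_text)
    @entries = CSV.parse(csv_text, headers: true).map do |row|
      first = ip_to_int(row["startIp"], "0")
      last  = ip_to_int(row["endIp"], "255")
      raise ArgumentError, "bad range #{row['startIp']}-#{row['endIp']}" if first > last
      Entry.new(first, last, {
        "country_code2" => row["country"],
        "region_name"   => row["region"],
        "city_name"     => row["city"],
        "postal_code"   => row["postalCode"],     # kept as a string so "06200" survives
        "latitude"      => Float(row["latitude"]),
        "longitude"     => Float(row["longitude"]),
      })
    end.sort_by(&:first)
  end

  # Fields of the range containing ip, or nil for a miss or a non-address such as "-".
  def lookup(ip)
    return nil if ip.nil? || ip.to_s.strip.empty?
    n = begin
      IPAddr.new(ip.to_s.strip).to_i
    rescue ArgumentError          # IPAddr::InvalidAddressError is an ArgumentError
      return nil
    end
    # First entry starting after n; the candidate is the one just before it.
    idx  = @entries.bsearch_index { |e| e.first > n }
    cand = idx.nil? ? @entries.last : (idx.zero? ? nil : @entries[idx - 1])
    cand && n <= cand.last ? cand.fields : nil
  end
end

# Assumption: a minimal stand-in for the Logstash event API (get/set on "[a][b]" paths)
# so the filter body below runs outside Logstash. Inside a ruby filter, use the real event.
class FakeEvent
  def initialize(data) = @data = data
  def to_hash = @data

  def get(path)
    path.scan(/\[([^\]]+)\]/).flatten.reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  end

  def set(path, value)
    keys = path.scan(/\[([^\]]+)\]/).flatten
    last = keys.pop
    keys.reduce(@data) { |h, k| h[k] ||= {} }[last] = value
  end
end

# Filter body: enrich the event with the matched row, or tag the miss. Returns true on a hit.
def enrich(event, table)
  fields = table.lookup(event.get("[event_data][IpAddress]"))
  if fields.nil?
    event.set("[tags]", ((event.get("[tags]") || []) + ["_csv_lookup_miss"]).uniq)
    return false
  end
  fields.each { |k, v| event.set("[geoip][#{k}]", v) }
  # geo_point arrays are [lon, lat], the order Kibana's map expects from the geoip filter.
  event.set("[geoip][location]", [fields["longitude"], fields["latitude"]])
  true
end
```

In Logstash the table would be built once in the filter's `init` block and `enrich` called from `code`, with the CSV path taken from a setting rather than embedded as here; the post's own sample event (IpAddress `10.13.38.45`) falls outside all three constructed ranges and is therefore tagged rather than enriched.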