Enriching Logs with Internal Geo IP Location Lookups

(Devin Ferguson) #1

I have been trying to find a way to do internal Geo IP lookup to enrich logs. I have over 500 subnets with specific locations for each that I want to map the whole subnet to that location. Is there any way that this would be possible with the current plugins? If not, I would really appreciate it if we could maybe open an issue to get this sort of function added to Logstash.

(Magnus Bäck) #2

Have a look at the cidr and translate filters. The former allows you to set fields based on whether an IP address matches a CIDR subnet specification (so you'll end up with one filter per subnet, but you'd obviously generate that configuration) while the translate filter would require you to enumerate all IP addresses in each subnet but would allow you to specify the mappings between IP addresses and resulting location values in a single file referenced by a single translate filter.


Alternatively, use the geoip filter, but build your own MMDB that includes your internal networks. I have not tried it, but it seems like a reasonable approach.
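Added example, not part of the original posts: one way to generate the per-subnet cidr filters suggested above from a subnet inventory, with a check for overlapping subnets (every cidr filter is evaluated, so an address inside two subnets would get both locations). The CSV layout, the `src_ip` source field and the `location` target field are assumptions, and the sample data is constructed.

```python
import csv
import io
import ipaddress

# Constructed sample inventory; a real one would be read from a CSV file.
SAMPLE_CSV = """subnet,location
10.10.0.0/24,Chicago DC
10.10.1.0/24,Chicago Office
10.20.0.0/16,London
10.20.5.0/24,London Lab
"""

def load_subnets(text):
    """Parse and validate rows; strict=True rejects entries with host bits set."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["subnet"].strip(), strict=True)
        loc = row["location"].strip()
        if '"' in loc or "\\" in loc:
            raise ValueError(f"unsafe character in location for {net}")
        rows.append((net, loc))
    return rows

def find_overlaps(rows):
    """Return pairs of subnets that overlap (same IP version only)."""
    overlaps = []
    for i, (a, _) in enumerate(rows):
        for b, _ in rows[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                overlaps.append((str(a), str(b)))
    return overlaps

def render_cidr_filters(rows, ip_field="src_ip", target="location"):
    """Emit one cidr filter per subnet; ip_field and target are assumed names."""
    out = ["filter {"]
    for net, loc in rows:
        out += [
            "  cidr {",
            f'    address => [ "%{{{ip_field}}}" ]',
            f'    network => [ "{net}" ]',
            f'    add_field => {{ "{target}" => "{loc}" }}',
            "  }",
        ]
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    subnets = load_subnets(SAMPLE_CSV)
    for a, b in find_overlaps(subnets):
        print(f"# WARNING: {a} overlaps {b}")
    print(render_cidr_filters(subnets))
```
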

(Devin Ferguson) #4

I have figured out a way to do it using a previous thread and by using Python to manipulate a couple of CSVs to create the YAML file this thread talks about: Create Custom geoip database for Logstash 5.2

Thank you guys for all the suggestions. If anyone has questions about the script, the YAML file, or the filter, just shoot me a message. Thanks!
