Geoip.ip and private ip file

Hi, I want to try geoip functionnalities.

I import with ELK logs from many active directory controllers. I want to match IP from that logs with a personal file.
For example 10.12.x.x => research floor 1 or 10.15.x.x -> labs floor 6

I've found that I must use a filter in my logstash.conf

filter {
mutate {
remove_field => [ "@version", "@timestamp" ]
}
geoip {
source => "event_data.IpAddress" <--- the field containing the IP string
}
}
So where to put my source file and how to build it (csv or something else ????)

A great thanks for your help

Fayce

Have a look at Creating geoip data for internal networks

Thanks for your reply.

In my case, I want to build a custom.dat database
Here is a simple of my file csv file

startIP,endIP,country,region,city,postalCode,latitude,longitude,metroCode,areaCode
168561408,168561663,FR,,Nice,06200,43.667509,7.213238,"455 Promenade des Anglais","Communica 1"
171105024,171105279,FR,,Nice,06200,43.667509,7.213238,"455 Promenade des Anglais","Communica 2"

When I try to build the dat file with the command from /usr/lib/geoip :

./geoip-generator -v -o custom_geoip.dat /etc/logstash/geoip/GeoLiteCity-NCA.csv

I get that error :

./geoip-generator: Reading CSV and building the trie
./geoip-generator:/etc/logstash/geoip/GeoLiteCity-NCA.csv:1: Wrong number of fields

I don't know which field is missing.

Thanks for help friends

Update, I hade the -l option to specify the location of my csv file.

./geoip-generator -v -o custom_geoip.dat -l /etc/logstash/geoip/GeoLiteCity-NCA.csv

It seems to work, it takes a very long time but nothing happens. When I press Enter I have tue Wrong number of fields error message, again.

Thanks

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.