GeoIP mapping returns wrong results

I use the geoip processor to enhance packetbeat documents. The ingest pipeline looks like this:

{
  "geoip-info" : {
    "description" : "Add geoip info",
    "processors" : [
      {
        "geoip" : {
          "field" : "client.ip",
          "target_field" : "client.geo",
          "ignore_missing" : true
        }
      },
      {
        "geoip" : {
          "field" : "source.ip",
          "target_field" : "source.geo",
          "ignore_missing" : true
        }
      },
      {
        "geoip" : {
          "field" : "destination.ip",
          "target_field" : "destination.geo",
          "ignore_missing" : true
        }
      },
      {
        "geoip" : {
          "field" : "server.ip",
          "target_field" : "server.geo",
          "ignore_missing" : true
        }
      },
      {
        "geoip" : {
          "field" : "host.ip",
          "target_field" : "host.geo",
          "ignore_missing" : true
        }
      }
    ]
  }
}

Now I've noticed that the result from the processor is wrong for at least one IP address. I've downloaded the database to double-check; with that version, the result should be correct. Here is the example result:

{
  "_index": "packetbeat-test-2020.10.13-000009",
  "_type": "_doc",
  "_id": "n-YlIXUBDd9eAz49jeaB",
  "_version": 1,
  "_score": null,
  "_source": {
    "server": {
      "geo": {
        "continent_name": "Europe",
        "region_iso_code": "CZ-713",
        "city_name": "Prostejov",
        "country_iso_code": "CZ",
        "region_name": "Prostejov District",
        "location": {
          "lon": 17.075,
          "lat": 49.4667
        }
      },
      "port": 443,
      "ip": "193.25.208.59"
    },
    "agent": {
      "hostname": "Host",
      "name": "Server",
      "id": "c7bbfb60-ebf8-4821-9664-3db32633b615",
      "type": "packetbeat",
      "ephemeral_id": "9ad6afab-6014-42ce-aa99-055e23bb3fb0",
      "version": "7.9.1"
    },
    "destination": {
      "geo": {
        "continent_name": "Europe",
        "region_iso_code": "CZ-713",
        "city_name": "Prostejov",
        "country_iso_code": "CZ",
        "region_name": "Prostejov District",
        "location": {
          "lon": 17.075,
          "lat": 49.4667
        }
      },
      "port": 443,
      "ip": "193.25.208.59"
    },
    "source": {
      "geo": {
        "continent_name": "North America",
        "region_iso_code": "US-NY",
        "city_name": "Great Neck",
        "country_iso_code": "US",
        "region_name": "New York",
        "location": {
          "lon": -73.7262,
          "lat": 40.789
        }
      },
      "port": 2888,
      "ip": "63.118.13.10"
    },
    "type": "tls",
    "network": {
      "protocol": "tls",
      "community_id": "1:6IVoMuFJVfxl9q1GPThTnA4/opc=",
      "transport": "tcp",
      "type": "ipv4",
      "direction": "inbound"
    },
    "tags": [
      "Sametime",
      "Remote Services",
      "prod"
    ],
    "@timestamp": "2020-10-13T08:48:29.870Z",
    "related": {
      "ip": [
        "63.118.13.10",
        "193.25.208.59"
      ]
    },
    "ecs": {
      "version": "1.5.0"
    },
    "host": {
      "geo": {
        "continent_name": "Europe",
        "region_iso_code": "CZ-713",
        "city_name": "Prostejov",
        "country_iso_code": "CZ",
        "region_name": "Prostejov District",
        "location": {
          "lon": 17.075,
          "lat": 49.4667
        }
      },
      "hostname": "Host",
      "os": {
        "kernel": "3.0.101-108.87-default",
        "name": "SLES",
        "family": "suse",
        "version": "11.4",
        "platform": "sles"
      },
      "containerized": false,
      "ip": [
        "193.25.208.59"
      ],
      "name": "Server",
      "id": "28ec60084410b837c5b4efd752fcd27f",
      "architecture": "x86_64"
    },
    "client": {
      "geo": {
        "continent_name": "North America",
        "region_iso_code": "US-NY",
        "city_name": "Great Neck",
        "country_iso_code": "US",
        "region_name": "New York",
        "location": {
          "lon": -73.7262,
          "lat": 40.789
        }
      },
      "port": 2888,
      "ip": "63.118.13.10"
    },
    "event": {
      "duration": 128335211,
      "kind": "event",
      "start": "2020-10-13T08:48:29.870Z",
      "end": "2020-10-13T08:48:29.998Z",
      "category": [
        "network_traffic",
        "network"
      ],
      "type": [
        "connection",
        "protocol"
      ],
      "dataset": "tls"
    },
    "status": "OK"
  },
  "fields": {
    "event.end": [
      "2020-10-13T08:48:29.998Z"
    ],
    "tls.server.x509.not_after": [
      "2021-06-12T14:43:26.000Z"
    ],
    "tls.detailed.server_certificate.not_before": [
      "2019-06-12T14:43:26.000Z"
    ],
    "tls.server_certificate.not_before": [
      "2019-06-12T14:43:26.000Z"
    ],
    "tls.server_certificate.not_after": [
      "2021-06-12T14:43:26.000Z"
    ],
    "@timestamp": [
      "2020-10-13T08:48:29.870Z"
    ],
    "tls.server.x509.not_before": [
      "2019-06-12T14:43:26.000Z"
    ],
    "tls.server.not_before": [
      "2019-06-12T14:43:26.000Z"
    ],
    "tls.detailed.server_certificate.not_after": [
      "2021-06-12T14:43:26.000Z"
    ],
    "event.start": [
      "2020-10-13T08:48:29.870Z"
    ],
    "tls.server.not_after": [
      "2021-06-12T14:43:26.000Z"
    ]
  },
  "sort": [
    1602578909870
  ]
}

The IP 193.25.208.59 is mapped to a location in Czechia; according to the database it should be in Germany.
In GeoLite2-City-Blocks-IPv4 I find this record:
193.25.208.0/23,2847645,2921044,,0,0,48432,52.2672,7.4443,500

With the value from the second column, the lookup in GeoLite2-City-Locations-de returns this record:
2847645,de,EU,Europa,DE,Deutschland,NW,Nordrhein-Westfalen,,,Rheine,,Europe/Berlin,1

What could be the problem in Packetbeat? Is the database not correct?

Hi @norgro2601. The GeoLite2 database bundled with Elasticsearch is several versions behind the current GeoLite2 database available from MaxMind. You can download the latest database from MaxMind and configure your Elasticsearch cluster to use the database you provide. https://www.elastic.co/guide/en/elasticsearch/reference/current/geoip-processor.html

Hi @nickpeihl,
thanks for the explanation, but as our stack is running on Elastic Cloud, I'm not sure this solution will work for me. I'm not aware of an extension or setting that would allow me to upload and configure a custom database. I will check this again.

Hi @norgro2601. I believe you can create an Extension of type "Bundle..." and upload a file that contains the directory structure shown below. All bundles are decompressed into the $ES_CONFIG directory, so whatever you call the directory will end up there. Note that the top-level directory must be named ingest-geoip.

.
└── ingest-geoip
    └── GeoLite2-ASN-Custom.mmdb

You will also need to specify the geoip.database_file in your processor pipeline, as described in the documentation.
