Hi Team,
I am trying to generate static ASN for the IPs in local network but I couldn't get any results.
My filter config:
if [@metadata][asn_lookup] == "true" {
geoip {
id => "elastiflow_postproc_geoip_src_asn"
source => "[flow][src_addr]"
database => "${ELASTIFLOW_GEOIP_DB_PATH:/etc/logstash/elastiflow/geoipdbs}/GeoLite2-ASN.mmdb"
cache_size => "${ELASTIFLOW_GEOIP_CACHE_SIZE:8192}"
target => "[metadata][geoip_src]"
}
# Populate src_autonomous_system.
if "_geoip_lookup_failure" not in [tags] {
if [metadata][geoip_src][as_org] {
if [metadata][geoip_src][asn] {
mutate {
id => "elastiflow_postproc_src_as_from_as_org_asn"
add_field => { "[flow][src_autonomous_system]" => "%{[metadata][geoip_src][as_org]} (%{[metadata][geoip_src][asn]})" }
}
} else {
mutate {
id => "elastiflow_postproc_src_as_from_as_org"
add_field => { "[flow][src_autonomous_system]" => "%{[metadata][geoip_src][as_org]}" }
}
}
} else if [metadata][geoip_src][asn] {
mutate {
id => "elastiflow_postproc_src_as_from_asn"
add_field => { "[flow][src_autonomous_system]" => "%{[metadata][geoip_src][asn]}" }
}
} else {
mutate {
add_field => { "[flow][src_autonomous_system]" => "public" }
}
}
mutate {
id => "elastiflow_set_src_asn"
rename => { "[metadata][geoip_src][asn]" => "[flow][src_asn]" }
}
##### Private ASN Lookup - Source -
if [metadata][geoip_src][asn] == "1213" {
# Lookup destination Autonomous System.
geoip {
id => "elastiflow_postproc_local_geoip_src_private_asn"
source => "[flow][src_addr]"
database => "${ELASTIFLOW_GEOIP_DB_PATH:/etc/logstash/elastiflow/geoipdbs}/local-ASN.mmdb" ##### Add Private ASN
cache_size => "${ELASTIFLOW_GEOIP_CACHE_SIZE:8192}"
target => "[metadata][local_geoip_src]"
}
if [metadata][local_geoip_src][as_org] {
if [metadata][local_geoip_src][asn] {
mutate {
id => "elastiflow_postproc_local_src_as_from_as_org_asn"
add_field => { "[flow][local_src_autonomous_system]" => "%{[metadata][[local_geoip_src][as_org]} (%{[metadata][local_geoip_src][asn]})" }
}
} else {
mutate {
id => "elastiflow_postproc_local_src_as_from_as_org"
add_field => { "[flow][local_src_autonomous_system]" => "%{[metadata][local_geoip_src][as_org]}" }
}
}
} else if [metadata][local_geoip_src][asn] {
mutate {
id => "elastiflow_postproc_local_src_as_from_asn"
add_field => { "[flow][local_src_autonomous_system]" => "%{[metadata][local_geoip_src][asn]}" }
}
} else {
mutate {
add_field => { "[flow][local_src_autonomous_system]" => "public" }
}
}
mutate {
id => "elastiflow_local_src_asn"
rename => { "[metadata][local_geoip_src][asn]" => "[flow][local_src_asn]" }
}
}
############ End -
} else {
mutate {
add_field => { "[flow][src_autonomous_system]" => "public" }
remove_tag => [ "_geoip_lookup_failure" ]
}
}
} else {
mutate {
id => "elastiflow_postproc_no_src_asn_lookup"
add_field => { "[flow][src_autonomous_system]" => "public" }
}
}
mutate {
add_field => {
"[flow][autonomous_system]" => "%{[flow][src_autonomous_system]}"
}
}
Fields in mmdb, when I did mmdb lookup.
Database metadata
Node count: 616
Record size: 24 bits
IP version: IPv4
Binary format: 2.0
Build epoch: 1557242134 (2019-05-07 15:15:34 UTC)
Type: GeoLite2-ASN
Languages:
Description:
en: Clinet ASN Database
{
"autonomous_system_number":
65401<uint32>
"autonomous_system_organization":
"Office"<utf8_string>
}
I have two ASN DBs configured; one checks the public ASN (GeoLite2-ASN) and other ASN (local-ASN.mmdb) is used when there is a match.
If I user my private ASN instead (GeoLite2-ASN) I get the results (this proved my mmdb is not corrupted), whereas when I use as secondary I cannot get any values.
Note: No error in logs pointing to the filter or database.
Can anyone shed some light on my config please?
Best,
Yash