Geoip with two ASN (mmdb format) database

Hi Team,

I am trying to generate static ASN for the IPs in local network but I couldn't get any results.

My filter config:

          if [@metadata][asn_lookup] == "true" {
            geoip {
              id => "elastiflow_postproc_geoip_src_asn"
              source => "[flow][src_addr]"
              database => "${ELASTIFLOW_GEOIP_DB_PATH:/etc/logstash/elastiflow/geoipdbs}/GeoLite2-ASN.mmdb"
              cache_size => "${ELASTIFLOW_GEOIP_CACHE_SIZE:8192}"
              target => "[metadata][geoip_src]"
            }
            # Populate src_autonomous_system.
            if "_geoip_lookup_failure" not in [tags] {
              if [metadata][geoip_src][as_org] {
                if [metadata][geoip_src][asn] {
                  mutate {
                    id => "elastiflow_postproc_src_as_from_as_org_asn"
                    add_field => { "[flow][src_autonomous_system]" => "%{[metadata][geoip_src][as_org]} (%{[metadata][geoip_src][asn]})" }
                  }
                } else {
                  mutate {
                    id => "elastiflow_postproc_src_as_from_as_org"
                    add_field => { "[flow][src_autonomous_system]" => "%{[metadata][geoip_src][as_org]}" }
                  }
                }
              } else if [metadata][geoip_src][asn] {
                mutate {
                  id => "elastiflow_postproc_src_as_from_asn"
                  add_field => { "[flow][src_autonomous_system]" => "%{[metadata][geoip_src][asn]}" }
                }
              } else {
                mutate {
                  add_field => { "[flow][src_autonomous_system]" => "public" }
                }
              }
              mutate {
                id => "elastiflow_set_src_asn"
                rename => { "[metadata][geoip_src][asn]" => "[flow][src_asn]" }
              }          
             ##### Private ASN Lookup - Source -
              if [metadata][geoip_src][asn] == "1213" {
               # Lookup destination Autonomous System.
               geoip {
                 id => "elastiflow_postproc_local_geoip_src_private_asn"
                 source => "[flow][src_addr]"
                 database => "${ELASTIFLOW_GEOIP_DB_PATH:/etc/logstash/elastiflow/geoipdbs}/local-ASN.mmdb" ##### Add Private ASN
                 cache_size => "${ELASTIFLOW_GEOIP_CACHE_SIZE:8192}"
                 target => "[metadata][local_geoip_src]"
                }
              if [metadata][local_geoip_src][as_org] {
                 if [metadata][local_geoip_src][asn] {
                   mutate {
                     id => "elastiflow_postproc_local_src_as_from_as_org_asn"
                     add_field => { "[flow][local_src_autonomous_system]" => "%{[metadata][[local_geoip_src][as_org]} (%{[metadata][local_geoip_src][asn]})" }
                    }
                  } else {
                    mutate {
                     id => "elastiflow_postproc_local_src_as_from_as_org"
                     add_field => { "[flow][local_src_autonomous_system]" => "%{[metadata][local_geoip_src][as_org]}" }
                    }
                  }
                } else if [metadata][local_geoip_src][asn] {
                  mutate {
                   id => "elastiflow_postproc_local_src_as_from_asn"
                   add_field => { "[flow][local_src_autonomous_system]" => "%{[metadata][local_geoip_src][asn]}" }
                  }
                  } else {
                   mutate {
                   add_field => { "[flow][local_src_autonomous_system]" => "public" }
                  }
                  }
                mutate {
                 id => "elastiflow_local_src_asn"
                 rename => { "[metadata][local_geoip_src][asn]" => "[flow][local_src_asn]" }
                }
             }
           ############ End - 
            } else {
              mutate {
                add_field => { "[flow][src_autonomous_system]" => "public" }
                remove_tag => [ "_geoip_lookup_failure" ]
              }
            }
          } else {
            mutate {
              id => "elastiflow_postproc_no_src_asn_lookup"
              add_field => { "[flow][src_autonomous_system]" => "public" }
            }
          }
          mutate {
            add_field => {
              "[flow][autonomous_system]" => "%{[flow][src_autonomous_system]}"
            }
          }

Fields in mmdb, when I did mmdb lookup.

Database metadata
Node count: 616
Record size: 24 bits
IP version: IPv4
Binary format: 2.0
Build epoch: 1557242134 (2019-05-07 15:15:34 UTC)
Type: GeoLite2-ASN
Languages:
Description:
en: Clinet ASN Database
{
"autonomous_system_number":
65401 <uint32>
"autonomous_system_organization":
"Office" <utf8_string>
}

I have two ASN DBs configured; one checks the public ASN (GeoLite2-ASN) and other ASN (local-ASN.mmdb) is used when there is a match.

If I user my private ASN instead (GeoLite2-ASN) I get the results (this proved my mmdb is not corrupted), whereas when I use as secondary I cannot get any values.

Note: No error in logs pointing to the filter or database.

Can anyone shed some light on my config please?

Best,
Yash

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.