I am trying to create a visualization which shows the organization of the IP address.
Thanks @ylasri, I am still very confused. Is it possible for you to guide me step by step? I want to get the ASN from an IP address which is in the log.
How are you ingesting your logs into Elasticsearch? Filebeat or Logstash?
Check this processor to have more ideas:
*Depends on what is available in database_file:
- If the GeoLite2 City database is used, then the following fields may be added under the target_field: ip, country_iso_code, country_name, continent_name, region_iso_code, region_name, city_name, timezone, latitude, longitude and location. The fields actually added depend on what has been found and which properties were configured in properties.
- If the GeoLite2 Country database is used, then the following fields may be added under the target_field: ip, country_iso_code, country_name and continent_name. The fields actually added depend on what has been found and which properties were configured in properties.
- If the GeoLite2 ASN database is used, then the following fields may be added under the target_field: ip, asn, organization_name and network. The fields actually added depend on what has been found and which properties were configured in properties.
Try this example in the Dev Console; you can combine multiple geoip processors to get what you need:
PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "ip"
      }
    },
    {
      "geoip" : {
        "field" : "ip",
        "target_field" : "geo_asn",
        "database_file" : "GeoLite2-ASN.mmdb"
      }
    }
  ]
}

PUT my-asn-logs
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "ip": {
        "type": "ip"
      }
    }
  }
}

POST my-asn-logs/_doc?pipeline=geoip
{
  "@timestamp": "2020-10-10T10:10:10.000",
  "ip": "196.75.80.10"
}

GET my-asn-logs/_search
Okay, I will try and revert. Thanks.
@ylasri Thank you. How should I visualize this? For example, an IP address in the log matches with the ASN, so is it possible to create a visualization?
Yes, all possible, all you need is:
1- Create an index pattern
2- Go to Discover to search on your logs; you will get ip and asn
3- You can create a visualization (example: unique count of IP per ASN ... etc)
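To make the pipeline above and the "unique count of IP per ASN" visualization concrete without a running cluster, here is an added offline example (not code from the thread or from Elasticsearch): it imitates the geoip processor's contract for the ASN database (longest-prefix lookup, target_field, properties, ignore_missing) against a constructed stand-in table using documentation IP prefixes and ASNs, then computes the per-ASN unique-IP count that the suggested visualization would show.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for GeoLite2-ASN.mmdb: RFC 5737 documentation prefixes
# mapped to RFC 5398 documentation ASNs. Not real data, not the real database.
ASN_TABLE = [
    ("192.0.2.0/24", {"asn": 64496, "organization_name": "Example Net A"}),
    ("198.51.100.0/24", {"asn": 64497, "organization_name": "Example Net B"}),
    ("198.51.100.128/25", {"asn": 64498, "organization_name": "Example Net B Sub"}),
]
ASN_NETS = [(ipaddress.ip_network(p), v) for p, v in ASN_TABLE]

def lookup_asn(ip):
    """Longest-prefix match, the way an mmdb lookup resolves an address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, rec in ASN_NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rec)
    if best is None:
        return None  # address not in the database
    net, rec = best
    return {"ip": ip, "asn": rec["asn"],
            "organization_name": rec["organization_name"], "network": str(net)}

def geoip_asn_processor(doc, field, target_field="geoip", properties=None,
                        ignore_missing=False):
    """Hypothetical offline imitation of the geoip processor with the ASN database:
    adds target_field with the resolved properties (filtered by `properties`);
    an unresolved address adds nothing; a missing field fails unless ignore_missing."""
    if field not in doc:
        if ignore_missing:
            return doc
        raise KeyError(f"field [{field}] not present as part of path [{field}]")
    rec = lookup_asn(doc[field])
    if rec is None:
        return doc
    if properties:
        rec = {k: v for k, v in rec.items() if k in properties}
    return {**doc, target_field: rec}

def unique_ips_per_asn(docs, target_field):
    """The 'unique count of IP per ASN' visualization as a terms + cardinality aggregation."""
    seen = defaultdict(set)
    for d in docs:
        geo = d.get(target_field)
        if geo and "asn" in geo:
            seen[geo["asn"]].add(geo["ip"])
    return {asn: len(ips) for asn, ips in seen.items()}

# Constructed sample log documents; the last address has no ASN record.
SAMPLE_DOCS = [
    {"@timestamp": "2020-10-10T10:10:10.000", "clientip": "192.0.2.10"},
    {"@timestamp": "2020-10-10T10:10:11.000", "clientip": "192.0.2.10"},
    {"@timestamp": "2020-10-10T10:10:12.000", "clientip": "192.0.2.77"},
    {"@timestamp": "2020-10-10T10:10:13.000", "clientip": "198.51.100.200"},
    {"@timestamp": "2020-10-10T10:10:14.000", "clientip": "203.0.113.5"},
]

def run_pipeline(docs=SAMPLE_DOCS):
    return [geoip_asn_processor(d, "clientip", target_field="clientip_geo") for d in docs]
```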
I created an index pattern.
In Discover it does show ip and asn.
I want to create a visualization matching the Kibana sample log and the my-asn-logs index; the rest is working just fine.
The data in kibana_sample_data_logs has been enriched using default properties.
You need to reindex the data using a custom ingest pipeline to add properties like asn ...
Try this:
PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "clientip",
        "database_file": "GeoLite2-ASN.mmdb",
        "target_field": "clientip_geo"
      }
    }
  ]
}

POST kibana_sample_data_logs/_update_by_query?pipeline=geoip
You will see a new field added:
"clientip_geo" : {
  "ip" : "111.58.155.54",
  "organization_name" : "Guangdong Mobile Communication Co.Ltd.",
  "asn" : 9808
},
Yep, one step closer, but when I try to build the visualization the fields that are added are not being displayed inside the table.
Go to the index pattern and refresh it.
Thank you so much for your effort, time, help and patience.
That is a new topic :), could you flag this as the solution and open a new thread please?