How to retrieve an organization's IP address

I am trying to create a visualization which shows the organization of the IP address.

Check this link, it may help you.

Thanks @ylasri, I am still very confused. Is it possible for you to guide me step by step? I want to get the ASN from an IP address which is in the log.

How are you ingesting your logs into Elasticsearch? Filebeat or Logstash?

Check this processor to get more ideas:

Depends on what is available in database_file:

  • If the GeoLite2 City database is used, then the following fields may be added under the target_field: ip, country_iso_code, country_name, continent_name, region_iso_code, region_name, city_name, timezone, latitude, longitude and location. The fields actually added depend on what has been found and which properties were configured in properties.
  • If the GeoLite2 Country database is used, then the following fields may be added under the target_field: ip, country_iso_code, country_name and continent_name. The fields actually added depend on what has been found and which properties were configured in properties.
  • If the GeoLite2 ASN database is used, then the following fields may be added under the target_field: ip, asn, organization_name and network. The fields actually added depend on what has been found and which properties were configured in properties.

Try this example in the Dev Console; you can combine multiple geoip processors to get what you need:

PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "ip"
      }
    },
    {
      "geoip" : {
        "field" : "ip",
        "target_field" : "geo_asn",
        "database_file" : "GeoLite2-ASN.mmdb"
      }
    }
  ]
}


PUT my-asn-logs
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "ip": {
        "type": "ip"
      }
    }
  }
}

POST my-asn-logs/_doc?pipeline=geoip
{
  "@timestamp": "2020-10-10T10:10:10.000",
  "ip": "196.75.80.10"
}


GET my-asn-logs/_search

Okay, I will try and revert. Thanks.

@ylasri Thank you. How should I visualize this? For example, an IP address in the log matches with the ASN, so is it possible to create a visualization?

Yes, all possible. All you need is:
1- Create an index pattern
2- Go to Discover to search on your logs; you will get ip and asn
3- You can create a visualization (example: unique count of IP per ASN, etc.)

I created an index pattern.
In Discover it does show ip and asn.

I want to create a visualization matching the Kibana sample log and the my-asn-logs index; the rest is working just fine.

The data in kibana_sample_data_logs has been enriched using the default properties.
You need to reindex the data using a custom ingest pipeline to add properties like asn, etc.

Try this:

PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "clientip",
        "database_file": "GeoLite2-ASN.mmdb",
        "target_field": "clientip_geo"
      }
    }
  ]
}

POST kibana_sample_data_logs/_update_by_query?pipeline=geoip

You will see a new field added:

  "clientip_geo" : {
    "ip" : "111.58.155.54",
    "organization_name" : "Guangdong Mobile Communication Co.Ltd.",
    "asn" : 9808
  },
1 Like
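To go from that enriched field to the "unique count of IP per ASN" chart mentioned earlier, here is an added example that is not from this thread or from Elastic: the equivalent _search aggregation body, and the same count computed locally over constructed hits shaped like the document above. It assumes the field names from the pipeline above (clientip, clientip_geo) and that organization_name was dynamically mapped with a .keyword sub-field.

```python
from collections import defaultdict

# Field names follow the thread's pipeline: the ASN geoip processor writes
# under target_field "clientip_geo"; the source field is "clientip". The
# ".keyword" sub-field is an assumption about dynamic mapping in
# kibana_sample_data_logs (text fields get a keyword sub-field).
IP_FIELD = "clientip"
ASN_FIELD = "clientip_geo.asn"
ORG_FIELD = "clientip_geo.organization_name.keyword"

def unique_ip_per_asn_query(size=10):
    """Body for GET kibana_sample_data_logs/_search mirroring a 'unique count
    of clientip per ASN' visualization: a terms bucket per ASN, an approximate
    distinct count of client IPs in it, and the organization name as a label."""
    return {
        "size": 0,
        "aggs": {"per_asn": {
            "terms": {"field": ASN_FIELD, "size": size},
            "aggs": {
                "unique_ips": {"cardinality": {"field": IP_FIELD}},
                "org": {"terms": {"field": ORG_FIELD, "size": 1}},
            },
        }},
    }

def unique_ip_per_asn(hits):
    """Exact local version of that aggregation over documents the pipeline has
    already enriched. Documents without clientip_geo.asn (private or unrouted
    addresses, which geoip leaves untouched) are skipped, exactly as they drop
    out of the Kibana chart, so such traffic never shows up there."""
    ips = defaultdict(set)
    for doc in hits:
        asn = (doc.get("clientip_geo") or {}).get("asn")
        if asn is not None and doc.get("clientip"):
            ips[asn].add(doc["clientip"])
    return {asn: len(addrs) for asn, addrs in ips.items()}

# Constructed sample hits, shaped like the enriched document in the thread.
GD = {"asn": 9808, "organization_name": "Guangdong Mobile Communication Co.Ltd."}
SAMPLE_HITS = [
    {"clientip": "111.58.155.54", "clientip_geo": dict(GD, ip="111.58.155.54")},
    {"clientip": "111.58.155.54", "clientip_geo": dict(GD, ip="111.58.155.54")},
    {"clientip": "111.58.155.99", "clientip_geo": dict(GD, ip="111.58.155.99")},
    {"clientip": "203.0.113.7", "clientip_geo": {
        "ip": "203.0.113.7", "asn": 64496, "organization_name": "EXAMPLE-AS (constructed)"}},
    {"clientip": "10.0.0.1"},  # private range: geoip added no fields
]
```

Documents that the geoip processor could not match carry no clientip_geo at all, so check for them separately (for example with an exists query on clientip_geo.asn) rather than assuming the chart shows every request.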

Yep, one step closer, but when I try to build the visualization, the fields that were added are not being displayed inside the table.

Go to the index pattern and refresh it.

Thank you so much for your effort, time, help and patience. :smiley: :+1:

1 Like

That is a new topic :). Could you flag this as the solution and open a new thread, please?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.