Hello,
I have an ELK for my Apache Logs, everything OK.
I would like to query a reputation IP database to detect tor, vpn, open-proxy .... traffic on my website.
have you got any idea ?
I havec contacted http://www.brightcloud.com/ and https://www.maxmind.com/ without success.
Only 2 things I can think of if it is not already in your data
You can have a file dictionary but I don't think that is what you want.
https://www.elastic.co/guide/en/logstash/current/plugins-filters-translate.html
The other idea, is just write the ruby code to fetch the data you need
https://www.elastic.co/guide/en/logstash/current/plugins-filters-ruby.html
We currently do this using the translate filter pointing to a YAML file structured like
<IP>: "<category>"
The dictionary, around 200k items, is loaded into memory on startup so it's quite performant. Alhough not ideal it works for our tactical solution.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.