Logstash and ip reputation


I have an ELK for my Apache Logs, everything OK.

I would like to query an IP reputation database to detect Tor, VPN, open-proxy ... traffic on my website.

Have you got any idea?

I have contacted http://www.brightcloud.com/ and https://www.maxmind.com/ without success.

Only two things I can think of, if it is not already in your data.

You can have a file dictionary, but I don't think that is what you want.

The other idea is just to write the Ruby code to fetch the data you need.

We currently do this using the translate filter pointing to a YAML file structured like:

<IP>: "<category>"

The dictionary, around 200k items, is loaded into memory on startup so it's quite performant. Although not ideal, it works for our tactical solution.
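Both suggestions above (the Ruby-code route and the translate-filter dictionary) boil down to the same enrichment step: load an IP-to-category map once, then look up each event's client IP and tag the event. The Ruby script below is an added example, not code from either poster or from the Logstash project: it loads a dictionary in the "<IP>: <category>" shape described, parses a few constructed Apache combined-format lines, and marks hits the way a Logstash ruby filter or the translate filter would. The IPs, categories and log lines are constructed sample data, and the translate-filter configuration quoted in the comment is my assumed equivalent, using the filter's option names as I recall them rather than anything taken from the thread.

```ruby
require 'yaml'

# Constructed sample dictionary, in the same "<IP>: <category>" shape the
# answer describes. A production file would hold the full reputation list.
REPUTATION_YAML = <<~YAML
  "198.51.100.7": "tor-exit"
  "203.0.113.45": "open-proxy"
  "192.0.2.200": "vpn"
YAML

# Constructed Apache combined-format lines; the client IP is the first field.
SAMPLE_LOG = [
  '198.51.100.7 - - [10/Oct/2000:13:55:36 -0700] "GET /login HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
  '203.0.113.45 - - [10/Oct/2000:13:56:01 -0700] "POST /wp-login.php HTTP/1.1" 403 512 "-" "curl/7.64"',
  '192.0.2.1 - - [10/Oct/2000:13:57:12 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
].freeze

# Load the dictionary once at startup and keep it in memory as a Hash,
# which is what the translate filter does with dictionary_path.
def load_reputation(yaml_text)
  YAML.safe_load(yaml_text)
end

# Minimal parser for the fields we need from an Apache combined log line.
APACHE_LINE = /\A(?<clientip>\S+) \S+ \S+ \[(?<timestamp>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3})/

def parse_apache(line)
  m = APACHE_LINE.match(line)
  return nil unless m
  {
    'clientip'  => m[:clientip],
    'timestamp' => m[:timestamp],
    'request'   => m[:request],
    'status'    => m[:status].to_i
  }
end

# Enrich one event: set ip_reputation from the dictionary and add a tag on a
# hit; unknown IPs get the fallback value so downstream queries stay simple.
def enrich(event, reputation)
  category = reputation[event['clientip']]
  if category
    event['ip_reputation'] = category
    event['tags'] = (event['tags'] || []) + ['suspicious_ip']
  else
    event['ip_reputation'] = 'unknown'
  end
  event
end

# Run the whole pipeline: parse, drop unparseable lines, enrich.
def run(lines = SAMPLE_LOG, yaml_text = REPUTATION_YAML)
  reputation = load_reputation(yaml_text)
  lines.map { |l| parse_apache(l) }.compact.map { |e| enrich(e, reputation) }
end

# Assumed Logstash equivalent of enrich() using the translate filter
# (option names are my assumption, check them against your Logstash version):
#
#   filter {
#     translate {
#       field           => "clientip"
#       destination     => "ip_reputation"
#       dictionary_path => "/etc/logstash/ip_reputation.yml"
#       fallback        => "unknown"
#       add_tag         => ["suspicious_ip"]
#     }
#   }

if __FILE__ == $PROGRAM_NAME
  run.each { |e| puts "#{e['clientip']} #{e['ip_reputation']} #{e['tags'].inspect}" }
end
```

Keeping the lookup as an in-memory Hash is what makes the approach cheap per event; the cost moves to refreshing the dictionary, so reload it on a schedule (the translate filter has a refresh interval for exactly this) rather than restarting Logstash when the reputation list changes.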