Manually adding geoip data fails


#1

Hi,

I would like to rewrite/add geoip data manually to events to/from 172.40.40.0/24 and 172.40.41.0/24 subnets.
The filter is configured like this:

# Geo-IP lookup
if [src_ip] {
  # Fix public IP subnets
  if [src_ip] =~ /^172\.40\.40/ or [src_ip] =~ /^172\.40\.41/ {
    mutate { update => { "[src_geoip][timezone]" => "Continent/City" } }
    mutate { update => { "[src_geoip][city_name]" => "City" } }
    mutate { update => { "[src_geoip][continent_code]" => "Continent" } }
    mutate { update => { "[src_geoip][country_name]" => "Country" } }
    mutate { update => { "[src_geoip][country_code2]" => "XX" } }
    mutate { update => { "[src_geoip][country_code3]" => "XX" } }
    mutate { update => { "[src_geoip][postal_code]" => "00000" } }
    mutate { update => { "[src_geoip][region_code]" => "00" } }
    mutate { update => { "[src_geoip][region_name]" => "Region Name" } }
    mutate { remove_field => [ "[src_geoip][location]" ] }
    mutate { add_field => { "[src_geoip][location]" => "XX.XXXXXX" } }
    mutate { add_field => { "[src_geoip][location]" => "XX.XXXXXX" } }
    mutate { convert => [ "[src_geoip][location]", "float" ] }
    mutate { update => [ "[src_geoip][latitude]", XX.XXXXXX ] }
    mutate { convert => [ "[src_geoip][latitude]", "float" ] }
    mutate { update => [ "[src_geoip][longitude]", XX.XXXXXX ] }
    mutate { convert => [ "[src_geoip][longitude]", "float" ] }
  }
  else {
    geoip {
      source => "src_ip"
      target => "src_geoip"
      tag_on_failure => [ "src_private" ]
    }
  }
}
if [dst_ip] {
  # Fix public IP subnets
  if [dst_ip] =~ /^172\.40\.40/ or [dst_ip] =~ /^172\.40\.41/ {
    mutate { update => { "[dst_geoip][timezone]" => "Continent/City" } }
    mutate { update => { "[dst_geoip][city_name]" => "City" } }
    mutate { update => { "[dst_geoip][continent_code]" => "Continent" } }
    mutate { update => { "[dst_geoip][country_name]" => "Country" } }
    mutate { update => { "[dst_geoip][country_code2]" => "XX" } }
    mutate { update => { "[dst_geoip][country_code3]" => "XX" } }
    mutate { update => { "[dst_geoip][postal_code]" => "00000" } }
    mutate { update => { "[dst_geoip][region_code]" => "00" } }
    mutate { update => { "[dst_geoip][region_name]" => "Region Name" } }
    mutate { remove_field => [ "[dst_geoip][location]" ] }
    mutate { add_field => { "[dst_geoip][location]" => "XX.XXXXXX" } }
    mutate { add_field => { "[dst_geoip][location]" => "XX.XXXXXX" } }
    mutate { convert => [ "[dst_geoip][location]", "float" ] }
    mutate { update => [ "[dst_geoip][latitude]", XX.XXXXXX ] }
    mutate { convert => [ "[dst_geoip][latitude]", "float" ] }
    mutate { update => [ "[dst_geoip][longitude]", XX.XXXXXX ] }
    mutate { convert => [ "[dst_geoip][longitude]", "float" ] }
  }
  else {
    geoip {
      source => "dst_ip"
      target => "dst_geoip"
 	  tag_on_failure => [ "dst_private" ]
    }
  }
}

So, if source or destination IP address hits the 172.40.40.0/24 or 172.40.41.0/24 subnets, manually rewrite the location. If not, use geoip lookup.
But if I apply this, I lose all events to and from those subnets. It acts like a drop {} filter!

Can anyone explain why this happens and how can I fix this?

Thanks!


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.