Mapping private IP Address to geolocation with GeoIP Processor

Hello,
I am using a tool (Wazuh) that is built on Elasticsearch. To retrieve the geolocation of IP addresses, a JSON ingest pipeline file was created that uses the GeoIP processor. I edited this file so that it also sets a geolocation for private IP addresses, but when I restart the system I get this failure:
Exiting: Error getting pipeline for fileset wazuh/alerts: Error JSON decoding the pipeline file: ingest/pipeline.json: invalid character 'i' looking for beginning of object key string
I think the format I used for the if/else logic is not correct. Can someone explain what is wrong? The code is below. P.S. I used the same IP address prefix repeatedly just to simulate the case.

{
  "description": "Wazuh alerts pipeline",
  "processors": [
    { "json" : { "field" : "message", "add_to_root": true } },
    {
      "geoip": {
        "field": "data.srcip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      if [win.eventdata.ipAddress] =~ /^192\.168\./ { 
        mutate {replace  => { "[geoip] [country_name]" => "Austria"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^192\.168\./  {
        mutate {replace  => { "[geoip] [city_name]"    => "Grebenau"} }
        mutate {replace  => { "[geoip] [country_name]" => "Germany"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^192\.168\./{
        mutate {replace  => { "[geoip] [city_name]"    => "Germany-Derching"} }
        mutate {replace  => { "[geoip] [country_name]" => "Germany-Derching"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^192\.168\./ or /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [city_name]"    => "Recklinghausen"} }
        mutate {replace  => { "[geoip] [country_name]" => "Germany"} }
      }
       elseif [win.eventdata.ipAddress] =~/^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "USA"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./{
        mutate {replace  => { "[geoip] [country_name]" => "USA"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "USA"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./  {
        mutate {replace  => { "[geoip] [country_name]" => "Italy"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "United Kingdom"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\.//  {
        mutate {replace  => { "[geoip] [country_name]" => "United Kingdom"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "Denmark"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "Denmark"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "Czech Republic"} }
      }
       elseif [win.eventdata.ipAddress =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "Czech Republic"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "Norway"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "Spain"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "Spain"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./ {
        mutate {replace  => { "[geoip] [country_name]" => "China"} }
      }
       elseif [win.eventdata.ipAddress] =~ /^193\.170\.72\./  {
        mutate {replace  => { "[geoip] [country_name]" => "Australia"} }
      }
       elseif [win.eventdata.ipAddress] =~/^193\.170\.72\./  {
        mutate {replace  => { "[geoip] [country_name]" => "Australia"} }
      }
      else {
         "geoip": {
        "field": "data.win.eventdata.ipAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
        }
      }
    },
    {
      "geoip": {
        "field": "data.aws.sourceIPAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.gcp.jsonPayload.sourceIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "date": {
        "field": "timestamp",
        "target_field": "@timestamp",
        "formats": ["ISO8601"],
        "ignore_failure": false 
      }
    },
    {
      "date_index_name": {
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false 
      }
    },
    { "remove": { "field": "message", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "ecs", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "beat", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "input_type", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "tags", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "count", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "@version", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "log", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "offset", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "type", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "host", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "fields", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "event", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "fileset", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "service", "ignore_missing": true, "ignore_failure": true } }
  ],
  "on_failure" : [{
    "drop" : { }
  }]
}

Hi,

I don't know how a GeoIP filter would work on private IP addresses: the GeoIP database has no entries for private ranges such as 192.168.0.0/16, so the processor produces nothing for them (and with `ignore_missing`/`ignore_failure` set to true it does so silently). Maybe I'm wrong.

Your `if` configuration is wrong: it is Logstash filter syntax (`if [field] =~ /.../ { mutate { ... } }`), not JSON, which is why the pipeline loader stops at the first unquoted `if` (`invalid character 'i' looking for beginning of object key string`). It will not work in an ingest pipeline.

Also note that the pipeline's `on_failure` handler is `drop`, so any alert that fails a processor without `ignore_failure` (the two `date` processors have `ignore_failure: false`) is silently discarded. For a security alert pipeline you may prefer to tag such documents (for example with a `set` processor writing an error field) rather than drop them, so that malformed alerts remain visible.

I do not use ingest pipelines much, but according to the documentation you need one processor object per case in the `processors` array, each with its own Painless `if` condition, in this format. A few caveats when you adapt the example: the trailing comma after `"value"` must be removed in real JSON; backslashes inside a JSON string must be doubled (`\\.`); the field path in the condition should match the path your geoip processor reads, i.e. `ctx.data?.win?.eventdata?.ipAddress` if the field is `data.win.eventdata.ipAddress`; a `set` processor takes a single `field`/`value` pair, so setting both city and country needs two `set` processors; to match several prefixes use `||` with a separate `=~` per regex (`a =~ /x/ || a =~ /y/`), not `or`; and check that Painless regexes are enabled on your cluster (`script.painless.regex.enabled`), otherwise the condition itself fails to compile.

    {
      "set": {
        "if": "ctx.win?.eventdata?.ipAddress =~ /^192\.168\./",
        "field": "geoip.country_name",
        "value": "country name",
      }
    }

If I understand correctly, I have to use a separate `set` processor with an `if` condition for each IP range to check, and then, if none of them matched, fall back to the standard geoip processor? The solution should look something like this:

{
  "description": "Wazuh alerts pipeline",
  "processors": [
    { "json" : { "field" : "message", "add_to_root": true } },
    {
      "geoip": {
        "field": "data.srcip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
       "set": {
        "if": "ctx.win?.eventdata?.ipAddress =~ /^192\.168\./",
        "field": "geoip.country_name",
        "value": "country name",
        }
        set": {
        "if": "ctx.win?.eventdata?.ipAddress =~ /^192\.168\./",
        "field": "geoip.country_name",
        "value": "country name",
        }

      "geoip": {
        "field": "data.win.eventdata.ipAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.aws.sourceIPAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.gcp.jsonPayload.sourceIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "date": {
        "field": "timestamp",
        "target_field": "@timestamp",
        "formats": ["ISO8601"],
        "ignore_failure": false
      }
    },
    {
      "date_index_name": {
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    { "remove": { "field": "message", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "ecs", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "beat", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "input_type", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "tags", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "count", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "@version", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "log", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "offset", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "type", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "host", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "fields", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "event", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "fileset", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "service", "ignore_missing": true, "ignore_failure": true } }
  ],
  "on_failure" : [{
    "drop" : { }
  }]
}

Hello @leandrojmp ,
I have written this code, but it does not work. Can you please help me?

"processors": [
    { "json" : { "field" : "message", "add_to_root": true } },
    {
      "geoip": {
        "field": "data.srcip",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {

      "set": {
        "if": "ctx.win?.eventdata?.ipAddress =~ /^555\\.55\\.5.\\./ ",
        "field": "geoip.country_name",
        "value": "Austria"
      },
      "set": {
        "if": "ctx.win?.eventdata?.ipAddress =~ /^333\\.33\\.3.\\./",
        "field": "geoip.country_name",
        "value": "Germany",
        "field": "geoip.city_name",
        "value": "Grebenau"
      },
      "set": {
        "if": "ctx.win?.eventdata?.ipAddress =~ /^22\\.22\\.222\\./",
        "field": "geoip.country_name",
        "value": "Germany",
        "field": "geoip.city_name",
        "value": "Derching"
      },
      "set": {
        "if": "ctx.win?.eventdata?.ipAddress =~ /^111\\.11\\.11\\./ or /^222\\.22\\.22\\./ ",
        "field": "geoip.country_name",
        "value": "Germany",
        "field": "geoip.city_name",
        "value": "Recklinghausen"
      },
        "geoip": {
        "field": "data.win.eventdata.ipAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }

    },
    {
      "geoip": {
        "field": "data.aws.sourceIPAddress",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "field": "data.gcp.jsonPayload.sourceIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
 },
    {
      "date": {
        "field": "timestamp",
        "target_field": "@timestamp",
        "formats": ["ISO8601"],
        "ignore_failure": false
      }
    },
    {
      "date_index_name": {
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    { "remove": { "field": "message", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "ecs", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "beat", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "input_type", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "tags", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "count", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "@version", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "log", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "offset", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "type", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "host", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "fields", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "event", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "fileset", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "service", "ignore_missing": true, "ignore_failure": true } }
  ],
  "on_failure" : [{
    "drop" : { }
  }]
}
