Need to map ip address from logs to map with corresponding hostname

ArchitG358 · January 16, 2022, 12:49pm

I have logs that includes IP address I want to map IP address to its hostname (eg, AWS ec2) or its organisation.
Just like whatsmyipaddress does. Need suggestions or plugins that can help do this.
I am open to get any of the details - Hostname/ISP/Organisation.

Or basic reverse DNS Lookup will also work

eg (public IP)-

Tomo_M · January 16, 2022, 2:11pm

If you are using Logstash, dns filter plugin wil help you.

ArchitG358 · January 16, 2022, 3:10pm

Thanks for the suggeestion.
I am currently using kibana elastic.
does this support plugin?

Tomo_M · January 17, 2022, 12:18am

How do you load your logs to Elasticsearch?

stephenb · January 17, 2022, 1:52am

You can Use an Ingest Pipeline for ASN and Organization

With GeoIP Processor

And configure for ISP / ASN options

PUT _ingest/pipeline/discuss-geoip
{
  "processors": [
    {
      "geoip": {
        "ignore_missing": true,
        "database_file": "GeoLite2-ASN.mmdb",
        "field": "ip",
        "target_field": "as",
        "properties": [
          "asn",
          "organization_name"
        ]
      }
    }
  ]
}

POST discuss-index/_doc?pipeline=discuss-geoip
{
  "ip": "8.8.8.8"
}

GET discuss-index/_search

results

{
  "took" : 104,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "discuss-index",
        "_id" : "ECjEZX4BE6hlKdvwv5MT",
        "_score" : 1.0,
        "_source" : {
          "as" : {
            "organization_name" : "GOOGLE",
            "asn" : 15169
          },
          "ip" : "8.8.8.8"
        }
      }
    ]
  }
}

system · February 14, 2022, 1:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.