Private IP GeoIP

dshepard · March 31, 2020, 5:42pm

Does anyone have a working config for assigning GeoIP data to private subnets wtih winlogbeat?

warkolm · April 1, 2020, 12:51am

Creating geoip data for internal networks is an older thread but will still work.

If you don't want to use Logstash you could use probably use an ingest pipeline to build something.

dshepard · April 1, 2020, 1:22pm

I'm trying to use the instruction for beats 7.6.0.

https://www.elastic.co/guide/en/siem/guide/7.6/conf-map-ui.html

But using that throws an error "Mapping values are not allowed in this context" I'm sure I'm just messing up the syntax.

I was wondering if anyone had an actual example of working code in Beats to add the GeoIP data.

I have a working config in Logstash using Translate, but since I have to rewrite that to match up to ECS, I figured I'd try the Elastic documented way. Frankly, I'm amazed that more people are demanding an easy way to add GeoIP data for private IPs.

Sam_Chen · April 28, 2020, 6:46am

I have faced the same issue with filebeat cisco module that use default ingest pipeline,
but it is too large and hard to maintenance.

Any best way to add for my own private IPs?

andrewkroh · May 7, 2020, 2:12pm

Using processors in Beats is a pretty simple solution if you don't have a lot of different locations or networks to map. Here's an example that I tested using Filebeat to read a file containing {"source": {"ip": "10.13.14.15"}}.

processors:
- decode_json_fields:
    fields: message
    target: ""
- add_fields:
    when.network.source.ip: '10.13.0.0/16'
    target: ''
    fields:
      source.geo.location:
        lat: 30.1
        lon: 70.33
      network.name: voice

You will get something like

{
    "@timestamp": "2020-05-07T13:52:05.799Z",
    "message": "{\"source\": {\"ip\": \"10.13.14.15\"}}",
    "network": {
      "name": "voice"
    },
    "source": {
      "geo": {
        "location": {
          "lat": 30.1,
          "lon": 70.33
        }
      },
      "ip": "10.13.14.15"
    }
  }

Another option might be to add final_pipeline to your index templates and force all incoming data through one ingest node pipeline that uses the enrich processor to add this data. In theory you would create an index containing your network segments with geo data then enrich incoming events that match.

system · June 4, 2020, 2:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.