Update of the Geolite database

I configured the Geoip and the Geolite database in logstash.
How often do you update the Geolite database?

A copy of the database is bundled with the plugin. If you want a current copy of the database it is up to you to download it.

Do you have to download it per week or per month?

That is entirely up to you.

But how often is the update done on MaxMind?


It is therefore necessary to download it every week and restart the logstash service.

If you want the latest data then yes, but keep in mind that freely available geoip information is worth about as much as you paid for it. Much of it is warmed-over whois data; you will find many addresses are mapped back to the corporate headquarters of cable companies that no longer exist (having been rolled up into larger companies). And my experience of CDNs is that they get mapped back to the corporate HQ (Cambridge, MA, for Akamai). Many European addresses appear to be in Amsterdam because that is where RIPE is headquartered.

Free geoip data provides a useful hint, it is not fact.

Thanks for the information.
But, I have a question which has nothing to do with the main topic.
I would like to identify malicious IPs, URLs and domain names.
How can I configure this in logstash?

There are dozens of sites that maintain databases of malicious IPs and URLs.

How to convert such a database into something logstash could use would depend upon the database format.
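The answer above leaves the conversion step open because it depends on the feed's format. As an added example (not from the thread, not Logstash's own code), the following Python script takes the most common free format, a plain-text list with one indicator per line, optional `#` comments and a mix of single addresses and CIDR ranges, and turns it into two things Logstash can consume: a YAML dictionary for the translate filter (which only does exact string matches, so it gets the single addresses) and a list of networks for the cidr filter (which gets the ranges). The feed contents, the description text and the `classify` helper that replays the lookup offline are constructed for the example; the filter option names `dictionary_path` and `network` are taken from the translate and cidr filters' documented options, and the remaining filter settings are assumed to be configured by the reader.

```python
"""Convert a plain-text malicious-IP feed into inputs for Logstash's
translate (exact match) and cidr (range match) filters.
Added example for the thread above; not part of Logstash or the original post."""
import ipaddress
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample feed (not a real blocklist): documentation-range
# addresses only.  Real feeds look similar: one indicator per line,
# '#' comments, blank lines, and a mix of addresses and CIDR ranges.
SAMPLE_FEED = """\
# constructed sample blocklist (not a real feed)
198.51.100.23      # scanner seen on 2024-01-01
203.0.113.0/24     # hosting range reported for phishing
192.0.2.77
not-an-ip          # malformed line, must be skipped
2001:db8::/32      # IPv6 range
"""


def parse_feed(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a feed into (singles, ranges), each mapping indicator -> description.

    Single addresses go to the translate dictionary, because translate only
    matches the exact key string; CIDR ranges go to the cidr filter instead.
    A bare /32 or /128 network is stored as a single address.  Malformed
    lines are skipped so one bad entry cannot break the whole dictionary.
    """
    singles: Dict[str, str] = {}
    ranges: Dict[str, str] = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        token = line.strip()
        if not token:
            continue
        desc = comment.strip() or "listed in blocklist"
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # not an address or network: skip it
        if net.num_addresses == 1:
            singles[str(net.network_address)] = desc
        else:
            ranges[str(net)] = desc
    return singles, ranges


def to_translate_yaml(singles: Dict[str, str]) -> str:
    """Render the YAML dictionary the translate filter loads via dictionary_path.

    JSON double-quoted strings are valid YAML scalars, so json.dumps handles
    escaping of any odd characters that a feed description might contain.
    """
    lines = [f"{json.dumps(ip)}: {json.dumps(desc)}"
             for ip, desc in sorted(singles.items())]
    return "\n".join(lines) + "\n"


def to_cidr_networks(ranges: Dict[str, str]) -> List[str]:
    """Network list for the cidr filter's `network` option, one entry per range."""
    return sorted(ranges)


def classify(ip: str, singles: Dict[str, str],
             ranges: Dict[str, str]) -> Optional[str]:
    """Offline replay of the pipeline logic: exact match first (translate),
    then range containment (cidr).  Returns the description or None."""
    if ip in singles:
        return singles[ip]
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # event field was not a valid address
    for cidr, desc in ranges.items():
        if addr in ipaddress.ip_network(cidr):
            return desc
    return None


if __name__ == "__main__":
    singles, ranges = parse_feed(SAMPLE_FEED)
    print(to_translate_yaml(singles))
    print("cidr networks:", to_cidr_networks(ranges))
    for probe in ("198.51.100.23", "203.0.113.9", "192.0.2.1"):
        print(probe, "->", classify(probe, singles, ranges))
```

Write the YAML output to the file named in the translate filter's `dictionary_path` and pass the network list to the cidr filter's `network` option; both filters read the event's address field and tag or enrich the event on a hit. Regenerate the files on the same schedule you use for the feed, since a stale blocklist is as misleading as a stale GeoLite database.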

Do you have an example logstash configuration for this?

I do not.

Can you help me, please?
I don't know how to do this kind of setup.
