Use geoip plugin to load VLAN IDs

yasvanth · May 14, 2019, 4:03pm

Hi Team,

I would like to know whether the my idea/approach is possible.

Using geoip plugin I need to query mmdb which contains list of network mapped to vlan id as given below:

netowork | vlan_id| vlan_description

    geoip {
       source => "[flow][dst_addr]"
      database => NetworkVLAN.mmdb" 
      target => "[metadata][local_vlan_dst]"
      }

When If try use geoip filter I get geoip_lookup_failuer. Is it due that mmdb does cotains the feilds which are not support by geoip plugin such as city_name , continent_code , country_code2 , country_code3 , country_name , dma_code , ip , latitude , longitude , postal_code , region_name and timezone .

Thanks in advance.

Best,
Yash

Badger · May 14, 2019, 4:46pm

The geoip filter has a list of database types that it understands. Is your database type one of those? If not, a geoip filter cannot read it.

yasvanth · May 15, 2019, 7:36am

Hi @Badger,

Thanks for your response, I am using MMDB format and Database type as GEOLite2-ASN but I have different column name, instead of "autonomous_system_number" and "autonomus_organization" I used "vlan_id" and "vlan_description".

Badger · May 15, 2019, 12:40pm

It knows how to fetch ASN and ASO from a GEOLite2-ASN.

Given that you are fetching a number and a string, how about you don't change the column names? Otherwise, you are going to have to fork the filter code and add support for a new type.

yasvanth · May 15, 2019, 12:44pm

Hi @Badger,

By change the column names to default worked and I map the as_org and asn to vlan_descritpiton and vlan_id using logstash mutate filter.

Thanks for the advice in future, I will fork the plugin if my database grows with more fields.

Best,
Yash

system · June 12, 2019, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.