I have developed a Splunk App which generates reports based upon the Barracuda Web Application Firewall logs. I have a dashboard which has an amMap flash map to show the location of the client_ip present in the logs. But the map is showing an incorrect location for the client_ip.
The log is:
Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] 54067 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54067
The client_ip field is in bold.
69.61.11.227 is from India. But on the map it is showing Saint Louis, United States.
I searched the web for the location of this client_ip and am getting India as the result. But on the map it is coming up as Saint Louis, United States.
I have downloaded and installed the MAXMIND add-on from this link link text, and AmMap from link text.
I am using the following search string:
sourcetype="firewall" | search client_ip!=192.168* client_ip!=0.0.* client_ip!=10.*| stats count by client_ip | eval count_label="Barracuda Security Events" | eval iterator="client_ip" | eval iterator_label="Client IP" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="barracuda_splunk" |lookup geoip clientip as client_ip |mapit
Is there any way to update the MAXMIND database, which looks up the geo location?
Please help...
Thanks ...
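The search string above pulls client_ip out of the event and drops private addresses with wildcard filters before the geoip lookup. The following is an added example, not code from the question or from the MAXMIND/AmMap apps: it parses the quoted Barracuda log line the same way (stripping the bracketed attack-detail blocks, then taking the first two IPv4 tokens as client and server, which is an assumption about the field order), and replaces the wildcard filters with a proper private-range check. It also shows the gap in the original filters: `client_ip!=192.168* client_ip!=0.0.* client_ip!=10.*` lets 172.16.0.0/12 and loopback addresses through to the geolocation lookup, where they can only ever produce a wrong or empty location.

```python
import fnmatch
import ipaddress
import re
from collections import Counter

# Constructed sample: the Barracuda WAF event quoted in the question
# (client 69.61.11.227, server 66.66.119.52), as a single line.
SAMPLE_LOG = (
    'Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER '
    'SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]'
    '69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] '
    '54067 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" '
    'token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54067'
)

BRACKET_RE = re.compile(r"\[[^\]]*\]")          # [type="..." pattern="..." token="..."]
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# The three exclusions from the search string, as Splunk wildcards.
SEARCH_EXCLUDES = ("192.168*", "0.0.*", "10.*")


def extract_ips(line):
    """Return (client_ip, server_ip) from one Barracuda WAF event.

    Assumption (not stated on the page): once the bracketed attack-detail blocks
    are removed, the first IPv4 token is the client and the second is the server.
    """
    cleaned = BRACKET_RE.sub(" ", line)
    ips = []
    for tok in cleaned.split():
        if IPV4_RE.match(tok):
            try:
                ipaddress.IPv4Address(tok)   # rejects octets > 255
            except ValueError:
                continue
            ips.append(tok)
    if len(ips) < 2:
        raise ValueError("could not find client and server IP in event")
    return ips[0], ips[1]


def passes_search_filter(ip):
    """What the search string's wildcard filters do: True means the IP is kept."""
    return not any(fnmatch.fnmatchcase(ip, pat) for pat in SEARCH_EXCLUDES)


def is_geolocatable(ip):
    """True only for globally routable addresses, which is what a GeoIP lookup
    needs. Unlike the wildcard filters this also excludes 172.16.0.0/12,
    127.0.0.0/8, link-local and the other reserved ranges."""
    return ipaddress.ip_address(ip).is_global


def count_by_client(lines):
    """Equivalent of `stats count by client_ip`, restricted to geolocatable clients."""
    counts = Counter()
    for line in lines:
        try:
            client, _server = extract_ips(line)
        except ValueError:
            continue
        if is_geolocatable(client):
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    print(extract_ips(SAMPLE_LOG))
    for ip in ("69.61.11.227", "10.0.0.1", "172.16.0.1", "192.168.1.1"):
        print(ip, "search filter keeps:", passes_search_filter(ip),
              "geolocatable:", is_geolocatable(ip))
    print(count_by_client([SAMPLE_LOG, SAMPLE_LOG]))
```

Running this shows 172.16.0.1 surviving the search string's filters while `is_geolocatable` rejects it; in the Splunk search itself the same effect is obtained by excluding the 172.16.0.0/12 range as well, so that only public addresses reach `lookup geoip`.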
Rprakash,
"GeoLite Country and GeoLite City are free IP geolocation databases, updated on the first Tuesday of each month", source: Maxmind web site (http://www.maxmind.com/app/geolite).
Get the new file:
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz, unzip it.
Replace your GeoIPLightCity.dat file with this new one.
On my Splunk server (Mac OS X) this file is in /Applications/splunk/etc/apps/MAXMIND/bin/
Regards, Vince
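The replacement step Vince describes (download GeoLiteCity.dat.gz, unzip it, swap in the new .dat) is easy to get half-done if the download is truncated or the copy is interrupted while Splunk is reading the file. The following is an added example, not part of Vince's answer or of the MAXMIND app: it takes an already-downloaded .gz, decompresses it into a temporary file next to the target, keeps a timestamped backup of the old database, and only then renames it into place, so a corrupt archive never replaces the live file. The target path is whatever your MAXMIND app uses (the Mac OS X path above, or the corresponding path on your server); the demo function uses constructed stand-in files in a temp directory rather than a real GeoLite database.

```python
import gzip
import os
import shutil
import tempfile
import time


def replace_geolite_db(gz_path, target_path):
    """Install the decompressed contents of gz_path at target_path.

    Decompression goes to a temp file in the target's directory (same filesystem,
    so the final os.replace is atomic). If the archive is corrupt or truncated the
    temp file is removed and the existing database is left untouched. Returns the
    path of the backup made of the previous file, or None if there was none.
    """
    target_path = os.path.abspath(target_path)
    target_dir = os.path.dirname(target_path)
    fd, tmp_path = tempfile.mkstemp(prefix=".geolite-", dir=target_dir)
    os.close(fd)
    try:
        with gzip.open(gz_path, "rb") as src, open(tmp_path, "wb") as dst:
            shutil.copyfileobj(src, dst)   # raises on bad/truncated gzip data
    except Exception:
        os.unlink(tmp_path)
        raise

    backup = None
    if os.path.exists(target_path):
        backup = "%s.%s.bak" % (target_path, time.strftime("%Y%m%d%H%M%S"))
        shutil.copy2(target_path, backup)
        shutil.copymode(target_path, tmp_path)   # keep the permissions Splunk expects
    else:
        os.chmod(tmp_path, 0o644)
    os.replace(tmp_path, target_path)
    return backup


def demo():
    """Constructed end-to-end run in a temp directory (stand-in bytes, not a real
    GeoLite file): an old .dat is replaced from a freshly gzipped new one, then a
    corrupt .gz is rejected without touching the installed database.
    Returns (installed, backed_up, corrupt_rejected, installed_after_bad_run)."""
    with tempfile.TemporaryDirectory() as d:
        dat = os.path.join(d, "GeoLiteCity.dat")
        gz = os.path.join(d, "GeoLiteCity.dat.gz")
        with open(dat, "wb") as f:
            f.write(b"OLD-DB")
        with gzip.open(gz, "wb") as f:
            f.write(b"NEW-DB")

        backup = replace_geolite_db(gz, dat)
        with open(dat, "rb") as f:
            installed = f.read()
        with open(backup, "rb") as f:
            saved = f.read()

        bad = os.path.join(d, "bad.gz")
        with open(bad, "wb") as f:
            f.write(b"not gzip data")      # simulates a truncated/corrupt download
        rejected = False
        try:
            replace_geolite_db(bad, dat)
        except (OSError, EOFError):
            rejected = True
        with open(dat, "rb") as f:
            after = f.read()
        return installed, saved, rejected, after


if __name__ == "__main__":
    print(demo())
```

On a real server you would call `replace_geolite_db("GeoLiteCity.dat.gz", "/Applications/splunk/etc/apps/MAXMIND/bin/GeoIPLightCity.dat")` after fetching the archive from the URL in the answer; the timestamped `.bak` file lets you roll back if the new database maps your addresses worse than the old one.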
Hi Vince,
Thanks for your reply. I will try replacing the GeoLiteCity.dat file with the newly downloaded GeoLiteCity.dat.
Regards,
RPrakash
Hello,
try running the same search omitting the "| mapit". This way you will see the location in writing.
I've seen this type of symptoms when the "home_threat_data.xml" file could not be overwritten by the script.
When that happens, the map you see is the result of a previous search. In this case, you need to manually delete the XML file before running the mapit search again.
Another comment: the Maxmind database is good and better than most, but cannot always be accurate. In some instances, if it does not know a location for that IP, it will map it to the headquarters of the ISP/IP range owner. There is nothing to do about this.
Regards, Vince
Hi Vince,
I ran the search without "mapit"; even in that case I am getting the same result:
Client_City - Saint Louis
Client Country - United States.
Is there any way to update the database of the maxmind add-on?
How can that be done?
Thanks,
rprakash