
AmMap with Maxmind is showing wrong location on the map?

ranjyotiprakash
Communicator

I have developed a Splunk App which generates the reports based upon the Barracuda Web Application Firewall logs. I have a dashboard which has an amMap flash map to show the location of the client_ip present in the logs. But, the map is showing an incorrect location for the client_ip.

The log is :
Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] 54067 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54067

The client_ip field is in bold.
69.61.11.227 is from India, but on the map it is showing Saint Louis, United States.

I searched the web for the location of this client_ip and got India as the result. But on the map it is coming up as Saint Louis, United States.

I have downloaded and installed the MAXMIND add-on from this link: link text, and AmMap from link text.

I am using the following search string

sourcetype="firewall" | search client_ip!=192.168* client_ip!=0.0.* client_ip!=10.*| stats count by client_ip | eval count_label="Barracuda Security Events" | eval iterator="client_ip" | eval iterator_label="Client IP" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="barracuda_splunk" |lookup geoip clientip as client_ip |mapit

Is there any way to update the MAXMIND database, which looks up the geo location?

Please help...
Thanks ...


Vince246
Engager

Rprakash,

"GeoLite Country and GeoLite City are free IP geolocation databases, updated on the first Tuesday of each month", source: Maxmind web site (http://www.maxmind.com/app/geolite).

Get the new file:
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz, unzip it.
Replace your GeoIPLightCity.dat file with this new one.
On my Splunk server (Mac OS X) this file is in /Applications/splunk/etc/apps/MAXMIND/bin/

Regards, Vince


ranjyotiprakash
Communicator

Hi Vince,

Thanks for your reply. I will try replacing the GeoLiteCity.dat file with the newly downloaded GeoLiteCity.dat.

Regards,
RPrakash

0 Karma

Vince246
Engager

Hello,

Try running the same search omitting the "| mapit". This way you will see the location in writing.
I've seen this type of symptoms when the "home_threat_data.xml" file could not be overwritten by the script.
When that happens, the map you see is the result of a previous search. In this case, you need to manually delete the XML file before running the mapit search again.

Another comment: the Maxmind database is good and better than most, but it cannot always be accurate. In some instances, if it does not know a location for that IP, it will map it to the headquarters of the ISP/IP range owner. There is nothing to do about this.

Regards, Vince
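As an added example (not part of this thread and not the MAXMIND add-on's own code), the database refresh from the accepted answer and the stale-XML clean-up from this reply as a small POSIX shell script: it installs an already downloaded GeoLiteCity.dat.gz in place of the current database with a backup and a truncation check, and removes a home_threat_data.xml that predates the refreshed database so mapit regenerates it. All file paths are arguments you supply; the download itself (the URL given above) is done separately.

```shell
#!/bin/sh
# Added example, not code from the MAXMIND add-on. Paths such as
# /Applications/splunk/etc/apps/MAXMIND/bin/GeoLiteCity.dat are passed
# in as arguments; nothing here is hard-coded to a particular install.

# install_geolite_db <downloaded GeoLiteCity.dat.gz> <installed .dat>
# Unzips the archive next to the target, refuses a truncated download,
# keeps a .bak copy of the current database and swaps the new one in
# with a single rename so a running lookup never sees a half-written file.
install_geolite_db() {
    gz="$1"; target="$2"
    tmp="$target.new.$$"
    gzip -dc "$gz" > "$tmp" || { rm -f "$tmp"; return 1; }
    # A near-empty result means the download was cut short; never install it.
    size=$(wc -c < "$tmp" | tr -d ' ')
    if [ "$size" -lt 16 ]; then
        rm -f "$tmp"
        return 2
    fi
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    mv "$tmp" "$target"
}

# clear_stale_map_output <home_threat_data.xml> <installed .dat>
# mapit rewrites the amMap XML on every run. An XML file older than the
# (freshly installed) database was produced with the old data, or was
# never overwritten at all, so delete it and let the next mapit recreate it.
clear_stale_map_output() {
    xml="$1"; db="$2"
    [ -f "$xml" ] || return 0           # nothing left over, nothing to do
    if [ "$xml" -ot "$db" ]; then
        rm -f "$xml" || return 1
    fi
    return 0
}
```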

ranjyotiprakash
Communicator

Hi Vince,

I ran the search without "mapit"; even in that case I am getting the same result:

Client_City - Saint Louis

Client Country - United States.

Is there any way to update the database of the Maxmind add-on?
How can that be done?

Thanks,
rprakash
