All Apps and Add-ons

AmMap with Maxmind is showing wrong location on the map ?

ranjyotiprakash
Communicator

I have developed a Splunk App which generates the reports based upon the Barracuda Web Application Firewall logs. I have a dashboard which has amMap flash map to show the location of client_ip present in the logs. But, the map is showing incorrect location for the client_ip.

The log is :
Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] 54067 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54067

The client_ip field is in bold.
69.61.11.227 is from India, but on the map it is showing Saint Louis, United States.

I searched on the web for the location of this client_ip and get India as the result. But, on the map it is coming as Saint Louis, United States.

I have downloaded and installed the MAXMIND add on from this link link text, and AmMap from
link text.

I am using the following search string

sourcetype="firewall" | search client_ip!=192.168* client_ip!=0.0.* client_ip!=10.*| stats count by client_ip | eval count_label="Barracuda Security Events" | eval iterator="client_ip" | eval iterator_label="Client IP" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="barracuda_splunk" |lookup geoip clientip as client_ip |mapit

Is there any way to update the MAXMIND database, which looks up the geo location?

Please help...
Thanks ...

0 Karma
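The search above extracts client_ip from the Barracuda event, drops the private ranges, and counts events per address before the geoip lookup. As an added example (not part of this thread or of the MAXMIND/amMap apps), the following Python reproduces that pre-lookup stage so the list of addresses being geolocated can be inspected independently of the map. The first log line is the one posted above; the other two are constructed in the same layout. The search's `192.168*`, `0.0.*` and `10.*` exclusions are mirrored, and `ipaddress.is_global` is added as a stricter check that also drops 172.16/12 and other non-routable space the wildcard filters miss.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: line 1 is the event quoted in the thread, lines 2 and 3
# are made-up events in the same layout (not real Barracuda output).
SAMPLE_LOG = """\
Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] 54067 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54067
Jul 11 08:58:10 barracuda 2012-07-11 08:58:10.002 -0400 "-" WF ALER SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]192.168.1.20[type="sql-injection-medium" pattern="sql-comments" token="/"] 40001 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/test/ HTTP 192.168.1.20 40001
Jul 11 08:59:33 barracuda 2012-07-11 08:59:33.515 -0400 "-" WF ALER SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] 54100 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54100
"""

# The client IP sits between the closing ']' of the first attack-token block
# and the opening '[' of the second one.
CLIENT_IP_RE = re.compile(r"\](\d{1,3}(?:\.\d{1,3}){3})\[")

# Prefix exclusions copied from the search string in the question.
EXCLUDED_PREFIXES = ("192.168.", "0.0.", "10.")


def extract_client_ip(line):
    """Return the client_ip of one Barracuda WAF event, or None if absent."""
    match = CLIENT_IP_RE.search(line)
    return match.group(1) if match else None


def is_routable(ip_text):
    """True if the address passes the search's exclusions and is globally routable."""
    if ip_text.startswith(EXCLUDED_PREFIXES):
        return False
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # is_global rejects RFC 1918, loopback, link-local, CGNAT etc.
    return addr.is_global


def count_by_client_ip(log_text):
    """Equivalent of the '... | stats count by client_ip' stage."""
    counts = Counter()
    for line in log_text.splitlines():
        ip_text = extract_client_ip(line)
        if ip_text and is_routable(ip_text):
            counts[ip_text] += 1
    return dict(counts)


if __name__ == "__main__":
    # Print the rows that would be handed to 'lookup geoip'.
    for ip_text, count in sorted(count_by_client_ip(SAMPLE_LOG).items()):
        print(f"{ip_text}\t{count}")
```

Running it prints only 69.61.11.227 with a count of 2; the 192.168.1.20 event is dropped exactly as the search drops it. If an address appears in this list but its geolocation still looks wrong, the problem is in the lookup or the map output, not in the extraction.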
1 Solution

Vince246
Engager

Rprakash,

"GeoLite Country and GeoLite City are free IP geolocation databases, updated on the first Tuesday of each month", source: Maxmind web site (http://www.maxmind.com/app/geolite).

Get the new file:
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz, unzip it.
Replace your GeoIPLightCity.dat file with this new one.
On my Splunk server (Mac OS X) this file is in /Applications/splunk/etc/apps/MAXMIND/bin/

Regards, Vince


0 Karma

ranjyotiprakash
Communicator

Hi Vince,

Thanks for your reply. I will try replacing the GeoLiteCity.dat file with the newly downloaded GeoLiteCity.dat.

Regards,
RPrakash

0 Karma

Vince246
Engager

Hello,

Try running the same search omitting the "| mapit". This way you will see the location in writing.
I've seen this type of symptom when the "home_threat_data.xml" file could not be overwritten by the script.
When that happens, the map you see is the result of a previous search. In this case, you need to manually delete the XML file before running the mapit search again.

Another comment: the Maxmind database is good and better than most but cannot always be accurate. In some instances, if it does not know a location for that IP, it will map it to the headquarters of the ISP/IP range owner. There is nothing to do about this.

Regards, Vince
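The stale-map symptom described in the post above (the XML output file not being overwritten, so the map shows a previous search) is easy to confirm from the file itself. As an added example that is not part of this thread or of the amMap app, the following check classifies the mapit output file as missing, not writable, stale or fresh; the path name is assumed and the demo builds its own temporary files rather than touching a real Splunk installation.

```python
import os
import tempfile
import time


def output_file_status(path, max_age_seconds=300, now=None):
    """Classify the map output file written by mapit.

    Returns one of 'missing', 'not_writable', 'stale' or 'fresh'.
    'stale' means the file is older than max_age_seconds, i.e. the last
    search most likely did not overwrite it and the map is showing old data.
    """
    if not os.path.exists(path):
        return "missing"
    if not os.access(path, os.W_OK):
        # The script cannot overwrite the file; the map will never refresh.
        return "not_writable"
    current = time.time() if now is None else now
    age_seconds = current - os.path.getmtime(path)
    if age_seconds > max_age_seconds:
        return "stale"
    return "fresh"


def demo_status_check():
    """Constructed demo: one hour-old file and one just-written file."""
    with tempfile.TemporaryDirectory() as tmpdir:
        # Assumed file name, taken from the output_file value in the search.
        path = os.path.join(tmpdir, "home_threat_data.xml")
        with open(path, "w") as fh:
            fh.write("<map/>\n")
        now = time.time()
        # Backdate the mtime by one hour to simulate a map that was never overwritten.
        os.utime(path, (now - 3600, now - 3600))
        stale = output_file_status(path, max_age_seconds=300, now=now)
        # Touch it again so it looks like the search just rewrote it.
        os.utime(path, (now, now))
        fresh = output_file_status(path, max_age_seconds=300, now=now)
        return stale, fresh


if __name__ == "__main__":
    print(demo_status_check())
```

Run the check against the real output file right after a mapit search: a result of `stale` or `not_writable` points at the overwrite problem rather than at the MaxMind data, and deleting or fixing permissions on the file is the fix the post describes.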

ranjyotiprakash
Communicator

Hi Vince,

I ran the search without "mapit"; even in that case I am getting the same result:

Client_City - Saint Louis

Client Country - United States.

Is there any way to update the database of maxmind addon ?
How that can be done ?

Thanks,
rprakash

0 Karma