All Apps and Add-ons

AmMap with Maxmind is showing wrong location on the map?

Communicator

I have developed a Splunk App which generates the reports based upon the Barracuda Web Application Firewall logs. I have a dashboard which has an amMap flash map to show the location of the clientip present in the logs. But the map is showing an incorrect location for the clientip.

The log is :
Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER SQLINJECTIONIN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] 54067 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54067

The client_ip field is in bold.
69.61.11.227 is from India, but on the map it is showing Saint Louis, United States.

I searched the web for the location of this client_ip and got India as the result. But on the map it is coming up as Saint Louis, United States.

I have downloaded and installed the MAXMIND add-on from this link link text, and AmMap from link text.

I am using the following search string

sourcetype="firewall" | search clientip!=192.168* clientip!=0.0.* clientip!=10.*| stats count by clientip | eval countlabel="Barracuda Security Events" | eval iterator="clientip" | eval iteratorlabel="Client IP" | eval moviecolor="#FF0000" | eval outputfile="homethreatdata.xml" | eval app="barracudasplunk" |lookup geoip clientip as client_ip |mapit

Is there any way to update the MAXMIND database, which is used for the geo location lookup?

Please help...
Thanks ...

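Before blaming the GeoIP database, it helps to confirm which address the search is actually feeding to the lookup. The added example below is not part of the original post or of the MAXMIND/AmMap apps: it pulls the trailing client IP out of lines in the Barracuda format quoted above and keeps only globally routable addresses, which is what the `clientip!=192.168* clientip!=0.0.* clientip!=10.*` prefix globs in the search are trying to do (they miss, for example, 172.16.0.0/12 and 127.0.0.0/8). The template helper, the extra sample events and the trailing-`HTTP <ip> <port>` extraction rule are assumptions about the log layout.

```python
import ipaddress
import re


def barracuda_line(client_ip, client_port):
    """Constructed event in the shape of the WAF line quoted in the question."""
    return (f'Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER '
            f'SQLINJECTIONIN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]'
            f'{client_ip}[type="sql-injection-medium" pattern="sql-comments" token="/"] {client_port} '
            f'66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] '
            f'GET 66.66.119.52/nawal/ HTTP {client_ip} {client_port}')


# Constructed sample: the event from the question plus a few invented ones.
SAMPLE_LOGS = [
    barracuda_line("69.61.11.227", 54067),  # the event quoted on the page
    barracuda_line("69.61.11.227", 54102),  # same client, second request
    barracuda_line("10.20.30.40", 41000),   # RFC1918, caught by clientip!=10.*
    barracuda_line("172.16.5.5", 41001),    # RFC1918, missed by the page's globs
    barracuda_line("192.168.1.1", 41002),   # RFC1918, caught by clientip!=192.168*
]

# Assumption: the client address and source port are the last two fields.
IP_PORT_AT_END = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3}) (\d{1,5})$')


def extract_client_ip(line):
    """Return the trailing client IP of one Barracuda event, or None."""
    m = IP_PORT_AT_END.search(line.rstrip())
    return m.group(1) if m else None


def is_lookup_worthy(ip_text):
    """Only globally routable addresses make sense to send to a GeoIP lookup."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed field: do not pass garbage to the lookup
    return ip.is_global  # False for RFC1918, loopback, link-local, 0.0.0.0/8


def public_client_ips(lines):
    """Equivalent of `stats count by clientip` restricted to public clients."""
    counts = {}
    for line in lines:
        ip = extract_client_ip(line)
        if ip and is_lookup_worthy(ip):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in public_client_ips(SAMPLE_LOGS).items():
        print(f"{ip}\t{n}")
```

Run the search without `| mapit` and compare its clientip column with this output: if the IPs agree but the city differs, the problem is the GeoIP data file, not the extraction.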
1 Solution

Engager

Rprakash,

"GeoLite Country and GeoLite City are free IP geolocation databases, updated on the first Tuesday of each month", source: Maxmind web site (http://www.maxmind.com/app/geolite).

Get the new file:
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz, unzip it.
Replace your GeoIPLightCity.dat file with this new one.
On my Splunk server (Mac OS X) this file is in /Applications/splunk/etc/apps/MAXMIND/bin/

Regards, Vince



Communicator

Hi Vince,

Thanks for your reply. I will try replacing the GeoLiteCity.dat file with the newly downloaded GeoLiteCity.dat.

Regards,
RPrakash


Engager

Hello,

Try running the same search omitting the "| mapit". This way you will see the location in writing.
I've seen this type of symptom when the "homethreatdata.xml" file could not be overwritten by the script.
When that happens, the map you see is the result of a previous search. In this case, you need to manually delete the XML file before running the mapit search again.

Another comment: the Maxmind database is good and better than most, but cannot always be accurate. In some instances, if it does not know a location for that IP, it will map it to the headquarters of the ISP / IP range owner. There is nothing to do about this.

Regards, Vince

Communicator

Hi Vince,

I ran the search without "mapit"; even in that case I am getting the same result:

Client_City - Saint Louis

Client Country - United States.

Is there any way to update the database of maxmind addon ?
How that can be done ?

Thanks,
rprakash
