Google Maps 11.3 / Splunk server 6.0.2

Path Finder

Dears,

Not working well:

Trying to make it work with the modsecurity app ....

source="www-access_log" | geoip clientip

Traceback (most recent call last):
File "/opt/splunk/etc/apps/maps/bin/geoipcmd.py", line 59, in
preprocess_row=preprocess)
File "/opt/splunk/etc/apps/maps/bin/geoip.py", line 199, in process_csv_stream
ip = row[ip_field]
KeyError: 'clientip'

Any ideas?
Seems to be a problem with GoogleMaps ....

Thx

0 Karma

SplunkTrust

Disabling the command isn't going to make it work.

Run a search like this:

source="*www-access_log*"

and see if there is a field containing the client's ip. Then use that field name in the geoip call.
If there's no field yet, post some sample events and we'll help you extract the field.

0 Karma

Path Finder

On GoogleMaps/Settings, I have disabled the geoip command.
When running modsecurity/dashboard I do not get the error anymore, only geoip not found.

Thx

0 Karma

Path Finder

I have reinstalled everything, same problem ...
What am I supposed to do now?
Do I have to open a ticket somewhere?

Thx for your help.

0 Karma

SplunkTrust

Yup, that error message supports my guess that geoip is looking for a field called clientip but can't find one.

0 Karma

Path Finder

Dear both,

Please have a look at this snapshot:

https://drive.google.com/file/d/0BxTKjXaz-ROBdVdPNTN1TjNrNm8/edit?usp=sharing (dl the document to see it)

It seems to be a problem with the interaction between modsecurity and Googlemaps ....
As I said, I don't know what those two apps are doing .... The source="www-access_log" search gives me nothing ...

Thx

0 Karma

Splunk Employee

Can you provide a sample of the log:

source="www-access_log"

As Martin stated, you would need a field called clientip. If you don't have one, simply use rex or the other UI methods to extract this field at search time. Then your geoip command will work.

0 Karma
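An added example, not from this thread or from the Maps app's own geoip.py: it reconstructs why `ip = row[ip_field]` raises KeyError: 'clientip' on rows that only carry `_raw`, and shows the search-time extraction (the same regex you would pass to rex) that makes the field exist before geoip runs. The sample log lines are constructed; the `extract_clientip`, `geoip_ips` and `geoip_ips_checked` names are hypothetical.

```python
import re

# Constructed sample events, shaped like Splunk result rows: each row carries the
# raw Apache access-log line in _raw, but no clientip field has been extracted yet.
SAMPLE_ROWS = [
    {"source": "www-access_log",
     "_raw": '203.0.113.7 - - [24/Mar/2014:16:54:23 +0200] "GET /index.html HTTP/1.1" 200 512'},
    {"source": "www-access_log",
     "_raw": '198.51.100.42 - - [24/Mar/2014:16:55:01 +0200] "POST /login HTTP/1.1" 302 0'},
]

# Same pattern you would hand to rex in SPL:
#   source="www-access_log" | rex "^(?<clientip>\d{1,3}(?:\.\d{1,3}){3})" | geoip clientip
CLIENTIP_RE = re.compile(r"^(?P<clientip>\d{1,3}(?:\.\d{1,3}){3})")


def extract_clientip(row):
    """Search-time extraction: return a copy of the row with clientip added
    when _raw starts with an IPv4 address (leading field of an access log)."""
    m = CLIENTIP_RE.match(row.get("_raw", ""))
    if m:
        return dict(row, clientip=m.group("clientip"))
    return row


def geoip_ips(rows, ip_field="clientip"):
    """Mimics the failing line in the traceback (ip = row[ip_field]):
    a plain dict lookup, so a row without the field raises KeyError."""
    return [row[ip_field] for row in rows]


def geoip_ips_checked(rows, ip_field="clientip"):
    """Defensive variant: collect the IPs that exist and count the rows
    that lack the field instead of aborting the whole search."""
    ips, missing = [], 0
    for row in rows:
        if ip_field in row:
            ips.append(row[ip_field])
        else:
            missing += 1
    return ips, missing


if __name__ == "__main__":
    try:
        geoip_ips(SAMPLE_ROWS)
    except KeyError as err:
        print("before extraction:", repr(err))  # KeyError('clientip')
    extracted = [extract_clientip(r) for r in SAMPLE_ROWS]
    print("after extraction:", geoip_ips(extracted))
```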

Path Finder

Hum, please don't shoot me ....
But I am a bit lost ..... Where should this "clientip" field be?
As I said, modsecurity is transparent for me, I do not know what it is doing ....
Is it a problem with the config of my splunkforwarder (inputs)?

Thx for your help.

0 Karma

SplunkTrust

There you go then, geoip is failing as documented in the error message. If it's supposed to translate a field called clientip into a geolocation but that field does not exist - what is it supposed to do?

0 Karma

Path Finder

I do not see any field called "clientip" ....

0 Karma

Path Finder

I have found other error messages:

ago 03-24-2014 16:54:23.679 +0200 ERROR TailingProcessor - Ignoring path="/var/log/apache2/modsec_audit.log" due to: Bug: tried to check/configure STData processing but have no pending metadata.

....

0 Karma

SplunkTrust

That URL gives me a 403.

I'm asking about whether your source events have a field called clientip because not having that field produces the same KeyError from geoip.

0 Karma

Path Finder

I have this error when I am trying to use the app "modsecurity".
I don't know what the app "modsecurity" is doing exactly.
When I click on Dashboard, I have 423 events and at the top of the Splunk web page I have all these error messages in red.

please have a look:
https://drive.google.com/file/d/0BxTKjXaz-ROBdVdPNTN1TjNrNm8/edit?usp=sharing

Thx

0 Karma

SplunkTrust

You're asking the geoip command to guess location data based on the field clientip. I'm wondering if the events you're giving to geoip, i.e. the results from your search source="www-access_log", actually have a field by that name.

0 Karma

Path Finder

Sorry, but can you be a bit more precise?
What event are you referring to?

Thx

0 Karma

SplunkTrust

Do your events have a field called clientip?

0 Karma