Hello everybody,
First of all, I have to say that I am totally new to Splunk.
What I want to do is to implement a GeoIP lookup. Currently Splunk receives syslog data from a Lancom 1781VA (over ISDN) router. I don't even know if GeoIP works with the syslog data.
Can anyone explain to me how to implement a GeoIP lookup within Splunk?
I'm not a native speaker, so please excuse any mistakes.
Please feel free to ask me if there is information you need.
Thanks in advance,
Markus
Assuming the IP has been blued out, an extraction and iplocation using rex might look like this:
base search | rex "peer (?<peer_ip>\d+\.\d+\.\d+\.\d+)" | iplocation peer_ip
That will add fields to your field list on the left, such as lat and lon for the estimated location.
If you click on my name, there is a Contact Me button - we can also chat in German through that.
For converting an IP to a location using the MaxMind app you need to use the geoip command, something like this:
sourcetype=syslog | rex "Dst: (?<dst_ip>[^,:]+)" | geoip dst_ip
Enter that search into the maps view of the Google Maps app and you should see clusters on the map.
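A fuller version of the extract-then-geolocate search from the two answers above, added here as an illustration and not either poster's own search. It assumes a Splunk release with the built-in iplocation and geostats commands; the "Dst:" prefix comes from the thread, the field name dst_ip is the example's own choice, and the cidrmatch filter is added because RFC 1918 addresses never resolve to a location and would otherwise silently vanish from the map.

```spl
sourcetype=syslog
| rex field=_raw "Dst:\s*(?<dst_ip>\d{1,3}(?:\.\d{1,3}){3})"
| where isnotnull(dst_ip)
    AND NOT cidrmatch("10.0.0.0/8", dst_ip)
    AND NOT cidrmatch("172.16.0.0/12", dst_ip)
    AND NOT cidrmatch("192.168.0.0/16", dst_ip)
| iplocation dst_ip
| geostats latfield=lat longfield=lon count by Country
```

Run the first three lines alone first and check that dst_ip appears in the field list on the left; if it does not, the regex does not match your router's message format and nothing downstream will plot.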
I tried it with this command:
sourcetype=syslog | rex field=_raw "(?
But the map is still empty.
Now I got to the point that I have syslog messages that look like this one:
http://abload.de/image.php?img=sampledata20njmr.jpg
I installed MaxMind and GoogleMaps.
How can I display the IP that comes after Dst: on the GoogleMaps map?
Somehow I have to use this rex command to name that value.
Sending the message worked fine, twice even 😛
If you don't have the destination IP but want to know the location of the destination IP then you're out of luck. You'll need to find a data source that contains this IP first.
"syslog" is quite a wide array of different data sources, so that depends on your device producing the data. I'm not familiar with that device though, maybe there's logging configuration to change to include that IP.
Hi Martin,
Thanks again. Since sending you a message via the Contact Me button is not working at the moment, I'll go on writing to you here.
To come back to the topic: the blued-out part is the name of another firewall which is connected to the one I get my logs from.
As far as I can see, the destination IP is not displayed in my syslog messages. But that is the one I want to display on my GoogleMaps map (I've installed the GoogleMaps add-on). Is syslog the right source for this kind of information?
Thank you for answering that fast, Martin.
German-language help would really be awesome 🙂
Here is a screenshot of some sample data:
http://abload.de/image.php?img=sampledatak4jmc.jpg
Thanks again
Do post some sample data. The general idea is to extract an IP from the data, run the iplocation command, and then do statistics or mapping based on the lat/lon generated.
If you happen to need German-language help (guessing based on the name...), let me know and we'll figure something out.