Dashboards & Visualizations

Help with implementing a GeoIP Lookup

MarkusT
New Member

Hello everybody,

First of all, I have to say that I am totally new to Splunk.
What I want to do is implement a GeoIP lookup. So far Splunk receives syslog data from a Lancom 1781VA (over ISDN) router. I don't even know if GeoIP works with the syslog data.
Can anyone explain to me how to implement a GeoIP lookup within Splunk?

I'm not a native speaker, so please excuse any mistakes.

Please feel free to ask me if there is information you need.

Thanks in advance

Markus

0 Karma

martin_mueller
SplunkTrust

Assuming the IP has been blued out, an extraction and iplocation using rex might look like this:

base search | rex "peer (?<peer_ip>\d+\.\d+\.\d+\.\d+)" | iplocation peer_ip

That will add fields to your field list on the left, such as lat and lon for the estimated location.

If you click on my name, there is a Contact Me button; through that we can also chat in German.

martin_mueller
SplunkTrust

For converting an IP to a location using the MaxMind app you need to use the geoip command, something like this:

sourcetype=syslog | rex "Dst: (?<dst_ip>[^,:]+)" | geoip dst_ip

Enter that search into the maps view of the Google Maps app; you should see clusters on the map.

0 Karma

MarkusT
New Member

I tried it with this command:

sourcetype=syslog | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip as ip

But the map is still empty.

0 Karma

MarkusT
New Member

Now I got to the point that I have syslog messages that look like this one:
http://abload.de/image.php?img=sampledata20njmr.jpg

I installed MaxMind and Google Maps.

How can I display the IP that comes after Dst: on the Google Maps map?
Somehow I have to use this rex command to name that value.

0 Karma

martin_mueller
SplunkTrust

Sending the message worked fine, twice even 😛

If you don't have the destination IP but want to know the location of the destination IP, then you're out of luck. You'll need to find a data source that contains this IP first.
"syslog" is quite a wide array of different data sources, so that depends on your device producing the data. I'm not familiar with that device though; maybe there's a logging configuration to change to include that IP.

0 Karma

MarkusT
New Member

Hi Martin,

Thanks again. Since sending you a message over the Contact Me button is not working at the moment, I'll go on writing to you here.

To come back to the topic: the blued-out part is the name of another firewall which is connected to the one I get my logs from.

As far as I see it, the destination IP is not displayed in my syslog messages. But that is the one I want to display on my Google Maps map (I've installed the Google Maps add-on). Is syslog the right source for this kind of information?

0 Karma

MarkusT
New Member

Thank you for answering that fast, Martin.

German-language help would really be awesome 🙂

Here is a screenshot of some sample data:

http://abload.de/image.php?img=sampledatak4jmc.jpg

Thanks again

0 Karma

martin_mueller
SplunkTrust

Do post some sample data. The general idea is to extract an IP from the data, run the iplocation command, and then do statistics or mapping based on the lat/lon generated.

If you happen to need German-language help (guessing based on the name...), let me know and we'll figure something out.

0 Karma
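The steps described in this answer and in the geoip answer above (extract an IP, run iplocation, then map on the generated lat/lon) put together as one complete search. This is an added example, not a search from the original thread or from either of the apps mentioned; the sourcetype, the Dst: prefix taken from the messages discussed above, and the field name dst_ip are assumptions.

```spl
sourcetype=syslog
| rex "Dst: (?<dst_ip>\d{1,3}(?:\.\d{1,3}){3})"
| where isnotnull(dst_ip)
| where NOT cidrmatch("10.0.0.0/8", dst_ip)
      AND NOT cidrmatch("172.16.0.0/12", dst_ip)
      AND NOT cidrmatch("192.168.0.0/16", dst_ip)
| iplocation dst_ip
| where isnotnull(lat) AND isnotnull(lon)
| geostats count by Country
```

The two where clauses are the check that most often explains an empty map: events with no Dst: address produce no dst_ip at all, and RFC 1918 addresses (10/8, 172.16/12, 192.168/16) have no entry in the GeoIP database, so iplocation returns empty lat and lon for them and nothing can be plotted. Dropping those rows before geostats leaves only routable destinations with a location. Replace the final geostats with `stats count by Country, City` to get a plain table for checking the extraction before switching to a map view.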