After I installed GeoIP from http://www.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
I chose to use the C API in Splunk, but it returns:
"Encountered the following error while trying to update: In handler 'localapps': The Maxmind C based Geo IP API is not installed!"
How can I fix it?
Here is how I made mine work.
Download the GeoIP C API (compile and install)
If all goes well you should see the library get installed into SPLUNK-INSTALL-DIR/lib/python2.7/site-packages/
Thank you !
I've followed your steps and still cannot make it work.
I also copied /usr/local/lib/libGeoIP* to
/home/splunk/lib/python2.7/site-packages/, /home/splunk/lib64/python2.6/site-packages/, /home/splunk/lib64 and /home/splunk/lib, then restarted Splunk, but it did not work.
[root@splunk ~]# ls /home/splunk/lib64/python2.6/site-packages/GeoIP*
What shall I do to make it work?
Thank you !
One thing you can try, to test whether your environment has everything installed correctly:
cd GeoIP-Python-1.2.7 (or whatever Python GeoIP version you downloaded).
You should see:
If you don't have everything set up correctly then you will see:
Traceback (most recent call last):
File "test.py", line 3, in
ImportError: No module named GeoIP
Step 1 - Install Maxmind's GeoIP for C SDK
tar zxvf GeoIP.tar.gz
If this fails because configure complains about Zlib header not found,
you need to install the zlib-devel package. Then rerun ./configure,
make and make install.
Next, copy the compiled GeoIP libs to $SPLUNK_HOME/lib
cp -p /usr/local/lib/libGeoIP* /opt/splunk/lib/
Step 2 - Install the same Python version on your Splunk server as Splunk itself is using
Find out which version of python your Splunk installation is using:
/opt/splunk/bin/splunk cmd python --version
Then download and install this on your Splunk server:
tar zxvf Python-2.6.4.tgz
Step 3 - Install Maxmind's GeoIP for Python SDK
tar zxvf GeoIP-Python-1.2.4.tar.gz
/usr/local/bin/python setup.py build
/usr/local/bin/python setup.py install
Next, copy the compiled GeoIP Python lib to Splunk's Python directory:
cp -p /usr/local/lib/python2.6/site-packages/GeoIP* /opt/splunk/lib/python2.6/site-packages/
Step 4 - Install GeoASN Add On
Download the GeoASN Splunk Add On from http://splunkbase.splunk.com
Then install it under $SPLUNK_HOME/etc/apps/
tar zxvf GeoASN.spl
Step 5 - Restart Splunk
Step 6 - Test it from the command line
/opt/splunk/bin/splunk cmd python ga.py < ga.csv
If it works, it should output the following:
18.104.22.168,Brazil,27699,DE SAO PAULO S/A - TELESP
22.214.171.124,Japan,10000,Nagasaki Cable Media Inc.
You are now ready to start using the GeoASN lookup commands!
UPDATING THE MAXMIND DATABASES
We use two different databases from Maxmind.com, bundled with this Add On.
A new version of each database comes out about every month.
Here is how you update to the latest version of these databases:
Maxmind.com also provides commercial versions of its Geo databases,
with better accuracy and more frequent updates.
If you have logs with a single IP address field:
If you have logs with two IP address fields:
If you always want your searches to look up the Country, AS number and
Organization for IP addresses, you can configure props.conf to do this:
LOOKUP-geoasn = geoasn srcip destip
In this example, all events with sourcetype 'asa' (Cisco firewall logs)
will use the geoasn command to look up the srcip and destip.
This produces the following fields:
srccountry : The Country as found in the Maxmind GeoCity database
destcountry : The Country as found in the Maxmind GeoCity database
srcasn : The AS number and Org as found in the Maxmind ASN database
srcas : The AS number, without the 'AS' prefix
srcorg : The Organization, without the AS number
destasn : The AS number and Org as found in the Maxmind ASN database
destas : The AS number, without the 'AS' prefix
destorg : The Organization, without the AS number
If the IP address being looked up is within the ranges defined in RFC 1918,
the Country and Organization fields are set to 'RFC1918', to make it easy to
filter on Private IP addresses. AS number is set to 0.
If the address was not found in the database, and it is not an RFC 1918 address,
the Country and/or Organization is set to 'Unknown', and the AS number is set to 0.
Benchmarking from Maxmind has shown that the native C libraries are capable of
doing 400,000 IP address lookups per second when memory caching is not used.
The C implementation is capable of more than 1 million lookups/s when using memory
caching. We use both the native C libraries and memory caching for maximum performance.
Another optimization is the lookup of the Country, AS number and Organization
for both the srcip and destip in one single command. Instead of executing
multiple lookup commands, we execute the lookup only once.
TYPICAL USE CASES
All logs containing IP addresses will be easier to analyze if you, for each
IP address, can tell which Country and Organization it belongs to. This is
especially relevant for security analysis, where one can perform queries and
reports to e.g., show all foreign communications.
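The field derivation described above (srccountry/srcasn/srcas/srcorg and their dest counterparts, the 'RFC1918' convention for private addresses, and 'Unknown' with AS 0 for addresses not in the database) as an added Python example; it is not the add-on's ga.py or any MaxMind code. It assumes a constructed in-memory stand-in for the GeoCity and GeoIPASNum databases, so it runs offline under Python 3 rather than the Splunk-bundled Python 2.6.

```python
import ipaddress
import re

# Constructed stand-in for the MaxMind GeoCity and GeoIPASNum databases; the
# real add-on queries the GeoIP C library through its Python binding instead.
# The ASN database answers with strings of the form "AS<number> <organisation>".
SAMPLE_COUNTRY = {"18.104.22.168": "Brazil", "22.214.171.124": "Japan"}
SAMPLE_ASN = {"18.104.22.168": "AS27699 DE SAO PAULO S/A - TELESP",
              "22.214.171.124": "AS10000 Nagasaki Cable Media Inc."}
# Only the three RFC 1918 ranges count as private here; ip_address.is_private
# would also match loopback, link-local and other special-purpose blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ASN_RE = re.compile(r"^AS(\d+)\s*(.*)$")
UNKNOWN = {"country": "Unknown", "asn": "Unknown", "as": 0, "org": "Unknown"}


def lookup(ip):
    """Return {country, asn, as, org} for one address, following the add-on's
    rules: RFC 1918 -> 'RFC1918' with AS 0, not in the database -> 'Unknown'
    with AS 0, otherwise the country plus the ASN string split into number/org."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return dict(UNKNOWN)
    if any(addr in net for net in RFC1918):
        return {"country": "RFC1918", "asn": "RFC1918", "as": 0, "org": "RFC1918"}
    result = dict(UNKNOWN, country=SAMPLE_COUNTRY.get(ip, "Unknown"))
    raw = SAMPLE_ASN.get(ip, "")
    m = ASN_RE.match(raw)
    if m:  # "AS27699 DE SAO PAULO ..." -> as=27699, org="DE SAO PAULO ..."
        result.update({"asn": raw, "as": int(m.group(1)),
                       "org": m.group(2).strip() or "Unknown"})
    return result


def geoasn(events, fields=("srcip", "destip")):
    """Enrich each event with <prefix>country/asn/as/org for every IP field it
    carries, as 'LOOKUP-geoasn = geoasn srcip destip' does in a single pass."""
    out = []
    for ev in events:
        ev = dict(ev)
        for field in fields:
            if field in ev:
                prefix = field[:-2]  # srcip -> src, destip -> dest
                for key, value in lookup(ev[field]).items():
                    ev[prefix + key] = value
        out.append(ev)
    return out
```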