I have developed a Splunk App which generates reports based upon the Barracuda Web Application Firewall logs. I have a dashboard which has an amMap flash map to show the location of the client_ip present in the logs. But the map is showing an incorrect location for the client_ip.
The log is:
Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER SQL_INJECTION_IN_URL [type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227[type="sql-injection-medium" pattern="sql-comments" token="/"] 54067 66.66.119.52 80 DENY NONE [type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP 69.61.11.227 54067
The client_ip field is in bold.
69.61.11.227 is from India, but on the map it is showing Saint Louis, United States.
I searched the web for the location of this client_ip and got India as the result, but on the map it comes up as Saint Louis, United States.
I have downloaded and installed the MAXMIND add-on and AmMap.
I am using the following search string:
sourcetype="firewall" | search client_ip!=192.168* client_ip!=0.0.* client_ip!=10.* | stats count by client_ip | eval count_label="Barracuda Security Events" | eval iterator="client_ip" | eval iterator_label="Client IP" | eval movie_color="#FF0000" | eval output_file="home_threat_data.xml" | eval app="barracuda_splunk" | lookup geoip clientip as client_ip | mapit
Is there any way to update the MAXMIND database, which is used for the geolocation lookup?
Please help...
Thanks ...
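An added Python example, not from the original post or from the Barracuda/Splunk tooling, that parses the log line quoted above to recover client_ip and applies a complete non-routable-range check before geolocation. It assumes the field order client_ip, client_port, server_ip, server_port, action, which the post does not confirm.

```python
import ipaddress
import re

# Constructed sample: the log line from the post (the bold markup was lost in the paste).
SAMPLE_LOG = (
    'Jul 11 08:57:07 barracuda 2012-07-11 08:57:07.381 -0400 "-" WF ALER SQL_INJECTION_IN_URL '
    '[type="sql-injection-medium" pattern="sql-comments" token="/"]69.61.11.227'
    '[type="sql-injection-medium" pattern="sql-comments" token="/"] 54067 66.66.119.52 80 DENY NONE '
    '[type="sql-injection-medium" pattern="sql-comments" token="/"] GET 66.66.119.52/nawal/ HTTP '
    '69.61.11.227 54067'
)

# The bracketed match details can sit directly against the client IP (as in the line above),
# so strip them before looking for the connection tuple.
_BRACKETS = re.compile(r'\[[^\]]*\]')
_IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'
# Assumed field order: client_ip client_port server_ip server_port action
_CONN = re.compile(_IPV4 + r'\s+(\d+)\s+' + _IPV4 + r'\s+(\d+)\s+([A-Z]+)')


def parse_waf_line(line):
    """Return the connection fields of one Barracuda WAF line, or None if not found."""
    m = _CONN.search(_BRACKETS.sub(' ', line))
    if not m:
        return None
    client_ip, client_port, server_ip, server_port, action = m.groups()
    return {"client_ip": client_ip, "client_port": int(client_port),
            "server_ip": server_ip, "server_port": int(server_port),
            "action": action}


def is_geolocatable(ip_str):
    """True only for public addresses. The search's prefix filters (192.168*, 0.0.*, 10.*)
    miss 172.16/12, 127/8, 169.254/16 and other non-routable ranges; is_global covers them."""
    try:
        return ipaddress.ip_address(ip_str).is_global
    except ValueError:
        return False


def geolocatable_clients(lines):
    """Distinct client IPs from the given lines that are worth passing to the geoip lookup."""
    seen = []
    for line in lines:
        rec = parse_waf_line(line)
        if rec and is_geolocatable(rec["client_ip"]) and rec["client_ip"] not in seen:
            seen.append(rec["client_ip"])
    return seen
```

Running the extracted IPs through this filter before the lookup separates a stale MaxMind database (a public IP resolving to the wrong city) from a filter gap (an internal IP reaching the lookup at all).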