Help with implementing a GeoIP Lookup

MarkusT · ‎03-14-2014

Hello everybody,

first of all i have to say that i am totally new to splunk.
What i want to do is to implement a GeoIP lookup. Yet splunk receives syslog data from a Lancom 1781VA (over ISDN) Router. I don't even know if GeoIP works with the syslog data.
Can anyone explain me how to implement a GeoIP lookup within splunk?

I'm not a native speaker, so please excuse if there an mistakes.

Please feel free to ask me if there is information you need.

thanks in advance

Markus

martin_mueller · ‎03-14-2014

Assuming the IP has been blue'd out, an extraction and iplocation using rex might look like this:

base search | rex "peer (?<peer_ip>\d+\.\d+\.\d+\.\d+)" | iplocation peer_ip

That will add fields to your field list on the left, such as lat an lon for the estimates location.

Wenn du meinen Namen anklickst, ist da ein Contact Me button - darüber können wir auch Deutsch schnacken.

martin_mueller · ‎03-14-2014

For converting an ip to a location using the maxmind app you need to use the geoip command, something like this:

sourcetype=syslog | rex "Dst: (?<dst_ip>[^,:]+)" | geoip dst_ip

Enter that search into the maps view of the Google Maps app, you should see clusters on the map.

MarkusT · ‎03-14-2014

I tried it with this command:
sourcetype=syslog | rex field=_raw "(?\d+.\d+.\d+.\d+)" | lookup geoip clientip as ip

But the Map is still empty

MarkusT · ‎03-14-2014

No i got to the point that i have syslog messages that look like this one:
http://abload.de/image.php?img=sampledata20njmr.jpg

I installed MaxMind and GoogleMaps.

How can i Display the IP that comes after Dst: on the GoogleMaps map?
Somehow I have to use this rex command to name that value.

martin_mueller · ‎03-14-2014

Sending the message worked fine, twice even 😛

If you don't have the destination IP but want to know the location of the destination IP then you're out of luck. You'll need to find a data source that contains this IP first.
"syslog" is quite a wide array of different data sources, so that depends on your device producing the data. I'm not familiar with that device though, maybe there's logging configuration to change to include that IP.

MarkusT · ‎03-14-2014

Hi Martin,

thanks again. Due to the circumstance that sending you a message over the Contact Me button is not working at the moment i go on writing you here.

To come back to the topic: The blue'd out part is the name of another firewall which is connected with the one i get my logs from.

As far as i see it, in my syslog messages there is not the destination ip displayed. But that is the one i want to display on my GoogleMaps map (i've installted the GoogleMaps add on). Is syslog the right source for this kind of information?

MarkusT · ‎03-14-2014

Thank you for answering that fast Martin,

German-language help would really be awesome 🙂

here is a screenshot of some sample data

http://abload.de/image.php?img=sampledatak4jmc.jpg

thanks again

martin_mueller · ‎03-14-2014

Do post some sample data. The general idea is to extract an IP from the data, run the iplocation command, and then do statistics or mapping based on the lat/lon generated.

If you happen to need German-language help (guessing based on the name...), let me know and we'll figure something out.

Help with implementing a GeoIP Lookup

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk