
Google Maps App - Mapping Deny's from Firewall

aferone
Builder

This is the current search that I am running, and it is working, but I think it is working only because it is finding the first IP address in the log, which happens to be the IP address I want anyway:

host="my host" action="Deny" | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | geoip ip

How do I select the field that I want to map out? I am sure there will be instances in which the IP address I want to map out will not be the first one in the log.

I tried the following search, specifically selecting the field (which I extracted), and it doesn't work:

host="my host" action="Deny" SourceIP=* | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | geoip ip

or

host="my host" action="Deny" SourceIP=* | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | geoip ip as SourceIP

Thanks for any help!


ziegfried
Influencer

Since you seem to already have the SourceIP field extracted, you can simply use it:

host="my host" action="Deny" SourceIP=* | geoip SourceIP

ziegfried
Influencer

What values does this SourceIP field contain? Make sure there is no whitespace around the IP address.

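An added example, not from this thread or from Splunk, that reproduces the two points above in Python instead of SPL: a bare dotted-quad regex picks up whichever IP appears first in the event, while reading the extracted SourceIP value (with surrounding whitespace trimmed and the value validated) gives the address to map. The log lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample firewall deny events. The address to map is SourceIP,
# which is not always the first IP in the line; one value carries stray spaces.
SAMPLE_LOGS = [
    'host=fw1 action=Deny SourceIP=203.0.113.10 DestIP=198.51.100.5 DestPort=445',
    'host=fw1 action=Deny DestIP=198.51.100.5 SourceIP=192.0.2.77 DestPort=22',
    'host=fw1 action=Deny DestIP=10.0.0.8 SourceIP=" 192.0.2.90 " DestPort=3389',
]

# Same idea as rex "(?<ip>\d+\.\d+\.\d+\.\d+)": the first dotted quad anywhere.
FIRST_IP = re.compile(r'(?P<ip>\d+\.\d+\.\d+\.\d+)')
# Same idea as the extracted SourceIP field: the value after the key, quoted or bare.
SOURCE_IP = re.compile(r'SourceIP=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def first_ip(line):
    """Return the first dotted quad in the line, or None (mimics the rex approach)."""
    m = FIRST_IP.search(line)
    return m.group('ip') if m else None


def source_ip(line):
    """Return the SourceIP value with whitespace stripped and checked as a real IP."""
    m = SOURCE_IP.search(line)
    if not m:
        return None
    raw = m.group('quoted') if m.group('quoted') is not None else m.group('bare')
    value = raw.strip()          # whitespace around the value breaks a geoip lookup
    try:
        ip_address(value)        # rejects values like 999.1.1.1 that a regex accepts
    except ValueError:
        return None
    return value


def compare(lines):
    """Pair each line's first-IP guess with its actual SourceIP to expose mismatches."""
    return [(first_ip(line), source_ip(line)) for line in lines]


if __name__ == '__main__':
    for first, src in compare(SAMPLE_LOGS):
        note = '' if first == src else '  <-- first IP is not the source'
        print(f'first={first} SourceIP={src}{note}')
```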

aferone
Builder

Thanks for responding!

Yes, I did try that as well, and I get no results. It doesn't crash or error out, but no results.
