Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GeoIP Processor Update #952

Open
waab76 opened this issue Dec 15, 2021 · 0 comments
Open

GeoIP Processor Update #952

waab76 opened this issue Dec 15, 2021 · 0 comments
Assignees
@roberto-graylog
Labels
feature triaged

Comments

@waab76
Copy link
Contributor

waab76 commented Dec 15, 2021
edited

  • Run after Illuminate to ensure IP fields get
  • Look for destination/host/source_ip fields
  • Add tags for internal IPs (192.168 or 10.) but don't do GeoIP lookups
  • Add all geo fields
  • Work with Michael W on geo name logic (because sometimes geo fields like city might be missing)
  • Automagically handle MaxMind or IPInfo databases
  • If AS database present, add AS number and name
  • Make sure in-product docs clarify what fields it looks for

The as fields are {source,host,destination}_as_organization, {}_as_number, {}_geo_coordinates, {}_geo_country, {}_geo_city, {}_geo_country_iso and the derived field {}_geo_name

Right now, {}_geo_name concatenates _geo_city and _geo_country_iso (if both exist) - "City, Country ISO"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@roberto-graylog roberto-graylog

Labels
feature triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@waab76 @roberto-graylog