Description
The GeoIP Function enriches events with geographic fields, given an IP address. It is optimized for binary databases such as MaxMind's GeoIP.
For details on setting up MaxMind (and similar) databases, see Managing Large Lookups.
Usage
Filter: Filter expression (JS) that selects data to be fed through the Function. Defaults to true, meaning that all events will be evaluated.
Description: Simple description about this Function. Defaults to empty.
Final: If true, stops data from being fed to the downstream Functions. Defaults to No.
GeoIP file (.mmdb): Path to a MaxMind database, in binary format, with .mmdb extension.
If the database file is located within the lookup directory ($CRIBL_HOME/data/lookups/), the GeoIP file does not need to be an absolute path. In distributed deployments, ensure that the MaxMind database file is in the same location on both the Master and Worker Nodes.
IP field: Field name in which to find an IP to look up. Can be nested. Defaults to ip.
Result field: Field name in which to store the GeoIP lookup results. Defaults to geoip.
Examples
Assume that you are receiving SMTP logs, and need to see geolocation information associated with IPs using the SMTP service.
Here's a sample of our data, from IPSwitch IMail Server logs:
03:19 03:22 SMTPD(00180250) [192.168.1.131] connect 74.136.132.88 port 2539
03:19 03:22 SMTPD(00180250) [74.136.132.88] EHLO msnbc.com
03:19 03:22 SMTPD(00180250) [74.136.132.88] MAIL FROM:<[email protected]>
03:19 03:22 SMTPD(00180250) [74.136.132.88] RCPT To:<[email protected]>
In this example, we’ll chain together three Functions. First, we’ll use a Regex Extract Function to isolate the host’s IP. Next, we’ll use the GeoIP Function to look up the extracted IP against our GeoIP database, placing the returned info into a new __geoip field. Finally, we’ll use an Eval Function to parse that field’s city, state, country, ZIP, latitude, and longitude.
Function 1 – Regex Extract
Regex: \[(?<ip>\S+)\]
Source field: _raw
Result: 74.136.132.88
Function 2 – GeoIP
Event’s IP field: ip
Result field: __geoip
Function 3 – Eval
| Name | Value Expression |
|---|---|
| City | __geoip.city.names.en |
| Country | __geoip.country.names.en |
| Zip | __geoip.postal.code |
| Lat | __geoip.location.latitude |
| Long | __geoip.location.longitude |
In the Eval Function’s Remove fields setting, you could specify the __geoip field for removal, if desired. However, its __ prefix makes it an internal field anyway.
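The three-Function chain above, simulated in plain JavaScript as an added example (not Cribl's own code): the regex, the __geoip result field and the five Eval expressions are taken from this page, while the in-memory lookup table is a constructed stand-in shaped like a MaxMind city record, not a real .mmdb reader. It also shows what happens when an extracted address (such as the private 192.168.1.131 on the first line) has no record.

```javascript
// Added example simulating Regex Extract -> GeoIP -> Eval from the page.
// FAKE_GEOIP_DB is a constructed stand-in with the MaxMind city-record layout;
// the geolocation values are made up for illustration.

// Constructed sample events, taken from the page's IMail Server log excerpt.
const SAMPLE_EVENTS = [
  "03:19 03:22 SMTPD(00180250) [192.168.1.131] connect 74.136.132.88 port 2539",
  "03:19 03:22 SMTPD(00180250) [74.136.132.88] EHLO msnbc.com",
];

const FAKE_GEOIP_DB = {
  "74.136.132.88": {
    city: { names: { en: "Example City" } },
    country: { names: { en: "Example Country" } },
    postal: { code: "00000" },
    location: { latitude: 12.34, longitude: -56.78 },
  },
};

// Function 1 - Regex Extract: pull the bracketed host IP out of _raw into event.ip.
const IP_REGEX = /\[(?<ip>\S+)\]/;
function regexExtract(event) {
  const m = IP_REGEX.exec(event._raw);
  if (m) event.ip = m.groups.ip;
  return event;
}

// Function 2 - GeoIP: look up event.ip and store the record in event.__geoip.
// An address with no record (private ranges, unknown IPs) leaves __geoip unset.
function geoIp(event, db = FAKE_GEOIP_DB) {
  if (event.ip && db[event.ip]) event.__geoip = db[event.ip];
  return event;
}

// Function 3 - Eval: flatten the nested record into the page's five fields.
// Optional chaining keeps the chain from throwing when __geoip is absent.
function evalFields(event) {
  const g = event.__geoip;
  event.City = g?.city?.names?.en;
  event.Country = g?.country?.names?.en;
  event.Zip = g?.postal?.code;
  event.Lat = g?.location?.latitude;
  event.Long = g?.location?.longitude;
  delete event.__geoip; // the "Remove fields" step; __ makes it internal anyway
  return event;
}

function runPipeline(raw) {
  return evalFields(geoIp(regexExtract({ _raw: raw })));
}
```

Running `runPipeline` over each line of SAMPLE_EVENTS yields City/Country/Zip/Lat/Long only for the second event; the first extracts 192.168.1.131, finds no record, and leaves those fields undefined rather than failing.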
For a hosted tutorial on applying the GeoIP Function, see Cribl's GeoIP and Threat Feed Enrichment Sandbox.