The GeoIP Function enriches events with geographic fields, given an IP address. It is optimized for binary databases such as MaxMind's GeoIP.
For details on setting up MaxMind (and similar) databases, see Managing Large Lookups.
Filter: Filter expression (JS) that selects data to be fed through the Function. Defaults to true, meaning that all events will be evaluated.
Description: Simple description about this Function. Defaults to empty.
Final: If true, stops data from being fed to the downstream Functions. Defaults to
GeoIP file (.mmdb): Path to a Maxmind database, in binary format, with
If the database file is located within the lookup directory ($CRIBL_HOME/data/lookups/), the GeoIP file does not need to be an absolute path.
In distributed deployments, ensure that the Maxmind database file is in the same location on both the Master and Worker Nodes.
IP field: Field name in which to find an IP to look up. Can be nested. Defaults to
Result field: Field name in which to store the GeoIP lookup results. Defaults to
Assume that you are receiving SMTP logs, and need to see geolocation information associated with IPs using the SMTP service.
Here's a sample of our data, from IPSwitch IMail Server logs:
03:19 03:22 SMTPD(00180250) [192.168.1.131] connect 188.8.131.52 port 2539
03:19 03:22 SMTPD(00180250) [184.108.40.206] EHLO msnbc.com
03:19 03:22 SMTPD(00180250) [220.127.116.11] MAIL FROM:<[email protected]>
03:19 03:22 SMTPD(00180250) [18.104.22.168] RCPT To:<[email protected]>
In this example, we’ll chain together three Functions. First, we’ll use a Regex Extract Function to isolate the host’s IP. Next, we’ll use the GeoIP Function to look up the extracted IP against our GeoIP database, placing the returned info into a new __geoip field. Finally, we’ll use an Eval Function to parse that field’s city, state, country, ZIP, latitude, and longitude.
Event’s IP field:
In the Eval Function’s Remove fields setting, you could specify the __geoip field for removal, if desired. However, its __ prefix makes it an internal field anyway.
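The three-Function chain described above, worked through as plain Node.js. This is an added illustration, not Cribl's runtime or MaxMind's reader: the .mmdb database is stood in for by GEO_TABLE, a constructed in-memory map with made-up geographic values, and the bracketed address in each SMTPD line is assumed to be the host IP to look up.

```javascript
// Added illustration of the Regex Extract -> GeoIP -> Eval chain in plain Node.js.
// Not Cribl's runtime or MaxMind's reader: the .mmdb database is replaced by
// GEO_TABLE, a constructed in-memory map with made-up geographic values.
const GEO_TABLE = {
  '184.108.40.206': { city: 'Springfield', state: 'IL', country: 'US', zip: '62701', lat: 39.78, lon: -89.65 },
};

// Stage 1 (Regex Extract): capture the bracketed address into `host_ip` (assumed host IP).
const HOST_IP_RE = /SMTPD\(\w+\) \[(?<host_ip>(?:\d{1,3}\.){3}\d{1,3})\]/;
function regexExtract(event) {
  const m = HOST_IP_RE.exec(event._raw);
  return m ? { ...event, host_ip: m.groups.host_ip } : event;
}

// Resolve a possibly nested field name such as 'src.ip' (the IP field "can be nested").
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Stage 2 (GeoIP): look up the IP field; on a miss the event passes through unchanged.
function geoip(event, ipField = 'host_ip', resultField = '__geoip') {
  const hit = GEO_TABLE[getPath(event, ipField)];
  return hit ? { ...event, [resultField]: hit } : event;
}

// Stage 3 (Eval): promote the fields of interest and remove the internal __geoip field.
function evalFlatten(event) {
  const { __geoip: g, ...rest } = event;
  if (!g) return event;
  return { ...rest, city: g.city, state: g.state, country: g.country, zip: g.zip, lat: g.lat, lon: g.lon };
}

function pipeline(rawLine) {
  return evalFlatten(geoip(regexExtract({ _raw: rawLine })));
}

// Two lines from the sample above: a private source the table does not know
// (no enrichment, event still emitted) and a public source that it does.
const SAMPLES = [
  '03:19 03:22 SMTPD(00180250) [192.168.1.131] connect 188.8.131.52 port 2539',
  '03:19 03:22 SMTPD(00180250) [184.108.40.206] EHLO msnbc.com',
];

for (const line of SAMPLES) console.log(JSON.stringify(pipeline(line)));
```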
For a hosted tutorial on applying the GeoIP Function, see Cribl's GeoIP and Threat Feed Enrichment Sandbox.