source / destination ip world map

Possibility to visualize source/destination IPs on a world map to analyze their geographical distribution.

  • andrea consadori
  • Apr 4 2017
  • Shipped
  • Matt Maloney commented
    4 Apr, 2017 08:50pm

    Planned for a future release post 1.2.

  • Guest commented
    4 Apr, 2017 08:50pm

    Hi Matt,

    Along with Bui, I would be interested in any information on mapping an IP to a country name.

    Great work on v. 2.0!

  • Bui Tien commented
    4 Apr, 2017 08:50pm

    Hi Matt,

    Geolocation on graylog2 v2.0 returns results in latitude,longitude format. I want to convert that to a country name for display. How do you do that?

    Thanks.

  • Lennart Koopmann commented
    4 Apr, 2017 08:50pm

    I am happy to announce that this was released in v2.0 yesterday! :) Closing this issue.

  • Guest commented
    4 Apr, 2017 08:50pm

    Map visualisation does not work in latest Graylog beta - see https://github.com/Graylog2/graylog2-server/issues/2113

  • Matt Maloney commented
    4 Apr, 2017 08:50pm

    It's planned for the upcoming 2.0 release. We have an alpha coming out shortly but the GeoIP widget may not make it in until the GA release (this quarter) or shortly thereafter. 

  • andrea consadori commented
    4 Apr, 2017 08:50pm

    Hi Matt, this feature is still not present in 1.3; when will it be released?

  • kea oner commented
    4 Apr, 2017 08:50pm

    Look at this screenshot.

  • kea oner commented
    4 Apr, 2017 08:50pm

    With this configuration in Logstash it works to retrieve the geo information from the IP:


    filter {
      # Pull the first IPv4/IPv6 address out of the raw message into "clientip".
      grok {
        match => { "message" => "%{IP:clientip}" }
      }
      # Look "clientip" up in the local GeoLite City database and write the
      # result (country, city, coordinates, ...) under the "geoip" field.
      geoip {
        source => "clientip"
        target => "geoip"
        database => "/var/opt/gray/logstash/logstash-1.4.2/geodb/GeoLiteCity.dat"
      }
      # The coordinates array comes back as strings; convert to floats so it
      # can be indexed as a geo point.
      mutate {
        convert => [ "[geoip][coordinates]", "float" ]
      }
    }

  • kea oner commented
    4 Apr, 2017 08:50pm

    freegeoip:

    Features

    • Zero maintenance

    The DB object alone can download an IP database file from the internet and service lookups to your program right away. It will auto-update the file in background and always magically work.

    • DevOps friendly

    If you do care about the database and have the commercial version of the MaxMind database, you can update the database file with your program running and the DB object will load it in background. You can focus on your stuff.

    • Extensible

    Besides the database part, the package provides an http.Handler object that you can add to your HTTP server to service IP geolocation lookups with the same simplistic API of freegeoip.net. There's also an interface for crafting your own HTTP responses encoded in any format.


    https://github.com/fiorix/freegeoip

  • kea oner commented
    4 Apr, 2017 08:50pm

    Example: add a converter in the extractor.

    In extractors, add a "geoip" converter with a field for the URL of the GeoIP service API, a field for the return format (json / csv), and fields for the positions used to extract the information. For example: the city in position (4) is written to the "city" Graylog field, and the latitude in position (1) is written to the "lat" Graylog field.

  • kea oner commented
    4 Apr, 2017 08:50pm

    Erratum:

    Online webservice:

    http://ip-api.com/json/208.80.152.201?callback=yourfunction

    http://ip-api.com/csv/208.80.152.201?callback=yourfunction

    http://ip-api.com/xml/208.80.152.201?callback=yourfunction
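The converter sketched in the comments above, written as an added example for this page rather than code from Graylog or from ip-api.com: it takes the body a GeoIP web service returns in the configured return format (json or csv), picks values by 1-based column position for CSV and by key name for JSON, and maps them to named Graylog fields. The sample responses are constructed in the column layout ip-api.com documents for its json and csv endpoints, but the values, the field positions in the mapping and the target field names are assumptions for the example. Two details a practitioner would want handled: the ?callback= URLs above return a JSONP envelope (yourfunction({...});) rather than bare JSON, so it is stripped before parsing, and a response whose status is not "success" adds no fields at all.

```python
import csv
import io
import json
import re
from typing import Dict, List, Tuple

# Constructed sample responses in the layout ip-api.com documents for its json
# and csv endpoints (status, country, countryCode, region, regionName, city,
# zip, lat, lon, timezone, isp, org, as, query); the values are made up.
SAMPLE_JSON = (
    '{"status":"success","country":"United States","countryCode":"US",'
    '"region":"CA","regionName":"California","city":"San Francisco",'
    '"zip":"94105","lat":37.7898,"lon":-122.3942,'
    '"timezone":"America/Los_Angeles","isp":"Example ISP","org":"Example Org",'
    '"as":"AS64496 Example","query":"203.0.113.10"}'
)
# The same document wrapped as JSONP, which is what a ?callback= URL returns.
SAMPLE_JSONP = "yourfunction(" + SAMPLE_JSON + ");"
SAMPLE_CSV = (
    "success,United States,US,CA,California,San Francisco,94105,"
    "37.7898,-122.3942,America/Los_Angeles,Example ISP,Example Org,"
    "AS64496 Example,203.0.113.10\n"
)

# Assumed converter configuration: which response column (1-based) or key
# lands in which Graylog field, and the type the value must convert to.
CSV_MAPPING: List[Tuple[int, str, type]] = [
    (2, "country", str),
    (6, "city", str),
    (8, "lat", float),
    (9, "lon", float),
]
JSON_MAPPING: List[Tuple[str, str, type]] = [
    ("country", "country", str),
    ("city", "city", str),
    ("lat", "lat", float),
    ("lon", "lon", float),
]

# Matches "identifier( ... );" so a JSONP envelope can be unwrapped.
_JSONP = re.compile(r"^\s*[A-Za-z_$][\w$]*\s*\((.*)\)\s*;?\s*$", re.S)


def _coerce(value, target):
    """Return value converted to the target type, or None if it does not convert."""
    try:
        return target(value)
    except (TypeError, ValueError):
        return None


def convert_csv(body: str, mapping=CSV_MAPPING) -> Dict[str, object]:
    """Pick 1-based columns out of a single CSV row into named fields."""
    row = next(csv.reader(io.StringIO(body)), [])
    # First column is the status; emit nothing for a failed lookup.
    if not row or row[0] != "success":
        return {}
    fields: Dict[str, object] = {}
    for position, field, target in mapping:
        if 1 <= position <= len(row):
            value = _coerce(row[position - 1], target)
            if value is not None:
                fields[field] = value
    return fields


def convert_json(body: str, mapping=JSON_MAPPING) -> Dict[str, object]:
    """Pick keys out of a JSON (or JSONP-wrapped) document into named fields."""
    wrapped = _JSONP.match(body)
    if wrapped:
        body = wrapped.group(1)
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    if not isinstance(doc, dict) or doc.get("status") != "success":
        return {}
    fields: Dict[str, object] = {}
    for key, field, target in mapping:
        if key in doc:
            value = _coerce(doc[key], target)
            if value is not None:
                fields[field] = value
    return fields


def convert(body: str, return_format: str) -> Dict[str, object]:
    """Dispatch on the converter's configured return format."""
    if return_format == "json":
        return convert_json(body)
    if return_format == "csv":
        return convert_csv(body)
    raise ValueError("unsupported return format: " + return_format)


if __name__ == "__main__":
    for fmt, body in (("json", SAMPLE_JSON), ("json", SAMPLE_JSONP), ("csv", SAMPLE_CSV)):
        print(fmt, convert(body, fmt))
```

Positions are used only for CSV because a JSON object carries no stable column order; for JSON the mapping names the key instead. Coercing lat/lon to float at the converter is what lets the values be indexed as numbers rather than strings.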

  • Kelvin W commented
    4 Apr, 2017 08:50pm

    This is the one feature that stops us from adopting Graylog.

    The power of seeing data visualised on a map is often underestimated, but Splunk has an amazing feature which allows data to be visualised and broken down on a geographical map. For example, our Firewall Dashboards show the destination for all our inbound traffic; hovering over a country shows a table or pie chart of the type of traffic/applications/threats to that destination, so we can quickly see any illicit or suspicious traffic.

  • Jason Haar commented
    4 Apr, 2017 08:50pm

    Could this be done in conjunction with a  geoip "convertor" in the "extractor" feature?

    I have a lot of "src_ip" and "dst_ip" fields in my syslog data that I'd like to do geoip stuff with - but I can't see how that could be done with syslog Input methods today. I could see easily doing this with (say) apache logfiles via GELF - as graylog-collector/python-gelf could be coded to do the geoip stuff, and add new fields, etc. But doing it within an extractor would mean it could add such fields for *any* data input method - which would be better? (certainly better for me ;-)

    eg: create an extractor that pulls an IPv[46] address out of a record, and then you add a "geoip convertor" to that extractor that will use that address and add (say) lat/long/country fields to the record.
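The extractor-plus-converter flow described in the comment above, and the earlier question about getting a country name as well as coordinates, as an added example written for this page (not Graylog's code and not how Graylog's extractors are implemented): an extractor step pulls the src_ip/dst_ip values out of a syslog line and keeps only those that parse as IPv4 or IPv6, and a converter step does a most-specific-prefix lookup and adds <field>_country, <field>_country_code, <field>_lat and <field>_lon to the record. The prefix table stands in for a GeoIP database and is constructed from documentation ranges with made-up locations; the log lines are constructed too. Private, loopback and link-local addresses are skipped explicitly, since no GeoIP source can place them on a map meaningfully and plotting them just clutters the world view.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed prefix table standing in for a GeoIP database: documentation
# ranges (RFC 5737 / RFC 3849) with made-up locations. A real deployment would
# back this with a MaxMind database or a web service lookup.
GEO_TABLE: List[Tuple[str, Dict[str, object]]] = [
    ("203.0.113.0/24", {"country": "Example Land", "country_code": "XA", "lat": 10.0, "lon": 20.0}),
    ("203.0.113.128/25", {"country": "Example Land", "country_code": "XA", "lat": 11.0, "lon": 21.0}),
    ("198.51.100.0/24", {"country": "Sample State", "country_code": "XB", "lat": -33.9, "lon": 151.2}),
    ("2001:db8::/48", {"country": "Example Land", "country_code": "XA", "lat": 10.0, "lon": 20.0}),
]
_NETWORKS = [(ipaddress.ip_network(prefix), geo) for prefix, geo in GEO_TABLE]

# Addresses never sent to the lookup. Listed explicitly rather than via
# ipaddress.is_global because that property also rejects the documentation
# ranges used in the sample table above.
_SKIP = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed firewall-style syslog lines carrying src_ip/dst_ip pairs.
SAMPLE_LOGS = [
    "<134>Apr  4 20:50:01 fw01 kernel: ACCEPT src_ip=203.0.113.10 dst_ip=10.1.2.3 proto=tcp dpt=443",
    "<134>Apr  4 20:50:02 fw01 kernel: DROP src_ip=198.51.100.77 dst_ip=192.0.2.1 proto=udp dpt=53",
    "<134>Apr  4 20:50:03 fw01 kernel: ACCEPT src_ip=2001:db8::1 dst_ip=2001:db8:1::5 proto=tcp dpt=22",
]

_KV = re.compile(r"\b(src_ip|dst_ip)=([0-9a-fA-F.:]+)")


def extract_ips(line: str) -> Dict[str, str]:
    """Extractor step: src_ip/dst_ip values that parse as an IPv4 or IPv6 address."""
    found: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        try:
            found[key] = str(ipaddress.ip_address(raw))
        except ValueError:
            continue  # looked like an address but is not one; leave the field out
    return found


def lookup(ip: str) -> Optional[Dict[str, object]]:
    """Converter step: most-specific prefix match, or None when the address is
    non-routable or simply absent from the table."""
    addr = ipaddress.ip_address(ip)
    if any(addr.version == net.version and addr in net for net in _SKIP):
        return None
    best: Optional[Tuple[ipaddress._BaseNetwork, Dict[str, object]]] = None
    for net, geo in _NETWORKS:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, geo)
    return dict(best[1]) if best else None


def enrich(line: str) -> Dict[str, object]:
    """Run the extractor, then add <key>_country, <key>_lat, ... for each hit."""
    fields: Dict[str, object] = dict(extract_ips(line))
    for key, ip in list(fields.items()):
        geo = lookup(ip)
        if geo is None:
            continue
        for name, value in geo.items():
            fields[f"{key}_{name}"] = value
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(enrich(line))
```

With this shape the geo fields are attached at ingest, so a dashboard can aggregate on src_ip_country_code or plot src_ip_lat/src_ip_lon regardless of which input the message arrived on, which is the advantage the comment above argues for over doing the lookup in a per-input collector.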

  • Paolo Boni commented
    4 Apr, 2017 08:50pm

    Hi Matt,

    I'm happy to see that this feature will be in the 1.2 release, I really look forward to it. I'm wondering which issue is related to this in the current 1.2.0 release schedule: https://github.com/Graylog2/graylog2-web-interface/milestones/1.2.0

    Thanks