Source: socprime.com – Author: Oleksandr L
If you are using Logstash and need to enrich event data with geolocation information based on IP addresses, the following filter configuration can help. This setup checks if the source IP is an external IP and applies geolocation enrichment. For internal IPs, geolocation is skipped to optimize processing.
Recommended Logstash Filter for Geolocation Enrichment
if [source][ip] and [source][ip] =~ /d+.d+.d+.d+/ { cidr { add_tag => [ "source_internal" ] address => [ "%{[source][ip]}" ] network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ] } if "source_internal" not in [tags] { geoip { source => "[source][ip]" target => "[source][geo]" tag_on_failure => [ ] } } else { mutate { remove_tag => [ "source_internal" ] } } }
Explanation
- Initial Check for IP Address
The filter first verifies whether the[source][ip]
field exists and matches the format of an IPv4 address. - Internal Network Check with CIDR
- The
cidr
filter checks if the IP belongs to private/internal network ranges (10.0.0.0/8
,172.16.0.0/12
,192.168.0.0/16
). - If the IP matches any of these ranges, the tag
source_internal
is added to the event.
- The
- Geolocation Enrichment
- If the
source_internal
tag is not present, thegeoip
filter is applied to enrich the event with geolocation information. - The enriched data is stored under the
[source][geo]
field.
- If the
- Tag Cleanup
- If the
source_internal
tag was added, it is removed after processing to keep the event clean and avoid unnecessary metadata.
- If the
Benefits
- Efficient Processing: Skipping geolocation enrichment for internal IPs reduces resource consumption and improves Logstash performance.
- Accurate Enrichment: External IPs are enriched with reliable geolocation data, enhancing the value of logged events.
- Scalable Design: The configuration can easily be expanded by modifying the network ranges or adding more conditions.
Example Use Case
Assume you are processing logs from multiple network sources. Internal traffic from your organization’s private networks does not require geolocation enrichment, while external traffic needs to be tagged with location data for analysis and monitoring purposes. This filter simplifies that workflow and optimizes data processing.
By implementing this Logstash configuration, you ensure efficient and targeted geolocation enrichment for your Elasticsearch logs.
Was this article helpful?
Like and share it with your peers.
Related Posts
Original Post URL: https://socprime.com/blog/enhancing-events-with-geolocation-data-in-logstash/
Category & Tags: Blog,Knowledge Bits,Elasticsearch,Logstash – Blog,Knowledge Bits,Elasticsearch,Logstash
Views: 2