
question about geoip

Open snaki4 opened this issue 8 years ago • 2 comments

Good morning.

I have installed SELKS and it looks great. However, in the SSH Dashboard the geoip part is taken from the dest_ip info, while src_ip is populated as well, and as per the logstash config the src_ info should be taken into account in the first step. Is there any explanation of that?

Thank you!

snaki4 avatar Jan 17 '17 12:01 snaki4

logstash 5.1 for some reason processes dest_ip before src_ip. Disabling dest_ip -> provides geoip.ip as src_ip instead of dest_ip.

Has anyone seen the same, please?

snaki4 avatar Jan 17 '17 20:01 snaki4

It checks for the dest IP - if it is in the geoip db it will use that - if it is not (internal/private IP) it will try to look up the src GeoIP.

-- Regards, Peter Manev


stamus avatar Jan 19 '17 18:01 stamus
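The dest-first, src-fallback order described in the reply above, written out as a Logstash 5.x filter fragment. This is an added illustration, not the SELKS logstash.conf itself; the `geoip_source` marker field is an assumption added so a dashboard can show which address was actually geolocated.

```logstash
filter {
  # Added example: assumes Suricata EVE events carrying src_ip and dest_ip.
  if [dest_ip] {
    # First attempt: enrich from the destination address.
    geoip {
      source => "dest_ip"
      target => "geoip"
      # default failure tag of the geoip filter; private/RFC1918
      # addresses are not in the GeoLite database and end up here
      tag_on_failure => ["_geoip_lookup_failure"]
    }
  }

  # Fallback: only when dest_ip produced no hit (or was absent).
  if ![geoip][ip] and [src_ip] {
    mutate { remove_tag => ["_geoip_lookup_failure"] }
    geoip {
      source => "src_ip"
      target => "geoip"
      tag_on_failure => ["_geoip_lookup_failure"]
    }
  }

  # Assumed helper field (not in SELKS): records which side was geolocated,
  # so geoip.ip on a dashboard can be read without guessing.
  if [geoip][ip] {
    if [geoip][ip] == [dest_ip] {
      mutate { add_field => { "geoip_source" => "dest_ip" } }
    } else {
      mutate { add_field => { "geoip_source" => "src_ip" } }
    }
  }
}
```

An event between two private addresses will carry `_geoip_lookup_failure` and no `geoip` block at all, which is the case to watch for when a dashboard map looks sparse.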