ASN details using graylog

Hello Everyone,

We want to see all the details of the visitor’s network details based on their IP address in our graylog dashboard. For instances -

What we already have - nginx logs looks like - using json formatting

{"@timestamp": "2021-03-03T10:14:09+01:00", "remote_addr": "", "remote_user": "", "body_bytes_sent": "0", "request_time": "0.000", "status": "304", "request": "GET /assets/js/bootstrap/bootstrap.bundle.min.js HTTP/1.1", "request_method": "GET", "http_host": "", "http_referrer": "", "http_x_forwarded_for": "", "scheme": "https", "upstream_addr": "", "upstream_status": "", "upstream_response_time": "", "upstream_cache_status": "", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36", "CloudFlare-IPCountry": "", "CloudFlare-Connecting-IP": "", "args": "", "request_uri": "/assets/js/bootstrap/bootstrap.bundle.min.js" }

How logs are currently displayed in Graylog - screenshot of just few fields -

We want to get a new field with visitor network details - for example -

Configurations already done are as follows -

  1. Created cache
  2. Created a data adapter - while giving db file path for ASN
  3. Created a lookup table
  4. Created a pipeline.
  5. Created a pipeline rule

    Rule source -
rule "remote addr who is"
  // Do the lookup and add "Not available" to field remote_addr_whois
  let lookup_result = lowercase(to_string(lookup_value("whois", $message.remote_addr)));
  set_field("remote_addr_whois", lookup_result);

Is there anything missing or incorrect with the approach?

It’s very obvious:

  1. You need to extract as_organization from multi_value output
  2. Use fuction lookup instead of lookup_value as you need multi_value
let lookup_result = lookup("whois", $message.remote_addr);
set_field("remote_addr_whois", lowercase(to_string(lookup_result["as_organization"])));

Thanks for you reply… @shoothub

However, I solved it using nginx geo ip module.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.