ASN lookup table

dmayan · February 15, 2019, 2:58pm

Hi,

How can I made Graylog to lookup ASN numbers on an IP field.
I can use GeoIP cities database to get cities and country codes, but, is there a way to use the Maxminds ASN database on Graylog?

Any help would be greatly appreciated. Sorry for poor english,

Diego

benvanstaveren · February 17, 2019, 11:11am

It can’t handle it directly I think, but what you can do is write a little webservice that uses the ASN database that can be called with, say, https://mytinyservice.somewhere.com/ip/1.2.3.4 and it will return the ASN from that, then set up a data adapter in graylog (HTTP JSONpath) that calls that service and retrieves the ASN from the response, then set up a lookup table using that data adapter and a cache of your choice to provide the functionality

dmayan · February 18, 2019, 12:51pm

Thanks for your reply!! I will try to do it and post again if it worked, My concern is that I have in excess of 3000 qps, so it will be welcome to do it via a stored file.

thanks again!

benvanstaveren · February 18, 2019, 7:15pm

Well, a lookup table (even via JSONpath) in Graylog can cache results, so if you are willing to have relatively long cache life (14 days, give or take, since IP ranges don’t really get reassigned that often anymore) you only have to survive the first hour or so

You did give me an idea so I may do up a proof of concept app and see how fast it is, see if it’s viable

dmayan · February 21, 2019, 1:16pm

Hi Ben,

I wrote a small api in php that reads from a MySQL instance loaded with data from https://iptoasn.com. I connected Graylog to the API via HTTP JSON Path.

I update the database once a day with the CSV files. It works perfectly. The cache stabilized around 1.4M entries, with 1 day TTL. Please tell me if you need more info!

Thanks!

benvanstaveren · February 21, 2019, 2:37pm

Excellent, I got something similar going as well so… looks like it all worked out

dmayan · February 21, 2019, 2:53pm

Yeah. It would be nice if Graylog could do the SQL query itself, for the lookup, so I can bypass the intermediarys.

Maybe a SQL query data adapter?

jan · February 21, 2019, 2:54pm

feel free to create one!

benvanstaveren · February 21, 2019, 2:59pm

@dmayan what @jan said My Java skills are not up to the task I actually prefer the intermediary step since we have other services that require a variety of lookups so we integrated all of that into some webapps running in our Nomad cluster so it’s easy enough

dmayan · February 27, 2019, 12:45pm

Any tip to create one? My programmer skills are not up to date, but I will do my best.

Thanks!

system · March 13, 2019, 12:50pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog ASN lookup Graylog Central (peer support)	4	1051	October 31, 2017
MaxMind ISP databases Development	5	700	April 27, 2022
Lookup table using data stored in MySQL? Graylog Central (peer support)	2	696	March 18, 2021
Large Lookup tables OK? Graylog Central (peer support)	2	359	December 24, 2017
Geolocation / GeoIP confusion on 3.x Graylog Central (peer support)	2	1090	July 1, 2019

ASN lookup table

Related topics