IP2Location Enricher (OBSOLETE)¶

This enricher is obsoleted, please use IPEnricher instead.

IP2Location enriches the event with specified location attributes based on IPV4 or IPV6 value.

Example¶

Declaration¶

---
define:
  name: IP2Location
  type: enricher/ip2location

zones:
  - myLocalZone
  - ip2location
  - ...

attributes:
  ip_addr1:
    country_short: firstCountry
    city: firstCity
    L: firstL
  ip_addr2:
    country_short: secondCountry
    city: secondCity
    L: secondL
  ...

Input¶

Feb 5 10:50:01 0:0:0:0:0:ffff:1f1f:e001 %ASA-1-105043 test

Output¶

{
    'rt': 1580899801.0,
    'msg': 'test',
    'ip_addr1': '0:0:0:0:0:ffff:1f1f:e001',
    'firstCountry': 'CZ',
    'firstCity': 'Brno',
    'firstL': {
        'lat': 49.195220947265625,
        'lon': 16.607959747314453
    }
}

Section `define`¶

This section defines the name and the type of the enricher, which in the case of IP2Location is always enricher/ip2location.

Item `name`¶

Shorter human-readable name of this declaration.

Item `type`¶

The type of this declaration, must be enricher/ip2location. Value enricher/geoip is obsoleted equivalent.

Section `zones`¶

Specify a list of zones (database files or streams), which are going to be used by the enricher. First zone that successfully performs the lookup is used, so order them by priority.

Section `attributes`¶

Specify dictionary with event IPV6 attributes to search the lookup for, such as dvchost. Inside the dictionary, mention fields/attributes from the lookup that are going to be loaded plus the attribute name in the event after it. For example:

  ip_addr1:
    country_short: firstCountry
    city: firstCity
    L: firstL

will search the IP to GEO lookup for IP stored event["ip_addr1"], load country_short, city, L from the lookup (if present) and map them to event["firstCountry"], event["firstCity"], event["firstL"]

Lookup attributes¶

The following lookup attributes, if present in the lookup's zone, may be used for further mapping:

country_short: string
country_long: string
region: string
city: string
isp: string
L: dictionary (includes: lat: float, lon: float)
domain: string
zipcode: string
timezone: string
netspeed: string
idd_code: string
area_code: string
weather_code: string
weather_name: string
mcc: string
mnc: string
mobile_brand: string
elevation: float
usage_type: string

IP2Location Enricher (OBSOLETE)¶

Example¶

Declaration¶

Input¶

Output¶

Section define¶

Item name¶

Item type¶

Section zones¶

Section attributes¶