IIS Dashboard - need geoip help

[SteveBeauchemin]

I have implemented the IIS Dashboard from Nagios Exchange. Posted by former employee.
https://exchange.nagios.org/directory/A ... rd/details
I am not seeing the expected data in the map and wonder if this is for an older version of NLS.

Can someone please see if this needs changes to work properly in the latest NLS?

Also, is there some geo ip thing I need to to do use a newer version? I believe some providers of geoip databases are no longer making updates maybe? Not sure.

Thanks

Steve B

[npolovenko]

Hello, @SteveBeauchemin. Yes, the GeoIP database has been changed. Please find the geoip filter in the elasticsearch settings and add the following line:

Code: Select all

database => "/usr/share/GeoIP/GeoLite2-City.mmdb"

For example:

Code: Select all

geoip {
    database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
    source => "c-ip"
  }    

Download the newer version of the geoip database from here:
https://geolite.maxmind.com/download/ge ... ity.tar.gz
Extract the GeoLite2-City.mmdb file to the /usr/share/GeoIP/ folder.

If that doesn't work please share the Log Server system profile. It can be gathered under Admin > System > System Status > Download System Profile.

Also, let me know if you can see the geoip field inside the events with the type "IIS_Requests".

[SteveBeauchemin]

I updated to the mmdb file. But not seeing any geoip anywhere yet.

I am sending my profile as a PM to @npolovenko

Thanks

Steve B

[npolovenko]

@SteveBeauchemin, Just to clarify, you're not seeing any new events related to IIS in the events dashboard?
If you delete the filter but leave the input, will you be able to see raw IIS events on the dashboard?
Can you verify that the IIS device is actually sending logs to the log server?
Please include a sample of the log that is being sent.

[SteveBeauchemin]

I have a ton of IIS hits. The filter and field extractor works perfectly. The IIS Dashboard is fully populated with lots of data. Just the map is not.

I just have nothing when I search for geoip. No search results.

Steve B

[SteveBeauchemin]

Data is there... just no Geo IP data...

NLS-Geo-Debug-01.PNG

Steve B

[SteveBeauchemin]

Tons of colors to display for dozens of servers...

NLS-Geo-Debug-02.PNG

The mushrooms finally kicked in.

[npolovenko]

@SteveBeauchemin, Please change this block in the filter:

Code: Select all

geoip {
    database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
    source => "c-ip"
  } 

To:

Code: Select all

geoip {
    database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
    source => "clientip"
  } 

[SteveBeauchemin]

just nothing on the Map.

NLS-Geo-Debug-03.PNG

Also - I did already try clientip and c-ip both... But did just now change it again to clientip which I saw in the filter.

Same result. no geoip. Should I be able to search for geoip and get something? I actually get no matching data.

Steve B

[SteveBeauchemin]

maybe I have a config issue...

Looking in elasticsearch log file I have some Java data...

Code: Select all

[2019-06-17 15:01:09,204][DEBUG][action.index             ] [d7d08025-52f9-44ca-af64-0beca7c2f116] [nagioslogserver][3], node[D02FGccLQRu8Ze4UIGNEFw], [P], s        [STARTED]: Failed to execute [index {[nagioslogserver][cf_option][configuration_required], source[{"created":"2019-06-17 15:01:09","created_by":"AVs0eRz9mkiL        _tWAkW5m","value":0}]}]
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [created_by]
        at org.elasticsearch.index.mapper.core.AbstractFieldMapper.parse(AbstractFieldMapper.java:411)
        at org.elasticsearch.index.mapper.object.ObjectMapper.serializeValue(ObjectMapper.java:706)
        at org.elasticsearch.index.mapper.object.ObjectMapper.parse(ObjectMapper.java:497)
        at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:544)
        at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:493)
        at org.elasticsearch.index.shard.IndexShard.prepareIndex(IndexShard.java:492)
        at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:192)
        at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase.performOnPrimary(TransportShardReplicationOpera        tionAction.java:574)
        at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase$1.doRun(TransportShardReplicationOperationActio        n.java:440)
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:36)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NumberFormatException: For input string: "AVs0eRz9mkiL_tWAkW5m"
        at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
        at java.lang.Long.parseLong(Long.java:589)
        at java.lang.Long.parseLong(Long.java:631)
        at org.elasticsearch.common.xcontent.support.AbstractXContentParser.longValue(AbstractXContentParser.java:145)
        at org.elasticsearch.index.mapper.core.LongFieldMapper.innerParseCreateField(LongFieldMapper.java:288)
        at org.elasticsearch.index.mapper.core.NumberFieldMapper.parseCreateField(NumberFieldMapper.java:239)
        at org.elasticsearch.index.mapper.core.AbstractFieldMapper.parse(AbstractFieldMapper.java:401)
        ... 12 more
(Linux 3.10.0-957.10.1.el7.x86_64)nagios@ciulnls01:/var/log/elasticsearch
edited - chopped off next line item...

It is not scrolling.

Does this help or make it more confusing.

Steve B