IIS Dashboard - need geoip help

[SteveBeauchemin]

sorry for the serial posting, but as I dig in I like to keep track of what I have looked at.

I just tried to circumvent the if statement in the filter. Changed the filter to this

Code: Select all

if [tags] == 'IIS_requests' {
  grok {
    match => {"message" => "%{DATESTAMP:timestamp} %{IPORHOST:hostip} %{WORD:method} %{URIPATH:request} (?:%{NOTSPACE:param}|-) %{NUMBER:port} (?:%{USER:username}|-) %{IPORHOST:clientip} (?:%{NOTSPACE:agent}|-) - %{NUMBER:response} %{NUMBER:status} %{NUMBER:substatus} %{NUMBER:timetaken}"}
  }
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
  }
  geoip {
    database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
    source => "clientip"
  }
}

geoip {
  database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
  source => "c-ip"
}

And now I do have geoip data showing up. So something in that filter syntax "if' statement is not cutting it. Does it work for you?

Steve B

[scottwilkerson]

If I had to guess you are running this through another filter first that is splitting the message field into it's parts and that the remaining "message" no longer matches the grok filter.

If the grok doesn't match, then the clientip field would never be set.

I assume this because your screenshot earlier in this thread already has all the message broken up into separate fields

[SteveBeauchemin]

This is my story... I seem to write these small books often...

This entire dashboard is based on the Nagios Exchange NLS/IIS Dashboard post from "Spenser" sp? .
The nxlog setup he provided does split the IIS log into the correct pieces. I am not sure why the if statement in the filter is even there. I don't see that it is required at all. The name:value pair of c-ip:[client IP address] is already created by nxlog.

I was just taking the easy way out and assumed too much. I simply imported and used what was provided. Now that I have had to dig in, I do note some minor inconsistencies (trivial) with the files provided. Not all Panels are defined as the same width. Some are 4 and some are 6. I have changed the order at the bottom to have Log Sources display above Events. For my personal preference it made more sense to put the raw data at the bottom. To me that looks better.

Other than that, my SharePoint Admin is thrilled with this.

To make the mapping work, I needed to add a new geoip data file to the OS.

The only real concern I have is the IIS Dashboard map. I need a 'bettermap' as the default map is not going to give the visibility we need. Almost all the data is in the US. I need to see Where in the US it is. So I am adding bettermap.

But, when adding bettermap, filling in the tooltip field, I noticed that there were no geoip 'city' items to choose from. This may become a nuisance later. I'll reserve judgement until I get the rest of my IP squared away.

My plan is to add my company buildings to the geoip data so we can see where the web communication is coming from. We are using private IP Address space, so the basic geoip database is not going to be good enough. I will have to add my internal IP to the database via some code. I plan to grab the Internal IP location data from the Active Directory - Sites and Services information.

Once I have the private IP spaces working on a map I'll be happy. For now, I'm okay.

Since I am getting the geo data now I think this can be closed.

Thanks

Steve B

[scottwilkerson]

Sounds good Steve!