IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 12:38 pm
by SteveBeauchemin
I have implemented the IIS Dashboard from Nagios Exchange. Posted by former employee.
https://exchange.nagios.org/directory/A ... rd/details
I am not seeing the expected data in the map and wonder if this is for an older version of NLS.
Can someone please see if this needs changes to work properly in the latest NLS?
Also, is there some geo ip thing I need to do to use a newer version? I believe some providers of geoip databases are no longer making updates maybe? Not sure.
Thanks
Steve B
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 1:29 pm
by npolovenko
Hello,
@SteveBeauchemin. Yes, the GeoIP database has been changed. Please find the geoip filter in the elasticsearch settings and add the following line:
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
For example:
geoip {
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
source => "c-ip"
}
Download the newer version of the geoip database from here:
https://geolite.maxmind.com/download/ge ... ity.tar.gz
Extract the GeoLite2-City.mmdb file to the /usr/share/GeoIP/ folder.
If that doesn't work please share the Log Server system profile. It can be gathered under Admin > System > System Status > Download System Profile.
Also, let me know if you can see the geoip field inside the events with the type "IIS_Requests".
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 2:18 pm
by SteveBeauchemin
I updated to the mmdb file. But not seeing any geoip anywhere yet.
I am sending my profile as a PM to @npolovenko
Thanks
Steve B
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 2:39 pm
by npolovenko
@SteveBeauchemin, just to clarify, you're not seeing any new events related to IIS in the events dashboard?
If you delete the filter but leave the input, will you be able to see raw IIS events on the dashboard?
Can you verify that the IIS device is actually sending logs to the log server?
Please include a sample of the log that is being sent.
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 2:42 pm
by SteveBeauchemin
I have a ton of IIS hits. The filter and field extractor works perfectly. The IIS Dashboard is fully populated with lots of data. Just the map is not.
I just have nothing when I search for geoip. No search results.
Steve B
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 2:49 pm
by SteveBeauchemin
Data is there... just no Geo IP data...
NLS-Geo-Debug-01.PNG
Steve B
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 2:58 pm
by SteveBeauchemin
Tons of colors to display for dozens of servers...
NLS-Geo-Debug-02.PNG
The mushrooms finally kicked in.
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 2:59 pm
by npolovenko
@SteveBeauchemin, Please change this block in the filter:
geoip {
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
source => "c-ip"
}
To:
geoip {
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
source => "clientip"
}
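The two replies above both come down to the same check: the geoip filter's `source` must name a field that actually exists on the event by the time the geoip block runs (the IIS extractor in the thread produces `clientip`, so `c-ip` never matches), and the address in that field must be one the GeoLite2 database has a record for (RFC 1918 and other non-public ranges never geolocate). The following Python script is an added example, not code from Nagios Log Server or from either poster: it parses a constructed IIS W3C log sample, applies an assumed `c-ip` to `clientip` rename like the thread's filter, and then models what the geoip filter does with each event, namely a `geoip` object on success or the filter's default `_geoip_lookup_failure` tag when the source field is missing, unparsable, or non-public. The `diagnose` summary is the quick way to tell "wrong field name" from "no public client addresses" before digging through Elasticsearch.

```python
"""Model of how a Logstash geoip filter treats IIS events (added example).

Assumptions: the IIS log below is constructed; RENAMES imitates an IIS field
extractor that turns c-ip into clientip; the failure tag name is the filter's
default `_geoip_lookup_failure`; no real .mmdb lookup is performed.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample of an IIS W3C log; 8.8.8.8 stands in for a public client.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-06-17 15:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-06-17 15:01:09 10.0.0.5 GET /index.html - 80 - 8.8.8.8 Mozilla/5.0 200
2019-06-17 15:01:10 10.0.0.5 GET /login - 80 - 192.168.1.20 Mozilla/5.0 302
"""

# Field renames performed by the (assumed) IIS extractor before geoip runs.
RENAMES = {"c-ip": "clientip"}

FAILURE_TAG = "_geoip_lookup_failure"  # Logstash geoip default tag_on_failure


def parse_iis_w3c(text: str, renames: Dict[str, str] = RENAMES) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into events keyed by the #Fields header."""
    fields: Optional[List[str]] = None
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no event data
        if fields is None:
            raise ValueError("data line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        event = dict(zip(fields, values))
        for old, new in renames.items():
            if old in event:
                event[new] = event.pop(old)
        events.append(event)
    return events


def simulate_geoip(event: Dict[str, object], source: str) -> Dict[str, object]:
    """Apply the geoip filter's decision logic to one event in place."""
    tags = event.setdefault("tags", [])
    raw = event.get(source)
    if raw is None:
        tags.append(FAILURE_TAG)  # source field absent: nothing to look up
        return event
    try:
        addr = ipaddress.ip_address(str(raw))
    except ValueError:
        tags.append(FAILURE_TAG)  # not an IP address at all
        return event
    if not addr.is_global:
        tags.append(FAILURE_TAG)  # GeoLite2 has no records for private/reserved ranges
        return event
    # A real lookup fills country/city/location from the .mmdb; only the IP is
    # recorded here so the example runs without the database.
    event["geoip"] = {"ip": str(addr)}
    return event


def diagnose(log_text: str, source: str) -> Dict[str, int]:
    """Summarise how many events would gain a geoip object for a given source field."""
    summary = {"events": 0, "source_present": 0, "geoip": 0, "lookup_failures": 0}
    for event in parse_iis_w3c(log_text):
        summary["events"] += 1
        if source in event:
            summary["source_present"] += 1
        simulate_geoip(event, source)
        if "geoip" in event:
            summary["geoip"] += 1
        if FAILURE_TAG in event["tags"]:
            summary["lookup_failures"] += 1
    return summary


if __name__ == "__main__":
    for field in ("c-ip", "clientip"):
        print(field, diagnose(SAMPLE_IIS_LOG, field))
```

Run it and compare the two summaries: with `source => "c-ip"` every event fails because the field was renamed away, which is the symptom of a misnamed source; with `source => "clientip"` only the private-address event fails, which is what a healthy filter looks like when some clients are internal. If the `clientip` run still shows zero `geoip` on real data, the remaining suspects are the database path or the address ranges themselves, not the filter block.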
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 3:03 pm
by SteveBeauchemin
Just nothing on the map.
NLS-Geo-Debug-03.PNG
Also - I did already try clientip and c-ip both... But did just now change it again to clientip which I saw in the filter.
Same result, no geoip. Should I be able to search for geoip and get something? I actually get no matching data.
Steve B
Re: IIS Dashboard - need geoip help
Posted: Mon Jun 17, 2019 3:10 pm
by SteveBeauchemin
Maybe I have a config issue...
Looking in elasticsearch log file I have some Java data...
[2019-06-17 15:01:09,204][DEBUG][action.index ] [d7d08025-52f9-44ca-af64-0beca7c2f116] [nagioslogserver][3], node[D02FGccLQRu8Ze4UIGNEFw], [P], s [STARTED]: Failed to execute [index {[nagioslogserver][cf_option][configuration_required], source[{"created":"2019-06-17 15:01:09","created_by":"AVs0eRz9mkiL_tWAkW5m","value":0}]}]
org.elasticsearch.index.mapper.MapperParsingException: failed to parse [created_by]
at org.elasticsearch.index.mapper.core.AbstractFieldMapper.parse(AbstractFieldMapper.java:411)
at org.elasticsearch.index.mapper.object.ObjectMapper.serializeValue(ObjectMapper.java:706)
at org.elasticsearch.index.mapper.object.ObjectMapper.parse(ObjectMapper.java:497)
at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:544)
at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:493)
at org.elasticsearch.index.shard.IndexShard.prepareIndex(IndexShard.java:492)
at org.elasticsearch.action.index.TransportIndexAction.shardOperationOnPrimary(TransportIndexAction.java:192)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase.performOnPrimary(TransportShardReplicationOperationAction.java:574)
at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$PrimaryPhase$1.doRun(TransportShardReplicationOperationAction.java:440)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:36)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NumberFormatException: For input string: "AVs0eRz9mkiL_tWAkW5m"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Long.parseLong(Long.java:589)
at java.lang.Long.parseLong(Long.java:631)
at org.elasticsearch.common.xcontent.support.AbstractXContentParser.longValue(AbstractXContentParser.java:145)
at org.elasticsearch.index.mapper.core.LongFieldMapper.innerParseCreateField(LongFieldMapper.java:288)
at org.elasticsearch.index.mapper.core.NumberFieldMapper.parseCreateField(NumberFieldMapper.java:239)
at org.elasticsearch.index.mapper.core.AbstractFieldMapper.parse(AbstractFieldMapper.java:401)
... 12 more
(Linux 3.10.0-957.10.1.el7.x86_64)nagios@ciulnls01:/var/log/elasticsearch
edited - chopped off next line item...
It is not scrolling.
Does this help or make it more confusing?
Steve B