You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@metron.apache.org by Laurens Vets <la...@daemon.be> on 2017/10/05 21:33:03 UTC

Enable geo enrichment

What's the quickest way to enable geo enrichment on a source ip address 
in 0.4.1-release? Is there a simple document somewhere with 
instructions?

Re: Enable geo enrichment

Posted by Kyle Richardson <ky...@gmail.com>.

You could do something like this in your sensor enrichment config:

{ "enrichment": {
  "fieldMap": {
    "stellar": {
      "config": {
        "src_geo": "GEO_GET(ip_src_addr)",
        "dst_geo": "GEO_GET(ip_dst_addr)"
      }
    }
  }
}

You would then just need to update the elasticsearch index template you're
using to include *_geo:<field_name> as part of the dynamic_templates
section so they are properly indexed. For example:

"dynamic_templates": [
  { "geo_location_point": {
    "match": "*_geo:location_point",
    "match_mapping_type": "*",
    "mapping": {
      "type": "geo_point"
    }
  }
]

-Kyle

On Mon, Oct 16, 2017 at 12:14 PM, Laurens Vets <la...@daemon.be> wrote:

> How would you go about getting all geo information with GEO_GET and
> putting it in separate fields? For instance, GEO_GET for "ip := '1.2.3.4'"
> returns:
>
> [Stellar]>>> GEO_GET(if IS_IP(ip) then ip else NULL)
> {country=US, dmaCode=819, city=Mukilteo, postalCode=98275,
> latitude=47.913, location_point=47.913,-122.3042, locID=5804306,
> longitude=-122.3042}
> [Stellar]>>>
>
> How can I map those values to new fields in my events? If that makes
> senses?
>
> On 2017-10-05 14:59, Justin Leet wrote:
>
> There is also a Stellar function for doing geo lookups.
> http://metron.apache.org/current-book/metron-stellar/stellar-common/index.
> html#GEO_GET It'll return a map of the fields when given an IP.
>
> On Thu, Oct 5, 2017 at 5:37 PM, Simon Elliston Ball <
> simon@simonellistonball.com> wrote:
>
>> And incase your install didn't pick up the latest geo database (or you
>> want to update it, the bottom of http://metron.apache.org/cu
>> rrent-book/metron-platform/metron-data-management/index.html gives you
>> the relevant info.
>>
>>
>> On 5 Oct 2017, at 22:36, Simon Elliston Ball <si...@simonellistonball.com>
>> wrote:
>>
>> http://metron.apache.org/current-book/metron-platform/metron
>> -enrichment/index.html
>>
>> Shows you how to configure geo enrichment.
>>
>> Simon
>>
>> On 5 Oct 2017, at 22:33, Laurens Vets <la...@daemon.be> wrote:
>>
>> What's the quickest way to enable geo enrichment on a source ip address
>> in 0.4.1-release? Is there a simple document somewhere with instructions?
>>
>>

Re: Enable geo enrichment

Posted by Laurens Vets <la...@daemon.be>.

How would you go about getting all geo information with GEO_GET and
putting it in separate fields? For instance, GEO_GET for "ip :=
'1.2.3.4'" returns: 

[Stellar]>>> GEO_GET(if IS_IP(ip) then ip else NULL)
{country=US, dmaCode=819, city=Mukilteo, postalCode=98275,
latitude=47.913, location_point=47.913,-122.3042, locID=5804306,
longitude=-122.3042}
[Stellar]>>> 

How can I map those values to new fields in my events? If that makes
senses? 

On 2017-10-05 14:59, Justin Leet wrote:

> There is also a Stellar function for doing geo lookups. http://metron.apache.org/current-book/metron-stellar/stellar-common/index.html#GEO_GET It'll return a map of the fields when given an IP. 
> 
> On Thu, Oct 5, 2017 at 5:37 PM, Simon Elliston Ball <si...@simonellistonball.com> wrote:
> 
> And incase your install didn't pick up the latest geo database (or you want to update it, the bottom of http://metron.apache.org/current-book/metron-platform/metron-data-management/index.html [1] gives you the relevant info.  
> 
> On 5 Oct 2017, at 22:36, Simon Elliston Ball <si...@simonellistonball.com> wrote: 
> 
> http://metron.apache.org/current-book/metron-platform/metron-enrichment/index.html [2] 
> 
> Shows you how to configure geo enrichment.  
> 
> Simon
> 
> On 5 Oct 2017, at 22:33, Laurens Vets <la...@daemon.be> wrote: 
> 
> What's the quickest way to enable geo enrichment on a source ip address in 0.4.1-release? Is there a simple document somewhere with instructions?
 

Links:
------
[1]
http://metron.apache.org/current-book/metron-platform/metron-data-management/index.html
[2]
http://metron.apache.org/current-book/metron-platform/metron-enrichment/index.html

Re: Enable geo enrichment

Posted by Nick Allen <ni...@nickallen.org>.

+1 to using GEO_GET

On Thu, Oct 5, 2017 at 5:59 PM, Justin Leet <ju...@gmail.com> wrote:

> There is also a Stellar function for doing geo lookups.
> http://metron.apache.org/current-book/metron-stellar/stellar-common/index.
> html#GEO_GET It'll return a map of the fields when given an IP.
>
> On Thu, Oct 5, 2017 at 5:37 PM, Simon Elliston Ball <
> simon@simonellistonball.com> wrote:
>
>> And incase your install didn’t pick up the latest geo database (or you
>> want to update it, the bottom of http://metron.apache.org/cu
>> rrent-book/metron-platform/metron-data-management/index.html gives you
>> the relevant info.
>>
>>
>> On 5 Oct 2017, at 22:36, Simon Elliston Ball <si...@simonellistonball.com>
>> wrote:
>>
>> http://metron.apache.org/current-book/metron-platform/metron
>> -enrichment/index.html
>>
>> Shows you how to configure geo enrichment.
>>
>> Simon
>>
>> On 5 Oct 2017, at 22:33, Laurens Vets <la...@daemon.be> wrote:
>>
>> What's the quickest way to enable geo enrichment on a source ip address
>> in 0.4.1-release? Is there a simple document somewhere with instructions?
>>
>>
>>
>>
>

Re: Enable geo enrichment

Posted by Justin Leet <ju...@gmail.com>.

There is also a Stellar function for doing geo lookups.
http://metron.apache.org/current-book/metron-stellar/stellar-common/index.html#GEO_GET
It'll
return a map of the fields when given an IP.

On Thu, Oct 5, 2017 at 5:37 PM, Simon Elliston Ball <
simon@simonellistonball.com> wrote:

> And incase your install didn’t pick up the latest geo database (or you
> want to update it, the bottom of http://metron.apache.org/
> current-book/metron-platform/metron-data-management/index.html gives you
> the relevant info.
>
>
> On 5 Oct 2017, at 22:36, Simon Elliston Ball <si...@simonellistonball.com>
> wrote:
>
> http://metron.apache.org/current-book/metron-platform/
> metron-enrichment/index.html
>
> Shows you how to configure geo enrichment.
>
> Simon
>
> On 5 Oct 2017, at 22:33, Laurens Vets <la...@daemon.be> wrote:
>
> What's the quickest way to enable geo enrichment on a source ip address in
> 0.4.1-release? Is there a simple document somewhere with instructions?
>
>
>
>

Re: Enable geo enrichment

Posted by Simon Elliston Ball <si...@simonellistonball.com>.

And incase your install didn’t pick up the latest geo database (or you want to update it, the bottom of http://metron.apache.org/current-book/metron-platform/metron-data-management/index.html <http://metron.apache.org/current-book/metron-platform/metron-data-management/index.html> gives you the relevant info. 

> On 5 Oct 2017, at 22:36, Simon Elliston Ball <si...@simonellistonball.com> wrote:
> 
> http://metron.apache.org/current-book/metron-platform/metron-enrichment/index.html <http://metron.apache.org/current-book/metron-platform/metron-enrichment/index.html>
> 
> Shows you how to configure geo enrichment. 
> 
> Simon
> 
>> On 5 Oct 2017, at 22:33, Laurens Vets <laurens@daemon.be <ma...@daemon.be>> wrote:
>> 
>> What's the quickest way to enable geo enrichment on a source ip address in 0.4.1-release? Is there a simple document somewhere with instructions?
>

Re: Enable geo enrichment

Posted by Simon Elliston Ball <si...@simonellistonball.com>.

http://metron.apache.org/current-book/metron-platform/metron-enrichment/index.html <http://metron.apache.org/current-book/metron-platform/metron-enrichment/index.html>

Shows you how to configure geo enrichment. 

Simon

> On 5 Oct 2017, at 22:33, Laurens Vets <la...@daemon.be> wrote:
> 
> What's the quickest way to enable geo enrichment on a source ip address in 0.4.1-release? Is there a simple document somewhere with instructions?