GeoIP: print country iso_code data in all logs

wcts · September 21, 2023, 11:33am

Hi,

In tests with GeoIP that use libmaxminddb, when using the geoip settings in the rule according to 7.3. IP Keywords — Suricata 6.0.13 documentation blocking can be done using a geoip-database, so far so good.

I would like all logs to report the geolocation of all traffic, regardless of the action (alert, outage,…). Is there any variable in geoip that can be used to inform the country’s iso_code in all logs?

Suricata version: 6.0.13 compiled
OS: Debian

wcts · September 21, 2023, 7:55pm

I known is possible with Logstash using example A sample Logstash configuration for Suricata JSON output. · GitHub, but exist something native in Suricata? Using one formater in some log by example

Jeff_Lucovsky · September 22, 2023, 12:53pm

Hi,

Please submit a feature request for adding a geoip tag to Suricata log records.

Topic		Replies	Views
Custom geoip database problem Rules	1	813	June 26, 2020
Questions and answers from April 2021's Webinar: An introduction to writing Suricata Rules Rules webinar	3	376	April 22, 2021
Suricata tls-log for analysis async-oneside Help	7	825	November 8, 2023
Analyze Data packet with PythonScript with Lua Rules Help ips , rules , suricata , lua	1	274	August 5, 2023
2 Questions on Suricata (Rules & Vs Zeek) Help	2	876	February 24, 2021

GeoIP: print country iso_code data in all logs

Related Topics