GeoIP: print country iso_code data in all logs

wcts · September 21, 2023, 11:33am

Hi,

In tests with GeoIP that use libmaxminddb, when using the geoip settings in the rule according to 7.3. IP Keywords — Suricata 6.0.13 documentation blocking can be done using a geoip-database, so far so good.

I would like all logs to report the geolocation of all traffic, regardless of the action (alert, outage,…). Is there any variable in geoip that can be used to inform the country’s iso_code in all logs?

Suricata version: 6.0.13 compiled
OS: Debian

wcts · September 21, 2023, 7:55pm

I known is possible with Logstash using example A sample Logstash configuration for Suricata JSON output. · GitHub, but exist something native in Suricata? Using one formater in some log by example

Jeff_Lucovsky · September 22, 2023, 12:53pm

Hi,

Please submit a feature request for adding a geoip tag to Suricata log records.

Topic		Replies	Views
Custom geoip database problem Rules	1	926	June 26, 2020
When I use Docker to run Suricata, I am unable to turn on geoip Help	4	335	December 21, 2023
How to filter IP-addresses correctly? Help	2	651	May 24, 2022
Need help understanding geo location from Suricata logs Help	1	617	November 27, 2021
Some alerts do not show either Source Geolocation or Destination Geolocation Help suricata	4	520	June 11, 2022

GeoIP: print country iso_code data in all logs

Related topics