In this use case, we will extract geographic information from log records of communication devices that protect us from attacks and we will represent it in a map.
This is a somewhat obfuscated real record:
Aug 14 12:02:45 XXXX_F5_DMZXX err dcc[11457]: 9999999999:9: [SECEV] Request blocked, violations: Web scraping detected. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: N/A. Virus name: N/A. Support id: 99999999999999999, source ip: 999.999.999.999, xff ip: N/A, source port: 99999, destination ip: 999.999.999.999, destination port: 999, route_domain: 200, HTTP classifier: /Common/www.xxxxxxxxx.yy.http, scheme HTTPS, geographic location: <RU>, request: <GET /ns/xxxxxx.yyy?id_seccion=9999 HTTP/1.1\r\nContent-Length: 0\r\nCookie: XXXXXXXX_XXXXXXXXX=d8b78f937f6f9d569cda500fd5cae49>, username: <8117.1533970714@MAILCATCH.COM>, session_id: <d9ba5ea0f4e98df0>
To do this we must configure these two characteristics in the log source:
Extended Fields
It is a way to extract values from a field in the log record by means of a regular expression. We are going to extract the source IP and put it in the “Source IP” field:
Base Field: Message
Example Content: Whatever
Extended Field Extraction Expression: source ip:?\s{Source IP:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}}
Enabled: true
Field Enrichment
It is about obtaining geographic information from the origin ip that we have obtained before.
Wait 5 minutes or so and you will start to see records on the map:
If you select a continent and zoom (+) you can see by countries:
Enjoy 😉
approaching off the bow 