Create MaxMind databases for your own needs.
pip install mmdb[cli]
- Query any MaxMind database:
mmdb get <IP> -d <DATABASE>
- Download and build the DB-IP ASN Lite, Country Lite, and City Lite databases:
mmdb dbip-build
- Create an IP database from a CSV file:
mmdb build <CSV>
- Logstash GeoIP Filter Plugin compatibility:
mmdb build <CSV> --lsc
- Additional country data such as is_eu, is_nato, or is_g7:
mmdb build <CSV> -f country
Logstash ships with the GeoIP Filter Plugin which enriches a document with IP GeoData. However, the plugin supports specific MaxMind database types only. As a result, any other database type disables the plugin.
For this reason, the --lsc flag enables Logstash support. Long story short: you get a MaxMind ASN database, but with the IP info as an embedded JSON string within the asn_organization_name field. The Logstash pipeline must load that JSON data and add it to the document, as exemplified below:
filter {
  geoip {
    source => "ip"
    database => "/path/to/my/database.mmdb"
    ecs_compatibility => disabled
    target => "wrapped_ip_data"
  }
  json {
    source => "[wrapped_ip_data][organization_name]"
    target => "myip"
  }
  mutate {
    remove_field => ["wrapped_ip_data"]
  }
}
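The following Python sketch is an added example, not part of the mmdb project or of Logstash. It mimics the three pipeline stages above on constructed events so the unwrap step and its failure cases can be checked offline. The record layout and sample values are assumptions; the failure tags are the Logstash defaults for the geoip and json filters.

```python
import json

# Constructed stand-in for an --lsc database: IP -> ASN-style record whose
# organization field carries the real IP data as a JSON string (assumed layout).
SAMPLE_DB = {
    "192.0.2.10": {"asn": 0, "organization_name": json.dumps(
        {"owner": "lab", "zone": "dmz"})},
    "192.0.2.20": {"asn": 0, "organization_name": "not-json{"},
}


def geoip_stage(event, db, target="wrapped_ip_data"):
    """Mimic the geoip filter: copy the looked-up record under `target`."""
    record = db.get(event.get("ip"))
    if record is None:
        event.setdefault("tags", []).append("_geoip_lookup_failure")
    else:
        event[target] = dict(record)
    return event


def json_stage(event, target="myip"):
    """Mimic the json filter: decode the wrapped string into `target`."""
    raw = event.get("wrapped_ip_data", {}).get("organization_name")
    if raw is None:
        return event  # source field absent: nothing to decode
    try:
        event[target] = json.loads(raw)
    except json.JSONDecodeError:
        event.setdefault("tags", []).append("_jsonparsefailure")
    return event


def mutate_stage(event):
    """Mimic mutate/remove_field: drop the wrapper in every case."""
    event.pop("wrapped_ip_data", None)
    return event


def enrich(ip, db=SAMPLE_DB):
    """Run one event through all three stages, in pipeline order."""
    return mutate_stage(json_stage(geoip_stage({"ip": ip}, db)))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.1"):
        print(enrich(ip))
```

Events that carry a failure tag and no myip field mark addresses the database did not cover or records that were not wrapped as JSON, which is worth alerting on when the enrichment feeds detection rules.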