Decoder: Geo IP Parser

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016.
Version 4
 

One of the files available for editing in the Services Config view > Files tab is GeoPrivate.ipl, the Geo IP parser.

GeoPrivate.ipl

The Geo IP parser is a fixed parser that takes IP addresses and converts them to geographical locations.

Note: (In Security Analytics 10.5.2 or later) The GeoMap feature from Google Earth that was used to display some geographical locations has been deprecated.

The geolocation metadata in GeoPrivate.ipl are added for both ip.src and ip.dst. The parser uses two external data files, GeoCity.dat and GeoCountry.dat, both of which are stored in the application directory. There are up to eight metadata items for each IP address, as listed in the table below.

                               
Metadata       Description
city.dst       Destination City
city.src       Source City
country.dst    Destination Country
country.src    Source Country
latdec.dst     Destination Decimal Latitude
latdec.src     Source Decimal Latitude
longdec.dst    Destination Decimal Longitude
longdec.src    Source Decimal Longitude