Decoder: GeoIP2 and GeoIP Parsers

Document created by RSA Information Design and Development on Sep 13, 2017. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 8

This topic describes the GeoIP2 and GeoIP parsers for Decoders. You can enable only one of these parsers at any given time. Both parsers convert IP addresses into geographic locations, such as the country name and city where the IP address is typically found.

GeoIP2 Parser

Available in NetWitness Platform version 11.2 or later, the GeoIP2 parser is enabled by default for upgrades and new installations. The GeoIP2 parser provides the latest MaxMind GeoIP package and supports IPv6 addresses as well as IPv4.

To edit the GeoIP2 parser configuration:

  1. Go to ADMIN > Services.
  2. In the Administration services view, select a Log Decoder or a Decoder.
  3. Click the settings icon and select View > Config. The Parsers Configuration panel is displayed, from which you can select GeoIP2 to view and update configuration options.

You can define which IP addresses to look up. The GeoIP2 parser enables the following IP addresses by default: ip.src, ip.dst, ipv6.src, and ipv6.dst. You can, however, use parsers.options to remove or add IP addresses. For example, you can edit parsers.options and pass a comma-separated list of IP addresses to use as follows:
This adds a new IP address to look up, called ip.addr. However, because ip.addr does not end in .src or .dst, the parser places the GeoIP2 metadata it generates in metadata without a .src or .dst suffix. So, you would see country, city, and so on, after the ip.addr metadata.

Note: The list you pass for ip.addr replaces the default list. So, if you pass ipaddr=ip.src, it will only generate GeoIP2 metadata for ip.src and no other IP addresses.

Note: parsers.options is used for passing options to multiple parsers. So if you add GeoIP2 to it, you should not delete any other options being passed to other parsers (like Entropy).
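
The lookup-list and suffix rules above can be modelled in a few lines to predict which meta keys a given ipaddr value will produce before you change a Decoder. This is an added illustration, not NetWitness code: the function names are hypothetical, the option is assumed to have the ipaddr=<list> form shown in the note above, and the field list is the "Enabled by Default" column of the table on this page.

```python
# Illustrative model of the rules described on this page; not NetWitness code.
DEFAULT_IP_KEYS = ("ip.src", "ip.dst", "ipv6.src", "ipv6.dst")  # defaults named on this page
DEFAULT_FIELDS = ("country", "domain", "org")  # "Enabled by Default" column of the page's table


def parse_ipaddr_option(option=None):
    """Return the IP meta keys to look up for an 'ipaddr=a,b,c' option value.

    The passed list replaces the defaults; it is not appended to them.
    Rejecting malformed or empty values is this model's choice (assumption).
    """
    if not option:
        return list(DEFAULT_IP_KEYS)
    name, sep, value = option.partition("=")
    if name.strip() != "ipaddr" or not sep:
        raise ValueError(f"expected 'ipaddr=<list>', got {option!r}")
    keys = [k.strip() for k in value.split(",") if k.strip()]
    if not keys:
        raise ValueError("ipaddr list is empty")
    return keys


def geo_meta_for(ip_key, fields=DEFAULT_FIELDS):
    """Meta keys generated for one IP key: the IP key's .src/.dst suffix carries over."""
    suffix = next((s for s in (".src", ".dst") if ip_key.endswith(s)), "")
    return [field + suffix for field in fields]


def expected_meta(option=None, fields=DEFAULT_FIELDS):
    """Map each looked-up IP key to the GeoIP2 meta keys it would produce."""
    return {key: geo_meta_for(key, fields) for key in parse_ipaddr_option(option)}


if __name__ == "__main__":
    # Constructed sample option values.
    samples = (None, "ipaddr=ip.src", "ipaddr=ip.src,ip.dst,ipv6.src,ipv6.dst,ip.addr")
    for opt in samples:
        print(opt or "(defaults)")
        for ip_key, meta in expected_meta(opt).items():
            print(f"  {ip_key:9} -> {', '.join(meta)}")
```

Pass a different fields tuple to see the effect of enabling the metadata that is not enabled by default.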

The following table provides the full list of metadata that the GeoIP2 parser can potentially generate and indicates which metadata is or is not enabled by default:

Enabled by Default | Not Enabled
country, country.src, country.dst | latdec, latdec.src, latdec.dst
 | longdec, longdec.src, longdec.dst
domain, domain.src, domain.dst | isp, isp.src, isp.dst
org, org.src, org.dst | city, city.src, city.dst

You can enable the other metadata using the standard parser configurations.

Note: By disabling some metadata by default, the GeoIP2 parser does not work the same as the GeoIP parser (which did not, by default, disable any metadata it generated). If you have a need for any of the disabled metadata, then you will need to enable them (once only) for each Decoder, after upgrading to 11.2 or later. Keep in mind that the isp and org meta fields usually produce an equivalent value to domain.

GeoIP Parser

The GeoIP parser is an older parser available in previous versions of NetWitness Platform, but it is still supported in addition to the newer GeoIP2 parser. To modify the parser configuration, users can edit the parser options from here: Services Config view > Files > GeoPrivate.ipl.

The geolocation metadata in GeoPrivate.ipl are added for both ip.src and ip.dst. The parser uses two external data files, GeoCity.dat and GeoCountry.dat, which are both stored in the application directory. There are up to eight metadata for each IP address as listed in the table below.

city.dst Destination City
city.src Source City
country.dst Destination Country
country.src Source Country
latdec.dst Destination Decimal Latitude
latdec.src Source Decimal Latitude
longdec.dst Destination Decimal Longitude
longdec.src Source Decimal Longitude