
Maxmind Plugin

Jacob van Walraven edited this page Feb 28, 2020 · 6 revisions

The maxmind filter plugin inserts geographic information for each IP address found within a generated result. The plugin is capable of adding the coordinates (latitude and longitude), the geohash code, the city name and country name.

Generated fields

If the following structure is found:

{
	"source": {
		"ip": "yyy.yyy.yyy.yyy",
		"port": 48220
	},
	"destination": {
		"ip": "xxx.xxx.xxx.xxx",
		"port": 10050
	}
}

the maxmind plugin will insert the geographic information, and the result becomes:

{
	"source": {
		"ip": "yyy.yyy.yyy.yyy",
		"port": 48220,
		"ip_longitude": 174.767900,
		"ip_latitude": -36.850600,
		"ip_geohash": "rckq2g",
		"ip_geohash_value": 1,
		"ip_city": "Auckland",
		"ip_country": "New Zealand"
	},
	"destination": {
		"ip": "xxx.xxx.xxx.xxx",
		"port": 10050,
		"ip_longitude": 174.767900,
		"ip_latitude": -36.850600,
		"ip_geohash": "rckq2g",
		"ip_geohash_value": 1,
		"ip_city": "Auckland",
		"ip_country": "New Zealand"
	}
}

Configuration example:

  # The maxmind plugin will insert latitude and longitude coordinates for each
  # IP address inserted into a result set.
  maxmind:
    enabled: 0
    # Location of the maxmind database to use. It can be obtained from
    # https://dev.maxmind.com/geoip/geoip2/geolite2/
    database: /etc/bigdata/GeoLite2-City.mmdb
    metrics:
      - coordinates
      - geohash
      - city
      - country

Configuration options

enabled

Used to enable or disable the maxmind plugin (0 disabled, 1 enabled).

database

The location of the maxmind database to query for geolocation information. Freely available databases can be obtained from https://dev.maxmind.com/geoip/geoip2/geolite2/

metrics

The metrics to generate:

  • coordinates - latitude and longitude.
  • geohash - the geohash code for the IP.
  • city - the city the IP address belongs to.
  • country - the country the IP address belongs to.
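
The following Python is an added example, not the plugin's own code: it applies the selected metrics to every "ip" key in a nested result and computes a standard 6-character geohash, which reproduces the "rckq2g" shown for the Auckland coordinates above. The GEO_DB table (standing in for the GeoLite2 lookup), the function names, the documentation-range addresses, leaving unknown addresses untouched, and emitting ip_geohash_value with the geohash metric are all assumptions.

```python
# Added illustration, not the plugin's code. GEO_DB is a constructed stand-in
# for a lookup in the GeoLite2-City database; the addresses are documentation
# ranges and the Auckland values are copied from the sample output above.
GEO_DB = {
    "203.0.113.7": {"longitude": 174.7679, "latitude": -36.8506,
                    "city": "Auckland", "country": "New Zealand"},
}
BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"  # standard geohash alphabet


def geohash(lat, lon, precision=6):
    """Standard geohash: interleave longitude/latitude bisection bits."""
    lat_rng, lon_rng = [-90.0, 90.0], [-180.0, 180.0]
    out, bits, nbits, use_lon = [], 0, 0, True
    while len(out) < precision:
        rng, val = (lon_rng, lon) if use_lon else (lat_rng, lat)
        mid = (rng[0] + rng[1]) / 2
        bit = val >= mid
        rng[0 if bit else 1] = mid        # keep the half that contains val
        bits, nbits, use_lon = (bits << 1) | bit, nbits + 1, not use_lon
        if nbits == 5:                    # 5 bits per base32 character
            out.append(BASE32[bits])
            bits, nbits = 0, 0
    return "".join(out)


def enrich(node, metrics, db=GEO_DB):
    """Add ip_* fields next to every "ip" key in a nested result, in place."""
    if isinstance(node, list):
        for item in node:
            enrich(item, metrics, db)
    elif isinstance(node, dict):
        for value in list(node.values()):
            enrich(value, metrics, db)
        ip = node.get("ip")
        geo = db.get(ip) if isinstance(ip, str) else None
        if geo is None:                   # assumption: unknown IPs stay untouched
            return node
        if "coordinates" in metrics:
            node["ip_longitude"] = geo["longitude"]
            node["ip_latitude"] = geo["latitude"]
        if "geohash" in metrics:
            node["ip_geohash"] = geohash(geo["latitude"], geo["longitude"])
            node["ip_geohash_value"] = 1  # sample output shows 1 (assumed constant)
        if "city" in metrics:
            node["ip_city"] = geo["city"]
        if "country" in metrics:
            node["ip_country"] = geo["country"]
    return node
```

Records whose address is missing from the lookup table, such as private ranges, come back without any ip_* fields here, so downstream queries and dashboards should not assume those keys are always present.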