Displaying pmacct country code on a Kibana 4 map

On the Integration of pmacct with ElasticSearch and Kibana post a user (Xentoo) asked how to display geographic information provided by pmacct on a Kibana 4 map using pmacct-to-elasticsearch.

An experimental feature of p2es called transformations can be used to add a Geo Point field on the basis of the country code provided by pmacct.

pmacct-to-elasticsearch-geoip


A new field can be added using a lookup table having the country code as key and the capital city’s lat/lon as string value:

Example:

{ ...
"Transformations": [
  {
    "Conditions": [ { "src_host_country": "", "__op__": "!=" } ],
    "Actions": [
      {
        "Type": "AddFieldLookup",
        "Name": "location",
        "LookupFieldName": "src_host_country",
        "LookupTableFile": "/etc/p2es/cc_location_map.json"
      }
    ]
  }
]
... }

Where:

src_host_country is the field containing the country code that p2es receives from pmacct;
location is the new geopoint field added by p2es ( "location" : { "type" : "geo_point" } );
/etc/p2es/cc_location_map.json is a file containing the mapping between contry codes and locations (for example the capital city coordinates):

{
  "IT": "41.9,12.56",
  "FR": "48.81,2.48",
  "DE": "52.47,13.62"
  ...
}

This is an example on how to build the cc-lat/lon table using a simple Python script and the OpenGeoCode Countries of the World (COW) database:

# curl  http://opengeocode.org/cude/download.php?file=/home/fashions/public_html/opengeocode.org/download/cow.txt
# python cc-to-latlng.py > /etc/p2es/cc_location_map.json

Another source may be the MaxMind Average Latitude and Longitude for Countries table.

The following two tabs change content below.
Italian, born in 1980, I started working in the IT area in the late '90s; I'm now a system and network administrator with a deep knowledge of the global Internet and its core architectures.

2 Comments

  1. Gugan.K says:

    how do I get the country code of source/destination IP’s. ?. as the print plugin output doesn’t have country code. Is there any way to get it ?.

    output :
    {“etype”: “800”, “bytes”: 1996, “ip_dst”: “10.11.12.13”, “ip_src”: “10.11.12.202”, “port_src”: 22, “port_dst”: 49244, “ip_proto”: “tcp”, “packets”: 11}
    {“etype”: “800”, “bytes”: 60, “ip_dst”: “10.11.12.130”, “ip_src”: “216.58.220.46”, “port_src”: 80, “port_dst”: 54336, “ip_proto”: “tcp”, “packets”: 1}

Leave a Reply