Dears,
Not working well:
Trying to make it work with the modsecurity app ....
source="www-access_log" | geoip clientip
Traceback (most recent call last):
File "/opt/splunk/etc/apps/maps/bin/geoipcmd.py", line 59, in
preprocess_row=preprocess)
File "/opt/splunk/etc/apps/maps/bin/geoip.py", line 199, in process_csv_stream
ip = row[ip_field]
KeyError: 'clientip'
Any ideas ?
Seems to be a problem with GoogleMaps ....
Thx
Disabling the command isn't going to make it work.
Run a search like this:
source="*www-access_log*"
and see if there is a field containing the client's ip. Then use that field name in the geoip call.
If there's no field yet, post some sample events and we'll help you extract the field.
On GoogleMaps/Settings, I have disabled the geoip command.
When running modsecurity/dashboard I do not get the error anymore, only "geoip not found".
Thx
I have re installed everything, same problem ...
What am I supposed to do now ?
Do I have to open a ticket somewhere ??
Thx for your help.
Yup, that error message supports my guess that geoip is looking for a field called clientip but can't find one.
Dear both,
Please have a look at this snapshot:
https://drive.google.com/file/d/0BxTKjXaz-ROBdVdPNTN1TjNrNm8/edit?usp=sharing (dl the document to see it)
It seems to be a problem with interaction between modsecurity and Googlemaps ....
As I said, I don't know what those two apps are doing .... The search source="www-access_log" gives me nothing ...
Thx
Can you provide a sample of the log:
source="www-access_log"
As Martin stated, you would need a field called clientip. If you don't have one, simply use rex or the other UI methods to extract this field at search time. Then your geoip command will work.
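To make the answers above concrete, here is an added Python example (not from this thread, and not code from the Splunk maps or modsecurity apps) that mimics the lookup the traceback points at, `ip = row[ip_field]`, and shows why it raises `KeyError: 'clientip'` until a search-time extraction supplies the field. The log lines, the regular expression and the coordinate table are constructed for the example; the real command reads a GeoIP database. The SPL equivalent of the extraction step is assumed to be `source="www-access_log" | rex field=_raw "^(?<clientip>\d{1,3}(?:\.\d{1,3}){3})\s" | geoip clientip`.

```python
import re

# Constructed sample events in Apache combined log format; not events from the thread.
SAMPLE_EVENTS = [
    '203.0.113.7 - - [24/Mar/2014:16:54:23 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.42 - - [24/Mar/2014:16:55:01 +0200] "POST /login HTTP/1.1" 403 512 "-" "curl/7.35"',
    'Mar 24 16:56:00 web1 modsecurity: some line with no leading address',
]

# Constructed stand-in for the GeoIP database (documentation ranges, made-up coordinates).
FAKE_GEO_DB = {
    "203.0.113.7": {"lat": 51.5, "lon": -0.1},
    "198.51.100.42": {"lat": 48.9, "lon": 2.4},
}

# Search-time extraction; equivalent to
#   | rex field=_raw "^(?<clientip>\d{1,3}(?:\.\d{1,3}){3})\s"
CLIENTIP_RE = re.compile(r"^(?P<clientip>\d{1,3}(?:\.\d{1,3}){3})\s")


def to_row(raw):
    """Turn a raw event into a result row carrying only the default _raw field."""
    return {"_raw": raw}


def extract_clientip(row):
    """Add a clientip field when the event starts with a dotted-quad address."""
    m = CLIENTIP_RE.match(row["_raw"])
    if m:
        row["clientip"] = m.group("clientip")
    return row


def field_coverage(rows, field):
    """Count rows that carry the field (what '| stats count(clientip)' reports)."""
    return sum(1 for r in rows if field in r)


def geoip_strict(rows, ip_field="clientip"):
    """Behave like the command in the traceback: row[ip_field] raises KeyError if the field is absent."""
    out = []
    for row in rows:
        ip = row[ip_field]  # KeyError: 'clientip' when the field was never extracted
        out.append(dict(row, **FAKE_GEO_DB.get(ip, {"lat": None, "lon": None})))
    return out


def geoip_lenient(rows, ip_field="clientip"):
    """Hardened variant: skip rows without the field and report how many were skipped."""
    out, skipped = [], 0
    for row in rows:
        ip = row.get(ip_field)
        if ip is None:
            skipped += 1
            continue
        out.append(dict(row, **FAKE_GEO_DB.get(ip, {"lat": None, "lon": None})))
    return out, skipped


def demo():
    """Reproduce the failure on unextracted rows, then the fix after extraction."""
    raw_rows = [to_row(e) for e in SAMPLE_EVENTS]
    try:
        geoip_strict(raw_rows)
        failed = None
    except KeyError as e:
        failed = e.args[0]
    extracted = [extract_clientip(to_row(e)) for e in SAMPLE_EVENTS]
    located, skipped = geoip_lenient(extracted)
    return {
        "error_without_extraction": failed,
        "events_with_clientip": field_coverage(extracted, "clientip"),
        "located": len(located),
        "skipped": skipped,
    }


if __name__ == "__main__":
    print(demo())
```

The `field_coverage` check is the diagnostic the replies ask for: run the base search, confirm how many events actually carry the field, and only then pass it to geoip. The lenient variant shows the behaviour you would want from the command itself when some events (here the modsecurity-style line) do not match the extraction.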
Hum, please don't shoot me ....
But I am a bit lost ..... Where should this "clientip" field be ?
As I said, modsecurity is transparent for me, I do not know what it is doing ....
Is it a problem with the config of my splunkforwarder (inputs)?
Thx for your help.
There you go then, geoip is failing as documented in the error message. If it's supposed to translate a field called clientip into a geolocation but that field does not exist - what is it supposed to do?
I do not see any field called "clientip" ....
I have found other error messages:
03-24-2014 16:54:23.679 +0200 ERROR TailingProcessor - Ignoring path="/var/log/apache2/modsec_audit.log" due to: Bug: tried to check/configure STData processing but have no pending metadata.
....
That URL gives me a 403.
I'm asking about whether your source events have a field called clientip because not having that field produces the same KeyError from geoip.
I have this error when I am trying to use the app "modsecurity".
I don't know what the app "modsecurity" is doing exactly.
When I click on Dashboard, I have 423 events and at the top of the splunk web page I have all these error messages in red.
please have a look:
https://drive.google.com/file/d/0BxTKjXaz-ROBdVdPNTN1TjNrNm8/edit?usp=sharing
Thx
You're asking the geoip command to guess location data based on the field clientip. I'm wondering if the events you're giving to geoip, ie the results from your search source="www-access_log", actually have a field by that name.
Sorry but can you be a bit more precise ?
What event are you referring to ?
Thx
Do your events have a field called clientip?