GeoIP2 Parsers

This topic describes the GeoIP2 parser for Decoders. This parser converts IP addresses into geographic locations, such as the country name and city where the IP address is typically found.

Note: In version 11.3 and later, the native GeoIP2 parser replaces the GeoIP parser (which has been permanently removed). The GeoIP2 parser provides the same basic functionality as the GeoIP parser as well as many enhancements. For example, it converts IP addresses into geographic locations, provides the latest Maxmind GeoIP package, and supports IPv6 addresses as well as IPv4.

Available in NetWitness version 11.2 or later, the GeoIP2 parser is enabled by default for both upgrades and new installations.

To edit the GeoIP2 parser configuration:

  1. Go to Admin > Services.
  2. In the Administration services view, select a Log Decoder or a Decoder.
  3. Click the settings icon and select View > Config. In the Parsers Configuration panel, select GeoIP2 to view and update configuration options.
  4. Define the IP addresses to look up. The GeoIP2 parser looks up the following meta keys by default: ip.src, ip.dst, ipv6.src, and ipv6.dst. You can remove or add lookup keys through parsers.options. For example, edit parsers.options and pass a comma-separated list of meta keys as follows:
    GeoIP2="ipaddr=ip.src,ip.dst,ipv6.src,ipv6.dst,alias.ip"
    This adds a new lookup key called alias.ip. However, because alias.ip does not end in .src or .dst, the parser places the GeoIP2 metadata it generates in meta keys without a .src or .dst suffix. So you would see country, domain, org, and so on, following the alias.ip metadata.
  5. In the left panel, right-click parsers and click Properties. In the drop-down menu, select reload and then click Send.

Note: The list you pass for ipaddr replaces the default list; it is not merged with it. So, if you pass ipaddr=ip.src, the parser generates GeoIP2 metadata only for ip.src and generates no metadata for ip.dst, ipv6.src, or ipv6.dst.

Note: parsers.options is used for passing options to multiple parsers. So if you add GeoIP2 to it, you should not delete any other options being passed to other parsers (like Entropy).
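The following is an added example, not NetWitness code, that models the three points above so you can check an edit before sending it to the Decoder: it replaces only the GeoIP2 entry in an existing parsers.options value (leaving other parsers' entries such as Entropy in place), shows that a configured ipaddr list replaces the default list rather than extending it, and predicts which meta keys a given lookup key will populate (suffixed for .src/.dst keys, unsuffixed for a key like alias.ip). It assumes parsers.options is a whitespace-separated list of Name="value" pairs and that the GeoIP2 value has the ipaddr=... form shown on this page; the Entropy option value in the sample input is a constructed placeholder, not a real Entropy parser option.

```python
"""Helpers for reasoning about the GeoIP2 entry in a Decoder's parsers.options.

Added example, not NetWitness code. Assumption: parsers.options is a
whitespace-separated list of Name="value" pairs (one per parser), and the
GeoIP2 value has the form ipaddr=<comma-separated meta keys>. The Entropy
value in the sample input below is a constructed placeholder.
"""
import re

# Lookup keys the GeoIP2 parser uses when no ipaddr list is configured.
DEFAULT_IPADDR = ["ip.src", "ip.dst", "ipv6.src", "ipv6.dst"]

# Metadata families the parser can generate, split by default enablement.
ENABLED_BY_DEFAULT = ["country", "domain", "org"]
DISABLED_BY_DEFAULT = ["latdec", "longdec", "isp", "city"]

# One Name="value" pair; values are assumed not to contain double quotes.
_OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_parsers_options(text):
    """Split a parsers.options string into {parser_name: option_string}."""
    return {m.group(1): m.group(2) for m in _OPTION_RE.finditer(text)}


def format_parsers_options(opts):
    """Inverse of parse_parsers_options, preserving entry order."""
    return " ".join(f'{name}="{value}"' for name, value in opts.items())


def set_geoip2_ipaddr(options_text, ipaddr_list):
    """Return options_text with only the GeoIP2 entry added or replaced.

    Every other parser's entry (for example Entropy) is carried over
    untouched, so no other parser's options are lost by the edit.
    """
    if not ipaddr_list:
        raise ValueError("ipaddr list must not be empty")
    opts = parse_parsers_options(options_text)
    opts["GeoIP2"] = "ipaddr=" + ",".join(ipaddr_list)
    return format_parsers_options(opts)


def effective_ipaddr(options_text):
    """Return the lookup keys GeoIP2 will actually use.

    A configured ipaddr list replaces the default list entirely, so
    ipaddr=ip.src means only ip.src is looked up.
    """
    value = parse_parsers_options(options_text).get("GeoIP2", "")
    if value.startswith("ipaddr="):
        keys = [k.strip() for k in value[len("ipaddr="):].split(",") if k.strip()]
        return keys or list(DEFAULT_IPADDR)
    return list(DEFAULT_IPADDR)


def dropped_parsers(old_text, new_text):
    """Parser names present in old_text but missing from new_text.

    Run this before sending a new parsers.options value; a non-empty
    result means another parser's options would be lost.
    """
    return sorted(set(parse_parsers_options(old_text)) - set(parse_parsers_options(new_text)))


def expected_meta_keys(ipaddr_list, enabled=None):
    """Map each lookup key to the sorted meta keys GeoIP2 would populate.

    Keys ending in .src or .dst get suffixed meta (country.src); any other
    key (alias.ip) gets the unsuffixed meta (country). `enabled` defaults
    to the enabled-by-default set; pass extra names such as "city" once
    you have enabled them on the Decoder.
    """
    enabled = list(ENABLED_BY_DEFAULT) if enabled is None else list(enabled)
    result = {}
    for key in ipaddr_list:
        suffix = next((s for s in (".src", ".dst") if key.endswith(s)), "")
        result[key] = sorted(f"{m}{suffix}" for m in enabled)
    return result


if __name__ == "__main__":
    # Constructed sample: an existing parsers.options value carrying a
    # placeholder Entropy entry that must survive the GeoIP2 edit.
    current = 'Entropy="some.option=value"'
    updated = set_geoip2_ipaddr(current, DEFAULT_IPADDR + ["alias.ip"])
    print(updated)
    print("dropped:", dropped_parsers(current, updated))
    print("lookups:", effective_ipaddr(updated))
    for key, metas in expected_meta_keys(effective_ipaddr(updated)).items():
        print(f"{key}: {', '.join(metas)}")
```

Use dropped_parsers on the value currently shown in the Decoder against the value you intend to send; if it lists anything, you are about to overwrite another parser's options rather than add to them.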

The following table provides the full list of metadata that the GeoIP2 parser can potentially generate and indicates which metadata is or is not enabled by default:

Enabled by Default                   Not Enabled by Default
country, country.src, country.dst    latdec, latdec.src, latdec.dst
                                     longdec, longdec.src, longdec.dst
domain, domain.src, domain.dst       isp, isp.src, isp.dst
org, org.src, org.dst                city, city.src, city.dst

You can enable the other metadata using the standard parser configurations.

Note: Because it disables some metadata by default, the GeoIP2 parser does not behave the same as the GeoIP parser, which enabled all of the metadata it generated. If you need any of the disabled metadata, you must enable it (once only) on each Decoder after upgrading to 11.2 or later. Keep in mind that the isp and org meta keys usually produce a value equivalent to domain, so enabling isp rarely adds new information.