Marking Nepenthes' log with GeoIP
I always wanted my Nepenthes log to be meaningful, rather than cryptic columns, which are pretty boring.
So this is what I did after several searches on the Net... some of the links just show the result, and I wonder why they don't just *put* the script online. Here goes!
Let's say I am processing /var/log/nepenthes/logged_downloads, which looks like this (source IP, then the MD5 of the downloaded binary):
116.7.16.130 df51e3310ef609e908a6b487a28ac068
116.80.225.172 1d419d615dbe5a238bbaa569b3829a23
116.80.227.106 e269d0462eb2b0b70d5e64dcd7c676cd
116.80.81.221 98eb0fdadf8a403c013a8b1882ec986d
116.80.85.224 e269d0462eb2b0b70d5e64dcd7c676cd
116.81.88.146 2fa0e36b36382b74e6e6a437ad664a80
I want it to be (country first, then IP, then hash):
Russian Federation ,95.28.56.118 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.63.209 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.71.57 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.82.129 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.28.89.135 , 7d99b0e9108065ad5700a899a1fe3441
Russian Federation ,95.29.28.40 , 7d99b0e9108065ad5700a899a1fe3441
United States ,98.101.106.156 , 7d99b0e9108065ad5700a899a1fe3441
If I just invoke the "geoip" tool (geoiplookup) from the BASH command line, it goes like this:
for ip in $(awk '{print $1}' hcountry.txt); do echo "$ip" $(geoiplookup "$ip" | awk -F "GeoIP Country Edition" '{print $2}'); done
This, however, only gives output like this:
114.136.161.59 : TW, Taiwan
114.136.83.68 : TW, Taiwan
114.137.222.91 : TW, Taiwan
114.43.232.67 : TW, Taiwan
115.171.144.48 : CN, China
115.177.145.254 : JP, Japan
116.10.232.29 : CN, China
116.11.39.46 : CN, China
116.1.222.156 : CN, China
116.19.174.223 : CN, China
116.206.128.101 : MY, Malaysia
116.206.147.239 : MY, Malaysia
116.226.37.237 : CN, China
116.227.187.234 : CN, China
without the hash, so the sample a given host fetched is lost.
I solved the problem using Python.. it worked, despite my minimal knowledge of Python.. also with some clues from a friend :)
from __future__ import print_function  # works on Python 2 and 3
import re
import sys
import GeoIP

GEOIP_DATABASE = '/usr/share/GeoIP/GeoIP.dat'
geoip = GeoIP.open(GEOIP_DATABASE, GeoIP.GEOIP_STANDARD)

# chcountry.txt holds the "IP,hash" (or "IP hash") lines taken from logged_downloads
with open(sys.argv[1] if len(sys.argv) > 1 else "chcountry.txt") as f:
    for line in f:
        columns = re.split(r'[,\s]+', line.strip())
        if len(columns) < 2:
            continue  # skip blank or malformed lines instead of crashing
        negara = geoip.country_name_by_addr(columns[0]) or "Unknown"  # negara = country
        x = columns[1]
        print(negara, ',', columns[0], ',', x)  # Country , IP , hash, as wanted above
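As an added example (not the post's own script), here is the same enrichment written so it can be tested offline: the GeoIP lookup is injected as a function, a constructed stand-in replaces geoip.country_name_by_addr, the parser tolerates both space- and comma-separated lines and skips junk, and a small summary counts downloads per country and per sample hash. The sample log lines, FAKE_GEOIP values and function names are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the logged_downloads layout (IP, MD5 of the fetched binary);
# one comma-separated line and one junk line are included on purpose.
SAMPLE_LOG = """\
116.7.16.130 df51e3310ef609e908a6b487a28ac068
116.80.225.172 1d419d615dbe5a238bbaa569b3829a23
116.80.227.106,e269d0462eb2b0b70d5e64dcd7c676cd
116.80.85.224 e269d0462eb2b0b70d5e64dcd7c676cd
not a log line
"""

# Hypothetical offline stand-in for geoip.country_name_by_addr(); values are made up.
FAKE_GEOIP = {"116.7.16.130": "China", "116.80.225.172": "Japan", "116.80.227.106": "Japan"}

def fake_lookup(ip):
    """Return a country name or None, as the legacy GeoIP API does for unknown IPs."""
    return FAKE_GEOIP.get(ip)

# Accept "IP hash" or "IP,hash"; the hash must be 32 hex digits or the line is skipped.
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*[,\s]\s*([0-9a-fA-F]{32})\s*$")

def parse_line(line):
    """Return (ip, md5) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2).lower()) if m else None

def enrich(log_text, lookup):
    """Turn raw log text into (country, ip, md5) rows, skipping unparsable lines."""
    rows = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # junk or truncated line: skip rather than abort mid-file
        ip, md5 = parsed
        rows.append((lookup(ip) or "Unknown", ip, md5))
    return rows

def format_row(row):
    """Render a row in the 'Country ,IP , hash' layout wanted above."""
    return "%s ,%s , %s" % row

def summarize(rows):
    """Count downloads per country and per sample hash for a quick overview."""
    return Counter(r[0] for r in rows), Counter(r[2] for r in rows)

if __name__ == "__main__":
    # With real data: enrich(open(path).read(), geoip.country_name_by_addr)
    rows = enrich(SAMPLE_LOG, fake_lookup)
    for row in rows:
        print(format_row(row))
    by_country, by_hash = summarize(rows)
    print(by_country.most_common(), by_hash.most_common(3))
```

Hosts whose IP is not in the database come out as "Unknown" instead of an empty column, so the hash column stays aligned.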
Also, if you simply want to use geoiplookup from the CLI directly, I asked a friend who gave me a solution here (the final one):
awk '{ ("geoiplookup " $1) | getline d; split(d, data, ":"); print data[2] ";" $1 ";" $2; close("geoiplookup " $1); }' hcountry.txt