Show what private IP addresses are accessing what

If I use client.domain: 192.168.1.147 in the GeoIP map, there are no results. Is it possible to show private IP addresses and what they are accessing in ElastiFlow?

Thanks.

Yes, it is definitely possible to show private IP addresses on the GeoIP dashboard. There are multiple reasons why a flow might not show:

  1. You might be zoomed in to the map in a way that the “server” of this flow is not part of the current map.
  2. You might have other filters (or a time filter) set that do not contain a flow from this specific client.

I’ve attached an example of our demo GeoIP dashboard showing traffic from a private IP address.
Note that the client key in the picture is different, because I’m using ElastiFlow’s own CODEX data schema, rather than ECS (this should not cause your issue though).


@ADegitz I seem to not be able to see anything even when fully zoomed out and using client.ip: instead of client.domain:, I have attached a screenshot:

If I remove all filters, I can see only public IPs in the GeoMap (points below are all public IPs):

I seem to have solved the issue by adding metadata to ipaddrs.yml for my private IP range 192.168.1.0/24:

192.168.0.0/16:
  metadata:
    .geo.loc.coord: 48.167106,11.486918
    .geo.city.name: Munich
    .geo.country.code: DE
    .geo.country.name: Germany
    .geo.tz.name: Europe/Berlin

From: IP Addresses | ElastiFlow

This sets a default location for all IPs in my subnet.

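An added check (my own example, not ElastiFlow's code or configuration) for the ipaddrs.yml approach above: it parses a mapping in the layout shown in the thread and lists the private client addresses that would still reach the map without coordinates, either because no range covers them or because the matching range has no .geo.loc.coord. The sample mapping, the 10.0.0.0/8 entry, and the longest-prefix-wins resolution are assumptions made for the example.

```python
import ipaddress

# Constructed sample in the layout shown in the thread (not a real file);
# the 10.0.0.0/8 entry is added here as a second site without coordinates.
IPADDRS_YML = """\
192.168.0.0/16:
  metadata:
    .geo.loc.coord: 48.167106,11.486918
    .geo.city.name: Munich
    .geo.tz.name: Europe/Berlin
10.0.0.0/8:
  metadata:
    .geo.city.name: Branch office
"""


def parse_ipaddrs(text):
    """Minimal parser for the two-level 'CIDR: metadata: keys' layout."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "metadata:":
            continue
        if not raw.startswith(" "):           # unindented line: a CIDR key
            current = ipaddress.ip_network(line.rstrip(":"), strict=False)
            entries[current] = {}
        else:                                 # "    .geo.x: value"
            key, _, value = line.partition(":")
            entries[current][key.strip()] = value.strip()
    return entries


def lookup(entries, ip):
    """Metadata of the most specific matching range (assumed: longest prefix
    wins), or None when no range contains the address."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in entries if addr in net]
    return entries[max(matches, key=lambda n: n.prefixlen)] if matches else None


def unplotted_private(entries, ips):
    """Private client IPs that would land on the map with no coordinates:
    no matching range, or a range whose metadata lacks .geo.loc.coord."""
    missing = []
    for ip in ips:
        if not ipaddress.ip_address(ip).is_private:
            continue                          # public IPs are located by GeoIP
        meta = lookup(entries, ip)
        if meta is None or ".geo.loc.coord" not in meta:
            missing.append(ip)
    return missing
```

Run `unplotted_private(parse_ipaddrs(IPADDRS_YML), [...])` over the client IPs from your flow records to see which private ranges still need an entry with coordinates.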
