To manage and maintain the security of their environments, IT and security teams need in-depth insight into the cloud accounts and web services their users access. IT also needs better and faster analytics to scale infrastructure and applications according to user usage and access patterns. With more employees working remotely and end users accessing applications and services from everywhere, waiting is not an option, whether for the development and enhancement of an application or for a new security tool.
Users often connect to a Virtual Private Network (VPN) to reach business applications or services behind company firewalls. When a user connects to the VPN, a Private IP address is assigned to their device. From that point, all communication to and from the user’s device is routed through the VPN service’s Public IP address, so a single Public IP address can represent hundreds or thousands of devices. Users may reach some enterprise applications with or without the VPN, so the logs from those applications can contain both Private and Public IP addresses.
Because access logs can contain Private IPs, or a mix of Private and Public IPs, Geolocation enrichment of those logs is difficult: most automated Geolocation enrichment tools work only on Public IP addresses. Oracle Cloud Infrastructure Logging Analytics (Logging Analytics) lets you work around the question of an IP address’s origin and simplify Geolocation enrichment for Private IPs using custom lookups. Companies can configure their VPNs to assign Private IPs based on certain parameters, location being one of them.
Network administrators maintain a mapping of the Public and Private IPs assigned by their VPN service. Logging Analytics can use this mapping to enrich Private IPs with Geolocation information based on their mapping to Public IPs. Here is an example of a specific source configuration and a Map (Geolocation) visualization showing a mix of Public and Private IPs:
Enabling Geolocation enrichment for Private IP addresses is a two-step process:
Step 1: Add a Lookup to display mapped Private and Public IP Addresses
In the Logging Analytics service, choose Lookups to display the mapped Private and Public IP addresses.
Note: the first two octets of the Private IP address are used to map it to a Public IP.
Step 2: Update a Source by choosing Source and adding entries
Two changes are needed to update a source, as shown below. For demonstration purposes, we used ‘Apache Tomcat Access Logs’, which is an Oracle-predefined out-of-the-box (OOB) source. Note that users can update any source (OOB or custom) that has an IP Address field.
- Add two new entries by choosing Source, then selecting the Extended Fields section to arrive at the Edit Source page.
- On the Edit Source page, add two entries as shown below
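To make the two steps concrete, here is an added example (not code from the post or from the Logging Analytics product) that models the same enrichment offline in Python: a lookup keyed on the first two octets of a VPN-assigned Private IP (Step 1), applied to the client IP field of Apache Tomcat access log lines so that Private IPs resolve to the VPN gateway’s Public IP before geolocation (Step 2). The lookup values, the geolocation table and the log lines are all constructed for illustration; the Public IPs come from the RFC 5737 documentation ranges and stand in for real VPN gateway addresses. The example also handles the cases a practitioner would want to see, such as a Private IP whose prefix is not in the lookup, which must be reported rather than silently geolocated.

```python
import ipaddress
import re

# Step 1 modelled as a dictionary: first two octets of the VPN-assigned
# Private IP pool -> the VPN gateway's Public IP for that pool.
# Constructed values (hypothetical), not the post's own lookup.
PRIVATE_PREFIX_TO_PUBLIC = {
    "10.10": "203.0.113.10",   # gateway serving the 10.10.0.0/16 pool
    "10.20": "198.51.100.20",  # gateway serving the 10.20.0.0/16 pool
}

# Constructed geolocation table for Public IPs (hypothetical locations).
PUBLIC_IP_GEO = {
    "203.0.113.10": {"city": "Austin", "country": "US"},
    "198.51.100.20": {"city": "Bangalore", "country": "IN"},
    "198.51.100.77": {"city": "Frankfurt", "country": "DE"},
}

# RFC 1918 ranges: the address space a VPN hands out to connected devices.
# Checked explicitly rather than via ipaddress.is_private, because that
# property also treats the documentation ranges used above as private.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The client IP is the first whitespace-delimited token of a Tomcat access log line.
_LOG_RE = re.compile(r"^(?P<ip>\S+)\s")


def first_two_octets(ip_text):
    """Return the lookup key the post describes: 'A.B' from 'A.B.C.D'."""
    return ".".join(ip_text.split(".")[:2])


def resolve_public_ip(ip_text):
    """Return (public_ip, how) where how records how the result was derived."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None, "invalid"
    if ip.version != 4:
        return None, "unsupported"           # the two-octet lookup is IPv4-only
    if any(ip in net for net in RFC1918_NETS):
        public = PRIVATE_PREFIX_TO_PUBLIC.get(first_two_octets(ip_text))
        if public is None:
            return None, "unmapped-private"  # lookup miss: do not guess a location
        return public, "lookup"
    return ip_text, "direct"                 # already a Public IP, use as-is


def enrich_line(line):
    """Step 2 modelled for one log line: parse client IP, resolve, geolocate."""
    m = _LOG_RE.match(line)
    if not m:
        return {"client_ip": None, "public_ip": None, "how": "unparsed", "geo": None}
    client_ip = m.group("ip")
    public_ip, how = resolve_public_ip(client_ip)
    geo = PUBLIC_IP_GEO.get(public_ip) if public_ip else None
    return {"client_ip": client_ip, "public_ip": public_ip, "how": how, "geo": geo}


# Constructed sample access log lines in Tomcat's common log format.
SAMPLE_LOG = [
    '10.10.4.21 - - [10/Oct/2023:13:55:36 +0000] "GET /app/login HTTP/1.1" 200 512',
    '10.20.8.9 - - [10/Oct/2023:13:55:40 +0000] "POST /app/api/orders HTTP/1.1" 201 88',
    '192.168.5.5 - - [10/Oct/2023:13:56:02 +0000] "GET /app/health HTTP/1.1" 200 2',
    '198.51.100.77 - - [10/Oct/2023:13:56:10 +0000] "GET /app/ HTTP/1.1" 200 4096',
]


def enrich_all(lines=SAMPLE_LOG):
    return [enrich_line(line) for line in lines]


if __name__ == "__main__":
    for record in enrich_all():
        print(record)
```

Running the module prints one enriched record per line: the two VPN clients resolve through the lookup to Austin and Bangalore, the direct Public IP geolocates to Frankfurt, and the 192.168.5.5 client is flagged `unmapped-private` because its first two octets are absent from the lookup. Keeping that miss visible matters when the lookup is maintained by hand, since a stale mapping would otherwise place users in the wrong country on the map.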
In this post, we shared one example of how Oracle Cloud Logging Analytics can help your business perform Geolocation enrichment on difficult logs, such as those containing a mix of Private and Public IP addresses, so you can better secure and gain greater insight into your environments, whether they are in the cloud, on-premises, or a hybrid combination.
If you would like to try it yourself, or explore more of how Logging Analytics can ease your job and help your business, these new user assistance features make OCI Logging Analytics easier to use than other tools, especially our Compass assistant. The next blog in this series will cover a brand new LiveLab that lets you try out these geolocation enrichment features yourself. Can’t wait to get location-specific insights or enrich your geolocation log data? Review our latest documentation here.
