
How to create custom geolocation zones

LogMan.io allows analysts to enrich events with custom geolocation data using IP range-based lookups. This is useful for tagging internal zones, branch offices, or customer-defined geographies.

Create a Geolocation Lookup

Navigate to the LogMan.io → Lookups section and create a new lookup.

  • Group: geo
  • Key: a pair of IP addresses, start and end, defining one contiguous IP range (one lookup entry per range; a zone with several disjoint ranges needs several entries).
  • Fields (optional but recommended):
name: "Křivoklát LAN"
country_iso_code: "CZ"
region_name: "Středočeský kraj"
city_name: "Křivoklát"
location: [50.036, 13.877]  # latitude, longitude

These fields are based on the Elastic Common Schema (ECS) for compatibility with Parsec enrichment.

Example Entry

Start IP         End IP           name              country_iso_code  city_name  location
192.168.108.122  192.168.108.124  HQ Office LAN     CZ                Prague     [50.088, 14.420]
10.10.0.1        10.10.0.254      Remote Branch #1  CZ                Brno       [49.195, 16.609]

(location given as [latitude, longitude] in decimal degrees, i.e. 50°5.28' N 14°25.2' E for Prague and 49°11.7' N 16°36.54' E for Brno)

Save the lookup under a unique name, such as hq_locations.

Supported Fields

Field             Type      Description
name              string    Descriptive name of the zone
country_iso_code  string    ISO 3166-1 alpha-2 country code
region_name       string    Name of the region or province
city_name         string    Name of the city or area
location          geopoint  GPS coordinates as [latitude, longitude] in decimal degrees

Usage

Automatic Enrichment

When a lookup group is set to geo, the data is automatically used by LogMan.io Parsec for enrichment of fields like source.ip, destination.ip, client.ip, etc.

Example output after enrichment:

{
  "source.ip": "192.168.108.123",
  "source.geo": {
    "name": "HQ Office LAN",
    "country_iso_code": "CZ",
    "city_name": "Prague",
    "location": [50.088, 14.420]
  }
}

Using in Correlator

The custom geolocation lookup can be referenced in Correlator rules for zone-based filtering or logic.

Example: Alert on Login from Non-Internal IP

predicate:
  !NOT
  what:
    !IN
    what: !ITEM EVENT source.ip
    where:
      !LOOKUP
      what: hq_locations

On its own this predicate matches every event whose source.ip falls outside hq_locations, not only logins; combine it (for example with !AND) with a condition that selects the login events you care about.

Example: Match Multiple Geo Zones

predicate:
  !OR
  - !IN
    what: !ITEM EVENT client.ip
    where: !LOOKUP { what: hq_locations }
  - !IN
    what: !ITEM EVENT destination.ip
    where: !LOOKUP { what: remote_sites }
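The following Python model is an added example, not LogMan.io, Parsec or Correlator code. It shows what the pieces described on this page do when put together: the start/end range lookup, the overlap check recommended below, the ECS-style <prefix>.geo enrichment from the Automatic Enrichment section, and the two Correlator predicates above. The hq_locations rows are the page's example entries; remote_sites and the sample events are constructed for the example, and treating a missing IP field as "not in the lookup" is an assumption to verify against the Correlator.

```python
# Added example (not LogMan.io/Parsec/Correlator code): offline model of a
# start/end IP range geo lookup, overlap validation, *.geo enrichment and the
# two Correlator predicates from the page.
import bisect
import ipaddress
from typing import Optional

# Lookup rows constructed from the page's example entries; location is
# [latitude, longitude] in decimal degrees. remote_sites is assumed data.
HQ_LOCATIONS = [
    {"start": "192.168.108.122", "end": "192.168.108.124", "name": "HQ Office LAN",
     "country_iso_code": "CZ", "city_name": "Prague", "location": [50.088, 14.420]},
    {"start": "10.10.0.1", "end": "10.10.0.254", "name": "Remote Branch #1",
     "country_iso_code": "CZ", "city_name": "Brno", "location": [49.195, 16.609]},
]
REMOTE_SITES = [  # assumed second lookup, not from the page
    {"start": "172.16.5.1", "end": "172.16.5.254", "name": "Remote Branch #2",
     "country_iso_code": "CZ", "city_name": "Ostrava", "location": [49.835, 18.293]},
]


def _key(ip: str):
    """Sortable key (IP version, integer value): keeps IPv4 and IPv6 from colliding."""
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))


def compile_lookup(rows):
    """Validate rows and return [(start_key, end_key, fields)] sorted by start.

    Inverted ranges and any overlap between rows are rejected: with overlapping
    ranges the enrichment result would depend on row order.
    """
    compiled = []
    for row in rows:
        start, end = _key(row["start"]), _key(row["end"])
        if start[0] != end[0]:
            raise ValueError(f"{row['name']}: start and end must be the same IP version")
        if end < start:
            raise ValueError(f"{row['name']}: end IP precedes start IP")
        fields = {k: v for k, v in row.items() if k not in ("start", "end")}
        compiled.append((start, end, fields))
    compiled.sort(key=lambda t: t[0])
    for (_, end_a, a), (start_b, _, b) in zip(compiled, compiled[1:]):
        if start_b <= end_a:
            raise ValueError(f"overlapping ranges: {a['name']!r} and {b['name']!r}")
    return compiled


def lookup(compiled, ip: str) -> Optional[dict]:
    """Fields of the range containing ip (start and end inclusive), else None."""
    k = _key(ip)
    starts = [start for start, _, _ in compiled]
    i = bisect.bisect_right(starts, k) - 1  # candidate: last range starting <= ip
    if i >= 0 and compiled[i][0] <= k <= compiled[i][1]:
        return compiled[i][2]
    return None


def enrich(event: dict, compiled, ip_fields=("source.ip", "destination.ip", "client.ip")) -> dict:
    """Return a copy of event with <prefix>.geo added for each IP field inside a range."""
    out = dict(event)
    for field in ip_fields:
        ip = event.get(field)
        hit = lookup(compiled, ip) if ip is not None else None
        if hit is not None:
            out[field.rsplit(".", 1)[0] + ".geo"] = dict(hit)
    return out


def in_lookup(event: dict, field: str, compiled) -> bool:
    """Model of `!IN what: !ITEM EVENT <field> where: !LOOKUP ...`.
    A missing field counts as no match (assumption; verify against the Correlator)."""
    ip = event.get(field)
    return ip is not None and lookup(compiled, ip) is not None


HQ = compile_lookup(HQ_LOCATIONS)
REMOTE = compile_lookup(REMOTE_SITES)


def login_from_non_internal_ip(event: dict) -> bool:
    """First predicate on the page: !NOT of (source.ip !IN hq_locations)."""
    return not in_lookup(event, "source.ip", HQ)


def matches_any_zone(event: dict) -> bool:
    """Second predicate: !OR of client.ip in hq_locations, destination.ip in remote_sites."""
    return in_lookup(event, "client.ip", HQ) or in_lookup(event, "destination.ip", REMOTE)


if __name__ == "__main__":
    print(enrich({"source.ip": "192.168.108.123"}, HQ))
```

compile_lookup fails loudly on overlapping or inverted ranges so that a bad lookup is caught when it is built rather than showing up later as an event enriched with the wrong zone; the binary search over sorted starts is what makes a lookup with thousands of ranges cheap per event.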

Tips & Best Practices

  • Ensure ranges do not overlap; with overlapping ranges an IP can fall into two entries and only one of them is applied.
  • Use consistent and descriptive names for easier dashboard filtering.
  • Provide location to allow geospatial visualizations. Enter it as [latitude, longitude] as shown above; note that Elasticsearch's own geo_point array notation is [longitude, latitude], so do not copy values between the two formats without checking the order.

Troubleshooting

Enrichment not working?

  • Verify the lookup group is geo.
  • Confirm the IP is within a defined start-end range.
  • Use the Test Lookup feature in the UI to simulate a lookup.

Multiple overlapping matches?

  • Avoid overlap: when ranges overlap, only one entry is applied (typically the first match), so the result depends on the order of the entries rather than on the data.