SSH Geodata Lookup Failures in 2.5


Since upgrading to Bro 2.5, we've seen some odd behavior with the geodata lookups in the SSH logs. In particular, the remote_location.* fields in the SSH logs are always missing the geodata when auth_success is true. For example, here are stats for a day running 2.4-709 and a day running 2.5:

Bro version, auth_success, country_code logged, country_code not logged

I'm curious if you have Bro built against libGeoIP correctly? What you are seeing would indicate to me that it isn't. It's also possible that you don't have the geoip database installed.


Hi Seth,

Thanks for your response. GeoIP lookups are working for our HTTP logs (code we added) and the SSH logs when auth_success==F. It's only not working with SSH when auth_success==T, and in this case it apparently is partially working since there are watched country entries in the notice log for successful SSH connections, but the SSH log does not contain the geodata for these successful connections it's alerting on (see the two log lines I had in my initial mail for evidence of this).
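As an added example (not code from the thread, and not part of Bro itself), here is a small Python check that tallies an ssh.log the way the table in the first message does, so the symptom can be measured on a real log instead of eyeballed. It parses Bro's ASCII TSV format (honouring the `#separator`, `#fields` and `#unset_field` headers) and runs on a constructed excerpt whose values are made up.

```python
# Added example, not from the original thread: tally Bro ssh.log rows by
# auth_success and whether remote_location.country_code was populated.
from collections import Counter

# Constructed ssh.log excerpt in Bro's ASCII TSV format; all values are made up.
SAMPLE_SSH_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssh
#fields\tts\tuid\tid.orig_h\tauth_success\tremote_location.country_code
#types\ttime\tstring\taddr\tbool\tstring
1478000000.000000\tC1\t198.51.100.7\tF\tDE
1478000001.000000\tC2\t203.0.113.9\tT\t-
1478000002.000000\tC3\t198.51.100.8\tF\t-
1478000003.000000\tC4\t203.0.113.10\tT\t-
"""


def parse_bro_log(text):
    """Yield one dict per data row; unset fields ('-' by default) become None."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator header is space-delimited and escapes the separator itself.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            # #types, #path, #open, #close etc. are not needed for the tally.
        else:
            values = line.split(sep)
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def geodata_coverage(rows):
    """Count rows by (auth_success, whether country_code was logged)."""
    counts = Counter()
    for row in rows:
        logged = row.get("remote_location.country_code") is not None
        counts[(row["auth_success"], "logged" if logged else "not_logged")] += 1
    return counts


def successful_logins_missing_geodata(rows):
    """Return uids of auth_success==T rows with no country code; a non-empty
    result on a real log is the behaviour this thread describes."""
    return [r["uid"] for r in rows
            if r["auth_success"] == "T" and r.get("remote_location.country_code") is None]


if __name__ == "__main__":
    rows = list(parse_bro_log(SAMPLE_SSH_LOG))
    for key, n in sorted(geodata_coverage(rows).items()):
        print(key, n)
    print("successful logins without geodata:", successful_logins_missing_geodata(rows))
```

Point it at a real ssh.log by reading the file into `parse_bro_log`; if the `("T", "logged")` bucket stays at zero while `("F", "logged")` is populated, the lookup is failing only on the successful-auth path rather than in libGeoIP or the database.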