Any advantages using geoip plugin filter with GeoLite2 Dat File?


(Rich Horace) #1

Are there any advantage configuring geoip file with GeoLite Dat File or just using geoip?

I haven't seen any write-ups on the use case for when to use GeoLite Dat File or in the geoip documentation

I've successfully implemented it both ways, but more curious.

Here's my configs:
GeoIP Filter

    filter {
      if [path] =~ "access.log" {
        if [user_agent] != "ELB-HealthChecker/1.0" {
          geoip {
            source => "remote_addr"
            target => "geoip"
          }
          useragent {
            source => "user_agent"
          }
        }
      }
    }

GeoIP Filter with GeoLite Dat File

    filter {
      if [path] =~ "access.log" {
        if [user_agent] != "ELB-HealthChecker/1.0" {
       geoip {
          source => "remote_addr"
          target => "geoip"
 -        database => "/etc/logstash/GeoLite2-City.dat"
 -        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
 -        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
 -        add_tag => ["geo"]
        }
        useragent {
          source => "user_agent"
          }
        }
      }
    }

Thanks,
Rich


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.