Apache logs not able to map geo IPs

Blason · August 26, 2017, 3:56am

Hi Guys,

I am trying to plot the geo for my apache logs but somehow I am getting below error on kibana, can someone please help me on this error?

No Compatible Fields: The "apache-*" index pattern does not contain any of the following field types: geo_point

This is my logstash file

input {
# add necessary input parameters
file {
path => "/var/apache/access_log"
start_position => "beginning"

}

filter {

    # for Apache Access logs
    grok {
            match => { "message" => "%{COMBINEDAPACHELOG}" }
    }

    # for Apache Access logs
    grok {
            match => { "message" => "%{EXTENDEDAPACHELOG}" }
            patterns_dir => ["/etc/logstash/patterns"]
    }

    # for Apache Error logs
    grok {
    match => { "message" => "%{APACHEERRORLOG}" }
    patterns_dir => ["/etc/logstash/patterns"]
}

    date {
            match => ["timestamp", "dd/MMM/YYYY:HH:mm:ss Z"]
            remove_field => "timestamp"
    }
    useragent {
            source => "agent"
            target => "UA"
    }
    mutate {
            convert => ["response","integer"]
            convert => ["bytes","integer"]
            convert => ["responsetime","integer"]
    }
    geoip {
            source => "clientip"
            target => geoip
            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
            convert => [ "[geoip][coordinates]", "float" ]
    }

}

output {
# add necessary output parameters
elasticsearch {
hosts => "192.168.5.15:9200"
index => "apache-logs-%{+YYYY.MM.dd}"
}
stdout
{
codec => rubydebug
}
}

Blason · August 26, 2017, 4:05am

Here is the thread I followed to troubleshoot and able to query the logs correctly based on lon/lat but not sure why that error is appearing

echo 37.58.58.206 | /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.config
09:30:55.665 [Api Webserver] INFO logstash.agent - Successfully started Logstash API endpoint {:port=>9601}
{
"@timestamp" => 2017-08-26T04:00:55.645Z,
"geoip" => {
"ip" => "37.58.58.206",
"latitude" => 51.2993,
"country_name" => "Germany",
"country_code2" => "DE",
"continent_code" => "EU",
"country_code3" => "DE",
"location" => {
"lon" => 9.491,
"lat" => 51.2993
},
"longitude" => 9.491
},
"@version" => "1",
"host" => "0.0.0.0",
"message" => "37.58.58.206"

warkolm · August 26, 2017, 4:55am

GeoIP in the Elastic Stack - Elasticsearch, Logstash, Ingest API | Elastic Blog is worth reading too.

But you're over thinking things, check that blog post for more.

system · September 23, 2017, 4:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.