Apache logs not able to map geo IPs

Hi Guys,

I am trying to plot the geo for my apache logs but somehow I am getting below error on kibana, can someone please help me on this error?

No Compatible Fields: The "apache-*" index pattern does not contain any of the following field types: geo_point

This is my logstash file

input {
# add necessary input parameters
file {
path => "/var/apache/access_log"
start_position => "beginning"

    }

}

filter {

    # for Apache Access logs
    grok {
            match => { "message" => "%{COMBINEDAPACHELOG}" }
    }

    # for Apache Access logs
    grok {
            match => { "message" => "%{EXTENDEDAPACHELOG}" }
            patterns_dir => ["/etc/logstash/patterns"]
    }

    # for Apache Error logs
    grok {
    match => { "message" => "%{APACHEERRORLOG}" }
    patterns_dir => ["/etc/logstash/patterns"]
}

    date {
            match => ["timestamp", "dd/MMM/YYYY:HH:mm:ss Z"]
            remove_field => "timestamp"
    }
    useragent {
            source => "agent"
            target => "UA"
    }
    mutate {
            convert => ["response","integer"]
            convert => ["bytes","integer"]
            convert => ["responsetime","integer"]
    }
    geoip {
            source => "clientip"
            target => geoip
            add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
            add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
            convert => [ "[geoip][coordinates]", "float" ]
    }

}

output {
# add necessary output parameters
elasticsearch {
hosts => "192.168.5.15:9200"
index => "apache-logs-%{+YYYY.MM.dd}"
}
stdout
{
codec => rubydebug
}
}

Here is the thread I followed to troubleshoot and able to query the logs correctly based on lon/lat but not sure why that error is appearing

echo 37.58.58.206 | /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.config
09:30:55.665 [Api Webserver] INFO logstash.agent - Successfully started Logstash API endpoint {:port=>9601}
{
"@timestamp" => 2017-08-26T04:00:55.645Z,
"geoip" => {
"ip" => "37.58.58.206",
"latitude" => 51.2993,
"country_name" => "Germany",
"country_code2" => "DE",
"continent_code" => "EU",
"country_code3" => "DE",
"location" => {
"lon" => 9.491,
"lat" => 51.2993
},
"longitude" => 9.491
},
"@version" => "1",
"host" => "0.0.0.0",
"message" => "37.58.58.206"

GeoIP in the Elastic Stack - Elasticsearch, Logstash, Ingest API | Elastic Blog is worth reading too.

But you're over thinking things, check that blog post for more.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.