Basic logstash grok pattern - need help

Hi Guys,

I have file this and I am trying to build a pattern for the same. Somehow this is not working. Can some one please help

/var/log/badhost.txt =
125.118.243.164
216.245.208.133
199.59.242.150
104.145.232.3
...

input {
# add necessary input parameters
file {
type => "threat-intel"
path => "/var/log/badhost.txt"
}
}

filter {
if [type] == "threat-intel" {
grok {
match => { "message =>"%{ clientip:IPV4}"
"geoip": {
"field": "clientip"
}
}

The basic syntax for a grok pattern is %{SYNTAX:SEMANTIC}. So you need to change this:

%{ clientip:IPV4}

to

%{IPV4:clientip}

Refer to this for the basic grok filter: Grok filter plugin | Logstash Reference [8.11] | Elastic

Thanks, I am a complete novice to Logstash and learning bit by bit. Thanks for the info though :slight_smile:

```
input {

beats {
port => 5044
}
}

filter {
if [type] == "threat-intel" {
grok {
match => { "message" => "%{IPV4:clientip}"

    geoip {
            {
                    source => "clientip"
                    }
              }
            }
    }

}
output {
elasticsearch {
hosts => "192.168.1.15:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
```

Any clue? With this config I am not able to parse geo tagging, and I am accepting data over Filebeat.

You've put your geoip filter inside your grok filter, i.e. your curly braces are mismatched.

Hey there,

Is there any sample config that I can refer to? I mean these are just simple IP addresses with a line break.

Well, in this case you don't need a grok filter since the lines as you say only contain the IP address. Just point the geoip filter at the message field, or use a mutate filter to rename message to clientip or whatever you prefer.

So in my case it would just be match => Message?

No, drop the grok filter completely.

If you don't mind, would you please give me a sample snippet? Please? My use case is simple: I just have IP addresses and need to parse and tag them with Geo_points.

```
geoip {
  source => "message"
}
```
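For readers following the thread, here is the full pipeline that the advice above adds up to (beats input, no grok, geoip pointed at the line itself). This is an added example, not a config posted by anyone in this thread; the host 192.168.1.15:9200 and index pattern are taken from the earlier post, while the `mutate` steps, the `clientip` field name and the Filebeat `type` assumption are my additions.

```logstash
input {
  beats {
    port => 5044
  }
}

filter {
  # Assumption: Filebeat sets [type] to "threat-intel" for this file
  # (e.g. via fields / fields_under_root); otherwise this block never runs.
  if [type] == "threat-intel" {
    # Each line is only an IP address, so no grok is needed.
    # Remove stray whitespace such as a trailing carriage return.
    mutate {
      strip => ["message"]
    }
    # Keep a copy under a descriptive name; geoip can read either field.
    mutate {
      copy => { "message" => "clientip" }
    }
    geoip {
      source => "clientip"
      # Private or unroutable addresses will not resolve; geoip then
      # tags the event with _geoip_lookup_failure instead of dropping it.
    }
  }
}

output {
  elasticsearch {
    hosts => "192.168.1.15:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
```

Check the resulting documents for the `_geoip_lookup_failure` tag to spot entries in the blocklist that are not public IPv4 addresses.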

Thanks man. I really appreciate that :slight_smile:
