Coaxing geoip data from logstash

ethrbunny · December 3, 2018, 12:41pm

I have logstash setup to convert ip -> geoip. Im getting latitude/longitude coordinates from apache2/filebeat now. What I don't seem to have is whatever is required to create a visualization from this data.

I've read through various posts on this (here and here) but haven't yet found the secret sauce to make kibana happy yet.

Relevant entry from logstash:

geoip {
    source => "clientip"
}

mutate {
  convert => { "[geoip][longitude]" => "float" }
  convert => { "[geoip][latitude]" => "float" }
}
mutate {
  rename => {
    "[geoip][longitude]" => "[location][lon]"
    "[geoip][latitude]" => "[location][lat]"
  }
}

So now Im getting [geoip][location][lon]/[lat] in my data with type "float". How do I get this saved (consistentl) as "geoip"?

ethrbunny · December 7, 2018, 12:33pm

Some additional info: Im trying to parse apache2 logs to see who is abusing / probing it. Ive got the files parsed out using logstash and can see the geoip.[country|region|etc] fields in the 'discover' window in kibana.

The logs are parsed into a new index "apache2-*". This is probably where my issues begin. I don't have a template defined for this and am not sure how to create one.

system · January 4, 2019, 12:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting geohash / geoip data from apache Elasticsearch	14	1602	January 9, 2019
Getting GeoIP field for NGINX Logs Logstash	2	987	July 18, 2020
Geo_point coming from geoip are not plotting in Kibana Kibana	4	1859	November 6, 2017
Can Anyone tell each and every step of how to use geoIP with logstash and kibana? Logstash	12	1920	October 24, 2017
Can't get geoip to work Logstash	12	647	January 10, 2019

Coaxing geoip data from logstash

Related topics