I'm wanting to be able to geolocate IPv6 addresses. MaxMind publish a free (beta) IPv6 database alongside their free IPv4 database, but when I configure it, Logstash crashes during initialization. Has anyone gotten this to work?
[icb@n logstash-2.3.1]$ ./bin/logstash -f v6test.conf
Settings: Default pipeline workers: 1
Pipeline aborted due to error {:exception=>#<NameError: uninitialized constant LogStash::Filters::GeoIP::RuntimeException>, :backtrace=>["org/jruby/RubyModule.java:2745:in `const_missing'", "/home/icb/elastic/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-2.0.7/lib/logstash/filters/geoip.rb:114:in `register'", "/home/icb/elastic/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:182:in `start_workers'", "org/jruby/RubyArray.java:1613:in `each'", "/home/icb/elastic/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:182:in `start_workers'", "/home/icb/elastic/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/pipeline.rb:136:in `run'", "/home/icb/elastic/logstash-2.3.1/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.1-java/lib/logstash/agent.rb:465:in `start_pipeline'"], :level=>:error}
stopping pipeline {:id=>"main"}
[icb@n logstash-2.3.1]$
Minimal config to reproduce this (with the GeoLite City IPv6 (Beta) database put at the geoip database path):
input {
  stdin {}
}
filter {
  grok {
    match => {
      "message" => "%{SYSLOGBASE} queries: info: client %{IP:clientip}#%{INT:port}: query: %{DATA:query} %{WORD:class} %{WORD:querytype} %{DATA:flags} \(%{IP:serverip}\)"
    }
  }
  geoip {
    database => "/home/icb/elastic/maxmind/GeoLiteCityv6.dat"
    source => "clientip"
  }
}
output {
  elasticsearch {}
}