GEO Grok Question For Auth Log

Hi there, I am looking for some help with getting GeoIP working with Logstash. At present I have a working grok for my auth log; however, I keep getting "_geoip_lookup_failure" whenever I try to use the following. My question is, what am I doing wrong within the code? Also, I have installed the GeoIP plugin for Logstash and Elasticsearch, and at present I have tried a local / private IP address, as I understand the geoip plugin shouldn't attempt to resolve my private range. How do I find what is going wrong?

filter {
  if [source] == "/var/log/auth.log" {
    grok {
      match => {
        "message" => ["%{TIMESTAMP_ISO8601:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ssh.ip} port %{NUMBER:system.auth.ssh.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
                      "%{TIMESTAMP_ISO8601:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} user %{DATA:system.auth.user} from %{IPORHOST:system.auth.ssh.ip}",
                      "%{TIMESTAMP_ISO8601:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
                      "%{TIMESTAMP_ISO8601:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sudo(?:\[%{POSINT:system.auth.pid}\])?: \s*%{DATA:system.auth.user} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
                      "%{TIMESTAMP_ISO8601:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} groupadd(?:\[%{POSINT:system.auth.pid}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
                      "%{TIMESTAMP_ISO8601:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} useradd(?:\[%{POSINT:system.auth.pid}\])?: new user: name=%{DATA:system.auth.useradd.name}, UID=%{NUMBER:system.auth.useradd.uid}, GID=%{NUMBER:system.auth.useradd.gid}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
                      "%{TIMESTAMP_ISO8601:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} %{DATA:system.auth.program}(?:\[%{POSINT:system.auth.pid}\])?: %{GREEDYMULTILINE:system.auth.message}"]
      }
      pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
      remove_field => ["message"]
    }
    geoip {
      source => "system.auth.ssh.ip"
      target => "system.auth.ssh.geoip"
    }
  }
}

Did you look in the Logstash log? I'd expect the geoip plugin to log additional information about any failures.

at present I have tried a local / private IP address as I understand the geoip plugin shouldn't attempt to resolve my private range

I don't think the filter silently avoids RFC1918 addresses.
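An added example, not part of the thread above and not the original poster's config: the geoip section rewritten so that the lookup is only attempted for addresses that can actually be in the GeoIP database. The geoip filter adds "_geoip_lookup_failure" whenever the database returns nothing for the address it was given, and RFC 1918 and loopback ranges are never in the database, so a private test address produces exactly the tag the question describes. The example assumes the grok block from the question runs first and stores the address in a field literally named `system.auth.ssh.ip` (the bracketed reference `[system.auth.ssh.ip]` resolves that dotted name), uses the bundled `cidr` filter to tag private sources, and relies on the geoip filter's `tag_on_failure` option; the tag name `private_ip` is a placeholder chosen here.

```conf
filter {
  if [source] == "/var/log/auth.log" {
    # ... the grok block from the question, unchanged, goes here ...

    # Only attempt a lookup when grok actually extracted an address.
    # An event matched by one of the non-ssh patterns has no such field,
    # and calling geoip on a missing field is itself a lookup failure.
    if [system.auth.ssh.ip] {

      # Tag RFC 1918 and loopback sources. GeoLite/GeoIP databases carry no
      # entry for these ranges, so looking them up can only fail.
      cidr {
        address => [ "%{[system.auth.ssh.ip]}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" ]
        add_tag => [ "private_ip" ]   # placeholder tag name (assumption)
      }

      # Look up only public addresses; a failure tag on the remaining events
      # now means a real miss (for example, IPORHOST matched a hostname
      # rather than an IP), which is worth investigating.
      if "private_ip" not in [tags] {
        geoip {
          source         => "system.auth.ssh.ip"
          target         => "system.auth.ssh.geoip"
          tag_on_failure => [ "_geoip_lookup_failure" ]
        }
      }
    }
  }
}
```

To test this without waiting for real traffic, feed one line containing a private source (for example 10.0.0.5) and one containing a public source through the pipeline and confirm that only the first carries the `private_ip` tag and neither carries `_geoip_lookup_failure`; if the public one still fails, check the Logstash log as suggested above, because the field then holds either a hostname from `%{IPORHOST}` or an address the database simply does not cover.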
