Geo IP throwing wrong Country names

Kishore · August 2, 2016, 10:05am

Hi Elastic,

Geo IP Plugin is not populating correct information. and for some of the IPs it is not showing the City Name.

Ex: 170.251.154.205 This IP belongs to Bangalore and India, but in Kibana it is showing as Dallas, USA.

Based on this we generating some alerts, this is in Production and our Support team will take an action on this.

Below is the configuration:

geoip 
		{
           		add_tag => [ "GeoIP" ]
           		source => "public_ip"
           		add_field => ["[geoip][coordinates]","%{[geoip][longitude]}"]
           		add_field => ["[geoip][coordinates]","%{[geoip][latitude]}"]

       	}
   		mutate 
		{
      			convert => [ "[geoip][coordinates]", "float" ]
   		}

warkolm · August 2, 2016, 10:10am

You would need to update the database it uses, what is provided is only a snapshot in time and IP allocation can change.

Kishore · August 2, 2016, 10:11am

Thanks Mark,

Kindly advise me how to update the Database

warkolm · August 2, 2016, 10:42am

Download it from Maxmind and then use https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html#plugins-filters-geoip-database to point to the updated database file.