GEO Mapping and IPV6 addresses

fhansen · April 1, 2019, 9:08pm

I'm struggling with getting IPV6 addresses to correctly show up in the GEO mapping. I've created the following configuration for Logstash:
input {

snmp {

walk =&gt; ["1.3.6.1.2.1.31.1.1.1"]

hosts =&gt; [{host =&gt; "udp:172.20.64.62/161" community =&gt; "public"}, {host =&gt; "udp:fda1:40:0:b:1c:6404:8061:7ccb/161" community =&gt; "Public"}, {host =&gt; "udp:fda1:40:0:b::8077:786/161" community =&gt; "Public"}]

}

}

filter {

mutate {

rename =&gt; ["host", "clientip"]

}

geoip {

source =&gt; "clientip"

database =&gt; "/home/kswaminathan/GeoLite2-City_20190402/GeoLite2-City.mmdb"

}

}

output {

elasticsearch {

hosts =&gt; ["localhost:9200"]

index =&gt; "logstash"
}

}

I see the _geoip_lookup failure on the records that have a valid IPV6 address...I've even added a geo type to the template. I do not see any examples of IPV6 configuration related to GEO mapping. Any help would be greatly appreciated.

Thanks
Frank

warkolm · April 1, 2019, 9:28pm

Have you tried the inbuilt database? It supports IPv6 if you are using a new version of Logstash.

Badger · April 1, 2019, 9:30pm

What version of the plugin do you have

bin/logstash-plugin list --verbose geoip

V6 addresses work for me...

input { generator { count => 1 message => '' } }
filter {
    mutate { add_field => { "clientip" => "2001:0:3238:DFE1:0063::FEFB" } }
    geoip { source => "clientip" }
}

gets me a location in San Antonio, TX

system · April 29, 2019, 9:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.