GEO Mapping and IPv6 addresses

I'm struggling with getting IPv6 addresses to correctly show up in the GEO mapping. I've created the following configuration for Logstash:

input {
    snmp {
        walk => ["1.3.6.1.2.1.31.1.1.1"]
        hosts => [{host => "udp:172.20.64.62/161" community => "public"}, {host => "udp:fda1:40:0:b:1c:6404:8061:7ccb/161" community => "Public"}, {host => "udp:fda1:40:0:b::8077:786/161" community => "Public"}]
    }
}

filter {
    mutate {
        rename => ["host", "clientip"]
    }
    geoip {
        source => "clientip"
        database => "/home/kswaminathan/GeoLite2-City_20190402/GeoLite2-City.mmdb"
    }
}

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "logstash"
    }
}

I see the _geoip_lookup failure on the records that have a valid IPv6 address... I've even added a geo type to the template. I do not see any examples of IPv6 configuration related to GEO mapping. Any help would be greatly appreciated.

Thanks
Frank

Have you tried the inbuilt database? It supports IPv6 if you are using a new version of Logstash.

What version of the plugin do you have?

bin/logstash-plugin list --verbose geoip

V6 addresses work for me...

input { generator { count => 1 message => '' } }
filter {
    mutate { add_field => { "clientip" => "2001:0:3238:DFE1:0063::FEFB" } }
    geoip { source => "clientip" }
}

gets me a location in San Antonio, TX
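
An added example, not code from any post in this thread: it parses the `hosts` strings from the question's snmp input and checks each address against the non-routable ranges, alongside the address used in the reply's test pipeline. GeoLite2 carries no location records for private or unique-local ranges, so a lookup on such an address fails whatever the IP version. It assumes `clientip` ends up holding the polled device's address; the function names are illustrative.

```python
import ipaddress

# Host strings copied from the snmp input in the question.
SNMP_HOSTS = [
    "udp:172.20.64.62/161",
    "udp:fda1:40:0:b:1c:6404:8061:7ccb/161",
    "udp:fda1:40:0:b::8077:786/161",
]
# Address used in the reply's generator test.
REPLY_ADDRESS = "2001:0:3238:DFE1:0063::FEFB"

# Ranges that are not announced on the public Internet.
NON_ROUTABLE = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 4193 unique local": ["fc00::/7"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "loopback": ["127.0.0.0/8", "::1/128"],
}
_NETS = [(label, ipaddress.ip_network(cidr))
         for label, cidrs in NON_ROUTABLE.items() for cidr in cidrs]


def address_from_snmp_host(host):
    """Extract the IP address from a 'proto:address/port' host string."""
    _proto, sep, rest = host.partition(":")      # drop the 'udp' prefix
    if not sep:
        raise ValueError("missing protocol prefix: %r" % host)
    addr, sep, _port = rest.rpartition("/")      # the port follows the last '/'
    if not sep:
        raise ValueError("missing port: %r" % host)
    return ipaddress.ip_address(addr)            # raises ValueError if invalid


def classify(addr):
    """Return the non-routable range label for addr, or None if none match."""
    for label, net in _NETS:
        if addr.version == net.version and addr in net:
            return label
    return None


if __name__ == "__main__":
    addrs = [address_from_snmp_host(h) for h in SNMP_HOSTS]
    addrs.append(ipaddress.ip_address(REPLY_ADDRESS))
    for a in addrs:
        print(a, "->", classify(a) or "not in a non-routable range")
```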
