Geoip Field mapping

Catalin_Liviu_Vrince · February 28, 2018, 5:09pm

Hi guys,

I have one issue parsing the nested geoip filed on Logstash 5.6.7. I'm not able to find the right path for this. Please can you help me with that?

Input:

10.57.49.85 - catalin.vrinceanu [28/Feb/2018:16:44:58 +0000] "GET /ui/favicons/favicon-16x16.png HTTP/1.1" 304 0 "https://catalinvr.com/app/kibana" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36"

logstash filter:

filter {
if [SourceModuleName] == "nginx_access_log" {
grok {
'match' => [ "message", "%{IPORHOST:[access][remote_ip]} %{USER:[access][ident]} %{USER:[access][user_name]} [%{HTTPDATE:nginxtimestamp}] "((%{WORD:[access][method]} %{URIPATHPARAM:[access][request]} HTTP/%{NUMBER:[access][http_version]})|-)" %{NUMBER:[access][response_code]} (?:%{NUMBER:[access][body_sent][bytes]}|-) (?:"(?:%{URI:[access][referrer]}|-)"|%{QS:[access][referrer]}) %{QS:[access][agent]}" ]
}
geoip {
source => "[access][remote_ip]"
target => "[access][geoip]"
}
date {
match => [ "nginxtimestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
locale => en
}
useragent {
source => "[access][agent]"
target => "[access][user_agent]"
}
}
}

On the index template, the geoip field is mapped correctly:

{ "mappings": {
"default": {
"_meta": {
"version": "5.6.8"
},
"date_detection": false,
"dynamic_templates": [
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"access": {
"properties": {
"agent": {
"norms": false,
"type": "text"
},
"body_sent": {
"properties": {
"bytes": {
"type": "long"
}
}
},
"geoip": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"@timestamp": {
"type": "date"
},
"message": {
"norms": false,
"type": "text"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"order": 0,
"settings": {
"index.mapping.total_fields.limit": 10000,
"index.refresh_interval": "5s"
},
"template": "nginx-*"
}

Thank you,
Catalin

Catalin_Liviu_Vrince · February 28, 2018, 6:07pm

Please ignore this request.
This was caused because I the Ip was private.

system · March 28, 2018, 6:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.