Geoip filter reports incorrect location

I discovered some incorrect results when geocoding IP addresses through the geoip filter in Logsstash 6.5.4. The IP address in question is

If I go to it gives me:

However, if I run it through Logstash's geoip filter I get:

         "geoip" => {
          "latitude" => 52.2394,
    "continent_code" => "EU",
          "location" => {
        "lat" => 52.2394,
        "lon" => 21.0362
      "country_name" => "Poland",
                "ip" => "",
         "longitude" => 21.0362,
          "timezone" => "Europe/Warsaw",
     "country_code3" => "PL",
     "country_code2" => "PL"

Is Logstash shipping with a stale database?

Version 5.0.3 of the plugin was released shortly after Logstash 6.5.4 was cut, but includes an updated GeoLite2 database.

Instructions for updating plugins are here.

Thanks @yaauie. Is there a best practice for operationalizing the periodic updates of the plugin? I imagine there must be lot's of people using Logstash for a long time who unknowingly are getting incorrect geo lookups due to stale databases. Maybe Logstash could allow plugins to upgrade themselves?

MaxMind release a new version of the database once a month. I don't think it is Elastic's job to keep the GeoLite2-City.mmdb on my install up to date for me. YMMV.

It might be worth documenting the fact that the database is a snapshot from around the time the plugin version was released.

Given the terrible quality of most free geolocation data I'm not terribly concerned about it being a little stale. You can tell from the frequency with which the location is the former corporate HQ of a cable company that has been rolled up that a lot of the time it is just whois data warmed over.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.