Geoip filter reports incorrect location

I discovered some incorrect results when geocoding IP addresses through the geoip filter in Logstash 6.5.4. The IP address in question is 185.234.217.248.

If I go to https://www.maxmind.com/en/geoip-demo it gives me:

However, if I run it through Logstash's geoip filter I get:

         "geoip" => {
          "latitude" => 52.2394,
    "continent_code" => "EU",
          "location" => {
        "lat" => 52.2394,
        "lon" => 21.0362
    },
      "country_name" => "Poland",
                "ip" => "185.234.217.248",
         "longitude" => 21.0362,
          "timezone" => "Europe/Warsaw",
     "country_code3" => "PL",
     "country_code2" => "PL"
}

Is Logstash shipping with a stale database?

Version 5.0.3 of the plugin was released shortly after Logstash 6.5.4 was cut, but includes an updated GeoLite2 database.

Instructions for updating plugins are here.

Thanks @yaauie. Is there a best practice for operationalizing the periodic updates of the plugin? I imagine there must be lots of people using Logstash for a long time who unknowingly are getting incorrect geo lookups due to stale databases. Maybe Logstash could allow plugins to upgrade themselves?

MaxMind release a new version of the database once a month. I don't think it is Elastic's job to keep the GeoLite2-City.mmdb on my install up to date for me. YMMV.

It might be worth documenting the fact that the database is a snapshot from around the time the plugin version was released.

Given the terrible quality of most free geolocation data I'm not terribly concerned about it being a little stale. You can tell from the frequency with which the location is the former corporate HQ of a cable company that has been rolled up that a lot of the time it is just whois data warmed over.

