Geoip filter

My sample log contents

#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2020-10-22T23:59:53.533Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB78EDF,0,127.0.0.1:25,127.0.0.1:10742,+,,
2020-10-22T23:59:53.533Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB78EDF,1,127.0.0.1:25,127.0.0.1:10742,*,SMTPAcceptAnyRecipient,Set Session Permissions
2020-10-22T23:59:53.533Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB78EDF,2,127.0.0.1:25,127.0.0.1:10742,>,"220 SIG-EXCH13-01.sinpf.org.sb Microsoft ESMTP MAIL Service

My logstash pipeline

input {
  beats {
    port => 5044
  }
}

filter {
  # Replace every ':' with ',' so "ip:port" endpoint columns split into ip and port.
  # Side effect: the ISO-8601 timestamp is split into the date/hour/minutes columns too.
  mutate {
    gsub => [ "message", ":", "," ]
  }
  csv {
    separator => ","
    columns => ["date", "hour", "minutes", "connector-id", "session-id", "sequence-number", "local-ip", "local-port", "remote-ip", "remote-port", "event", "data", "context"]
  }
  # Enrich the remote address; the [geoip] object is only added for public IPs.
  geoip {
    source => "remote-ip"
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
  }
}

My geoip filter is not working as expected, please help.

What is not working?

The log line examples you shared only have private IPs; the geoip filter does not work with private IPs, only with public IPs.

Thanks Leandro, it does, but I have not shared that. See below. Thanks

2020-10-23T21:13:32.471Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB79F0D,3,192.168.1.110:25,60.169.126.177:3763,<,EHLO ylmf-pc,
2020-10-23T21:13:32.471Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB79F0D,4,192.168.1.110:25,60.169.126.177:3763,*,SMTPAcceptAnyRecipient,Set Session Permissions
2020-10-23T21:13:32.471Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB79F0D,5,192.168.1.110:25,60.169.126.177:3763,>,250-SIG-EXCH13-01.sinpf.org.sb Hello [60.169.126.177],
2020-10-23T21:13:32.471Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB79F0D,6,192.168.1.110:25,60.169.126.177:3763,>,250-SIZE 10485760,
2020-10-23T21:13:32.471Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB79F0D,7,192.168.1.110:25,60.169.126.177:3763,>,250-PIPELINING,
2020-10-23T21:13:32.471Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB79F0D,8,192.168.1.110:25,60.169.126.177:3763,>,250-DSN,
2020-10-23T21:13:32.471Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB79F0D,9,192.168.1.110:25,60.169.126.177:3763,>,250-ENHANCEDSTATUSCODES,
2020-10-23T21:13:32.471Z,SIG-EXCH13-01\Default Frontend SIG-EXCH13-01,08D8724E3CB79F0D,10,192.168.1.110:25,60.169.126.177:3763,>,250-STARTTLS,

You didn't say what is not working; the configuration is correct.

geoip {
    source => "remote-ip"
}

This will apply the geoip filter on the public IPs in the field remote-ip.

You need to describe the problem better.

What is not working? What is the result that you expect to get and what is the result you are getting? Did you create the mapping for the geo_point field?

Also, use the </> code button when sharing configurations and log samples; it is easier to read and replicate.

I've run your pipeline and the geoip filter worked without problem for this IP you shared.

"geoip" => {
    "country_code3" => "CN",
    "region_name" => "Anhui",
    "longitude" => 117.2865,
    "country_name" => "China",
    "latitude" => 31.8642,
    "continent_code" => "AS",
    "timezone" => "Asia/Shanghai",
    "location" => {
        "lat" => 31.8642,
        "lon" => 117.2865
    },
    "country_code2" => "CN",
    "ip" => "60.169.126.177",
    "region_code" => "AH"
}
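To make the two points of this thread concrete (the gsub/csv split used by the pipeline, and the fact that geoip only enriches public addresses), here is an added example in Python, not code from the thread or from Logstash. It parses the posted Exchange receive-connector log lines twice: once exactly as the pipeline does (replace every ':' with ',' and csv-split, which also shreds the ISO-8601 timestamp into three columns), and once by csv-splitting first and then splitting only the two endpoint columns. It then uses the standard `ipaddress` module to decide which remote IPs are globally routable, which is the set the geoip filter can actually look up. The sample lines are a constructed subset of the ones posted above; the bracketed IPv6 endpoint format handled by `split_endpoint` is an assumption, not something shown in the thread.

```python
import csv
import io
import ipaddress

# Field names from the "#Fields:" header of the Exchange protocol log.
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

# Column list of the csv filter in the pipeline above (after gsub ':' -> ',').
PIPELINE_COLUMNS = ["date", "hour", "minutes", "connector-id", "session-id",
                    "sequence-number", "local-ip", "local-port", "remote-ip",
                    "remote-port", "event", "data", "context"]

# Constructed sample: the loopback line and two public-IP lines from the thread.
SAMPLE_LOG = (
    "2020-10-22T23:59:53.533Z,SIG-EXCH13-01\\Default Frontend SIG-EXCH13-01,"
    "08D8724E3CB78EDF,0,127.0.0.1:25,127.0.0.1:10742,+,,\n"
    "2020-10-23T21:13:32.471Z,SIG-EXCH13-01\\Default Frontend SIG-EXCH13-01,"
    "08D8724E3CB79F0D,3,192.168.1.110:25,60.169.126.177:3763,<,EHLO ylmf-pc,\n"
    "2020-10-23T21:13:32.471Z,SIG-EXCH13-01\\Default Frontend SIG-EXCH13-01,"
    "08D8724E3CB79F0D,5,192.168.1.110:25,60.169.126.177:3763,>,"
    "250-SIG-EXCH13-01.sinpf.org.sb Hello [60.169.126.177],\n"
)


def _split_csv(line):
    """Split one log line with CSV rules (the csv filter does the same)."""
    return next(csv.reader(io.StringIO(line)))


def parse_as_pipeline(line):
    """Replicate the thread's pipeline: gsub every ':' to ',' then csv-split.

    The endpoint columns come out right, but the ISO-8601 timestamp is cut
    into three columns and any ':' inside the data column shifts the rest.
    """
    fields = _split_csv(line.replace(":", ","))
    return dict(zip(PIPELINE_COLUMNS, fields))


def split_endpoint(endpoint):
    """Split 'ip:port' on the LAST ':' so an assumed bracketed IPv6 endpoint
    such as '[::1]:25' also works; returns (ip, port)."""
    ip, _, port = endpoint.rpartition(":")
    return ip.strip("[]"), port


def parse_properly(line):
    """CSV-split first, then split only the two endpoint fields."""
    event = dict(zip(FIELDS, _split_csv(line)))
    event["local-ip"], event["local-port"] = split_endpoint(event["local-endpoint"])
    event["remote-ip"], event["remote-port"] = split_endpoint(event["remote-endpoint"])
    return event


def is_geoip_candidate(ip_text):
    """True only for globally routable addresses. Loopback, RFC 1918,
    link-local and other reserved ranges have no entry in the GeoLite2
    database, so the geoip filter adds nothing for them and tags the event
    with _geoip_lookup_failure instead."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global


def geoip_candidates(log_text):
    """Distinct remote IPs in the log that geoip could enrich, in order seen."""
    seen = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ip = parse_properly(line)["remote-ip"]
        if is_geoip_candidate(ip) and ip not in seen:
            seen.append(ip)
    return seen


if __name__ == "__main__":
    first = SAMPLE_LOG.splitlines()[0]
    as_pipeline = parse_as_pipeline(first)
    print("pipeline view of the timestamp:",
          as_pipeline["date"], as_pipeline["hour"], as_pipeline["minutes"])
    print("proper view of the timestamp:", parse_properly(first)["date-time"])
    print("remote IPs geoip can enrich:", geoip_candidates(SAMPLE_LOG))
```

Running it shows that the loopback session from the first log sample yields no geoip candidate at all, while the 60.169.126.177 session does, which is exactly why the first set of lines produced no `[geoip]` object and the second set did. Splitting the endpoint fields on their last ':' rather than rewriting the whole message keeps the timestamp intact for a `date` filter and avoids column shifts when the SMTP data column contains a colon.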
