Geoip Issues with Logstash?


(Killmasta93) #1

Hi, I was wondering if someone could help me out. I have been at it a while but nothing, and what's funny is that sometimes it shows the geoip of some countries but others not. Did I miss something?

http://pastebin.com/pEPD6Y0T

Also when I run tail -f /var/log/logstash/logstash.stdout
I should be getting something like this
http://s2.postimg.org/4vvn0yhbt/Clipboarder_2015_08_26_007.png

tags" => [
    [0] "PFSense",
    [1] "firewall",
    [2] "packetfilter",
    [3] "GeoIP"

but instead I get

tags" => [
 [0] "PFSense",
 [1] "firewall"

Thank you


(Joshua Rich) #2

The geoip filter won't work for private addresses, so everything in 10.0.0.0/8 (like all your block messages) won't get geo data added. The geoip filter only works on internet routable addresses.


(Killmasta93) #3

Hi,
Thank you for your response, so the 10.141.5.1 is private? My network is 192.168.3.0/24

If that's correct then everything is working good? But I do see that some IPs do not get registered with the country names

Thank you


(Joshua Rich) #4

That's right. Also, geoip lookup is a best effort, the database is definitely not thorough nor completely accurate, so you may find some IPs just do not resolve to anywhere. We also unfortunately ship an older version of the geoip database within Logstash, we will be shipping a newer version in a future release I believe.


(Lloyd Dewolf) #5

That's correct @killmasta93. These are called RFC 1918 addresses, because that is the Request for Comments (RFC) that defined them.

IPv4 Private Address Space and Filtering
10.0.0.0/8 IP addresses: 10.0.0.0 -- 10.255.255.255.
172.16.0.0/12 IP addresses: 172.16.0.0 -- 172.31.255.255.
192.168.0.0/16 IP addresses: 192.168.0.0 -- 192.168.255.255.

See also:


(Mark Walkom) #6

You could try this Creating geoip data for internal networks


(Killmasta93) #7

Hi,
@lloydde @Joshua_Rich thank you for helping me understand

and @warkolm, I will sure check it out, looks very interesting

Thank you again
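
Added example (not code from any poster in this thread): a small Python triage script that applies the RFC 1918 ranges listed in post #5 to decide whether an event's missing GeoIP tag is expected (private source, post #2) or a database miss on a routable address (post #4). The `src_ip` field name and the sample events are constructed assumptions, and the check for other non-routable ranges goes beyond what the thread lists.

```python
import ipaddress

# RFC 1918 ranges exactly as listed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'invalid', 'rfc1918', 'non-routable' or 'public' for an address string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    # Generalisation beyond the thread: loopback, link-local and other
    # special-purpose ranges are not internet routable either.
    if not ip.is_global:
        return "non-routable"
    return "public"


def triage(events):
    """Report, per event, whether a missing GeoIP tag is expected."""
    report = []
    for ev in events:
        kind = classify(ev["src_ip"])  # 'src_ip' is an assumed field name
        if "GeoIP" in ev["tags"]:
            verdict = "ok"
        elif kind == "public":
            verdict = "database miss"  # routable, but no entry in the GeoIP database
        else:
            verdict = "expected"       # nothing for the geoip filter to look up
        report.append((ev["src_ip"], kind, verdict))
    return report


# Constructed sample events; tags mirror the ones shown in the first post.
SAMPLE_EVENTS = [
    {"src_ip": "10.141.5.1", "tags": ["PFSense", "firewall"]},
    {"src_ip": "192.168.3.20", "tags": ["PFSense", "firewall"]},
    {"src_ip": "8.8.8.8", "tags": ["PFSense", "firewall", "packetfilter", "GeoIP"]},
    {"src_ip": "1.1.1.1", "tags": ["PFSense", "firewall"]},
    {"src_ip": "127.0.0.1", "tags": ["PFSense", "firewall"]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print("%-15s %-13s %s" % row)
```

Only the events reported as "database miss" point at the GeoIP database itself; the rest are untagged by design.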

